ECS4120-28Fv2 ECS4120-28Fv2-I 28-Port Layer 2+ Gigabit Ethernet Switch Web Management Guide Software Release 1.2.2.24 www.edge-core.
Web Management Guide

ECS4120-28Fv2 Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 20 100/1000 SFP Ports, 4 10/100/1000 BASE-T (RJ-45) / 100/1000 SFP Combo Ports, 4 10 Gigabit SFP+ Ports, and DC Power Supply (Operating Temperature: 0°C – 50°C)

ECS4120-28Fv2-I Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 20 100/1000 SFP Ports, 4 10/100/1000 BASE-T (RJ-45) / 100/1000 SFP Combo Ports, 4 10 Gigabit SFP+ Ports, and DC Power Supply (Operating Temperature: -10°C – 65°C)

E102019-CS-R04
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read This Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
For information on how to install the switch, see the following guide:
◆ Installation Guide

For all safety information and regulatory statements, see the following documents:
◆ Quick Start Guide
◆ Safety and Regulatory Information

Conventions
The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.
Revision History

Revision: v1.2.2.2
Date: 09/2018
Change Description:
Added: "Smart Pair Configuration" on page 570
Updated:
◆ "Dashboard" on page 52
◆ "Home Page" on page 54
◆ "Specifying NTP Time Servers" on page 95
◆ "Configuring AAA Accounting" on page 301 ‐ new command AAA accounting based on specific privilege levels.
◆ "Configuring LLDP Interface Attributes" on page 415
◆ "ERPS Ring Configuration" on page 488
◆ Figure 395 on page 603
◆ Multiple updates per internal review.
Section I: Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction

This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1: Key Features (Continued)
Feature: Description
◆ Address Table: 16K MAC addresses in forwarding table, 1K static MAC addresses; 1K entries in ARP cache; 2K entries in IPv6 neighbor cache; 1K L2 IPv4 multicast groups
◆ IP Version 4 and 6: Supports IPv4 and IPv6 addressing, and management
◆ IEEE 802.

Description of Software Features
Some of the management features are briefly described below.

Configuration Backup and Restore
You can save the current configuration settings to a file on the management station (using the web interface) or an FTP/TFTP server (using the web or console interface), and later download this file to restore the switch configuration settings.

Authentication
This switch authenticates management access via the console port, Telnet, or a web browser.
Rate Limiting
This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped.

Port Mirroring
The switch can unobtrusively mirror traffic from any port to a monitor port.
To avoid dropping frames on congested ports, the switch provides 3 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

Spanning Tree Algorithm
The switch supports these spanning tree protocols:
◆ Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection.
◆ Provide data security by restricting all traffic to the originating VLAN, except where a connection is explicitly defined via the switch's routing service.
◆ Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

IEEE 802.1Q Tunneling (QinQ)
This feature is designed for service providers carrying traffic for multiple customers across their networks.
Operation, Administration, and Maintenance
The switch provides OAM remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.
System Defaults

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults (Continued)
Function / Parameter: Default

SNMP
◆ SNMP Agent: Enabled
◆ Community Strings: “public” (read only), “private” (read/write)
◆ Traps: Authentication traps: enabled; Link-up-down events: enabled
◆ SNMP V3: View: defaultview; Group: public (read only); private (read/write)

◆ Admin Status: Enabled
◆ Auto-negotiation: Enabled
◆ Flow Control: Disabled
◆ Static Trunks: None
◆ LACP (all ports): Disabled
◆ Rate Limiting: Disabled
◆ Storm Control Broadc
Table 2: System Defaults (Continued)
Function / Parameter: Default

Traffic Prioritization
◆ Ingress Port Priority: 0
◆ Queue Mode: WRR
◆ Queue Weight:
  Queue:  0 1 2 3 4 5 6 7
  Weight: 1 2 4 6 8 10 12 14
◆ Class of Service: Enabled
◆ IP Precedence Priority: Disabled
◆ IP DSCP Priority: Disabled
◆ IP Port Priority: Disabled

◆ Management. VLAN: VLAN 1
◆ IP Address: DHCP assigned
◆ Subnet Mask: 255.255.255.0
◆ Default Gateway: 0.0.0.
Section II: Web Configuration

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
2 Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 11, Mozilla Firefox 52, or Google Chrome 57, or more recent versions).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Note: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.
Note: You can open a connection to the vendor’s web site by clicking on the logo.
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.
Table 3: Web Page Configuration Buttons (Continued)
Button / Action
◆ Refreshes the current page.
◆ Displays the site map.
◆ Logs out of the management interface.
◆ Sends mail to the vendor.
◆ Links to the vendor’s web site.

Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active Ports (i.e., up or down), Duplex State (i.e.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Interface 113 Port 114 General Configure by Port List Configures connection settings per port 114 Configure by Port Range Configures connection settings for a range of ports 117 Show Information Displays port connection status 118 Statistics Shows Interface, Etherlike, and RMON port statistics 119 Charts Shows Interface, Etherlike, RMON, and all port stati
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Neighbors Description Page Displays configuration settings and operational state for the remote side of a link aggregation 146 Configure Trunk 137 Configure Configures connection settings 137 Show Displays port connection status 137 Show Member Shows the active members in a trunk 137 Statistics Shows Interface, Etherlike, and RMON port statistics 119 Chart Shows Interface,
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure General Enables GVRP VLAN registration protocol globally 178 Configure Interface Configures GVRP status and timers per interface 178 Dynamic Show Dynamic VLAN 178 Show VLAN Shows the VLANs this switch has joined through GVRP 178 Show VLAN Member Shows the interfaces assigned to a VLAN through GVRP 178 IEEE 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Clear Dynamic MAC Learning Status Description Page Removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries 206 Enables MAC address learning on selected interfaces 208 Static 209 Add Configures static entries in the address table 209 Show Displays static entries in the address table 209 MAC
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Auto Traffic Control Description Page Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port 242 Configure Global Sets the time to apply the control response after traffic has exceeded 244 the upper threshold, and the time to release the control response after traffic has fallen beneath the lower threshold Configure
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Shows configured class maps 270 Modify Modifies the name of a class map 270 Add Rule Configures the criteria used to classify ingress traffic 270 Show Rule Shows the traffic classification rules for a class map 270 Configure Policy 274 Add Creates a policy map to apply to multiple interfaces 274 Show Shows configured policy maps 274 Modify Modifie
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Configure Service Description Page Sets the accounting method applied to specific interfaces for 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page SSH Secure Shell 327 Configures SSH server settings 330 Configure Global Configure Host Key 331 Generate Generates the host key pair (public and private) 331 Show Displays RSA and DSA host keys; deletes host keys 331 Configure User Key 333 Copy Imports user public keys from TFTP server 333 Show Displays RSA and DSA user keys; deletes user keys 333 Acce
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page DHCP Snooping6 377 Configure Global Enables DHCPv6 snooping globally, information option; and sets the information policy 379 Configure VLAN Enables DHCPv6 snooping on a VLAN 381 Configure Interface Sets the trust mode for an interface 383 Binding Displays the DHCPv6 Snooping binding information 384 Statistics Displays information on client, server, and rela
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Administration 407 Log 408 System 408 Configure Global Stores error messages in local memory 408 Show System Logs Shows logged error messages 408 Remote Configures the logging of messages to a remote logging process 410 SMTP Sends an SMTP client message to a participating server 411 LLDP Configure Global 413 Configures global LLDP timing parameters 413
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Show Remote Engine Description Page Shows configured engine ID for remote devices 443 Configure View 444 Add View Adds an SNMP v3 view of the OID MIB 444 Show View Shows configured SNMP v3 views 444 Add OID Subtree Specifies a part of the subtree for the selected view 444 Show OID Subtree Shows the subtrees assigned to each view 444 Configure Group 447 Add Adds a group w
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page History Shows sampling parameters for each entry in the history group 471 Statistics Shows sampling parameters for each entry in the statistics group 474 History Shows sampled data for each entry in the history group 471 Statistics Shows sampled data for each entry in the history group 474 Show Show Details Cluster 476 Configure Global Globally enables clu
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Show Configure MA Description Page Shows list of configured maintenance domains 525 Configure Maintenance Associations 529 Add Defines a unique CFM service instance, identified by its parent MD, the 529 MA index, the VLAN assigned to the MA, and the MIP creation method Configure Details Configures detailed settings, including continuity check status and interval level, cross-check s
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Remote Interface Displays information about attached OAM-enabled devices 513 Remote Loopback Performs a loopback test on the specified port 514 UniDirectional Link Detection 562 UDLD Configure Global Configures the message probe interval, detection interval, and recovery 563 interval Configure Interface Enables UDLD and aggressive mode which reduces the shut-dow
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Address Configures an IP interface for a VLAN 663 Show Address Shows the IP interfaces assigned to a VLAN 663 Routing Static Routes 689 Add Configures static routing entries 689 Show Shows static routing entries 689 Routing Table Show Information 690 Shows all routing entries, including local, static and dynamic routes IPv6 Configuration 690 667 Confi
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Displays cache entries discovered by designated name servers 698 Dynamic Host Configuration Protocol 699 Client Specifies the DHCP client identifier for an interface 699 Relay Specifies DHCP Layer 2 or Layer 3 relay service L3 Relay Specifies DHCP relay servers 701 L2 Relay Configures DHCP relay service for attached host devices, including DHCP option 82 infor
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Shows configured IGMP filter profiles 599 Add Multicast Group Range Assigns multicast groups to selected profile 599 Show Multicast Group Range Shows multicast groups assigned to a profile 599 Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action 602 Statistics 594 Show Query Statistics Shows statistics for query-
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Profile 624 Add Configures multicast stream addresses 624 Show Shows multicast stream addresses 624 Associate Profile 624 Add Maps an address profile to a domain 624 Show Shows addresses profile to domain mapping 624 Configure Interface Configures MVR interface type and immediate leave mode; also displays 627 MVR operational and active status Co
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Show Member Description Page Shows the multicast groups assigned to an MVR VLAN, the source address of the multicast services, and the interfaces with active subscribers 647 Show Statistics 648 Show Query Statistics Shows statistics for query-related messages 648 Show VLAN Statistics Shows statistics for protocol messages and number of active groups 648 Show Port Statistics Show
3 Basic Management Tasks

This chapter describes the following topics:

◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Displaying System Information

Use the System > General page to identify the system by displaying information such as the device name, location and contact information.

Parameters

These parameters are displayed:

◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
◆ System Up Time – Length of time the management agent has been up.
Displaying Hardware/Software Versions

Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Parameters

The following parameters are displayed:

Main Board Information

◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
◆ Hardware Version – Hardware version of the main board.
Web Interface

To view hardware and software version information:

1. Click System, then Switch.

Figure 5: General Switch Information

Configuring Support for Jumbo Frames

Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
Web Interface

To configure support for jumbo frames:

1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.

Figure 6: Configuring Support for Jumbo Frames

Displaying Bridge Extension Capabilities

Use the System > Capability page to display settings based on the Bridge MIB.
Chapter 3 | Basic Management Tasks Managing System Files

Untagged) on each port. (Refer to “VLAN Configuration” on page 167.)

◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch.
◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch.

Web Interface

To view Bridge Extension information:

1. Click System, then Capability.
Command Usage

◆ When logging into an FTP server, the interface prompts for a user name and password configured on the remote server. Note that “Anonymous” is set as the default user name.
◆ The reset command will not be accepted during copy operations to flash memory.
Web Interface

To copy firmware files:

1. Click System, then File.
2. Select Copy from the Action list.
3. Select FTP Upload, HTTP Upload or TFTP Upload as the file transfer method.
4. If FTP or TFTP Upload is used, enter the IP address of the file server.
5. If FTP Upload is used, enter the user name and password for your account on the FTP server.
6. Set the file type to Operation Code.
7. Enter the name of the file to download.
8.
Saving the Running Configuration to a Local File

Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can be subsequently set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.

Setting the Start-up File

Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.

Web Interface

To set a file to use for system initialization:

1. Click System, then File.
2. Select Set Start-Up from the Action list.
3.
Figure 11: Displaying System Files

Automatic Operation Code Upgrade

Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
series.bix and ECS4120-Series.bix are considered to be unique files. Thus, if the upgrade file is stored as ECS4120-Series.bix (or even EcS4120-Series.bix) on a case-sensitive server, then the switch (requesting ecs4120-series.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented:

■ ftp://192.168.0.1/
  The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory.
■ ftp://switches:upgrade@192.168.0.1/
  The user name is “switches” and the password is “upgrade”.
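The URL rules described above can be checked before a value is entered on the switch. The following is an added example, not code from this guide or from the vendor: the function names are hypothetical, the tftp:// form is assumed to mirror the ftp:// examples, and fileserver.example is a constructed host name.

```python
from urllib.parse import urlsplit

# File name the switch requests, as quoted in this guide (compared exact-case).
IMAGE_NAME = "ecs4120-series.bix"


def is_dotted_quad(host):
    """True for four decimal numbers, 0 to 255, separated by periods."""
    parts = host.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    )


def parse_upgrade_url(url):
    """Split an upgrade URL into the fields the guide names."""
    parts = urlsplit(url)
    if parts.scheme not in ("ftp", "tftp"):
        raise ValueError("expected an ftp:// or tftp:// URL: %r" % url)
    user, password = parts.username or "", parts.password or ""
    if parts.scheme == "ftp" and not user:
        # Stated in the guide: empty credentials mean user "anonymous"
        # with a blank password.
        user, password = "anonymous", ""
    return {
        "scheme": parts.scheme,
        "user": user,
        "password": password,
        "host": parts.hostname or "",
        "filedir": parts.path.strip("/"),
    }


def audit_upgrade_url(url):
    """Return (fields, findings); each finding is a (code, advice) pair."""
    info = parse_upgrade_url(url)
    findings = []
    if not is_dotted_quad(info["host"]):
        findings.append(("host-not-ipv4",
                         "DNS host names are not recognized; use a dotted-quad address"))
    if info["scheme"] == "tftp":
        findings.append(("no-authentication",
                         "TFTP has no login step; limit who can reach and write to the server"))
    elif info["user"] == "anonymous":
        findings.append(("anonymous-ftp",
                         "anonymous login; make the image directory read-only"))
    elif info["password"]:
        findings.append(("password-in-url",
                         "password is part of the configured URL and is sent unencrypted by FTP; "
                         "use a dedicated read-only account"))
    findings.append(("cleartext-transport",
                     "FTP and TFTP are unencrypted; keep transfers on the management network"))
    return info, findings


def check_image_name(listing):
    """Compare a server directory listing with the name the switch requests."""
    if IMAGE_NAME in listing:
        return "ok"
    if any(name.lower() == IMAGE_NAME for name in listing):
        return "case-mismatch"   # not served by a case-sensitive file server
    return "missing"


if __name__ == "__main__":
    for candidate in ("ftp://192.168.0.1/",
                      "ftp://switches:upgrade@192.168.0.1/",
                      "tftp://fileserver.example/images/"):   # constructed
        fields, notes = audit_upgrade_url(candidate)
        print(candidate, fields["user"] or "-", [code for code, _ in notes])
    print(check_image_name(["ECS4120-Series.bix"]))
```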
Chapter 3 | Basic Management Tasks Setting the System Clock

Automatic Upgrade is looking for a new image
New image detected: current version 1.2.1.3; new version 1.2.1.6
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
Web Interface

To manually set the system clock:

1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5.
Figure 14: Setting the Polling Interval for SNTP

Configuring NTP

Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.

Parameters

The following parameters are displayed:

◆ Current Time – Shows the current time set on the switch.
Figure 15: Configuring NTP

Configuring Time Servers

Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.

Specifying SNTP Time Servers

Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 16: Specifying SNTP Time Servers

Specifying NTP Time Servers

Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.

Parameters

The following parameters are displayed:

◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers.
Figure 17: Adding an NTP Time Server

To show the list of configured NTP time servers:

1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.

Figure 18: Showing the NTP Time Server List

Specifying NTP Authentication Keys

Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Web Interface

To add an entry to NTP authentication key list:

1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.

Figure 19: Adding an NTP Authentication Key

To show the list of configured NTP authentication keys:

1. Click System, then Time.
2.
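What the index number and MD5 key string are used for on the wire, shown as an added example that is not from this guide: it follows the symmetric-key MAC defined in RFC 5905 (a key identifier plus MD5 over the key followed by the NTP header), and the switch's own implementation is not shown here. The header bytes, key values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # 32-bit key identifier + 128-bit MD5 digest

# Constructed server-mode header: LI=0, VN=4, Mode=4, stratum 2, poll 6,
# precision -20; the remaining fields (timestamps etc.) are zeroed.
SAMPLE_HEADER = struct.pack(">BBbb", 0x24, 2, 6, -20) + bytes(44)

# Constructed key table: index number -> key string, as entered on both ends.
SERVER_KEYS = {1: b"constructed-secret"}


def md5_digest(key, header):
    """RFC 5905 symmetric-key digest: MD5 over key || header."""
    return hashlib.md5(key + header).digest()


def add_mac(header, key_id, key):
    """Append the key identifier and digest to a 48-byte NTP header."""
    if len(header) != HEADER_LEN:
        raise ValueError("NTP header must be %d bytes" % HEADER_LEN)
    return header + struct.pack(">I", key_id) + md5_digest(key, header)


def verify_mac(packet, keys):
    """Check a received packet against the local key table.

    Fails when the packet has no MAC, when the key identifier is not in
    the table, or when the digest does not match (wrong key string or a
    header modified in transit).
    """
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack(">I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return False
    # Constant-time comparison of the expected and received digests.
    return hmac.compare_digest(md5_digest(key, header), packet[HEADER_LEN + 4:])


def demo():
    """Run the four cases an administrator meets when pairing keys."""
    packet = add_mac(SAMPLE_HEADER, 1, SERVER_KEYS[1])
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]
    return {
        "matching index and key": verify_mac(packet, {1: b"constructed-secret"}),
        "same key, different index": verify_mac(packet, {2: b"constructed-secret"}),
        "same index, different key": verify_mac(packet, {1: b"other-secret"}),
        "header modified in transit": verify_mac(tampered, SERVER_KEYS),
        "unauthenticated packet": verify_mac(SAMPLE_HEADER, SERVER_KEYS),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-28s %s" % (case, "accepted" if accepted else "rejected"))
```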
Setting the Time Zone

Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Figure 21: Setting the Time Zone

Configuring Summer Time

Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Table 5: Predefined Summer-Time Parameters

Region | Start Time, Day, Week, & Month | End Time, Day, Week, & Month | Rel.
Australia | 00:00:00, Sunday, Week 5 of October | 23:59:59, Sunday, Week 5 of March | 60 min
Europe | 00:00:00, Sunday, Week 5 of March | 23:59:59, Sunday, Week 5 of October | 60 min
New Zealand | 00:00:00, Sunday, Week 1 of October | 23:59:59, Sunday, Week 3 of March |
USA | 02:00:00, Sunday, Week 2 of March |
Figure 22: Configuring Summer Time

Configuring the Console Port

Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
◆ Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None.
Configuring Telnet Settings

Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
Chapter 3 | Basic Management Tasks Displaying CPU Utilization

authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.

Web Interface

To configure parameters for the console port:

1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.
2. Change the update interval if required. Note that the interval is changed as soon as a new setting is selected.
3. Use the Action drop-down menu to select “Show Information by Task” to view a detailed list of processes and their utilization.
Configuring CPU Guard

Use the System > CPU Guard page to set the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second.

Parameters

The following parameters are displayed:

◆ CPU Guard Status – Enables CPU Guard.
Web Interface

To configure CPU Guard:

1. Click System, CPU Guard.
2. Set CPU guard status, configure the watermarks or threshold parameter, enable traps if required.
3. Click Apply.

Figure 27: Configuring CPU Guard

Displaying Memory Utilization

Use the System > Memory Status page to display memory utilization parameters.

Parameters

The following parameters are displayed:

◆ Free Size – The amount of memory currently free for use.
Web Interface

To display memory utilization:

1. Click System, then Memory Status.

Figure 28: Displaying Memory Utilization

Resetting the System

Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.

Command Usage

◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test.
■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.)
    ■ hours – The number of hours, combined with the minutes, before the switch resets. (Range: 0-576)
    ■ minutes – The number of minutes, combined with the hours, before the switch resets. (Range: 0-59)
■ At – Specifies a time at which to reload the switch.
    ■ DD - The day of the month at which to reload.
Figure 29: Restarting the Switch (Immediately)

Figure 30: Restarting the Switch (In)
Figure 31: Restarting the Switch (At)

Figure 32: Restarting the Switch (Regularly)
4 Interface Configuration

This chapter describes the following topics:

◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form.
◆ Displaying Statistical History – Displays statistical history for the specified interfaces.
Port Configuration

This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.

Configuring by Port List

Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
◆ For other traffic types, calculation of overall frame size is basically the same, including the additional header fields SA(6) + DA(6) + Type(2) + VLAN-Tag(4) for tagged packets (for untagged packets, the 4-byte field will not be added by the switch), and the payload. This should all be less than the configured port MTU, including the CRC at the end of the frame.
■ 100h - Supports 100 Mbps half-duplex operation.
■ 100f - Supports 100 Mbps full-duplex operation.
■ 1000f - Supports 1000 Mbps full-duplex operation.
■ 10Gf (10G SFP+ ports only) - Supports 10 Gbps full-duplex operation.
■ Sym (Symmetric) - Check this item to transmit and receive pause frames.
Figure 33: Configuring Connections by Port List

Configuring by Port Range

Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.

For more information on command usage and a description of the parameters, refer to “Configuring by Port List” on page 114.
Figure 34: Configuring Connections by Port Range

Displaying Connection Status

Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and autonegotiation.

Parameters

These parameters are displayed:

◆ Port – Port identifier.
◆ Type – Indicates the port type. (1000BASE-T, 1000BASE SFP, 10GBASE SFP+)
◆ Name – Interface label.
Chapter 4 | Interface Configuration Showing Port or Trunk Statistics

◆ MTU Size – The maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk.
◆ Link Up Down Trap – Shows if a notification message will be sent whenever a port link is established or broken. (Default: Enabled)

Web Interface

To display port connection parameters:

1. Click Interface, Port, General.
2. Select Show Information from the Action List.
Parameters

These parameters are displayed:

Table 6: Port Statistics

Parameter | Description
Interface Statistics |
Received Octets | The total number of octets received on the interface, including framing characters.
Transmitted Octets | The total number of octets transmitted out of the interface, including framing characters.
Deferred Transmissions | A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy.
Frames Too Long | A count of frames received on a particular interface that exceed the maximum permitted frame size.
Symbol Errors | A count of the times there was an invalid data symbol when a valid carrier was present.
64 Bytes Packets | The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Figure 36: Showing Port Statistics (Table)

To show a chart of port statistics:

1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Displaying Statistical History

Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces.

Command Usage

For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 119.

Parameters

These parameters are displayed:

Add

◆ Port – Port number. (Range: 1-28)
◆ History Name – Name of sample interval.
◆ Requested Buckets - The number of samples to take.
◆ Granted Buckets - The number of buckets granted.
◆ Status - Shows if this entry is active.

Web Configuration

To configure a periodic sample of statistics:

1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Add from the Action menu.
3. Select an interface from the Port or Trunk list.
4.
Figure 39: Showing Entries for History Sampling

To show the configured parameters for a sampling entry:

1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Status from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.

Figure 41: Showing Current Statistics for a History Sample

To show ingress or egress traffic statistics for a sample entry:

1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4.
Figure 42: Showing Ingress Statistics for a History Sample

Transceiver Data and Thresholds

Displaying Transceiver Data

Use the Interface > Port > Transceiver page to display identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM).

Parameters

These parameters are displayed:

◆ Port – Port number.
Web Interface

To display identifying information and functional parameters for optical transceivers:

1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.

Figure 43: Displaying Transceiver Data

Configuring Transceiver Thresholds

Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring (DDM).
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
Chapter 4 | Interface Configuration Performing Cable Diagnostics

■ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
■ Trap messages configured by this command are sent to any management station configured as an SNMP trap manager using the Administration > SNMP (Configure Trap) page.
    ■ Interpair shorts
    ■ Intrapair shorts
    ■ Open pairs
◆ Detects the location of cable faults.
◆ Detects good cable (accuracy 10 meters).
    ■ Detects the length of good cables on a per pair basis
◆ Cable diagnostics can only be performed on twisted-pair media.
◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long.
◆ The test takes approximately 1 second.
◆ Test – Initiates cable test.

Web Interface

To test the cable attached to a port:

1. Click Interface, Port, Cable Test.
2. Click Test for any port to start the cable test.

Figure 45: Performing Cable Tests

Trunk Configuration

This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
Command Usage

Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
Command Usage

◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
To add member ports to a static trunk:

1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.

Figure 48: Adding Static Trunks Members

To configure connection parameters for a static trunk:

1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3.
To display trunk connection parameters:

1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.

Note: If the LACP admin key is not set when a channel group is formed (i.e.
When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.

Configure Aggregation Port - General

◆ Port – Port identifier. (Range: 1-28)
◆ LACP Status – Enables or disables LACP on a port.

Configure Aggregation Port - Actor/Partner

◆ Port – Port number.
Note: Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port.

Note: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
Figure 53: Enabling LACP on a Port

To configure LACP parameters for group members:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
To show the active members of a dynamic trunk:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show Member from the Action list.
4. Select a Trunk.

Figure 55: Showing Members of a Dynamic Trunk

To configure connection parameters for a dynamic trunk:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Configure from the Action list.
4.
To display connection parameters for a dynamic trunk:

1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.

Figure 57: Displaying Connection Parameters for Dynamic Trunks

Displaying LACP Port Counters

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
4. Click Counters.
5. Select a group member from the Port list.

Figure 58: Displaying LACP Port Counters

Displaying LACP Settings and Status for the Local Side

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 8: LACP Internal Configuration Information (Continued)

Parameter | Description

◆ Synchronization – The System considers this link to be IN_SYNC; i.e., it has been allocated to the correct Link Aggregation Group, the group has been associated with a compatible Aggregator, and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted.
Displaying LACP Settings and Status for the Remote Side

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.

Parameters

These parameters are displayed:

Table 9: LACP Remote Device Configuration Information

Parameter | Description
Partner Admin System | LAG partner’s system ID assigned by the user.
Figure 60: Displaying LACP Port Remote Information

Configuring Load Balancing

Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.

Command Usage

◆ This command applies to all static and dynamic trunks on the switch.
■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source IP Address: All traffic with the same source IP address is output on the same link in a trunk.
Saving Power

Use the Interface > Green Ethernet page to enable power savings mode on the selected port.

Command Usage

◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
Chapter 4 | Interface Configuration Configuring Local Port Mirroring

◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Disabled on Gigabit Ethernet RJ-45 ports)

Web Interface

To enable power savings:

1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
3. Click Apply.
(remote port mirroring as described in “Configuring Remote Port Mirroring” on page 152).

◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
◆ When mirroring port traffic, the target port must be included in the same VLAN as the source port when using MSTP (see “Spanning Tree Algorithm” on page 213).
◆ The destination port cannot be a trunk or trunk member port.
To display the configured mirror sessions:

1. Click Interface, Port, Mirror.
2. Select Show from the Action List.

Figure 65: Displaying Local Port Mirror Sessions

Configuring Remote Port Mirroring

Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
Local Port Mirroring” on page 150), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).

◆ Configuration Guidelines

Take the following step to configure an RSPAN session:

1. Use the VLAN Static List (see “Configuring VLAN Groups” on page 171) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN” field on this page.
RSPAN has been configured, MAC address learning will still not be restarted on the RSPAN uplink ports.
■ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
◆ Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both)
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
Figure 68: Configuring Remote Port Mirroring (Intermediate)

Figure 69: Configuring Remote Port Mirroring (Destination)

Sampling Traffic Flows

The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
Note: The terms “collector”, “receiver” and “owner”, in the context of this chapter, all refer to a remote server capable of receiving the sFlow datagrams generated by the sFlow agent of the switch.

As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created.
used to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Receiver Socket Port – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 1-65534)
◆ Maximum Datagram Size – Maximum size of the sFlow datagram payload. (Range: 200-1500 bytes)
◆ Datagram Version – Sends either v4 or v5 sFlow datagrams to the receiver.

Web Interface
To configure an sFlow receiver:
1.
Figure 71: Showing sFlow Receivers

Configuring an sFlow Polling Instance

Use the Interface > sFlow (Configure Details – Add) page to enable an sFlow polling data source that polls periodically based on a specified time interval, or an sFlow data source instance that takes samples periodically based on the number of packets processed.

Parameters
These parameters are displayed in the web interface:
◆ Receiver Owner Name – The name of the receiver.
5. Click Apply.

Figure 72: Configuring an sFlow Instance

Web Interface
To show configured instances:
1. Click Interface, sFlow.
2. Select Configure Details from the Step list.
3. Select Show from the Action list.
4. Select the owner name from the scroll-down list.
5. Select sFlow type as Sampling or Polling.
Traffic Segmentation

If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 74: Enabling Traffic Segmentation

Configuring Uplink and Downlink Ports

Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

Parameters
These parameters are displayed:
◆ Session ID – Traffic segmentation session. (Range: 1-4)
◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink)
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.
3. Select Show from the Action list.

Figure 76: Showing Traffic Segmentation Members

VLAN Trunking

Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.

Command Usage
◆ Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
◆ If both VLAN trunking and ingress filtering are disabled on an interface, packets with unknown VLAN tags will still be allowed to enter this interface and will be flooded to all other ports where VLAN trunking is enabled.
5 VLAN Configuration

This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
◆ L2PT Tunneling – Configures Layer 2 Protocol Tunneling for the specified protocol.
◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
IEEE 802.1Q VLANs

groups (such as e-mail), or multicast groups (used for multimedia applications such as video conferencing).

VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.
Figure 79: VLAN Compliant and VLAN Non-compliant Devices (VA: VLAN Aware, VU: VLAN Unaware)

VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.

Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs” on page 173). But you can still enable GVRP on these edge switches, as well as on the core switches in the network.
Configuring VLAN Groups

Use the VLAN > Static (Add) page to create or remove VLAN groups, set administrative status, or specify Remote VLAN type (see “Configuring Remote Port Mirroring” on page 152). To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.

Parameters
These parameters are displayed:

Add
◆ VLAN ID – ID of VLAN or range of VLANs (1-4094).
Web Interface
To create VLAN groups:
1. Click VLAN, Static.
2. Select Add from the Action list.
3. Enter a VLAN ID or range of IDs.
4. Enable the Status field to set the VLAN as operational.
5. Specify whether the VLANs are to be used for remote port mirroring.
6. Click Apply.

Figure 81: Creating Static VLANs

To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3.
Figure 82: Modifying Settings for Static VLANs

To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.

Figure 83: Showing Static VLANs

Adding Static Members to VLANs

Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
◆ Interface – Displays a list of ports or trunks.
  ■ Port – Port Identifier. (Range: 1-28)
  ■ Trunk – Trunk Identifier. (Range: 1-26)
◆ Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid)
  ■ Access - Sets the port to operate as an untagged interface. The port transmits and receives untagged frames on a single VLAN only. Access mode is mutually exclusive with VLAN trunking (see “VLAN Trunking” on page 164).
◆ Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk:
  ■ Tagged: Interface is a member of the VLAN. All packets transmitted by the port will be tagged, that is, carry a tag and therefore carry VLAN or CoS information.
  ■ Untagged: Interface is a member of the VLAN.
3. Select a VLAN from the scroll-down list.
4. Set the Interface type to display as Port or Trunk.
5. Modify the settings for any interface as required.
6. Click Apply.

Figure 84: Configuring Static Members by VLAN Index

To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.
Figure 85: Configuring Static VLAN Members by Interface

To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.
Configuring Dynamic VLAN Registration

Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.

Parameters
These parameters are displayed:

Configure General
◆ GVRP Status – GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
Show Dynamic VLAN – Show VLAN
◆ VLAN ID – Identifier of a VLAN this switch has joined through GVRP.
◆ VLAN Name – Name of a VLAN this switch has joined through GVRP.
◆ Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled)

Show Dynamic VLAN – Show VLAN Member
◆ VLAN – Identifier of a VLAN this switch has joined through GVRP.
◆ Interface – Displays a list of ports or trunks which have joined the selected VLAN through GVRP.
Figure 88: Configuring GVRP for an Interface

To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.

Figure 89: Showing Dynamic VLANs Registered on the Switch

To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.
Figure 90: Showing the Members of a Dynamic VLAN

IEEE 802.1Q Tunneling

IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet.

When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
6. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.

Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN.
5. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 173).
6. Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to QinQ Tunnel” on page 188).
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 173).
3. Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames.
4. Click Apply.

Figure 92: Enabling QinQ Tunneling

Creating CVLAN to SPVLAN

Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094)

Web Interface
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.

Figure 93: Configuring CVLAN to SPVLAN Mapping Entries

To show the mapping table:
1.
Figure 94: Showing CVLAN to SPVLAN Mapping Entries

The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide.

Adding an Interface to QinQ Tunnel

Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
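The double-tagging behaviour described in this section (outer SPVLAN tag pushed at the tunnel access port, CVID 2 mapped to SVID 99, outer tag stripped on an untagged SPVLAN member), as an added Python example that is not part of the guide or the switch software. The function names, the native VID of 100, the sample frames and the use of 0x8100 as the tunnel TPID are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # standard 802.1Q ethertype, assumed here as the tunnel TPID


def vlan_tag(vid, tpid=TPID_8021Q, pcp=0):
    """Build a 4-byte tag: 16-bit TPID, then PCP (3 bits), DEI (1 bit), VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094, got %r" % (vid,))
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def parse_tags(frame, tpid=TPID_8021Q):
    """Return ([VIDs, outermost first], payload ethertype) for an Ethernet frame."""
    vids, offset = [], 12  # tags follow the destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (tpid, TPID_8021Q):
            return vids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def access_port_ingress(frame, native_vid, cvid_to_svid, tpid=TPID_8021Q):
    """Tunnel access port: push the SPVLAN tag in front of any customer tag."""
    vids, _ = parse_tags(frame)
    cvid = vids[0] if vids else None           # None: customer frame is untagged
    svid = cvid_to_svid.get(cvid, native_vid)  # no mapping entry: port's native VID
    return frame[:12] + vlan_tag(svid, tpid) + frame[12:]


def spvlan_egress(frame, tagged_member, tpid=TPID_8021Q):
    """Egress port in the SPVLAN: a tagged member keeps both tags, an untagged
    member has the outer tag stripped."""
    if tagged_member:
        return frame
    vids, _ = parse_tags(frame, tpid)
    if not vids:
        raise ValueError("frame carries no SPVLAN tag to strip")
    return frame[:12] + frame[16:]


def sample_customer_frame(cvid=None):
    """Constructed test frame: broadcast IPv4 frame, optionally tagged with a CVID."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    tag = vlan_tag(cvid) if cvid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


PORT1_MAP = {2: 99}   # the guide's mapping example: CVID 2 -> SVID 99
NATIVE_VID = 100      # constructed SPVLAN used when no mapping entry matches

if __name__ == "__main__":
    for cvid in (2, 5, None):
        tunneled = access_port_ingress(sample_customer_frame(cvid), NATIVE_VID, PORT1_MAP)
        restored = spvlan_egress(tunneled, tagged_member=False)
        print("CVID", cvid, "-> in tunnel", parse_tags(tunneled)[0],
              "-> after untagged egress", parse_tags(restored)[0])
```

Two customers that both use CVID 2 stay separate inside the provider network only because their access ports map to different SVIDs, which is why the mapping table and the native VID of each access port deserve review.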
Web Interface
To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink.
4. Click Apply.

Figure 95: Adding an Interface to a QinQ Tunnel

L2PT Tunneling

When Layer 2 Protocol Tunneling (L2PT) is not used, protocol packets (e.g., STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.
switches carrying this traffic across the service provider’s network treat these encapsulated packets in the same way as normal data, forwarding them to the tunnel’s egress port. The egress port decapsulates these packets, restores the proper protocol and MAC address information, and then floods them onto the same VLANs at the customer’s remote site (via all of the appropriate tunnel ports and access ports connected to the same metro VLAN).
recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e., having the destination address 01-00-0C-CD-CD-D0), it is forwarded to the following ports in the same S-VLAN:
■ other access ports for which L2PT is enabled after decapsulating the packet and restoring the proper protocol and MAC address information.
■ all uplink ports.
Web Interface
To configure the destination MAC address for L2PT:
1. Click VLAN, L2PT.
2. Select Configure Global from the Step list.
3. Set the tunnel MAC address.
4. Click Apply.

Figure 96: Configuring the L2PT Tunnel Address

Enabling L2PT for Selected Interfaces

Use the VLAN > L2PT (Configure Interface) page to enable Layer 2 Protocol Tunneling on selected interfaces.

Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier.
3. Mark the protocols to be passed through the L2PT tunnel on the required interfaces.
4. Click Apply.

Figure 97: Enabling L2PT on Required Interfaces

Protocol VLANs

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
Configuring Protocol VLAN Groups

Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

Parameters
These parameters are displayed:
◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw.
Figure 98: Configuring Protocol VLANs

To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.

Figure 99: Displaying Protocol VLANs

Mapping Protocol Groups to Interfaces

Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
  ■ Port – Port Identifier. (Range: 1-28)
  ■ Trunk – Trunk Identifier.
To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.

Figure 101: Showing the Interface to Protocol Group Mapping

Configuring IP Subnet VLANs

Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
■ The interface must be configured as a member of the subnet VLAN.
■ The IP address and subnet mask of the inbound packet must fall within specified subnet VLAN.

The above conditions mean that any ARP requests will not be forwarded within the subnet VLAN because they are EtherType 0x0806 and do not meet the requirements for an IP subnet VLAN. For example, ping requests must pass through an IP subnet VLAN.
Figure 102: Configuring IP Subnet VLANs

To show the configured IP subnet VLANs:
1. Click VLAN, IP Subnet.
2. Select Show from the Action list.

Figure 103: Showing IP Subnet VLANs

Configuring MAC-based VLANs

Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.

Parameters
These parameters are displayed:
◆ MAC Address – A source MAC address which is to be mapped to a specific VLAN. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
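The classification order stated above (MAC-based, then IP subnet-based, then protocol-based, then port-based), together with the IP subnet membership condition and the ARP caveat from the IP subnet VLAN section, as an added Python example that is not the switch's own code. The VlanConfig class, the sample tables and frames are constructed for illustration, and matching the subnet against the frame's source IPv4 address is an assumption.

```python
import ipaddress
import re
import struct

ETH_8021Q, ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x8100, 0x0800, 0x0806, 0x86DD
_MAC_RE = re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}|[0-9a-f]{12}")


def normalize_mac(text):
    """Accept xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx and return the 6 raw bytes."""
    lowered = text.strip().lower()
    if not _MAC_RE.fullmatch(lowered):
        raise ValueError("bad MAC address format: %r" % text)
    return bytes.fromhex(lowered.replace("-", ""))


class VlanConfig:
    """Constructed stand-in for the switch's VLAN tables (not its data model)."""

    def __init__(self, pvid, members, mac_vlans=(), subnet_vlans=(), protocol_vlans=()):
        self.pvid = dict(pvid)                                   # port -> default VLAN
        self.members = {v: set(p) for v, p in members.items()}   # VLAN -> member ports
        self.mac_vlans = {normalize_mac(m): v for m, v in mac_vlans}
        self.subnet_vlans = [(ipaddress.ip_network(n), v) for n, v in subnet_vlans]
        self.protocol_vlans = dict(protocol_vlans)               # (port, ethertype) -> VLAN


def classify(frame, port, cfg):
    """Return (vlan_id, rule) for an Ethernet II frame received on `port`."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_8021Q:
        # Tagged frames keep the VLAN carried in the tag (standard 802.1Q behaviour).
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        return tci & 0x0FFF, "tag"
    if src_mac in cfg.mac_vlans:                                 # 1. MAC-based
        return cfg.mac_vlans[src_mac], "mac"
    if ethertype == ETH_IPV4 and len(frame) >= 34:               # 2. IP subnet-based
        src_ip = ipaddress.IPv4Address(frame[26:30])
        for net, vid in cfg.subnet_vlans:
            # The receiving interface must also be a member of the subnet VLAN.
            if src_ip in net and port in cfg.members.get(vid, ()):
                return vid, "ip-subnet"
    vid = cfg.protocol_vlans.get((port, ethertype))              # 3. protocol-based
    if vid is not None:
        return vid, "protocol"
    return cfg.pvid[port], "port"                                # 4. port-based (PVID)


def eth_frame(src_mac, ethertype, payload, vid=None):
    """Build a constructed test frame with a broadcast destination."""
    tag = struct.pack("!HH", ETH_8021Q, vid) if vid is not None else b""
    return b"\xff" * 6 + normalize_mac(src_mac) + tag + struct.pack("!H", ethertype) + payload


def ipv4_payload(src_ip):
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address("192.168.10.1").packed)


# Constructed sample tables: every value below is illustrative.
SAMPLE = VlanConfig(
    pvid={1: 1, 2: 1, 3: 1},
    members={20: {1, 2}, 30: {1}, 40: {2}},
    mac_vlans=[("00-11-22-33-44-55", 30)],
    subnet_vlans=[("192.168.10.0/24", 20)],
    protocol_vlans={(2, ETH_IPV6): 40},
)
HOST = "02aabbccddee"

if __name__ == "__main__":
    cases = [
        ("IPv4 from subnet host", eth_frame(HOST, ETH_IPV4, ipv4_payload("192.168.10.7")), 1),
        ("ARP from same host", eth_frame(HOST, ETH_ARP, b"\x00" * 28), 1),
        ("IPv4 from mapped MAC", eth_frame("001122334455", ETH_IPV4, ipv4_payload("192.168.10.9")), 1),
        ("IPv6 on port 2", eth_frame(HOST, ETH_IPV6, b"\x60" + b"\x00" * 39), 2),
    ]
    for label, frame, port in cases:
        print(label, "->", classify(frame, port, SAMPLE))
```

The second case shows the ARP caveat: the host's IPv4 traffic lands in the subnet VLAN while its ARP requests fall through to the port's default VLAN unless a protocol VLAN for ARP is mapped to that interface.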
Figure 105: Showing MAC-Based VLANs

Configuring VLAN Translation

Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.

Command Usage
◆ QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network.
Parameters
These parameters are displayed:
◆ Port – Port Identifier. (Range: 1-28)
◆ Old VLAN – The original VLAN ID. (Range: 1-4094)
◆ New VLAN – The new VLAN ID. (Range: 1-4094)

Web Interface
To configure VLAN translation:
1. Click VLAN, Translation.
2. Select Add from the Action list.
3. Select a port, and enter the original and new VLAN IDs.
4. Click Apply.
6 Address Table Settings

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

This chapter describes the following topics:
◆ Dynamic Address Cache – Shows dynamic entries in the address table.
Dynamic Address Cache

◆ Type – Shows that the entries in this table are learned. (Values: Learned or Security, the last of which indicates Port Security)
◆ Life Time – Shows the time to retain the specified address.

Web Interface
To show the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Show Dynamic MAC from the Action list.
3. Select the Sort Key (MAC Address, VLAN, or Interface).
4. Enter the search parameters (MAC Address, VLAN, or Interface).
5.
Web Interface
To clear the entries in the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Clear Dynamic MAC from the Action list.
3. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
4. Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface.
5. Click Clear.
5. Click Apply.

Figure 111: Setting the Address Aging Time

Configuring MAC Address Learning

Use the MAC Address > Learning Status page to enable or disable MAC address learning on an interface.

Command Usage
◆ When MAC address learning is disabled, the switch immediately stops learning new MAC addresses on the specified interface.
◆ Status – The status of MAC address learning. (Default: Enabled)

Web Interface
To enable or disable MAC address learning:
1. Click MAC Address, Learning Status.
2. Set the learning status for any interface.
3. Click Apply.

Figure 112: Configuring MAC Address Learning

Setting Static Addresses

Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch.
Parameters
These parameters are displayed:

Add Static Address
◆ VLAN – ID of configured VLAN. (Range: 1-4094)
◆ Interface – Port or trunk associated with the device assigned a static address.
◆ MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
◆ Static Status – Sets the time to retain the specified address.
To show the static addresses in MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.

Figure 114: Displaying Static MAC Addresses

Issuing MAC Address Traps

Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed.
3. Configure MAC notification traps and the transmission interval.
4. Click Apply.

Figure 115: Issuing MAC Address Traps (Global Configuration)

To enable MAC address traps at the interface level:
1. Click MAC Address, MAC Notification.
2. Select Configure Interface from the Step list.
3. Enable MAC notification traps for the required ports.
4. Click Apply.
7 Spanning Tree Algorithm

This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Overview

ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

Figure 117: STP Root Ports and Designated Ports (labels: Designated Root, Designated Bridge, Designated Port, Root Port)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
Figure 118: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree (labels: IST (for this Region), MST 1, MST 2, Region R)

An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 231). An MST Region may contain multiple MSTP Instances.
Configuring Loopback Detection

Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode. This loopback state can be released manually or automatically.
If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.

If an interface is shut down due to a detected loopback, and the release mode is set to “Manual,” the interface can be re-enabled using the Release button.

Web Interface
To configure loopback detection:
1. Click Spanning Tree, Loopback Detection.
2.

Configuring Global Settings for STA
◆ Rapid Spanning Tree Protocol
  RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
  ■ STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.
lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
  ■ Default: 20
  ■ Minimum: The higher of 6 or [2 x (Hello Time + 1)]
  ■ Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
◆ Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e.
Web Interface
To configure global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section.
5.
Figure 122: Configuring Global Settings for STA (RSTP)

Figure 123: Configuring Global Settings for STA (MSTP)
Displaying Global Settings for STA

Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
Figure 124: Displaying Global Settings for STA

Configuring Interface Settings for STA

Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
◆ Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost takes precedence over port priority.
The root path cost for i1 on SW3 used to compete for the role of root port is 0 + path cost of i1 on SW3; 0 since i1 is directly connected to the root bridge. If the path cost of i1 on SW2 is never configured/changed, it is 10000. Then the root path cost for i2 on SW3 used to compete for the role of root port is 10000 + path cost of i2 on SW3. The path cost of i1 on SW3 is also 10000 if not configured/changed.
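The root port comparison for SW3 in the passage above, and the rule that path cost takes precedence over port priority, as an added Python example that is not taken from the guide or the switch firmware. The bridge IDs, port IDs and the default port priority of 128 are constructed values, and the tie-breakers after root path cost follow the standard IEEE 802.1D ordering, which generalizes beyond the single case the guide describes.

```python
from dataclasses import dataclass

DEFAULT_PATH_COST = 10000  # unconfigured port cost used in the guide's example


@dataclass(frozen=True)
class Candidate:
    """One local port that received a BPDU, with what that BPDU advertised."""
    port: str
    advertised_root_cost: int             # root path cost carried in the received BPDU
    sender_bridge_id: tuple               # (bridge priority, MAC as int) of the sender
    sender_port_id: tuple = (128, 1)      # (port priority, port number) on the sender
    local_port_id: tuple = (128, 1)       # (port priority, port number) on this bridge
    path_cost: int = DEFAULT_PATH_COST    # admin path cost of the local port

    @property
    def root_path_cost(self):
        """Cost advertised by the neighbour plus the cost of the receiving port."""
        return self.advertised_root_cost + self.path_cost


def select_root_port(candidates):
    """Pick the root port: lowest root path cost first, then the 802.1D
    tie-breakers (sender bridge ID, sender port ID, local port ID)."""
    if not candidates:
        raise ValueError("no candidate ports")
    return min(candidates, key=lambda c: (c.root_path_cost, c.sender_bridge_id,
                                          c.sender_port_id, c.local_port_id))


# Constructed bridge IDs for the guide's topology: SW3 sees the root on i1
# and SW2 on i2.
ROOT = (32768, 0x000000000001)
SW2 = (32768, 0x000000000002)


def sw3_candidates(i1_cost=DEFAULT_PATH_COST, i2_priority=128):
    """SW3's two candidate ports, with optional admin overrides."""
    return [
        Candidate("i1", 0, ROOT, local_port_id=(128, 1), path_cost=i1_cost),
        Candidate("i2", DEFAULT_PATH_COST, SW2, local_port_id=(i2_priority, 2)),
    ]


if __name__ == "__main__":
    for label, cands in [
        ("defaults", sw3_candidates()),
        ("i2 port priority 0", sw3_candidates(i2_priority=0)),
        ("i1 path cost 30000", sw3_candidates(i1_cost=30000)),
    ]:
        costs = {c.port: c.root_path_cost for c in cands}
        print(label, costs, "-> root port", select_root_port(cands).port)
```

Because the lowest cost wins, a single misconfigured or attacker-influenced low path cost on an access-facing port can pull the root port toward it, so admin path cost changes belong in configuration review alongside BPDU protections.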
IEEE 802.3D-2004 17.20.4); otherwise it equals the spanning tree’s maximum age for configuration messages (see maximum age under “Configuring Global Settings for STA” on page 217).

An interface cannot function as an edge port under the following conditions:
■ If spanning tree mode is set to STP (page 217), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
format (RSTP or STP-compatible) to send on the selected interfaces. (Default: Disabled)
◆ TC Propagate Stop – Stops the propagation of topology change notifications (TCN). (Default: Disabled)

Web Interface
To configure interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes.
5. Click Apply.

Displaying Interface Settings for STA
◆ STA Status – Displays current state of this port within the Spanning Tree:
  ■ Discarding - Port receives STA configuration messages, but does not forward packets.
  ■ Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
false if a BPDU is received, indicating that another bridge is attached to this port.
◆ Port Role – Roles are assigned according to whether the port is part of the active topology, that is the best port connecting a non-root bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port), is the MSTI regional root (i.e.
Figure 128: Displaying Interface Settings for STA

Configuring Multiple Spanning Trees

Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

Command Usage

MSTP generates a unique spanning tree for each instance.
Note: All VLANs are automatically added to the IST (Instance 0).

To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.

Parameters

These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Range: 0-4094)
◆ VLAN ID – VLAN to assign to this MST instance. (Range: 1-4094)
◆ Priority – The priority of a spanning tree instance.
To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.

Figure 130: Displaying MST Instances

To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
4. Select an MST ID. The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 223.

Figure 132: Displaying Global Settings for an MST Instance

To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5.
To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.

Figure 134: Displaying Members of an MST Instance

Configuring Interface Settings for MSTP

Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
8 Congestion Control

The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
Web Interface

To configure rate limits:
1. Click Traffic, Rate Limit.
2. Enable the rate limit Status for the required ports.
3. Set the rate limit for the individual ports.
4. Click Apply.

Figure 137: Configuring Rate Limits

Storm Control

Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds.
port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
◆ Rate limits set by the storm control function are also used by automatic storm control when the control response is set to rate control on the Auto Traffic Control (Configure Interface) page.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results.
Figure 138: Configuring Storm Control

Automatic Traffic Control

Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

Command Usage

ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
Setting the ATC Timers

Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Figure 141: Configuring ATC Timers

Configuring ATC Thresholds and Responses

Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 139 on page 242. When traffic control stops, the event is logged by the system and a Traffic Release Trap can be sent.
Web Interface

To configure the response timers for automatic storm control:
1. Click Traffic, Auto Traffic Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
4. Click Apply.
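The interaction of the two thresholds, the apply and release timers, and Auto Release Control described in this section can be modelled as a small state machine. The following is an added example, not code from the switch or its vendor: the kpps unit, the event names `storm-alarm-fire` and `traffic-control-apply`, the sample trace, and the behaviour when traffic dips before a timer expires are assumptions made for illustration.

```python
from dataclasses import dataclass

NORMAL, ALARM, CONTROL, CLEARING = "normal", "alarm", "control", "clearing"


@dataclass
class AtcPort:
    """Hysteresis model of automatic traffic control (ATC) on one port."""
    upper_kpps: int            # upper threshold: exceeding it starts the apply timer
    lower_kpps: int            # alarm clear (lower) threshold
    apply_timer_s: int         # delay before the control response is applied
    release_timer_s: int       # delay before a rate-limit response is released
    auto_release: bool = True  # the guide's "Auto Release Control" setting
    state: str = NORMAL
    since: float = 0.0         # time at which the running timer was started

    def sample(self, t, rate_kpps):
        """Feed one ingress-rate sample taken at time t; return events raised."""
        events = []
        if self.state == NORMAL:
            if rate_kpps > self.upper_kpps:
                self.state, self.since = ALARM, t
                events.append("storm-alarm-fire")          # assumed event name
        elif self.state == ALARM:
            if rate_kpps < self.lower_kpps:
                # Assumption: a storm that ends before the apply timer
                # expires is cleared without any control response.
                self.state = NORMAL
                events.append("storm-alarm-clear")
            elif t - self.since >= self.apply_timer_s:
                self.state = CONTROL
                events.append("traffic-control-apply")     # assumed event name
        elif self.state == CONTROL:
            if rate_kpps < self.lower_kpps:
                self.state, self.since = CLEARING, t       # release timer starts
                events.append("storm-alarm-clear")
        elif self.state == CLEARING:
            if rate_kpps >= self.lower_kpps:
                # Assumption: traffic returning above the lower threshold
                # cancels the release timer and keeps the response active.
                self.state = CONTROL
            elif self.auto_release and t - self.since >= self.release_timer_s:
                self.state = NORMAL
                events.append("traffic-control-release")
            # With auto_release off the response stays until an operator
            # releases it manually, so no event is raised here.
        return events


def replay(port, samples):
    """Run (time, rate) samples through the port; return [(time, event), ...]."""
    log = []
    for t, rate in samples:
        log.extend((t, event) for event in port.sample(t, rate))
    return log


# Constructed trace: one ingress sample per second, in kilopackets per second.
STORM_TRACE = [(0, 10), (1, 150), (2, 160), (3, 170), (4, 180), (5, 170),
               (6, 30), (7, 20), (8, 60), (9, 30), (10, 20), (11, 20),
               (12, 20), (13, 20), (14, 20), (15, 10)]

if __name__ == "__main__":
    port = AtcPort(upper_kpps=100, lower_kpps=40, apply_timer_s=3, release_timer_s=5)
    for t, event in replay(port, STORM_TRACE):
        print(f"t={t:>2}s  {event}")
```

The trace shows why the release timer matters for monitoring: a brief lull at t=6 clears the alarm but does not lift the rate limit, because traffic rises again before the timer expires.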
9 Class of Service

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Chapter 9 | Class of Service Layer 2 Queue Settings

◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.

Parameters

These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)

Web Interface

To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface

To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.
Figure 146: Setting the Queue Mode (Strict and WRR)

Mapping CoS Values to Egress Queues

Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 260).
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in Table 14. However, priority levels can be mapped to the switch’s output queues in any way that benefits application traffic for the network.
3. Map an internal PHB to a hardware queue. Depending on how an ingress packet is processed internally based on its CoS value, and the assigned output queue, the mapping done on this page can effectively determine the service priority for different traffic classes.
4. Click Apply.

Figure 147: Mapping CoS Values to Egress Queues

To show the internal PHB to hardware queue map:
1. Click Traffic, Priority, PHB to Queue.
2. Select Show from the Action list.
Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values

The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Parameters

These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ Trust Mode
  ■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.)
  ■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values.
  ■ IP Precedence – Maps layer 3/4 priorities using IP Precedence values.

Web Interface

To configure the trust mode:
1. Click Traffic, Priority, Trust Mode.
2.
◆ This map is only used when the priority mapping mode is set to DSCP (see page 256), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain.
Web Interface

To map DSCP values to internal PHB/drop precedence:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.

Figure 150: Configuring DSCP to DSCP Internal Mapping

To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
Mapping CoS Priorities to Internal DSCP Values

Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.

Command Usage
◆ The default mapping of CoS to PHB values is shown in Table 17 on page 260.
◆ Enter up to eight CoS/CFI paired values, per-hop behavior and drop precedence.
◆ If a packet arrives with a 802.
Web Interface

To map CoS/CFI values to internal PHB/drop precedence:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any of the CoS/CFI combinations.
5. Click Apply.

Figure 152: Configuring CoS to DSCP Internal Mapping

To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
3.
Mapping Internal DSCP Values to Egress CoS Values

Use the Traffic > Priority > DSCP to CoS page to map internal per-hop behavior and drop precedence value pairs to CoS values used in tagged egress packets on a Layer 2 interface.

Command Usage
◆ Enter any per-hop behavior and drop precedence pair within the internal priority map, and then enter the corresponding CoS/CFI pair.
◆ If the packet is forwarded with an 8021.
Web Interface

To map internal per-hop behavior and drop precedence values to CoS values in the web interface:
1. Click Traffic, Priority, DSCP to CoS.
2. Select Configure from the Action list.
3. Select an interface.
4. Select any PHB and drop precedence pair within the internal priority map, and then set the corresponding CoS/CFI pair.
5. Click Apply.
Mapping IP Precedence Values to Internal DSCP Values

Use the Traffic > Priority > IP Precedence to DSCP page to map IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing. The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic.
◆ Drop Precedence – Drop precedence used for controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)

Table 20: Default Mapping of IP Precedence to Internal PHB/Drop Values

IP Precedence Value   0  1  2  3  4  5  6  7
Per-hop Behavior      0  1  2  3  4  5  6  7
Drop Precedence       0  0  0  0  0  0  0  0

Web Interface

To map IP Precedence to internal PHB/drop precedence in the web interface:
1.
To show the IP Precedence to internal PHB/drop precedence map in the web interface:
1. Click Traffic, Priority, IP Precedence to DSCP.
2. Select Show from the Action list.
3. Select an interface.
◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
◆ Drop Precedence – Drop precedence used for controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)

Web Interface

To map TCP/UDP port number to per-hop behavior and drop precedence in the web interface:
1. Click Traffic, Priority, IP Port to DSCP.
2. Select Configure from the Action list.
3. Select an interface.
4.
To show the TCP/UDP port number to per-hop behavior and drop precedence map in the web interface:
1. Click Traffic, Priority, IP Port to DSCP.
2. Select Show from the Action list.
3. Select an interface.
10 Quality of Service

This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.
Chapter 10 | Quality of Service Configuring a Class Map

Command Usage

To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class that specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN or a CoS value.
3.
Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value. (Range: 0-63)
◆ IP Precedence – An IP Precedence value.
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.

Figure 161: Showing Class Maps

To modify the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Modify from the Action list.
4. Select the class name and then use the Class Rename option to edit the name or in the Description field edit the text.
4. Select the name of a class map.
5. Specify type of traffic for this class based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value. You can specify up to 16 items to match when assigning ingress traffic to a class map.
6. Click Apply.

Figure 163: Adding Rules to a Class Map

To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Creating QoS Policies

Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 270), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (page 284).

Configuring QoS policies requires several steps.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
(BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size.
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.

Command Usage

A policy map can contain 16 class statements that can be applied to the same interface (page 284). Up to 32 policy maps can be configured for ingress ports.
◆ Meter – Check this to define the maximum throughput, burst rate, and the action that results from a policy violation.
◆ Meter Mode – Selects one of the following policing methods.
  ■ Flow (Police Flow) – Defines the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and the action to take for conforming and non-conforming traffic.
packets are pre-colored. The functional differences between these modes are described at the beginning of this section under “srTCM Police Meter.”
  ■ Committed Information Rate (CIR) – Committed rate in kilobits per second. (Range: 0-10000000 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
  ■ Committed Burst Size (BC) – Committed burst in bytes.
The color modes include “Color-Blind” which assumes that the packet stream is uncolored, and “Color-Aware” which assumes that the incoming packets are pre-colored. The functional differences between these modes are described at the beginning of this section under “trTCM Police Meter.”
  ■ Committed Information Rate (CIR) – Committed rate in kilobits per second.
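To make the color-blind and color-aware meter modes described above concrete, the following added example implements the single-rate three-color marker as specified in RFC 2697. It is not the switch's own code: `cir_kbps` and `bc_bytes` follow the CIR and BC parameters of this guide, while `ebs_bytes` (the excess burst size from RFC 2697) and the sample burst are assumptions made for illustration.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTcm:
    """Single-rate three-color marker (srTCM) following RFC 2697."""

    def __init__(self, cir_kbps, bc_bytes, ebs_bytes, color_aware=False):
        self.rate = cir_kbps * 1000 / 8   # CIR converted to bytes per second
        self.cbs = bc_bytes               # committed burst size (BC in this guide)
        self.ebs = ebs_bytes              # excess burst size (RFC 2697 name)
        self.tc = float(bc_bytes)         # committed bucket, starts full
        self.te = float(ebs_bytes)        # excess bucket, starts full
        self.color_aware = color_aware
        self.last = 0.0                   # time of the previous refill

    def refill(self, now):
        """Add tokens earned since the last packet: Tc first, overflow to Te."""
        earned = max(0.0, now - self.last) * self.rate
        self.last = max(self.last, now)
        to_tc = min(earned, self.cbs - self.tc)
        self.tc += to_tc
        self.te = min(self.ebs, self.te + earned - to_tc)

    def mark(self, now, size, pre_color=GREEN):
        """Return the color assigned to a packet of `size` bytes at time `now`."""
        self.refill(now)
        if not self.color_aware:
            pre_color = GREEN             # color-blind: ignore upstream marking
        if pre_color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN                  # conforms to CIR and BC
        if pre_color in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW                 # exceeds BC but fits the excess burst
        return RED                        # violates both buckets


def classify(meter, packets):
    """Mark a list of (time_s, size_bytes) packets; return their colors."""
    return [meter.mark(t, size) for t, size in packets]


# Constructed burst: six back-to-back 1000-byte packets, then one a second later.
BURST = [(0.0, 1000)] * 6 + [(1.0, 1000)]

if __name__ == "__main__":
    meter = SrTcm(cir_kbps=8, bc_bytes=1500, ebs_bytes=3000)
    for (t, size), color in zip(BURST, classify(meter, BURST)):
        print(f"t={t:.1f}s size={size} -> {color}")
```

A color-aware meter can only keep or worsen the color a packet arrives with, whereas a color-blind meter discards it, so color-aware mode is only meaningful on ports where the upstream marking is trusted.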
Web Interface

To configure a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.

Figure 165: Configuring a Policy Map

To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
To modify the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Modify from the Action list.
4. Select the policy name and then use the Policy Rename option to edit the name or in the Description field edit the text.

Figure 167: Modifying Policy Maps

To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3.
Figure 168: Adding Rules to a Policy Map

To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
Attaching a Policy Map to a Port

Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.

Command Usage
◆ First define a class map, define a policy map, and then bind the service policy to the required interface.
◆ Only one policy map can be bound to an interface.
◆ The switch does not allow a policy map to be bound to an interface for egress traffic.
Figure 170: Attaching a Policy Map to a Port
11 VoIP Traffic Configuration

This chapter covers the following topics:
◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organizationally Unique Identifier (OUI).
Configuring VoIP Traffic

Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

Command Usage

All ports are set to VLAN hybrid mode by default.
Figure 171: Configuring a Voice VLAN

Configuring Telephony OUI

VoIP devices attached to the switch can be identified by the vendor’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports

6. Enter a description for the devices.
7. Click Apply.

Figure 172: Configuring an OUI Telephony List

To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
Parameters

These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
  ■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
  ■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.”

Web Interface

To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
12 Security Measures

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 12 | Security Measures AAA Authentication, Authorization and Accounting

◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, or static source bindings.
◆ ARP Inspection – Security feature that validates the MAC Address bindings for Address Resolution Protocol packets.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See “Configuring Local/Remote Logon Authentication” on page 295.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3.
  ■ TACACS – User authentication is performed using a TACACS+ server only.
  ■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.

Web Interface

To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
  ■ Set Key – Mark this box to set or modify the encryption key.
  ■ Authentication Key – Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
  ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made.
When specifying the priority sequence for a server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication” on page 295).

Web Interface

To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3. Select RADIUS or TACACS+ server type.
4.
Figure 178: Configuring Remote Authentication Server (TACACS+)

To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
  ■ Exec – Administrative accounting for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined. (Range: 1-64 characters) Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers.
Show Information – Summary
◆ Accounting Type - Displays the accounting service.
◆ Method Name - Displays the user-defined or default accounting method.
◆ Server Group Name - Displays the accounting server group.
◆ Interface - Displays the port, console or Telnet interface to which these rules apply. (This field is null if the accounting method and associated server group has not been assigned to an interface.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Command 0 to 15, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.

Figure 182: Configuring AAA Accounting Methods

To show the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3.
To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels (0 to 15), and local console, Telnet, or SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Command 0 to 15, Exec).
4. Enter the required accounting method.
5. Click Apply.
To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.

Figure 187: Displaying a Summary of Applied AAA Accounting Methods

To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2.
Configuring AAA Authorization
Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.
Command Usage
◆ This feature performs authorization to determine if a user is allowed to run an Exec shell.
◆ Interface - Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group has not been assigned to an interface.)
Web Interface
To configure the authorization method applied to the Exec service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3.
To configure the authorization method applied to local console, Telnet, or SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
3. Enter the required authorization method.
4. Click Apply.
Figure 191: Configuring AAA Authorization Methods for Exec Service
To display the configured authorization method and assigned server groups for the Exec service type:
1.
Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
Command Usage
◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
◆ The guest only has read access for most configuration parameters.
  ■ Encrypted Password – Encrypted password.
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server. There is no need for you to manually configure encrypted passwords.
◆ Password – Specifies the user password.
Figure 194: Showing User Accounts
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
◆ Quiet Period – Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts. (Range: 1-180 seconds; Default: 60 seconds)
◆ Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period.
◆ Revert – Restores the previous configuration settings.
◆ Re-authenticate – Ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List, and forces the users to reauthenticate.
◆ Revert – Restores the previous configuration settings.
Web Interface
To enable web authentication for a port:
1. Click Security, Web Authentication.
2. Select Configure Interface from the Step list.
3.
Network Access (MAC Address Authentication)
Command Usage
◆ MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
(attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 21: Dynamic QoS Profiles
Profile      Attribute Syntax                     Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate                rate-limit-input=100 (in units of Kbps)
802.
◆ When the last user logs off on a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
4. Click Apply.
Figure 197: Configuring Global Settings for Network Access
Configuring Network Access for Ports
Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.
◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled)
The VLAN settings specified by the first authenticated MAC address are implemented for a port.
Figure 198: Configuring Interface Settings for Network Access
Configuring Port Link Detection
Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
Parameters
These parameters are displayed:
◆ Link Detection Status – Configures whether Link Detection is enabled or disabled for a port.
4. Modify the link detection status, trigger condition, and the response for any port.
5. Click Apply.
Figure 199: Configuring Link Detection for Network Access
Configuring a MAC Address Filter
Use the Security > Network Access (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication.
Web Interface
To add a MAC address filter for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Add from the Action list.
4. Enter a filter ID, MAC address, and optional mask.
5. Click Apply.
Figure 200: Configuring a MAC Address Filter for Network Access
To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2.
Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Parameters
These parameters are displayed:
◆ Query By – Specifies parameters to use in the MAC address query.
Figure 202: Showing Addresses Authenticated for Network Access
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 52, or Google Chrome 57, or more recent versions.
◆ The following web browsers and operating systems currently support HTTPS:
Table 22: HTTPS System Support
Web Browser    Operating System
Internet Explorer 11.
Figure 203: Configuring HTTPS
Replacing the Default Secure-site Certificate
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate.
When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made. The switch will not download the certificate if these two fields do not match.
Web Interface
To replace the default secure-site certificate:
1.
Configuring the Secure Shell
SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.
Note: You need to install an SSH client on the management station to access the switch for management via the SSH protocol.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Command Usage
The SSH server on this switch supports both password and public key authentication.
288402533115952134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19
4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to four client sessions.
Web Interface
To configure the SSH server:
1. Click Security, SSH.
2. Select Configure Global from the Step list.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.
Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
Web Interface
To generate the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Generate from the Action list.
4. Click Apply.
Figure 206: Generating the SSH Host Key Pair
To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3.
Importing User Public Keys
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Figure 208: Copying the SSH User’s Public Key
To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Click Clear.
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on source or destination address), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
compression is disabled, the ACL would occupy (128*n) entries of TCAM, using up nearly all of the hardware resources. When using compression, the 128 ACEs are compressed into one ACE classifying the IP address as 192.168.1.0/24, which requires only “n” entries in TCAM. The above example is an ideal case for compression.
◆ Device – Memory chip used for indicated pools.
◆ Pool – Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
◆ Total – The maximum number of policy control entries allocated to each pool.
◆ Used – The number of policy control entries used by the operating system.
◆ Free – The number of policy control entries available for use.
◆ Capability – The processes assigned to each pool.
Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
Parameters
These parameters are displayed:
◆ ACL Name – Name of the ACL. (Maximum length: 32 characters)
◆ Type – The following filter modes are supported:
  ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.
Figure 211: Creating an ACL
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Address Type – Specifies the source IP address.
Figure 213: Configuring a Standard IPv4 ACL
Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
  ■ Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
  ■ Control Code Bit Mask – Decimal number representing the code bits to match. (Range: 0-63)
The control bit mask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
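The following is an added example, not taken from the guide or the switch software, that works out the decimal Control Code and Control Code Bit Mask values for a rule and shows which TCP segments such a rule would match. It assumes the standard TCP flag bit weights (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32) and that a rule matches when the masked flag bits equal the masked control code; the function names and the sample flag values are constructed for illustration.

```python
# Added example: Control Code / Control Code Bit Mask arithmetic for an
# Extended IPv4 ACL rule. Bit weights are the standard TCP flag positions.
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def check_field(label, value):
    """Both fields accept a decimal number in the range 0-63."""
    if not 0 <= value <= 63:
        raise ValueError(f"{label} {value} is outside the range 0-63")
    return value


def build_code_and_mask(must_be_set=(), must_be_clear=()):
    """Return (control_code, bit_mask) as the decimals entered in the rule.

    A mask bit of 1 means "match this bit"; a mask bit of 0 means "ignore".
    Flags named in neither argument are ignored by the rule.
    """
    set_bits = 0
    clear_bits = 0
    for name in must_be_set:
        set_bits |= FLAG_BITS[name.upper()]
    for name in must_be_clear:
        clear_bits |= FLAG_BITS[name.upper()]
    if set_bits & clear_bits:
        raise ValueError("a flag cannot be required both set and clear")
    code = check_field("control code", set_bits)
    mask = check_field("bit mask", set_bits | clear_bits)
    return code, mask


def rule_matches(tcp_flags, code, mask):
    """Assumed comparison: only the bits selected by the mask are compared."""
    check_field("control code", code)
    check_field("bit mask", mask)
    return (tcp_flags & 0x3F & mask) == (code & mask)


# Constructed sample segments: label -> value of the six flag bits.
SAMPLE_SEGMENTS = {
    "SYN": 2,
    "SYN+ACK": 18,
    "ACK": 16,
    "FIN+ACK": 17,
    "SYN+FIN": 3,
    "RST": 4,
    "no flags": 0,
}


def matching_segments(code, mask, segments=SAMPLE_SEGMENTS):
    """Return the labels of the sample segments that the rule would match."""
    return [label for label, flags in segments.items()
            if rule_matches(flags, code, mask)]


if __name__ == "__main__":
    # New connection attempts: SYN set, ACK clear.
    code, mask = build_code_and_mask(must_be_set=["SYN"], must_be_clear=["ACK"])
    print("SYN set, ACK clear ->", code, mask, matching_segments(code, mask))

    # Segments carrying both SYN and FIN, whatever the other flags are.
    code, mask = build_code_and_mask(must_be_set=["SYN", "FIN"])
    print("SYN and FIN set    ->", code, mask, matching_segments(code, mask))
```

Because the mask leaves FIN unchecked in the first rule, that rule also matches a SYN+FIN segment; add FIN to `must_be_clear` if only plain SYN segments should match.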
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
9. Set any other required criteria, such as service type, protocol type, or control code.
10. Click Apply.
8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits)
◆ Time Range – Name of a time range.
Web Interface
To add rules to a Standard IPv6 ACL:
1.
Configuring an Extended IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source Address Type – Specifies the source IP address type.
Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
Figure 216: Configuring an Extended IPv6 ACL
Configuring a MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ VID – VLAN ID. (Range: 1-4094)
◆ VID Bit Mask – VLAN bit mask. (Range: 0-4095, 4095 meaning exact match)
◆ Ethernet Type – This option can only be used to filter Ethernet II formatted packets. (Range: 0-ffff hex.) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
◆ Ethernet Type Bit Mask – Protocol bit mask. (Range: 0-ffff hex.
Figure 217: Configuring a MAC ACL
Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 399).
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.
◆ Source/Destination MAC Bit Mask – Hexadecimal mask for source or destination MAC address.
Figure 218: Configuring an ARP ACL
Displaying Configured ACL Rules
To display a table of rules configured for each ACL, use the Security > ACL (Configure ACL - Show Rule) page.
Web Interface
To show the rules for an individual ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show Rule from the Action list.
4. Select the type of ACL from the Type list.
5.
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to bind to a port.
◆ Port – Port identifier.
◆ ACL – ACL used for ingress or egress packets.
◆ Time Range – Name of a time range.
5. Select the name of an ACL from the ACL list.
6. Select a time range during which the ACL is active.
7. Enable the counter for ACL statistics if required.
8. Click Apply.
Figure 220: Binding a Port to an ACL
Showing ACL Hardware Counters
Use the Security > ACL > (Configure Interface - Show Hardware Counters) page to show statistics for ACL hardware counters.
Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Hit – Shows the number of packets matching this ACL.
◆ Clear Counter – Clears the hit counter for the specified ACL.
Web Interface
To show statistics for ACL hardware counters:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Show Hardware Counters from the Action list.
4. Select a port.
5. Select ingress or egress traffic.
Filtering IP Addresses for Management Access
◆ IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
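The following is an added example, not taken from the guide or the switch software, that pre-checks a planned management filter list against the two rules above: at most five address sets per group, and no overlapping ranges inside one group while overlaps across groups are allowed. The group labels, function names and sample plan are constructed for illustration, and the check assumes IPv4 addresses entered as a single host or a start/end pair.

```python
# Added example: validate a planned management-access IP filter offline
# before entering it on the switch.
import ipaddress

MAX_SETS_PER_GROUP = 5               # "up to five different sets of addresses"
GROUPS = ("snmp", "web", "telnet")   # labels chosen for this example


def to_range(start, end=None):
    """Turn a single host or a start/end pair into an inclusive (low, high) range."""
    low = ipaddress.IPv4Address(start)
    high = ipaddress.IPv4Address(end) if end else low
    if high < low:
        raise ValueError(f"end address {high} is below start address {low}")
    return low, high


def check_plan(plan):
    """Return a list of (group, problem, detail) tuples; empty means the plan is clean.

    plan maps a group label to a list of (start,) or (start, end) tuples.
    """
    problems = []
    for group, entries in plan.items():
        if group not in GROUPS:
            problems.append((group, "unknown-group", ""))
            continue
        if len(entries) > MAX_SETS_PER_GROUP:
            problems.append((group, "too-many",
                             f"{len(entries)} sets, limit is {MAX_SETS_PER_GROUP}"))
        # Sort by start address, then compare each range with the range that
        # reaches furthest so far; this also catches fully contained ranges.
        reach = None
        for low, high in sorted(to_range(*entry) for entry in entries):
            if reach is not None and low <= reach[1]:
                problems.append((group, "overlap",
                                 f"{low}-{high} overlaps {reach[0]}-{reach[1]}"))
            if reach is None or high > reach[1]:
                reach = (low, high)
    return problems


# Constructed sample plan: the web group has two overlapping ranges, the snmp
# group reuses one of them (allowed across groups), telnet has six sets.
SAMPLE_PLAN = {
    "web": [("192.168.1.10", "192.168.1.50"), ("192.168.1.40", "192.168.1.60")],
    "snmp": [("192.168.1.10", "192.168.1.50")],
    "telnet": [(f"10.0.0.{host}",) for host in range(1, 7)],
}

if __name__ == "__main__":
    for group, problem, detail in check_plan(SAMPLE_PLAN):
        print(f"{group}: {problem} {detail}")
```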
Figure 222: Creating an IP Address Filter for Management Access
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.
Configuring Port Security
◆ To configure the maximum number of address entries which can be learned on a port, specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs for frames received on the port. When the port has reached the maximum number of MAC addresses, the port will stop learning new addresses.
  ■ Shutdown: Disable the port.
  ■ Trap and Shutdown: Send an SNMP trap message and disable the port.
◆ Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0-1024, where 0 means disabled)
The maximum address count is effective when port security is enabled or disabled.
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
The operation of 802.1X on the switch requires the following:
◆ The switch must have an IP address assigned.
◆ RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.
◆ 802.1X must be enabled globally for the switch.
◆ Each switch port that will be used must be set to dot1X “Auto” mode.
Web Interface
To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required.
4. Click Apply.
Figure 226: Configuring Global Settings for 802.1X Port Authentication
Configuring Port Use the Security > Port Authentication (Configure Interface) page to configure Authenticator 802.
Parameters
These parameters are displayed:
◆ Port – Port number.
◆ Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized.
◆ Authorized – Displays the 802.1X authorization status of connected clients.
  ■ Yes – Connected client is authorized.
  ■ N/A – Connected client is not authorized, or port is not connected.
◆ Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds)
◆ Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet.
Supplicant List
◆ Supplicant – MAC address of authorized client.
Authenticator PAE State Machine
◆ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
◆ Reauth Count – Number of times connecting state is re-entered.
Figure 227: Configuring Interface Settings for 802.1X Port Authenticator
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
Parameters
These parameters are displayed:
Table 23: 802.1X Statistics
Parameter          Description
Authenticator
Rx EAPOL Start     The number of EAPOL Start frames that have been received by this Authenticator.
Table 23: 802.1X Statistics (Continued)
Parameter          Description
Rx Last EAPOLSrc   The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
Rx EAP Resp/Id     The number of EAP Resp/Id frames that have been received by this Authenticator.
Rx EAP Resp/Oth    The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
Web Interface
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
Figure 228: Showing Statistics for 802.1X Port Authenticator
DoS Protection
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
◆ TCP-SYN/FIN Scan – A TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP SYN FIN scan.
DHCPv4 Snooping
messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.
◆ Table entries are only learned for trusted interfaces. An entry is added or removed dynamically to the DHCP snooping table when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
  ■ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
DHCP Snooping Global Configuration
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
Parameters
These parameters are displayed:
General
◆ DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
◆ DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.
◆ DHCP Snooping Information Option Remote ID TR101 VLAN Field – Adds “:VLAN” in TR101 field for untagged packets. (Default: Enabled)
The format for TR101 option 82 is: “ eth /[:]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added.
Figure 230: Configuring Global Settings for DHCP Snooping
DHCP Snooping VLAN Configuration
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
Command Usage
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Web Interface
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply.
Figure 231: Configuring DHCP Snooping on a VLAN
Configuring Interfaces for DHCP Snooping
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch interfaces as trusted or untrusted.
◆ Circuit ID – Specifies DHCP Option 82 circuit ID suboption information.
  ■ Mode
  ■ VLAN-Unit-Port - The string “VLAN-Unit-Port.” (Default: This is the default setting.)
  ■ string - An arbitrary string inserted into the circuit identifier field. (Range: 1-32 characters)
  ■ TR101 - The remote node ID generated by the switch is based on TR101 syntax (R-124, Access_Node_ID).
  ■ IP Address - Specifies the switch’s IP address as the node identifier.
Figure 232: Configuring the Port Mode for DHCP Snooping
Displaying DHCP Snooping Binding Information
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
Parameters
These parameters are displayed:
◆ Interface
  ■ Port identifier. (Range: 1-28)
  ■ Trunk identifier. (Range: 1-26)
◆ MAC Address – Physical address associated with the entry.
◆ IP Address – IP address corresponding to the client.
◆ Clear from Flash – Removes all dynamically learned snooping entries from flash memory.
Web Interface
To display the binding table for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Show Information from the Step list.
3. Use the Store or Clear function if required.
DHCPv6 Snooping
◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IPv6 address, lease time, binding type, VLAN identifier, and port identifier.
◆ When DHCPv6 snooping is enabled, the rate limit for the number of DHCPv6 messages that can be processed by the switch is 100 packets per second.
  ■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
    A. Check if IPv6 address in IA option is found in binding table:
      ■ If yes, continue to C.
      ■ If not, continue to B.
    B. Check if IPv6 address in IA option is found in binding cache:
      ■ If yes, continue to C.
      ■ If not, check failed, and forward packet to trusted port.
◆ DHCPv6 Snooping Option Remote ID – Enables the insertion of remote-id option 37 information into DHCPv6 client messages. Remote-id option information such as the port attached to the client, DUID, and VLAN ID is used by the DHCPv6 server to assign preassigned configuration data specific to the DHCPv6 client. (Default: Disabled)
  ■ DHCPv6 provides a relay mechanism for sending information about the switch and its DHCPv6 clients to the DHCPv6 server.
  ■ Drop – Drops the client’s request packet instead of relaying it. (This is the default policy.)
  ■ Keep – Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
  ■ Replace – Replaces the Option 37 remote-ID in the client’s request with the relay agent’s remote-ID (when DHCPv6 snooping is enabled), and forwards the packets to trusted ports.

Web Interface
To configure global settings for DHCPv6 Snooping:
1.
Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN. (Range: 1-4094)

Web Interface
To configure global settings for DHCPv6 Snooping:
1. Click IP Service, DHCPv6, Snooping.
2. Select Configure VLAN from the Step list.
3. Select Add from the Action list.
4. Select a VLAN on which to enable DHCPv6 Snooping.
5. Click Apply.

Figure 235: Configuring DHCPv6 Snooping on a VLAN

To show the VLANs for which DHCPv6 Snooping is enabled:
1.
Configuring Interfaces for DHCPv6 Snooping
Use the IP Service > DHCP > Snooping6 (Configure Interface) page to configure switch interfaces as trusted or untrusted, and set the maximum number of entries which can be stored in the binding database for an interface.

Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network.
Figure 237: Configuring the Trust State for DHCPv6 Snooping

Displaying DHCPv6 Snooping Binding Information
Use the IP Service > DHCPv6 > Snooping (Show Information – Binding) page to display entries in the binding table.

Parameters
These parameters are displayed:
◆ Link-layer Address – IPv6 link-layer address associated with the entry.
◆ IPv6 Address/IPv6 Prefix – IPv6 address/prefix corresponding to the client.
Figure 238: Displaying the Binding Table for DHCPv6 Snooping

Displaying DHCPv6 Snooping Statistics
Use the IP Service > DHCPv6 > Snooping (Show Information – Statistics) page to display information on client, server, and relay packets.

Parameters
These parameters are displayed:
◆ State – Packet states include received, sent and dropped.
◆ Types
  ■ Client Packet – Includes Solicit, Request, Confirm, Renew, Rebind, Decline, Release and Information-request.
Chapter 12 | Security Measures IPv4 Source Guard
Figure 239: Displaying Statistics for DHCPv6 Snooping

IPv4 Source Guard
IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCPv4 Snooping” on page 368).
Note: Multicast addresses cannot be used by IP Source Guard.
◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see “DHCPv4 Snooping” on page 368), or static addresses configured in the source guard binding table.
◆ If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both its IP address and corresponding MAC address (SIP-MAC option) will be checked against the binding table.
  ■ SIP-MAC – Enables traffic filtering based on IPv4 addresses and corresponding MAC addresses stored in the binding table.
◆ Filter Table – Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table. (Default: ACL binding table)
◆ Max Binding Entry – The maximum number of entries that can be bound to an interface.
Configuring Static Bindings for IPv4 Source Guard
Use the Security > IP Source Guard > Static Binding (Configure ACL Table and Configure MAC Table) pages to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
Parameters
These parameters are displayed:

Add – Configure ACL Table
◆ Port – The port to which a static entry is bound.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.

Add – Configure MAC Table
◆ MAC Address – A valid unicast MAC address.
◆ VLAN – ID of a configured VLAN or a range of VLANs.
Figure 241: Configuring Static Bindings for IPv4 Source Guard

To display static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Binding.
2. Select Configure ACL Table or Configure MAC Table from the Step list.
3. Select Show from the Action list.
Chapter 12 | Security Measures IPv6 Source Guard
Dynamic Binding List
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – Port to which this entry is bound.
◆ IP Address – IP address corresponding to the client.
◆ Type – DHCP-Snooping

Web Interface
To display the binding table for IP Source Guard:
1. Click Security, IP Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3.
Configuring Ports for IPv6 Source Guard
Use the Security > IPv6 Source Guard > Port Configuration page to filter inbound traffic based on the source IPv6 address or address prefix stored in the binding table. IPv6 Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IPv6 address of a neighbor.
traffic on that port, except for ND packets and DHCPv6 packets allowed by DHCPv6 snooping.
  ■ Only IPv6 global unicast addresses are accepted for static bindings.

Parameters
These parameters are displayed:
◆ Port – Port identifier (Range: 1-28)
◆ Filter Type – Configures the switch to filter inbound traffic based on the following options. (Default: Disabled)
  ■ Disabled – Disables IPv6 source guard filtering on the port.
2. Set the required filtering type for each port.
3. Click Apply.

Figure 244: Setting the Filter Type for IPv6 Source Guard

Configuring Static Bindings for IPv6 Source Guard
Use the Security > IPv6 Source Guard > Static Binding page to bind a static address to a port.
Parameters
These parameters are displayed:

Add
◆ Port – The port to which a static entry is bound.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IPv6 Address/IPv6 Prefix – A valid global unicast IPv6 address or address prefix. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Figure 245: Configuring Static Bindings for IPv6 Source Guard

To display static bindings for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Static Configuration.
2. Select Show from the Action list.

Figure 246: Displaying Static Bindings for IPv6 Source Guard

Displaying Information for IPv6 Source Guard
Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
Chapter 12 | Security Measures ARP Inspection
◆ IPv6 Address/IPv6 Prefix – IPv6 address/prefix corresponding to the client.
◆ Type – Shows the entry type:
  ■ DHCP – Dynamic DHCPv6 binding, stateful address.
  ■ ND – Dynamic Neighbor Discovery binding, stateless address.

Web Interface
To display the binding table for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3.
Command Usage
Enabling & Disabling ARP Inspection
◆ ARP Inspection is controlled on a global and VLAN basis.
◆ By default, ARP Inspection is disabled both globally and on all VLANs.
  ■ If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled.
  ■ IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
  ■ Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
  ■ Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
◆ Log Message Number – The maximum number of entries saved in a log message. (Range: 0-256; Default: 20)
◆ Log Interval – The interval at which log messages are sent. (Range: 0-86400 seconds; Default: 10 seconds)

Web Interface
To configure global settings for ARP Inspection:
1.
◆ ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
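The IP and source MAC validation checks and the ACL-before-bindings precedence described above can be modelled as follows. This is an added example, not code from the switch or from this guide; the function names, the rule and binding layouts, the sample addresses, and the fall-through to the DHCP snooping bindings when no ACL rule matches are all assumptions made for illustration.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Build a constructed, untagged Ethernet II frame with an IPv4 ARP body."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame):
    """Split the Ethernet header and ARP body into the fields the checks need."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an untagged Ethernet ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_src": frame[6:12],
        "oper": oper,
        "sha": frame[22:28],                         # sender MAC in the ARP body
        "spa": ipaddress.IPv4Address(frame[28:32]),  # sender IP
        "tpa": ipaddress.IPv4Address(frame[38:42]),  # target IP
    }


def invalid_ip(ip):
    """Addresses the IP check rejects: 0.0.0.0, 255.255.255.255, multicast."""
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast


def inspect_arp(frame, vlan, port, acl, bindings, checks=("ip", "src-mac")):
    """Return (verdict, reason) for one ARP frame seen on an untrusted port."""
    try:
        pkt = parse_arp(frame)
    except ValueError:
        return ("drop", "malformed")
    # Source MAC check: Ethernet source must equal the ARP sender MAC
    # (applied to requests and responses).
    if "src-mac" in checks and pkt["eth_src"] != pkt["sha"]:
        return ("drop", "src-mac")
    # IP check: sender IP always, target IP only in responses.
    if "ip" in checks:
        if invalid_ip(pkt["spa"]):
            return ("drop", "ip")
        if pkt["oper"] == ARP_REPLY and invalid_ip(pkt["tpa"]):
            return ("drop", "ip")
    # ARP ACL rules are compared first and take precedence over the bindings.
    for action, ip, hw in acl:
        if ip == pkt["spa"] and hw == pkt["sha"]:
            return ("forward" if action == "permit" else "drop", "arp-acl")
    # Assumption: with no ACL match, the DHCP snooping bindings decide.
    if (vlan, port, pkt["spa"], pkt["sha"]) in bindings:
        return ("forward", "dhcp-snooping")
    return ("drop", "no-binding")


# Constructed sample state (documentation addresses, locally administered MACs).
HOST_A, HOST_B, PRINTER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:10"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
BINDINGS = {(10, 3, ipaddress.IPv4Address("192.0.2.21"), mac(HOST_A))}
ACL = [
    ("permit", ipaddress.IPv4Address("192.0.2.10"), mac(PRINTER)),  # static host
    ("deny", ipaddress.IPv4Address("192.0.2.1"), mac(HOST_B)),      # B claiming the gateway IP
]
```

With the source MAC check disabled, a frame sent from HOST_B's Ethernet address but carrying HOST_A's sender fields still matches HOST_A's binding in this model. Address-conflict probes (RFC 5227) carry sender IP 0.0.0.0, so they fail the IP check as it is described above.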
Figure 249: Configuring VLAN Settings for ARP Inspection

Configuring Interface Settings for ARP Inspection
Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.

Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier.
◆ Trust Status – Configures the port as trusted or untrusted.
Figure 250: Configuring Interface Settings for ARP Inspection

Displaying ARP Inspection Statistics
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
3. Select Show Statistics from the Action list.

Figure 251: Displaying Statistics for ARP Inspection

Displaying the ARP Inspection Log
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.

Parameters
These parameters are displayed:

Table 25: ARP Inspection Log
Parameter   Description
VLAN ID     The VLAN where this packet was seen.
Chapter 12 | Security Measures Application Filter
Figure 252: Displaying the ARP Inspection Log

Application Filter
Use the Security > Application Filter page to forward CDP or PVST packets.

Command Usage
If this feature is not enabled, the switch will handle CDP or PVST packets as normal packets. In other words, they are forwarded to other ports in the same VLAN that are also configured to forward the specified packet type.
13 Basic Administration Protocols

This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Chapter 13 | Basic Administration Protocols Configuring Event Logging
◆ Loopback Detection (LBD) – Detects general loopback conditions caused by hardware problems or faulty protocol settings.
◆ Smart Pair Configuration – Detects general loopback conditions caused by hardware problems or faulty protocol settings.
Table 26: Logging Levels (Continued)
Level   Severity Name   Description
2       Critical        Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1       Alert           Immediate action needed
0       Emergency       System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
To show the error messages logged to system or flash memory:
1. Click Administration, Log, System.
2. Select Show System Logs from the Step list.
3. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.

This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e.
as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23)
◆ Logging Trap Level – Limits log messages that are sent to the remote syslog server for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be sent to the remote server.
◆ Severity – Sets the syslog severity threshold level (see table on page 408) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7)
◆ Email Source Address – Sets the email address used for the “From” field in alert messages.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol
Figure 257: Configuring SMTP Alert Messages

Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
◆ Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
◆ Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below.
critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.

Web Interface
To configure LLDP timing attributes:
1. Click Administration, LLDP.
2. Select Configure Global from the Step list.
3. Enable LLDP, and modify any of the timing parameters as required.
4. Click Apply.
For information on defining SNMP trap destinations, see “Specifying Trap Managers” on page 458.

Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
b. If both the management-ipv6-address and the IPv6 address of a VLAN interface are configured, the IPv6 address of the VLAN ID will be sent in the Management Address TLV of the LLDP PDU transmitted.
c. Two Management Address TLVs in the LLDP PDU will be sent if both of the two conditions below are true:
  ■ The interface has both commands configured i.e. management-ipaddress and management-ipv6-address.
  ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 167). (Default: Enabled)
  ■ VLAN Name – The name of all VLANs to which this interface has been assigned (see “IEEE 802.1Q VLANs” on page 167).
◆ Network Policy – This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Figure 259: Configuring LLDP Interface Attributes

Configuring LLDP Interface Civic-Address
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Table 27: LLDP MED Location CA Types (Continued)
CA Type   Description                  CA Value Example
21        Landmark or vanity address   Tech Center
26        Unit (apartment, suite)      Apt 519
27        Floor                        5
28        Room                         509B

◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.

Figure 261: Showing the Civic Address for an LLDP Interface

To modify the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3.
Displaying LLDP Local Device Information
Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.

Parameters
These parameters are displayed:

General Settings
◆ Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent.
Table 29: System Capabilities (Continued)
ID Basis              Reference
Router                IETF RFC 1812
Telephone             IETF RFC 2011
DOCSIS cable device   IETF RFC 2669 and IETF RFC 2670
End Station Only      IETF RFC 2011

◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. Refer to the preceding table.
◆ Management Address – The management address associated with the local system.
Table 30: Port ID Subtype (Continued)
ID Basis           Reference
Agent circuit ID   agent circuit ID (IETF RFC 3046)
Locally assigned   locally assigned

◆ Port/Trunk ID – A string that contains the specific identifier for the local interface based on interface subtype used by this switch.
◆ Port/Trunk Description – A string that indicates the port or trunk description.
Figure 264: Displaying Local Device Information for LLDP (Port)
Figure 265: Displaying Local Device Information for LLDP (Port Details)
Figure 266: Displaying Local Device Information for LLDP (Trunk)
Figure 267: Displaying Local Device Information for LLDP (Trunk Details)
Displaying LLDP Remote Device Information
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 29, "System Capabilities," on page 423.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 29, "System Capabilities," on page 423.)
◆ Management Address List – The management addresses for this device.
Table 31: Remote Port Auto-Negotiation Advertised Capability (Continued)
Bit   Capability
5     100BASE-TX full duplex mode
6     100BASE-T2 half duplex mode
7     100BASE-T2 full duplex mode
8     PAUSE for full-duplex links
9     Asymmetric PAUSE for full-duplex links
10    Symmetric PAUSE for full-duplex links
11    Asymmetric and Symmetric PAUSE for full-duplex links
12    1000BASE-X, -LX, -SX, -CX half duplex mode
13    1000BASE-X, -LX, -SX, -
Port/Trunk Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.
Port/Trunk Details – Network Policy
◆ Application Type – The primary applications defined for this network policy:
  ■ Voice
  ■ Voice Signaling
  ■ Guest Signaling
  ■ Guest Voice Signaling
  ■ Softphone Voice
  ■ Video Conferencing
  ■ Streaming Video
  ■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.
  ■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.
Web Interface
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.
Figure 269: Displaying Remote Device Information for LLDP (Port Details)
Figure 270: Displaying Remote Device Information for LLDP (Trunk)
Figure 271: Displaying Remote Device Information for LLDP (Trunk Details) (See Figure 269 for extension information.)
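The remote device fields described above (chassis ID, port ID, system name, system capabilities, management address) arrive as TLVs in the neighbor's LLDPDU. The following added example, which is not code from this guide or from the switch, decodes them with length validation so a truncated or out-of-order advertisement is rejected. The function names and the sample LLDPDU are constructed for illustration, and the TLV type numbers and field layouts follow IEEE 802.1AB.

```python
import ipaddress
import struct

# System capability bit positions (bit 0 first), per IEEE 802.1AB.
CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN Access Point",
                   "Router", "Telephone", "DOCSIS cable device", "End Station Only"]


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length share a 16-bit header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs until the End Of LLDPDU TLV (type 0)."""
    offset = 0
    while offset < len(pdu):
        if offset + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        if tlv_type == 0:
            return
        yield tlv_type, pdu[offset:offset + length]
        offset += length


def decode_id(value, mac_subtype, text_subtypes):
    """Decode a Chassis ID or Port ID value: one subtype byte, then the ID."""
    if len(value) < 2:
        raise ValueError("ID TLV too short")
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype and len(body) == 6:
        return ":".join(f"{b:02x}" for b in body)
    if subtype in text_subtypes:
        return body.decode("utf-8", "replace")
    return body.hex()


def decode_mgmt_address(value):
    """Length byte (subtype + address), address subtype (1=IPv4, 2=IPv6), address."""
    if len(value) < 2 or len(value) < 1 + value[0]:
        raise ValueError("Management Address TLV too short")
    subtype, addr = value[1], value[2:1 + value[0]]
    if subtype == 1 and len(addr) == 4:
        return str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:
        return str(ipaddress.IPv6Address(addr))
    return addr.hex()


def capabilities(bitmap):
    """Expand a 16-bit capability bitmap into the names of the bits that are set."""
    return [name for bit, name in enumerate(CAPABILITY_BITS) if bitmap & (1 << bit)]


def parse_lldpdu(pdu):
    """Return the neighbor fields carried in one LLDPDU as a dict."""
    tlvs = list(iter_tlvs(pdu))
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must begin with Chassis ID, Port ID and TTL")
    info = {"system_name": None, "caps_supported": [], "caps_enabled": [],
            "mgmt_addresses": []}
    for tlv_type, value in tlvs:
        if tlv_type == 1:      # Chassis ID: subtype 4 is a MAC address
            info["chassis_id"] = decode_id(value, 4, (6, 7))
        elif tlv_type == 2:    # Port ID: subtype 3 is a MAC address
            info["port_id"] = decode_id(value, 3, (1, 5, 7))
        elif tlv_type == 3:    # Time to live, in seconds
            if len(value) != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 5:    # System Name
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 7 and len(value) == 4:   # supported, then enabled
            supported, enabled = struct.unpack("!HH", value)
            info["caps_supported"] = capabilities(supported)
            info["caps_enabled"] = capabilities(enabled)
        elif tlv_type == 8:    # Management Address (may appear more than once)
            info["mgmt_addresses"].append(decode_mgmt_address(value))
    return info


# Constructed sample LLDPDU (documentation address, locally administered MAC).
SAMPLE_LLDPDU = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),
    tlv(2, b"\x05" + b"Eth 1/5"),
    tlv(3, struct.pack("!H", 120)),
    tlv(5, b"access-sw-01"),
    tlv(7, struct.pack("!HH", 0x0014, 0x0004)),
    tlv(8, b"\x05\x01" + ipaddress.IPv4Address("192.0.2.2").packed
        + b"\x02" + struct.pack("!I", 1) + b"\x00"),
    tlv(0, b""),
])
```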
Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.

Parameters
These parameters are displayed:

General Statistics on Remote Devices
◆ Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
Web Interface
To display statistics for LLDP-capable devices attached to the switch:
1. Click Administration, LLDP.
2. Select Show Device Statistics from the Step list.
3. Select General, Port, or Trunk.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol
Figure 274: Displaying LLDP Device Statistics (Trunk)

Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
3. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.

Configuring SNMPv3 Management Access
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2.
Figure 275: Configuring Global Settings for SNMP

Setting Community Access Strings
Use the Administration > SNMP (Configure Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
Figure 276: Setting Community Access Strings

To show the community access strings:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show Community from the Action list.

Figure 277: Showing Community Access Strings

Setting the Local Engine ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID.
◆ Engine Boots – The number of times that the engine has (re-)initialized since the SNMP Engine ID was last configured.

Web Interface
To configure the local SNMP engine ID:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Set Engine ID from the Action list.
4. Enter an ID of at least 9 hexadecimal characters.
5.
◆ Remote IP Host – The IPv4 address of a remote management station which is using the specified engine ID.

Web Interface
To configure a remote SNMP engine ID:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Add Remote Engine from the Action list.
4. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
5.
Parameters
These parameters are displayed:

Add View
◆ View Name – The name of the SNMP view. A maximum of 32 views can be configured. (Range: 1-32 characters)
◆ OID Subtree – Specifies the initial object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. Use the Add OID Subtree page to configure additional object identifiers.
Figure 281: Creating an SNMP View

To show the SNMP views of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Show View from the Action list.

Figure 282: Showing SNMP Views

To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3.
Figure 283: Adding an OID Subtree to an SNMP View

To show the OID branches configured for the SNMP views of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Show OID Subtree from the Action list.
4. Select a view name from the list of existing views.
  ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.)
  ■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
  ■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Read View – The configured view for read access. (Range: 1-32 characters)
◆ Write View – The configured view for write access.
Table 33: Supported Notification Messages (Continued)
Model Level Group
authenticationFailure*   1.3.6.1.6.3.1.1.5.5   An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, has received a protocol message that is not properly authenticated.
Table 33: Supported Notification Messages (Continued)
Model Level Group
swAtcMcastStormAlarmFireTrap    1.3.6.1.4.1.259.6.10.120.2.1.0.74   When multicast traffic is detected as the storm, this trap is fired.
swAtcMcastStormAlarmClearTrap   1.3.6.1.4.1.259.6.10.120.2.1.0.75   When multicast storm is detected as normal traffic, this trap is fired.
swAtcMcastStormTcApplyTrap      1.3.6.1.4.1.259.6.10.120.2.1.0.
Table 33: Supported Notification Messages (Continued)
Model Level Group
lbdDetectionTrap            1.3.6.1.4.1.259.6.10.120.2.1.0.141   This trap is sent when a loopback condition is detected by LBD.
lbdRecoveryTrap             1.3.6.1.4.1.259.6.10.120.2.1.0.142   This trap is sent when a recovery is done by LBD.
sfpThresholdAlarmWarnTrap   1.3.6.1.4.1.259.6.10.120.2.1.0.
Web Interface
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.

Figure 285: Creating an SNMP Group

To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
Configuring Local SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
4. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified. If the security level is authPriv, a privacy password must also be specified.
5. Click Apply.

Figure 287: Configuring Local SNMPv3 Users

To show local SNMPv3 users:
1. Click Administration, SNMP.
2.
3. Select the User Name.
4. Enter a new group name.
5. Click Apply.

Figure 289: Changing a Local SNMPv3 User Group

Configuring Remote SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
◆ Authentication Password – A minimum of eight plain text characters is required.
Figure 290: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
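How the authentication protocol and password entered for an SNMPv3 user become the key used to authenticate messages, following the password-to-key and key-localization procedure of RFC 3414 (USM). This is an added example, not part of this guide or the switch software: the function names are hypothetical, the password and engine ID are the RFC's published sample values, and `check_user` encodes only the rules this guide states for authNoPriv and authPriv users.

```python
"""SNMPv3 USM key derivation (RFC 3414) plus a check of the guide's user rules.

Added example: names are hypothetical, sample values are the RFC's own.
"""
import hashlib

MIN_AUTH_PASSWORD_LEN = 8      # minimum stated in this guide
EXPANDED_LEN = 1_048_576       # RFC 3414 hashes 1 MiB of repeated password
HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}   # options listed in the guide


def password_to_key(password: str, protocol: str) -> bytes:
    """Intermediate key Ku: digest of the password repeated up to 1,048,576 bytes."""
    pw = password.encode()
    if len(pw) < MIN_AUTH_PASSWORD_LEN:
        raise ValueError("authentication password needs at least 8 characters")
    reps, rest = divmod(EXPANDED_LEN, len(pw))
    return HASHES[protocol](pw * reps + pw[:rest]).digest()


def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku), valid for one SNMP engine only."""
    return HASHES[protocol](ku + engine_id + ku).digest()


def derive_auth_key(password: str, engine_id: bytes, protocol: str = "MD5") -> bytes:
    """Key that authenticates messages for the engine identified by engine_id."""
    return localize_key(password_to_key(password, protocol), engine_id, protocol)


def check_user(level, auth_protocol=None, auth_password=None, priv_password=None):
    """Return findings for one SNMPv3 user entry, using the rules stated in the guide."""
    if level not in ("noAuthNoPriv", "authNoPriv", "authPriv"):
        return [f"unknown security level: {level}"]
    if level == "noAuthNoPriv":
        return ["no authentication and no encryption"]
    findings = []
    if auth_protocol not in HASHES:
        findings.append("authentication protocol must be MD5 or SHA")
    elif auth_protocol == "MD5":
        findings.append("MD5 (the default) in use; SHA is the other option offered")
    if not auth_password or len(auth_password) < MIN_AUTH_PASSWORD_LEN:
        findings.append("authentication password missing or shorter than 8 characters")
    if level == "authPriv" and not priv_password:
        findings.append("authPriv requires a privacy password")
    if level == "authNoPriv":
        findings.append("payload is authenticated but not encrypted")
    return findings


# Sample values published in RFC 3414, Appendix A.3.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID, used only to show that keys are per engine.
OTHER_ENGINE_ID = bytes.fromhex("800000000102030405")

if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        print(proto, "local engine :", derive_auth_key(RFC_PASSWORD, RFC_ENGINE_ID, proto).hex())
        print(proto, "other engine :", derive_auth_key(RFC_PASSWORD, OTHER_ENGINE_ID, proto).hex())
    print(check_user("authPriv", "MD5", "maplesyrup"))
```

Because the key is bound to an engine ID, the same user name and password yield a different key for every engine.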
Specifying Trap Managers
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive)
Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page.
◆ UDP Port – Specifies the UDP port number used by the trap manager.
◆ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
■ Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
Figure 292: Configuring Trap Managers (SNMPv1)
Figure 293: Configuring Trap Managers (SNMPv2c)
Figure 294: Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 295: Showing Trap Managers

Creating SNMP Notification Logs
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
Command Usage
◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether they are Traps or Informs that may be exceeding retransmission limits.
The notification log is stored locally. It is not sent to a remote device. This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB.
◆ Filter Profile Name – Notification log profile name. (Range: 1-32 characters)
Web Interface
To create an SNMP notification log:
First create a trap host using the Administration > SNMP (Configure Trap – Add) page.
To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.
Figure 299: Showing SNMP Notification Logs

Showing SNMP Statistics
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
◆ Get-request PDUs – The total number of SNMP Get-Request PDUs which have been accepted and processed, or generated, by the SNMP protocol entity.
◆ Get-next PDUs – The total number of SNMP Get-Next PDUs which have been accepted and processed, or generated, by the SNMP protocol entity.
Figure 300: Showing SNMP Statistics

Remote Monitoring
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Command Usage
◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
Parameters
These parameters are displayed:
◆ Index – Index to this entry. (Range: 1-65535)
◆ Variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.
Web Interface
To configure an RMON alarm:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Alarm.
5. Enter an index number, the MIB object to be polled (etherStatsEntry.n.n), the polling interval, the sample type, the thresholds, and the event to trigger.
6. Click Apply.
Figure 301: Configuring an RMON Alarm
To show configured RMON alarms:
1. Click Administration, RMON.
Figure 302: Showing Configured RMON Alarms

Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
◆ Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts.
Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see “Setting Community Access Strings” on page 441) prior to configuring it here. (Range: 1-32 characters)
◆ Description – A comment that describes this event.
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Event.
Figure 304: Showing Configured RMON Events

Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
example, if control entry 15 is assigned to port 5, this index entry will be removed from the Show and Show Details page for port 8.
Parameters
These parameters are displayed:
◆ Port – The port number on the switch. (Range: 1-28)
◆ Index – Index to this entry. (Range: 1-65535)
◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets – The number of buckets requested for this entry.
To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.
Figure 306: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4.
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
Command Usage
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
Figure 308: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 309: Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2.
Figure 310: Showing Collected RMON Statistical Samples

Switch Clustering
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see “Configuring VLAN Groups” on page 171).
2. Add the participating ports to this VLAN (see “Adding Static Members to VLANs” on page 173), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Web Interface
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply.
Figure 311: Configuring a Switch Cluster

Cluster Member Configuration
Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
5. Click Apply.
Figure 312: Configuring a Cluster Members
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show from the Action list.
Figure 313: Showing Cluster Members
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.
Managing Cluster Members
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
Parameters
These parameters are displayed:
◆ Member ID – The ID number of the Member switch. (Range: 1-36)
◆ Role – Indicates the current status of the switch in the cluster.
◆ IP Address – The internal cluster IP address assigned to the Member switch.
◆ MAC Address – The MAC address of the Member switch.
Setting a Time Range
Use the Administration > Time Range page to set a time range during which various functions are applied, including applied ACLs or PoE.
Command Usage
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
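The rule above, worked through for a time range that an ACL might be bound to, as an added example that is not part of this guide or the switch software. The class names, the weekday encoding, the restriction of a periodic rule to a window inside one day, and the behavior when only one kind of rule is configured are assumptions of this model; the dates are constructed sample values.

```python
"""Evaluate when a named time range is in effect (added example, not switch code)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class AbsoluteRule:
    start: datetime
    end: datetime

    def matches(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass(frozen=True)
class PeriodicRule:
    days: frozenset            # weekday numbers, Monday = 0 (assumed encoding)
    start: time
    end: time

    def __post_init__(self):
        # Assumption: this model only covers windows that stay within one day.
        if self.end <= self.start:
            raise ValueError("periodic window must end after it starts")

    def matches(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class TimeRange:
    name: str
    absolute: Optional[AbsoluteRule] = None
    periodic: List[PeriodicRule] = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        in_periodic = any(rule.matches(now) for rule in self.periodic)
        if self.absolute and self.periodic:
            # Rule from the guide: with both kinds configured, the current time
            # must fall inside the absolute range AND one periodic range.
            return self.absolute.matches(now) and in_periodic
        if self.absolute:
            # Assumption: a lone absolute rule decides on its own.
            return self.absolute.matches(now)
        # Assumption: lone periodic rules decide on their own, and a range
        # with no rules at all never takes effect.
        return in_periodic


def active_hours(tr: TimeRange, start: datetime, hours: int) -> int:
    """Count the hourly sample points from start onward at which tr is active."""
    return sum(tr.active(start + timedelta(hours=h)) for h in range(hours))


# Constructed sample data: weekdays 08:00-18:00, limited to January 2024.
OFFICE = PeriodicRule(frozenset(range(5)), time(8), time(18))
JANUARY = AbsoluteRule(datetime(2024, 1, 1), datetime(2024, 1, 31, 23, 59))
BOTH = TimeRange("acl-window", JANUARY, [OFFICE])
PERIODIC_ONLY = TimeRange("office-hours", None, [OFFICE])

if __name__ == "__main__":
    week = datetime(2024, 1, 29)   # Monday; the absolute rule ends mid-week
    print("both rules    :", active_hours(BOTH, week, 168), "active hourly samples")
    print("periodic only :", active_hours(PERIODIC_ONLY, week, 168), "active hourly samples")
```

A function tied to such a range stops being applied once the absolute window closes, even though the periodic rule still matches.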
Figure 316: Setting the Name of a Time Range
To show a list of time ranges:
1. Click Administration, Time Range.
2. Select Show from the Action list.
Figure 317: Showing a List of Time Ranges
To configure a rule for a time range:
1. Click Administration, Time Range.
2. Select Add Rule from the Action list.
3. Select the name of time range from the drop-down list.
4. Select a mode option of Absolute or Periodic.
5.
Figure 318: Add a Rule to a Time Range
To show the rules configured for a time range:
1. Click Administration, Time Range.
2. Select Show Rule from the Action list.
Figure 319: Showing the Rules Configured for a Time Range

Ethernet Ring Protection Switching
Note: Information in this section is based on ITU-T G.8032/Y.1344.
Note: To configure ERPS with multiple instances, see the CLI Reference Guide.
The ITU G.
Ethernet rings. An Ethernet ring built using ERPS can provide resilience at a lower cost than that provided by SONET or EAPS rings. ERPS is more economical than EAPS in that only one physical link is required between each node in the ring. However, since it can tolerate only one break in the ring, it is not as robust as EAPS. ERPS supports up to 255 nodes in the ring structure.
Figure 320: ERPS Ring Components (figure labels: West Port, East Port, RPL (Idle State), RPL Owner, CC Messages)
Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology.
corresponding to the traffic channel may be transferred over a common Ethernet connection for ERP1 and ERP2 through the interconnection nodes C and D. Interconnection nodes C and D have separate ERP Control Processes for each Ethernet Ring. Figure 321 on page 486 (Signal Fail Condition) illustrates a situation where protection switching has occurred due to an SF condition on the ring link between interconnection nodes C and D.
Hold-off timer to filter out intermittent link faults, and the WTR timer to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
5. Configure the ERPS control VLAN (Configure Domain – Configure Details): Specify the control VLAN (CVLAN) used to pass R-APS ring maintenance commands. The CVLAN must NOT be configured with an IP address.
ERPS Global Configuration
Use the Administration > ERPS (Configure Global) page to globally enable or disable ERPS on the switch.
Parameters
These parameters are displayed:
◆ ERPS Status – Enables ERPS on the switch. (Default: Disabled)
ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring (by setting the Admin Status on the Configure Domain – Configure Details page).
Parameters
These parameters are displayed:
Add
◆ Domain Name – Name of an ERPS ring. (Range: 1-12 characters)
◆ Domain ID – ERPS ring identifier used in R-APS messages. (Range: 1-255)
Show
◆ Domain Name – Name of a configured ERPS ring.
◆ ID – ERPS ring identifier used in R-APS messages.
◆ Admin Status – Shows whether ERPS is enabled on the switch.
◆ Ver – Shows the ERPS version.
generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
■ Forwarding – The transmission and reception of traffic is allowed; transmission, reception and forwarding of R-APS messages is allowed.
■ Unknown – The interface is not in a known state (includes the domain being disabled).
◆ Local SF – A signal fault generated on a link to the local node.
default MAC address is disabled for the R-APS Def MAC parameter, then the Domain ID will be used in R-APS PDUs.
◆ Admin Status – Activates the current ERPS ring. (Default: Disabled)
Before enabling a ring, the global ERPS function should be enabled (see “ERPS Global Configuration” on page 488), the east and west ring ports configured on each node, the RPL owner specified, and the control VLAN configured.
◆ Control VLAN – A dedicated VLAN used for sending and receiving E-APS protocol messages. (Range: 1-4094)
Configure one control VLAN for each ERPS ring.
■ Only one RPL owner can be configured on a ring. If the switch is set as the RPL owner for an ERPS domain, the west ring port is set as one end of the RPL. If the switch is set as the RPL neighbor for an ERPS domain, the east ring port is set as the other end of the RPL.
■ The east and west connections to the ring must be specified for all ring nodes.
b. The WTR timer is canceled if during the WTR period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
c.
■ Recovery with revertive mode is handled as follows:
a. The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTB timer.
b. The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
c.
The Ethernet Ring Node where the Manual Switch was cleared continuously transmits the R-APS (NR) message on both ring ports, informing that no request is present at this ring node. The ring nodes stop transmitting R-APS (NR) messages when they accept an R-APS (NR, RB) message, or when another higher priority request is received.
◆ Major Domain – The ERPS ring used for sending control packets.
This switch can support up to six rings. However, ERPS control packets can only be sent on one ring. This parameter is used to indicate that the current ring is a secondary ring, and to specify the major ring which will be used to send ERPS control packets. The Ring Protection Link (RPL) is always the west port.
ring. Care must also be taken to ensure that the local R-APS messages of the sub-ring being transported over the virtual channel into the interconnected network can be uniquely distinguished from those of other interconnected ring R-APS messages. This can be achieved, for example, by using separate VIDs for the virtual channels of different sub-rings.
Figure 324: Sub-ring without Virtual Channel (figure labels: RPL Port, Interconnection Node, Sub-ring with Virtual Channel, Ring Node, Major Ring)
◆ R-APS Def MAC – Sets the switch’s MAC address to be used as the node identifier in R-APS messages. (Default: Enabled)
When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.
CCMs are propagated by the Connectivity Fault Management (CFM) protocol as described under “Connectivity Fault Management” on page 517. If the standard recovery procedure were used as shown in the following figure, and node E detected CCM loss, it would send an R-APS (SF) message to the RPL owner and block the link to node D, isolating that non-ERPS device.
for old messages still circulating on the ring to expire. (Range: 10-2000 milliseconds, in steps of 10 milliseconds)
The guard timer duration should be greater than the maximum expected forwarding delay for an R-APS message to pass around the ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
◆ Interface – The port or trunk attached to the west or east ring port.
Note that a ring port cannot be configured as a member of a spanning tree, a dynamic trunk, or a static trunk.
4. Enter a name and optional identifier for the ring.
5. Click Apply.
Figure 326: Creating an ERPS Ring
To configure the ERPS parameters for a ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Configure Details from the Action list.
4. Configure the ERPS parameters for this node.
Figure 327: Creating an ERPS Ring
To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
Figure 328: Showing Configured ERPS Rings

ERPS Forced and Manual Mode Operations
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.
Parameters
These parameters are displayed:
◆ Domain Name – Name of a configured ERPS ring.
◆ Operation – Specifies a Forced Switch (FS) or Manual Switch (MS) operation on the east or west ring port.
■ Protection switching on a forced switch request is completed when the above actions are performed by each ring node. At this point, traffic flows around the ring are resumed.
■ When a ring is under an FS condition, and the node at which an FS command was issued is removed or fails, the ring remains in FS state because the FS command can only be cleared at the node where the FS command was issued. This results in an unrecoverable FS condition. When performing a maintenance procedure (e.g.
a. While an existing manual switch request is present in the ring, any new manual switch request is rejected. The request is rejected at the ring node where the new request is issued and a notification is generated to inform the operator that the new MS request was not accepted.
b.
5. Specify a Forced Switch, Manual Switch, or Clear operation.
6. Click Apply.
Figure 329: Blocking an ERPS Ring Port

OAM Configuration
The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment).
Table 35: OAM Operation State (Continued)
State    Description
Active Send Local    This value is used by active mode devices and indicates the OAM entity is actively trying to discover whether the peer has OAM capability but has not yet made that determination.
Send Local And Remote    The local OAM entity has discovered the peer but has not yet accepted or rejected the configuration of the peer.
If reporting is enabled and an errored frame link event occurs, the local OAM entity (this switch) sends an Event Notification OAMPDU to the remote OAM entity. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
■ Status – Enables reporting of errored frame link events.
Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ Clear – Clears statistical counters for the selected ports.
◆ The time of locally generated events can be accurately retrieved from the sysUpTime variable. For remotely generated events, the time of an event is indicated by the reception of an Event Notification OAMPDU from the peer.
Web Interface
To display link events for the selected port:
1. Click Administration, OAM, Event Log.
2. Select a port from the drop-down list.
conditions. This switch does not support the unidirectional function, but can parse error messages sent from a peer with unidirectional capability.
◆ Link Monitor – Shows if the OAM entity can send and receive Event Notification OAMPDUs.
◆ MIB Variable Retrieval – Shows if the OAM entity can send and receive Variable Request and Response OAMPDUs.
Web Interface
To display information about attached OAM-enabled devices:
1.
Parameters
These parameters are displayed:
Loopback Mode of Remote Device
◆ Port – Port identifier. (Range: 1-28)
◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test.
◆ Loopback Status – Shows if loopback testing is currently running.
Loopback Test Parameters
◆ Packet Number – Number of packets to send.
■ Loss Rate – The percentage of packets for which there was no response.
Web Interface
To initiate a loop back test to the peer device attached to the selected port:
1. Click Administration, OAM, Remote Loop Back.
2. Select Remote Loopback Test from the Action list.
3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4.
◆ Loss Rate – The percentage of packets transmitted for which there was no response.
Web Interface
To display the results of remote loop back testing for each port for which this information is available:
1. Click Administration, OAM, Remote Loopback.
2. Select Show Test Result from the Action list.
automatically generated by maintenance points when connectivity faults or configuration errors are detected in the local maintenance domain.
two operator domains which include access points marked “O1” and “O2” respectively. The users of these domains can see their respective MEPs as well as all the MIPs within their domains. There is a service provider domain at the second level in the hierarchy.
message can also be sent using the MEP’s identifier. A reply indicates that the destination is reachable.
Link trace messages are used for fault verification. These messages are multicast frames sent out to track the hop-by-hop path to a target MEP within the same MA. Responses provide information on the ingress, egress, and relay action taken at each hop along the path, providing vital information about connectivity problems.
"Configuring CFM Maintenance Associations"), or setting the start-up delay for the cross-check operation (see "Configuring Global Settings for CFM"). You can also enable SNMP traps for events discovered by continuity check messages or crosscheck messages (see "Configuring Global Settings for CFM").
Use this command attribute to enable the link trace cache to store the results of link trace operations initiated on this device. Use the CFM Transmit Link Trace page (see "Transmitting Link Trace Messages") to transmit a link trace message. Link trace responses are returned from each MIP along the path and from the target MEP.
◆ Cross Check MEP Missing – Sends a trap if the cross-check timer expires and no CCMs have been received from a remote MEP configured in the static list.
A MEP Missing trap is sent if cross-checking is enabled, and no CCM is received for a remote MEP configured in the static list.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up.
Figure 338: Configuring Global Settings for CFM

Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
Command Usage
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
Figure 339: Configuring Interfaces for CFM

Configuring CFM Maintenance Domains
Use the Administration > CFM (Configure MD) pages to create and configure a Maintenance Domain (MD) which defines a portion of the network for which connectivity faults can be managed. Domain access points are set up on the boundary of a domain to provide end-to-end connectivity fault detection, analysis, and recovery.
hierarchy. This option is used to hide the structure of network at the lowest domain level.
The diagnostic functions provided by CFM can be used to detect connectivity failures between any pair of MEPs in an MA. Using MIPs allows these failures to be isolated to smaller segments of the network.
Table 37: Remote MEP Priority Levels (Continued)
Priority Level    Level Name    Description
5    xcon    DefXconCCM
6    noXcon    No defects DefXconCCM or lower are to be reported.

Table 38: MEP Defect Descriptions
Defect    Description
DefMACstatus    Either some remote MEP is reporting its Interface Status TLV as not isUp, or all remote MEPs are reporting a Port Status TLV that contains some value other than psUp.
A change to the hold time only applies to entries stored in the database after this attribute is changed.
◆ MEP Fault Notify Lowest Priority – The lowest priority defect that is allowed to generate a fault alarm. (Range: 1-6, Default: 2)
◆ MEP Fault Notify Alarm Time – The time that one or more defects must be present before a fault alarm is issued.
Figure 341: Showing Maintenance Domains
To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5. Specify the MEP archive hold and MEP fault notification parameters.
6.
Maintenance End Points” on page 534).
◆ An MA must be defined before any associated DSAPs or remote MEPs can be assigned (see “Configuring Remote Maintenance End Points” on page 535).
◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see “Configuring CFM Maintenance Domains” on page 525).
Each MA name must be unique within the CFM domain.
◆ Primary VLAN – Service VLAN ID. (Range: 1-4094)
This is the VLAN through which all CFM functions are executed for this MA.
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA:
■ Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass.
◆ AIS Status – Enables/disables suppression of the Alarm Indication Signal (AIS). (Default: Enabled)
◆ AIS Period – Configures the period at which AIS is sent in an MA. (Range: 1 or 60 seconds; Default: 1 second)
◆ AIS Transmit Level – Configures the AIS maintenance level in an MA.
3. Select Show from the Action list.
4. Select an entry from the MD Index list.

Figure 344: Showing Maintenance Associations

To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from MD Index and MA Index.
5.
Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
6. Click Apply.

Figure 346: Configuring Maintenance End Points

To show the configured maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.
◆ Remote MEPs can only be configured if local domain service access points (DSAPs) have already been created (see "Configuring Maintenance End Points") at the same maintenance level and in the same MA. DSAPs are MEPs that exist on the edge of the domain, and act as primary service access points for end-to-end cross-check, loop-back, and link-trace functions.
Figure 348: Configuring Remote Maintenance End Points

To show the configured remote maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.
◆ LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded.
◆ LTMs are used to isolate faults. However, this task can be difficult in an Ethernet environment, since each node is connected through multipoint links.
5. Click Apply.
6. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache").

Figure 350: Transmitting Link Trace Messages

Transmitting Loop Back Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e.
◆ Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191)
◆ Target
  ■ MEP ID – The identifier of a remote MEP that is the target of a loopback message. (Range: 1-8191)
  ■ MAC Address – MAC address of a remote MEP that is the target of a loopback message.
Transmitting Delay-Measure Requests
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.

Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this function.
◆ Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds; Default: 1 second)
◆ Timeout – The timeout to wait for a response. (Range: 1-5 seconds; Default: 5 seconds)

Web Interface
To transmit delay-measure messages:
1. Click Administration, CFM.
2. Select Transmit Delay Measure from the Step list.
3.
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Details for Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.

Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier.
◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.

Web Interface
To show detailed information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5.
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)

Parameters
These parameters are displayed:
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MA Name – Maintenance association name.
Displaying Details for Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

Parameters
These parameters are displayed:
◆ MD Index – Domain index.
  ■ Down – The interface cannot pass packets.
  ■ Testing – The interface is in some test mode.
  ■ Unknown – The interface status cannot be determined for some reason.
  ■ Dormant – The interface is not in a state to pass packets but is in a pending state, waiting for some external event.
  ■ Not Present – Some component of the interface is missing.
Displaying the Link Trace Cache
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.

Parameters
These parameters are displayed:
◆ Hops – The number of hops taken to reach the target MEP.
◆ MA – Maintenance association name.
◆ IP Address / Alias – IP address or DNS alias of the target device’s CPU.
  ■ HIT – Target located on this device.

Web Interface
To show information about link trace operations launched from this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Link Trace Cache from the Action list.
Web Interface
To show configuration settings for the fault notification generator:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Fault Notification Generator from the Action list.
  ■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
  ■ OVERLAP_LEV – A MEP is created for one VID at one maintenance level, but a MEP is configured on another VID at an equivalent or higher level, exceeding the bridge's capabilities.
◆ MA Name – The maintenance association for this entry.

Web Interface
To show CFM continuity check errors:
1.
OAM Configuration

◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.

Table 39: OAM Operation State
State | Description
Disabled | OAM is disabled on this interface via the OAM Admin Status.
Link Fault | The link has detected a fault or the interface is not operational.
  ■ Critical Event – If a critical event occurs, the local OAM entity indicates this to its peer by setting the appropriate flag in the next OAMPDU to be sent and stores this information in its OAM event log. (Default: Enabled)
    Critical events include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
Figure 361: Enabling OAM for Local Ports

Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ Clear – Clears statistical counters for the selected ports.
Web Interface
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.

Figure 362: Displaying Statistics for OAM Messages

Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.

Command Usage
◆ When a link event occurs, no matter whether the location is local or remote, this information is entered in the OAM event log.
Figure 363: Displaying the OAM Event Log

Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ MAC Address – MAC address of the OAM peer.
◆ OUI – Organizational Unit Identifier of the OAM peer.
Web Interface
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.

Figure 364: Displaying Status of Remote Interfaces

Configuring a Remote Loopback Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
◆ Loopback Status – Shows if loopback testing is currently running.

Loopback Test Parameters
◆ Packet Number – Number of packets to send. (Range: 1-99999999; Default: 10000)
◆ Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Test – Starts the loop back test.
◆ End – Stops the loop back test.

Loop Back Status of Remote Device
◆ Result – Shows the loop back status on the peer.
3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4. Set the number of packets to send and the packet size, and then click Test.
Figure 366: Displaying the Results of Remote Loop Back Testing

UDLD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Configuring UDLD Protocol Intervals
Use the Administration > UDLD > Configure Global page to configure the UniDirectional Link Detection message probe interval, detection interval, and recovery interval.

Parameters
These parameters are displayed:
◆ Message Interval – Configures the message interval between UDLD probe messages for ports in the advertisement phase and determined to be bidirectional.
Web Interface
To configure the UDLD message probe interval, detection interval, and recovery interval:
1. Click Administration, UDLD, Configure Global.
2. Select Configure Global from the Step list.
3. Configure the message and detection intervals.
4. Enable automatic recovery if required, and set the recovery interval.
5. Click Apply.
ends without the proper echo information being received, the link is considered to be unidirectional.
◆ Aggressive Mode – Reduces the shut-down delay after loss of bidirectional connectivity is detected. (Default: Disabled)
  UDLD can function in two modes: normal mode and aggressive mode.
Web Interface
To enable UDLD and aggressive mode:
1. Click Administration, UDLD, Configure Interface.
2. Enable UDLD and aggressive mode on the required ports.
3. Click Apply.

Figure 368: Configuring UDLD Interface Settings

Displaying UDLD Neighbor Information
Use the Administration > UDLD (Show Information) page to show UDLD neighbor information, including neighbor state, expiration time, and protocol intervals.
Web Interface
To display UDLD neighbor information:
1. Click Administration, UDLD, Show Information.
2. Select an interface from the Port list.

Figure 369: Displaying UDLD Neighbor Information

LBD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings.
Configuring Global Settings for LBD
Use the Administration > LBD (Configure Global) page to enable loopback detection globally, specify the interval at which to transmit control frames, the interval to wait before releasing an interface from shutdown state, the response to a detected loopback, and the traps to send.

Parameters
These parameters are displayed:
◆ Global Status – Enables loopback detection globally on the switch.
◆ Trap – Sends a trap when a loopback condition is detected, or when the switch recovers from a loopback condition. (Options: Both, Detect, None, Recover; Default: None)
  ■ Both – Sends an SNMP trap message when a loopback condition is detected, or when the switch recovers from a loopback condition.
  ■ Detect – Sends an SNMP trap message when a loopback condition is detected.
Configuring Interface Settings for LBD
Use the Administration > LBD (Configure Interface) page to enable loopback detection on an interface, to display the loopback operational state, and the VLANs which are looped back.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
  ■ Port – Port Identifier. (Range: 1-10/26/28/52)
  ■ Trunk – Trunk Identifier.
Smart Pair Configuration
Under the Administration > Smart Pair menus you can configure the Smart Pair ports and set the wait to restore delay for a globally configured Smart Pair. Additionally, you can show the Smart Pairs configured on the switch and, from the Show menu, manually restore traffic to a configured Smart Pair.

Usage Guidelines
◆ Spanning-Tree must be disabled on the port in order to configure it as part of a Smart Pair.
Figure 372: Configuring the Smart Pair Global Settings (Adding a Smart Pair)

Configuring Smart Pair Interface Settings
Use the Administration > Smart Pair (Configure Smart Pair Global) to add the port members of a Smart Pair. The ports must have spanning tree turned off to be available for selection.
5. Select the Smart Pair Backup Port from the Primary Port pull-down menu and check the box in front of the port ID.
6. Input the WTR delay time in seconds and check the box in front of the field.
7. Click Apply.

Figure 373: Configuring Interfaces for a Smart Pair

Show the Configured Smart Pair IDs
Use the Administration > Smart Pair (Configure Global) to show the configured Smart Pair IDs.
1. Click Administration, Smart Pair, Configure Smart Pair.
2. Select Configure from the Show menu.
3. Select the Smart Pair ID from the ID pull-down menu.
4. Click the Restore button to manually restore traffic to the primary port of a specified Smart Pair.
14 Multicast Filtering

This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast service, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
Figure 376: Multicast Filtering Concept (legend: Unicast Flow, Multicast Flow)

Layer 2 IGMP (Snooping and Query for IPv4)
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.

When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports. The primary enhancement provided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused.
the switch (page 584).

IGMP Snooping with Proxy Reporting – The switch supports last leave, and query suppression (as defined in DSL Forum TR-101, April 2006):
◆ When proxy reporting is disabled, all IGMP reports received by the switch are forwarded natively to the upstream multicast routers.
◆ Last Leave: Intercepts, absorbs and summarizes IGMP leaves coming from IGMP hosts.
Parameters
These parameters are displayed:
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping. (Default: Disabled)
  When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence (see “Setting IGMP Snooping Status per Interface” on page 586).
multicast traffic to be delivered only to those ports on which multicast group members have been learned. Otherwise, the time spent in flooding mode can be manually configured to reduce excessive loading.

When the spanning tree topology changes, the root bridge sends a proxy query to quickly re-learn the host membership/port relations for multicast channels.
This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
◆ Version Exclusive – Discards any received IGMP messages which use a version different to that currently configured by the IGMP Version attribute.
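To see which captured IGMP messages a Version Exclusive setting would discard, the following added example (not code from this guide or from the switch firmware) classifies raw IGMP payloads by protocol version using the type, length and Max Resp Code rules of RFC 2236 and RFC 3376. The function names, the verdict strings, the sample messages and the assumption that every well-formed message is accepted when Version Exclusive is off are all constructed for illustration.

```python
import struct

# IGMP message type codes (RFC 1112, RFC 2236, RFC 3376).
QUERY, V1_REPORT, V2_REPORT, V2_LEAVE, V3_REPORT = 0x11, 0x12, 0x16, 0x17, 0x22
REPORT_VERSION = {V1_REPORT: 1, V2_REPORT: 2, V2_LEAVE: 2, V3_REPORT: 3}


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum; 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, code: int, rest: bytes) -> bytes:
    """Build a constructed sample message with a correct checksum."""
    zeroed = struct.pack("!BBH", msg_type, code, 0) + rest
    return zeroed[:2] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[4:]


def igmp_version(msg: bytes) -> int:
    """Return 1, 2 or 3 for a well-formed IGMP message, else raise ValueError."""
    if len(msg) < 8:
        raise ValueError("shorter than the 8-byte IGMP header")
    if inet_checksum(msg) != 0:
        raise ValueError("checksum mismatch")
    msg_type, code = msg[0], msg[1]
    if msg_type == QUERY:
        # RFC 3376 section 7.1: queries are versioned by length and Max Resp Code.
        if len(msg) >= 12:
            return 3
        if len(msg) == 8:
            return 1 if code == 0 else 2
        raise ValueError("query length 9-11 is not valid in any version")
    if msg_type in REPORT_VERSION:
        return REPORT_VERSION[msg_type]
    raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")


def verdict(msg: bytes, configured_version: int, version_exclusive: bool) -> str:
    """Model of the Version Exclusive check (acceptance when off is an assumption)."""
    try:
        version = igmp_version(msg)
    except ValueError:
        return "discard-malformed"
    if version_exclusive and version != configured_version:
        return "discard-version"
    return "accept"


# Constructed sample messages (not captured traffic).
GROUP = bytes([239, 1, 1, 1])
SAMPLES = {
    "v1 general query": build_igmp(QUERY, 0, bytes(4)),
    "v2 general query": build_igmp(QUERY, 100, bytes(4)),
    # v3 query adds Resv/S/QRV, QQIC and a 16-bit source count after the group.
    "v3 general query": build_igmp(QUERY, 100, bytes(4) + bytes([0x02, 125, 0, 0])),
    "v2 report": build_igmp(V2_REPORT, 0, GROUP),
    "v2 leave": build_igmp(V2_LEAVE, 0, GROUP),
    # v3 report: reserved, record count 1, then one CHANGE_TO_EXCLUDE record.
    "v3 report": build_igmp(
        V3_REPORT, 0, struct.pack("!HH", 0, 1) + struct.pack("!BBH", 4, 0, 0) + GROUP
    ),
}


def triage(configured_version: int, version_exclusive: bool) -> dict:
    """Verdict for every sample under the given switch settings."""
    return {
        name: verdict(msg, configured_version, version_exclusive)
        for name, msg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in triage(configured_version=2, version_exclusive=True).items():
        print(f"{name:18} {result}")
```
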
Figure 377: Configuring General Settings for IGMP Snooping

Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.

Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Show Static Multicast Router
◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.
◆ Interface – Shows the interface to which the specified static multicast routers are attached.

Show Current Multicast Router
◆ VLAN – Selects the VLAN for which to display any currently active multicast routers.
◆ Interface – Shows the interface to which an active multicast router is attached.
Figure 379: Showing Static Interfaces Attached a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM) to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.

Command Usage
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
Parameters
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4094)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
joining the multicast group. Only when all hosts on that port leave the group will the member port be deleted.
◆ Multicast Router Discovery – MRD is used to discover which interfaces are attached to multicast routers. (Default: Disabled)
◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts.
◆ Query Interval – The interval between sending IGMP general queries. (Range: 2-31744 seconds; Default: 125 seconds)
  An IGMP general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
To resolve this problem, the source address in proxied IGMP query messages can be replaced with any valid unicast address (other than the router’s own address).

Web Interface
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
Figure 384: Showing Interface Settings for IGMP Snooping

Filtering IGMP Query Packets and Multicast Data
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.

Parameters
These parameters are displayed:
◆ Interface – Port or Trunk identifier.
5. Click Apply.

Figure 385: Dropping IGMP Query or Multicast Data Packets

Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 578).
Web Interface
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.
2. Select the VLAN for which to display this information.

Figure 386: Showing Multicast Groups Learned by IGMP Snooping

Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
◆ Self Querier Uptime – Time local querier has been up.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
Output Statistics
◆ Report – The number of IGMP membership reports sent from this interface.
◆ Leave – The number of leave messages sent from this interface.
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3. Select a VLAN.
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.

Figure 389: Displaying IGMP Snooping Statistics – Port

Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users.
switch randomly removes an existing group and replaces it with the new multicast group.

Enabling IGMP Filtering and Throttling
Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.

Parameters
These parameters are displayed:
◆ IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch.
Parameters
These parameters are displayed:

Add
◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295)
◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny)
  When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.

Figure 392: Showing the IGMP Filtering Profiles Created

To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4.
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
◆ Current Multicast Groups – Displays the current multicast groups the interface has joined.
◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny)
  ■ Deny - The new multicast group join report is dropped.
  ■ Replace - The new multicast group replaces an existing group.
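The filter profile and throttling settings described in this section combine into one per-port decision for each IGMP join. The following added example (a model written for this explanation, not switch firmware or code from this guide) walks a join through a profile and then the throttle. It assumes that a deny profile processes only groups outside its range and that the profile is evaluated before the group limit; the class names, verdict strings and sample addresses are constructed.

```python
import random
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


@dataclass
class Profile:
    """IGMP filter profile: an access mode plus controlled group ranges."""
    access_mode: str  # "permit" or "deny"
    ranges: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")

    def add_range(self, start: str, end: str) -> None:
        lo, hi = IPv4Address(start), IPv4Address(end)
        if not (lo.is_multicast and hi.is_multicast and lo <= hi):
            raise ValueError("range must be ordered IPv4 multicast addresses")
        self.ranges.append((lo, hi))

    def allows(self, group: IPv4Address) -> bool:
        in_range = any(lo <= group <= hi for lo, hi in self.ranges)
        # permit: joins are processed when the group is inside the range (page).
        # deny: joins are processed when the group is outside it (assumption).
        return in_range if self.access_mode == "permit" else not in_range


@dataclass
class Port:
    """Per-interface filter and throttle state."""
    max_groups: int
    throttle_action: str = "deny"  # page default for Throttling Action Mode
    profile: Optional[Profile] = None
    groups: Set[IPv4Address] = field(default_factory=set)


def handle_join(port: Port, group: str, rng=random) -> Tuple[str, Optional[IPv4Address]]:
    """Return (verdict, evicted_group) for one IGMP join report on a port."""
    addr = IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if addr in port.groups:
        return "already-member", None
    # Assumed order: profile first, then the group limit.
    if port.profile is not None and not port.profile.allows(addr):
        return "dropped-by-profile", None
    if len(port.groups) >= port.max_groups:
        if port.throttle_action == "deny":
            return "dropped-by-throttle", None
        # Replace: an existing group is removed at random to make room.
        evicted = rng.choice(sorted(port.groups))
        port.groups.remove(evicted)
        port.groups.add(addr)
        return "joined-replaced", evicted
    port.groups.add(addr)
    return "joined", None


if __name__ == "__main__":
    iptv = Profile("permit")
    iptv.add_range("239.1.1.0", "239.1.1.255")  # constructed sample range
    subscriber = Port(max_groups=2, profile=iptv)
    for g in ("239.1.1.1", "239.2.2.2", "239.1.1.2", "239.1.1.3"):
        print(g, handle_join(subscriber, g))
    subscriber.throttle_action = "replace"
    print("239.1.1.3", handle_join(subscriber, "239.1.1.3"))
```
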
MLD Snooping (Snooping and Query for IPv6)

include MLDv2 query and report messages, as well as MLDv1 report and done messages.

Remember that IGMP Snooping and MLD Snooping are independent functions, and can therefore both function at the same time.

Configuring MLD Snooping and Query
Use the Multicast > MLD Snooping > General page to configure the switch to forward multicast traffic intelligently.
receiving query packets) to have expired. (Range: 300-500 seconds; Default: 300 seconds)
◆ MLD Snooping Version – The protocol version used for compatibility with other devices on the network. This is the MLD version the switch uses to send snooping reports. (Range: 1-2; Default: 2)
◆ Unknown Multicast Mode – The action for dealing with unknown multicast packets.
◆ Immediate Leave Status – Immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate leave is enabled for the parent VLAN. (Default: Disabled)
  If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received.
◆ Interface – Activates the Port or Trunk scroll down list.
◆ Port or Trunk – Specifies the interface attached to a multicast router.
Web Interface
To specify a static interface attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3.
3. Select the VLAN for which to display this information.
Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
Figure 400: Showing Current Interfaces Attached to an IPv6 Multicast Router
Assigning Interfaces to IPv6 Multicast
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface.
Web Interface
To statically assign an interface to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Add Static Member from the Action list.
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an MLD-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.
To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch.
To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Current Member from the Action list.
3. Select the VLAN for which to display this information.
reception of packets sent to the given multicast address is requested from all IP source addresses, except for those listed in the exclude source-list and for any other sources where the source timer status has expired.
◆ Filter Timer Elapse – The Filter timer is only used when a specific multicast address is in Exclude mode. It represents the time for the multicast address filter mode to expire and change to Include mode.
◆ Report – The number of MLD membership reports received on this interface.
◆ Leave – The number of leave messages received on this interface.
◆ G Query – The number of general query messages received on this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages received on this interface.
◆ Drop – The number of times a report, leave or query was dropped.
◆ Number of Groups – Number of MLD groups active on the specified interface.
Physical Interface (Port/Trunk)
◆ Querier
Transmit
■ General – The number of general queries sent from this interface.
■ Group Specific – The number of group specific queries sent from this interface.
Received
■ General – The number of general queries received on this interface.
■ Other Uptime – Time remote querier has been up.
■ Other Expire – Time after which remote querier is assumed to have expired.
■ Self Addr – IPv6 address of local querier on this interface.
■ Self Expire – Time after which local querier is assumed to have expired.
■ Self Uptime – Time local querier has been up.
Transmit
■ General – The number of general queries sent from this interface.
Web Interface
To display MLD snooping input-related message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Input.
Figure 405: Displaying MLD Snooping Statistics – Input
To display MLD snooping output-related message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Output.
To display MLD query message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Query.
To display MLD summary statistics for a port or trunk:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a port or trunk.
To display MLD summary statistics for a VLAN:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a VLAN.
To clear MLD statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Clear.
3. Select All or enter the required interface.
4. Click Clear.
Multicast VLAN Registration for IPv4
[Figure 411: MVR Concept. Diagram labels: Multicast Router, Satellite Services, Multicast Server, Layer 2 Switch, Source Port, Service Network, Receiver Ports, Set-top Box, PC, TV]
Command Usage
◆ General Configuration Guidelines for MVR:
1. Enable MVR for a domain on the switch, and select the MVR VLAN (see “Configuring MVR Domain Settings” on page 623).
2.
Configuring MVR Global Settings
Use the Multicast > MVR (Configure Global) page to configure proxy switching and the robustness variable.
Parameters
These parameters are displayed:
◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter sets the general query interval at which active receiver ports send out general queries.
■ This interval is only effective when proxy switching is enabled.
Configuring MVR Domain Settings
Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
4. Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
◆ End IP Address – Ending IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Associate Profile
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Profile Name – The name of a profile to be assigned to this domain. (Range: 1-21 characters)
Web Interface
To configure an MVR group address profile:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3.
To show the configured MVR group address profiles:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 415: Displaying MVR Group Address Profiles
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 417: Showing the MVR Group Address Profiles Assigned to a Domain
Configuring MVR Interface Status
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
■ By Host IP – The router/querier will not send out a group-specific query when an IGMPv2/v3 leave message is received (the same as it would without this option having been used). Instead of immediately deleting that group, it will look up the record, and only delete the group if there are no other subscribers for it on the member port. Only when all hosts on that port leave the group will the member port be deleted.
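The difference between plain immediate leave and the By Host IP option can be seen in a small model. This is an added illustration, not code from the switch or from this guide; the class, the mode names and the sample addresses are constructed for the example.

```python
"""Toy model of leave handling on one MVR receiver port (added example)."""

MODES = ("immediate", "by-host-ip")  # hypothetical names for the two options


class ReceiverPort:
    def __init__(self, mode):
        if mode not in MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        # group address -> hosts still subscribed. A port using plain
        # immediate leave keeps no such record; the model tracks hosts in
        # both modes only so it can report who is cut off.
        self.members = {}

    def report(self, group, host):
        """A host behind this port joins a group."""
        self.members.setdefault(group, set()).add(host)

    def leave(self, group, host):
        """Handle a leave; return hosts that lose the stream while still joined."""
        hosts = self.members.get(group)
        if hosts is None:
            return []
        hosts.discard(host)
        if self.mode == "by-host-ip" and hosts:
            return []  # other subscribers remain, so the port stays a member
        # Plain immediate leave, or the last host has left: remove the port.
        stranded = sorted(hosts)
        del self.members[group]
        return stranded

    def forwarding(self):
        """Groups still forwarded to this port."""
        return sorted(self.members)


def replay(mode, events):
    """Replay (kind, group, host) events; return (stranded hosts, groups left)."""
    port = ReceiverPort(mode)
    stranded = []
    for kind, group, host in events:
        if kind == "report":
            port.report(group, host)
        elif kind == "leave":
            stranded += port.leave(group, host)
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return stranded, port.forwarding()


# Constructed sample: two set-top boxes behind one port watch the same group,
# then one of them changes channel.
EVENTS = [
    ("report", "239.1.1.1", "10.0.0.11"),
    ("report", "239.1.1.1", "10.0.0.12"),
    ("leave", "239.1.1.1", "10.0.0.11"),
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, replay(mode, EVENTS))
```

With two subscribers on the port, the plain immediate-leave run strands the second host, which is why the guide restricts that setting to ports with a single subscriber.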
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned.
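The address limits above, together with the profile ranges given for Start/End IP Address and Profile Name, can be checked before a profile or static group is entered in the web interface. The following is an added example, not part of the switch software; the `Profile` record and the sample profiles are constructed, and the rule that a static group must fall inside a configured profile is an assumption carried over from the MVR6 static group description.

```python
import ipaddress
from dataclasses import dataclass

# Limits quoted in this guide for MVR group addresses.
MVR_LOW = ipaddress.IPv4Address("224.0.1.0")
MVR_HIGH = ipaddress.IPv4Address("239.255.255.255")
RESERVED = ipaddress.IPv4Network("224.0.0.0/24")  # the 224.0.0.x block


@dataclass(frozen=True)
class Profile:  # hypothetical record, not a switch data structure
    name: str
    start: str
    end: str


def check_group_address(label, text):
    """Return (address or None, problems) for one group address string."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None, [f"{label} {text!r} is not an IPv4 address"]
    if addr in RESERVED:
        return addr, [f"{label} {addr} is in the reserved 224.0.0.x range"]
    if not MVR_LOW <= addr <= MVR_HIGH:
        return addr, [f"{label} {addr} is outside 224.0.1.0-239.255.255.255"]
    return addr, []


def check_profile(profile):
    """Return a list of problems with one MVR group address profile."""
    problems = []
    if not 1 <= len(profile.name) <= 21:
        problems.append("profile name must be 1-21 characters")
    start, found = check_group_address("start", profile.start)
    problems += found
    end, found = check_group_address("end", profile.end)
    problems += found
    if start is not None and end is not None and start > end:
        problems.append("start address is above end address")
    return problems


def covering_profiles(group, profiles):
    """Names of valid profiles whose range contains the group address."""
    addr = ipaddress.IPv4Address(group)
    return [
        p.name for p in profiles
        if not check_profile(p)
        and ipaddress.IPv4Address(p.start) <= addr <= ipaddress.IPv4Address(p.end)
    ]


def check_static_group(group, profiles):
    """Problems with a static group; coverage by a profile is an assumption."""
    addr, problems = check_group_address("group", group)
    if not problems and not covering_profiles(group, profiles):
        problems.append(f"group {addr} is not covered by any valid profile")
    return problems


# Constructed sample profiles.
PROFILES = [
    Profile("iptv-basic", "239.1.1.1", "239.1.1.20"),
    Profile("link-local", "224.0.0.5", "224.0.0.250"),
    Profile("backwards", "239.2.0.9", "239.2.0.1"),
]

if __name__ == "__main__":
    for p in PROFILES:
        print(p.name, check_profile(p) or "ok")
    for g in ("239.1.1.7", "224.0.0.251", "239.9.9.9"):
        print(g, check_static_group(g, PROFILES) or "ok")
```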
Figure 419: Assigning Static MVR Groups to an Interface
To show the static MVR groups assigned to an interface:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR domain.
5. Select the port or trunk for which to display this information.
◆ VLAN – The VLAN through which the service is received. Note that this may be different from the MVR VLAN if the group address has been statically assigned.
◆ Port – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
◆ Up Time – Time this service has been forwarded to attached clients.
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Port – Port identifier. (Range: 1-28)
◆ Trunk – Trunk identifier. (Range: 1-26)
Query Statistics
◆ Querier IP Address – The IP address of the querier on this interface.
◆ Querier Expire Time – The time after which this querier is assumed to have expired.
◆ General Query Received – The number of general queries received on this interface.
◆ Leave – The number of leave messages sent from this interface.
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
Web Interface
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
Figure 423: Displaying MVR Statistics – VLAN
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3.
Figure 424: Displaying MVR Statistics – Port
Multicast VLAN Registration for IPv6
MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv4” on page 619).
Command Usage
◆ General Configuration Guidelines for MVR6:
1. Enable MVR6 for a domain on the switch, and select the MVR VLAN (see “Configuring MVR6 Domain Settings” on page 639).
2.
Configuring MVR6 Global Settings
Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.
Parameters
These parameters are displayed:
◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter sets the general query interval at which active receiver ports send out general queries.
■ This interval is only effective when proxy switching is enabled.
Configuring MVR6 Domain Settings
Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
3. Select a domain from the scroll-down list.
4. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
Parameters
These parameters are displayed:
Configure Profile
◆ Profile Name – The name of a profile containing one or more MVR6 group addresses. (Range: 1-21 characters)
◆ Start IPv6 Address – Starting IP address for an MVR6 multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits.
◆ End IPv6 Address – Ending IP address for an MVR6 multicast group.
To show the configured MVR6 group address profiles:
1. Click Multicast, MVR6.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 428: Displaying MVR6 Group Address Profiles
To assign an MVR6 group address profile to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 430: Showing MVR6 Group Address Profiles Assigned to a Domain
Configuring MVR6 Interface Status
Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
no other subscribers for it on the member port. Only when all hosts on that port leave the group will the member port be deleted.
Web Interface
To configure interface settings for MVR6:
1. Click Multicast, MVR6.
2. Select Configure Interface from the Step list.
3. Select an MVR6 domain.
4. Click Port or Trunk.
5.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Interface – Port or trunk identifier.
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Group IPv6 Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR6 group range configured on the Configure General page.
Web Interface
To assign a static MVR6 group to an interface:
1.
4. Select an MVR6 domain.
5. Select the port or trunk for which to display this information.
Figure 433: Showing the Static MVR6 Groups Assigned to a Port
Displaying MVR6 Receiver Groups
Use the Multicast > MVR6 (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR6 receiver groups on each interface.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Web Interface
To display the interfaces assigned to the MVR6 receiver groups:
1. Click Multicast, MVR6.
2. Select Show Member from the Step list.
3. Select an MVR6 domain.
Figure 434: Displaying MVR6 Receiver Groups
Displaying MVR6 Statistics
Use the Multicast > MVR6 > Show Statistics pages to display MVR6 protocol-related statistics for the specified interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
VLAN, Port, and Trunk Statistics
Input Statistics
◆ Report – The number of MLD membership reports received on this interface.
◆ Leave – The number of leave messages received on this interface.
◆ G Query – The number of general query messages received on this interface.
Web Interface
To display statistics for MVR6 query-related messages:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR6 domain.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
15 Basic IP Functions
This chapter provides information on network functions including:
◆ Ping – Sends ping message to another node on the network.
◆ Trace – Sends ICMP echo request packets to another node on the network.
◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache.
Using the Ping Function
Use the Tools > Ping page to send ICMP echo request packets to another node on the network.
Parameters
These parameters are displayed:
◆ Host Name/IP Address – IPv4/IPv6 address or alias of the host.
◆ Probe Count – Number of packets to send. (Range: 1-16)
◆ Data Size – Number of bytes in a packet. (Range: 32-512 bytes for IPv4, 0-1500 bytes for IPv6) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
Web Interface
To ping another device on the network:
1.
Using the Trace Route Function
Use the Tools > Trace Route page to show the route packets take to the specified destination.
Command Usage
◆ Use the trace route function to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
Figure 439: Tracing the Route to a Network Device
Address Resolution Protocol
If static routes are added to the switch, the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the router will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request. Also, if the switch receives a request for its own IP address, it will send back a response, and also cache the MAC of the source device's IP address.
Web Interface
To configure the timeout for the ARP cache or to enable Proxy ARP for a VLAN (i.e., IP subnetwork):
1. Click Tools > ARP.
2. Select Configure General from the Step List.
3. Set the timeout to a suitable value for the ARP cache, or enable Proxy ARP for subnetworks that do not have routing or a default gateway.
4. Click Apply.
Parameters
These parameters are displayed:
◆ IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.)
◆ MAC Address – MAC address statically mapped to the corresponding IP address. (Valid MAC addresses are hexadecimal numbers in the format: xx-xx-xx-xx-xx-xx)
Web Interface
To map an IP address to the corresponding physical address in the ARP cache:
1.
Figure 443: Displaying Static ARP Entries
Displaying Dynamic or Local ARP Entries
Use the IP > ARP (Show Information – ARP Address) page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages.
Table 42: ARP Statistics (Continued)
Parameter | Description
Sent Request | Number of ARP Request packets sent by the router.
Sent Reply | Number of ARP Reply packets sent by the router.
Web Interface
To display ARP statistics:
1. Click Tools, ARP.
2. Select Show Information from the Step List.
3. Click Statistics.
16 IP Configuration
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can either be manually configured or dynamically generated.
Setting the Switch’s IP Address (IP Version 4)
◆ Once an IP address has been assigned to an interface, routing between different interfaces on the switch is enabled.
◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 689) or a default gateway (page 688).
Web Interface
To set a static IPv4 address for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask.
4. Select Primary or Secondary Address Type.
5. Click Apply.
Figure 447: Configuring a Dynamic IPv4 Address
Note: The switch will also broadcast a request for IP configuration settings on each power reset.
Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Figure 448: Showing the Configured IPv4 Address for an Interface
Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
■ An IPv6 address must be configured according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks. IPv6 nodes on the same network segment use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.
■ Configuring a value of 0 disables duplicate address detection.
■ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
■ Duplicate address detection is stopped on any interface that has been suspended (see “Configuring VLAN Groups” on page 171).
■ This time limit is included in all router advertisements sent out through an interface, ensuring that nodes on the same link use the same time value.
■ Setting the time limit to 0 means that the configured time is unspecified by this switch.
◆ Restart DHCPv6 – When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.
Web Interface
To configure general IPv6 settings for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Select VLAN mode.
4. Specify the VLAN to configure.
5. Enable IPv6 explicitly to automatically configure a link-local address and enable IPv6 on the selected interface. (To manually configure the link-local address, use the Add IPv6 Address page.
Figure 451: Configuring RA Guard for an IPv6 Interface
Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
■ You can also manually configure the global unicast address by entering the full address and prefix length.
◆ You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
◆ If a duplicate link-local address is detected on the local segment, this interface is disabled and a warning message displayed on the console.
inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address. For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A.
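The derivation described above, carried through for the guide's sample MAC address. This is an added example, not code from the switch software; the function names and the 2001:db8:2222:7272::/64 prefix are constructed. It goes one step beyond the passage by also reversing the mapping, which is useful when matching entries in an IPv6 neighbor cache to hardware addresses.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")


def parse_mac(text):
    """Parse an EUI-48 address written as xx-xx-xx-xx-xx-xx (or with colons)."""
    if not MAC_RE.match(text):
        raise ValueError(f"not an EUI-48 address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[-:]", text))


def modified_eui64(mac):
    """Return the 8-byte interface identifier for a 6-byte MAC address."""
    first = mac[0] ^ 0x02  # invert the universal/local bit (0x28 -> 0x2A)
    # Insert FFFE between the upper and lower three bytes of the MAC.
    return bytes([first]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def eui64_address(prefix, mac_text):
    """Combine a network prefix (64 bits or fewer) with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("an EUI-64 identifier needs a prefix of 64 bits or fewer")
    iid = int.from_bytes(modified_eui64(parse_mac(mac_text)), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr_text):
    """Recover the MAC embedded in an EUI-64 derived address, or None."""
    iid = int(ipaddress.IPv6Address(addr_text)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None  # identifier was not built by the EUI-64 rule
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return "-".join(f"{b:02X}" for b in mac)


if __name__ == "__main__":
    sample = "28-9F-18-1C-82-35"  # EUI-48 address used in the guide's example
    print(modified_eui64(parse_mac(sample)).hex("-").upper())
    print(eui64_address("fe80::/64", sample))                # link-local
    print(eui64_address("2001:db8:2222:7272::/64", sample))  # constructed prefix
    print(mac_from_eui64_address("fe80::2a9f:18ff:fe1c:8235"))
```

Because the identifier is reversible, an address generated this way discloses the interface's MAC address to any host that sees it.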
Showing IPv6 Addresses
Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface.
Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
3. Select a VLAN from the list.
Figure 453: Showing Configured IPv6 Addresses
Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Parameters
These parameters are displayed:
Table 43: Show IPv6 Neighbors - display description
Field | Description
IPv6 Address | IPv6 address of neighbor.
Table 43: Show IPv6 Neighbors - display description (Continued)
Field | Description
The following states are used for static entries:
◆ Incomplete - The interface for this entry is down.
◆ Permanent - Indicates a static entry.
◆ Reachable - The interface for this entry is up.
Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache.
VLAN | VLAN interface from which the address was reached.
feed back information about more suitable routes (that is, the next hop router) to use for a specific destination.
◆ UDP – User Datagram Protocol provides a datagram mode of packet switched communications. It uses IP as the underlying transport mechanism, providing access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
Table 44: Show IPv6 Statistics - display description (Continued)
Field | Description
Reassembled Succeeded | The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments.
Table 44: Show IPv6 Statistics - display description (Continued)
Field | Description
Parameter Problem Messages | The number of ICMP Parameter Problem messages received by the interface.
Echo Request Messages | The number of ICMP Echo (request) messages received by the interface.
Echo Reply Messages | The number of ICMP Echo Reply messages received by the interface.
Table 44: Show IPv6 Statistics - display description (Continued)
Field | Description
Group Membership Reduction Messages | The number of ICMPv6 Group Membership Reduction messages sent.
Multicast Listener Discovery Version 2 Reports | The number of MLDv2 reports sent by the interface.
UDP Statistics
Input | The total number of UDP datagrams delivered to UDP users.
Figure 456: Showing IPv6 Statistics (ICMPv6)
Figure 457: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 General IP Routing
This chapter provides information on network functions including:
◆ Static Routes – Configures static routes to other network segments.
◆ Routing Table – Displays routing entries learned through dynamic routing and statically configured entries.
Overview
This switch supports IP routing and routing path management via static routing definitions.
Chapter 17 | General IP Routing IP Routing and Switching
[Figure 459: Virtual Interfaces and Layer 3 Routing. Diagram labels: Inter-subnet traffic (Layer 3 switching); Routing; VLAN 1; VLAN 2; Tagged or Untagged; Intra-subnet traffic (Layer 2 switching)]
IP Routing and Switching
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
Chapter 17 | General IP Routing Configuring IP Routing Interfaces
Configuring IP Routing Interfaces
Configuring Local and Remote Interfaces
Use the IP > General > Routing Interface (Add Address) page to configure routing interfaces for directly connected IPv4 subnets (see “Setting the Switch’s IP Address (IP Version 4)” on page 663). Or use the IP > IPv6 Configuration pages to configure routing interfaces for directly connected IPv6 subnets (see “Setting the Switch’s IP Address (IP Version 6)” on page 667).
Chapter 17 | General IP Routing Configuring Static Routes Configuring Static Routes You can enter static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes can be set to force the use of a specific route to a subnet. Static routes do not automatically change in response to changes in network topology, so you should only configure a small number of stable routes to ensure network accessibility. Command Usage Up to 256 static routes can be configured.
Chapter 17 | General IP Routing Displaying the Routing Table
Figure 460: Configuring Static Routes
To display static routes:
1. Click IP, Routing, Static Routes.
2. Select Show from the Action List.
Figure 461: Displaying Static Routes
Displaying the Routing Table
Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces or through static routes.
FIB entry are a network prefix, a router (i.e., VLAN) interface, and next hop information.
◆ The Routing Table (and the “show ip route” command described in the CLI Reference Guide) only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with any static route entry must be up.
18 IP Services
This chapter describes the following IP services:
◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ DHCP Client – Specifies the DHCP client identifier for an interface.
◆ DHCP Relay – Enables DHCP relay service, and defines the servers to which client requests are forwarded.
◆ DHCP Server – Configures addresses to be allocated to networks or specific hosts.
Chapter 18 | IP Services Domain Name Service ◆ If one or more name servers are configured, but DNS is not yet enabled and the switch receives a DHCP packet containing a DNS field with a list of DNS servers, then the switch will automatically enable DNS host name-to-address translation. Parameters These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names.
◆ When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see “Configuring a List of Name Servers” on page 696).
◆ If all name servers are deleted, DNS will automatically be disabled.
Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
Command Usage
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 693).
To show the list of name servers:
1. Click IP Service, DNS.
2. Select Show Name Servers from the Action list.
Figure 467: Showing the List of Name Servers for DNS
Configuring Static DNS Host
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 468: Configuring Static Entries in the DNS Table
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 469: Showing Static Entries in the DNS Table
Displaying the DNS Cache
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
Chapter 18 | IP Services Dynamic Host Configuration Protocol ◆ TTL – The time to live reported by the name server. ◆ Host – The host name associated with this record. Web Interface To display entries in the DNS cache: 1. Click IP Service, DNS, Cache. Figure 470: Showing Entries in the DNS Cache Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up.
Table 46: Options 60, 66 and 67 Statements
Option   Statement Keyword          Statement Parameter
60       vendor-class-identifier    a string indicating the vendor class identifier
66       tftp-server-name           a string indicating the tftp server name
67       bootfile-name              a string indicating the bootfile name
By default, DHCP option 66/67 parameters are not carried in a DHCP server reply.
Web Interface
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
3. Click Apply.
Configuring DHCP Relay Agent Mode
Use the IP Service > DHCP > Relay page to configure the DHCP relay service mode as either a Layer 2 Relay Agent or a Layer 3 Relay Agent.
Command Usage
If the DHCP client subnet is different from the DHCP server subnet, configure the DHCP Relay Agent mode to L3. Otherwise, you can use the L2 option when both the client and server are located on the same subnet.
Figure 472: Configuring the DHCP Relay Agent mode
Configuring DHCP Layer 3 Relay Service
Use the IP Service > DHCP > L3 Relay page to configure DHCP relay service for attached host devices. If DHCP L3 relay mode is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server.
Web Interface
To configure DHCP L3 relay service:
1. Click IP Service, DHCP, L3 Relay.
2. Enter up to five IP addresses for DHCP servers or relay servers in order of preference for any VLAN.
3. Click Apply.
request, including the VLAN ID, stack unit, and port. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them onto the entire VLAN. The switch then forwards the packet to the DHCP server.
■ If the policy is “keep,” the DHCP request packet's option 82 content will be retained. The relay agent address is inserted into the DHCP request packet, and the switch then unicasts this packet to the DHCP server.
■ If the policy is “drop,” the original DHCP request packet is flooded onto the VLAN which received the packet but is not relayed.
◆ Insertion of Relay Information – Enable DHCP Option 82 information relay. (Default: Disabled)
◆ DHCP Option Policy – Specifies how to handle client requests which already contain DHCP Option 82 information:
■ Drop - Floods the original request packet onto the VLAN that received it instead of relaying it. (This is the default.
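The following Python example is added here and is not Edgecore code; it models what happens to a client request that already carries Option 82 under the "keep" and "drop" policies described above. The packet bytes are constructed for the example, and writing the relay address into the giaddr header field is an assumption about what the guide calls the relay agent address.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
GIADDR = slice(24, 28)               # relay agent address in the fixed header


def build_request(options: bytes) -> bytes:
    """Constructed client request: 236-byte BOOTP header, cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, 0x8000,       # xid, secs, flags (broadcast)
        b"", b"", b"", b"",          # ciaddr, yiaddr, siaddr, giaddr (zero-padded)
        bytes.fromhex("020000000001"), b"", b"",  # chaddr, sname, file
    )
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet: bytes) -> list:
    """Walk the code/length/value options; reject lengths that overrun."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = [], 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option header truncated")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options.append((code, value))
        i += 2 + length
    return options


def relay_decision(packet: bytes, relay_ip: str, policy: str):
    """Return (action, packet) for a client request under the given policy.

    "insert": no Option 82 present, so the switch adds its own (the encoding
              is not given in this section, so it is not built here).
    "flood":  policy drop; the original packet goes back onto the VLAN.
    "relay":  policy keep; Option 82 is kept as received, the relay address
              is written into giaddr (assumed field) and the packet unicast.
    """
    if policy not in ("keep", "drop"):
        raise ValueError("only the keep and drop policies are modelled")
    present = any(code == OPT_RELAY_INFO for code, _ in parse_options(packet))
    if not present:
        return "insert", packet
    if policy == "drop":
        return "flood", packet
    relayed = bytearray(packet)
    relayed[GIADDR] = ipaddress.IPv4Address(relay_ip).packed
    return "relay", bytes(relayed)


# Constructed sample: a DHCPDISCOVER that already carries Option 82
# (sub-option 1, circuit ID "port9") before it reaches the switch.
DISCOVER = bytes([53, 1, 1])
PRESET_82 = bytes([82, 7, 1, 5]) + b"port9"
SAMPLE = build_request(DISCOVER + PRESET_82)

if __name__ == "__main__":
    for policy in ("drop", "keep"):
        action, out = relay_decision(SAMPLE, "192.0.2.1", policy)
        print(policy, action, out[GIADDR].hex(), dict(parse_options(out))[82].hex())
```

Under "keep" the DHCP server receives the Option 82 bytes exactly as the downstream device sent them, so the run shows which fields of the relayed packet originate from the switch and which do not.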
Configuring the DHCP Server
This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service. It can also provide other network settings such as the domain name, default gateway, Domain Name Servers (DNS), Windows Internet Naming Service (WINS) name servers, or information on the bootup file for the host device to download.
3. Mark the Enabled box.
4. Click Apply.
Figure 478: Enabling the DHCP Server
Setting Excluded Addresses
Use the IP Service > DHCP > Server (Configure Excluded Addresses – Add) page to specify the IP addresses that should not be assigned to clients.
Parameters
These parameters are displayed:
◆ Start IP Address – Specifies a single IP address or the first address in a range that the DHCP server should not assign to DHCP clients.
Figure 479: Configuring Excluded Addresses on the DHCP Server
To show the IP addresses excluded for DHCP clients:
1. Click IP Service, DHCP, Server.
2. Select Configure Excluded Addresses from the Step list.
3. Select Show from the Action list.
found, it assigns an address from the matching network address pool. However, if no matching address pool is found the request is ignored.
◆ When searching for a manual binding, the switch compares the client identifier and then the hardware address for DHCP clients. Since BOOTP clients cannot transmit a client identifier, you must configure a hardware address for this host type.
◆ DNS Server – The IP address of the primary and alternate DNS server. DNS servers must be configured for a DHCP client to map host names to IP addresses.
◆ Netbios Server – IP address of the primary and alternate NetBIOS Windows Internet Naming Service (WINS) name server used for Microsoft DHCP clients.
◆ Netbios Type – NetBIOS node type for Microsoft DHCP clients.
Figure 481: Configuring DHCP Server Address Pools (Network)
Figure 482: Configuring DHCP Server Address Pools (Host)
To show the configured DHCP address pools:
1. Click IP Service, DHCP, Server.
2. Select Configure Pool from the Step list.
3. Select Show from the Action list.
Figure 483: Showing Configured DHCP Server Address Pools
Displaying Address Bindings
Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server.
Parameters
These parameters are displayed:
◆ IP Address – IP address assigned to host.
◆ MAC Address – MAC address of host.
◆ Lease Time – Duration that this IP address can be used by the host.
Enabling DHCP Dynamic Provision
Use the IP Service > DHCP > Dynamic Provision to enable dynamic provisioning via DHCP.
Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.
Chapter 18 | IP Services Configuring the PPPoE Intermediate Agent Configuring the PPPoE Intermediate Agent This section describes how to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
Web Interface
To configure global settings for PPPoE IA:
1. Click IP Service, PPPoE Intermediate Agent.
2. Select Configure Global from the Step list.
3. Enable the PPPoE IA on the switch, set the access node identifier, and set the generic error message.
4. Click Apply.
◆ Vendor Tag Strip – Enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. (Default: Disabled)
This parameter only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
Figure 487: Configuring Interface Settings for PPPoE Intermediate Agent
Showing PPPoE IA Statistics
Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ Received – Received PPPoE active discovery messages.
■ All – All PPPoE active discovery message types.
Web Interface
To show statistics for PPPoE IA protocol messages:
1. Click IP Service, PPPoE Intermediate Agent.
2. Select Show Statistics from the Step list.
3. Select Port or Trunk interface type.
Section III Appendices
This section provides additional information and includes these items:
◆ “Software Specifications” on page 723
◆ “Troubleshooting” on page 729
◆ “License Information” on page 731
A Software Specifications
Software Features
Management Authentication – Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
Client Access Control – Access Control Lists (2048 rules), Port Authentication (802.
Appendix A | Software Specifications Software Features VLAN Support Up to 4094 groups; port-based, protocol-based, tagged (802.
Appendix A | Software Specifications Management Features
Management Features
In-Band Management – Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management – RS-232 DB-9 console port
Software Loading – HTTP, FTP or TFTP in-band, or XModem out-of-band
SNMP – Management access via MIB database; Trap management to specified hosts
RMON – Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
Standards
Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.
Appendix A | Software Specifications Management Information Bases
IGMP (RFC 1112)
IGMPv2 (RFC 2236)
IGMPv3 (RFC 3376) - partial support
IGMP Proxy (RFC 4541)
IPv4 IGMP (RFC 3228)
MLD Snooping (RFC 4541)
NTP (RFC 1305)
RADIUS+ (RFC 2618)
RIPv1 (RFC 1058)
RIPv2 (RFC 2453)
RIPv2, extension (RFC 1724)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 1901, 2571)
SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
SNTP (RFC 2030)
SSH (Version 2.
IPV6-UDP-MIB (RFC 2054)
Link Aggregation MIB (IEEE 802.3ad)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
P-Bridge MIB (RFC 2674P)
Port Access Entity MIB (IEEE 802.1X)
Port Access Entity Equipment MIB
Power Ethernet MIB (RFC 3621)
Private MIB
Q-Bridge MIB (RFC 2674Q)
QinQ Tunneling (IEEE 802.
B Troubleshooting
Problems Accessing the Management Interface
Table 48: Troubleshooting Chart
Symptom – Action
Symptoms listed:
◆ Cannot connect using a web browser
◆ Cannot access the onboard configuration program via a serial port connection
◆ Forgot or lost the password
Actions:
Be sure the switch is powered on. Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Appendix B | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
C License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary
ACL – Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP – Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ – Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
ICMP – Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
IEEE 802.1D – Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q – VLAN Tagging: Defines Ethernet frame tags which carry VLAN information.
IGMP Query – On each subnetwork, one IGMP-capable device will act as the querier, that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
IGMP Snooping – Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
MIB – Management Information Base. It is a set of database objects that contains information about a specific device.
MRD – Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
Port Trunk – Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
QinQ – QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
QoS – Quality of Service.
SSH – Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
STA – Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
XModem – A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
E102019-CS-R04