2/28-Port Gigabit Ethernet Layer 2 Switch ECS4210-12P ECS4210-12T ECS4210-28P ECS4210-28T Web Management Guide Software Release v1.0.0.24 www.edge-core.
Web Management Guide ECS4210-12P Layer 2 Managed PoE Switch with 8 10/100/1000BASE-T (RJ-45) PoE Ports, 2 10/100/1000BASE-T (RJ-45) Ports, and 2 Gigabit SFP Uplink Ports ECS4210-12T Layer 2 Managed Switch with 8 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Uplink Ports ECS4210-28P Layer 2 Managed PoE Switch with 24 10/100/1000BASE-T (RJ-45) PoE Ports, and 4 Gigabit SFP Uplink Ports ECS4210-28T Layer 2 Managed Switch with 24 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Uplink Ports ECS4210-12
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Warning: Alerts you to a potential hazard that could cause personal injury.
Revision History
This section summarizes the changes in each revision of this guide.
How to Use This Guide April 2013 Revision This is the first version of this guide. This guide is valid for software release v1.0.0.12.
How to Use This Guide – 6 –
Contents Section I How to Use This Guide 3 Contents 7 Figures 17 Tables 29 Getting Started 31 1 Introduction 33 Key Features 33 Description of Software Features 34 System Defaults 39 2 Using the Web Interface Section II 43 Connecting to the Web Interface 43 Navigating the Web Browser Interface 44 Home Page 44 Configuration Options 45 Panel Display 46 Main Menu 47 Web Configuration 63 3 Basic Management Tasks 65 Displaying System Information 66 Displaying Hardware/Sof
Contents Managing System Files 71 Copying Files via FTP/TFTP or HTTP 71 Saving the Running Configuration to a Local File 73 Setting The Start-Up File 74 Showing System Files 74 Automatic Operation Code Upgrade 75 Setting the System Clock 79 Setting the Time Manually 79 Setting the SNTP Polling Interval 80 Configuring NTP 81 Configuring Time Servers 82 Setting the Time Zone 85 Configuring the Console Port 86 Configuring Telnet Settings 88 Displaying CPU Utilization 90 Displayin
Contents Traffic Segmentation 128 Enabling Traffic Segmentation 128 Configuring Uplink and Downlink Ports 129 VLAN Trunking 131 5 VLAN Configuration 135 IEEE 802.1Q VLANs 135 Configuring VLAN Groups 138 Adding Static Members to VLANs 140 Configuring Dynamic VLAN Registration 145 IEEE 802.
Contents Configuring Multiple Spanning Trees 196 Configuring Interface Settings for MSTP 200 8 Congestion Control 203 Rate Limiting 203 Storm Control 204 Automatic Traffic Control 206 Setting the ATC Timers 208 Configuring ATC Thresholds and Responses 209 9 Class of Service 213 Layer 2 Queue Settings 213 Setting the Default Priority for Interfaces 213 Selecting the Queue Mode 214 Mapping CoS Values to Egress Queues 217 Layer 3/4 Priority Settings 220 Setting Priority Processing
Contents Configuring AAA Authorization 262 Configuring User Accounts 265 Web Authentication 267 Configuring Global Settings for Web Authentication 267 Configuring Interface Settings for Web Authentication 268 Network Access (MAC Address Authentication) 270 Configuring Global Settings for Network Access 272 Configuring Network Access for Ports 273 Configuring Port Link Detection 275 Configuring a MAC Address Filter 276 Displaying Secure MAC Address Information 278 Configuring HTTPS 27
Contents Displaying ARP Inspection Statistics 317 Displaying the ARP Inspection Log 318 Filtering IP Addresses for Management Access 319 Configuring Port Security 321 Configuring 802.1X Port Authentication 323 Configuring 802.1X Global Settings 325 Configuring Port Authenticator Settings for 802.1X 326 Configuring Port Supplicant Settings for 802.1X 330 Displaying 802.
Contents Simple Network Management Protocol 385 Configuring Global Settings for SNMP 387 Setting the Local Engine ID 388 Specifying a Remote Engine ID 389 Setting SNMPv3 Views 390 Configuring SNMPv3 Groups 393 Setting Community Access Strings 398 Configuring Local SNMPv3 Users 399 Configuring Remote SNMPv3 Users 401 Specifying Trap Managers 403 Creating SNMP Notification Logs 407 Showing SNMP Statistics 409 Remote Monitoring 411 Configuring RMON Alarms 412 Configuring RMON Event
Contents Showing the MTU for Responding Destinations 15 IP Services 451 453 Domain Name Service 453 Configuring General DNS Service Parameters 453 Configuring a List of Domain Names 454 Configuring a List of Name Servers 456 Configuring Static DNS Host to Address Entries 457 Displaying the DNS Cache 458 Multicast Domain Name Service 459 Dynamic Host Configuration Protocol 460 Specifying A DHCP Client Identifier 460 Configuring DHCP Relay Option 82 461 16 Multicast Filtering 467 Ov
Contents Section III Configuring MVR Domain Settings 506 Configuring MVR Group Address Profiles 507 Configuring MVR Interface Status 510 Assigning Static MVR Multicast Groups to Interfaces 512 Displaying MVR Receiver Groups 514 Displaying MVR Statistics 515 Appendices 521 A Software Specifications 523 Software Features 523 Management Features 524 Standards 525 Management Information Bases 525 B Troubleshooting 527 Problems Accessing the Management Interface 527 Using System Log
Figures Figure 1: Home Page 44 Figure 2: Front Panel Indicators 46 Figure 3: System Information 67 Figure 4: General Switch Information 68 Figure 5: Configuring Support for Jumbo Frames 69 Figure 6: Displaying Bridge Extension Configuration 70 Figure 7: Copy Firmware 72 Figure 8: Saving the Running Configuration 73 Figure 9: Setting Start-Up Files 74 Figure 10: Displaying System Files 75 Figure 11: Configuring Automatic Code Upgrade 78 Figure 12: Manually Setting the System Clock 80
Figures Figure 30: Configuring Connections by Port Range 98 Figure 31: Displaying Port Information 99 Figure 32: Configuring Local Port Mirroring 99 Figure 33: Configuring Local Port Mirroring 100 Figure 34: Displaying Local Port Mirror Sessions 101 Figure 35: Configuring Remote Port Mirroring 101 Figure 36: Configuring Remote Port Mirroring (Source) 104 Figure 37: Configuring Remote Port Mirroring (Intermediate) 105 Figure 38: Configuring Remote Port Mirroring (Destination) 105 Figure 39
Figures Figure 65: Configuring VLAN Trunking 133 Figure 66: VLAN Compliant and VLAN Non-compliant Devices 136 Figure 67: Using GVRP 138 Figure 68: Creating Static VLANs 139 Figure 69: Modifying Settings for Static VLANs 140 Figure 70: Showing Static VLANs 140 Figure 71: Configuring Static Members by VLAN Index 143 Figure 72: Configuring Static VLAN Members by Interface 144 Figure 73: Configuring Static VLAN Members by Interface Range 144 Figure 74: Configuring Global Status of GVRP 146
Figures Figure 100: Showing the Source MAC Addresses to Mirror 174 Figure 101: Configuring Extended MAC Security on a VLAN 177 Figure 102: Configuring Extended MAC Security on a Port or Trunk 177 Figure 103: STP Root Ports and Designated Ports 180 Figure 104: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree 181 Figure 105: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree 181 Figure 106: Configuring Port Loopback Detection 183 Figure 107: Configuring Globa
Figures Figure 134: Setting the Trust Mode 221 Figure 135: Configuring DSCP to DSCP Internal Mapping 223 Figure 136: Showing DSCP to DSCP Internal Mapping 223 Figure 137: Configuring CoS to DSCP Internal Mapping 225 Figure 138: Showing CoS to DSCP Internal Mapping 225 Figure 139: Configuring a Class Map 229 Figure 140: Showing Class Maps 230 Figure 141: Adding Rules to a Class Map 231 Figure 142: Showing the Rules for a Class Map 231 Figure 143: Configuring a Policy Map 239 Figure 144:
Figures Figure 169: Configuring User Accounts 266 Figure 170: Showing User Accounts 267 Figure 171: Configuring Global Settings for Web Authentication 268 Figure 172: Configuring Interface Settings for Web Authentication 269 Figure 173: Configuring Global Settings for Network Access 273 Figure 174: Configuring Interface Settings for Network Access 275 Figure 175: Configuring Link Detection for Network Access 276 Figure 176: Configuring a MAC Address Filter for Network Access 277 Figure 177:
Figures Figure 204: Configuring VLAN Settings for ARP Inspection 316 Figure 205: Configuring Interface Settings for ARP Inspection 317 Figure 206: Displaying Statistics for ARP Inspection 318 Figure 207: Displaying the ARP Inspection Log 319 Figure 208: Creating an IP Address Filter for Management Access 320 Figure 209: Showing IP Addresses Authorized for Management Access 321 Figure 210: Configuring Port Security 323 Figure 211: Configuring Port Security 324 Figure 212: Configuring Global
Figures Figure 239: Displaying LLDP Device Statistics (General) 380 Figure 240: Displaying LLDP Device Statistics (Port) 381 Figure 241: Showing the Switch’s PoE Budget 382 Figure 242: Setting a Port’s PoE Budget 384 Figure 243: Configuring Global Settings for SNMP 388 Figure 244: Configuring the Local Engine ID for SNMP 389 Figure 245: Configuring a Remote Engine ID for SNMP 390 Figure 246: Showing Remote Engine IDs for SNMP 390 Figure 247: Creating an SNMP View 391 Figure 248: Showing S
Figures Figure 274: Showing Configured RMON Statistical Samples 420 Figure 275: Showing Collected RMON Statistical Samples 421 Figure 276: Configuring a Switch Cluster 423 Figure 277: Configuring Cluster Members 424 Figure 278: Showing Cluster Members 424 Figure 279: Showing Cluster Candidates 424 Figure 280: Managing a Cluster Member 425 Figure 281: Pinging a Network Device 428 Figure 282: Setting the ARP Timeout 430 Figure 283: Displaying ARP Entries 430 Figure 284: Configuring a Stat
Figures Figure 309: Multicast Filtering Concept 467 Figure 310: Configuring General Settings for IGMP Snooping 473 Figure 311: Configuring a Static Interface for a Multicast Router 475 Figure 312: Showing Static Interfaces Attached a Multicast Router 475 Figure 313: Showing Current Interfaces Attached a Multicast Router 476 Figure 314: Assigning an Interface to a Multicast Service 477 Figure 315: Showing Static Interfaces Assigned to a Multicast Service 477 Figure 316: Configuring IGMP Snoopi
Figures Figure 344: Showing the MVR Group Address Profiles Assigned to a Domain 509 Figure 345: Configuring Interface Settings for MVR 512 Figure 346: Assigning Static MVR Groups to a Port 513 Figure 347: Showing the Static MVR Groups Assigned to a Port 514 Figure 348: Displaying MVR Receiver Groups 515 Figure 349: Displaying MVR Statistics – Query 517 Figure 350: Displaying MVR Statistics – VLAN 518 Figure 351: Displaying MVR Statistics – Port 519
Tables Table 1: Key Features 33 Table 2: System Defaults 39 Table 3: Web Page Configuration Buttons 45 Table 4: Switch Main Menu 47 Table 5: Port Statistics 106 Table 6: LACP Port Counters 123 Table 7: LACP Internal Configuration Information 124 Table 8: LACP Remote Device Configuration Information 126 Table 9: Traffic Segmentation Forwarding 129 Table 10: MAC Address Isolation Matrix 168 Table 11: Recommended STA Path Cost Range 191 Table 12: Default STA Path Costs 191 Table 13: IE
Tables Table 30: Supported Notification Messages 394 Table 31: Address Resolution Protocol 429 Table 32: Show IPv6 Neighbors - display description 444 Table 33: Show IPv6 Statistics - display description 446 Table 34: Show MTU - display description 451 Table 35: RADIUS Server AVPs 484 Table 36: Troubleshooting Chart 527
Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the menu structure for the management interface.
1 Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Chapter 1 | Introduction Description of Software Features Table 1: Key Features (Continued) Feature Description IP Version 4 and 6 Supports IPv4 and IPv6 addressing, and management IEEE 802.
Chapter 1 | Introduction Description of Software Features authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
Chapter 1 | Introduction Description of Software Features STATIC MAC ADDRESSES A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
Chapter 1 | Introduction Description of Software Features convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). VIRTUAL LANS The switch supports up to 256 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard.
Chapter 1 | Introduction Description of Software Features QUALITY OF SERVICE Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 1 | Introduction
System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults (Continued)
Function: SNMP
  SNMP Agent: Enabled
  Community Strings: “public” (read only), “private” (read/write)
  Traps: Authentication traps: enabled; Link-up-down events: enabled
  SNMP V3: View: defaultview; Group: public (read only), private (read/write)
  Admin Status: Enabled
  Auto-negotiation: Enabled
  Flow Control: Disabled
  Static Trunks: None
  LACP (all ports): Disabled
  Rate Limiting: Disabled
  Storm Control: Broadca
Table 2: System Defaults (Continued)
Function: IP Settings
  Management VLAN: VLAN 1
  IP Address: DHCP
  Subnet Mask: 255.255.0.0
  Default Gateway: 0.0.0.
2 Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface commands issued through the web interface. See “Configuring Interface Settings for STA” on page 190. Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 300 seconds. Note: Connection to the web interface is not supported for HTTPS using an IPv6 link local address. Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface NOTE: You can open a connection to the vendor’s web site by clicking on the Edge-Core logo. Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Reset Description Page Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval 91 Interface 95 Port 95 General Configure by Port List Configures connection settings per port 95 Configure by Port Range Configures connection settings for a range of ports 97 Show Information Displays port connection status 98 99 Mirror Add Sets t
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Internal Displays configuration settings and operational state for the local side of a link aggregation 124 Neighbors Displays configuration settings and operational state for the remote side of a link aggregation 126 118 Configure Trunk Show Displays trunk connection settings 118 Configure Configures trunk connection settings 118 Show Member Show port members
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Configure Interface Description Page Sets the tunnel mode for any participating interface 153 154 Protocol 155 Configure Protocol Add Creates a protocol group, specifying supported protocols 155 Show Shows configured protocol groups 155 156 Configure Interface Add Maps a protocol group to a VLAN 156 Show Shows the protocol groups mapped to each VLAN 156 158 IP Subnet Add Ma
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Extended MAC Security Description Page Configures the maximum number of MAC addresses that can be learned on an interface, the movable-static function which allows a static address to be moved to another interface, and the sticky-dynamic function which prevents dynamic addresses already learned elsewhere from being learned at a specified interface.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page 213 Priority Default Priority Sets the default priority for each port or trunk 213 Queue Sets queue mode for the switch; sets the service weight for each queue that will use a weighted or hybrid mode 214 Trust Mode Selects IP Precedence, DSCP or CoS priority processing 220 221 DSCP to DSCP Add Maps DSCP values in incoming packets to per-hop behavior and drop prec
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page 245 Configure OUI Add Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer 245 Show Shows the OUI telephony list 245 Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filtering of non-VoIP packets, the method of detecting VoIP traffic, and the priority assigned to the voice
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page 265 User Accounts Add Configures user names, passwords, and access levels 265 Show Shows authorized users 265 Modify Modifies user attributes 265 Allows authentication and access to the network when 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Access Control Lists 290 Show TCAM Shows utilization parameters for TCAM 294 Add Adds an ACL based on IP or MAC address filtering 295 Show Shows the name and type of configured ACLs 295 Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes 295 Show Rule Shows the rules specified for an ACL 295 Binds a port to the spe
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu IP Source Guard Port Configuration Description Page Filters IP traffic based on static entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table 341 Enables IP source guard and selects filter type per port 341 343 Static Binding Add Adds a static address to the source-guard binding table 343 Show Shows static addresses in the source-guard binding table 3
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Power over Ethernet 381 Configure Global Displays the power budget for the switch 382 Configure Interface Configures port power parameters 383 Simple Network Management Protocol 385 Enables SNMP agent status, and sets related trap functions 387 PoE* SNMP Configure Global 388 Configure Engine Set Engine ID Sets the SNMP v3 engine ID on this switch 388 Add
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Remote Monitoring 411 Alarm Sets threshold bounds for a monitored variable 412 Event Creates a response event for an alarm 414 Alarm Shows all configured alarms 412 Event Shows all configured events 414 History Periodically samples statistics on a physical interface 416 Statistics Enables collection of statistics on a physical interface 419 History Show
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Interface Configures IPv6 interface address using auto-configuration or link-local address, and sets related protocol settings 435 Add IPv6 Address Adds a global unicast, EUI-64, or link-local IPv6 address to an interface 440 Show IPv6 Address Shows the IPv6 addresses assigned to an interface 442 Show IPv6 Neighbor Cache Displays information in the IPv6
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure VLAN Enables DHCP snooping on a VLAN 349 Configure Interface Sets the trust mode for an interface 350 Show Information Displays the DHCP Snooping binding information 352 467 Multicast 468 IGMP Snooping General Enables multicast filtering; configures parameters for multicast snooping 470 473 Multicast Router Add Static Multicast Router Assigns ports
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Port Statistics Shows statistics for protocol messages, number of active groups 485 Show Trunk Statistics Shows statistics for protocol messages, number of active groups 485 494 MLD Snooping General Enables multicast filtering; configures parameters for IPv6 multicast snooping 494 Interface Configures Immediate Leave status for a VLAN 496 496 Multicast Rou
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page 515 Show Statistics Show Query Statistics Shows statistics for query-related messages 515 Show VLAN Statistics Shows statistics for protocol messages and number of active groups 515 Show Port Statistics Shows statistics for protocol messages and number of active groups 515 Show Trunk Statistics Shows statistics for protocol messages and number of active groups 5
Section II Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
3 Basic Management Tasks
This chapter describes the following topics:
◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Chapter 3 | Basic Management Tasks
Displaying System Information
Use the System > General page to identify the system by displaying information such as the device name, location and contact information.
Parameters
These parameters are displayed:
◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem. (ECS4210-12P: 1.3.6.1.4.1.259.10.1.42.104, ECS4210-12T: 1.3.6.1.4.1.259.10.1.42.
Figure 3: System Information
Displaying Hardware/Software Versions
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Parameters
The following parameters are displayed:
Main Board Information
◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
Web Interface
To view hardware and software version information:
1. Click System, then Switch.
Figure 4: General Switch Information
Configuring Support for Jumbo Frames
Use the System > Capability page to configure support for Layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
Web Interface
To configure support for jumbo frames:
1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.
Figure 5: Configuring Support for Jumbo Frames
Displaying Bridge Extension Capabilities
Use the System > Capability page to display settings based on the Bridge MIB.
◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 135.)
◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch.
◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch.
Managing System Files
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
Copying Files via FTP/TFTP or HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP. By backing up a file to an FTP/TFTP server or management station, that file can later be downloaded to the switch to restore operation.
Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
Note: The maximum number of user-defined configuration files is limited only by available flash memory space.
Note: The file “Factory_Default_Config.cfg” can be copied to a TFTP server or management station, but cannot be used as the destination file name on the switch.
Web Interface
To copy firmware files:
1.
Saving the Running Configuration to a Local File
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can be subsequently set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
Setting The Start-Up File
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
Web Interface
To set a file to use for system initialization:
1. Click System, then File.
2. Select Set Start-Up from the Action list.
3.
3. To delete a file, mark it in the File List and click Delete.
Figure 10: Displaying System Files
Automatic Operation Code Upgrade
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
from the server even though ECS4210-SERIES.bix was requested). However, keep in mind that the file systems of many operating systems such as Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, ecs4210-series.bix and ECS4210-SERIES.bix are considered to be unique files. Thus, if the upgrade file is stored as ECS4210-SERIES.
The following syntax must be observed: tftp://host[/filedir]/
■ tftp:// – Defines TFTP protocol for the server connection.
■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
■ tftp://192.168.0.1/switches/opcode/ – The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented:
■ ftp://192.168.0.1/ – The user name and password are empty, so “anonymous” will be the user name and the password will be blank.
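The URL rules above, and the file-name case-sensitivity caveat from the preceding paragraph, as an added example that is not part of the guide or of Edge-Core's software: a Python checker that accepts only the tftp://host[/filedir]/ form (and the ftp:// form shown), insists on a dotted-quad IPv4 host, rejects directory components that would point outside the server root, and reports the path the switch will request. The ftp://user:password@host credential form and the find_upgrade_file helper are assumptions added here, not something this page documents.

```python
"""Validate the file-server URL the ECS4210 automatic operation code upgrade
uses (tftp://host[/filedir]/ and the ftp:// form) and work out which file the
switch will request.  Added example, not Edge-Core code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Guide: host is four numbers, 0 to 255, separated by periods; DNS host names
# are not recognized.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4_RE = re.compile(_OCTET + r"(?:\." + _OCTET + r"){3}")

# Image file name the guide shows the switch requesting; the switch appends it
# to the directory part of the URL.
DEFAULT_IMAGE = "ECS4210-SERIES.bix"


class UpgradeUrlError(ValueError):
    """The URL does not follow the tftp://host[/filedir]/ form."""


@dataclass
class UpgradeServer:
    scheme: str               # "tftp" or "ftp"
    host: str                 # dotted-quad IPv4 literal
    filedir: str              # directory relative to the server root, "" = root
    user: str = "anonymous"   # ftp only; guide: empty user name -> "anonymous"
    password: str = ""        # ftp only; guide: empty password -> blank


def parse_upgrade_url(url: str) -> UpgradeServer:
    m = re.fullmatch(r"(tftp|ftp)://(.*)", url)
    if not m:
        raise UpgradeUrlError("scheme must be tftp:// or ftp://")
    scheme, rest = m.group(1), m.group(2)
    authority, slash, path = rest.partition("/")
    if not slash:
        raise UpgradeUrlError("URL must end with '/' after the host or directory")
    user, password = "anonymous", ""
    # Assumption: credentials use the standard ftp://user:password@host form;
    # the guide shows only the credential-less ftp://192.168.0.1/ case here.
    if "@" in authority:
        if scheme != "ftp":
            raise UpgradeUrlError("user name/password are only valid with ftp://")
        userinfo, authority = authority.rsplit("@", 1)
        user, _, password = userinfo.partition(":")
        user = user or "anonymous"
    if not _IPV4_RE.fullmatch(authority):
        raise UpgradeUrlError(f"host {authority!r} must be a dotted-quad IPv4 "
                              "address (DNS host names are not recognized)")
    if path and not path.endswith("/"):
        raise UpgradeUrlError("directory part must end with '/'")
    segments = path[:-1].split("/") if path else []
    # filedir is relative to the server root: reject empty, '.' and '..'
    # components so the request path cannot point outside that directory.
    for seg in segments:
        if seg in ("", ".", ".."):
            raise UpgradeUrlError(f"invalid directory component {seg!r}")
    return UpgradeServer(scheme, authority, "/".join(segments), user, password)


def is_valid_upgrade_url(url: str) -> bool:
    try:
        parse_upgrade_url(url)
        return True
    except UpgradeUrlError:
        return False


def requested_path(server: UpgradeServer, image: str = DEFAULT_IMAGE) -> str:
    """Path the switch asks the server for: the directory plus the image name."""
    return f"/{server.filedir}/{image}" if server.filedir else f"/{image}"


def find_upgrade_file(listing: List[str], image: str = DEFAULT_IMAGE,
                      case_sensitive: bool = True) -> Optional[str]:
    """Directory entry a server would serve for `image`, or None.

    Unix-like servers (FreeBSD, NetBSD, OpenBSD, Linux) are case-sensitive, so
    only an exact name matches; a case-insensitive server also serves a
    differently-cased copy, which is the mismatch the guide warns about."""
    for name in listing:
        if name == image or (not case_sensitive and name.lower() == image.lower()):
            return name
    return None


if __name__ == "__main__":
    for candidate in ("tftp://192.168.0.1/switches/opcode/", "ftp://192.168.0.1/",
                      "tftp://tftp.example.net/", "tftp://192.168.0.1/../etc/"):
        if is_valid_upgrade_url(candidate):
            srv = parse_upgrade_url(candidate)
            print(f"{candidate:40} ok, requests {requested_path(srv)}")
        else:
            print(f"{candidate:40} rejected")
    print(find_upgrade_file(["ecs4210-series.bix"], case_sensitive=False))
```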
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
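As an added example (not from the guide or Edge-Core), this Python parser turns the bootup messages above into an event a console-log reviewer can check: it extracts the current and new versions, confirms the image found really is newer than the running one, and flags an upgrade whose version is not on an operator-maintained approved list. The approved list is an assumption, not a switch feature, and SAMPLE_LOG is constructed from the message lines the guide lists.

```python
"""Parse the bootup messages the guide lists for an automatic operation code
upgrade and turn them into a reviewable event.  Added example, not Edge-Core
code; SAMPLE_LOG is constructed from the message lines in the guide."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample: the message sequence the guide shows during bootup.
SAMPLE_LOG = [
    "Automatic Upgrade is looking for a new image",
    "New image detected: current version 1.0.1.5; new version 1.1.2.0",
    "Image upgrade in progress",
    "The switch will restart after upgrade succeeds",
    "Downloading new image",
    "Flash programming started",
    "Flash programming completed",
    "The switch will now restart",
]

START_MSG = "Automatic Upgrade is looking for a new image"
COMPLETED_MSG = "Flash programming completed"
_DETECTED_RE = re.compile(
    r"New image detected: current version (\S+); new version (\S+)")


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted version string to a tuple that compares numerically,
    so '1.0.10.0' sorts above '1.0.9.0' (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class UpgradeEvent:
    current: Optional[str] = None           # running version before the upgrade
    new: Optional[str] = None               # version found on the file server
    messages: List[str] = field(default_factory=list)

    @property
    def completed(self) -> bool:
        return COMPLETED_MSG in self.messages

    @property
    def is_newer(self) -> bool:
        """True when the image found really is newer than the running one."""
        if self.current is None or self.new is None:
            return False
        return version_key(self.new) > version_key(self.current)


def parse_upgrade_log(lines: Iterable[str]) -> Optional[UpgradeEvent]:
    """Return the last automatic-upgrade event in the console output, or None."""
    event = None
    for raw in lines:
        line = raw.strip()
        if line == START_MSG:
            event = UpgradeEvent()          # a new search starts a new event
        elif event is not None:
            m = _DETECTED_RE.search(line)
            if m:
                event.current, event.new = m.group(1), m.group(2)
            elif line:
                event.messages.append(line)
    return event


def review(event: Optional[UpgradeEvent], approved: Set[str]) -> List[str]:
    """Findings for a log reviewer.  `approved` (an assumption, not a switch
    feature) is the set of firmware versions the operator expects to see."""
    if event is None:
        return ["no automatic upgrade activity"]
    if event.new is None:
        return ["upgrade search ran but no new image was detected"]
    findings = []
    if event.new not in approved:
        findings.append(f"version {event.new} is not in the approved list")
    if not event.is_newer:
        findings.append(f"{event.new} is not newer than running {event.current}")
    if event.completed:
        findings.append(f"flash reprogrammed from {event.current} to {event.new}; "
                        "switch restarts on the new image")
    return findings


if __name__ == "__main__":
    for finding in review(parse_upgrade_log(SAMPLE_LOG), {"1.1.2.0"}):
        print(finding)
```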
Web Interface – To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manually from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5. Click Apply.
Figure 13: Setting the Polling Interval for SNTP
Configuring NTP – Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
Parameters – The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 14: Configuring NTP
Configuring Time Servers – Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
Specifying SNTP Time Servers – Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers.
Chapter 3 | Basic Management Tasks Setting the System Clock Specifying NTP Time Servers Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers. Parameters The following parameters are displayed: ◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers. The switch will poll the specified time servers for updates when the clock maintenance type is set to NTP on the System > Time (Configure General) page.
Chapter 3 | Basic Management Tasks Setting the System Clock To show the list of configured NTP time servers: 1. Click System, then Time. 2. Select Configure Time Server from the Step list. 3. Select Show NTP Server from the Action list. Figure 17: Showing the NTP Time Server List Specifying NTP Authentication Keys Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Chapter 3 | Basic Management Tasks Setting the System Clock Figure 18: Adding an NTP Authentication Key To show the list of configured NTP authentication keys: 1. Click System, then Time. 2. Select Configure Time Server from the Step list. 3. Select Show NTP Authentication Key from the Action list. Figure 19: Showing the NTP Authentication Key List Setting the Time Zone Use the System > Time (Configure Time Server) page to set the time zone.
Chapter 3 | Basic Management Tasks Configuring the Console Port
Web Interface – To set your local time zone: 1. Click System, then Time. 2. Select Configure Time Zone from the Action list. 3. Set the offset for your time zone relative to UTC in hours and minutes. 4. Click Apply. Figure 20: Setting the Time Zone
Configuring the Console Port – Use the System > Console menu to configure connection parameters for the switch’s console port.
Chapter 3 | Basic Management Tasks Configuring the Console Port ◆ Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
Chapter 3 | Basic Management Tasks Configuring Telnet Settings
Figure 21: Console Port Settings
Configuring Telnet Settings – Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, timeouts, and a password.
Chapter 3 | Basic Management Tasks Configuring Telnet Settings ◆ Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
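The threshold-and-silence behaviour described for both the console port and Telnet can be modelled to check how the interface behaves under a stream of failed logons and to spot the same pattern in logs. The Python below is an added example and not code from this guide or from the switch; the threshold of 3, the 600-second silent time and the log line format in SAMPLE_LOG are constructed for the example (the switch's own defaults and log format are not shown on this page).

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, Optional, Set, Tuple


@dataclass
class LoginGuard:
    """Models the Password Threshold / Silent Time behaviour: once `threshold`
    consecutive logon failures are seen, the interface answers nothing for
    `silent_time` seconds, then starts counting afresh. The numbers are
    constructed defaults for the example, not the switch's defaults."""
    threshold: int = 3
    silent_time: float = 600.0
    failures: int = 0
    silent_until: Optional[float] = None

    def attempt(self, now: float, credentials_ok: bool) -> str:
        """Return 'ok', 'fail' or 'silent' for a logon attempt at time `now`."""
        if self.silent_until is not None:
            if now < self.silent_until:
                return "silent"       # ignored outright; credentials are not checked
            self.silent_until = None  # silent period elapsed, counter restarts
            self.failures = 0
        if credentials_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold:
            self.silent_until = now + self.silent_time
        return "fail"


# Constructed log format for the example; the switch's log format is not shown here.
_LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<svc>console|telnet) login (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+)(?: from=(?P<src>\S+))?$")


def brute_force_sources(lines: Iterable[str], threshold: int, window: float) -> Set[Tuple[str, str]]:
    """Flag (service, source) pairs with `threshold` or more failed logons
    inside `window` seconds, the log-side view of the threshold being hit."""
    recent: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        key = (m["svc"], m["src"] or "local")   # console logons have no remote source
        ts = int(m["ts"])
        if m["result"] == "OK":
            recent[key].clear()                 # a success resets the run of failures
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:         # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged


SAMPLE_LOG = [  # constructed sample lines
    "100 telnet login FAILED user=admin from=10.0.0.9",
    "101 telnet login FAILED user=admin from=10.0.0.9",
    "102 telnet login FAILED user=admin from=10.0.0.9",
    "150 telnet login OK user=admin from=10.0.0.5",
    "200 console login FAILED user=admin",
]
```

Note that during the silent period even a correct password is not evaluated, so a legitimate administrator is locked out too; the Silent Time value is a trade-off between slowing guessing and that denial of service.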
Chapter 3 | Basic Management Tasks Displaying CPU Utilization Displaying CPU Utilization Use the System > CPU Utilization page to display information on CPU utilization. Parameters The following parameters are displayed: ◆ Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second) ◆ CPU Utilization – CPU utilization over specified interval. Web Interface To display CPU utilization: 1. Click System, then CPU Utilization. 2.
Chapter 3 | Basic Management Tasks Displaying Memory Utilization Displaying Memory Utilization Use the System > Memory Status page to display memory utilization parameters. Parameters The following parameters are displayed: ◆ Free Size – The amount of memory currently free for use. ◆ Used Size – The amount of memory allocated to active processes. ◆ Total – The total amount of system memory. Web Interface To display memory utilization: 1. Click System, then Memory Status.
Chapter 3 | Basic Management Tasks Resetting the System Parameters The following parameters are displayed: System Reload Information ◆ Reload Settings – Displays information on the next scheduled reload and selected reload mode as shown in the following example: “The switch will be rebooted at March 9 12:00:00 2012. Remaining Time: 0 days, 2 hours, 46 minutes, 5 seconds. Reloading switch regularly time: 12:00 everyday.” ◆ Refresh – Refreshes reload information.
■ Monthly - Day of the month at which to reload. (Range: 1-31) Web Interface – To restart the switch: 1. Click System, then Reset. 2. Select the required reload mode. 3. For any option other than to reset immediately, fill in the required parameters. 4. Click Apply. 5. When prompted, confirm that you want to reset the switch.
Figure 26: Restarting the Switch (In)
Figure 27: Restarting the Switch (At)
Figure 28: Restarting the Switch (Regularly)
4 Interface Configuration This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch. ◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
Chapter 4 | Interface Configuration Port Configuration mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface. ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
Chapter 4 | Interface Configuration Port Configuration ◆ Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) ◆ Flow Control – Allows automatic or manual selection of flow control. Web Interface To configure port connection parameters: 1. Click Interface, Port, General. 2. Select Configure by Port List from the Action List. 3. Modify the required interface settings. 4. Click Apply.
5. Click Apply. Figure 30: Configuring Connections by Port Range
Displaying Connection Status – Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and autonegotiation. Parameters – These parameters are displayed: ◆ Port – Port identifier. ◆ Type – Indicates the port type. (1000Base-T, 100Base SFP or 1000Base SFP) ◆ Name – Interface label.
Web Interface – To display port connection parameters: 1. Click Interface, Port, General. 2. Select Show Information from the Action List. Figure 31: Displaying Port Information
Configuring Local Port Mirroring – Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
Mirroring” on page 173), the target port cannot be set to the same target port as that used for port mirroring. ◆ When traffic matches the rules for both port mirroring and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring. ◆ Note that Spanning Tree BPDU packets are not mirrored to the target port.
To display the configured mirror sessions: 1. Click Interface, Port, Mirror. 2. Select Show from the Action List. Figure 34: Displaying Local Port Mirror Sessions
Configuring Remote Port Mirroring – Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
◆ Configuration Guidelines – Take the following steps to configure an RSPAN session: 1. Use the VLAN Static List (see “Configuring VLAN Groups” on page 138) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN” field on this page). (Default VLAN 1 is prohibited.) 2. Set up the source switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Source), the RSPAN VLAN, and the uplink port.
Chapter 4 | Interface Configuration Port Configuration RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. ■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Also note that a destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Figure 37: Configuring Remote Port Mirroring (Intermediate)
Figure 38: Configuring Remote Port Mirroring (Destination)
Showing Port or Trunk Statistics – Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Parameters – These parameters are displayed:
Table 5: Port Statistics
Interface Statistics
Received Octets – The total number of octets received on the interface, including framing characters.
Transmitted Octets – The total number of octets transmitted out of the interface, including framing characters.
Table 5: Port Statistics (Continued)
Deferred Transmissions – A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy.
Frames Too Long – A count of frames received on a particular interface that exceed the maximum permitted frame size.
Alignment Errors – The number of alignment errors (missynchronized data packets).
Table 5: Port Statistics (Continued)
65-127 Byte Packets, 128-255 Byte Packets, 256-511 Byte Packets, 512-1023 Byte Packets, 1024-1518 Byte Packets, 1519-1536 Byte Packets – The total number of packets (including bad packets) received and transmitted where the number of octets falls within the specified range (excluding framing bits but including FCS octets).
Chapter 4 | Interface Configuration Port Configuration To show a chart of port statistics: 1. Click Interface, Port, Chart. 2. Select the statistics mode to display (Interface, Etherlike, RMON or All). 3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Performing Cable Diagnostics – Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault. Otherwise, it reports the cable length. It can be used to determine the quality of the cable, connectors, and terminations.
Web Interface – To test the cable attached to a port: 1. Click Interface, Port, Cable Test. 2. Click Test for any port to start the cable test. Figure 41: Performing Cable Tests
Configuring Port Isolation – Port isolation can be used to restrict the traffic types or protocol types allowed to pass between specified ports.
Chapter 4 | Interface Configuration Port Configuration 3. Enable or disable port isolation as required. 4. Click Apply. Figure 42: Enabling Port Isolation Globally Configuring Port Isolation Profiles Use the Interface > Port > Isolation (Configure Profile - Add) page to set the traffic type or protocol type to include in a profile. Command Usage ◆ An isolation profile can include any number of traffic or protocol types.
Figure 43: Configuring Port Isolation Profiles To display the configured settings for a profile: 1. Click Interface, Port, Isolation. 2. Select Configure Profile from the Step list. 3. Select Show from the Action list. Figure 44: Displaying Port Isolation Profiles
Assigning Port Isolation Profiles – Use the Interface > Port > Isolation (Configure Interface) page to assign a profile to an uplink or downlink port.
◆ When a profile is assigned to a port, any traffic attributes not defined in the profile are subject to normal switching rules. Parameters – These parameters are displayed: ◆ Profile ID – Profile identifier. (Range: 1-26) ◆ Port – Port identifier. (Range: 1-12/28) ◆ Uplink Port Group – Port connected to an upstream interface. ◆ Isolated Port Group – Port connected to a downstream interface.
Chapter 4 | Interface Configuration Trunk Configuration Trunk Configuration This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 8/12 trunks at a time on the switch.
Configuring a Static Trunk – Use the Interface > Trunk > Static pages to create a trunk, assign member ports, and configure the connection parameters.
Figure 46: Configuring Static Trunks (statically configured active links)
Command Usage ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation.
Chapter 4 | Interface Configuration Trunk Configuration Figure 47: Creating Static Trunks To add member ports to a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure Trunk from the Step list. 3. Select Add Member from the Action list. 4. Select a trunk identifier. 5. Set the unit and port for an additional trunk member. 6. Click Apply. Figure 48: Adding Static Trunks Members To configure connection parameters for a static trunk: 1. Click Interface, Trunk, Static. 2.
Chapter 4 | Interface Configuration Trunk Configuration Figure 49: Configuring Connection Parameters for a Static Trunk To display trunk connection parameters: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3. Select Show Information from the Action list.
Chapter 4 | Interface Configuration Trunk Configuration ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. ◆ If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
By default, the Actor Admin Key is determined by the port's link speed, and copied to the Oper Key. The Partner Admin Key is assigned zero, and the Oper Key is set based upon LACP PDUs received from the Partner. ◆ System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
Chapter 4 | Interface Configuration Trunk Configuration Figure 52: Configuring the LACP Aggregator Admin Key To enable LACP for a port: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click General. 5. Enable LACP on the required ports. 6. Click Apply. Figure 53: Enabling LACP on a Port To configure LACP parameters for group members: 1. Click Interface, Trunk, Dynamic. 2.
Chapter 4 | Interface Configuration Trunk Configuration 5. Configure the required settings. 6. Click Apply. Figure 54: Configuring LACP Parameters on a Port To configure the connection parameters for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step list. 3. Select Configure from the Action list. 4. Modify the required interface settings. (Refer to “Configuring by Port List” on page 95 for a description of the parameters.) 5. Click Apply.
Chapter 4 | Interface Configuration Trunk Configuration Figure 56: Displaying Connection Parameters for Dynamic Trunks To show the port members of dynamic trunks: 1. Click Interface, Trunk, Dynamic. 2. Select Configure General from the Step list. 3. Select Show Member from the Action list.
Chapter 4 | Interface Configuration Trunk Configuration Web Interface To display LACP port counters: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Show Information from the Action list. 4. Click Counters. 5. Select a group member from the Port list.
Chapter 4 | Interface Configuration Trunk Configuration Table 7: LACP Internal Configuration Information (Continued) Parameter Description Admin State, Oper State Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Figure 59: Displaying LACP Port Internal Information
Displaying LACP Settings and Status for the Remote Side – Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Chapter 4 | Interface Configuration Trunk Configuration Web Interface To display LACP settings and status for the remote side: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Show Information from the Action list. 4. Click Internal. 5. Select a group member from the Port list.
Chapter 4 | Interface Configuration Traffic Segmentation Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 61: Enabling Traffic Segmentation
Configuring Uplink and Downlink Ports – Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Chapter 4 | Interface Configuration Traffic Segmentation ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. Parameters These parameters are displayed: ◆ Session ID – Traffic segmentation session. (Range: 1-4) ◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink) ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier.
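The uplink/downlink rules above can be encoded and tested before a session is applied, which is worth doing when the point of the feature is keeping one client's ports from reaching another's. The following Python helper is an added example, not part of this guide or of the switch software; the session layout in EXAMPLE_SESSIONS is constructed, and the assumption that a downlink port may reach only the uplink ports of its own session follows the wording above.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed configuration: session id -> role -> port numbers
Sessions = Dict[int, Dict[str, Set[int]]]

EXAMPLE_SESSIONS: Sessions = {
    1: {"uplink": {25, 26}, "downlink": {1, 2, 3}},
    2: {"uplink": {27}, "downlink": {4, 5}},
}


def validate_sessions(sessions: Sessions) -> None:
    """Reject what the page rules out: session IDs outside 1-4, and a port
    listed as both uplink and downlink of the same session."""
    for sid, roles in sessions.items():
        if not 1 <= sid <= 4:
            raise ValueError(f"session ID {sid} outside range 1-4")
        both = roles.get("uplink", set()) & roles.get("downlink", set())
        if both:
            raise ValueError(f"session {sid}: ports {sorted(both)} are both uplink and downlink")


def role_of(sessions: Sessions, port: int) -> Tuple[Optional[int], str]:
    """Return (session id, role) for a port; ports in no session are 'normal'."""
    for sid, roles in sessions.items():
        if port in roles.get("downlink", set()):
            return sid, "downlink"
        if port in roles.get("uplink", set()):
            return sid, "uplink"
    return None, "normal"


def may_forward(sessions: Sessions, a: int, b: int) -> bool:
    """True if traffic may be switched between ports a and b.
    A downlink port talks only to the uplink ports of its own session;
    uplink-uplink, uplink-normal and normal-normal pairs are unrestricted."""
    if a == b:
        return False
    sa, ra = role_of(sessions, a)
    sb, rb = role_of(sessions, b)
    if ra == "downlink":
        return rb == "uplink" and sa == sb
    if rb == "downlink":
        return ra == "uplink" and sa == sb
    return True


def blocked_pairs(sessions: Sessions, ports: Set[int]) -> Set[Tuple[int, int]]:
    """All unordered port pairs the segmentation prevents; handy for confirming
    a change isolates exactly the ports intended before it goes live."""
    return {(a, b) for a in ports for b in ports if a < b and not may_forward(sessions, a, b)}
```

Because a session with uplink ports but no downlink ports imposes no restriction, blocked_pairs returns an empty set for it, matching the note above that such uplink ports operate as normal ports.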
Chapter 4 | Interface Configuration VLAN Trunking To show the members of the traffic segmentation group: 1. Click Interface, Traffic Segmentation. 2. Select Configure Session from the Step list. 3. Select Show from the Action list. Figure 63: Showing Traffic Segmentation Members VLAN Trunking Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
Chapter 4 | Interface Configuration VLAN Trunking ◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see “Adding Static Members to VLANs” on page 140). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa. ◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
Figure 65: Configuring VLAN Trunking
5 VLAN Configuration This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs. ◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs This switch supports the following VLAN features: ◆ Up to 256 VLANs based on the IEEE 802.
frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame. Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
Figure 67: Using GVRP
[Figure: Port-based VLAN (port numbering diagram, graphic not reproduced)]
Forwarding Tagged/Untagged Frames – If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs ◆ Remote VLAN – Reserves this VLAN for RSPAN (see “Configuring Remote Port Mirroring” on page 101). Modify ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. Show ◆ VLAN ID – ID of configured VLAN. ◆ VLAN Name – Name of the VLAN. ◆ Status – Operational status of configured VLAN.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To modify the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Modify from the Action list. 3. Select the identifier of a configured VLAN. 4. Modify the VLAN name or operational status as required. 5. Click Apply. Figure 69: Modifying Settings for Static VLANs To show the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Show from the Action list.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Parameters These parameters are displayed: Edit Member by VLAN ◆ VLAN – ID of configured VLAN (1-4094). ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-12/28) ◆ Trunk – Trunk Identifier. (Range: 1-8/12) ◆ Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid) ■ Access - Sets the port to operate as an untagged interface. The port transmits and receives untagged frames on a single VLAN only.
■ If ingress filtering is enabled and a port receives frames tagged for VLANs of which it is not a member, these frames will be discarded. ■ Ingress filtering does not affect VLAN-independent BPDU frames, such as GVRP or STP. However, it does affect VLAN-dependent BPDU frames, such as GMRP.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Web Interface To configure static members by the VLAN index: 1. Click VLAN, Static. 2. Select Edit Member by VLAN from the Action list. 3. Set the Interface type to display as Port or Trunk. 4. Modify the settings for any interface as required. 5. Click Apply. Figure 71: Configuring Static Members by VLAN Index To configure static members by interface: 1. Click VLAN, Static. 2. Select Edit Member by Interface from the Action list. 3.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 72: Configuring Static VLAN Members by Interface To configure static members by interface range: 1. Click VLAN, Static. 2. Select Edit Member by Interface Range from the Action list. 3. Set the Interface type to display as Port or Trunk. 4. Enter an interface range. 5. Modify the VLAN parameters as required.
Configuring Dynamic VLAN Registration – Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. Parameters – These parameters are displayed: Configure General ◆ GVRP Status – GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
Show Dynamic VLAN – Show VLAN
◆ VLAN ID – Identifier of a VLAN this switch has joined through GVRP.
◆ VLAN Name – Name of a VLAN this switch has joined through GVRP.
◆ Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled)
Show Dynamic VLAN – Show VLAN Member
◆ VLAN – Identifier of a VLAN this switch has joined through GVRP.
◆ Interface – Displays a list of ports or trunks which have joined the selected VLAN through GVRP.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 75: Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN Members from the Action list.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Figure 77: Showing the Members of a Dynamic VLAN IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling 3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag). 4. The switch sends the packet to the proper egress port. 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling 6. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet. 7. The switch sends the packet to the proper egress port. 8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags. Configuration Limitations for QinQ ◆ The native VLAN of uplink ports should not be used as the SPVLAN.
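The push and pop of the service-provider tag described in the steps above, shown as an added Python example (not code from this guide or from the switch): a customer frame that already carries an 802.1Q tag receives an outer SPVLAN tag at the tunnel access port and loses it again on an egress port that is an untagged member of the SPVLAN, while the inner customer tag is never touched. Using TPID 0x8100 for both tags, and the MAC addresses and payloads used in the sample frames, are constructed assumptions for the example.

```python
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100   # assumed TPID for both the customer tag and the SPVLAN tag


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
               vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, optionally with one 802.1Q tag (the customer tag)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return the VIDs from outermost to innermost and the Ethertype that follows them."""
    vids: List[int] = []
    off = 12                                   # after destination + source MAC
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid != TPID_8021Q:
            return vids, tpid                  # first non-tag field is the Ethertype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def push_outer_tag(frame: bytes, spvlan: int, pcp: int = 0) -> bytes:
    """Tunnel access port ingress: insert the SPVLAN tag in front of whatever the
    customer sent (one tag or none), leaving the customer tag intact."""
    if not 1 <= spvlan <= 4094:
        raise ValueError(f"SPVLAN {spvlan} outside 1-4094")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | spvlan)
    return frame[:12] + tag + frame[12:]


def pop_outer_tag(frame: bytes) -> bytes:
    """Egress on an untagged member of the SPVLAN: strip the outer tag only."""
    vids, _ = parse_tags(frame)
    if not vids:
        raise ValueError("frame carries no outer tag to strip")
    return frame[:12] + frame[16:]


def egress(frame: bytes, tagged_member: bool) -> bytes:
    """Step 5/8 above: tagged members of the SPVLAN forward the double-tagged
    frame unchanged, untagged members strip the outer tag."""
    return frame if tagged_member else pop_outer_tag(frame)
```

The inner tag carries the customer's own VLAN ID through the provider network untouched, which is why two customers may both use, say, VID 100 without colliding: the provider switches only ever look at the outer SPVLAN.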
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling 5. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 140). 6. Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to a QinQ Tunnel” on page 153). 7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 140).
4. Click Apply. Figure 79: Enabling QinQ Tunneling
Adding an Interface to a QinQ Tunnel – Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
Chapter 5 | VLAN Configuration Protocol VLANs Web Interface To add an interface to a QinQ tunnel: 1. Click VLAN, Tunnel. 2. Select Configure Interface from the Step list. 3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink. 4. Click Apply. Figure 80: Adding an Interface to a QinQ Tunnel Protocol VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
Chapter 5 | VLAN Configuration Protocol VLANs 2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Configure Protocol (Add) page. 3. Then map the protocol for each interface to the appropriate VLAN using the Configure Interface (Add) page. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
6. Enter an identifier for the protocol group. 7. Click Apply. Figure 81: Configuring Protocol VLANs To configure a protocol group: 1. Click VLAN, Protocol. 2. Select Configure Protocol from the Step list. 3. Select Show from the Action list.
Chapter 5 | VLAN Configuration Protocol VLANs ◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: ■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Figure 83: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: 1. Click VLAN, Protocol. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port or trunk. Figure 84: Showing the Interface to Protocol Group Mapping Configuring IP Subnet VLANs Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
Command Usage ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. The specified VLAN need not be an existing VLAN. ◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
Figure 85: Configuring IP Subnet VLANs To show the configured IP subnet VLANs: 1. Click VLAN, IP Subnet. 2. Select Show from the Action list. Figure 86: Showing IP Subnet VLANs Configuring MAC-based VLANs Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to their source MAC addresses.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. Parameters These parameters are displayed: ◆ MAC Address – A source MAC address which is to be mapped to a specific VLAN. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
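The classification order stated above (and the untagged-frame rules given for protocol and IP subnet VLANs), worked through as an added example that is not the switch's own forwarding code; the tables, addresses and frames are constructed, and preferring the longest matching subnet when two overlap is an assumption:

```python
"""
Added example (not the switch's own forwarding code): classifies an ingress
frame into a VLAN using the precedence this guide gives for untagged frames:
MAC-based first, then IP subnet-based, then protocol-based, and finally the
port's PVID (port-based). Tagged frames keep the VID from their tag. The
tables, addresses and frames below are constructed sample data; preferring
the longest matching subnet when two overlap is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The two formats the MAC-Based page accepts: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$|^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the dashed lower-case form; reject non-unicast addresses, since
    only unicast addresses can be configured for a MAC-based VLAN."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"bad MAC address format: {mac!r}")
    digits = m.replace("-", "")
    if int(digits[0:2], 16) & 0x01:        # I/G bit set: multicast/broadcast
        raise ValueError(f"only unicast addresses can be mapped: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Frame:
    """The fields the classifier reads from an ingress frame."""
    ingress_port: int
    src_mac: str
    ethertype: int                  # e.g. 0x0800 IPv4, 0x86DD IPv6, 0x0806 ARP
    src_ip: Optional[str] = None    # IPv4 source, when the frame carries one
    tag_vid: Optional[int] = None   # 802.1Q VID if the frame arrived tagged


@dataclass
class VlanTables:
    """Constructed stand-in for the switch's classification tables."""
    mac_vlan: Dict[str, int] = field(default_factory=dict)
    subnet_vlan: Dict[ipaddress.IPv4Network, int] = field(default_factory=dict)
    protocol_groups: Dict[int, Set[int]] = field(default_factory=dict)   # group -> ethertypes
    port_protocol_vlan: Dict[Tuple[int, int], int] = field(default_factory=dict)  # (port, group) -> VLAN
    pvid: Dict[int, int] = field(default_factory=dict)                   # port -> default VLAN


def add_mac_vlan(t: VlanTables, mac: str, vlan: int) -> None:
    t.mac_vlan[normalize_mac(mac)] = vlan


def add_subnet_vlan(t: VlanTables, ip: str, mask: str, vlan: int) -> None:
    """An IP subnet is an address plus a mask, and maps to exactly one VLAN ID."""
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    if net in t.subnet_vlan:
        raise ValueError(f"{net} is already mapped to VLAN {t.subnet_vlan[net]}")
    t.subnet_vlan[net] = vlan


def classify(t: VlanTables, f: Frame) -> Tuple[int, str]:
    """Return (vlan_id, rule) where rule names the table that decided."""
    if f.tag_vid is not None:
        return f.tag_vid, "tagged"          # standard rules for tagged frames
    mac = normalize_mac(f.src_mac)
    if mac in t.mac_vlan:                   # 1. MAC-based
        return t.mac_vlan[mac], "mac"
    if f.src_ip is not None:                # 2. IP subnet-based
        addr = ipaddress.IPv4Address(f.src_ip)
        for net in sorted(t.subnet_vlan, key=lambda n: n.prefixlen, reverse=True):
            if addr in net:
                return t.subnet_vlan[net], "subnet"
    for gid, types in t.protocol_groups.items():   # 3. protocol-based, per interface
        if f.ethertype in types and (f.ingress_port, gid) in t.port_protocol_vlan:
            return t.port_protocol_vlan[(f.ingress_port, gid)], "protocol"
    return t.pvid.get(f.ingress_port, 1), "pvid"    # 4. port-based: receiving port's PVID
```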
To show the MAC addresses mapped to a VLAN: 1. Click VLAN, MAC-Based. 2. Select Show from the Action list. Figure 88: Showing MAC-Based VLANs Configuring VLAN Mirroring Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
Parameters These parameters are displayed: ◆ Source VLAN – A VLAN whose traffic will be monitored. (Range: 1-4094) ◆ Target Port – The destination port that receives the mirrored traffic from the source VLAN. (Range: 1-12/28) Web Interface To configure VLAN mirroring: 1. Click VLAN, Mirror. 2. Select Add from the Action list. 3. Select the source VLAN, and select a target port. 4. Click Apply.
6 Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics: ◆ Static MAC Addresses – Configures static entries in the address table.
◆ Static addresses will not be removed from the address table when a given interface link is down. ◆ A static address cannot be learned on another port until the address is removed from the table. Parameters These parameters are displayed: ◆ VLAN – ID of configured VLAN. (Range: 1-4094) ◆ Interface – Port or trunk associated with the device assigned a static address. ◆ MAC Address – Physical address of a device mapped to this interface.
To show the static addresses in the MAC address table: 1. Click MAC Address, Static. 2. Select Configure Static Address from the Step list. 3. Select Show from the Action list.
◆ Packets are filtered or forwarded according to the isolation profiles shown in the following table.
Web Interface To enable or disable MAC isolation globally on the switch: 1. Click MAC Address, Static. 2. Select Configure Global from the Step list. 3. Set the MAC-Isolation Global Status. 4. Click Apply. Figure 93: Setting Global Status for MAC Address Isolation To assign static addresses to an isolation mode: 1. Click MAC Address, Static. 2. Select Configure MAC Address from the Step list. 3. Select Add from the Action list. 4.
To show the static addresses assigned to an isolation mode: 1. Click MAC Address, Static. 2. Select Configure Static Address from the Step list. 3. Select Show from the Action list. Figure 95: Displaying Interfaces Assigned a MAC Address Isolation Mode Changing the Aging Time Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table.
Figure 96: Setting the Address Aging Time Displaying the Dynamic Address Table Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
5. Click Query. Figure 97: Displaying the Dynamic MAC Address Table Clearing the Dynamic Address Table Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. Parameters These parameters are displayed: ◆ Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk.
Figure 98: Clearing Entries in the Dynamic MAC Address Table Configuring MAC Address Mirroring Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Web Interface To mirror packets based on a MAC address: 1. Click MAC Address, Mirror. 2. Select Add from the Action list. 3. Specify the source MAC address and destination port. 4. Click Apply. Figure 99: Mirroring Packets Based on the Source MAC Address To show the MAC addresses to be mirrored: 1. Click MAC Address, Mirror. 2. Select Show from the Action list.
Configuring Extended MAC Security Use the MAC Address > Extended MAC Security pages to configure the maximum number of MAC addresses that can be learned on an interface, the movable-static function, which allows a static address to be moved to another interface, and the sticky-dynamic function, which prevents a dynamic address already learned elsewhere from being learned at a specified interface.
■ The movable-static function cannot be set for a port that is a member of a static or dynamic trunk. When a trunk is formed, the trunk takes on the movable-static status of the first port to join the trunk. When other ports are subsequently added to a trunk, those ports take on the movable-static status of the trunk. When a port leaves a trunk, it retains the movable-static status of the trunk.
4. Make the required changes to the sticky-dynamic function, movable-static function, and maximum MAC count. Enable or disable trap messages for these features. 5. Click Apply.
7 Spanning Tree Algorithm This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 103: STP Root Ports and Designated Ports (figure showing the designated root, designated bridges, designated ports and root ports) Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge.
Figure 104: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 196). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
Configuring Loopback Detection Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode. This loopback state can be released manually or automatically.
If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired. If an interface is shut down due to a detected loopback, and the release mode is set to “Manual,” the interface can be re-enabled using the Release button. Web Interface To configure loopback detection: 1. Click Spanning Tree, Loopback Detection. 2.
implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
◆ Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.
Web Interface To configure global STA settings: 1. Click Spanning Tree, STA. 2. Select Configure Global from the Step list. 3. Select Configure from the Action list. 4. Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section. 5.
Figure 108: Configuring Global Settings for STA (RSTP) Figure 109: Configuring Global Settings for STA (MSTP)
Displaying Global Settings for STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
Figure 110: Displaying Global Settings for STA Configuring Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
◆ Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost takes precedence over port priority.
◆ Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
◆ Migration – If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the Protocol Migration button to manually re-check the appropriate BPDU format (RSTP or STP-compatible) to send on the selected interfaces.
Displaying Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. Parameters These parameters are displayed: ◆ Spanning Tree – Shows if STA has been enabled on this interface.
◆ Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. ◆ Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 190.
Web Interface To display interface settings for STA: 1. Click Spanning Tree, STA. 2. Select Configure Interface from the Step list. 3. Select Show Information from the Action list. Figure 113: Displaying Interface Settings for STA Configuring Multiple Spanning Trees Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.
To use multiple spanning trees: 1. Set the spanning tree type to MSTP (page 183). 2. Enter the spanning tree priority for the selected MST instance on the Spanning Tree > MSTP (Configure Global - Add) page. 3. Add the VLANs that will share this MSTI on the Spanning Tree > MSTP (Configure Global - Add Member) page. Note: All VLANs are automatically added to the IST (Instance 0).
Figure 114: Creating an MST Instance To show the MSTP instances: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Show from the Action list. Figure 115: Displaying MST Instances To modify the priority for an MST instance: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Modify from the Action list. 4. Modify the priority for an MSTP Instance. 5.
Figure 116: Modifying the Priority for an MST Instance To display global settings for MSTP: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Show Information from the Action list. 4. Select an MST ID. The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 189.
Figure 118: Adding a VLAN to an MST Instance To show the VLAN members of an MSTP instance: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Show Member from the Action list. Figure 119: Displaying Members of an MST Instance Configuring Interface Settings for MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
■ Discarding – Port receives STA configuration messages, but does not forward packets. ■ Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses. ■ Forwarding – Port forwards packets, and continues learning addresses.
Figure 120: Configuring MSTP Interface Settings To display MSTP parameters for a port or trunk: 1. Click Spanning Tree, MSTP. 2. Select Configure Interface from the Step list. 3. Select Show Information from the Action list.
8 Congestion Control The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options: ◆ Rate Limiting – Sets the input and output rate limits for a port.
Web Interface To configure rate limits: 1. Click Traffic, Rate Limit. 2. Enable the Rate Limit Status for the required ports. 3. Set the rate limit for the individual ports. 4. Click Apply. Figure 122: Configuring Rate Limits Storm Control Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds.
one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port. ◆ Rate limits set by this function are also used by automatic storm control when the control response is set to rate control on the Auto Traffic Control (Configure Interface) page. ◆ Using both rate limiting and storm control on the same interface may lead to unexpected results.
Figure 123: Configuring Storm Control Automatic Traffic Control Use the Traffic > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. Command Usage ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. ◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
Setting the ATC Timers Use the Traffic > Congestion Control > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Figure 126: Configuring ATC Timers Configuring ATC Thresholds and Responses Use the Traffic > Congestion Control > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires, as illustrated in Figure 124 on page 206. When traffic control stops, the event is logged by the system and a Traffic Release Trap can be sent.
Web Interface To configure the response timers for automatic storm control: 1. Click Traffic, Congestion Control, Automatic Storm Control. 2. Select Configure Interface from the Step field. 3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send. 4. Click Apply.
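The ATC threshold, timer and auto-release behaviour described in this section, modelled as an added example that is not the switch's firmware; the thresholds, timers and per-second traffic samples are constructed, the fire/apply trap names are assumed (the guide names only the Storm Alarm Clear and Traffic Control Release traps here), and holding a shutdown response until a manual release is an assumption drawn from auto release being described for rate limiting only:

```python
"""
Added example (not the switch's firmware): a model of the automatic traffic
control (ATC) behaviour this section describes. Feed it one ingress-rate
sample per second: once the rate has stayed above the alarm fire threshold
for the apply timer, the control response (rate limiting or port shutdown)
is applied; once it has stayed below the alarm clear threshold for the
release timer, a rate-limiting response is released automatically when auto
release is on. Shutdown is held until release() is called, an assumption
(the guide describes auto release only for rate limiting). Thresholds,
timers and the traffic samples are constructed values.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AtcConfig:
    fire_threshold: int             # pps above which a storm alarm is raised
    clear_threshold: int            # pps below which the alarm is cleared
    apply_timer: int                # seconds over the fire threshold before responding
    release_timer: int              # seconds under the clear threshold before releasing
    response: str = "rate-control"  # "rate-control" or "shutdown"
    auto_release: bool = True

    def __post_init__(self) -> None:
        if self.clear_threshold > self.fire_threshold:
            raise ValueError("alarm clear threshold must not exceed alarm fire threshold")


@dataclass
class AtcPort:
    cfg: AtcConfig
    alarm: bool = False             # storm alarm currently raised
    controlled: bool = False        # control response currently applied
    above_for: int = 0              # consecutive seconds above the fire threshold
    below_for: int = 0              # consecutive seconds below the clear threshold
    events: List[str] = field(default_factory=list)  # traps / log entries, in order

    def _event(self, name: str) -> None:
        self.events.append(name)

    def status(self) -> str:
        if self.controlled:
            return "shutdown" if self.cfg.response == "shutdown" else "rate-limited"
        return "alarm" if self.alarm else "normal"

    def sample(self, pps: int) -> str:
        """Process one per-second ingress rate sample; return the port status."""
        c = self.cfg
        if pps > c.fire_threshold:
            self.above_for += 1
            self.below_for = 0
            if not self.alarm:
                self.alarm = True
                self._event("storm-alarm-fire")                     # trap name assumed
            if not self.controlled and self.above_for >= c.apply_timer:
                self.controlled = True
                self._event("traffic-control-apply:" + c.response)  # trap name assumed
        elif pps < c.clear_threshold:
            self.below_for += 1
            self.above_for = 0
            if self.alarm:
                self.alarm = False
                self._event("storm-alarm-clear")        # Storm Alarm Clear Trap
            if (self.controlled and c.response == "rate-control" and c.auto_release
                    and self.below_for >= c.release_timer):
                self.controlled = False
                self._event("traffic-control-release")  # Traffic Control Release Trap
        else:
            # between the two thresholds: neither timer makes progress (assumption)
            self.above_for = 0
            self.below_for = 0
        return self.status()

    def release(self) -> str:
        """Manual release, e.g. after a shutdown response or with auto release off."""
        if self.controlled:
            self.controlled = False
            self._event("manual-release")
        return self.status()


def run(cfg: AtcConfig, samples: List[int]) -> List[str]:
    """Replay a list of per-second rate samples and return the status after each."""
    port = AtcPort(cfg)
    return [port.sample(s) for s in samples]
```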
9 Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) Web Interface To configure the queue mode: 1. Click Traffic, Priority, Default Priority. 2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. ◆ If Strict and WRR mode is selected, a combination of strict and weighted service is used as specified for each queue. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface To configure the queue mode: 1. Click Traffic, Priority, Queue. 2. Set the queue mode. 3. If the weighted queue mode is selected, the queue weight can be modified if required. 4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the Strict Mode parameter in the table. 5. Click Apply.
Figure 131: Setting the Queue Mode (Strict and WRR) Mapping CoS Values to Egress Queues Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 224).
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in Table 14. However, priority levels can be mapped to the switch’s output queues in any way that benefits application traffic for the network.
4. Map an internal PHB to a hardware queue. Depending on how an ingress packet is processed internally based on its CoS value, and the assigned output queue, the mapping done on this page can effectively determine the service priority for different traffic classes. 5. Click Apply. Figure 132: Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map: 1. Click Traffic, Priority, PHB to Queue. 2. Select Show from the Action list.
Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Parameters These parameters are displayed: ◆ Interface – Specifies a port or trunk. ◆ Trust Mode ■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.) ■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values. Web Interface To configure the trust mode: 1. Click Traffic, Priority, Trust Mode. 2. Select the interface type to display (Port or Trunk). 3. Set the trust mode. 4.
◆ This map is only used when the priority mapping mode is set to DSCP (see page 220), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch unless the trust mode has been set to DSCP. ◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain.
Web Interface To map DSCP values to internal PHB/drop precedence: 1. Click Traffic, Priority, DSCP to DSCP. 2. Select Configure from the Action list. 3. Select a port. 4. Set the PHB and drop precedence for any DSCP value. 5. Click Apply. Figure 135: Configuring DSCP to DSCP Internal Mapping To show the DSCP to internal PHB/drop precedence map: 1. Click Traffic, Priority, DSCP to DSCP. 2. Select Show from the Action list.
Mapping CoS Priorities to Internal DSCP Values Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Command Usage ◆ The default mapping of CoS to PHB values is shown in Table 17 on page 224. ◆ Enter up to eight CoS/CFI paired values, per-hop behavior and drop precedence. ◆ If a packet arrives with a 802.
Web Interface To map CoS/CFI values to internal PHB/drop precedence: 1. Click Traffic, Priority, CoS to DSCP. 2. Select Configure from the Action list. 3. Select a port. 4. Set the PHB and drop precedence for any of the CoS/CFI combinations. 5. Click Apply. Figure 137: Configuring CoS to DSCP Internal Mapping To show the CoS/CFI to internal PHB/drop precedence map: 1. Click Traffic, Priority, CoS to DSCP. 2. Select Show from the Action list. 3.
10 Quality of Service This chapter describes the following tasks required to apply QoS policies: ◆ Class Map – Creates a map which identifies a specific class of traffic. ◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. ◆ Binding to a Port – Applies a policy map to an ingress port.
Command Usage To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic. 2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN or a CoS value. 3.
Add Rule ◆ Class Name – Name of the class map. ◆ Type – The criteria specified by the match command. (This field is set on the Add page.) ◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. ◆ IP DSCP – A DSCP value. (Range: 0-63) ◆ IP Precedence – An IP Precedence value. (Range: 0-7) ◆ IPv6 DSCP – A DSCP value contained in an IPv6 packet.
To show the configured class maps: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show from the Action list. Figure 140: Showing Class Maps To edit the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a class map. 5.
Figure 141: Adding Rules to a Class Map To show the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show Rule from the Action list.
Creating QoS Policies Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 228), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (page 241). Configuring QoS policies requires several steps.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
(BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size. ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM. Command Usage ◆ A policy map can contain 128 class statements that can be applied to the same interface (page 241). Up to 32 policy maps can be configured for ingress ports.
■ Set IP DSCP – Configures the service provided to ingress traffic by setting an IP DSCP value for a matching packet (as specified in rule settings for a class map). (Range: 0-63) ■ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7) ■ Drop Precedence – Drop precedence used in controlling traffic congestion.
Chapter 10 | Quality of Service Creating QoS Policies The color modes include “Color-Blind” which assumes that the packet stream is uncolored, and “Color-Aware” which assumes that the incoming packets are pre-colored. The functional differences between these modes is described at the beginning of this section under “srTCM Police Meter.” ■ Committed Information Rate (CIR) – Rate in kilobits per second.
Chapter 10 | Quality of Service Creating QoS Policies packets are pre-colored. The functional differences between these modes is described at the beginning of this section under “trTCM Police Meter.” ■ Committed Information Rate (CIR) – Rate in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed. ■ Committed Burst Size (BC) – Burst in bytes.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.
Figure 143: Configuring a Policy Map
To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
Figure 144: Showing Policy Maps
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3.
options to define parameters such as the maximum throughput and burst rate. Then specify the action to take for conforming traffic, the action to take for traffic in excess of the maximum rate but within the peak information rate, or the action to take for a policy violation.
6. Click Apply.
Figure 145: Adding Rules to a Policy Map
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3.
Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port.
Command Usage
First define a class map, define a policy map, and then bind the service policy to the required interface.
Parameters
These parameters are displayed:
◆ Port – Specifies a port.
◆ Ingress – Applies the selected rule to ingress traffic.
◆ Egress – Applies the selected rule to egress traffic.
Figure 147: Attaching a Policy Map to a Port
11 VoIP Traffic Configuration
This chapter covers the following topics:
◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organization Unit Identifier (OUI).
Configuring VoIP Traffic
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
Command Usage
All ports are set to VLAN access mode by default.
Figure 148: Configuring a Voice VLAN
Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
7. Click Apply.
Figure 149: Configuring an OUI Telephony List
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
Configuring VoIP Traffic Ports
Parameters
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Web Interface
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
12 Security Measures
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
AAA Authorization and Accounting
The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch.
3. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use.
4. Apply the method names to port or line interfaces.
Note: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
Web Interface
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
Figure 152: Configuring the Authentication Sequence
Configuring Remote Logon Authentication
Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers.
Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
◆ RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair.
■ Authentication Key – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters)
■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
TACACS+
■ Global – Provides globally applicable TACACS+ settings.
When specifying the priority sequence for a server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication” on page 251).
Web Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3. Select RADIUS or TACACS+ server type.
4.
Figure 155: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined. (Range: 1-64 characters) Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers. No information is sent to the servers about the method to use.
◆ Accounting Type – Displays the accounting service.
◆ Interface – Displays the receive port number through which this user accessed the switch.
◆ Time Elapsed – Displays the length of time this entry has been active.
Web Interface
To configure global settings for AAA accounting:
1. Click Security, AAA, Accounting.
2. Select Configure Global from the Step list.
3. Enter the required update interval.
4. Click Apply.
Figure 159: Configuring AAA Accounting Methods
To show the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
Figure 161: Configuring AAA Accounting Service for 802.1X Service
Figure 162: Configuring AAA Accounting Service for Exec Service
To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.
Configure Service
◆ Console Method Name – Specifies a user-defined method name to apply to console connections.
◆ VTY Method Name – Specifies a user-defined method name to apply to Telnet connections.
Show Information
◆ Authorization Type – Displays the authorization service.
◆ Method Name – Displays the user-defined or default accounting method.
◆ Server Group Name – Displays the authorization server group.
To show the authorization method applied to the EXEC service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
Figure 166: Showing AAA Authorization Methods
To configure the authorization method applied to local console, Telnet, or SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
To display the configured authorization method and assigned server groups for the EXEC service type:
1. Click Security, AAA, Authorization.
2. Select Show Information from the Step list.
Figure 168: Displaying the Applied AAA Authorization Method
Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup. There is no need for you to manually configure encrypted passwords.
◆ Password – Specifies the user password.
Figure 170: Showing User Accounts
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP-assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
◆ Quiet Period – Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts. (Range: 1-180 seconds; Default: 60 seconds)
◆ Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period.
◆ Apply – Enables web authentication if the Status box is checked.
◆ Re-authenticate – Ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List, and forces the users to reauthenticate.
◆ Revert – Restores the previous configuration settings.
Web Interface
To enable web authentication for a port:
1. Click Security, Web Authentication.
2. Select Configure Interface from the Step list.
3.
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points. The switch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server.
■ Tunnel-Private-Group-ID = 1u,2t [VLAN ID list]
The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a tagged VLAN.
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
◆ Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur:
■ Illegal characters found in a profile value (for example, a non-digital character in an 802.1p profile value).
■ Failure to configure the received profiles on the authenticated port.
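The VLAN list format and the failure rule above, as an added example rather than the switch's code: a validator for the Tunnel-Private-Group-ID value (“1u,2t,3u”) and for an 802.1p profile value that turns a successful authentication into a failure when a value contains illegal characters. The attribute name “dot1p-profile” is a hypothetical placeholder (the page does not name the QoS attribute), and the attribute values are constructed sample input.

```python
"""Validate RADIUS dynamic VLAN / QoS assignments as described on this page (added example)."""
import re

# one item of the VLAN list: 1-4 digits followed by u (untagged) or t (tagged)
VLAN_ITEM = re.compile(r"^(\d{1,4})([ut])$")


def parse_vlan_list(value):
    """Return (ok, entries); entries is a list of (vlan_id, tagged) tuples.

    ok is False and entries is empty when any item is malformed or the VLAN
    ID is outside 1-4094, so the assignment is rejected as a whole rather
    than partially applied.
    """
    entries = []
    for item in value.split(","):
        m = VLAN_ITEM.match(item.strip())
        if not m:
            return False, []
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:
            return False, []
        entries.append((vid, m.group(2) == "t"))
    return True, entries


def parse_dot1p(value):
    """802.1p profile value must be digits only and within 0-7; None if illegal."""
    v = value.strip()
    if not v.isdigit() or not 0 <= int(v) <= 7:
        return None
    return int(v)


def authorize(attrs):
    """Decide the outcome for the attributes of a RADIUS Access-Accept.

    attrs maps attribute name -> string value. As the page states, an illegal
    profile value changes the result from success to failure.
    """
    result = {"success": True, "vlans": [], "dot1p": None}
    if "Tunnel-Private-Group-ID" in attrs:
        ok, entries = parse_vlan_list(attrs["Tunnel-Private-Group-ID"])
        if not ok:
            return {"success": False, "reason": "illegal VLAN list"}
        result["vlans"] = entries
    if "dot1p-profile" in attrs:        # hypothetical attribute name
        p = parse_dot1p(attrs["dot1p-profile"])
        if p is None:
            return {"success": False, "reason": "illegal 802.1p value"}
        result["dot1p"] = p
    return result


if __name__ == "__main__":
    # constructed sample attribute sets
    print(authorize({"Tunnel-Private-Group-ID": "1u,2t,3u", "dot1p-profile": "5"}))
    print(authorize({"Tunnel-Private-Group-ID": "1u,2x"}))   # illegal VLAN list
    print(authorize({"dot1p-profile": "5a"}))                # non-digit character
```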
Web Interface
To configure aging status and reauthentication time for MAC address authentication:
1. Click Security, Network Access.
2. Select Configure Global from the Step list.
3. Enable or disable aging for secure addresses, and modify the reauthentication time as required.
4. Click Apply.
authentication (including Network Access and IEEE 802.1X). (Range: 1-1024; Default: 1024)
◆ Guest VLAN – Specifies the VLAN to be assigned to the port when 802.1X Authentication fails. (Range: 0-4094, where 0 means disabled; Default: Disabled) The VLAN must already be created and active (see “Configuring VLAN Groups” on page 138). Also, when used with 802.
VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments.
5. Click Apply.
Figure 174: Configuring Interface Settings for Network Access
Configuring Port Link Detection
Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
3. Click the Link Detection button.
4. Modify the link detection status, trigger condition, and the response for any port.
5. Click Apply.
Figure 175: Configuring Link Detection for Network Access
Configuring a MAC Address Filter
Use the Security > Network Access (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication.
Web Interface
To add a MAC address filter for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Add from the Action list.
4. Enter a filter ID, MAC address, and optional mask.
5. Click Apply.
Figure 176: Configuring a MAC Address Filter for Network Access
To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2.
Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Parameters
These parameters are displayed:
◆ Query By – Specifies parameters to use in the MAC address query.
Figure 178: Showing Addresses Authenticated for Network Access
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the UDP port used for this service.
◆ The following web browsers and operating systems currently support HTTPS:
Table 19: HTTPS System Support
Web Browser: Internet Explorer 6.x or later
Operating System: Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8
Web Browser: Mozilla Firefox 4.
Figure 179: Configuring HTTPS
Replacing the Default Secure-site Certificate
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made. The switch will not download the certificate if these two fields do not match.
Web Interface
To replace the default secure-site certificate:
1.
Configuring the Secure Shell
Note: You need to install an SSH client on the management station to access the switch for management via the SSH protocol.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Command Usage
The SSH server on this switch supports both password and public key authentication.
4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.
Figure 181: Configuring the SSH Server
Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch.
Web Interface
To generate the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Generate from the Action list.
4. Select the host-key type from the drop-down box.
5. Select the option to save the host key from memory to flash if required.
6. Click Apply.
Figure 182: Generating the SSH Host Key Pair
To display or clear the SSH host key pair:
1. Click Security, SSH.
2.
Figure 183: Showing the SSH Host Key Pair
Importing User Public Keys
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Web Interface
To copy the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Copy from the Action list.
4. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name.
5. Click Apply.
Figure 184: Copying the SSH User’s Public Key
To display or clear the SSH user’s public key:
1. Click Security, SSH.
Figure 185: Showing the SSH User’s Public Key
Access Control Lists
Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number, or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
Auto ACE Compression is a software feature used to compress all the ACEs of an ACL so that hardware resources are used more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed number of TCAM entries needed for one ACE.
◆ Mode
■ Absolute – Specifies a specific time or time range.
■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.
■ Periodic – Specifies a periodic interval.
■ Start/To – Specifies the days of the week, hours, and minutes at which to start or end.
Web Interface
To configure a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add from the Action list.
4.
Figure 187: Showing a List of Time Ranges
To configure a rule for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of the time range from the drop-down list.
5. Select a mode option of Absolute or Periodic.
6. Fill in the required parameters for the selected mode.
7. Click Apply.
Figure 189: Showing the Rules Configured for a Time Range
Showing TCAM Utilization
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Web Interface
To show information on TCAM utilization:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show TCAM from the Action list.
Figure 190: Showing TCAM Utilization
Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
Parameters
These parameters are displayed:
◆ ACL Name – Name of the ACL.
Web Interface
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.
Figure 191: Creating an ACL
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of rules which permit or deny a packet, or re-direct a packet to another port.
Figure 193: Configuring a Standard IPv4 ACL
Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Service Type – Packet priority settings based on the following criteria:
■ ToS – Type of Service level. (Range: 0-15)
■ Precedence – IP precedence level. (Range: 0-7)
■ DSCP – DSCP priority level. (Range: 0-63)
◆ Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
◆ Control Code Bit Mask – Decimal number representing the code bits to match.
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
9. Set any other required criteria, such as service type, protocol type, or control code.
10. Click Apply.
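How the Control Code and Control Code Bit Mask fields select TCP flags, worked through as an added example that is not the switch's implementation: the six flag bits in byte 14 of the TCP header are FIN=1, SYN=2, RST=4, PSH=8, ACK=16 and URG=32 (hence the 0-63 range), and a rule matches when the packet's flags masked by the bit mask equal the control code masked the same way. The rule and packet structures, and the sample ACL, are constructed for this example.

```python
"""Extended IPv4 ACL evaluation with TCP control code / bit mask (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP = 6


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # "Any" = 0.0.0.0/0, "Host" = a /32
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None   # IP protocol number; None = any
    control_code: int = 0            # decimal flag bits to match (0-63)
    control_mask: int = 0            # which flag bits to compare; 0 = ignore flags


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    tcp_flags: int = 0               # low six bits of TCP header byte 14


def flags_from_tcp_header(header: bytes) -> int:
    """Extract the six flag bits; byte 14 (1-indexed) is offset 13."""
    return header[13] & 0x3F


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.control_mask == 0:
        return True                   # no flag criterion on this rule
    if pkt.protocol != TCP:
        return False                  # a flag criterion can only match TCP
    return (pkt.tcp_flags & rule.control_mask) == (rule.control_code & rule.control_mask)


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit deny applies."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed ACL: drop new inbound TCP connections to 10.0.0.0/24 (SYN set and
# ACK clear: code 2, mask 2+16=18) but let established traffic and everything else through.
ACL = [
    Rule("deny", dst="10.0.0.0/24", protocol=TCP, control_code=SYN, control_mask=SYN | ACK),
    Rule("permit"),
]

if __name__ == "__main__":
    print(evaluate(ACL, Packet("192.0.2.7", "10.0.0.5", TCP, tcp_flags=SYN)))        # deny
    print(evaluate(ACL, Packet("192.0.2.7", "10.0.0.5", TCP, tcp_flags=SYN | ACK)))  # permit
```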
◆ Source IPv6 Address – An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Figure 195: Configuring a Standard IPv6 ACL
Configuring an Extended IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Next Header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255) Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
Figure 196: Configuring an Extended IPv6 ACL
Configuring a MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
■ Eth2 – Ethernet II packets.
■ LLC-other – LLC and other packets.
■ SNAP – SNAP packets.
◆ VID – VLAN ID. (Range: 1-4094)
◆ VID Bit Mask – VLAN bit mask. (Range: 0-4095)
◆ Ethernet Type – This option can only be used to filter Ethernet II formatted packets. (Range: 600-ffff hex.) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
Figure 197: Configuring a MAC ACL
Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 313).
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.
◆ Source/Destination MAC Bit Mask – Hexadecimal mask for source or destination MAC address.
Figure 198: Configuring an ARP ACL
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to bind to a port.
◆ Port – Fixed port or SFP module.
6. Click Apply.
Figure 199: Binding a Port to an ACL
Configuring ACL Mirroring
After configuring ACLs, use the Security > ACL (Configure Interface – Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
Web Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Add Mirror from the Action list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
Figure 200: Configuring ACL Mirroring
To show the ACLs to be mirrored:
1. Select Configure Interface from the Step list.
2. Select Show Mirror from the Action list.
3. Select a port.
Showing ACL Hardware Counters
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-12/28)
◆ Type – Selects the type of ACL.
◆ Direction – Displays statistics for ingress traffic.
◆ ACL Name – The ACL bound to this port.
◆ Action – Shows if action is to permit or deny specified packets.
Chapter 12 | Security Measures ARP Inspection
ARP Inspection: ARP Inspection is a security feature that validates the MAC address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.

Configuring Global Settings for ARP Inspection: Use the Security > ARP Inspection (Configure General) page to enable ARP inspection globally for the switch, to validate address information in each packet, and to configure logging.
Command Usage ARP Inspection Validation
◆ By default, ARP Inspection Validation is disabled.
◆ Specifying at least one of the following validations enables ARP Inspection Validation globally.

Parameters These parameters are displayed:
◆ ARP Inspection Status – Enables ARP Inspection globally. (Default: Disabled)
◆ ARP Inspection Validation – Enables extended ARP Inspection Validation if any of the following options are enabled. (Default: Disabled)
■ Dst-MAC – Validates the destination MAC address in the Ethernet header against the target MAC address in the body of ARP responses.

Configuring VLAN Settings for ARP Inspection: Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.
Command Usage ARP Inspection VLAN Filters (ACLs)
◆ By default, no ARP Inspection ACLs are configured and the feature is disabled.
◆ ARP Inspection ACLs are configured within the ARP ACL configuration page (see page 306).
◆ ARP Inspection ACLs can be applied to any configured VLAN.

Web Interface To configure VLAN settings for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Configure VLAN from the Step list. 3. Enable ARP inspection for the required VLANs, select an ARP ACL filter to check for configured addresses, and select the Static option to bypass checking the DHCP snooping bindings database if required. 4. Click Apply.

Web Interface To configure interface settings for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Configure Interface from the Step list. 3. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. 4. Click Apply.

Table 20: ARP Inspection Statistics (Continued)
Parameter – Description
ARP packets dropped by additional validation (Src-MAC) – Count of packets that failed the source MAC address test.
ARP packets dropped by ARP ACLs – Count of ARP packets that failed validation against ARP ACL rules.
ARP packets dropped by DHCP snooping – Count of packets that failed validation against the DHCP Snooping Binding database.
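The following is an added example, not code from this guide or from the switch firmware. It ties together the pieces described above: the ARP ACL address types (Any, Host, MAC with a bit mask), the Src-MAC and Dst-MAC validations, the ARP ACL lookup on an untrusted port followed by the DHCP snooping binding check (skipped when the Static option is set), and the drop counters named in Table 20. The order in which the checks run, the `static_only` flag standing in for the Static option, the simplified ACL rule (sender MAC and optional sender IP only) and every address, rule and frame are assumptions constructed for the example.

```python
"""ARP inspection in miniature: ARP ACL with MAC mask matching, Src-MAC/Dst-MAC
validation and a DHCP-snooping binding check, with the drop counters of Table 20.
Constructed example, not the switch's implementation."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):                         # "00:11:22:33:44:55" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))


def ip(s):                          # "10.0.0.1" -> 4 bytes
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP frame used as sample input."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def parse_arp(frame):
    """Return the Ethernet and ARP address fields, or None for non-ARP/short frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"eth_dst": frame[:6], "eth_src": frame[6:12],
            "op": struct.unpack("!H", frame[20:22])[0],
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


def mac_match(kind, want, mask, got):
    """Address type semantics from the ARP ACL page: Any / Host / MAC + bit mask."""
    if kind == "Any":
        return True
    if kind == "Host":
        return got == want
    return all((g & m) == (w & m) for g, w, m in zip(got, want, mask))


@dataclass
class ArpAclRule:
    action: str                      # "permit" or "deny"
    src_type: str = "Any"            # Any | Host | MAC
    src_mac: bytes = b"\0" * 6
    src_mask: bytes = b"\0" * 6
    src_ip: bytes | None = None      # None = any sender IP (simplification)

    def matches(self, a):
        if not mac_match(self.src_type, self.src_mac, self.src_mask, a["sha"]):
            return False
        return self.src_ip is None or self.src_ip == a["spa"]


@dataclass
class ArpInspector:
    acl: list = field(default_factory=list)
    bindings: dict = field(default_factory=dict)   # sender IP bytes -> MAC bytes
    static_only: bool = False        # "Static" option: skip the DHCP snooping lookup
    check_src_mac: bool = True
    check_dst_mac: bool = True
    stats: dict = field(default_factory=lambda: {
        "forwarded": 0, "dropped_src_mac": 0, "dropped_dst_mac": 0,
        "dropped_acl": 0, "dropped_dhcp_snooping": 0})

    def inspect(self, frame, trusted=False):
        """Return 'forward' or 'drop' for one frame and update the counters."""
        a = parse_arp(frame)
        if a is None or trusted:                  # non-ARP or trusted port: not inspected
            self.stats["forwarded"] += 1
            return "forward"
        # Additional validation first (ordering is an assumption of this example).
        if self.check_src_mac and a["eth_src"] != a["sha"]:
            return self._drop("dropped_src_mac")
        if self.check_dst_mac and a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
            return self._drop("dropped_dst_mac")
        for rule in self.acl:                     # first matching ARP ACL rule decides
            if rule.matches(a):
                if rule.action == "permit":
                    self.stats["forwarded"] += 1
                    return "forward"
                return self._drop("dropped_acl")
        if self.static_only:                      # no ACL match and bindings bypassed
            return self._drop("dropped_acl")
        if self.bindings.get(a["spa"]) != a["sha"]:   # sender must match a binding
            return self._drop("dropped_dhcp_snooping")
        self.stats["forwarded"] += 1
        return "forward"

    def _drop(self, counter):
        self.stats[counter] += 1
        return "drop"


def demo():
    """Four constructed frames on an untrusted port; returns verdicts and counters."""
    insp = ArpInspector(
        acl=[ArpAclRule("permit", "MAC", mac("00:11:22:00:00:00"), mac("ff:ff:ff:00:00:00"))],
        bindings={ip("10.0.0.20"): mac("00:aa:bb:cc:dd:20")})
    gw, host = "00:11:22:33:44:55", "00:aa:bb:cc:dd:20"
    frames = [
        # permitted by the ACL: sender MAC inside the masked 00:11:22 range
        build_arp("ff:ff:ff:ff:ff:ff", gw, ARP_REQUEST, gw, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.20"),
        # reply whose Ethernet destination differs from the ARP target MAC (Dst-MAC)
        build_arp("00:aa:bb:cc:dd:99", host, ARP_REPLY, host, "10.0.0.20", host, "10.0.0.1"),
        # 10.0.0.20 claimed by a MAC that is not in the binding table
        build_arp("ff:ff:ff:ff:ff:ff", "00:de:ad:be:ef:01", ARP_REQUEST,
                  "00:de:ad:be:ef:01", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1"),
        # same IP from the MAC the binding table knows
        build_arp("ff:ff:ff:ff:ff:ff", host, ARP_REQUEST, host, "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1"),
    ]
    return [insp.inspect(f) for f in frames], insp.stats
```

The binding table here is keyed by sender IP only; on the switch the dynamic bindings also carry the VLAN and port, so a production check would key on those as well.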
Chapter 12 | Security Measures Filtering IP Addresses for Management Access
Table 21: ARP Inspection Log (Continued)
Parameter – Description
Dst. IP Address – The destination IP address in the packet.
Src. MAC Address – The source MAC address in the packet.
Dst. MAC Address – The destination MAC address in the packet.
Web Interface To display the ARP Inspection log: 1. Click Security, ARP Inspection. 2. Select Show Information from the Step list. 3. Select Show Log from the Action list.

◆ When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
◆ You cannot delete an individual address from a specified range. You must delete the entire range, and re-enter the addresses.

Chapter 12 | Security Measures Configuring Port Security
To show a list of IP addresses authorized for management access: 1. Click Security, IP Filter. 2. Select Show from the Action list.
Figure 209: Showing IP Addresses Authorized for Management Access

Configuring Port Security: Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.

◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
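An added example (not the switch's code or anything from this guide) that models the port security behaviour described above as a small per-port state machine: addresses are learned until the configured maximum is reached, an unknown device arriving after that is blocked and recorded as the last intrusion, and disabling the feature clears the dynamically learned entries. Treating a maximum of 0 as "no limit enforced", and the timestamps and MAC addresses used, are assumptions of the example.

```python
"""Port security as a per-port state machine: a bounded set of learned source MACs,
recording of the last intrusion, and clearing of dynamic entries when the feature is
disabled. Constructed example, not the switch's implementation."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    port: int
    enabled: bool = False
    max_count: int = 0                  # assumption: 0 means no limit is enforced here
    static: set = field(default_factory=set)       # administratively configured MACs
    dynamic: list = field(default_factory=list)    # learned MACs, in learning order
    last_intrusion_mac: str | None = None
    last_intrusion_time: int | None = None

    def set_enabled(self, on: bool) -> None:
        """Enabled -> disabled clears all dynamically learned entries (as the guide states)."""
        if self.enabled and not on:
            self.dynamic.clear()
        self.enabled = on

    def ingress(self, src_mac: str, now: int) -> str:
        """Return 'forward' or 'block' for a frame arriving with this source MAC."""
        if not self.enabled or src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if self.max_count == 0 or len(self.static) + len(self.dynamic) < self.max_count:
            self.dynamic.append(src_mac)            # still room: learn the address
            return "forward"
        # Table full: the unknown device is prevented from accessing the switch
        self.last_intrusion_mac, self.last_intrusion_time = src_mac, now
        return "block"


def demo():
    """Two learned addresses, a third blocked, a known one forwarded, then disable."""
    p = SecurePort(port=1, enabled=True, max_count=2)
    verdicts = [p.ingress("00:00:00:00:00:01", 10),
                p.ingress("00:00:00:00:00:02", 11),
                p.ingress("00:00:00:00:00:03", 12),   # intrusion: table already full
                p.ingress("00:00:00:00:00:01", 13)]   # already in the table
    intruder, when = p.last_intrusion_mac, p.last_intrusion_time
    p.set_enabled(False)                               # clears the dynamic entries
    return verdicts, intruder, when, len(p.dynamic)
```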
Chapter 12 | Security Measures Configuring 802.1X Port Authentication
◆ MAC Filter ID – The identifier for a MAC address filter.
◆ Last Intrusion MAC – The last unauthorized MAC address detected.
◆ Last Time Detected Intrusion MAC – The last time an unauthorized MAC address was detected.
Web Interface To configure port security: 1. Click Security, Port Security. 2.

an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but also the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server.

provided in Windows 8, Windows 7, Vista, and XP, and in Windows 2000 with Service Pack 4. To support these encryption methods in Windows 95 and 98, you can use the AEGIS dot1x client or other comparable client software)

Configuring 802.1X Global Settings: Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.

Web Interface To configure global settings for 802.1X: 1. Click Security, Port Authentication. 2. Select Configure Global from the Step list. 3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server. 4. Click Apply.
Figure 212: Configuring Global Settings for 802.

remote authenticator (see “Configuring Port Supplicant Settings for 802.1X” on page 330).
◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on this configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page.

In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
◆ Max Count – The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected.

◆ Intrusion Action – Sets the port’s response to a failed authentication.
■ Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.)
■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (see “Configuring VLAN Groups” on page 138) and mapped on each port (see “Configuring Network Access for Ports” on page 273).

5. Click Apply.
Figure 213: Configuring Interface Settings for 802.1X Port Authenticator

Configuring Port Supplicant Settings for 802.1X: Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.

◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on the Authenticator configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on that configuration page and enabling the PAE supplicant on the Supplicant configuration page.
Parameters These parameters are displayed:
◆ Port – Port number.

Web Interface To configure port authenticator settings for 802.1X: 1. Click Security, Port Authentication. 2. Select Configure Interface from the Step list. 3. Click Supplicant. 4. Modify the supplicant settings for each port as required. 5. Click Apply.
Figure 214: Configuring Interface Settings for 802.1X Port Supplicant

Displaying: Use the Security > Port Authentication (Show Statistics) page to display statistics for 802.

Table 22: 802.1X Statistics (Continued)
Parameter – Description
Rx EAPOL Total – The number of valid EAPOL frames of any type that have been received by this Authenticator.
Rx Last EAPOLVer – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
Rx Last EAPOLSrc – The source MAC address carried in the most recent EAPOL frame received by this Authenticator.

Web Interface To display port authenticator statistics for 802.1X: 1. Click Security, Port Authentication. 2. Select Show Statistics from the Step list. 3. Click Authenticator.
Figure 215: Showing Statistics for 802.1X Port Authenticator
To display port supplicant statistics for 802.1X: 1. Click Security, Port Authentication. 2. Select Show Statistics from the Step list. 3. Click Supplicant.
Chapter 12 | Security Measures DoS Protection
Figure 216: Showing Statistics for 802.1X Port Supplicant

DoS Protection: Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.

These packets may have any of the following attributes:
■ Header length is less than 4 bytes
■ Raw IP data length is less than header length * 4
◆ Invalid Source IP Address – Protects against attacks in which hackers replace the source address in packets sent to the victim with an invalid source IP address to protect the identity of the sender or to mislead the receiver as to the origin and validity of sent data.

of attack is especially effective since the packets seem to come from different sources, making the perpetrators hard to trace. These packets may have any of the following attributes:
■ Source IP address is ::1
■ Source IP address is 0xFF00::/8
◆ Invalid Destination IP Address – Protects against invalid IPv6 destination address attacks.

no flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP NULL scan.
◆ SYN/FIN Scan – Protects against SYN/FIN-scan attacks in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags.

Protection for ICMP
◆ Smurf – Protects against smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets.
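The checks listed on this page, as an added example that is not the switch's filter code and not taken from the guide. It parses raw IPv4/TCP/ICMP bytes and reports which DoS Protection rule a packet would trigger: invalid IP header, invalid source address, TCP NULL scan, SYN/FIN scan and smurf. Two points are assumptions: "header length" is read as the IHL field (minimum valid value 5), and because the guide's invalid-source bullets are given for IPv6 (::1, ff00::/8), the IPv4 analogues used here are loopback, multicast and the limited-broadcast address. All packets are constructed inline.

```python
"""Packet-level checks mirroring the DoS Protection page: invalid IP header, invalid
source address, TCP NULL and SYN/FIN scans, and smurf (ICMP echo request to the
broadcast address). Constructed example, not the switch's filter implementation."""
import ipaddress
import struct

TCP_FIN, TCP_SYN = 0x01, 0x02
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def ipv4_hdr(src, dst, proto, payload, ihl=5, total_len=None):
    """Constructed IPv4 header + payload (checksum left zero; not needed here)."""
    total = 20 + len(payload) if total_len is None else total_len
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def tcp_hdr(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # type 8, code 0, id 1, seq 1


def dos_checks(pkt):
    """Return the list of DoS Protection rules the packet would trigger."""
    hits = []
    if len(pkt) < 20:
        return ["invalid-ip-header"]
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = vihl & 0x0F
    # Guide: header length too short, or raw IP length less than header length * 4.
    # Assumption: "header length" is the IHL field, whose minimum valid value is 5.
    if ihl < 5 or total < ihl * 4:
        hits.append("invalid-ip-header")
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # IPv4 analogues of the guide's invalid-source list (::1, ff00::/8): loopback,
    # multicast and the limited-broadcast address are never legitimate sources.
    if s.is_loopback or s.is_multicast or s == BROADCAST:
        hits.append("invalid-source-ip")
    l4 = pkt[ihl * 4:] if ihl >= 5 else b""
    if proto == 6 and len(l4) >= 14:
        flags = l4[13]
        if flags == 0:
            hits.append("tcp-null-scan")          # no flags at all
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append("tcp-syn-fin-scan")       # SYN and FIN never co-occur legitimately
    if proto == 1 and len(l4) >= 1 and l4[0] == 8 and d == BROADCAST:
        hits.append("smurf")                      # echo request to 255.255.255.255
    return hits


def demo():
    """Run constructed packets through the checks; keys name the scenario."""
    syn = tcp_hdr(TCP_SYN)
    return {
        "syn": dos_checks(ipv4_hdr("10.0.0.5", "10.0.0.1", 6, syn)),
        "null": dos_checks(ipv4_hdr("10.0.0.5", "10.0.0.1", 6, tcp_hdr(0))),
        "synfin": dos_checks(ipv4_hdr("10.0.0.5", "10.0.0.1", 6, tcp_hdr(TCP_SYN | TCP_FIN))),
        "smurf": dos_checks(ipv4_hdr("10.0.0.9", "255.255.255.255", 1, icmp_echo_request())),
        "loopback": dos_checks(ipv4_hdr("127.0.0.1", "10.0.0.1", 6, syn)),
        "short-ihl": dos_checks(ipv4_hdr("10.0.0.5", "10.0.0.1", 6, syn, ihl=3)),
        "short-total": dos_checks(ipv4_hdr("10.0.0.5", "10.0.0.1", 6, syn, total_len=10)),
    }
```

A normal SYN triggers nothing; each remaining scenario triggers exactly the rule named by its key, which is the property a practitioner would want to confirm before relying on any such filter to drop traffic at line rate.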
Figure 217: Configuring DoS Protection – 340 –
Chapter 12 | Security Measures IP Source Guard
IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 346). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.

■ If IP source guard is enabled on an interface for which IP source bindings have not yet been configured (neither by static configuration in the IP source guard binding table nor dynamically learned from DHCP snooping), the switch will drop all IP traffic on that port, except for DHCP packets.

Configuring Static Bindings for IP Source Guard: Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.

Web Interface To configure static bindings for IP Source Guard: 1. Click Security, IP Source Guard, Static Configuration. 2. Select Add from the Action list. 3. Enter the required bindings for each port. 4. Click Apply.
Figure 219: Configuring Static Bindings for IP Source Guard
To display static bindings for IP Source Guard: 1. Click Security, IP Source Guard, Static Configuration. 2. Select Show from the Action list.

◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
Dynamic Binding List
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – Port to which this entry is bound.
◆ IP Address – IP address corresponding to the client.

Chapter 12 | Security Measures DHCP Snooping
DHCP Snooping: The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.

■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled. However, if MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
■ If the DHCP packet is not a recognizable type, it is dropped.

◆ If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted into a DHCP request packet received over any VLAN (depending on DHCP snooping filtering rules). The information inserted into the relayed packets includes the circuit-id and remote-id, as well as the gateway Internet address.

◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information.
■ Drop – Drops the client’s request packet instead of relaying it.
■ Keep – Retains the Option 82 information in the client request, and forwards the packets to trusted ports.

◆ When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
◆ When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Parameters These parameters are displayed:
◆ VLAN – ID of a configured VLAN.

◆ When DHCP snooping is enabled both globally and on a VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Set all ports connected to DHCP servers within the local network or firewall to the trusted state. Set all other ports outside the local network or firewall to the untrusted state.
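An added example, not code from this guide or the switch, covering the DHCP snooping rules on this and the preceding pages together with the IP Source Guard check described under “IP Source Guard” above, since both work from the same binding table: server messages arriving on an untrusted port are dropped, client messages pass MAC address verification (hardware address versus Ethernet source), the Option 82 policy is applied to requests that already carry the option, Option 82 is inserted otherwise, a dynamic binding is learned from the server's ACK on a trusted port, and IP Source Guard then only forwards IP traffic that matches a binding (or all DHCP traffic while a port has no bindings at all). The minimal DHCP message layout, the `replace` policy (the guide's page shows Drop and Keep), the Option 82 sub-option encoding, the switch MAC used as remote-id and all ports, addresses and transaction IDs are assumptions constructed for the example.

```python
"""DHCP snooping on untrusted ports (server-message drop, MAC verification, Option 82
policy and insertion, binding learning on ACK) plus the IP Source Guard check that
consumes the bindings. Constructed example, not the switch's implementation."""
import struct
from dataclasses import dataclass, field

MAGIC = b"\x63\x82\x53\x63"
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
SWITCH_MAC = bytes.fromhex("0000aa000001")          # constructed remote-id


def build_dhcp(op, xid, chaddr, msg_type, yiaddr=b"\0\0\0\0", extra_opts=b""):
    """Constructed minimal BOOTP/DHCP message: 236-byte header, cookie, options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                      yiaddr, b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type]) + extra_opts + b"\xff"


def parse_dhcp(pkt):
    """Return (op, xid, chaddr, yiaddr, options dict) or None if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    op, _, hlen, _, xid = struct.unpack("!BBBBI", pkt[:8])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        if i + 1 >= len(pkt):
            return None
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, xid, pkt[28:28 + hlen], pkt[16:20], opts


@dataclass
class DhcpSnooper:
    trusted: set = field(default_factory=set)      # ports facing DHCP servers
    verify_mac: bool = True
    option82: bool = True
    option82_policy: str = "replace"               # drop | keep | replace (replace assumed)
    bindings: dict = field(default_factory=dict)   # (port, client MAC) -> IP bytes
    pending: dict = field(default_factory=dict)    # xid -> untrusted client port

    def filter(self, port, eth_src, pkt):
        """Return ('forward', packet) or ('drop', reason) for a DHCP packet seen on port."""
        p = parse_dhcp(pkt)
        if p is None:
            return "drop", "unrecognized"
        op, xid, chaddr, yiaddr, opts = p
        mtype = opts.get(53, b"\0")[0]
        if port in self.trusted:
            if mtype == 5 and xid in self.pending:            # ACK: learn dynamic binding
                self.bindings[(self.pending.pop(xid), chaddr)] = yiaddr
            return "forward", pkt
        if op == 2 or mtype in SERVER_TYPES:
            return "drop", "server-on-untrusted-port"        # rogue server
        if mtype not in CLIENT_TYPES:
            return "drop", "unrecognized"
        if self.verify_mac and chaddr != eth_src:
            return "drop", "chaddr-mismatch"                  # hardware address vs. Ethernet source
        if 82 in opts:
            if self.option82_policy == "drop":
                return "drop", "option82-present"
            if self.option82_policy == "replace":
                pkt = self._with_option82(pkt, port)
        elif self.option82:
            pkt = self._with_option82(pkt, port)
        self.pending[xid] = port
        return "forward", pkt

    def _with_option82(self, pkt, port):
        """Rebuild the options with Option 82: circuit-id = port, remote-id = switch MAC."""
        opts = parse_dhcp(pkt)[4]
        opts[82] = bytes([1, 1, port, 2, 6]) + SWITCH_MAC
        body = b"".join(bytes([c, len(v)]) + v for c, v in opts.items())
        return pkt[:240] + body + b"\xff"

    def ip_source_guard(self, port, eth_src, src_ip, is_dhcp=False):
        """IP traffic on an untrusted port must match a binding; with none, only DHCP passes."""
        if port in self.trusted or is_dhcp:
            return "forward"
        if not any(p == port for p, _ in self.bindings):
            return "drop"
        return "forward" if self.bindings.get((port, eth_src)) == src_ip else "drop"


def demo():
    """Client on port 3, server on trusted port 24, a rogue server and a spoofed client."""
    s = DhcpSnooper(trusted={24})
    client, leased = bytes.fromhex("001122334455"), bytes([10, 0, 0, 50])
    r1 = s.filter(3, client, build_dhcp(1, 0x1234, client, 3))                       # REQUEST
    r2 = s.filter(24, SWITCH_MAC, build_dhcp(2, 0x1234, client, 5, yiaddr=leased))   # ACK
    r3 = s.filter(5, bytes.fromhex("00deadbeef01"), build_dhcp(2, 0x99, client, 2))  # rogue OFFER
    r4 = s.filter(3, bytes.fromhex("00deadbeef02"), build_dhcp(1, 0x77, client, 1))  # spoofed chaddr
    isg = [s.ip_source_guard(3, client, leased), s.ip_source_guard(3, client, bytes([10, 0, 0, 99])),
           s.ip_source_guard(5, client, leased), s.ip_source_guard(5, client, leased, is_dhcp=True)]
    return r1[0], 82 in parse_dhcp(r1[1])[4], r2[0], r3, r4, s.bindings, isg
```

The binding is learned only when the ACK's transaction ID matches a request previously relayed from an untrusted port, which is what ties the leased address to the physical port the guide says the binding table records.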
Displaying DHCP Snooping Binding Information: Use the I﻿P Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
Parameters These parameters are displayed:
◆ MAC Address – Physical address associated with the entry.
◆ IP Address – IP address corresponding to the client.
◆ Lease Time – The time for which this IP address is leased to the client.
◆ Type – Entry types include:
■ DHCP-Snooping – Dynamically snooped.

Figure 225: Displaying the Binding Table for DHCP Snooping
13 Basic Administration Protocols
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).

Chapter 13 | Basic Administration Protocols Configuring Event Logging
The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.
Parameters These parameters are displayed:
◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process.

Web Interface To configure the logging of error messages to system memory: 1. Click Administration, Log, System. 2. Select Configure Global from the Step list. 3. Enable or disable system logging, and set the level of event messages to be logged to flash memory and RAM. 4. Click Apply.
Figure 226: Configuring Settings for System Memory Logs
To show the error messages logged to system or flash memory: 1. Click Administration, Log, System.

Figure 227: Showing Error Messages Logged to System Memory
Remote Log Configuration: Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
Parameters These parameters are displayed:
◆ Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process.

Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol
Web Interface To configure the logging of error messages to remote servers: 1. Click Administration, Log, Remote. 2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. 3. Click Apply.
Setting LLDP Timing Attributes: Use the Administration > LLDP (Configure Global) page to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.
Parameters These parameters are displayed:
◆ LLDP – Enables LLDP globally on the switch.

any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
◆ MED Fast Start Count – Configures the number of LLDP-MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. (Range: 1-10 packets; Default: 4 packets) The MED Fast Start Count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port.

◆ SNMP Notification – Enables the transmission of SNMP trap notifications about LLDP and LLDP-MED changes. (Default: Disabled) This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.

■ System Capabilities – The System Capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.

◆ MED TLVs – Configures general information included in the MED TLV field of advertised messages.
■ Capabilities – This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.

5. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages. 6. Click Apply.
Figure 230: Configuring LLDP Interface Attributes
Configuring LLDP Interface: Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.

Table 24: LLDP MED Location CA Types (Continued)
CA Type – Description – CA Value Example
18 – Street suffix or type – Avenue
19 – House number – 320
20 – House number suffix – A
21 – Landmark or vanity address – Tech Center
26 – Unit (apartment, suite) – Apt 519
27 – Floor – 5
28 – Room – 509B
◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device: 1. Click Administration, LLDP. 2. Select Configure Interface from the Step list. 3. Select Show CA-Type from the Action list. 4. Select an interface from the Port or Trunk list.

◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 66).
◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.

Interface Details The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
◆ Local Port/Trunk – Local interface on this switch.
◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.

Figure 233: Displaying Local Device Information for LLDP (General)
Figure 234: Displaying Local Device Information for LLDP (Port)
Figure 235: Displaying Local Device Information for LLDP (Port Details)
Displaying LLDP Remote Device Information: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.

◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 26, "System Capabilities," on page 368.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 26, "System Capabilities," on page 368.)
◆ Management Address List – The management addresses for this device.
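An added example, not the switch's LLDP agent and not taken from the guide, showing how the fields displayed on these pages (Chassis ID and Port ID with their subtypes, System Name, System Capabilities supported and enabled) are carried in an LLDPDU and how a receiver decodes them. It also applies the kind of validation behind the “Frames Invalid” counter described later in this section: the Chassis ID, Port ID and TTL TLVs must come first and in that order, and the PDU must end with an End of LLDPDU TLV. The TLV framing, subtype codes and capability bit order are those of IEEE 802.1AB; the sample PDU (chassis MAC, port name “ge1”, system name “edge-sw1”) is constructed for the example.

```python
"""LLDPDU parser: TLV framing, mandatory Chassis ID / Port ID / TTL ordering check,
System Name and System Capabilities decoding. Constructed example, not switch code."""
import struct

CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN Access Point", "Router",
                   "Telephone", "DOCSIS Cable Device", "Station Only"]   # IEEE 802.1AB bit order
CHASSIS_SUBTYPES = {1: "Chassis component", 2: "Interface alias", 3: "Port component",
                    4: "MAC address", 5: "Network address", 6: "Interface name", 7: "Locally assigned"}
PORT_SUBTYPES = {1: "Interface alias", 2: "Port component", 3: "MAC address",
                 4: "Network address", 5: "Interface name", 6: "Agent circuit ID", 7: "Locally assigned"}


def tlv(t, value):
    """TLV header: 7-bit type followed by 9-bit length."""
    return struct.pack("!H", (t << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, sys_name, caps_supported, caps_enabled):
    """Constructed LLDPDU with the mandatory TLVs first, as the standard requires."""
    return (tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x05" + port_name.encode())
            + tlv(3, struct.pack("!H", ttl)) + tlv(5, sys_name.encode())
            + tlv(7, struct.pack("!HH", caps_supported, caps_enabled)) + tlv(0, b""))


def split_tlvs(data):
    """Return a list of (type, value), or None when a TLV runs past the end of the PDU."""
    tlvs, i = [], 0
    while i + 2 <= len(data):
        hdr = struct.unpack("!H", data[i:i + 2])[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        value = data[i + 2:i + 2 + ln]
        if len(value) != ln:
            return None
        tlvs.append((t, value))
        i += 2 + ln
        if t == 0:                        # End of LLDPDU
            break
    return tlvs


def caps_list(bits):
    return [name for n, name in enumerate(CAPABILITY_BITS) if bits & (1 << n)]


def decode(data):
    """Decode the fields the guide's Remote Device pages display; flag invalid PDUs."""
    tlvs = split_tlvs(data)
    # Frames Invalid: mandatory TLVs missing or out of order, or no End of LLDPDU TLV.
    if not tlvs or len(tlvs) < 4 or [t for t, _ in tlvs[:3]] != [1, 2, 3] or tlvs[-1][0] != 0:
        return {"valid": False}
    out = {"valid": True}
    for t, v in tlvs:
        if t == 1:
            out["chassis_id_type"] = CHASSIS_SUBTYPES.get(v[0], "Reserved")
            out["chassis_id"] = v[1:].hex(":") if v[0] == 4 else v[1:].decode(errors="replace")
        elif t == 2:
            out["port_id_type"] = PORT_SUBTYPES.get(v[0], "Reserved")
            out["port_id"] = v[1:].hex(":") if v[0] == 3 else v[1:].decode(errors="replace")
        elif t == 3:
            out["ttl"] = struct.unpack("!H", v[:2])[0]
        elif t == 5:
            out["system_name"] = v.decode(errors="replace")
        elif t == 6:
            out["system_description"] = v.decode(errors="replace")
        elif t == 7:
            supported, enabled = struct.unpack("!HH", v[:4])
            out["caps_supported"], out["caps_enabled"] = caps_list(supported), caps_list(enabled)
    return out


def demo():
    """A constructed neighbour advertising Bridge+Router capability with Bridge enabled."""
    pdu = build_lldpdu(bytes.fromhex("001122334455"), "ge1", 120, "edge-sw1", 0x0014, 0x0004)
    return decode(pdu)
```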
Table 28: Remote Port Auto-Negotiation Advertised Capability (Continued)
Bit – Capability
5 – 100BASE-TX full duplex mode
6 – 100BASE-T2 half duplex mode
7 – 100BASE-T2 full duplex mode
8 – PAUSE for full-duplex links
9 – Asymmetric PAUSE for full-duplex links
10 – Symmetric PAUSE for full-duplex links
11 – Asymmetric and Symmetric PAUSE for full-duplex links
12 – 1000BASE-X, -LX, -SX, -CX half duplex mode
13 – 1000BASE-X, -LX, -SX, -

Port Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.

Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
■ Voice
■ Voice Signaling
■ Guest Signaling
■ Guest Voice Signaling
■ Softphone Voice
■ Video Conferencing
■ Streaming Video
■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.

■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.

To display detailed LLDP information for a remote interface: 1. Click Administration, LLDP. 2. Select Show Remote Device Information from the Step list. 3. Select Port Details or Trunk Details. 4. Select a port on this switch and the index for a remote device attached to this interface. 5. Click Query.

Figure 237: Displaying Remote Device Information for LLDP (Port Details)
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
Figure 238: Displaying Remote Device Information for LLDP (End Node)
Displaying Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.

Port/Trunk
◆ Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
◆ Frames Invalid – A count of all LLDPDUs received with one or more detectable errors.
◆ Frames Received – Number of LLDP PDUs received.
◆ Frames Sent – Number of LLDP PDUs transmitted.

Chapter 13 | Basic Administration Protocols Power over Ethernet
Figure 240: Displaying LLDP Device Statistics (Port)
Power over Ethernet: The ECS4210-12P and ECS4210-28P can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configured to supply power, an automatic detection process is initialized by the switch that is authenticated by a PoE signature from the connected device.

Displaying the Switch’s Overall PoE Power Budget: Use the Administration > PoE (Configure Global) page to display the maximum PoE power budget for the switch (power available to all RJ-45 ports). The maximum PoE power budget is fixed at the maximum available setting, which prevents overload conditions at the power source.

Setting the Port PoE Power Budget: Use the Administration > PoE (Configure Interface) page to set the maximum PoE power provided to a port.
Command Usage
◆ This switch supports both the IEEE 802.3af PoE and IEEE 802.3at-2009 PoE Plus standards. To ensure that the correct power is supplied to powered devices (PD) compliant with these standards, the first detection pulse from the switch is based on 802.3af to which the 802.

Parameters These parameters are displayed:
◆ Port – The port number on the switch.
◆ Admin Status – Enables PoE power on a port. Power is automatically supplied when a device is detected on a port, providing that the power demanded does not exceed the switch or port power budget. (Default: Enabled)
◆ Mode – Shows whether or not PoE power is being supplied to a port.
◆ Priority – Sets the power priority for a port.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 29: SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security v1 noAuthNoPriv public (read only) defaultview none none Community string only v1 noAuthNoPriv private (read/write) defaultview defaultview none Community string only v1 noAuthNoPriv user defined user defined user defined user defined Community string only v2c noAuthNoPriv public (read only) defau
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol 3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters. 4. Use the Administration > SNMP (Configure View) page to specify read and write access views for the switch MIB tree. 5. Use the Administration > SNMP (Configure User) page to configure SNMP user groups with the required security model (i.
Figure 243: Configuring Global Settings for SNMP
Setting the Local Engine ID: Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
Figure 244: Configuring the Local Engine ID for SNMP
Specifying a Remote Engine ID: Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Figure 245: Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs: 1. Click Administration, SNMP. 2. Select Configure Engine from the Step list. 3. Select Show Remote Engine from the Action list.
Add OID Subtree ◆ View Name – Lists the SNMP views configured in the Add View page. (Range: 1-32 characters) ◆ OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string. (Range: 1-64 characters)
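The following is an added example, not code from this guide or the switch firmware, showing how a view built from included and excluded OID subtrees with wild-carded arcs decides whether a given object is visible. It follows the standard view-based access control rules (RFC 3415 view families: the longest matching subtree wins, and an "excluded" entry hides the branch). The "*" spelling for a masked arc, the "later entry wins on equal length" tie-break and the sample view contents are assumptions made for this example.

```python
"""SNMP view-based access check with OID subtree wild cards.

Added example (not code from the ECS4210 guide or its firmware). It models the
standard VACM view-family rules (RFC 3415): an OID is visible when the longest
matching subtree entry is an "included" one. Masked arcs are written as "*" in
the subtree string; that spelling, and "later entry wins on equal length", are
assumptions made here for the example.
"""
from dataclasses import dataclass


def parse_oid(oid: str) -> tuple[int, ...]:
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple[int, ...]
    mask: tuple[bool, ...]   # True: arc must match; False: wild-card arc
    included: bool           # False models an "excluded" subtree


def entry_from_string(spec: str, included: bool = True) -> ViewEntry:
    """Build a view entry; '*' marks an arc that is masked out (wild card)."""
    arcs = spec.strip(".").split(".")
    subtree = tuple(0 if a == "*" else int(a) for a in arcs)
    mask = tuple(a != "*" for a in arcs)
    return ViewEntry(subtree, mask, included)


def entry_matches(entry: ViewEntry, oid: tuple[int, ...]) -> bool:
    """An OID is under the subtree when every unmasked arc of the subtree matches."""
    if len(oid) < len(entry.subtree):
        return False
    return all(not masked or want == have
               for want, have, masked in zip(entry.subtree, oid, entry.mask))


def oid_in_view(view: list[ViewEntry], oid_str: str) -> bool:
    """True when the best (longest) matching entry includes the OID."""
    oid = parse_oid(oid_str)
    best = None
    for entry in view:
        if entry_matches(entry, oid) and (best is None or len(entry.subtree) >= len(best.subtree)):
            best = entry
    return best is not None and best.included


# Constructed sample view: the system group is visible except sysContact,
# and only row 3 of the interfaces table (every column of that row).
READONLY_VIEW = [
    entry_from_string("1.3.6.1.2.1.1"),                    # system
    entry_from_string("1.3.6.1.2.1.1.4", included=False),  # sysContact excluded
    entry_from_string("1.3.6.1.2.1.2.2.1.*.3"),            # ifEntry.<any column>.3
]


def visible_oids(view: list[ViewEntry], oids: list[str]) -> list[str]:
    """Filter a list of OIDs down to those the view permits."""
    return [o for o in oids if oid_in_view(view, o)]


if __name__ == "__main__":
    for o in ["1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.4.0",
              "1.3.6.1.2.1.2.2.1.10.3", "1.3.6.1.2.1.2.2.1.10.4"]:
        print(o, "visible" if oid_in_view(READONLY_VIEW, o) else "hidden")
```

The useful check for an administrator is the second case: an "excluded" subtree that is longer than an "included" one takes precedence, so a read view can expose the system group while still hiding a single object under it.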
Figure 248: Showing SNMP Views To add an object identifier to an existing SNMP view of the switch’s MIB database: 1. Click Administration, SNMP. 2. Select Configure View from the Step list. 3. Select Add OID Subtree from the Action list. 4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view. 5.
Figure 250: Showing the OID Subtree Configured for SNMP Views
Configuring SNMPv3 Groups: Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 30: Supported Notification Messages
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Table 30: Supported Notification Messages (Continued)
swPowerStatusChangeTrap | 1.3.6.1.4.1.259.6.10.112.2.1.0.1 | This trap is sent when the power state changes.
swPortSecurityTrap | 1.3.6.1.4.1.259.10.1.112.2.1.0.36 | This trap is sent when an intrusion is detected on the port. This trap will only be sent when the portSecActionTrap is enabled.
swIpFilterRejectTrap | 1.3.6.1.4.1.259.6.10.112.2.1.0.
Table 30: Supported Notification Messages (Continued)
dhcpRogueServerAttackTrap | 1.3.6.1.4.1.259.6.10.112.2.1.0.114 | This trap is sent when a DHCP packet is received from a rogue server.
swLoginFailureTrap | 1.3.6.1.4.1.259.6.10.112.2.1.0.139 | This trap is sent when a login fails via console, telnet, or web.
swLoginSucceedTrap | 1.3.6.1.4.1.259.6.10.112.2.1.0.
Web Interface To configure an SNMP group: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Enter a group name, assign a security model and level, and then select read, write, and notify views. 5. Click Apply. Figure 251: Creating an SNMP Group To show SNMP groups: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3.
Setting Community Access Strings: Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings. Parameters These parameters are displayed: ◆ Community String – A community string that acts like a password and permits access to the SNMP protocol.
3. Select Show Community from the Action list. Figure 254: Showing Community Access Strings
Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. ◆ Privacy Password – A minimum of eight plain text characters is required. Web Interface To configure a local SNMPv3 user: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Add SNMPv3 Local User from the Action list. 4. Enter a name and assign it to a group.
Figure 256: Showing Local SNMPv3 Users
Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required. ◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. ◆ Privacy Password – A minimum of eight plain text characters is required. Web Interface To configure a remote SNMPv3 user: 1.
To show remote SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Remote User from the Action list. Figure 258: Showing Remote SNMPv3 Users
Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent notifications and the types of notifications to send.
2. Create a local SNMPv3 user to use in the message exchange process (page 399). If the user specified in the notification configuration page does not exist, an SNMPv3 group will be automatically created using the name of the specified local user, and default settings for the read, write, and notify view. 3. Create a view with the required notification messages (page 390). 4.
◆ Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3) ◆ Community String – Specifies a valid community string for the new notification manager entry. (Range: 1-32 characters, case sensitive) Although you can set this string in the Configure Notification – Add page, we recommend defining it in the Configure User – Add Community page.
◆ Security Level – When notification version 3 is selected, you must specify one of the following security levels. (Default: noAuthNoPriv) ■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. ■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted. ■ AuthPriv – SNMP communications use both authentication and encryption.
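The community strings, SNMPv3 user settings and notification security levels described on the preceding pages are the places where an SNMP configuration is most often left weak. The following is an added example, not code from this guide or the switch firmware, that audits a configuration against exactly the points the guide raises: the factory default community strings it recommends removing, read/write access over v1/v2c, noAuthNoPriv or AuthNoPriv users, MD5 rather than SHA authentication, and the 56-bit DES privacy protocol. The record layouts, severity labels, finding texts and the sample configuration are all constructed for this example.

```python
"""Audit of an SNMP management configuration for the weak settings this guide
calls out: default community strings, read/write v1/v2c access, v3 users
without authentication or privacy, MD5 authentication and 56-bit DES privacy.

Added example, not part of the ECS4210 guide or firmware. The record layouts
mirror the parameters of the Configure User / Configure Trap pages; severity
labels, finding texts and the sample data are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_COMMUNITIES = {"public", "private"}   # factory strings listed in Table 29


@dataclass
class Community:
    string: str
    access: str                  # "read only" or "read/write"


@dataclass
class V3User:
    name: str
    level: str                   # noAuthNoPriv | AuthNoPriv | AuthPriv
    auth: Optional[str] = None   # MD5 | SHA
    priv: Optional[str] = None   # DES is the only option on this switch


@dataclass
class TrapManager:
    host: str
    version: str                 # "1", "2c" or "3"
    level: str = "noAuthNoPriv"  # only meaningful for version "3"


@dataclass
class Finding:
    severity: str                # high | medium | low
    subject: str
    detail: str


def audit_snmp(communities: list[Community], users: list[V3User],
               managers: list[TrapManager]) -> list[Finding]:
    findings: list[Finding] = []
    for c in communities:
        if c.string.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("high", f"community {c.string!r}",
                                    "factory default string; remove it as the guide recommends"))
        if c.access == "read/write":
            findings.append(Finding("high", f"community {c.string!r}",
                                    "read/write over v1/v2c: the community string is the only "
                                    "credential and is sent in clear text"))
    for u in users:
        if u.level == "noAuthNoPriv":
            findings.append(Finding("high", f"v3 user {u.name!r}",
                                    "no authentication and no encryption"))
        elif u.level == "AuthNoPriv":
            findings.append(Finding("medium", f"v3 user {u.name!r}",
                                    "authenticated, but MIB data is sent unencrypted"))
        if u.level != "noAuthNoPriv" and u.auth == "MD5":
            findings.append(Finding("low", f"v3 user {u.name!r}",
                                    "MD5 authentication; SHA is the stronger option offered"))
        if u.level == "AuthPriv" and u.priv == "DES":
            findings.append(Finding("low", f"v3 user {u.name!r}",
                                    "56-bit DES is the only privacy protocol available; "
                                    "restrict SNMP reachability to management hosts"))
    for m in managers:
        if m.version in ("1", "2c"):
            findings.append(Finding("medium", f"trap manager {m.host}",
                                    f"SNMPv{m.version} notifications carry the community string in clear text"))
        elif m.level == "noAuthNoPriv":
            findings.append(Finding("medium", f"trap manager {m.host}",
                                    "v3 notifications sent without authentication"))
    return findings


# Constructed sample configuration (documentation addresses, made-up names).
SAMPLE_COMMUNITIES = [Community("public", "read only"), Community("private", "read/write"),
                      Community("n3tm0n-ro", "read only")]
SAMPLE_USERS = [V3User("ops", "AuthPriv", auth="SHA", priv="DES"),
                V3User("legacy", "noAuthNoPriv")]
SAMPLE_MANAGERS = [TrapManager("192.0.2.10", "2c"),
                   TrapManager("192.0.2.11", "3", level="AuthPriv")]


def audit_sample() -> list[Finding]:
    return audit_snmp(SAMPLE_COMMUNITIES, SAMPLE_USERS, SAMPLE_MANAGERS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

Run against the sample, the audit reports both factory strings, the read/write community, the unauthenticated v3 user, the v2c trap manager and the DES caveat; the SHA/AuthPriv user and the non-default read-only community produce no high finding.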
Figure 261: Configuring Trap Managers (SNMPv3) To show configured notification managers: 1. Click Administration, SNMP. 2. Select Configure Trap from the Step list. 3. Select Show from the Action list. Figure 262: Showing Notification Managers
Creating SNMP Notification Logs: Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
Figure 263: Creating SNMP Notification Logs To show configured SNMP notification logs: 1. Click Administration, SNMP. 2. Select Configure Notify Filter from the Step list. 3. Select Show from the Action list. Figure 264: Showing SNMP Notification Logs
Showing SNMP Statistics: Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages. ◆ Number of requested variables – The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
Chapter 13 | Basic Administration Protocols Remote Monitoring
Web Interface To show SNMP statistics: 1. Click Administration, SNMP. 2. Select Show Statistics from the Step list. Figure 265: Showing SNMP Statistics
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
Configuring RMON Alarms: Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold. (Range: 0-2147483647) ◆ Falling Event Index – The index of the event to use if an alarm is triggered by monitored variables reaching or crossing below the falling threshold. If there is no corresponding entry in the event control table, then no event will be generated.
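The hysteresis rule above (no second rising event until the value has come back down to the falling threshold, and the mirror rule for falling events) is what keeps a counter hovering around one threshold from flooding the trap manager. The following is an added example, not code from this guide or the switch firmware, that implements that rule for both absolute and delta sample types as the RFC 2819 alarm table defines them, with the startup behaviour of "risingOrFalling" (either threshold may fire on the first sample). The sample values and event indices are constructed for the example.

```python
"""RMON alarm threshold evaluation with rising/falling hysteresis.

Added example, not code from the ECS4210 guide or firmware. It follows the
RFC 2819 alarmTable semantics for absolute and delta sample types with the
startup alarm "risingOrFalling"; the event index is simply carried through to
the result rather than looked up in an event table.
"""
from typing import Optional


class RmonAlarm:
    def __init__(self, rising_threshold: int, falling_threshold: int,
                 sample_type: str = "absolute",
                 rising_event_index: int = 1, falling_event_index: int = 2):
        if falling_threshold > rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising = rising_threshold
        self.falling = falling_threshold
        self.sample_type = sample_type
        self.rising_event = rising_event_index
        self.falling_event = falling_event_index
        self.last_raw: Optional[int] = None
        # Both directions are armed at startup (startup alarm = risingOrFalling).
        self.rising_armed = True
        self.falling_armed = True

    def sample(self, raw: int) -> Optional[int]:
        """Feed one polled value; return the event index fired, or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:          # the first delta needs two samples
                self.last_raw = raw
                return None
            value = raw - self.last_raw        # change over the sampling interval
        else:
            value = raw                        # the counter's current value
        self.last_raw = raw

        if value >= self.rising and self.rising_armed:
            self.rising_armed = False          # re-armed only once a falling event fires
            self.falling_armed = True
            return self.rising_event
        if value <= self.falling and self.falling_armed:
            self.falling_armed = False         # re-armed only once a rising event fires
            self.rising_armed = True
            return self.falling_event
        return None


def run_alarm(alarm: RmonAlarm, samples: list[int]) -> list[tuple[int, int]]:
    """Return (sample_number, event_index) for every event the samples trigger."""
    fired = []
    for i, raw in enumerate(samples):
        ev = alarm.sample(raw)
        if ev is not None:
            fired.append((i, ev))
    return fired


if __name__ == "__main__":
    # Constructed utilisation samples: the value oscillates above 80 twice in a row
    # (only the first crossing fires) before dropping to the falling threshold.
    print(run_alarm(RmonAlarm(80, 20), [10, 50, 85, 90, 60, 85, 15, 10, 85]))
    # Constructed error-counter readings evaluated as deltas between polls.
    print(run_alarm(RmonAlarm(100, 10, "delta"), [0, 50, 200, 210, 215, 400]))
```

In the absolute run the second excursion to 85 (sample 5) fires nothing because the value never reached the falling threshold of 20 after the first rising event; in the delta run the first reading only seeds the previous value and cannot fire by itself.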
To show configured RMON alarms: 1. Click Administration, RMON. 2. Select Configure Global from the Step list. 3. Select Show from the Action list. 4. Click Alarm. Figure 267: Showing Configured RMON Alarms
Configuring RMON Events: Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see “System Log Configuration” on page 355). ■ Trap – Sends a trap message to all configured trap managers (see “Specifying Trap Managers” on page 403). ■ Log and Trap – Logs the event and sends a trap message.
To show configured RMON events: 1. Click Administration, RMON. 2. Select Configure Global from the Step list. 3. Select Show from the Action list. 4. Click Event. Figure 269: Showing Configured RMON Events
Configuring RMON History Samples: Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
example, if control entry 15 is assigned to port 5, this index entry will be removed from the Show and Show Details page for port 8. Parameters These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index – Index to this entry. (Range: 1-65535) ◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds) ◆ Buckets – The number of buckets requested for this entry.
To show configured RMON history samples: 1. Click Administration, RMON. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port from the list. 5. Click History. Figure 271: Showing Configured RMON History Samples To show collected RMON history samples: 1. Click Administration, RMON. 2. Select Configure Interface from the Step list. 3. Select Show Details from the Action list. 4.
Configuring RMON Statistical Samples: Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates. Command Usage ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
Figure 273: Configuring an RMON Statistical Sample To show configured RMON statistical samples: 1. Click Administration, RMON. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port from the list. 5. Click Statistics. Figure 274: Showing Configured RMON Statistical Samples To show collected RMON statistical samples: 1. Click Administration, RMON. 2.
Chapter 13 | Basic Administration Protocols Switch Clustering
Figure 275: Showing Collected RMON Statistical Samples
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
◆ After the Commander and Members have been configured, any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Show Member page.
Configuring General Settings for Clusters: Use the Administration > Cluster (Configure Global) page to create a switch cluster. Command Usage First be sure that clustering is enabled on the switch (the default is disabled), then set the switch as a Cluster Commander.
Figure 276: Configuring a Switch Cluster
Cluster Member Configuration: Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members. Parameters These parameters are displayed: ◆ Member ID – Specify a Member ID number for the selected Candidate switch.
Figure 277: Configuring Cluster Members To show the cluster members: 1. Click Administration, Cluster. 2. Select Configure Member from the Step list. 3. Select Show from the Action list. Figure 278: Showing Cluster Members To show cluster candidates: 1. Click Administration, Cluster. 2. Select Configure Member from the Step list. 3. Select Show Candidate from the Action list.
Managing Cluster Members: Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. Parameters These parameters are displayed: ◆ Member ID – The ID number of the Member switch. (Range: 1-36) ◆ Role – Indicates the current status of the switch in the cluster. ◆ IP Address – The internal cluster IP address assigned to the Member switch. ◆ MAC Address – The MAC address of the Member switch.
14 IP Configuration
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address using Auto IP, or from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Chapter 14 | IP Configuration Using the Ping Function
Command Usage ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response – The normal response occurs in one to ten seconds, depending on network traffic. ■ Destination does not respond – If the host does not respond, a “timeout” appears in ten seconds. ■ Destination unreachable – The gateway for this destination indicates that the destination is unreachable.
Chapter 14 | IP Configuration Address Resolution Protocol
The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this switch (or any standards-based switch/router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the switch may tie up resources by repeating ARP requests for addresses recently flushed from the table. When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address. Web Interface To configure the timeout for the ARP cache: 1. Click IP, ARP. 2. Select Configure General from the Step List.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 4)
Use the System > IP page to configure an IPv4 address for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types. For information on configuring the switch with an IPv6 address, see “Setting the Switch’s IP Address (IP Version 6)” on page 434.
◆ IP Address – Address of the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: None) ◆ Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: None) ◆ Gateway IP Address – IP address of the gateway router between the switch and management stations that exist on other network segments.
Figure 285: Configuring an Auto IP Address To obtain a dynamic address through DHCP/BOOTP for the switch: 1. Click System, IP. 2. Select the VLAN through which the management station is attached, set the IP Address Mode to “DHCP” or “BOOTP.” 3. Click Apply to save your changes. 4. Then click Restart DHCP to immediately request a new address.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6)
segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available.
Web Interface To configure an IPv6 default gateway for the switch: 1. Click IP, IPv6 Configuration. 2. Select Configure Global from the Action list. 3. Enter the IPv6 default gateway. 4. Click Apply.
Parameters These parameters are displayed: VLAN Mode ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
■ IPv6 must be enabled on an interface before the MTU can be set. If an IPv6 address has not been assigned to the switch, “N/A” is displayed in the MTU field. ◆ ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600, Default: 1) ■ Configuring a value of 0 disables duplicate address detection.
switch may also attempt to acquire other non-address configuration information (such as a default gateway) when DHCPv6 is restarted. Prior to submitting a client request to a DHCPv6 server, the switch should be configured with a link-local address using the Address Autoconfig option.
on the selected interface. Set the MTU size, the maximum number of duplicate address detection messages, the neighbor solicitation message interval, and the remote node reachable time. 4. Click Apply. Figure 288: Configuring General Settings for an IPv6 Interface To configure RA Guard for the switch: 1. Click IP, IPv6 Configuration. 2. Select Configure Interface from the Action list. 3. Select RA Guard mode. 4.
Configuring an IPv6 Address: Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. Command Usage ◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Parameters These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4094) ◆ Address Type – Defines the address type configured for this interface.
■ Link Local – Configures an IPv6 link-local address. ■ The address prefix must be in the range of FE80~FEBF. ■ You can configure only one link-local address per interface. ■ The specified address replaces a link-local address that was automatically generated for the interface. ◆ IPv6 Address – IPv6 address assigned to this interface. Web Interface To configure an IPv6 address: 1. Click IP, IPv6 Configuration. 2.
In addition to the unicast addresses assigned to an interface, a host is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
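To make the address rules on these pages concrete (the RFC 2373 text form of 8 colon-separated 16-bit groups, the FE80~FEBF link-local prefix range, and the FF01::1 and FF02::1 all-nodes groups), the following is an added example, not code from this guide or the switch firmware, that validates and classifies an address by hand rather than through Python's ipaddress module, so that each rule is visible in the code. Embedded IPv4 forms and zone suffixes are out of scope by assumption, and the sample addresses are constructed.

```python
"""IPv6 address validation for the address types this page configures.

Added example, not code from the ECS4210 guide or firmware. It checks the
RFC 2373 text form (8 colon-separated 16-bit hex groups, at most one '::'),
the link-local first-group range FE80..FEBF, and recognises the all-nodes
multicast groups FF01::1 / FF02::1. Embedded IPv4 forms (::ffff:a.b.c.d) and
zone suffixes (%vlan1) are deliberately not handled.
"""
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr: str) -> list[int]:
    """Return the 8 16-bit groups of addr; raise ValueError on malformed input."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is permitted")
    if ":::" in addr:
        raise ValueError("three or more consecutive colons")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        if len(head_groups) + len(tail_groups) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        zeros = ["0"] * (8 - len(head_groups) - len(tail_groups))
        groups = head_groups + zeros + tail_groups
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            raise ValueError("expected 8 colon-separated groups")
    if not all(_GROUP.match(g) for g in groups):
        raise ValueError("each group must be 1-4 hex digits")
    return [int(g, 16) for g in groups]


def is_valid_ipv6(addr: str) -> bool:
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def full_form(addr: str) -> str:
    """Canonical 8-group, zero-padded, lower-case text form."""
    return ":".join(f"{g:04x}" for g in expand_ipv6(addr))


def is_link_local(addr: str) -> bool:
    """True when the first group lies in FE80..FEBF (fe80::/10), the range this page requires."""
    return 0xFE80 <= expand_ipv6(addr)[0] <= 0xFEBF


def classify(addr: str) -> str:
    """Name the address kind; anything not special is treated as a global unicast address."""
    g = expand_ipv6(addr)
    if g == [0] * 8:
        return "unspecified"
    if g == [0] * 7 + [1]:
        return "loopback"
    if is_link_local(addr):
        return "link-local"
    if g[0] >> 8 == 0xFF:                       # FF00::/8 is multicast
        scope = g[0] & 0xF                      # low nibble of the first group
        scope_name = {1: "interface-local", 2: "link-local"}.get(scope, f"scope {scope}")
        if g[1:7] == [0] * 6 and g[7] == 1:     # ...::1 is the all-nodes group
            return f"multicast all-nodes ({scope_name})"
        return f"multicast ({scope_name})"
    return "global"


if __name__ == "__main__":
    for a in ["FE80::1", "fec0::1", "FF02::1", "2001:db8::1", "fe80:::1"]:
        print(a, "->", classify(a) if is_valid_ipv6(a) else "malformed")
```

The case worth noticing is fec0::1: it is a syntactically valid address, but its first group lies just past FEBF, so the link-local check rejects it even though it starts with "fe".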
Showing the IPv6 Neighbor Cache: Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices. Parameters These parameters are displayed:
Table 32: Show IPv6 Neighbors - display description
Field | Description
IPv6 Address | IPv6 address of neighbor
Age | The time since the address was verified as reachable (in seconds).
Web Interface To show neighboring IPv6 devices: 1. Click IP, IPv6 Configuration. 2. Select Show IPv6 Neighbors from the Action list. Figure 292: Showing IPv6 Neighbors
Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters These parameters are displayed:
Table 33: Show IPv6 Statistics - display description
Field | Description
IPv6 Statistics
IPv6 Received
Total | The total number of input datagrams received by the interface, including those received in error.
Table 33: Show IPv6 Statistics - display description (Continued)
IPv6 Transmitted
Forwards Datagrams | The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 33: Show IPv6 Statistics - display description (Continued)
Neighbor Advertisement Messages | The number of ICMP Neighbor Advertisement messages received by the interface.
Redirect Messages | The number of Redirect messages received by the interface.
Group Membership Query Messages | The number of ICMPv6 Group Membership Query messages received by the interface.
Table 33: Show IPv6 Statistics - display description (Continued)
Other Errors | The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Output | The total number of UDP datagrams sent from this entity.
Web Interface To show the IPv6 statistics: 1. Click IP, IPv6 Configuration. 2. Select Show Statistics from the Action list. 3.
Figure 294: Showing IPv6 Statistics (ICMPv6) Figure 295: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
15 IP Services
This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see “DHCP Snooping” on page 346. This chapter provides information on the following IP services, including: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
Chapter 15 | IP Services Domain Name Service
Parameters These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters) Web Interface To configure general settings for DNS: 1. Click IP Service, DNS. 2.
checking with the specified name servers for a match (see “Configuring a List of Name Servers” on page 456). Parameters These parameters are displayed: ◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) Web Interface To create a list of domain names: 1. Click IP Service, DNS. 2. Select Add Domain Name from the Action list. 3. Enter one domain name at a time. 4. Click Apply.
Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. Command Usage ◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 453).
Figure 301: Showing the List of Name Servers for DNS
Configuring Static DNS Host to Address Entries: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage ◆ Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
To show static entries in the DNS table: 1. Click IP Service, DNS, Static Host Table. 2. Select Show from the Action list. Figure 303: Showing Static Entries in the DNS Table
Displaying the DNS Cache: Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers. Command Usage ◆ Servers or other network devices may support one or more connections via multiple IP addresses.
Chapter 15 | IP Services Multicast Domain Name Service
Web Interface To display entries in the DNS cache: 1. Click IP Service, DNS, Cache. Figure 304: Showing Entries in the DNS Cache
Multicast Domain Name Service
Use the IP Service > Multicast DNS page to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
Chapter 15 | IP Services Dynamic Host Configuration Protocol
Parameters These parameters are displayed: ◆ Multicast DNS Status – Enables multicast DNS host name-to-address mapping on the local network. (Default: Enabled) Web Interface To configure multicast DNS: 1. Click IP Service, Multicast DNS. 2. Mark the check box to enable or disable mDNS as required. 3. Click Apply.
Parameters These parameters are displayed: ◆ VLAN – ID of configured VLAN. ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature. ■ Default – The default string. ■ Text – A text string. (Range: 1-32 characters) ■ Hex – A hexadecimal value. (Range: 1-64 characters) Web Interface To configure a DHCP client identifier: 1. Click IP Service, DHCP, Client. 2.
◆ The DHCP Relay Information Option Fields are the Option 82 circuit identification fields (CID – including VLAN ID, stack unit, and port). These fields identify the requesting device by indicating the interface through which the relay agent received the request.
management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server.
■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch).
■ A DHCP relay server has been set on the switch, when the switch receives a DHCP reply packet without option 82 information from the management VLAN.
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.
Web Interface
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay Option 82.
2. Enable or disable Option 82.
3. Set the Option 82 policy to specify how to handle Option 82 information already contained in DHCP client request packets.
4. Specify whether or not to include “type” and “length” sub-options.
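The relay behavior described above (the Option 82 circuit identification fields, the relay agent address added to the request, and the policy applied when a client request already carries Option 82) can be shown end to end on a small packet. The following Python is an added example written for this page; it is not switch firmware or code from the guide. It parses a DHCP options field, splits Option 82 (RFC 3046) into its Circuit ID and Remote ID sub-options, and decides what a relay agent forwards. The policy names drop/keep/replace, the byte layout of the Circuit ID (VLAN, unit, port), the inner type value 0 used when the type/length prefix is enabled, the relay MAC address and the sample request are all assumptions made for the example.

```python
"""Option 82 relay handling as an added example; not code from the ECS4210 guide.

The sample request, the relay address, the Circuit ID layout and the
policy names (drop / keep / replace) are this example's own assumptions.
"""
import struct
from typing import Dict, List, Optional, Tuple

OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_VENDOR_CLASS = 60
OPT_RELAY_AGENT = 82          # Relay Agent Information, RFC 3046
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1         # RFC 3046 sub-option codes
SUBOPT_REMOTE_ID = 2

Options = List[Tuple[int, bytes]]


def parse_tlvs(data: bytes, stop_at_end: bool) -> Options:
    """Parse a code/length/value sequence. A length that runs past the end of
    the buffer raises instead of silently yielding a short value."""
    out: Options = []
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if stop_at_end and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes past end of buffer" % (code, length))
        out.append((code, value))
        i += 2 + length
    return out


def parse_options(data: bytes) -> Options:
    """DHCP options field (the bytes after the magic cookie)."""
    return parse_tlvs(data, stop_at_end=True)


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Sub-options inside Option 82: 1 = Circuit ID, 2 = Remote ID."""
    return dict(parse_tlvs(value, stop_at_end=False))


def encode_tlvs(items: Options, terminate: bool) -> bytes:
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("value too long for a one-byte length")
        out += bytes([code, len(value)]) + value
    if terminate:
        out.append(OPT_END)
    return bytes(out)


def build_circuit_id(vlan: int, unit: int, port: int, with_type_length: bool) -> bytes:
    """Circuit ID naming the ingress interface: VLAN, stack unit, port.
    The byte layout and the inner type value 0 are assumptions of this example."""
    fields = struct.pack("!HBB", vlan, unit, port)
    if with_type_length:
        return bytes([0, len(fields)]) + fields
    return fields


def relay_request(opts: Options, vlan: int, unit: int, port: int, relay_mac: bytes,
                  policy: str, with_type_length: bool = True) -> Optional[Options]:
    """Return the options the relay agent forwards, or None to drop the packet.
    The policy only matters when the client request already carries Option 82:
    drop it, keep it (forward unchanged) or replace it with our own."""
    if policy not in ("drop", "keep", "replace"):
        raise ValueError("unknown policy %r" % policy)
    has_82 = any(code == OPT_RELAY_AGENT for code, _ in opts)
    if has_82 and policy == "drop":
        return None
    if has_82 and policy == "keep":
        return list(opts)
    agent_info = encode_tlvs([
        (SUBOPT_CIRCUIT_ID, build_circuit_id(vlan, unit, port, with_type_length)),
        (SUBOPT_REMOTE_ID, relay_mac),
    ], terminate=False)
    return [o for o in opts if o[0] != OPT_RELAY_AGENT] + [(OPT_RELAY_AGENT, agent_info)]


# Constructed sample: a DHCPDISCOVER (message type 1) with a vendor class and
# an Option 82 that the client itself inserted, as seen on a client-facing port.
RELAY_MAC = bytes.fromhex("001122334455")   # constructed relay agent address
CLIENT_REQUEST = encode_tlvs([
    (OPT_MESSAGE_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS, b"example-client"),
    (OPT_RELAY_AGENT, encode_tlvs([(SUBOPT_CIRCUIT_ID, b"bogus")], terminate=False)),
], terminate=True)


def describe(opts: Optional[Options]) -> str:
    """One-line summary of the relay decision, for the demo below."""
    if opts is None:
        return "dropped"
    for code, value in opts:
        if code == OPT_RELAY_AGENT:
            subs = parse_option82(value)
            return "forward, circuit-id=%s remote-id=%s" % (
                subs.get(SUBOPT_CIRCUIT_ID, b"").hex(), subs.get(SUBOPT_REMOTE_ID, b"").hex())
    return "forward without option 82"


if __name__ == "__main__":
    parsed = parse_options(CLIENT_REQUEST)
    for name in ("drop", "keep", "replace"):
        print(name, "->", describe(relay_request(parsed, 10, 1, 5, RELAY_MAC, name)))
```

Running the block prints one line per policy for the constructed request. The interesting case is a client-facing port: with "keep", the client-supplied Circuit ID travels to the server as if the relay had produced it, so the server's view of which interface the request came from is whatever the client wrote; "drop" or "replace" leaves the server with only the relay's own values. The parser also refuses an option whose declared length exceeds the buffer rather than returning a short value, which is the usual source of mis-parsed relay information.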
16 Multicast Filtering
This chapter describes how to configure the following multicast services:
◆ IGMP – Configuring snooping and query parameters.
◆ Filtering and Throttling – Filtering specified multicast services, or throttling the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configuring snooping and query parameters for IPv6.
Chapter 16 | Multicast Filtering Layer 2 IGMP (Snooping and Query) This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
Note: IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways.
Configuring IGMP Snooping and Query Parameters
Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
When proxy reporting is enabled, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
multicast router receives this solicitation, it immediately issues an IGMP general query. A query solicitation can be sent whenever the switch notices a topology change, even if it is not the root bridge in spanning tree.
◆ Router Alert Option – Discards any IGMPv2/v3 packets that do not include the Router Alert option. (Default: Disabled) As described in Section 9.
This attribute configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ Querier Status – When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
Command Usage
IGMP Snooping must be enabled globally on the switch (see “Configuring IGMP Snooping and Query Parameters” on page 470) before a multicast router port can take effect.
Parameters
These parameters are displayed:
Add Static Multicast Router
◆ VLAN – Selects the VLAN which is to propagate all multicast traffic coming from the attached multicast router. (Range: 1-4094)
◆ Interface – Activates the Port or Trunk scroll-down list.
Figure 311: Configuring a Static Interface for a Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
Figure 312: Showing Static Interfaces Attached to a Multicast Router
To show all the interfaces attached to a multicast router:
1.
Figure 313: Showing Current Interfaces Attached to a Multicast Router
Assigning Interfaces to Multicast Services
Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see “Configuring IGMP Snooping and Query Parameters” on page 470).
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an IGMP-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.
Figure 314: Assigning an Interface to a Multicast Service
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
Setting IGMP Snooping Status per Interface
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters” on page 470.
Command Usage
Multicast Router Discovery
There have been many mechanisms used in the past to identify multicast routers.
◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when:
■ Multicast forwarding is disabled on an interface.
■ An interface is administratively disabled.
■ The router is gracefully shut down.
Advertisement and Termination messages are sent to the All-Snoopers multicast address.
If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period. Note that this timeout is set to Last Member Query Interval * Robustness Variable (fixed at 2) as defined in RFC 2236.
message received from a downstream host in report and leave messages sent upstream from the multicast router port.
◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
Figure 317: Showing Interface Settings for IGMP Snooping
Filtering Multicast Data at Interfaces
Use the Multicast > IGMP Snooping > Interface (Configure Port/Trunk) page to configure an interface to drop IGMP query packets.
The attribute value pairs configured on the RADIUS server are shown below.
Table 35: RADIUS Server AVPs
Attribute Name | AVP Type | Entry
USER_NAME | 1 | User MAC address
USER_PASSWORD | 2 | User MAC address
NAS_IP_ADDRESS | 4 | Switch IP
NAS_PORT | 5 | User port
FRAMED_IP_ADDRESS | 8 | Multicast group IP
Web Interface
To drop IGMP query packets or multicast data packets:
1. Click Multicast, IGMP Snooping, Interface.
2.
◆ Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
◆ Interface – A downstream port or trunk that is receiving traffic for the specified multicast group. This field may include both dynamically and statically configured multicast router ports.
◆ Up Time – Time that this multicast group has been known.
◆ Trunk – Trunk identifier. (Range: 1-8/12)
Query Statistics
◆ Querier IP Address – The IP address of the querier on this interface.
◆ Querier Expire Time – The time after which this querier is assumed to have expired.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
Web Interface
To display statistics for IGMP snooping query-related messages:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Query Statistics from the Action list.
3. Select a VLAN.
Figure 320: Displaying IGMP Snooping Statistics – Query
To display IGMP snooping protocol-related statistics for a VLAN:
1.
Figure 321: Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Chapter 16 | Multicast Filtering Filtering and Throttling IGMP Groups
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Figure 323: Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.
Figure 324: Creating an IGMP Filtering Profile
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 326: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
◆ Profile ID – Selects an existing profile to assign to an interface.
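The Router Alert Option described among the snooping parameters earlier in this chapter, the filter profile (group ranges plus an access mode) and the per-interface throttle described in this section all act on the same event: a membership report arriving on a port. The following Python is an added example written for this page, not switch firmware or code from the guide. It makes that admission decision for one report: it checks the IPv4 header for the Router Alert option, matches the reported group against a profile's ranges under a permit or deny access mode, and refuses new joins once the port has reached its group limit. The packet builder, the permit/deny mode names, the reason strings and the convention that a limit of 0 means no throttling are assumptions of the example.

```python
"""IGMP report admission checks as an added example; not code from the ECS4210 guide.

Packets are constructed inline; the permit/deny mode names, reason strings
and "max_groups == 0 means no limit" are this example's own assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IPV4_ROUTER_ALERT = 0x94      # RFC 2113 option type: copied=1, class=0, number=20
IGMP_V1_REPORT = 0x12
IGMP_V2_REPORT = 0x16


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def has_router_alert(ip_packet: bytes) -> bool:
    """True if the IPv4 header carries the Router Alert option (type 0x94, length 4).
    Malformed option lengths raise rather than being skipped over."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip_packet):
        raise ValueError("bad header length")
    options = ip_packet[20:ihl]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == IPV4_ROUTER_ALERT and length == 4:
            return True
        i += length
    return False


@dataclass
class FilterProfile:
    """An IGMP filter profile: multicast group ranges plus an access mode."""
    profile_id: int
    access_mode: str                     # "permit" or "deny" (assumed names)
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]

    def allows(self, group) -> bool:
        group = ipaddress.IPv4Address(group)
        in_range = any(lo <= group <= hi for lo, hi in self.ranges)
        return in_range if self.access_mode == "permit" else not in_range


def make_profile(profile_id: int, access_mode: str, ranges: List[Tuple[str, str]]) -> FilterProfile:
    """Build a profile from dotted-quad range endpoints."""
    return FilterProfile(profile_id, access_mode,
                         [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in ranges])


@dataclass
class PortState:
    """Per-port profile assignment, throttle limit and currently joined groups."""
    profile: Optional[FilterProfile]
    max_groups: int                      # 0 = no throttling (assumption)
    joined: Set[ipaddress.IPv4Address] = field(default_factory=set)


def admit_report(ip_packet: bytes, port: PortState, require_router_alert: bool = True) -> Tuple[bool, str]:
    """Decide whether a membership report arriving on port may join its group."""
    if require_router_alert and not has_router_alert(ip_packet):
        return False, "router-alert-missing"
    ihl = (ip_packet[0] & 0x0F) * 4
    igmp = ip_packet[ihl:]
    if len(igmp) < 8 or igmp[0] not in (IGMP_V1_REPORT, IGMP_V2_REPORT):
        return False, "not-a-membership-report"
    group = ipaddress.IPv4Address(igmp[4:8])
    if not group.is_multicast:
        return False, "not-a-multicast-group"
    if port.profile is not None and not port.profile.allows(group):
        return False, "filtered-by-profile"      # checked before the throttle: no slot consumed
    if group in port.joined:
        return True, "refreshed"
    if port.max_groups and len(port.joined) >= port.max_groups:
        return False, "throttled"
    port.joined.add(group)
    return True, "joined"


def build_igmpv2_report(src: str, group: str, router_alert: bool = True) -> bytes:
    """Constructed IPv4 + IGMPv2 membership report for exercising the checks above."""
    options = b"\x94\x04\x00\x00" if router_alert else b""
    igmp = struct.pack("!BBH4s", IGMP_V2_REPORT, 0, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(igmp), 0, 0, 1, 2, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(group).packed)
    hdr += options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp
```

The order of the checks is the point worth noticing: a report that fails the Router Alert check is discarded before its group is even read, a group denied by the profile never counts toward the throttle, and a report for a group the port already has is treated as a refresh rather than a new join, so it is never throttled. A permit profile with no ranges allows nothing on that interface; a deny profile with no ranges allows everything.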
Chapter 16 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6)
MLD Snooping (Snooping and Query for IPv6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs.
An MLD general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an MLD report for the multicast groups they have joined.
◆ Query Max Response Time – The maximum response time advertised in MLD general queries.
Setting Immediate Leave Status for MLD Snooping per Interface
Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.
Parameters
These parameters are displayed:
◆ VLAN – A VLAN identification number.
Command Usage
MLD Snooping must be enabled globally on the switch (see “Configuring MLD Snooping and Query Parameters” on page 494) before a multicast router port can take effect.
Parameters
These parameters are displayed:
◆ VLAN – Selects the VLAN which is to propagate all IPv6 multicast traffic coming from the attached multicast router. (Range: 1-4094)
◆ Interface – Activates the Port or Trunk scroll-down list.
Figure 332: Showing Static Interfaces Attached to an IPv6 Multicast Router
To show all the interfaces attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Current Multicast Router from the Action list.
3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
Parameters
These parameters are displayed:
◆ VLAN – Specifies the VLAN which is to propagate the multicast service. (Range: 1-4094)
◆ Multicast IPv6 Address – The IP address for a specific multicast service.
◆ Interface – Activates the Port or Trunk scroll-down list.
◆ Port or Trunk – Specifies the interface assigned to a multicast group.
To show the static interfaces assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 335: Showing Static Interfaces Assigned to an IPv6 Multicast Service
To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch.
Showing MLD Snooping Groups and Source List
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Interface – Port or trunk identifier.
◆ Group Address – The IP address for a specific multicast service.
Chapter 16 | Multicast Filtering Multicast VLAN Registration
Figure 337: Showing IPv6 Multicast Services and Corresponding Sources
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Figure 338: MVR Concept (figure labels: Multicast Router, Satellite Services, Multicast Server, Layer 2 Switch, Source Port, Service Network, Receiver Ports, Set-top Box, PC, TV)
Command Usage
◆ General Configuration Guidelines for MVR:
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring MVR Domain Settings” on page 506).
2.
Configuring MVR Global Settings
Use the Multicast > MVR (Configure Global) page to configure proxy switching and the robustness variable.
Parameters
These parameters are displayed:
◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter sets the general query interval at which active receiver ports send out general queries.
■ This interval is only effective when proxy switching is enabled.
Configuring MVR Domain Settings
Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Figure 340: Configuring Domain Settings for MVR
Configuring MVR Group Address Profiles
Use the Multicast > MVR (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR domains.
Command Usage
◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR VLAN.
◆ Profile Name – The name of a profile to be assigned to this domain. (Range: 1-21 characters)
Web Interface
To configure an MVR group address profile:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts.
5. Click Apply.
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.
Figure 343: Assigning an MVR Group Address Profile to a Domain
To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2.
Configuring MVR Interface Status
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
■ Source – An uplink port that can send and receive multicast data for the groups assigned to the MVR VLAN. Note that the source port must be manually configured as a member of the MVR VLAN (see “Adding Static Members to VLANs” on page 140).
■ Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN.
Figure 345: Configuring Interface Settings for MVR
Assigning Static MVR Multicast Groups to Interfaces
Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
Command Usage
◆ Multicast groups can be statically assigned to a receiver port using this configuration page.
◆ The IP address range from 224.0.0.
Web Interface
To assign a static MVR group to a port:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Add from the Action list.
4. Select an MVR domain.
5. Select a VLAN and port member to receive the multicast stream, and then enter the multicast group address.
6. Click Apply.
Figure 346: Assigning Static MVR Groups to a Port
To show the static MVR groups assigned to a port:
1.
Figure 347: Showing the Static MVR Groups Assigned to a Port
Displaying MVR Receiver Groups
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Group IP Address – Multicast groups assigned to the MVR VLAN.
Figure 348: Displaying MVR Receiver Groups
Displaying MVR Statistics
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Port – Port identifier. (Range: 1-12/28)
◆ Trunk – Trunk identifier.
VLAN, Port, and Trunk Statistics
Input Statistics
◆ Report – The number of IGMP membership reports received on this interface.
◆ Leave – The number of leave messages received on this interface.
◆ G Query – The number of general query messages received on this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages received on this interface.
Web Interface
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR domain.
5. Select a Port.
Section III Appendices
This section provides additional information and includes these items:
◆ “Software Specifications” on page 523
◆ “Troubleshooting” on page 527
◆ “License Information” on page 529
A Software Specifications
Software Features
Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
Client Access Control: Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard
Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP)
Flow Control: Full Duplex: IEEE 802.
Management Features
VLAN Support: Up to 256 groups; port-based, protocol-based, tagged (802.
Standards
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities; Spanning Tree Protocol; Rapid Spanning Tree Protocol; Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1X Port Authentication
IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet; Link Aggregation Control Protocol (LACP); Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.
Management Information Bases
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP Multicasting related MIBs
IPV6-MIB (RFC 2065)
IPV6-ICMP-MIB (RFC 2066)
IPV6-TCP-MIB (RFC 2052)
IPV6-UDP-MIB (RFC 2054)
Link Aggregation MIB (IEEE 802.3ad)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
P-Bridge MIB (RFC 2674P)
Port Access Entity MIB (IEEE 802.
B Troubleshooting
Problems Accessing the Management Interface
Table 36: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.
Symptom: Cannot connect using Secure Shell
Symptom: Cannot access the onboard configuration program via a serial port connection
Symptom: Forgot or lost the password
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DNS Domain Name Service. A system used for translating host names for network nodes into IP addresses.
DSCP Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.
EAPOL Extensible Authentication Protocol over LAN.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
In-Band Management Management of the network from a station attached directly to the network.
IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
RADIUS Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.
RMON Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
RSTP Rapid Spanning Tree Protocol.
TFTP Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.
UDP User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
Index
Numerics
802.1Q tunnel 148
  access 153
  configuration, guidelines 151
  configuration, limitations 151
  description 148
  ethernet type 152
  interface configuration 153
  mode selection 153
  status, configuring 152
  TPID 152
  uplink 153
802.1X
  authenticator, configuring 326
  global settings 325
  port authentication 323
  port authentication accounting 257, 258
  supplicant, configuring 330
A
AAA
  accounting 802.
  guard 192
  ignoring superior BPDUs 191
  selecting protocol based on message format 193
  shut down port on receipt 192
bridge extension capabilities, displaying 69
broadcast storm, threshold 204, 205
C
cable diagnostics 110
canonical format indicator 224
class map
  DiffServ 228
Class of Service See CoS
clustering switches, management access 421
committed burst size, QoS policy 236, 237
committed information rate, QoS policy 236, 237
community string 398
configuration files, restoring defaults 71
configur
DSA encryption 286, 288
DSCP 220
  enabling 220
  mapping to internal values 221
DSCP ingress map, drop precedence 222
DSCP to PHB/drop precedence 222
dynamic addresses
  clearing 172
  displaying 171
dynamic QoS assignment 271, 274
dynamic VLAN assignment 270, 274
E
edge port, STA 192, 195
encryption
  DSA 286, 288
  RSA 286, 288
engine ID 388, 389
event logging 355
excess burst size, QoS policy 236
exec command privileges, accounting 258
exec settings
  accounting 257
  authorization 262
F
firmware
  displaying ver
  version exclusive 472
  version for interface, setting 481
  version, setting 472
  with proxy reporting 469
immediate leave, IGMP snooping 479
immediate leave, MLD snooping 496
importing user public keys 288
ingress filtering 141
IP address
  Auto IP 431
  BOOTP/DHCP 431
  setting 427
IP filter, for management access 319
IP source guard
  configuring static entries 343
  setting filter criteria 341
  setting maximum bindings 342
IPv4 address
  BOOTP/DHCP 431
  setting 431
IPv6
  displaying neighbors 444
  duplicate address d
  RADIUS client 253
  RADIUS server 253
  sequence 251
  settings 252
  TACACS+ client 252
  TACACS+ server 252
logon authentication, settings 254
loopback detection, STA 182
M
MAC address authentication 270
  ports, configuring 273
  reauthentication 272
MAC address, mirroring 173
main menu, web interface 47
management access, filtering per address 319
management access, IP filter 319
Management Information Bases (MIBs) 525
matching class settings, classifying QoS traffic 229
memory
  status 91
  utilization, showing
P
passwords
  administrator setting 265
path cost 195
  method 185
  STA 191, 195
peak burst size, QoS policy 237
peak information rate, QoS policy 237
per-hop behavior, DSCP ingress map 222
policing traffic, QoS policy 232, 236
policy map
  description 235
  DiffServ 232
port authentication 323
port power
  displaying status 384
  inline 383
  inline status 384
  maximum allocation 383
  priority 384
  showing main power 384
port priority
  configuring 213
  default ingress 213
  STA 190
port security, configuring 321
ports au
RSA encryption 286, 288
RSTP 179
  global settings, configuring 183
  global settings, displaying 189
  interface settings, configuring 190
  interface settings, displaying 194
S
secure shell 282
  configuration 282
security, general measures 249
serial port, configuring 86
Simple Network Management Protocol See SNMP
single rate three color meter See srTCM
SNMP 385
  community string 398
  enabling traps 403
  filtering IP addresses 319
  global settings, configuring 387
  trap manager 403
  users, configuring 399, 401
SN
time zone, setting 85
time, setting 79
TPID 152
traffic segmentation 128
  assigning ports 128
  enabling 128
  sessions, assigning ports 130
  sessions, creating 129
trap manager 403
troubleshooting 527
trTCM
  police meter 237
  QoS policy 233
trunk configuration 115
  LACP 118
  static 116
tunneling unknown VLANs, VLAN trunking 131
two rate three color meter See trTCM
Type Length Value See LLDP TLV
U
unknown unicast storm, threshold 204, 205
unregistered data flooding, IGMP snooping 472
upgrading software 71
use
ECS4210-12P ECS4210-12T ECS4210-28P ECS4210-28T 149100000219A 149100000241A 149100000217H 149100000217H E032014/ST-R03