ECS4620 Series 28/52-Port Layer 3 Stackable GE Switch
Web Management Guide
Software Release v1.2.2.26
www.edge-core.

Web Management Guide

ECS4620-28T Stackable GE Switch
Layer 3 Stackable Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports

ECS4620-52T Stackable GE Switch
Layer 3 Stackable Gigabit Ethernet Switch with 48 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports

ECS4620-28P Stackable GE PoE Switch
ECS4620-52P Stackable GE PoE Switch
Layer 3 Stackable Gigabit Ethernet
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read this Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
For information on how to install the switch, see the following guide:
Installation Guide

For all safety information and regulatory statements, see the following documents:
Quick Start Guide
Safety and Regulatory Information

Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
◆ Updated information in Parameter list for "Enabling QinQ Tunneling on the Switch" on page 185.
◆ Updated Command Usage section under "Configuring IP Subnet VLANs" on page 193.
◆ Updated Command Usage section under "Configuring MAC-based VLANs" on page 196.
◆ Added "Issuing MAC Address Traps" on page 211.
◆ Updated information in Parameter list for "Configuring Interface Settings for STA" on page 223.
◆ Updated parameter list under "DoS Protection" on page 372.
◆ Updated parameter information under "Configuring Ports for IPv4 Source Guard" on page 375.
◆ Updated command usage and parameter information under "Configuring Static Bindings for IPv4 Source Guard" on page 377.
◆ Updated parameter information under "Configuring VLAN Settings for ARP Inspection" on page 351.
◆ Added "UDLD Configuration" on page 539.
◆ Updated parameter section under "Configuring Global Settings for ARP Inspection" on page 349.
◆ Updated command usage section under "Configuring Port Security" on page 358.
◆ Updated command usage section under "Setting the Port PoE Power Budget" on page 424.
◆ Updated private traps in Table 30, "Supported Notification Messages," on page 435.
◆ Updated command usage section under "Switch Clustering" on page 464.
Contents

How to Use This Guide
Contents
Figures
Tables
Section I Getting Started
1 Introduction
  Key Features
  Description of Software Features
  IP Routing
  Equal-cost Multipath Load Balancing
  Router Redundancy
  Address Resolution Protocol
  Operation, Administration, and Maintenance
  System Defaults
Section II Web Configuration
2 Using the Web Interface
  Connecting to the Web Interface
  Navigating the Web Browser Interface
  Hom
  Displaying System Information
  Displaying Hardware/Software Versions
  Configuring Support for Jumbo Frames
  Displaying Bridge Extension Capabilities
  Managing System Files
  Copying Files via FTP/TFTP or HTTP
  Saving the Running Configuration to a Local File
  Setting the Start-up File
  Showing System Files
  Automatic Operation Code Upgrade
  Setting the System Clock
  Setting the Time Manually
  Setting the SNTP Polling Interval
  Configuring NTP
  Displaying Transceiver Data
  Configuring Transceiver Thresholds
  Performing Cable Diagnostics
  Trunk Configuration
  Configuring a Static Trunk
  Configuring a Dynamic Trunk
  Displaying LACP Port Counters
  Displaying LACP Settings and Status for the Local Side
  Displaying LACP Settings and Status for the Remote Side
  Configuring Load Balancing
  Saving Power
  Traffic Segmentation
  Enabling Traffic Segmentation
  Configuring Uplink and Do
  Displaying the Dynamic Address Table
  Clearing the Dynamic Address Table
  Changing the Aging Time
  Configuring MAC Address Mirroring
  Issuing MAC Address Traps
7 Spanning Tree Algorithm
  Overview
  Configuring Loopback Detection
  Configuring Global Settings for STA
  Displaying Global Settings for STA
  Configuring Interface Settings for STA
  Displaying Interface Settings for STA
  Configuring Multiple Spanning Trees
  Configuring Interf
  Attaching a Policy Map to a Port
11 VoIP Traffic Configuration
  Overview
  Configuring VoIP Traffic
  Configuring Telephony OUI
  Configuring VoIP Traffic Ports
12 Security Measures
  AAA (Authentication, Authorization and Accounting)
  Configuring Local/Remote Logon Authentication
  Configuring Remote Logon Authentication Servers
  Configuring AAA Accounting
  Configuring AAA Authorization
  Configuring User Accounts
  Web Authentication
  Configuring an Extended IPv4 ACL
  Configuring a Standard IPv6 ACL
  Configuring an Extended IPv6 ACL
  Configuring a MAC ACL
  Configuring an ARP ACL
  Binding a Port to an Access Control List
  Configuring ACL Mirroring
  Showing ACL Hardware Counters
  ARP Inspection
  Configuring Global Settings for ARP Inspection
  Configuring VLAN Settings for ARP Inspection
  Configuring Interface Settings for ARP Inspection
  Displaying ARP Inspection Statist
13 Basic Administration Protocols
  Configuring Event Logging
  System Log Configuration
  Remote Log Configuration
  Sending Simple Mail Transfer Protocol Alerts
  Link Layer Discovery Protocol
  Setting LLDP Timing Attributes
  Configuring LLDP Interface Attributes
  Configuring LLDP Interface Civic-Address
  Displaying LLDP Local Device Information
  Displaying LLDP Remote Device Information
  Displaying Device Statistics
  Power over Ethernet
  Managing Cluster Members
  Ethernet Ring Protection Switching
  ERPS Global Configuration
  ERPS Ring Configuration
  ERPS Forced and Manual Mode Operations
  Connectivity Fault Management
  Configuring Global Settings for CFM
  Configuring Interfaces for CFM
  Configuring CFM Maintenance Domains
  Configuring CFM Maintenance Associations
  Configuring Maintenance End Points
  Configuring Remote Maintenance End Points
  Transmitting Link Trace Messag
14 Multicast Filtering
  Overview
  Layer 2 IGMP (Snooping and Query for IPv4)
  Configuring IGMP Snooping and Query Parameters
  Specifying Static Interfaces for a Multicast Router
  Assigning Interfaces to Multicast Services
  Setting IGMP Snooping Status per Interface
  Filtering IGMP Query Packets and Multicast Data
  Displaying Multicast Groups Discovered by IGMP Snooping
  Displaying IGMP Snooping Statistics
  Filtering and Throttling IGMP Groups
  Configuring MVR6 Global Settings
  Configuring MVR6 Domain Settings
  Configuring MVR6 Group Address Profiles
  Configuring MVR6 Interface Status
  Assigning Static MVR6 Multicast Groups to Interfaces
  Displaying MVR6 Receiver Groups
  Displaying MVR6 Statistics
15 IP Configuration
  Setting the Switch’s IP Address (IP Version 4)
  Sending DHCP Inform Requests for Additional Information
  Setting the Switch’s IP Address (IP Version 6)
  Configuring th
  Configuring PPPoE IA Global Settings
  Configuring PPPoE IA Interface Settings
  Showing PPPoE IA Statistics
17 General IP Routing
  Overview
  Initial Configuration
  IP Routing and Switching
  Routing Path Management
  Routing Protocols
  Configuring IP Routing Interfaces
  Configuring Local and Remote Interfaces
  Using the Ping Function
  Using the Trace Route Function
  Address Resolution Protocol
  Basic ARP Configuration
  Config
  Configuring Route Redistribution
  Specifying an Administrative Distance
  Configuring Network Interfaces for RIP
  Displaying RIP Interface Settings
  Displaying Peer Router Information
  Resetting RIP Statistics
  Configuring the Open Shortest Path First Protocol (Version 2)
  Defining Network Areas Based on Addresses
  Configuring General Protocol Settings
  Displaying Administrative Settings and Statistics
  Adding an NSSA or Stub
  Configuring NSSA
  Displaying the PIM BSR Router
  Displaying PIM RP Mapping
  Configuring PIMv6 for IPv6
  Enabling PIMv6 Globally
  Configuring PIMv6 Interface Settings
  Displaying PIM6 Neighbor Information
  Configuring Global PIM6-SM Settings
  Configuring a PIM6 BSR Candidate
  Configuring a PIM6 Static Rendezvous Point
  Configuring a PIM6 RP Candidate
  Displaying the PIM6 BSR Router
  Displaying RP Mapping
Section III Appendices
A Software Specificati
Figures

Figure 1: Home Page
Figure 2: Front Panel Indicators
Figure 3: System Information
Figure 4: General Switch Information
Figure 5: Configuring Support for Jumbo Frames
Figure 6: Displaying Bridge Extension Configuration
Figure 7: Copy Firmware
Figure 8: Saving the Running Configuration
Figure 9: Setting Start-Up Files
Figure 10: Displaying System Files
Figure 11: Configuring Automatic Code Upgrade
Figure 12: Manually Setting the System Clock
Figure 30: Restarting the Switch (In)
Figure 31: Restarting the Switch (At)
Figure 32: Restarting the Switch (Regularly)
Figure 33: Configuring Connections by Port List
Figure 34: Configuring Connections by Port Range
Figure 35: Displaying Port Information
Figure 36: Configuring Local Port Mirroring
Figure 37: Configuring Local Port Mirroring
Figure 38: Displaying Local Port Mirror Sessions
Figure 39: Configuring Remote Port Mirroring
Figu
Figure 65: Enabling Traffic Segmentation
Figure 66: Configuring Members for Traffic Segmentation
Figure 67: Showing Traffic Segmentation Members
Figure 68: Configuring VLAN Trunking
Figure 69: Configuring VLAN Trunking
Figure 70: VLAN Compliant and VLAN Non-compliant Devices
Figure 71: Using GVRP
Figure 72: Creating Static VLANs
Figure 73: Modifying Settings for Static VLANs
Figure 74: Showing Static VLANs
Figure 75: Configuring Static Mem
Figure 100: Configuring MAC Address Learning
Figure 101: Configuring Static MAC Addresses
Figure 102: Displaying Static MAC Addresses
Figure 103: Displaying the Dynamic MAC Address Table
Figure 104: Clearing Entries in the Dynamic MAC Address Table
Figure 105: Setting the Address Aging Time
Figure 106: Mirroring Packets Based on the Source MAC Address
Figure 107: Showing the Source MAC Addresses to Mirror
Figure 108: Issuing MAC Address Traps (Global
Figure 135: Configuring ATC Interface Attributes
Figure 136: Setting the Default Port Priority
Figure 137: Setting the Queue Mode (Strict)
Figure 138: Setting the Queue Mode (WRR)
Figure 139: Setting the Queue Mode (Strict and WRR)
Figure 140: Mapping CoS Values to Egress Queues
Figure 141: Showing CoS Values to Egress Queue Mapping
Figure 142: Setting the Trust Mode
Figure 143: Configuring DSCP to DSCP Internal Mapping
Figure 144: Showing DSCP
Figure 170: Configuring AAA Accounting Service for Command Service
Figure 171: Configuring AAA Accounting Service for Exec Service
Figure 172: Displaying a Summary of Applied AAA Accounting Methods
Figure 173: Displaying Statistics for AAA Accounting Sessions
Figure 174: Configuring AAA Authorization Methods
Figure 175: Showing AAA Authorization Methods
Figure 176: Configuring AAA Authorization Methods for Exec Service
Figure 177: Displaying the Applied AAA
Figure 205: Configuring an Extended IPv6 ACL
Figure 206: Configuring a MAC ACL
Figure 207: Configuring a ARP ACL
Figure 208: Binding a Port to an ACL
Figure 209: Configuring ACL Mirroring
Figure 210: Showing the VLANs to Mirror
Figure 211: Showing ACL Statistics
Figure 212: Configuring Global Settings for ARP Inspection
Figure 213: Configuring VLAN Settings for ARP Inspection
Figure 214: Configuring Interface Settings for ARP Inspection
Fi
Figure 240: Showing Error Messages Logged to System Memory
Figure 241: Configuring Settings for Remote Logging of Error Messages
Figure 242: Configuring SMTP Alert Messages
Figure 243: Configuring LLDP Timing Attributes
Figure 244: Configuring LLDP Interface Attributes
Figure 245: Configuring the Civic Address for an LLDP Interface
Figure 246: Showing the Civic Address for an LLDP Interface
Figure 247: Displaying Local Device Information for LLDP (General)
Figure 275: Configuring Trap Managers (SNMPv3)
Figure 276: Showing Trap Managers
Figure 277: Creating SNMP Notification Logs
Figure 278: Showing SNMP Notification Logs
Figure 279: Showing SNMP Statistics
Figure 280: Configuring an RMON Alarm
Figure 281: Showing Configured RMON Alarms
Figure 282: Configuring an RMON Event
Figure 283: Showing Configured RMON Events
Figure 284: Configuring an RMON History Sample
Figure 285: Showing Configured
Figure 310: Showing Maintenance Domains
Figure 311: Configuring Detailed Settings for Maintenance Domains
Figure 312: Creating Maintenance Associations
Figure 313: Showing Maintenance Associations
Figure 314: Configuring Detailed Settings for Maintenance Associations
Figure 315: Configuring Maintenance End Points
Figure 316: Showing Maintenance End Points
Figure 317: Configuring Remote Maintenance End Points
Figure 318: Showing Remote Maintenance End
Figure 345: Showing Static Interfaces Assigned to a Multicast Service
Figure 346: Configuring IGMP Snooping on a VLAN
Figure 347: Showing Interface Settings for IGMP Snooping
Figure 348: Dropping IGMP Query or Multicast Data Packets
Figure 349: Showing Multicast Groups Learned by IGMP Snooping
Figure 350: Displaying IGMP Snooping Statistics – Query
Figure 351: Displaying IGMP Snooping Statistics – VLAN
Figure 352: Displaying IGMP Snooping Statistics – Port
Figure 380: Assigning an MVR Group Address Profile to a Domain
Figure 381: Showing the MVR Group Address Profiles Assigned to a Domain
Figure 382: Configuring Interface Settings for MVR
Figure 383: Assigning Static MVR Groups to an Interface
Figure 384: Showing the Static MVR Groups Assigned to a Port
Figure 385: Displaying MVR Receiver Groups
Figure 386: Displaying MVR Statistics – Query
Figure 387: Displaying MVR Statistics – VLAN
Figure 388: Displa
Figure 415: Showing Reported MTU Values
Figure 416: Configuring General Settings for DNS
Figure 417: Configuring a List of Domain Names for DNS
Figure 418: Showing the List of Domain Names for DNS
Figure 419: Configuring a List of Name Servers for DNS
Figure 420: Showing the List of Name Servers for DNS
Figure 421: Configuring Static Entries in the DNS Table
Figure 422: Showing Static Entries in the DNS Table
Figure 423: Showing Entries in the DNS Cac
Figure 450: Displaying ARP Entries
Figure 451: Displaying ARP Statistics
Figure 452: Configuring Static Routes
Figure 453: Displaying Static Routes
Figure 454: Displaying the Routing Table
Figure 455: Setting the Maximum ECMP Number
Figure 456: Master Virtual Router with Backup Routers
Figure 457: Several Virtual Master Routers Using Backup Routers
Figure 458: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing
Figure 459:
Figure 485: OSPF Areas
Figure 486: Defining OSPF Network Areas Based on Addresses
Figure 487: Showing OSPF Network Areas
Figure 488: Showing OSPF Process Identifiers
Figure 489: AS Boundary Router
Figure 490: Configure General Settings for OSPF
Figure 491: Showing General Settings for OSPF
Figure 492: Adding an NSSA or Stub
Figure 493: Showing NSSAs or Stubs
Figure 494: OSPF NSSA
Figure 495: Configuring Protocol Settings for an NSSA
Figure 520: Displaying the IPv4 Multicast Routing Table
Figure 521: Displaying Detailed Entries from IPv4 Multicast Routing Table
Figure 522: Displaying the IPv6 Multicast Routing Table
Figure 523: Displaying Detailed Entries from IPv6 Multicast Routing Table
Figure 524: Enabling PIM Multicast Routing
Figure 525: Configuring PIM Interface Settings (Dense Mode)
Figure 526: Configuring PIM Interface Settings (Sparse Mode)
Figure 527: Showing PIM Neighbors
Tables

Table 1: Key Features
Table 2: System Defaults
Table 3: Web Page Configuration Buttons
Table 4: Switch Main Menu
Table 5: Predefined Summer-Time Parameters
Table 6: Port Statistics
Table 7: LACP Port Counters
Table 8: LACP Internal Configuration Information
Table 9: LACP Remote Device Configuration Information
Table 10: Traffic Segmentation Forwarding
Table 11: Recommended STA Path Cost Range
Table 12: Default STA Path Costs
Table 1
Table 30: Supported Notification Messages
Table 31: ERPS Request/State Priority
Table 32: Remote MEP Priority Levels
Table 33: MEP Defect Descriptions
Table 34: OAM Operation State
Table 35: Remote Loopback Status
Table 36: Show IPv6 Neighbors - display description
Table 37: Show IPv6 Statistics - display description
Table 38: Show MTU - display description
Table 39: Options 60, 66 and 67 Statements
Table 40: Options 55 and 124 Statements
Section I Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction

This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Key Features

Table 1: Key Features (Continued)
Address Table: 16K MAC addresses in the forwarding table, 1K static MAC addresses; 1760 entries in the ARP cache, 256 static ARP entries, 3836 dynamic ARP entries; 512 static IP routes, 512 IP interfaces; 3996 IPv4 entries in the host table; 12900 IPv4 entries in routing table; 1K L2 IPv4 multicast groups (shared with MAC table); 1K L3 IPv4 multicast groups; 2997 IPv6 entries in the host table; 2996 IPv6 entries i
Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network.
server located in a different network. And DHCP Relay Option 82 controls the processing of Option 82 information in DHCP request packets relayed by this device.

Port Configuration
You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device.
source IP/MAC address pairs based on static entries or entries stored in the DHCP Snooping table.

IEEE 802.1D Bridge
The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.
Virtual LANs
The switch supports up to 4094 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
Quality of Service
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Policy-based Routing for BGP – The next-hop behavior for ingress IP traffic can be determined based on matching criteria.

Equal-cost Multipath Load Balancing
When multiple paths to the same destination and with the same path cost are found in the routing table, the Equal-cost Multipath (ECMP) algorithm first checks if the cost is lower than that of any other routing entries.
shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.

Link Layer Discovery Protocol
LLDP is used to discover basic information about neighboring devices within the local broadcast domain. LLDP is a Layer 2 protocol that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers.
System Defaults

Table 2: System Defaults (Continued)
Authentication and Security Measures
  Privileged Exec Level: Username “admin”, Password “admin”
  Normal Exec Level: Username “guest”, Password “guest”
  Enable Privileged Exec from Normal Exec Level: Password “super”
  RADIUS Authentication: Disabled
  TACACS+ Authentication: Disabled
  802.
Congestion Control
  Rate Limiting: Disabled
  Storm Control: Broadcast: Enabled (64 kbits/sec); Multicast: Disabled; Unknown Unicast: Disabled
  Auto Traffic Control: Disabled
Address Table
  Aging Time: 300 seconds
Spanning Tree Algorithm
  Status: Enabled, RSTP (Defaults: RSTP standard)
  Edge Ports: Disabled
LLDP
  Status: Enabled
ERPS
  Status: Disabled
CFM
  Status: Enabled
OAM
  Status: Disabled
Vi
  ARP: Enabled; Cache Timeout: 20 minutes; Proxy: Disabled
  RIP: Disabled
  OSPF: Disabled
  OSPFv3: Disabled
  BGPv4: Disabled
  PIMv4: Disabled
  PIMv6: Disabled
Router Redundancy
  VRRP: Disabled
Multicast Filtering
  IGMP Snooping (Layer 2): Snooping: Enabled; Querier: Disabled
  MLD Snooping (Layer 2 IPv6): Snooping: Enabled; Querier: Disabled
  Multicast VLAN Registration: Disabled
  IGMP Proxy Reporting: Di
Section II Web Configuration

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.

◆ "Configuring Router Redundancy" on page 693
◆ "Unicast Routing" on page 703
◆ "Multicast Routing" on page 757
2 Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser, you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
for STA” on page 223.

Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.

Note: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password.
the ECS4620-28T. The panel graphics for all switch types are shown on the following page.

Note: You can open a connection to the vendor’s web site by clicking on the Edgecore logo.

Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting.
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 4: Switch Main Menu (Continued)
Renumber: Reset stack identification numbers
Reset: Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval
Interface
Port
General
Configure by Port List: Configures connection settings per port
Configure by Port Range: Configures connection settings for a range of ports
Show Informati
Actor: Configures parameters for link aggregation group members on the local side
Partner: Configures parameters for link aggregation group members on the remote side
Show Information
Counters: Displays statistics for LACP protocol messages
Internal: Displays configuration settings and operational state for the local side of a link aggregation
Show Dynamic VLAN
Show VLAN: Shows the VLANs this switch has joined through GVRP
Show VLAN Member: Shows the interfaces assigned to a VLAN through GVRP
IEEE 802.
Clear Dynamic MAC: Removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries
Mirror: Mirrors traffic matching a specified source address from any port on the switch to a target port
MAC Notification
Configure Global: Issues a trap when a dynamic MAC address is added or rem
Configure Interface: Sets the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages
Priority
Default Priority: Sets the default priority for each port or trunk
Queue: Sets queue mode for the switch; sets the service weight for each queue
Configure OUI
Add: Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer
Show: Shows the OUI telephony list
Configure Interface: Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filtering of non-VoIP packets, the method of detecting VoIP traffic, and the priori
Show: Shows authorized users
Modify: Modifies user attributes
Allows authentication and access to the network when 802.
Show Rule: Shows the time specified by a rule
Configure ACL
Show TCAM: Shows utilization parameters for TCAM
Add: Adds an ACL based on IP or MAC address filtering
Show: Shows the name and type of configured ACLs
Add Rule: Configures packet filtering based on IP or MAC addresses and other packet attributes
Show Rule: Shows the rules specif
IP Source Guard: Filters IP traffic based on static entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table
Port Configuration: Enables IP source guard and selects filter type per port
Static Binding
Configure ACL Table
Add: Adds static addresses to the source guard ACL binding table
Show: Shows static addresses in th
Show Remote Device Information
Port/Trunk: Displays information about a remote device connected to a port on this switch
Port/Trunk Details: Displays detailed information about a remote device connected to this switch
Show Device Statistics
General: Displays statistics for all connected remote devices
Port/Trunk: Displays statistics for remote d
Configure Notify Filter
Add: Creates an SNMP notification log
Show: Shows the configured notification logs
Show Statistics: Shows the status of SNMP communications
RMON: Remote Monitoring
Configure Global
Add
Alarm: Sets threshold bounds for a monitored variable
Event: Creates a response event for an alarm
Show
Alarm: Shows all con
CFM: Connectivity Fault Management
Configure Global: Configures global settings, including administrative status, cross-check start delay, link trace, and SNMP traps
Configure Interface: Configures administrative status on an interface
Configure MD: Configure Maintenance Domains
Add: Defines a portion of the network for which connectivity faults can
Show Link Trace Cache: Shows information about link trace operations launched from this device
Show Fault Notification Generator: Displays configuration settings for the fault notification generator
Show Continuity Check Error: Displays CFM continuity check errors logged on this device
OAM: Operation, Administration, and Maintenance
Interface: Enable
Routing
Static Routes
Add: Configures static routing entries
Show: Shows static routing entries
Routing Table
Show Information: Shows all routing entries, including local, static and dynamic routes
Configure ECMP Number: Sets the maximum number of equal-cost paths to the same destination that can be installed in the routing table
VRRP: Virtual
IP Service
DNS: Domain Name Service
General
Configure Global: Enables DNS lookup; defines the default domain name appended to incomplete host names
Add Domain Name: Defines a list of domain names that can be appended to incomplete host names
Show Domain Names: Shows the configured domain name list
Add Name Server: Specifies IP address of
Show IP Binding: Displays addresses currently bound to DHCP clients
UDP Helper
General: Enables UDP helper globally on the switch
Forwarding
Add: Specifies the UDP destination ports for which broadcast traffic will be forwarded
Show: Shows the list of UDP ports to which broadcast traffic will be forwarded
Address
Add: Specifies the serv
Filter
Configure General: Enables IGMP filtering for the switch
Configure Profile
Add: Adds IGMP filter profile; and sets access mode
Show: Shows configured IGMP filter profiles
Add Multicast Group Range: Assigns multicast groups to selected profile
Show Multicast Group Range: Shows multicast groups assigned to a profile
Configure Int
Group Information
Show Information: Shows the current multicast groups learned through IGMP for each VLAN
Show Detail: Shows detailed information on each multicast group associated with a VLAN interface
Multicast Routing
General: Globally enables IPv4 multicast routing
Information
Show Summary: Shows each multicast route the switch has learn
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show VLAN Statistics Shows statistics for protocol messages and number of active groups 604 Show Port Statistics Shows statistics for protocol messages and number of active groups 604 Show Trunk Statistics Shows statistics for protocol messages and number of active groups 604 Multicast VLAN Registration for IPv6 608 Configure Global Configures proxy switching a
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Passive Interface 711 Add Stops RIP broadcast and multicast messages from being sent on specified network interfaces 711 Show Shows the configured passive interfaces 711 Neighbor Address 712 Add Configures the router to directly exchange routing information with a static neighbor Show Shows adjacent hosts or interfaces configured as a neighboring router 712 R
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Area 731 Configure Area 731 Add Area Adds NSSA or stub 731 Show Area Shows configured NSSA or stub 731 Configure NSSA Area Configures settings for importing routes into or exporting routes out of not-so-stubby areas 732 Configure Stub Area Configures default cost, and settings for importing routes into a stub 735 Shows statistics for each area, including SP
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page PIM 765 General Enables PIM globally for the switch 765 Interface Enables PIM per interface, and sets the mode to dense or sparse 766 Neighbor Displays information neighboring PIM routers 771 Configure Global Configures settings for register messages, and use of the SPT 772 BSR Candidate Configures the switch as a BSR candidate 773 SM RP Address 775 Add
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show BSR Router Displays information about the BSR 794 Show RP Mapping Displays the active RPs and associated multicast routing entries 795 Show Information * ECS4620-28P/52P/52P-2AC
3 Basic Management Tasks

This chapter describes the following topics:

◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Displaying System Information

Use the System > General page to identify the system by displaying information such as the device name, location and contact information.

Parameters

These parameters are displayed:

◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
◆ System Up Time – Length of time the management agent has been up.
Chapter 3 | Basic Management Tasks Displaying Hardware/Software Versions Displaying Hardware/Software Versions Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Parameters The following parameters are displayed: Main Board Information ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board.
Web Interface

To view hardware and software version information:

1. Click System, then Switch.

Figure 4: General Switch Information

Configuring Support for Jumbo Frames

Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
Web Interface

To configure support for jumbo frames:

1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.

Figure 5: Configuring Support for Jumbo Frames

Displaying Bridge Extension Capabilities

Use the System > Capability page to display settings based on the Bridge MIB.
Chapter 3 | Basic Management Tasks Managing System Files Untagged) on each port. (Refer to “VLAN Configuration” on page 167.) ◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch. ◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch. Web Interface To view Bridge Extension information: 1. Click System, then Capability.
Managing System Files

Command Usage

◆ When logging into an FTP server, the interface prompts for a user name and password configured on the remote server. Note that “Anonymous” is set as the default user name.
◆ The reset command will not be accepted during copy operations to flash memory.

Parameters

The following parameters are displayed:

◆ Copy Type – The firmware copy operation includes these options:
■ FTP Upload – Copies a file from an FTP server to the switch.
2. Select Copy from the Action list.
3. Select FTP Upload, HTTP Upload, or TFTP Upload as the file transfer method.
4. If FTP or TFTP Upload is used, enter the IP address of the file server.
5. If FTP Upload is used, enter the user name and password for your account on the FTP server.
6. Set the file type to Operation Code.
7. Enter the name of the file to download.
8. Select a file on the switch to overwrite or specify a new file name.
9.
◆ Destination File Name – Copy to the currently designated startup file, or to a new file. The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note: The maximum number of user-defined configuration files is limited only by available flash memory space.
3. Mark the operation code or configuration file to be used at startup.
4. Then click Apply.

Figure 9: Setting Start-Up Files

To start using the new firmware or configuration settings, reboot the system via the System > Reset menu.

Showing System Files

Use the System > File (Show) page to show the files in the system directory, or to delete a file.

Note: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
Figure 10: Displaying System Files

Automatic Operation Code Upgrade

Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
that the file systems of many operating systems such as Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, ecs4620-28t.bix and ECS4620-28T.bix are considered to be unique files. Thus, if the upgrade file is stored as ECS4620-28T.bix (or even EcS4620-28T.bix) on a case-sensitive server, then the switch (requesting ecs4620-28t.
■ tftp:// – Defines TFTP protocol for the server connection.
■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented:

■ ftp://192.168.0.1/
The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory.
■ ftp://switches:upgrade@192.168.0.1/
The user name is “switches” and the password is “upgrade”.
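A pre-flight check for the automatic-upgrade URL rules and the Destination File Name rule described above, as an added example (not code from this guide or from the switch firmware). The function names, the `server_listing` input and the trailing-slash check (inferred from the form of the guide's URL examples) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# File name the switch asks the server for, as quoted in the guide.
IMAGE_NAME = "ecs4620-28t.bix"

# Destination File Name rule: A-Z a-z 0-9 . - _ only, 1-32 characters,
# no leading period (slashes are excluded by the character class).
_DEST_NAME = re.compile(r"(?!\.)[A-Za-z0-9._-]{1,32}")


def valid_dest_filename(name):
    """True if name satisfies the guide's Destination File Name rule."""
    return _DEST_NAME.fullmatch(name) is not None


def check_upgrade_url(url, server_listing=()):
    """Return (settings, findings) for an automatic-upgrade URL.

    server_listing is an optional list of the file names present in the
    upgrade directory on the server (hypothetical input for this example).
    """
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ftp", "tftp"):
        raise ValueError("upgrade URL must start with ftp:// or tftp://")

    # Guide: four numbers, 0 to 255, separated by periods; no DNS names.
    host = parts.hostname or ""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        findings.append(f"host {host!r} is not a dotted-quad IPv4 address")

    user, password = parts.username, parts.password
    if scheme == "tftp":
        if user is not None or password is not None:
            findings.append("the tftp:// syntax has no user name or password field")
        user = password = None
    elif not user:
        # Empty credentials: user name "anonymous", blank password.
        user, password = "anonymous", ""
    else:
        password = password or ""
        findings.append(
            f"credentials for {user!r} are embedded in the URL; "
            "FTP sends them unencrypted"
        )

    # Assumption: the URL names a directory, as in the guide's examples.
    filedir = parts.path
    if not filedir.endswith("/"):
        findings.append("path should name a directory and end with '/'")

    # Case-sensitive servers treat ECS4620-28T.bix and ecs4620-28t.bix
    # as different files, so the switch's request would not match.
    if server_listing and IMAGE_NAME not in server_listing:
        near = [n for n in server_listing if n.lower() == IMAGE_NAME]
        if near:
            findings.append(
                f"server stores {near[0]!r}; a case-sensitive server "
                f"will not match the request for {IMAGE_NAME!r}"
            )
        else:
            findings.append(f"{IMAGE_NAME!r} not found in server listing")

    settings = {"scheme": scheme, "host": host, "user": user,
                "password": password, "filedir": filedir}
    return settings, findings


if __name__ == "__main__":
    # Constructed sample inputs; the first two URLs are the guide's examples.
    samples = [
        ("ftp://192.168.0.1/", []),
        ("ftp://switches:upgrade@192.168.0.1/", []),
        ("tftp://fileserver.example/images/", ["ECS4620-28T.bix"]),
    ]
    for url, listing in samples:
        settings, findings = check_upgrade_url(url, listing)
        print(url, settings)
        for finding in findings:
            print("  -", finding)
    print(valid_dest_filename("startup1.cfg"), valid_dest_filename(".hidden"))
```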
Automatic Upgrade is looking for a new image
New image detected: current version 1.2.1.3; new version 1.2.1.6
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
Setting the System Clock

Web Interface

To manually set the system clock:

1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5.
Chapter 3 | Basic Management Tasks Setting the System Clock Figure 13: Setting the Polling Interval for SNTP Configuring NTP Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers. Parameters The following parameters are displayed: ◆ Current Time – Shows the current time set on the switch.
Figure 14: Configuring NTP

Configuring Time Servers

Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.

Specifying SNTP Time Servers

Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Chapter 3 | Basic Management Tasks Setting the System Clock Figure 15: Specifying SNTP Time Servers Specifying NTP Time Servers Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers. Parameters The following parameters are displayed: ◆ NTP Server IP Address – Adds the IPv4 address for up to 50 time servers.
Figure 16: Adding an NTP Time Server

To show the list of configured NTP time servers:

1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.

Figure 17: Showing the NTP Time Server List

Specifying NTP Authentication Keys

Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Web Interface

To add an entry to NTP authentication key list:

1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.

Figure 18: Adding an NTP Authentication Key

To show the list of configured NTP authentication keys:

1. Click System, then Time.
2.
Chapter 3 | Basic Management Tasks Setting the System Clock Setting the Time Zone Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Figure 20: Setting the Time Zone

Configuring Summer Time

Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Chapter 3 | Basic Management Tasks Setting the System Clock Table 5: Predefined Summer-Time Parameters Region Start Time, Day, Week, & Month End Time, Day, Week, & Month Australia 00:00:00, Sunday, Week 5 of October 23:59:59, Sunday, Week 5 of March 60 min Europe 00:00:00, Sunday, Week 5 of March 60 min 23:59:59, Sunday, Week 5 of October New Zealand 00:00:00, Sunday, Week 1 of October 23:59:59, Sunday, Week 3 of March USA 02:00:00, Sunday, Week 2 of March Rel.
Chapter 3 | Basic Management Tasks Configuring the Console Port Figure 21: Configuring Summer Time Configuring the Console Port Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
Chapter 3 | Basic Management Tasks Configuring the Console Port per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits) ◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit) ◆ Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None.
Configuring Telnet Settings

Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.

Web Interface

To configure parameters for Telnet access:

1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.
Chapter 3 | Basic Management Tasks Displaying Memory Utilization Figure 24: Displaying CPU Utilization Displaying Memory Utilization Use the System > Memory Status page to display memory utilization parameters. Parameters The following parameters are displayed: ◆ Free Size – The amount of memory currently free for use. ◆ Used Size – The amount of memory allocated to active processes. ◆ Total – The total amount of system memory. Web Interface To display memory utilization: 1.
Chapter 3 | Basic Management Tasks Stacking Stacking This section describes the basic functions which enable a properly connected set of switches to function as a single logical entity for management purposes. For information on how to physically connect units into a stack, see the Hardware Installation Guide. For detailed information on how stacking is implemented for this type of switch, refer to “Stack Operations” in the CLI Reference Guide.
4. Click Apply.

Figure 26: Setting the Stack Master

Enabling Stacking Ports

Use the System > Stacking (Configure Stacking Button) page to enable stacking on the front panel 10G ports.

Command Usage

◆ The stacking ports must be enabled on all stack members.
◆ Use the Switch Master Button page to specify one unit as the stack master.
◆ Every switch in the stack must be rebooted to activate this command.
Figure 27: Enabling Stacking on 10G Ports

Renumbering the Stack

If the units are no longer numbered sequentially after several topology changes or failures, use the System > Stacking (Renumber) page to reset the unit numbers. Just remember to save the new configuration settings to a startup configuration file prior to powering off the stack Master.
Resetting the System

Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.

Command Usage

◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory. (See “Saving the Running Configuration to a Local File” on page 92).
Chapter 3 | Basic Management Tasks Resetting the System ■ ■ YYYY - The year at which to reload. (Range: 1970-2037) ■ HH - The hour at which to reload. (Range: 00-23) ■ MM - The minute at which to reload. (Range: 00-59) Regularly – Specifies a periodic interval at which to reload the switch. Time ■ HH - The hour at which to reload. (Range: 00-23) ■ MM - The minute at which to reload. (Range: 00-59) Period ■ Daily - Every day. ■ Weekly - Day of the week at which to reload. (Range: Sunday ...
Figure 29: Restarting the Switch (Immediately)

Figure 30: Restarting the Switch (In)
Figure 31: Restarting the Switch (At)

Figure 32: Restarting the Switch (Regularly)
4 Interface Configuration

This chapter describes the following topics:

◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
Port Configuration

This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.

Configuring by Port List

Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Chapter 4 | Interface Configuration Port Configuration ◆ ◆ Media Type – Configures the forced transceiver mode for SFP/SFP+ ports, or forced/preferred port type for RJ-45/SFP combination ports. ■ None - Forced transceiver mode is not used for SFP/SFP+ ports. (This is the default setting for RJ-45 ports and SFP/SFP+ ports.) ■ Copper-Forced - Always uses the RJ-45 port. (Only applies to combination RJ-45/SFP ports 23-24 on the ECS4620-28F/28F-DC.
Chapter 4 | Interface Configuration Port Configuration Default: Autonegotiation enabled on Gigabit ports; Advertised capabilities for 100BASE-FX (SFP1) – 100full 1000BASE-T – 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX/LHX/ZX (SFP1 / SFP+) – 1000full 10GBASE-CR/SR/LR/LRM (SFP+) – 10Gfull ◆ Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled) ◆ Flow Control – Allows automatic or manual selection of flow control.
Configuring by Port Range

Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.

For more information on command usage and a description of the parameters, refer to “Configuring by Port List” on page 122.

Web Interface

To configure port connection parameters:

1.
Chapter 4 | Interface Configuration Port Configuration ◆ Admin – Shows if the port is enabled or disabled. ◆ Oper Status – Indicates if the link is Up or Down. ◆ Media Type – Shows the forced transceiver mode for SFP/SFP+ ports, or forced/preferred port type for RJ-45/SFP combination ports used in the ECS4620-28F/28F-DC. ◆ Autonegotiation – Shows if auto-negotiation is enabled or disabled. ◆ Oper Speed Duplex – Shows the current speed and duplex mode.
(remote port mirroring as described in “Configuring Remote Port Mirroring” on page 128).

◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
Figure 37: Configuring Local Port Mirroring

To display the configured mirror sessions:

1. Click Interface, Port, Mirror.
2. Select Show from the Action List.

Figure 38: Displaying Local Port Mirror Sessions

Configuring Remote Port Mirroring

Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
Figure 39: Configuring Remote Port Mirroring (diagram: a source switch, an intermediate switch and a destination switch connected through uplink ports over the RSPAN VLAN. Ingress or egress traffic is mirrored onto the RSPAN VLAN from the source port. Tagged or untagged traffic from the RSPAN VLAN is analyzed at the destination port.)
◆ RSPAN Limitations

The following limitations apply to the use of RSPAN on this switch:

■ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface – source, destination, or uplink. Also, note that the source port and destination port cannot be configured on the same switch.
■ Intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations.
■ Destination - Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session.

◆ Remote VLAN – The VLAN to which traffic mirrored from the source port will be flooded.
Figure 40: Configuring Remote Port Mirroring (Source)

Figure 41: Configuring Remote Port Mirroring (Intermediate)

Figure 42: Configuring Remote Port Mirroring (Destination)
Showing Port or Trunk Statistics

Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Chapter 4 | Interface Configuration Port Configuration Table 6: Port Statistics (Continued) Parameter Description Transmitted Broadcast Packets The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent. Received Unknown Packets The number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
Chapter 4 | Interface Configuration Port Configuration Table 6: Port Statistics (Continued) Parameter Description Broadcast Packets The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Packets The total number of good packets received that were directed to this multicast address.
Chapter 4 | Interface Configuration Port Configuration Figure 43: Showing Port Statistics (Table) To show a chart of port statistics: 1. Click Interface, Port, Chart. 2. Select the statistics mode to display (Interface, Etherlike, RMON or All). 3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Figure 44: Showing Port Statistics (Chart)

Displaying Transceiver Data

Use the Interface > Port > Transceiver page to display identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM).

Parameters

These parameters are displayed:

◆ Port – Port number.
problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.

Web Interface

To display identifying information and functional parameters for optical transceivers:

1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.
Chapter 4 | Interface Configuration Port Configuration ◆ DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power. The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices.
will not be generated until the sampled value has risen above the low threshold and reaches the high threshold.

■ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
Command Usage

◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse.
◆ Cable diagnostics can only be performed on twisted-pair media.
◆ This cable test is only accurate for cables 7 - 100 meters long.
◆ The test takes approximately 5 seconds.
Chapter 4 | Interface Configuration Trunk Configuration Web Interface To test the cable attached to a port: 1. Click Interface, Port, Cable Test. 2. Click Test for any port to start the cable test. Figure 47: Performing Cable Tests Trunk Configuration This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
Chapter 4 | Interface Configuration Trunk Configuration Command Usage Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
Chapter 4 | Interface Configuration Trunk Configuration Command Usage ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
Chapter 4 | Interface Configuration Trunk Configuration To add member ports to a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure Trunk from the Step list. 3. Select Add Member from the Action list. 4. Select a trunk identifier. 5. Set the unit and port for an additional trunk member. 6. Click Apply. Figure 50: Adding Static Trunks Members To configure connection parameters for a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3.
Chapter 4 | Interface Configuration Trunk Configuration To display trunk connection parameters: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3. Select Show Information from the Action list.
◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.

Note: If the LACP admin key is not set when a channel group is formed (i.e.
Chapter 4 | Interface Configuration Trunk Configuration When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used. Configure Aggregation Port - General ◆ Port – Port identifier. (Range: 1-28/52) ◆ LACP Status – Enables or disables LACP on a port. Configure Aggregation Port - Actor/Partner ◆ Port – Port number.
Chapter 4 | Interface Configuration Trunk Configuration Note: Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port. Note: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
Figure 55: Enabling LACP on a Port

To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.

Figure 56: Configuring LACP Parameters on a Port

To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2.
4. Select a Trunk.

Figure 57: Showing Members of a Dynamic Trunk

To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Configure from the Action list.
4. Modify the required interface settings. (See “Configuring by Port List” on page 122 for a description of the interface settings.)
5. Click Apply.
To show connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.

Figure 59: Showing Connection Parameters for Dynamic Trunks

Displaying LACP Port Counters
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
5. Select a group member from the Port list.

Figure 60: Displaying LACP Port Counters

Displaying LACP Settings and Status for the Local Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 8: LACP Internal Configuration Information (Continued)
Parameter: Admin State, Oper State (continued)
Description:
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link.
Displaying LACP Settings and Status for the Remote Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.

Parameters
These parameters are displayed:

Table 9: LACP Remote Device Configuration Information
Parameter: Partner Admin System
Description: LAG partner’s system ID assigned by the user.
Figure 62: Displaying LACP Port Remote Information

Configuring Load Balancing
Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.

Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source IP Address: All traffic with the same source IP address is output on the same link in a trunk.
Saving Power
Use the Interface > Green Ethernet page to enable power savings mode on the selected port.

Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Enabled on Gigabit Ethernet RJ-45 ports)

Web Interface
To enable power savings:
1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
3. Click Apply.
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 65: Enabling Traffic Segmentation

Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

Parameters
These parameters are displayed:
◆ Session ID – Traffic segmentation session. (Range: 1-4)
◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink)
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.
To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Show from the Action list.

Figure 67: Showing Traffic Segmentation Members

VLAN Trunking
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see “Adding Static Members to VLANs” on page 173). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
Figure 69: Configuring VLAN Trunking
5 VLAN Configuration
This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
IEEE 802.1Q VLANs
VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.

This switch supports the following VLAN features:
◆ Up to 4094 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Figure 71: Using GVRP (diagram label: Port-based VLAN)

Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
◆ Remote VLAN – Reserves this VLAN for RSPAN (see “Configuring Remote Port Mirroring” on page 128).

Modify
◆ VLAN ID – ID of configured VLAN (1-4094).
◆ VLAN Name – Name of the VLAN (1 to 32 characters).
◆ Status – Enables or disables the specified VLAN.
◆ L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type.
Figure 72: Creating Static VLANs

To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3. Select the identifier of a configured VLAN.
4. Modify the VLAN name or operational status as required.
5. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface.
6. Click Apply.
To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.

Figure 74: Showing Static VLANs

Adding Static Members to VLANs
Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
■ Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
■ 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
■ None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface.

Note: VLAN 1 is the default untagged VLAN containing all ports on the switch using Hybrid mode.

Edit Member by Interface
All parameters are the same as those described under the preceding section for Edit Member by VLAN.
Figure 75: Configuring Static Members by VLAN Index

To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.
Configure Interface
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-28/52)
◆ Trunk – Trunk Identifier. (Range: 1-16)
◆ GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect (using the Configure General page).
Web Interface
To configure GVRP on the switch:
1. Click VLAN, Dynamic.
2. Select Configure General from the Step list.
3. Enable or disable GVRP.
4. Click Apply.

Figure 78: Configuring Global Status of GVRP

To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
2. Select Configure Interface from the Step list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the GVRP status or timers for any interface.
5.
To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.

Figure 80: Showing Dynamic VLANs Registered on the Switch

To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.
IEEE 802.1Q Tunneling
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
◆ Untagged
◆ One tag (CVLAN or SPVLAN)
◆ Double tag (CVLAN + SPVLAN)

The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
1.
Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 173).

Enabling QinQ Tunneling on the Switch
Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network.
Figure 83: Enabling QinQ Tunneling

Creating CVLAN to SPVLAN Mapping Entries
Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.

Command Usage
◆ The inner VLAN tag of a customer packet entering the edge router of a service provider’s network is mapped to an outer tag indicating the service provider VLAN that will carry this traffic across the 802.1Q tunnel.
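The mapping described above, modelled as an added Python example (not Edge-core code or switch firmware): it pushes the outer SPVLAN tag for the CVID 2 to SVID 99 entry on port 1 used in this section's web example, and checks a captured uplink frame against the mapping table. The outer TPID default of 0x8100, copying the inner priority bits into the outer tag, the sample frame, and all function names are assumptions of this example.

```python
"""QinQ CVLAN-to-SPVLAN tagging model (added example, not switch firmware)."""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

TPID_CTAG = 0x8100                      # IEEE 802.1Q tag
TPID_STAG = 0x88A8                      # IEEE 802.1ad service tag
KNOWN_TPIDS = (TPID_CTAG, TPID_STAG)

# (customer-facing port, CVID) -> SVID, as entered on the Configure Service page.
SERVICE_MAP: Dict[Tuple[int, int], int] = {(1, 2): 99}


class Tag(NamedTuple):
    tpid: int
    pcp: int
    dei: int
    vid: int


def parse_frame(frame: bytes) -> Tuple[bytes, List[Tag], int, bytes]:
    """Split a frame into (MAC addresses, tags outermost first, EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in KNOWN_TPIDS:
            return frame[:12], tags, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(Tag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def push_service_tag(frame: bytes, port: int, service_map: Dict[Tuple[int, int], int],
                     outer_tpid: int = TPID_CTAG) -> Optional[bytes]:
    """Return the frame with the mapped SPVLAN tag pushed, or None if no entry applies."""
    macs, tags, _, _ = parse_frame(frame)
    if not tags:
        return None                     # untagged: there is no CVID to match
    cvlan = tags[0]
    svid = service_map.get((port, cvlan.vid))
    if svid is None:
        return None                     # default handling is not modelled here
    if not 1 <= svid <= 4094:
        raise ValueError("SVID must be in the range 1-4094")
    tci = (cvlan.pcp << 13) | svid      # assumption: priority copied from inner tag
    return macs + struct.pack("!HH", outer_tpid, tci) + frame[12:]


def audit_uplink_frame(frame: bytes, port: int,
                       service_map: Dict[Tuple[int, int], int]) -> str:
    """Compare a frame captured on the uplink with the table for a customer port."""
    _, tags, _, _ = parse_frame(frame)
    if len(tags) < 2:
        return "not-double-tagged"
    outer, inner = tags[0], tags[1]
    expected = service_map.get((port, inner.vid))
    if expected is None:
        return "unmapped-cvid"
    return "ok" if outer.vid == expected else "unexpected-svid"


def sample_customer_frame(cvid: int, pcp: int = 3) -> bytes:
    """Constructed single-tagged IPv4 frame with locally administered MACs."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_CTAG, (pcp << 13) | cvid)
    return dst + src + tag + struct.pack("!H", 0x0800) + b"constructed-payload"


if __name__ == "__main__":
    tunnelled = push_service_tag(sample_customer_frame(2), 1, SERVICE_MAP)
    print([(hex(t.tpid), t.vid) for t in parse_frame(tunnelled)[1]])
    print(audit_uplink_frame(tunnelled, 1, SERVICE_MAP))
```

Running `audit_uplink_frame` over frames exported from a capture on the uplink confirms that each customer CVID leaves the switch inside the SPVLAN the table assigns to it.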
Web Interface
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.

Figure 84: Configuring CVLAN to SPVLAN Mapping Entries

To show the mapping table:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3.
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide.

Adding an Interface to a QinQ Tunnel
Follow the guidelines under "Enabling QinQ Tunneling on the Switch" in the preceding section to set up a QinQ tunnel on the switch.
4. Click Apply.

Figure 86: Adding an Interface to a QinQ Tunnel

Protocol VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Configuring Protocol VLAN Groups
Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

Parameters
These parameters are displayed:
◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw.
Figure 87: Configuring Protocol VLANs

To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.

Figure 88: Displaying Protocol VLANs

Mapping Protocol Groups to Interfaces
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-28/52)
◆ Trunk – Trunk Identifier.
Figure 89: Assigning Interfaces to Protocol VLANs

To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.

Figure 90: Showing the Interface to Protocol Group Mapping

Configuring IP Subnet VLANs
Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
Command Usage
◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. The specified VLAN need not be an existing VLAN.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
3. Enter an address in the IP Address field.
4. Enter a mask in the Subnet Mask field.
5. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured.
6. Enter a value to assign to untagged frames in the Priority field.
7. Click Apply.

Figure 91: Configuring IP Subnet VLANs

To show the configured IP subnet VLANs:
1. Click VLAN, IP Subnet.
2. Select Show from the Action list.
Configuring MAC-based VLANs
Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.

When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
Web Interface
To map a MAC address to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Add from the Action list.
3. Enter an address in the MAC Address field, and a mask to indicate a range of addresses if required.
4. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
5. Enter a value to assign to untagged frames in the Priority field.
6. Click Apply.
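Untagged-frame classification as the IP subnet and MAC-based VLAN sections describe it, as an added Python model (not the switch's own code): the source MAC table is tried first, then the source IP subnet table, then the PVID of the receiving port. That lookup order, first-match among overlapping entries, and all names and sample values are assumptions of this example.

```python
"""Untagged-frame VLAN classification model (added example, not switch firmware)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MacRule:
    mac: str        # MAC Address field, e.g. "00-11-22-33-44-00"
    mask: str       # mask selecting a range; all ones matches a single address
    vlan: int
    priority: int


@dataclass(frozen=True)
class SubnetRule:
    network: ipaddress.IPv4Network      # IP Address and Subnet Mask fields
    vlan: int
    priority: int


def mac_to_int(mac: str) -> int:
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def subnet_rule(address: str, mask: str, vlan: int, priority: int = 0) -> SubnetRule:
    """Build an entry from the IP Address, Subnet Mask, VLAN and Priority fields."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in the range 1-4094")
    # strict=False masks a host address down to its subnet instead of raising.
    return SubnetRule(ipaddress.IPv4Network(f"{address}/{mask}", strict=False),
                      vlan, priority)


def classify_untagged(src_mac: str, src_ip: Optional[str], pvid: int,
                      mac_rules: List[MacRule],
                      subnet_rules: List[SubnetRule]) -> Tuple[int, Optional[int], str]:
    """Return (VLAN ID, priority, table that matched) for one untagged ingress frame."""
    mac = mac_to_int(src_mac)
    for rule in mac_rules:                      # assumed to be consulted first
        mask = mac_to_int(rule.mask)
        if mac & mask == mac_to_int(rule.mac) & mask:
            return rule.vlan, rule.priority, "mac-based"
    if src_ip is not None:                      # non-IP frames skip the subnet table
        addr = ipaddress.IPv4Address(src_ip)
        for rule in subnet_rules:               # first match wins (assumption)
            if addr in rule.network:
                return rule.vlan, rule.priority, "ip-subnet"
    return pvid, None, "pvid"                   # no mapping: PVID of receiving port


def overlapping_subnets(rules: List[SubnetRule]) -> List[Tuple[SubnetRule, SubnetRule]]:
    """Flag entry pairs whose subnets overlap but point at different VLANs."""
    conflicts = []
    for i, first in enumerate(rules):
        for second in rules[i + 1:]:
            if first.vlan != second.vlan and first.network.overlaps(second.network):
                conflicts.append((first, second))
    return conflicts


# Constructed sample tables; the addresses and VLAN IDs are illustrative only.
SAMPLE_MAC_RULES = [MacRule("00-11-22-33-44-00", "ff-ff-ff-ff-ff-00", 30, 5)]
SAMPLE_SUBNET_RULES = [
    subnet_rule("192.168.10.0", "255.255.255.0", 10, 2),
    subnet_rule("192.168.10.128", "255.255.255.128", 20, 0),
]

if __name__ == "__main__":
    frames = [("00-11-22-33-44-9a", "192.168.10.7"),
              ("aa-bb-cc-00-00-01", "192.168.10.7"),
              ("aa-bb-cc-00-00-01", "10.0.0.9"),
              ("aa-bb-cc-00-00-01", None)]
    for src_mac, src_ip in frames:
        print(src_mac, src_ip,
              classify_untagged(src_mac, src_ip, 1, SAMPLE_MAC_RULES, SAMPLE_SUBNET_RULES))
    for first, second in overlapping_subnets(SAMPLE_SUBNET_RULES):
        print("ambiguous:", first.network, "and", second.network)
```

Both tables key on header fields that the sending host fills in, so where VLAN membership is meant to act as a control, review these mappings together with the port security and 802.1X settings this guide covers.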
Configuring VLAN Mirroring
Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.

Command Usage
◆ All active ports in a source VLAN are monitored for ingress traffic only.
4. Click Apply.

Figure 95: Configuring VLAN Mirroring

To show the VLANs to be mirrored:
1. Click VLAN, Mirror.
2. Select Show from the Action list.

Figure 96: Showing the VLANs to Mirror

Configuring VLAN Translation
Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.
Figure 97: Configuring VLAN Translation (diagram labels: VLAN 10, VLAN 100, 1 upstream, 2 downstream)

◆ The maximum number of VLAN translation entries is 8 per port, and up to 96 for the system.
To show the mapping entries for VLANs translation:
1. Click VLAN, Translation.
2. Select Show from the Action list.
3. Select a port.
6 Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

This chapter describes the following topics:
◆ MAC Address Learning – Enables or disables address learning on an interface.
Configuring MAC Address Learning
◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist:
■ 802.1X Port Authentication has been globally enabled on the switch (see “Configuring 802.1X Global Settings” on page 362).
■ Security Status (see “Configuring Port Security” on page 358) is enabled on the same interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
Setting Static Addresses
Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
Web Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
4. Click Apply.

Figure 101: Configuring Static MAC Addresses

To show the static addresses in MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.
Displaying the Dynamic Address Table
Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
Figure 103: Displaying the Dynamic MAC Address Table

Clearing the Dynamic Address Table
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.

Parameters
These parameters are displayed:
◆ Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk.
Figure 104: Clearing Entries in the Dynamic MAC Address Table

Changing the Aging Time
Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.

Parameters
These parameters are displayed:
◆ Aging Status – Enables/disables the function.
◆ Aging Time – The time after which a learned entry is discarded.
Configuring MAC Address Mirroring
Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Figure 106: Mirroring Packets Based on the Source MAC Address

To show the MAC addresses to be mirrored:
1. Click MAC Address, Mirror.
2. Select Show from the Action list.

Figure 107: Showing the Source MAC Addresses to Mirror

Issuing MAC Address Traps
Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed.
MAC authentication traps must be enabled at the global level for this attribute to take effect.

Web Interface
To enable MAC address traps at the global level:
1. Click MAC Address, MAC Notification.
2. Select Configure Global from the Step list.
3. Configure MAC notification traps and the transmission interval.
4. Click Apply.

Figure 108: Issuing MAC Address Traps (Global Configuration)

To enable MAC address traps at the interface level:
1.
7 Spanning Tree Algorithm
This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Overview
Figure 110: STP Root Ports and Designated Ports (diagram labels: Designated Root, Designated Bridge, Designated Port, Root Port)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 231). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
Note: Loopback detection will not be active if Spanning Tree is disabled on the switch.

Note: When configured for manual release mode, then a link down/up event will not release the port from the discarding state.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Status – Enables loopback detection on this interface.
Figure 113: Configuring Port Loopback Detection

Configuring Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.

Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
■ To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
◆ Cisco Prestandard Status – Configures spanning tree operation to be compatible with Cisco prestandard versions. (Default: Disabled)
Cisco prestandard versions prior to Cisco IOS Release 12.2(25)SEC do not fully follow the IEEE standard, causing some state machine procedures to function incorrectly. This command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions.
changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
■ Default: 15
■ Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
■ Maximum: 30
RSTP does not depend on the forward delay timer in most cases.
5.
Figure 116: Configuring Global Settings for STA (MSTP)

Displaying Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
root port, then this switch has been accepted as the root device of the Spanning Tree network.
◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
◆ Last Topology Change – Time since the Spanning Tree was last reconfigured.

Web Interface
To display global STA settings:
1. Click Spanning Tree, STA.
2.
Configuring Interface Settings for STA

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 217) or when spanning tree is disabled on a specific port.
Table 12: Default STA Path Costs
Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
Ethernet           65,535                               1,000,000
Fast Ethernet      65,535                               100,000
Gigabit Ethernet   10,000                               10,000
10G Ethernet       1,000                                1,000

Administrative path cost cannot be used to directly determine the root port on a switch. Connections to other devices use IEEE 802.1Q-2005 to determine the root port as in the following example.
by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed. (Default: Disabled)
◆ Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
configured edge ports should not receive BPDUs. If an edge port receives a BPDU, an invalid configuration exists, such as a connection to an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations because an administrator must manually enable the port.
Figure 119: Configuring Interface Settings for STA

Displaying Interface Settings for STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.

Parameters
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.
The rules defining port status are:
■ A port on a network segment with no other STA compliant bridging device is always forwarding.
■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Figure 120: STA Port Roles (R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port)
Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
Configuring Multiple Spanning Trees
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

Command Usage
MSTP generates a unique spanning tree for each instance.
To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.

Parameters
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Range: 0-4094)
◆ VLAN ID – VLAN to assign to this MST instance. (Range: 1-4094)
◆ Priority – The priority of a spanning tree instance.
To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.

Figure 123: Displaying MST Instances

To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
4. Select an MST ID. The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 222.

Figure 125: Displaying Global Settings for an MST Instance

To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5.
To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.

Figure 127: Displaying Members of an MST Instance

Configuring Interface Settings for MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
8 Congestion Control

The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
Web Interface
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required interface.
4. Set the rate limit for required interfaces.
5. Click Apply.

Figure 130: Configuring Rate Limits

Storm Control
Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds.
control responses. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
◆ Rate limits set by the storm control function are also used by automatic storm control when the control response is set to rate control on the Auto Traffic Control (Configure Interface) page.
Figure 131: Configuring Storm Control

Automatic Traffic Control
Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

Command Usage
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
be triggered (as configured under the Action field) or a trap message sent (as configured under the Trap Storm Fire field).
◆ The release timer only applies to a Rate Control response set in the Action field of the ATC (Interface Configuration) page. When a port has been shut down by a control response, it must be manually re-enabled using the Manual Control Release (see page 245).
Configuring ATC Thresholds and Responses
Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.

Parameters
These parameters are displayed:
◆ Storm Control – Specifies automatic storm control for broadcast traffic or multicast traffic.
◆ Alarm Clear Threshold – The lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the Auto Release Control attribute.
Figure 135: Configuring ATC Interface Attributes
9 Class of Service

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Chapter 9 | Class of Service Layer 2 Queue Settings
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)

Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.
Figure 139: Setting the Queue Mode (Strict and WRR)

Mapping CoS Values to Egress Queues
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 260).
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in Table 14. However, priority levels can be mapped to the switch’s output queues in any way that benefits application traffic for the network.
3. Select a port.
4. Map an internal PHB to a hardware queue. Depending on how an ingress packet is processed internally based on its CoS value, and the assigned output queue, the mapping done on this page can effectively determine the service priority for different traffic classes.
5. Click Apply.

Figure 140: Mapping CoS Values to Egress Queues

To show the internal PHB to hardware queue map:
1. Click Traffic, Priority, PHB to Queue.
2.
Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Trust Mode
  ■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.)
  ■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values.

Web Interface
To configure the trust mode:
1. Click Traffic, Priority, Trust Mode.
2. Set the trust mode for any port.
3. Click Apply.
DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
Web Interface
To map DSCP values to internal PHB/drop precedence:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.

Figure 143: Configuring DSCP to DSCP Internal Mapping

To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
Mapping CoS Priorities to Internal DSCP Values
Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.

Command Usage
◆ The default mapping of CoS to PHB values is shown in Table 17 on page 260.
◆ Enter up to eight CoS/CFI paired values, per-hop behavior and drop precedence.
◆ If a packet arrives with a 802.
Web Interface
To map CoS/CFI values to internal PHB/drop precedence:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any of the CoS/CFI combinations.
5. Click Apply.
To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
3. Select a port.
10 Quality of Service

This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.
Chapter 10 | Quality of Service Configuring a Class Map
Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
  ■ Match Any – Match any condition within a class map.
◆ Description – A brief description of a class map. (Range: 1-64 characters)

Add Rule
◆ Class Name – Name of the class map.
◆ Type – The criteria specified by the match command. (This field is set on the Add page.)
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value.
Figure 147: Configuring a Class Map

To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.

Figure 148: Showing Class Maps

To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.
Figure 149: Adding Rules to a Class Map

To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Creating QoS Policies
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 264), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (page 277). Configuring QoS policies requires several steps.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
(BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size.
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
Command Usage
◆ A policy map can contain 512 class statements that can be applied to the same interface (page 277). Up to 32 policy maps can be configured for ingress ports.
◆ After using the policy map to define packet classification, service tagging, and bandwidth policing, it must be assigned to a specific interface by a service policy (page 277) to take effect.

Parameters
These parameters are displayed:

Add
◆ Policy Name – Name of policy map.
◆ Meter Mode – Selects one of the following policing methods.
  ■ Flow (Police Flow) – Defines the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and the action to take for conforming and non-conforming traffic.
  ■ Committed Burst Size (BC) – Burst in bytes. (Range: 64-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  ■ Excess Burst Size (BE) – Burst in excess of committed burst size. (Range: 64-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level.
  ■ Committed Burst Size (BC) – Burst in bytes. (Range: 64-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  ■ Peak Information Rate (PIR) – Rate in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
  ■ Peak Burst Size (BP) – Burst size in bytes.
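A two-rate meter over the CIR, BC, PIR and BP parameters listed above, as an added example that is not the switch's own code. It follows the color-blind two rate three color algorithm of RFC 2698; the class name, method names and sample rates are assumptions made for illustration.

```python
"""Color-blind two rate three color meter (RFC 2698), added for illustration."""


class TwoRateMeter:
    """Token-bucket meter driven by CIR/BC and PIR/BP.

    Rates are given in kbps and bursts in bytes, matching the units of the
    parameter list. Both buckets start full, as RFC 2698 specifies.
    """

    def __init__(self, cir_kbps, bc_bytes, pir_kbps, bp_bytes):
        if pir_kbps < cir_kbps:
            raise ValueError("PIR must be greater than or equal to CIR")
        if bc_bytes <= 0 or bp_bytes <= 0:
            raise ValueError("burst sizes must be positive")
        self.cir = cir_kbps * 1000 / 8   # committed rate in bytes per second
        self.pir = pir_kbps * 1000 / 8   # peak rate in bytes per second
        self.bc = bc_bytes
        self.bp = bp_bytes
        self.tc = bc_bytes               # committed bucket, starts full
        self.tp = bp_bytes               # peak bucket, starts full
        self.last = 0.0

    def meter(self, now, size):
        """Return 'green', 'yellow' or 'red' for a packet of `size` bytes."""
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("timestamps must not go backwards")
        self.last = now
        # Refill both buckets for the elapsed time, capped at the burst size.
        self.tc = min(self.bc, self.tc + elapsed * self.cir)
        self.tp = min(self.bp, self.tp + elapsed * self.pir)

        if self.tp < size:
            # Peak bucket exhausted: the packet violates PIR/BP.
            return "red"
        if self.tc < size:
            # Within the peak rate but beyond the committed rate.
            self.tp -= size
            return "yellow"
        # Conforms to the committed rate.
        self.tc -= size
        self.tp -= size
        return "green"


if __name__ == "__main__":
    # Constructed sample: 64 kbps CIR, 4096-byte BC, 128 kbps PIR, 8192-byte BP.
    m = TwoRateMeter(cir_kbps=64, bc_bytes=4096, pir_kbps=128, bp_bytes=8192)
    for i in range(6):
        print(i, m.meter(0.0, 1500))     # back-to-back burst of 1500-byte packets
    print("after 1 s:", m.meter(1.0, 1500))
```

In a policy map the three colors correspond to the conform, exceed and violate actions; the mapping to DSCP rewrites or drops is configured separately and is not modeled here.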
Web Interface
To configure a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.

Figure 151: Configuring a Policy Map

To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class. Use one of the metering options to define parameters such as the maximum throughput and burst rate.
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.

Figure 154: Showing the Rules for a Policy Map

Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.

Command Usage
First define a class map, define a policy map, and then bind the service policy to the required interface.
4. Select a policy map from the scroll-down box.
5. Click Apply.
11 VoIP Traffic Configuration

This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
Configuring VoIP Traffic
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

Command Usage
All ports are set to VLAN hybrid mode by default.
Figure 156: Configuring a Voice VLAN

Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports
6. Enter a description for the devices.
7. Click Apply.

Figure 157: Configuring an OUI Telephony List

To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
Parameters
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
  ■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
  ■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.”

Web Interface
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
12 Security Measures

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting)
◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, nor static source bindings.
◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See “Configuring Local/Remote Logon Authentication” on page 287.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3.
  ■ TACACS – User authentication is performed using a TACACS+ server only.
  ■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.

Web Interface
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
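What "encrypts only the password" means on the wire, as an added example that is not code from this guide or the switch firmware. It implements the User-Password hiding defined in RFC 2865 and parses a constructed Access-Request to show which attributes remain readable; the shared secret, user name, passphrase and NAS address are constructed sample values, and the function names are assumptions.

```python
"""RADIUS Access-Request: only User-Password is hidden (RFC 2865, section 5.2)."""
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Hide a password: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = authenticator."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: reverse the hiding with the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(identifier, authenticator, attributes):
    """Encode code, identifier, length, authenticator and type-length-value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def wire_view(packet):
    """Parse attributes exactly as any observer on the path could, without the secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def demo():
    secret = b"constructed-shared-secret"        # constructed sample value
    authenticator = bytes(range(16))              # fixed here; real clients use random bytes
    password = b"constructed-passphrase-01"       # 25 bytes, so two 16-byte blocks
    packet = build_access_request(7, authenticator, [
        (USER_NAME, b"admin"),
        (USER_PASSWORD, hide_password(password, secret, authenticator)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # documentation address
    ])
    return packet, wire_view(packet)


if __name__ == "__main__":
    _, seen = demo()
    for a_type, value in seen.items():
        print(a_type, value)
```

The user name and NAS address parse back in clear text, and the password's protection rests entirely on the shared secret configured as the Authentication Key.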
  ■ Authentication Key – Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
  ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
◆ Sequence at Priority - Specifies the server and sequence to use for the group. (Range: 1-5 for RADIUS; 1 for TACACS) When specifying the priority sequence for a server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication” on page 287).

Web Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2.
Figure 163: Configuring Remote Authentication Server (TACACS+)

To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
  ■ Exec – Administrative accounting for local console, Telnet, or SSH connections.
◆ Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.
  ■ VTY Method Name – Specifies a user defined method name to apply to Telnet and SSH connections.

Show Information – Summary
◆ Accounting Type - Displays the accounting service.
◆ Method Name - Displays the user-defined or default accounting method.
◆ Server Group Name - Displays the accounting server group.
◆ Interface - Displays the port, console or Telnet interface to which these rules apply.
To configure the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Command, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.
Figure 168: Showing AAA Accounting Methods

To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Command, Exec).
4. Enter the required accounting method.
5. Click Apply.
Figure 170: Configuring AAA Accounting Service for Command Service

Figure 171: Configuring AAA Accounting Service for Exec Service

To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
Figure 172: Displaying a Summary of Applied AAA Accounting Methods

To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.
Parameters
These parameters are displayed:

Configure Method
◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an authorization method for service requests. The “default” method is used for a requested service if no other methods have been defined.
3. Specify the name of the authorization method and server group name.
4. Click Apply.

Figure 174: Configuring AAA Authorization Methods

To show the authorization method applied to the EXEC service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
Chapter 12 | Security Measures Configuring User Accounts
Figure 176: Configuring AAA Authorization Methods for Exec Service

To display the configured authorization method and assigned server groups for the Exec service type:
1. Click Security, AAA, Authorization.
2. Select Show Information from the Step list.
◆ Access Level – Specifies command access privileges. (Range: 0-15) Level 0 provides access to a limited number of commands which display the current status of the switch, as well as several database clear and reset functions. These commands are equivalent to those available under Normal Exec command mode in the CLI. Levels 1-15 provide full access to all commands, equivalent to CLI Privileged Exec command mode.
Figure 178: Configuring User Accounts

To show user accounts:
1. Click Security, User Accounts.
2. Select Show from the Action list.

Figure 179: Showing User Accounts

Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
Note: RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication” on page 287.)

Note: Web authentication cannot be configured on trunk ports.

Configuring Global Settings for Web Authentication
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Figure 180: Configuring Global Settings for Web Authentication

Configuring Interface Settings for Web Authentication
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.

Parameters
These parameters are displayed:
◆ Port – Indicates the port being configured.
◆ Status – Configures the web authentication status for the port.
4. Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate.

Figure 181: Configuring Interface Settings for Web Authentication

Network Access (MAC Address Authentication)

Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.”
◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores the “map-ip-dscp” profile.
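The following added example (not taken from this guide or from the switch software) applies the two Filter-ID rules above to RADIUS entries so that silently discarded profiles can be found before deployment. The set of supported profile names, the handling of malformed tokens, and the sample entries are assumptions; only “service-policy-in” and “map-ip-dscp” come from the text.

```python
"""Preview how a RADIUS Filter-ID string is interpreted under the two rules
stated above: the first duplicate wins, and unsupported profiles are ignored."""

# Only "service-policy-in" is confirmed as supported by the text above.
# ASSUMPTION: extend this set with the profile names your firmware accepts.
SUPPORTED_PROFILES = frozenset({"service-policy-in"})


def parse_filter_id(attribute, supported=SUPPORTED_PROFILES):
    """Return (applied, ignored) for one Filter-ID attribute value.

    applied: dict of profile name -> value (first occurrence wins).
    ignored: list of (token, reason) for every token that was skipped.
    """
    applied = {}
    ignored = []
    for raw in attribute.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing ';'
        name, sep, value = token.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            # ASSUMPTION: the guide does not say how malformed tokens are
            # treated, so they are reported instead of being guessed at.
            ignored.append((token, "malformed"))
        elif name not in supported:
            ignored.append((token, "unsupported"))
        elif name in applied:
            ignored.append((token, "duplicate"))
        else:
            applied[name] = value
    return applied, ignored


def audit_radius_entries(entries, supported=SUPPORTED_PROFILES):
    """Return only the entries whose Filter-ID contains ignored tokens.

    entries: dict of account label -> Filter-ID string.
    """
    findings = {}
    for label, attribute in entries.items():
        applied, ignored = parse_filter_id(attribute, supported)
        if ignored:
            findings[label] = {"applied": applied, "ignored": ignored}
    return findings


# Constructed sample entries (labels are made-up MAC-style account names).
SAMPLE_ENTRIES = {
    "00-11-22-33-44-55": "service-policy-in=p1;service-policy-in=p2",
    "00-11-22-33-44-66": "map-ip-dscp=2:3;service-policy-in=p1",
    "00-11-22-33-44-77": "service-policy-in=p3",
}

if __name__ == "__main__":
    for label, finding in audit_radius_entries(SAMPLE_ENTRIES).items():
        print(label, finding)
```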
secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 363). Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
  ■ Status – Enables MAC authentication on a port. (Default: Disabled)
  ■ Intrusion – Sets the port response to a host MAC authentication failure to either block access to the port or to pass traffic through. (Options: Block, Pass; Default: Block)
  ■ Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication; that is, the Network Access process described in this section.
◆ MAC Filter ID – Allows a MAC Filter to be assigned to the port. MAC addresses or MAC address ranges present in a selected MAC Filter are exempt from authentication on the specified port (as described under "Configuring a MAC Address Filter"). (Range: 1-64; Default: None)

Web Interface

To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3.
  ■ Link up and down – All link up and link down events will trigger the port action.
◆ Action – The switch can respond in three ways to a link up or down trigger event.
  ■ Trap – An SNMP trap is sent.
  ■ Trap and shutdown – An SNMP trap is sent and the port is shut down.
  ■ Shutdown – The port is shut down.

Web Interface

To configure link detection on switch ports:
1. Click Security, Network Access.
2.
◆ There is no limitation on the number of entries used in a filter table.

Parameters

These parameters are displayed:
◆ Filter ID – Adds a filter rule for the specified filter. (Range: 1-64)
◆ MAC Address – The filter rule will check ingress packets against the entered MAC address or range of MAC addresses (as defined by the MAC Address Mask).
Figure 186: Showing the MAC Address Filter Table for Network Access

Displaying Secure MAC Address Information

Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Web Interface

To display the authenticated MAC addresses stored in the secure MAC address table:
1. Click Security, Network Access.
2. Select Show Information from the Step list.
3. Use the sort key to display addresses based on MAC address, interface, or attribute.
4.
Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Configuring Global Settings for HTTPS

Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
Note: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

Parameters

These parameters are displayed:
◆ HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
◆ HTTPS Port – Specifies the TCP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443)

Web Interface

To configure HTTPS:
1. Click Security, HTTPS.
2.
Caution: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased. When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one.
Figure 189: Downloading the Secure-Site Certificate

Configuring the Secure Shell

The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:

Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b.
Parameters

These parameters are displayed:
◆ SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled)
◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
Generating the Host Key Pair

Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section “Importing User Public Keys” on page 325.
To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4. Select the option to save the host key from memory to flash by clicking Save, or select the host-key type to clear and click Clear.
The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import.
◆ Source File Name – The public key file to upload.

Web Interface

To copy the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Copy from the Action list.
4.
Figure 194: Showing the SSH User’s Public Key

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
possible depends on too many factors to be precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose.

Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM.
Parameters

These parameters are displayed:

Add
◆ Time-Range Name – Name of a time range. (Range: 1-32 characters)

Add Rule
◆ Time-Range – Name of a time range.
◆ Mode
  ■ Absolute – Specifies a specific time or time range.
    ■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.
  ■ Periodic – Specifies a periodic interval.
    ■ Start/To – Specifies the days of the week, hours, and minutes at which to start or end.
3. Select Show from the Action list.

Figure 196: Showing a List of Time Ranges

To configure a rule for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a time range from the drop-down list.
5. Select a mode option of Absolute or Periodic.
6. Fill in the required parameters for the selected mode.
7. Click Apply.
3. Select Show Rule from the Action list.

Figure 198: Showing the Rules Configured for a Time Range

Showing TCAM Utilization

Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Web Interface

To show information on TCAM utilization:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show TCAM from the Action list.

Figure 199: Showing TCAM Utilization

Setting the ACL Name and Type

Use the Security > ACL (Configure ACL - Add) page to create an ACL.

Parameters

These parameters are displayed:
◆ ACL Name – Name of the ACL.
Web Interface

To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.

Figure 200: Creating an ACL

To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Configuring a Standard IPv4 ACL

Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.

Parameters

These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Address Type – Specifies the source IP address.
Figure 202: Configuring a Standard IPv4 ACL

Configuring an Extended IPv4 ACL

Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.

Parameters

These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Service Type – Packet priority settings based on the following criteria:
  ■ Precedence – IP precedence level. (Range: 0-7)
  ■ DSCP – DSCP priority level. (Range: 0-63)
◆ Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
◆ Control Code Bit Mask – Decimal number representing the code bits to match.
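The following added example (not part of this guide or the switch software) shows how a Control Code and Control Code Bit Mask pair selects TCP flags, and spells out what a given pair actually requires. It assumes the conventional masked comparison, in which a mask bit of 1 means "compare this flag" and 0 means "ignore it"; the TCP headers are constructed inline.

```python
import struct

# Flag bits held in the low six bits of byte 14 of the TCP header.
FLAG_BITS = (("FIN", 1), ("SYN", 2), ("RST", 4),
             ("PSH", 8), ("ACK", 16), ("URG", 32))


def build_tcp_header(src_port, dst_port, flags):
    """Build a constructed 20-byte TCP header (no options) with these flags."""
    data_offset = 5 << 4  # header length of five 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 8192, 0, 0)


def control_code(header):
    """Return the six flag bits from byte 14 (index 13 counting from zero)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def _check_range(value, label):
    if not 0 <= value <= 63:
        raise ValueError(f"{label} must be in the range 0-63")


def rule_matches(header, code, mask):
    """ASSUMPTION: masked compare, mask bit 1 = compare, mask bit 0 = ignore."""
    _check_range(code, "control code")
    _check_range(mask, "bit mask")
    return (control_code(header) & mask) == (code & mask)


def explain_rule(code, mask):
    """Describe which flags a (code, mask) pair requires set or clear.

    'ignored_code_bits' lists flags set in the code but not covered by the
    mask: they look like part of the rule yet have no effect on matching.
    """
    _check_range(code, "control code")
    _check_range(mask, "bit mask")
    return {
        "must_set": [n for n, b in FLAG_BITS if mask & b and code & b],
        "must_clear": [n for n, b in FLAG_BITS if mask & b and not code & b],
        "ignored_code_bits": [n for n, b in FLAG_BITS
                              if code & b and not mask & b],
    }


# Constructed sample segments: connection request, its reply, and a plain ACK.
SYN_ONLY = build_tcp_header(40000, 443, 2)
SYN_ACK = build_tcp_header(443, 40000, 2 | 16)
ACK_ONLY = build_tcp_header(40000, 443, 16)

if __name__ == "__main__":
    for code, mask in ((2, 2), (2, 18), (18, 2)):
        print(code, mask, explain_rule(code, mask))
        for name, seg in (("SYN", SYN_ONLY), ("SYN+ACK", SYN_ACK),
                          ("ACK", ACK_ONLY)):
            print("   ", name, rule_matches(seg, code, mask))
```

Code 2 with mask 2 matches any segment with SYN set, including SYN+ACK replies; mask 18 is needed to restrict the rule to connection requests.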
8. If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
9. Set any other required criteria, such as service type, protocol type, or control code.
10. Click Apply.

Figure 203: Configuring an Extended IPv4 ACL

Configuring a Standard IPv6 ACL

Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits)
◆ Time Range – Name of a time range.

Web Interface

To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3.
Configuring an Extended IPv6 ACL

Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.

Parameters

These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source Address Type – Specifies the source IP address type.
◆ Time Range – Name of a time range.

Web Interface

To add rules to an Extended IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any or IPv6-prefix).
8. If you select “Host,” enter a specific address.
Configuring a MAC ACL

Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.

Parameters

These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
Web Interface

To add rules to a MAC ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select MAC from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or MAC).
8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66).
Configuring an ARP ACL

Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 349).

Parameters

These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the packet type (Request, Response, All).
8. Select the address type (Any, Host, or IP).
9. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “IP,” enter a base address and a hexadecimal bit mask for an address range.
10. Enable logging if required.
11. Click Apply.
◆ Counter – Enables counter for ACL statistics.

Web Interface

To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Select IP, MAC or IPv6 from the Type options.
5. Select a port.
6. Select the name of an ACL from the ACL list.
7. Click Apply.
Command Usage

ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps:
1. Create an ACL as described in the preceding sections.
2. Add one or more mirrored ports to ACL as described under “Binding a Port to an Access Control List” on page 344.
3. Use the Add Mirror page to specify the ACL and the destination port to which matching traffic will be mirrored.
3. Select a port.

Figure 210: Showing the VLANs to Mirror

Showing ACL Hardware Counters

Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.

Parameters

These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Type – Selects the type of ACL.
◆ Direction – Displays statistics for ingress or egress traffic.
◆ Query – Displays statistics for selected criteria.
4. Select a port.
5. Select ingress or egress traffic.

Figure 211: Showing ACL Statistics

ARP Inspection

ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
  ■ When ARP Inspection is enabled globally, all ARP request and reply packets on inspection-enabled VLANs are redirected to the CPU and their switching behavior handled by the ARP Inspection engine.
  ■ If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including those where inspection is enabled.
ARP Inspection Logging
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ The administrator can configure the log facility rate.
◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
Web Interface

To configure global settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure General from the Step list.
3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
4. Click Apply.
◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.

Parameters

These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ DAI Status – Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled)
◆ ACL Name – Allows selection of any configured ARP ACLs.
Configuring Interface Settings for ARP Inspection

Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.

Parameters

These parameters are displayed:
◆ Interface – Port or trunk identifier.
◆ Trust Status – Configures the port as trusted or untrusted.
Displaying ARP Inspection Statistics

Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.

Parameters

These parameters are displayed:

Table 20: ARP Inspection Statistics
Parameter | Description
Received ARP packets before ARP inspection rate limit | Count of ARP packets received but not exceeding the ARP Inspection rate limit.
Figure 215: Displaying Statistics for ARP Inspection

Displaying the ARP Inspection Log

Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.

Parameters

These parameters are displayed:

Table 21: ARP Inspection Log
Parameter | Description
VLAN ID | The VLAN where this packet was seen.
Port | The port where this packet was seen.
Src.
Figure 216: Displaying the ARP Inspection Log

Filtering IP Addresses for Management Access

Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.

Command Usage
◆ The management interfaces are open to all IP addresses by default.
  ■ Telnet – Configures IP address(es) for the Telnet group.
  ■ All – Configures IP address(es) for all groups.
◆ Start IP Address – A single IP address, or the starting address of a range.
◆ End IP Address – The end address of a range.

Web Interface

To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Add from the Action list.
3.
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.

Figure 218: Showing IP Addresses Authorized for Management Access

Configuring Port Security

Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 313.
◆ MAC Filter ID – The identifier for a MAC address filter.
◆ Last Intrusion MAC – The last unauthorized MAC address detected.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request.
◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS. Native support for these encryption methods is provided in Windows 7, 8 and 10.

Configuring 802.
Web Interface

To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server.
4. Click Apply.

Figure 221: Configuring Global Settings for 802.
◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on this configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page.

Parameters

These parameters are displayed:
◆ Port – Port number.
◆ Max Count – The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected. (Range: 1-1024; Default: 5)
◆ Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  ■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (See “Configuring VLAN Groups” on page 170) and mapped on each port (See “Configuring Network Access for Ports” on page 310).

Supplicant List
◆ Supplicant – MAC address of authorized client.
Figure 222: Configuring Interface Settings for 802.1X Port Authenticator

Configuring Port Supplicant Settings for 802.1X

Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.1X is enabled and the control mode is set to Force-Authorized (see “Configuring Port Authenticator Settings for 802.
Parameters

These parameters are displayed:
◆ Port – Port number.
◆ PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled)
If the attached client must be authenticated through another device in the network, supplicant status must be enabled. Supplicant status can only be enabled if PAE Control Mode is set to “Force-Authorized” on this port (see “Configuring Port Authenticator Settings for 802.1X” on page 363).
Figure 223: Configuring Interface Settings for 802.1X Port Supplicant

Displaying 802.1X Statistics

Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.

Parameters

These parameters are displayed:

Table 22: 802.1X Statistics
Parameter | Description
Authenticator
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Table 22: 802.1X Statistics (Continued)
Parameter | Description
Tx EAP Req/Oth | The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.
Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
Supplicant
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Supplicant in which the frame type is not recognized.
Web Interface

To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.
4. Select a port.

Figure 224: Showing Statistics for 802.
To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.
4. Select a port.

Figure 225: Showing Statistics for 802.1X Port Supplicant

DoS Protection

Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
◆ Echo/Chargen Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second)
◆ Smurf Attack – Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets.
◆ UDP Flooding Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second)
◆ WinNuke Attack – Attacks which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.
IPv4 Source Guard

IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 387). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IPv4 address of a neighbor to access the network.
  ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
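The following added example (not part of this guide or the switch software) models the binding-table check described above and reports why a packet would fail it, which helps when triaging hosts that reuse a neighbor's address. It assumes that a packet with no matching binding is dropped and that the IP-only filter type is named “SIP”; the bindings and packets are constructed.

```python
from collections import namedtuple

# One row of the binding table and the fields checked on an ingress packet.
Binding = namedtuple("Binding", "vlan port ip mac entry_type")
Packet = namedtuple("Packet", "vlan port src_ip src_mac")

# Entry types that allow forwarding: static IP source guard binding or
# dynamic DHCP snooping binding.
FORWARDABLE = {"static", "dynamic"}
# "SIP-MAC" is named in the text; "SIP" (IP-only) is an ASSUMED name.
FILTER_TYPES = ("SIP", "SIP-MAC")


def _mac(value):
    """Normalize MAC notation so 00:11:.. and 00-11-.. compare equal."""
    return value.replace(":", "-").lower()


def evaluate(packet, bindings, filter_type="SIP-MAC"):
    """Return (verdict, reason) for one packet against the binding table."""
    if filter_type not in FILTER_TYPES:
        raise ValueError(f"unknown filter type: {filter_type}")
    ip_bound_elsewhere = False
    mac_mismatch = False
    for b in bindings:
        if b.entry_type not in FORWARDABLE or b.ip != packet.src_ip:
            continue
        if (b.vlan, b.port) != (packet.vlan, packet.port):
            ip_bound_elsewhere = True  # same IP, different VLAN or port
            continue
        if filter_type == "SIP-MAC" and _mac(b.mac) != _mac(packet.src_mac):
            mac_mismatch = True
            continue
        return "forward", "binding-match"
    # ASSUMPTION: packets without a matching binding are dropped.
    if mac_mismatch:
        return "drop", "mac-mismatch"
    if ip_bound_elsewhere:
        return "drop", "ip-bound-to-other-port-or-vlan"
    return "drop", "no-binding"


def triage(packets, bindings, filter_type="SIP-MAC"):
    """Return [(packet, reason)] for every packet the filter would drop."""
    dropped = []
    for packet in packets:
        verdict, reason = evaluate(packet, bindings, filter_type)
        if verdict == "drop":
            dropped.append((packet, reason))
    return dropped


# Constructed binding table: one DHCP-learned host and one static entry.
BINDINGS = [
    Binding(1, 5, "192.168.0.10", "00-11-22-33-44-55", "dynamic"),
    Binding(1, 6, "192.168.0.20", "00-11-22-33-44-66", "static"),
]

# Constructed packets: a legitimate host, a neighbor's IP used on port 6,
# a changed MAC on port 5, and an address with no binding at all.
PACKETS = [
    Packet(1, 5, "192.168.0.10", "00:11:22:33:44:55"),
    Packet(1, 6, "192.168.0.10", "00-11-22-33-44-66"),
    Packet(1, 5, "192.168.0.10", "00-11-22-33-44-99"),
    Packet(1, 7, "192.168.0.30", "00-11-22-33-44-77"),
]

if __name__ == "__main__":
    for mode in FILTER_TYPES:
        print(mode)
        for packet, reason in triage(PACKETS, BINDINGS, mode):
            print("  drop", packet, reason)
```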
Figure 227: Setting the Filter Type for IPv4 Source Guard

Configuring Static Bindings for IPv4 Source Guard

Use the Security > IP Source Guard > Static Binding (Configure ACL Table and Configure MAC Table) pages to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier.
  ■ A valid static IP source guard entry will be added to the binding table in MAC mode if one of the following conditions is true:
    ■ If there is no binding entry with the same IP address and MAC address, a new entry will be added to the binding table using the type of static IP source guard binding entry.
    ■ If there is a binding entry with the same IP address and MAC address, then the new entry shall replace the old one.
Web Interface
To configure static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Binding.
2. Select Configure ACL Table or Configure MAC Table from the Step list.
3. Select Add from the Action list.
4. Enter the required bindings for each port.
5. Click Apply.
Figure 228: Configuring Static Bindings for IPv4 Source Guard
To display static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Binding.
2.
Displaying Information for Dynamic IPv4 Source Guard Bindings
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
Parameters
These parameters are displayed:
Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
Figure 230: Showing the IPv4 Source Guard Binding Table
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (refer to the DHCPv6 Snooping commands in the CLI Reference Guide).
◆ Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table (using the Static Binding page) are automatically configured with an infinite lease time. Dynamic entries learned via DHCPv6 snooping are configured by the DHCPv6 server itself.
Guide), and static entries set by IPv6 Source Guard (see “Configuring Static Bindings for IPv6 Source Guard” on page 383).
■ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
◆ Static addresses entered in the source guard binding table are automatically configured with an infinite lease time.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via ND snooping, DHCPv6 snooping, or static addresses configured in the source guard binding table.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.
◆ Type – Shows the entry type:
  ■ DHCP – Dynamic DHCPv6 binding, stateful address.
  ■ ND – Dynamic Neighbor Discovery binding, stateless address.
  ■ STA – Static IPv6 Source Guard binding.
Web Interface
To configure static bindings for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Static Configuration.
2. Select Add from the Action list.
3. Enter the required bindings for each port.
4.
Displaying Information for Dynamic IPv6 Source Guard Bindings
Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
Parameters
These parameters are displayed:
Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IPv6 Address – A valid global unicast IPv6 address.
Figure 234: Showing the IPv6 Source Guard Binding Table
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
◆ Filtering rules are implemented as follows:
  ■ If DHCP snooping is disabled globally, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
DHCP Snooping Option 82
◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled)
◆ DHCP Snooping Rate Limit – Sets the maximum number of DHCP packets that can be trapped by the switch for DHCP snooping. (Range: 1-2048 packets/second)
Information
◆ DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay.
3. Select the required options for the general DHCP snooping process and for the DHCP snooping information option.
4. Click Apply.
Figure 235: Configuring Global Settings for DHCP Snooping
DHCP Snooping VLAN Configuration
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
Web Interface
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply.
Figure 236: Configuring DHCP Snooping on a VLAN
Configuring Ports for DHCP Snooping
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
■ Value – An arbitrary string inserted into the circuit identifier field. (Range: 1-32 characters)
Web Interface
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Interface from the Step list.
3. Set any ports within the local network or firewall to trusted.
4. Specify the mode used for sending circuit ID information, and an arbitrary string if required.
5.
◆ VLAN – VLAN to which this entry is bound.
◆ Interface – Port or trunk to which this entry is bound.
◆ Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
13 Basic Administration Protocols
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Chapter 13 | Basic Administration Protocols
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
System Log Configuration
Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
Note: The Flash Level must be equal to or less than the RAM Level.
Note: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Figure 240: Showing Error Messages Logged to System Memory
Remote Log Configuration
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
◆ Port – Specifies the UDP port number used by the remote server. (Range: 1-65535; Default: 514)
Web Interface
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers.
3. Click Apply.
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
◆ Server IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified. The switch attempts to connect to the listed servers in sequential order if the first server fails to respond.
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) Transmission Interval
◆ Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down.
Figure 243: Configuring LLDP Timing Attributes
Configuring LLDP Interface Attributes
Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
  ■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 167). (Default: Enabled)
■ VLAN Name – The name of all VLANs to which this interface has been assigned (see “IEEE 802.1Q VLANs” on page 167.
◆ Network Policy – This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Figure 244: Configuring LLDP Interface Attributes
Configuring LLDP Interface
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Table 24: LLDP MED Location CA Types (Continued)

CA Type   Description                  CA Value Example
21        Landmark or vanity address   Tech Center
26        Unit (apartment, suite)      Apt 519
27        Floor                        5
28        Room                         509B

Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 86).
◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.
◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
Figure 247: Displaying Local Device Information for LLDP (General)
Figure 248: Displaying Local Device Information for LLDP (Port)
Figure 249: Displaying Local Device Information for LLDP (Port Details)
Displaying LLDP Remote Device Information
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
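The fields shown for a remote device come from the TLVs in its LLDP advertisement, so decoding one shows exactly what a neighbor (or this switch) discloses on a port. The following is an added Python example, not code from the switch or this guide: a bounds-checked LLDPDU parser run against a constructed advertisement. The function names and every sample value are assumptions made for illustration; the TLV layout follows IEEE 802.1AB.

```python
import ipaddress
import struct

# Basic TLV type codes from IEEE 802.1AB.
END, CHASSIS_ID, PORT_ID, TTL, MGMT_ADDR = 0, 1, 2, 3, 8
TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}


class LLDPError(ValueError):
    """Raised when an LLDPDU is truncated or malformed."""


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in two bytes, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(data):
    """Yield (type, value) pairs, rejecting lengths that run past the buffer."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if length > len(data) - offset:
            raise LLDPError(f"TLV type {tlv_type} claims {length} bytes past the end")
        yield tlv_type, data[offset:offset + length]
        offset += length
        if tlv_type == END:
            return


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_id(value, mac_subtype):
    """Chassis ID / Port ID: one subtype byte, then the identifier itself."""
    if len(value) < 2:
        raise LLDPError("ID TLV too short")
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype and len(body) == 6:
        return format_mac(body)
    return body.decode("utf-8", errors="replace")  # other subtypes shown as text


def decode_management_address(value):
    """Length byte (covers family + address), address family, then the address."""
    if len(value) < 2 or value[0] < 2 or 1 + value[0] > len(value):
        raise LLDPError("bad management address length")
    family, addr = value[1], value[2:1 + value[0]]
    if family == 1 and len(addr) == 4:
        return str(ipaddress.IPv4Address(addr))
    if family == 2 and len(addr) == 16:
        return str(ipaddress.IPv6Address(addr))
    return format_mac(addr) if (family, len(addr)) == (6, 6) else addr.hex()


def parse_lldpdu(data):
    """Return the fields a neighbor discloses; raise LLDPError on bad input."""
    tlvs = list(iter_tlvs(data))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("LLDPDU must begin with Chassis ID, Port ID and TTL")
    info = {"management_addresses": [], "unparsed_tlv_types": []}
    for tlv_type, value in tlvs:
        if tlv_type == CHASSIS_ID:
            info["chassis_id"] = decode_id(value, mac_subtype=4)
        elif tlv_type == PORT_ID:
            info["port_id"] = decode_id(value, mac_subtype=3)
        elif tlv_type == TTL:
            if len(value) != 2:
                raise LLDPError("TTL must be two bytes")
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("utf-8", errors="replace")
        elif tlv_type == MGMT_ADDR:
            info["management_addresses"].append(decode_management_address(value))
        elif tlv_type != END:
            info["unparsed_tlv_types"].append(tlv_type)
    return info


def build_sample_lldpdu():
    """Constructed sample advertisement; every value in it is made up."""
    mgmt = bytes([5, 1, 192, 0, 2, 10]) + bytes([2, 0, 0, 0, 5, 0])
    return b"".join([
        tlv(CHASSIS_ID, bytes([4]) + bytes.fromhex("001122334455")),
        tlv(PORT_ID, bytes([5]) + b"Eth 1/5"),
        tlv(TTL, struct.pack("!H", 120)),
        tlv(5, b"access-sw-01"),
        tlv(MGMT_ADDR, mgmt),
        tlv(127, bytes.fromhex("0012bb01000f04")),  # org-specific, left undecoded
        tlv(END, b""),
    ])
```

Calling `parse_lldpdu(build_sample_lldpdu())` returns the chassis ID, port ID, TTL, system name and management address a listener on that port would learn, which is the basis for deciding which optional TLVs to leave enabled on edge ports.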
◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 26, "System Capabilities," on page 410.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 26, "System Capabilities," on page 410.)
◆ Management Address List – The management addresses for this device.
Table 28: Remote Port Auto-Negotiation Advertised Capability (Continued)

Bit   Capability
5     100BASE-TX full duplex mode
6     100BASE-T2 half duplex mode
7     100BASE-T2 full duplex mode
8     PAUSE for full-duplex links
9     Asymmetric PAUSE for full-duplex links
10    Symmetric PAUSE for full-duplex links
11    Asymmetric and Symmetric PAUSE for full-duplex links
12    1000BASE-X, -LX, -SX, -CX half duplex mode
13    1000BASE-X, -LX, -SX, -
Port Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.
Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
  ■ Voice
  ■ Voice Signaling
  ■ Guest Signaling
  ■ Guest Voice Signaling
  ■ Softphone Voice
  ■ Video Conferencing
  ■ Streaming Video
  ■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.
■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.
Web Interface
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.
Figure 251: Displaying Remote Device Information for LLDP (Port Details)
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
Figure 252: Displaying Remote Device Information for LLDP (End Node)
Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
◆ Neighbor Entries Dropped Count – The number of times that the remote database on this switch dropped an LLDPDU because of insufficient resources.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
Figure 253: Displaying LLDP Device Statistics (General)
Figure 254: Displaying LLDP Device Statistics (Port)
Power over Ethernet
The ECS4620-28P/52P can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the number of cables attached to each device.
Ports can be set to one of three power priority levels: critical, high, or low. To control the power supply within the switch’s budget, ports set at critical to high priority have power enabled in preference to those ports set at low priority. For example, when a device connected to a port is set to critical priority, the switch supplies the required power, if necessary by denying power to ports set for a lower priority during bootup.
power is provided to the port only if the switch can drop power to one or more lower-priority ports and thereby remain within its overall budget.
■ If a device is connected to a port after the switch has finished booting up and would cause the switch to exceed its budget, power will not be provided to that port regardless of its priority setting.
Figure 255: Setting a Port’s PoE Budget
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c.
Configuring SNMPv3 Management Access
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID.
4. Click Apply.
Figure 256: Configuring Global Settings for SNMP
Setting the Local Engine ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
Figure 257: Configuring the Local Engine ID for SNMP
Specifying a Remote Engine ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Figure 258: Configuring a Remote Engine ID for SNMP
To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
Add OID Subtree
◆ View Name – Lists the SNMP views configured in the Add View page. (Range: 1-32 characters)
◆ OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
Figure 261: Showing SNMP Views
To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
Figure 263: Showing the OID Subtree Configured for SNMP Views
Configuring SNMPv3 Groups
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 30: Supported Notification Messages
Model Level Group

newRoot 1.3.6.1.2.1.17.0.1
The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.

topologyChange 1.3.6.1.2.1.17.0.
Table 30: Supported Notification Messages (Continued)
Model Level Group

swPowerStatusChangeTrap 1.3.6.1.4.1.259.10.1.41.2.1.0.1
This trap is sent when the power state changes.

swPortSecurityTrap 1.3.6.1.4.1.259.10.1.41.2.1.0.36
This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.

swIpFilterRejectTrap 1.3.6.1.4.1.259.10.1.41.2.1.0.
Table 30: Supported Notification Messages (Continued)
Model Level Group

swCpuUtiRisingNotification 1.3.6.1.4.1.259.10.1.41.2.1.0.107
This notification indicates that the CPU utilization has risen from cpuUtiFallingThreshold to cpuUtiRisingThreshold.

swCpuUtiFallingNotification 1.3.6.1.4.1.259.10.1.41.2.1.0.
Web Interface
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.
Figure 264: Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
Figure 265: Showing SNMP Groups
Setting Community Access Strings
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
Web Interface
To set a community access string:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add Community from the Action list.
4. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
5. Click Apply.
Figure 266: Setting Community Access Strings
To show the community access strings:
1. Click Administration, SNMP.
2.
Configuring Local SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
Web Interface
To configure a local SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Local User from the Action list.
4. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified.
Figure 269: Showing Local SNMPv3 Users
To change a local SNMPv3 user group:
1. Click Administration, SNMP.
2. Select Change SNMPv3 Local User Group from the Action list.
3. Select the User Name.
4. Enter a new group name.
5.
Parameters
These parameters are displayed:
◆ User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
◆ Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
◆ Remote IP – IPv4 address of the remote device where the user resides.
◆ Security Model – The user security model; SNMP v1, v2c or v3.
5. Click Apply.
Figure 271: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
Specifying Trap Managers
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive)
Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page.
◆ UDP Port – Specifies the UDP port number used by the trap manager.
◆ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
  ■ Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
5.
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 276: Showing Trap Managers
Creating SNMP Notification Logs
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
◆ When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 446, a default notify filter will be created.
Parameters
These parameters are displayed:
◆ IP Address – The IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap – Add) page.
The notification log is stored locally.
Figure 278: Showing SNMP Notification Logs
Showing SNMP Statistics
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
Parameters
The following counters are displayed:
◆ SNMP packets input – The total number of messages delivered to the SNMP entity from the transport service.
◆ SNMP packets output – The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service.
◆ Too big errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig.
Remote Monitoring
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
◆ Sample Type – Tests for absolute or relative changes in the specified variable.
  ■ Absolute – The variable is compared directly to the thresholds at the end of the sampling period.
  ■ Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.
Figure 280: Configuring an RMON Alarm
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
Command Usage
◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
Web Interface
To configure an RMON event:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
6.
Figure 283: Showing Configured RMON Events
Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets - The number of buckets requested for this entry. (Range: 1-65536; Default: 50) The number of buckets granted is displayed on the Show page.
◆ Owner - Name of the person who created this entry. (Range: 1-127 characters)
Web Interface
To periodically sample statistics on a port:
1. Click Administration, RMON.
2.
4. Select a port from the list.
5. Click History.
Figure 285: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
Command Usage
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
Figure 287: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 288: Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2.
Figure 289: Showing Collected RMON Statistical Samples
Switch Clustering
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
  1. Create VLAN 4093 (see “Configuring VLAN Groups” on page 170).
  2. Add the participating ports to this VLAN (see “Adding Static Members to VLANs” on page 173), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Web Interface
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply.
Figure 290: Configuring a Switch Cluster
Cluster Member Configuration
Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
Web Interface
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.
Figure 291: Configuring Cluster Members
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.
Figure 293: Showing Cluster Candidates
Managing Cluster Members
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
Parameters
These parameters are displayed:
◆ Member ID – The ID number of the Member switch.
Web Interface
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.
Figure 294: Managing a Cluster Member
Ethernet Ring Protection Switching
Note: Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.
Operational Concept
Loop avoidance in the ring is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked to traffic. One designated node, the RPL owner, is responsible for blocking traffic over the RPL.
Figure 295: ERPS Ring Components (diagram labels: West Port, East Port, RPL (Idle State), RPL Owner, CC Messages)
Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology.
Interconnection nodes C and D have separate ERP Control Processes for each Ethernet Ring. Figure 296 on page 472 (Signal Fail Condition) illustrates a situation where protection switching has occurred due to an SF condition on the ring link between interconnection nodes C and D. The failure of this ring link triggers protection only on the ring to which it belongs, in this case ERP1.
that the ring has stabilized before blocking the RPL after recovery from a signal failure.
5. Configure the ERPS control VLAN (Configure Domain – Configure Details): Specify the control VLAN (CVLAN) used to pass R-APS ring maintenance commands. The CVLAN must NOT be configured with an IP address. In addition, only ring ports may be added to the CVLAN (prior to configuring the VLAN as a CVLAN).
ERPS Global Configuration
Use the Administration > ERPS (Configure Global) page to globally enable or disable ERPS on the switch.
Parameters
These parameters are displayed:
◆ ERPS Status – Enables ERPS on the switch. (Default: Disabled) ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring (by setting the Admin Status on the Configure Domain – Configure Details page).
Parameters
These parameters are displayed:
Add
◆ Domain Name – Name of an ERPS ring. (Range: 1-12 characters)
◆ Domain ID – ERPS ring identifier used in R-APS messages. (Range: 1-255)
Show
◆ Domain Name – Name of a configured ERPS ring.
◆ ID – ERPS ring identifier used in R-APS messages.
◆ Admin Status – Shows whether ERPS is enabled on the switch.
◆ Ver – Shows the ERPS version.
generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
  ■ Forwarding – The transmission and reception of traffic is allowed; transmission, reception and forwarding of R-APS messages is allowed.
  ■ Unknown – The interface is not in a known state (includes the domain being disabled).
◆ Local SF – A signal fault generated on a link to the local node.
  ■ Revertive/Non-revertive recovery
  ■ Forced Switch (FS) and Manual Switch (MS) commands for manually blocking a particular ring port
  ■ Flush FDB (forwarding database) logic which reduces the amount of flush FDB operations in the ring
  ■ Support of multiple ERP instances on a single ring
Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently.
◆ Node Type – Shows ERPS node type as one of the following:
  ■ None – Node is neither Ring Protection Link (RPL) owner nor neighbor. (This is the default setting.)
  ■ RPL Owner – Specifies a ring node to be the RPL owner.
    ■ Only one RPL owner can be configured on a ring.
protection reversion, or until there is another higher priority request (e.g., an SF condition) in the ring. A ring node that has one ring port in an SF condition and detects the SF condition cleared, continuously transmits the R-APS (NR – no request) message with its own Node ID as the priority information over both ring ports, informing that no request is present at this ring node and initiates a guard timer.
its RPL port, and transmits an R-APS (NR, RB) message in both directions, repeatedly.
d. Upon receiving an R-APS (NR, RB) message, any blocking node should unblock its non-failed ring port. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush the FDB.
b. Then, after the operator issues the Clear command (Configure Operation page) at the RPL Owner Node, this ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB) message on both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition.
c. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all Ethernet Ring Nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
■ Recovery with non-revertive mode is handled as follows:
a.
The node identifier may also be used for debugging, such as to distinguish messages when a node is connected to more than one ring.
◆ R-APS with VC – Configures an R-APS virtual channel to connect two interconnection points on a sub-ring, allowing ERPS protocol traffic to be tunneled across an arbitrary Ethernet network. (Default: Enabled)
  ■ A sub-ring may be attached to a primary ring with or without a virtual channel.
are terminated on the interconnection points. Since the sub-ring does not provide an R-APS channel nor R-APS virtual channel beyond the interconnection points, R-APS channel blocking is not employed on the normal ring links to avoid channel segmentation.
again. The major ring will not be broken, but the bandwidth of data traffic on the major ring may suffer for a short period of time due to this flooding behavior.
◆ Non-ERPS Device Protection – Sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through Signal Fault messages.
In order to coordinate timing of protection switches at multiple layers, a holdoff timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer.
If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
◆ WTB Expire – The time before the wait-to-block timer expires.
how ERPS recovers from a node failure, refer to the description of the Revertive parameter on this configuration page.
◆ RPL – If node is connected to the RPL, this shows by which interface.
Web Interface
To create an ERPS ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Add from the Action list.
4. Enter a name and optional identifier for the ring.
5. Click Apply.
Figure 302: Creating an ERPS Ring
To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
ERPS Forced and Manual Mode Operations
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.
Parameters
These parameters are displayed:
◆ Domain Name – Name of a configured ERPS ring.
◆ Operation – Specifies a Forced Switch (FS) or Manual Switch (MS) operation on the east or west ring port.
  ■ Forced Switch – Blocks specified ring port.
command. As such, two or more forced switches are allowed in the ring, which may inadvertently cause the segmentation of a ring. It is the responsibility of the operator to prevent this effect if it is undesirable.
Ring protection requests, commands and R-APS signals have the priorities as specified in the following table.
  ■ Manual Switch – Blocks specified ring port, in the absence of a failure or an FS command. (Options: West or East)
    ■ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the Manual Switch command triggers protection switching as follows:
      a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
■ Recovery for manual switching under revertive and non-revertive mode is described under the Revertive parameter.
Figure 304: Blocking an ERPS Ring Port
Connectivity Fault Management
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e.
Figure 306: Multiple CFM Maintenance Domains (diagram labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA)
Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
Configuring Global Settings for CFM
Use the Administration > CFM (Configure Global) page to configure global settings for CFM, such as enabling the CFM process on the switch, setting the start-up delay for cross-check operations, configuring parameters for the link trace cache, and enabling traps for events discovered by continuity check messages or cross-check messages.
name, MA name, MEPID, sequence number, and TTL value (see "Displaying Fault Notification Settings").
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Link Trace Cache attribute field.
◆ Link Trace Cache Size – The maximum size for the link trace cache.
A MEP Missing trap is sent if cross-checking is enabled, and no CCM is received for a remote MEP configured in the static list.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list.
Web Interface
To configure global settings for CFM:
1. Click Administration, CFM.
2.
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
Command Usage
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
Command Usage
Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
◆ More than one domain can be configured at the same maintenance level, but a single domain can only be configured with one maintenance level.
Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that the configured time period (MEP Fault Notify Alarm Time) has passed with one or more defects indicated, and fault alarms are enabled at or above the specified priority level (MEP Fault Notify Lowest Priority).
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain. (Range: 0-7)
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this domain:
  ■ Default – MIPs can be created for any maintenance association (MA) configured in this domain on any bridge port through which the MA’s VID can pass.
5. Specify the manner in which MIPs can be created within each domain.
6. Click Apply.
Figure 309: Configuring Maintenance Domains
To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Show from the Action list.
Figure 310: Showing Maintenance Domains
To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2.
Figure 311: Configuring Detailed Settings for Maintenance Domains
Configuring CFM Maintenance Associations
Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
◆ If a maintenance point fails to receive three consecutive CCMs from any other MEP in the same MA, a connectivity failure is registered.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
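The continuity-check rules above, together with the Cross Check MEP Missing and MEP Unknown traps from the global CFM settings, applied to a constructed list of received CCMs. This is an added example, not code from the guide or the switch; all function, field and parameter names are hypothetical, and two rules are assumptions: a CCM carrying the local MEP ID counts as an invalid MEPID, and "three consecutive CCMs" is modelled as three CCM intervals of silence.

```python
from dataclasses import dataclass

MEPID_RANGE = range(1, 8192)   # MEP ID range given in this guide: 1-8191
LEVEL_RANGE = range(0, 8)      # MD Level range given in this guide: 0-7
MISSED_CCMS = 3                # three consecutive CCMs not received


@dataclass(frozen=True)
class Ccm:
    time: float   # seconds since observation started
    mepid: int    # MEP ID carried in the CCM
    level: int    # maintenance level carried in the CCM


def check_ccms(ccms, now, local_mepid, local_level, interval,
               static_remote_meps, cross_check=True, start_delay=0.0):
    """Return a sorted list of (finding, mepid) as seen by one local MEP.

    interval           -- configured delay between CCMs, in seconds
    static_remote_meps -- MEP IDs entered as remote MEPs (the static list)
    start_delay        -- cross-check start-up delay, in seconds
    """
    findings = set()
    last_seen = {}
    for ccm in sorted(ccms, key=lambda c: c.time):
        if ccm.time > now:
            break
        bad_mepid = ccm.mepid not in MEPID_RANGE or ccm.mepid == local_mepid
        bad_level = ccm.level not in LEVEL_RANGE or ccm.level < local_level
        if bad_mepid or bad_level:
            # Invalid MEPID/level, or a level lower than our own.
            findings.add(("config-or-cross-connect-error", ccm.mepid))
            continue
        if ccm.level > local_level:
            # Assumption (IEEE 802.1ag behaviour, not stated on this page):
            # CCMs of an enclosing domain pass through and are not judged.
            continue
        if cross_check and ccm.mepid not in static_remote_meps:
            findings.add(("mep-unknown", ccm.mepid))
        last_seen[ccm.mepid] = ccm.time

    # A MEP that was heard from, then went quiet for three intervals.
    for mepid, seen in last_seen.items():
        if now - seen > MISSED_CCMS * interval:
            findings.add(("connectivity-failure", mepid))

    # Cross-check: a configured remote MEP that never sent a CCM.
    if cross_check and now >= start_delay:
        for mepid in static_remote_meps:
            if mepid not in last_seen:
                findings.add(("mep-missing", mepid))
    return sorted(findings)


# Constructed observation: local MEP 1 at level 5, 1-second CCM interval,
# remote MEPs 2 and 3 in the static list.
SAMPLE_CCMS = [
    Ccm(0.0, 2, 5), Ccm(1.0, 2, 5), Ccm(2.0, 2, 5),  # MEP 2, then silence
    Ccm(3.0, 4, 3),      # lower level than ours: overlapping MA
    Ccm(4.0, 9000, 5),   # MEP ID outside 1-8191
    Ccm(5.0, 1, 5),      # someone else using our own MEP ID
    Ccm(9.5, 7, 5),      # valid CCM from a MEP nobody configured
]

if __name__ == "__main__":
    for finding in check_ccms(SAMPLE_CCMS, now=10.0, local_mepid=1,
                              local_level=5, interval=1.0,
                              static_remote_meps={2, 3}, start_delay=5.0):
        print(finding)
```

Without cross-checking, the unconfigured MEP 7 and the silent MEP 3 produce no finding at all, which is why the static remote MEP list matters for spotting unexpected devices in an MA.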
◆ MA Name Format – Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format.
  ■ Character String – IEEE 802.1ag defined character string format. This is an IETF RFC 2579 DisplayString.
  ■ ICC Based – ITU-T SG13/SG15 Y.1731 defined ICC based format.
◆ Interval Level – The delay between sending CCMs.
4. Select an entry from the MD Index list.
5. Specify the MAs assigned to each domain, the VLAN through which CFM messages are passed, and the manner in which MIPs can be created within each MA.
6. Click Apply.
Figure 312: Creating Maintenance Associations
To show the configured maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Show from the Action list.
4.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6. Click Apply.
Figure 314: Configuring Detailed Settings for Maintenance Associations
Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs).
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier. (Range: 1-8191)
◆ MEP Direction – Up indicates that the MEP faces inward toward the switch cross-connect matrix, and transmits CFM messages towards, and receives them from, the direction of the internal bridge relay mechanism.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.
Figure 316: Showing Maintenance End Points
Configuring Remote Maintenance End Points
Use the Administration > CFM (Configure Remote MEP – Add) page to specify remote maintenance end points (MEPs) set on other CFM-enabled devices within a common MA.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191)
Web Interface
To configure a remote maintenance end point:
1. Click Administration, CFM.
2. Select Configure Remote MEP from the Step list.
3.
Figure 318: Showing Remote Maintenance End Points
Transmitting Link Trace Messages
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).
Command Usage
◆ LTMs can be targeted to MEPs, not MIPs.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
◆ Target
  ■ MEP ID – The identifier of a remote MEP that is the target of a link trace message.
Figure 319: Transmitting Link Trace Messages
Transmitting Loop Back Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
◆ Target
  ■ MEP ID – The identifier of a remote MEP that is the target of a loopback message. (Range: 1-8191)
  ■ MAC Address – MAC address of a remote MEP that is the target of a loopback message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
◆ Count – The number of times the loopback message is sent. (Range: 1-1024)
◆ Packet Size – The size of the loopback message.
Transmitting Delay-Measure Requests
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.
Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this function.
◆ Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds; Default: 1 second)
◆ Timeout – The timeout to wait for a response. (Range: 1-5 seconds; Default: 5 seconds)
Web Interface
To transmit delay-measure messages:
1. Click Administration, CFM.
2. Select Transmit Delay Measure from the Step list.
3.
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.
Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Details for Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier.
◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.
Web Interface
To show detailed information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5.
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)
Parameters
These parameters are displayed:
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MA Name – Maintenance association name.
Displaying Details for Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
Parameters
These parameters are displayed:
◆ MD Index – Domain index.
  ■ Down – The interface cannot pass packets.
  ■ Testing – The interface is in some test mode.
  ■ Unknown – The interface status cannot be determined for some reason.
  ■ Dormant – The interface is not in a state to pass packets but is in a pending state, waiting for some external event.
  ■ Not Present – Some component of the interface is missing.
Displaying the Link Trace Cache
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
Parameters
These parameters are displayed:
◆ Hops – The number of hops taken to reach the target MEP.
◆ MA – Maintenance association name.
◆ IP Address / Alias – IP address or DNS alias of the target device’s CPU.
  ■ HIT – Target located on this device.
Web Interface
To show information about link trace operations launched from this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Link Trace Cache from the Action list.
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Web Interface To show configuration settings for the fault notification generator: 1. Click Administration, CFM. 2. Select Show Information from the Step list. 3. Select Show Fault Notification Generator from the Action list.
Chapter 13 | Basic Administration Protocols OAM Configuration
■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
■ OVERLAP_LEV – A MEP is created for one VID at one maintenance level, but a MEP is configured on another VID at an equivalent or higher level, exceeding the bridge's capabilities.
◆ MA Name – The maintenance association for this entry.
Web Interface
To show CFM continuity check errors:
1.

◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.
Table 34: OAM Operation State
State        Description
Disabled     OAM is disabled on this interface via the OAM Admin Status.
Link Fault   The link has detected a fault or the interface is not operational.

■ Critical Event – If a critical event occurs, the local OAM entity indicates this to its peer by setting the appropriate flag in the next OAMPDU to be sent and stores this information in its OAM event log. (Default: Enabled) Critical events include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.

Figure 330: Enabling OAM for Local Ports
Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Clear – Clears statistical counters for the selected ports.

Web Interface
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.
Figure 331: Displaying Statistics for OAM Messages
Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.
Command Usage
◆ When a link event occurs, no matter whether the location is local or remote, this information is entered in the OAM event log.

Figure 332: Displaying the OAM Event Log
Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ MAC Address – MAC address of the OAM peer.
◆ OUI – Organizational Unit Identifier of the OAM peer.

Web Interface
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.
Figure 333: Displaying Status of Remote Interfaces
Configuring a Remote Loopback Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.

◆ Loopback Status – Shows if loopback testing is currently running.
Loopback Test Parameters
◆ Packet Number – Number of packets to send. (Range: 1-99999999; Default: 10000)
◆ Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Test – Starts the loop back test.
◆ End – Stops the loop back test.
Loop Back Status of Remote Device
◆ Result – Shows the loop back status on the peer.

3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4. Set the number of packets to send and the packet size, and then click Test.
Chapter 13 | Basic Administration Protocols UDLD Configuration
Figure 335: Displaying the Results of Remote Loop Back Testing
UDLD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.

Configuring UDLD Protocol Intervals
Use the Administration > UDLD > Configure Global page to configure the UniDirectional Link Detection message probe interval, detection interval, and recovery interval.
Parameters
These parameters are displayed:
◆ Message Interval – Configures the message interval between UDLD probe messages for ports in the advertisement phase and determined to be bidirectional.

Web Interface
To configure the UDLD message probe interval, detection interval, and recovery interval:
1. Click Administration, UDLD, Configure Global.
2. Select Configure Global from the Step list.
3. Configure the message and detection intervals.
4. Enable automatic recovery if required, and set the recovery interval.
5. Click Apply.

ends without the proper echo information being received, the link is considered to be unidirectional.
◆ Aggressive Mode – Reduces the shut-down delay after loss of bidirectional connectivity is detected. (Default: Disabled) UDLD can function in two modes: normal mode and aggressive mode.

Web Interface
To enable UDLD and aggressive mode:
1. Click Administration, UDLD, Configure Interface.
2. Enable UDLD and aggressive mode on the required ports.
3. Click Apply.
Figure 337: Configuring UDLD Interface Settings
Displaying UDLD Neighbor Information
Use the Administration > UDLD (Show Information) page to show UDLD neighbor information, including neighbor state, expiration time, and protocol intervals.

Web Interface
To display UDLD neighbor information:
1. Click Administration, UDLD, Show Information.
2. Select an interface from the Port list.
14 Multicast Filtering
This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ IGMP Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
◆ Layer 3 IGMP – Configures IGMP query used with multicast routing.
Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4)
Figure 339: Multicast Filtering Concept (figure labels: Unicast Flow, Multicast Flow)
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.

switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering. When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports. The primary enhancement provided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused.

Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 554).

◆ IGMP Querier – A router, or multicast-enabled switch, can periodically ask their hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier” and assumes the role of querying the LAN for group members.

If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a time out mechanism is used to delete all of the currently learned multicast channels. When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out the new uplink port.

◆ Unregistered Data Flooding – Floods unregistered multicast traffic into the attached VLAN. (Default: Disabled) Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned.
3. Click Apply.
Figure 340: Configuring General Settings for IGMP Snooping
Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.

Show Static Multicast Router
◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.
◆ Interface – Shows the interface to which the specified static multicast routers are attached.
Show Current Multicast Router
◆ VLAN – Selects the VLAN for which to display any currently active multicast routers.
◆ Interface – Shows the interface to which an active multicast router is attached.

Figure 342: Showing Static Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM) to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.

ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
Command Usage
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.

To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.

Note: The default values recommended in the MRD draft are implemented in the switch.
Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.

Parameters
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4094)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.

joining the multicast group. Only when all hosts on that port leave the group will the member port be deleted.
◆ Multicast Router Discovery – MRD is used to discover which interfaces are attached to multicast routers. (Default: Disabled)
◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts.

◆ Query Interval – The interval between sending IGMP general queries. (Range: 2-31744 seconds; Default: 125 seconds) An IGMP general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.

To resolve this problem, the source address in proxied IGMP query messages can be replaced with any valid unicast address (other than the router’s own address).
Web Interface
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
Figure 347: Showing Interface Settings for IGMP Snooping
Filtering IGMP Query Packets and Multicast Data
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.
Parameters
These parameters are displayed:
◆ Interface – Port or Trunk identifier.

Figure 348: Dropping IGMP Query or Multicast Data Packets
Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 548).

Web Interface
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.
2. Select the VLAN for which to display this information.
Figure 349: Showing Multicast Groups Learned by IGMP Snooping
Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.

◆ Self Querier Uptime – Time local querier has been up.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.

◆ Leave – The number of leave messages sent from this interface.
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
Web Interface
To display statistics for IGMP snooping query-related messages:
1. Click Multicast, IGMP Snooping, Statistics.
2.

Figure 351: Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.

Figure 353: Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.

Web Interface
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.
Figure 354: Creating an IGMP Filtering Profile
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2.

4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.
Figure 356: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4.

set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
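The following added example (not part of the guide and not the switch's own code) models how a filter profile and a per-port group limit combine when a host sends IGMP joins, which is useful for predicting what a planned profile will admit before applying it. The class names, the permit/deny profile semantics, and the "deny" throttling action are assumptions, since this section only states the profile's access mode and the random-removal behaviour of the replace action.

```python
"""Model of per-port IGMP filtering and throttling (added example).

Assumptions (not stated in full on this page):
  * access mode "permit": only groups inside the profile's ranges may be joined
  * access mode "deny":   only groups outside the profile's ranges may be joined
  * throttle action "deny": joins beyond the group limit are dropped
The "replace" action follows the page: a random existing group is removed.
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class FilterProfile:  # hypothetical name
    access_mode: str                   # "permit" or "deny"
    ranges: List[Tuple[str, str]]      # inclusive (start, end) group ranges

    def __post_init__(self) -> None:
        if self.access_mode not in ("permit", "deny"):
            raise ValueError("access_mode must be 'permit' or 'deny'")

    def allows(self, group: str) -> bool:
        addr = ipaddress.IPv4Address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not an IPv4 multicast address")
        in_range = any(
            ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
            for lo, hi in self.ranges
        )
        return in_range if self.access_mode == "permit" else not in_range


@dataclass
class Port:  # hypothetical name
    profile: Optional[FilterProfile]
    max_groups: int
    throttle_action: str               # "deny" or "replace"
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    groups: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.throttle_action not in ("deny", "replace"):
            raise ValueError("throttle_action must be 'deny' or 'replace'")

    def join(self, group: str) -> str:
        """Process one join report and return the verdict for it."""
        # Filtering is evaluated first: a filtered group never counts
        # against the throttling limit.
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "already-member"
        if len(self.groups) < self.max_groups:
            self.groups.add(group)
            return "joined"
        # Limit reached. With a limit of zero there is nothing to replace.
        if self.throttle_action == "deny" or not self.groups:
            return "throttled"
        victim = self.rng.choice(sorted(self.groups))
        self.groups.remove(victim)
        self.groups.add(group)
        return f"replaced {victim}"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed join sequence against a permit profile, limit of 2."""
    profile = FilterProfile("permit", [("239.1.1.1", "239.1.1.10")])
    port = Port(profile, max_groups=2, throttle_action="deny")
    joins = ["239.1.1.1", "239.1.1.2", "239.1.1.3", "239.9.9.9", "239.1.1.1"]
    return [(g, port.join(g)) for g in joins]


if __name__ == "__main__":
    for group, verdict in run_demo():
        print(f"{group:12s} {verdict}")
```

With the replace action an existing subscriber on the port can lose its stream whenever another host joins a new group, so the limit and action should be chosen per port according to how many subscribers share it.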
Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6)
Figure 358: Configuring IGMP Filtering and Throttling Interface Settings
MLD Snooping (Snooping and Query for IPv6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.

An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.
◆ Robustness – MLD Snooping robustness variable.

3. Click Apply.
Figure 359: Configuring General Settings for MLD Snooping
Setting Immediate Leave Status for MLD Snooping per Interface
Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.
Parameters
These parameters are displayed:
◆ VLAN – A VLAN identification number.

Figure 360: Configuring Immediate Leave for MLD Snooping
Specifying Static Interfaces for an IPv6 Multicast Router
Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.

Figure 361: Configuring a Static Interface for an IPv6 Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.

Assigning Interfaces to IPv6 Multicast Services
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see “Configuring MLD Snooping and Query Parameters” on page 573).

Figure 364: Assigning an Interface to an IPv6 Multicast Service
To show the static interfaces assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.

Figure 366: Showing Current Interfaces Assigned to an IPv6 Multicast Service
Showing MLD Snooping Groups and Source List
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Interface – Port or trunk identifier.
Chapter 14 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing)
Web Interface
To display known MLD multicast groups:
1. Click Multicast, MLD Snooping, Group Information.
2. Select the port or trunk, and then select a multicast service assigned to that interface.

Router Discovery” on page 556.)
IGMP Proxy – A device can learn about the multicast service requirements of hosts attached to its downstream interfaces, proxy this group membership information to the upstream router, and forward multicast packets based on that information.
Configuring IGMP
Use the Multicast > IGMP > Proxy page to configure IGMP Proxy Routing.

switch, IGMP proxy routing has only one upstream connection to the core network side and multiple downstream connections to the customer side. The IGMP proxy routing tree must be manually configured by designating one upstream interface and multiple downstream interfaces on each proxy device.

◆ Multicast routing protocols are not supported when IGMP proxy service is enabled.
◆ Only one upstream interface is supported on the system.
◆ A maximum of 1024 multicast entries are supported.
Parameters
These parameters are displayed:
◆ VLAN – VLAN interface on which to configure IGMP proxy service.

Configuring IGMP Interface Parameters
Use the Multicast > IGMP > Interface page to configure interface settings for IGMP. The switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. The hosts may respond with several types of IP multicast messages.

meaning that this device will not advertise a QRV in any query messages it subsequently sends.
◆ Query Interval – Configures the frequency at which host query messages are sent. (Range: 1-255; Default: 125 seconds) Multicast routers send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service.

3. Click Apply.
Figure 370: Configuring IGMP Interface Settings
Configuring Static IGMP Group Membership
Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.
Command Usage
◆ Group addresses within the entire multicast group address range can be specified.

◆ Source Address – The source address of a multicast server transmitting traffic to the specified multicast group address.
Web Interface
To configure static IGMP groups:
1. Click Multicast, IGMP, Static Group.
2. Select Add from the Action list.
3. Select a VLAN interface to be assigned as a static multicast group member, and then specify the multicast group.

Displaying Multicast Group Information
When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP. When IGMP (Layer 3) is disabled and IGMP (Layer 2) is enabled, the active multicast groups can be viewed on the Multicast > IGMP Snooping > Forwarding Entry page (see page 563).

◆ Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
◆ Interface – The interface on the switch that has received traffic directed to the multicast group address.
◆ Up Time – The time elapsed since this entry was created.
Chapter 14 | Multicast Filtering Multicast VLAN Registration for IPv4
Figure 373: Displaying Multicast Groups Learned from IGMP (Information)
To display detailed information about the current multicast groups learned through IGMP:
1. Click Multicast, IGMP, Group Information.
2. Select Show Details from the Action list.
3. Select a VLAN. The selected entry must be a configured IP interface.

from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).
Figure 375: MVR Concept (figure labels: Multicast Router, Satellite Services, Multicast Server, Layer 2 Switch, Source Port, Service Network, Receiver Ports, Set-top Box, PC, TV)
Command Usage
◆ General Configuration Guidelines for MVR:
1.

Configuring MVR Global Settings
Use the Multicast > MVR (Configure Global) page to configure proxy switching and the robustness variable.
Parameters
These parameters are displayed:
◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.

◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter sets the general query interval at which active receiver ports send out general queries.
■ This interval is only effective when proxy switching is enabled.

Configuring MVR Domain Settings
Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.

4. Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.

◆ End IP Address – Ending IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Associate Profile
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Profile Name – The name of a profile to be assigned to this domain. (Range: 1-21 characters)
Web Interface
To configure an MVR group address profile:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3.

To show the configured MVR group address profiles:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 379: Displaying MVR Group Address Profiles
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 381: Showing the MVR Group Address Profiles Assigned to a Domain
Configuring MVR Interface Status
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.

response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.

Web Interface
To configure interface settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Interface from the Step list.
3. Select an MVR domain.
4. Click Port or Trunk.
5. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
6. Click Apply.

Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Interface – Port or trunk identifier.
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page.
Web Interface
To assign a static MVR group to an interface:
1.

4. Select an MVR domain.
5. Select the port or trunk for which to display this information.
Figure 384: Showing the Static MVR Groups Assigned to a Port
Displaying MVR Receiver Groups
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.

Web Interface
To display the interfaces assigned to the MVR receiver groups:
1. Click Multicast, MVR.
2. Select Show Member from the Step list.
3. Select an MVR domain.
Figure 385: Displaying MVR Receiver Groups
Displaying MVR Statistics
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.

◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.

Web Interface
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.

To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
To display MVR protocol-related statistics for a port:

1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR domain.
5. Select a Port.

Figure 388: Displaying MVR Statistics – Port

Multicast VLAN Registration for IPv6

MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv4” on page 591).

3. Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR6 Interface Status” on page 615).
4. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see “Assigning Static MVR6 Multicast Groups to Interfaces” on page 617).

◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. (Range: 1-10; Default: 2)
■ This parameter is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.

Figure 389: Configuring Global Settings for MVR6

Configuring MVR6 Domain Settings

Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.

Parameters

These parameters are displayed:

◆ Domain ID – An independent multicast domain.

IPv6 address including the network prefix and host address bits. By default, all MVR6 reports sent upstream use a null source IP address. All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.)
◆ The MVR6 group address range assigned to a profile cannot overlap with the group address range of any other profile.
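The address format, reserved-address and no-overlap rules above can be checked offline before profiles are entered on the switch. The following Python check is an added example, not Edge-Core code; the `Profile` fields, the sample profiles, and the reading of “ff02::X is reserved” as the whole ff02::/16 link-local multicast scope are assumptions.

```python
"""Pre-flight check for planned MVR6 group address profiles (added example)."""
import ipaddress
from typing import NamedTuple

# Assumption: "ff02::X is reserved" is read as the whole link-local scope.
RESERVED = ipaddress.ip_network("ff02::/16")
MULTICAST = ipaddress.ip_network("ff00::/8")


class Profile(NamedTuple):      # hypothetical record: name plus start/end address
    name: str
    start: str
    end: str


def parse(text):
    """Return an IPv6Address, or None if the text is not plain colon-hex notation."""
    # The guide asks for colon-separated hex groups, so embedded IPv4
    # ("::ffff:1.2.3.4") and zone identifiers ("%1") are rejected here.
    if "." in text or "%" in text:
        return None
    try:
        return ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return None


def check_profiles(profiles):
    """Return a list of (profile_name, problem) tuples; an empty list means clean."""
    problems = []
    ranges = []     # (start_int, end_int, name) for every well-formed range
    for p in profiles:
        start, end = parse(p.start), parse(p.end)
        if start is None or end is None:
            problems.append((p.name, "malformed IPv6 address"))
            continue
        if start > end:
            problems.append((p.name, "start address is above end address"))
            continue
        if start not in MULTICAST or end not in MULTICAST:
            problems.append((p.name, "range is not IPv6 multicast"))
            continue
        # Two closed intervals intersect when each starts before the other ends.
        if (int(start) <= int(RESERVED.broadcast_address)
                and int(end) >= int(RESERVED.network_address)):
            problems.append((p.name, "range includes reserved ff02::X addresses"))
        ranges.append((int(start), int(end), p.name))

    # Sweep the ranges in start order and remember the furthest end seen so
    # far; a range that starts at or before that end overlaps an earlier one.
    ranges.sort()
    reach_end, reach_name = -1, None
    for start, end, name in ranges:
        if reach_name is not None and start <= reach_end:
            problems.append((name, f"overlaps profile {reach_name}"))
        if end > reach_end:
            reach_end, reach_name = end, name
    return problems


# Constructed sample plan, not taken from any real deployment.
SAMPLE = [
    Profile("iptv-sd", "ff05::1:0", "ff05::1:ff"),
    Profile("iptv-hd", "ff05::1:80", "ff05::1:1ff"),   # overlaps iptv-sd
    Profile("mgmt", "ff02::10", "ff02::20"),           # reserved scope
    Profile("typo", "ff05:::1", "ff05::2"),            # three colons in a row
    Profile("radio", "ff05::2:0", "ff05::2:f"),        # clean
]

if __name__ == "__main__":
    for name, problem in check_profiles(SAMPLE):
        print(f"{name}: {problem}")
```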
Figure 391: Configuring an MVR6 Group Address Profile

To show the configured MVR6 group address profiles:

1. Click Multicast, MVR6.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.

Figure 392: Displaying MVR6 Group Address Profiles

To assign an MVR6 group address profile to a domain:

1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.

Figure 393: Assigning an MVR6 Group Address Profile to a Domain

To show the MVR6 group address profiles assigned to a domain:

1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Show from the Action list.

membership for MVR6 receiver ports cannot be set to access mode (see “Adding Static Members to VLANs” on page 173).
◆ One or more interfaces may be configured as MVR6 source ports. A source port is able to both receive and send data for configured MVR6 groups or for groups which have been statically assigned (see “Assigning Static MVR Multicast Groups to Interfaces” on page 601). All source ports must belong to the MVR6 VLAN.

“Active” only if there are subscribers receiving multicast traffic from one of the MVR6 groups, or a multicast group has been statically assigned to an interface.
◆ Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR6 receiver.

◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.)
◆ The MVR6 VLAN cannot be specified as the receiver VLAN for static bindings.

To show the static MVR6 groups assigned to an interface:

1. Click Multicast, MVR6.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR6 domain.
5. Select the port or trunk for which to display this information.

◆ Count – The number of multicast services currently being forwarded from the MVR6 VLAN.
◆ Clear MVR6 Group – Clears multicast group information dynamically learned through MVR6. Statically configured multicast addresses are not cleared.

Web Interface

To display the interfaces assigned to the MVR6 receiver groups:

1. Click Multicast, MVR6.
2. Select Show Member from the Step list.
3. Select an MVR6 domain.

◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.

Web Interface

To display statistics for MVR6 query-related messages:

1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR6 domain.

To display MVR6 protocol-related statistics for a VLAN:

1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.

To display MVR6 protocol-related statistics for a port:

1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
15 IP Configuration

This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can only be manually configured.

Chapter 15 | IP Configuration Setting the Switch’s IP Address (IP Version 4)

◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 687) or use dynamic routing; i.e., RIP (page 704), OSPFv2 (page 722), OSPFv3, or BGPv4. Note that OSPFv3 and BGPv4 are only supported through the Command Line Interface.

Web Interface

To set a static IPv4 address for the switch:

1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask.
4. Click Apply.

Figure 403: Configuring a Dynamic IPv4 Address

Note: The switch will also broadcast a request for IP configuration settings on each power reset.

Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.

Figure 404: Showing the Configured IPv4 Address for an Interface

Sending DHCP Inform Requests for Additional Information

Use the IP > General > Routing Interface (Configure Interface) page to submit a DHCP request for information about the default domain name server and default gateway from a VLAN interface configured with a static IPv4 address.
Chapter 15 | IP Configuration Setting the Switch’s IP Address (IP Version 6)

Web Interface

To send DHCP Inform requests for additional information:

1. Click IP, General, Routing Interface.
2. Select Configure Interface from the Action list.
3. Select a VLAN configured with a static IPv4 address.
4. Set the DHCP inform field to the required status.
5. Click Apply.

Configuring the IPv6 Default Gateway

Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.

Parameters

These parameters are displayed:

◆ Default Gateway – Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.

Configuring IPv6 Interface Settings

Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including explicit configuration of a link local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.

Command Usage

◆ The switch must be configured with a link-local address.

■ All devices on the same physical medium must use the same MTU in order to operate correctly.
■ IPv6 must be enabled on an interface before the MTU can be set. If an IPv6 address has not been assigned to the switch, “N/A” is displayed in the MTU field.
◆ ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection.

◆ ND Reachable-Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds) Default: 30000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements.
■ The time limit configured by this parameter allows the router to detect unavailable neighbors.

duplicate address detection messages, the neighbor solicitation message interval, and the amount of time that a remote IPv6 node is considered reachable.
6. Click Apply.

Figure 407: Configuring General Settings for an IPv6 Interface

To configure RA Guard for the switch:

1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Select RA Guard mode.
4. Enable RA Guard for untrusted interfaces.
5.

Configuring an IPv6 Address

Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.

Command Usage

◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.

a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4094)
◆ Address Type – Defines the address type configured for this interface.

■ The specified address replaces a link-local address that was automatically generated for the interface.
◆ IPv6 Address – IPv6 address assigned to this interface.

Web Interface

To configure an IPv6 address:

1. Click IP, IPv6 Configuration.
2. Select Add IPv6 Address from the Action list.
3. Specify the VLAN to configure, select the address type, and then enter an IPv6 address and prefix length.
4. Click Apply.

nodes. The interface-local multicast address is only used for loopback transmission of multicast traffic. Link-local multicast addresses cover the same types as used by link-local unicast addresses, including all nodes (FF02::1), all routers (FF02::2), and solicited nodes (FF02::1:FFXX:XXXX) as described below.
Showing the IPv6 Neighbor Cache

Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.

Parameters

These parameters are displayed:

Table 36: Show IPv6 Neighbors - display description
Field – Description
IPv6 Address – IPv6 address of neighbor.
Age – The time since the address was verified as reachable (in seconds).

Web Interface

To show neighboring IPv6 devices:

1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.

Figure 411: Showing IPv6 Neighbors

Showing IPv6 Statistics

Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.

Parameters

These parameters are displayed:

Table 37: Show IPv6 Statistics - display description
Field – Description
IPv6 Statistics
IPv6 Received
Total – The total number of input datagrams received by the interface, including those received in error.

IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.

Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface.
Redirect Messages – The number of Redirect messages received by the interface.
Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.

Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Output – The total number of UDP datagrams sent from this entity.

Web Interface

To show the IPv6 statistics:

1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3.

Figure 413: Showing IPv6 Statistics (ICMPv6)

Figure 414: Showing IPv6 Statistics (UDP)

Showing the MTU for Responding Destinations

Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
16 IP Services

This chapter describes the following IP services:

◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ DHCP – Configures client, relay, dynamic provisioning, and DHCP server.
◆ UDP Helper – Configures the switch to forward UDP broadcast packets originating from host applications to another part of the network.

Chapter 16 | IP Services Domain Name Service

Parameters

These parameters are displayed:

◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)

Web Interface

To configure general settings for DNS:

1. Click IP Service, DNS.
2.

of Name Servers” on page 652).
◆ If all name servers are deleted, DNS will automatically be disabled.

Parameters

These parameters are displayed:

Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters)

Web Interface

To create a list of domain names:

1. Click IP Service, DNS.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.

Configuring a List of Name Servers

Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.

Command Usage

◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 649).

Figure 420: Showing the List of Name Servers for DNS

Configuring Static DNS Host to Address Entries

Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.

Command Usage

◆ Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.

To show static entries in the DNS table:

1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.

Figure 422: Showing Static Entries in the DNS Table

Displaying the DNS Cache

Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.

Command Usage

Servers or other network devices may support one or more connections via multiple IP addresses.

Web Interface

To display entries in the DNS cache:

1. Click IP Service, DNS, Cache.

Figure 423: Showing Entries in the DNS Cache

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up.
Table 39: Options 60, 66 and 67 Statements
Option – Statement Keyword – Statement Parameter
60 – vendor-class-identifier – a string indicating the vendor class identifier
66 – tftp-server-name – a string indicating the tftp server name
67 – bootfile-name – a string indicating the bootfile name

◆ By default, DHCP option 66/67 parameters are not carried in a DHCP server reply.

Web Interface

To configure a DHCP client identifier:

1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
3. Click Apply.

IPv6 Configuration (Configure Global) page (see “Configuring the IPv6 Default Gateway” on page 631).
◆ DHCP relay configuration will be disabled if an active DHCP server is detected on the same network segment.

Parameters

These parameters are displayed:

◆ VLAN ID – ID of configured VLAN.
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.

Figure 427: DHCP Server (address pool: 8 network address pools; static addresses: 32 static addresses, all within the confines of configured network address pools)

Command Usage

◆ First configure any excluded addresses, including the address for this switch.
◆ Then configure address pools for the network interfaces. You can configure up to 8 network address pools. You can also manually bind an address to a specific client if required.

Figure 428: Enabling the DHCP Server

Setting Excluded Addresses

Use the IP Service > DHCP > Server (Configure Excluded Addresses – Add) page to specify the IP addresses that should not be assigned to clients.

Parameters

These parameters are displayed:

◆ Start IP Address – Specifies a single IP address or the first address in a range that the DHCP server should not assign to DHCP clients.

Figure 429: Configuring Excluded Addresses on the DHCP Server

To show the IP addresses excluded for DHCP clients:

1. Click IP Service, DHCP, Server.
2. Select Configure Excluded Addresses from the Step list.
3. Select Show from the Action list.

found, it assigns an address from the matching network address pool. However, if no matching address pool is found the request is ignored.
◆ When searching for a manual binding, the switch compares the client identifier and then the hardware address for DHCP clients. Since BOOTP clients cannot transmit a client identifier, you must configure a hardware address for this host type.
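The DHCP server limits and the manual-binding match order described above can be checked against a planned configuration before it is entered. The following Python check is an added example, not Edge-Core code; the `HostBinding` record, its `bootp` flag, the sample plan, and the reading of the match order as "client identifier first, hardware address second" are assumptions.

```python
"""Lint a planned DHCP server configuration against the guide's rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_NETWORK_POOLS = 8   # limit stated in the guide
MAX_STATIC_HOSTS = 32   # limit stated in the guide


@dataclass
class HostBinding:          # hypothetical record for one manual (host) binding
    name: str
    ip: str
    client_id: Optional[str] = None
    hw_addr: Optional[str] = None
    bootp: bool = False     # True if the host is a BOOTP client


def _mac(text):
    """Normalise a MAC address so 00-11-22.. and 00:11:22.. compare equal."""
    return "".join(c for c in text.lower() if c in "0123456789abcdef")


def lint_plan(switch_ip, excluded, networks, hosts):
    """excluded: list of (first, last) address strings; networks: CIDR strings."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in networks]
    if len(nets) > MAX_NETWORK_POOLS:
        findings.append(f"{len(nets)} network pools, limit is {MAX_NETWORK_POOLS}")
    if len(hosts) > MAX_STATIC_HOSTS:
        findings.append(f"{len(hosts)} static addresses, limit is {MAX_STATIC_HOSTS}")

    # The switch's own address must be excluded before pools are defined.
    sw = ipaddress.ip_address(switch_ip)
    shielded = any(
        ipaddress.ip_address(lo) <= sw <= ipaddress.ip_address(hi)
        for lo, hi in excluded
    )
    if any(sw in n for n in nets) and not shielded:
        findings.append(f"switch address {sw} is inside a pool but not excluded")

    for h in hosts:
        ip = ipaddress.ip_address(h.ip)
        # Static addresses must sit within a configured network pool.
        if not any(ip in n for n in nets):
            findings.append(f"{h.name}: {ip} is outside every network pool")
        # BOOTP clients cannot send a client identifier, so only a
        # hardware address can ever match them.
        if h.bootp and not h.hw_addr:
            findings.append(f"{h.name}: BOOTP client has no hardware address")
        elif not (h.client_id or h.hw_addr):
            findings.append(f"{h.name}: no client identifier or hardware address")
    return findings


def find_binding(hosts, client_id, hw_addr):
    """Model of the lookup order: client identifier first, then hardware address."""
    if client_id is not None:
        for h in hosts:
            if h.client_id == client_id:
                return h
    if hw_addr is not None:
        for h in hosts:
            if h.hw_addr and _mac(h.hw_addr) == _mac(hw_addr):
                return h
    return None


# Constructed sample plan, not taken from any real deployment.
SWITCH_IP = "192.168.1.1"
EXCLUDED = [("192.168.1.2", "192.168.1.10")]
NETWORKS = ["192.168.1.0/24"]
HOSTS = [
    HostBinding("printer", "192.168.1.50", client_id="printer-01",
                hw_addr="00:11:22:33:44:55"),
    HostBinding("kiosk", "192.168.2.20", client_id="kiosk-7", bootp=True),
    HostBinding("camera", "192.168.1.60", hw_addr="00-11-22-33-44-66"),
]

if __name__ == "__main__":
    for finding in lint_plan(SWITCH_IP, EXCLUDED, NETWORKS, HOSTS):
        print(finding)
```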
◆ DNS Server – The IP address of the primary and alternate DNS server. DNS servers must be configured for a DHCP client to map host names to IP addresses.
◆ Netbios Server – IP address of the primary and alternate NetBIOS Windows Internet Naming Service (WINS) name server used for Microsoft DHCP clients.
◆ Netbios Type – NetBIOS node type for Microsoft DHCP clients.

Figure 431: Configuring DHCP Server Address Pools (Network)

Figure 432: Configuring DHCP Server Address Pools (Host)

To show the configured DHCP address pools:

1. Click IP Service, DHCP, Server.
2. Select Configure Pool from the Step list.
3. Select Show from the Action list.

Figure 433: Showing Configured DHCP Server Address Pools

Displaying Address Bindings

Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server.

Parameters

These parameters are displayed:

◆ IP Address – IP address assigned to host.
◆ MAC Address – MAC address of host.
◆ Lease Time – Duration that this IP address can be used by the host.

Forwarding UDP Service Requests

This section describes how this switch can forward UDP broadcast packets originating from host applications to another part of the network when a local application server is not available.

Command Usage

◆ Network hosts occasionally use UDP broadcasts to determine information such as address configuration, and domain name mapping.

Specifying UDP Destination Ports

Use the IP Service > UDP Helper > Forwarding page to specify the UDP destination ports for which broadcast traffic will be forwarded when the UDP helper is enabled.

Command Usage

Up to 100 UDP ports can be specified with this command for forwarding to one or more remote servers.

Parameters

These parameters are displayed:

◆ Destination UDP Port – UDP application port for which UDP service requests are forwarded.

To show the configured UDP destination ports:

1. Click IP Service, UDP Helper, Forwarding.
2. Select Show from the Action list.

Figure 437: Showing the UDP Destination Ports

Specifying the Target Server or Subnet

Use the IP Service > UDP Helper > Address page to specify the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded.

Parameters

These parameters are displayed:

◆ VLAN ID – VLAN identifier (Range: 1-4094)
◆ IP Address – Host address or directed broadcast address to which UDP broadcast packets are forwarded. (Range: 1-65535)

Web Interface

To specify the target server or subnet for forwarding UDP request packets:

1. Click IP Service, UDP Helper, Address.
2. Select Add from the Action list.
3.
Configuring the PPPoE Intermediate Agent

This section describes how to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.

Web Interface

To configure global settings for PPPoE IA:

1. Click IP Service, PPPoE Intermediate Agent.
2. Select Configure Global from the Step list.
3. Enable the PPPoE IA on the switch, set the access node identifier, and set the generic error message.
4. Click Apply.

This parameter only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
◆ Circuit ID – String identifying the circuit identifier (or interface) on this switch to which the user is connected.

Figure 441: Configuring Interface Settings for PPPoE Intermediate Agent

Showing PPPoE IA Statistics

Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.

Parameters

These parameters are displayed:

◆ Interface – Port or trunk selection.
◆ Received – Received PPPoE active discovery messages.
■ All – All PPPoE active discovery message types.

Web Interface

To show statistics for PPPoE IA protocol messages:

1. Click IP Service, PPPoE Intermediate Agent.
2. Select Show Statistics from the Step list.
3. Select Port or Trunk interface type.
17 General IP Routing

This chapter provides information on network functions including:

◆ Ping – Sends ping message to another node on the network.
◆ Trace – Sends ICMP echo request packets to another node on the network.
◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache.
◆ Static Routes – Configures static routes to other network segments.

Chapter 17 | General IP Routing IP Routing and Switching

Each VLAN represents a virtual interface to Layer 3. You just need to provide the network address for each virtual interface, and the traffic between different subnetworks will be routed by Layer 3 switching.

address is not yet known to the switch, an Address Resolution Protocol (ARP) packet with the destination IP address is broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.

Chapter 17 | General IP Routing Configuring IP Routing Interfaces

Routing Protocols

The switch supports both static and dynamic routing.

◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
◆ Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.

destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page 687, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway.

include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.

Web Interface

To ping another device on the network:

1. Click IP, General, Ping.
2. Specify the target device and ping parameters.
3. Click Apply.

◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The trace route function first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message.
Chapter 17 | General IP Routing Address Resolution Protocol Address Resolution Protocol If IP routing is enabled (page 703), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
Chapter 17 | General IP Routing Address Resolution Protocol requesting node. That node then sends traffic to the router, which in turn uses its own routing table to forward the traffic to the remote destination. Figure 446: Proxy ARP Proxy ARP no routing, no default gateway ARP request Remote ARP Server Parameters These parameters are displayed: ◆ Timeout – Sets the aging time for dynamic entries in the ARP cache.
Figure 447: Configuring General Settings for ARP

Configuring Static ARP Addresses

For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, use the IP > ARP (Configure Static Address – Add) page to manually map an IP address to the corresponding physical address in the ARP cache.
Web Interface

To map an IP address to the corresponding physical address in the ARP cache:
1. Click IP, ARP.
2. Select Configure Static Address from the Step List.
3. Select Add from the Action List.
4. Enter the IP address and the corresponding MAC address.
5. Click Apply.

Figure 448: Configuring Static ARP Entries

To display static entries in the ARP cache:
1. Click IP, ARP.
2. Select Configure Static Address from the Step List.
3.
Displaying Dynamic or Local ARP Entries

Use the IP > ARP (Show Information) page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages.

Web Interface

To display all dynamic and local entries in the ARP cache:
1. Click IP, ARP.
2.
3. Click Statistics.

Figure 451: Displaying ARP Statistics

Configuring Static Routes

This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP, OSPF, BGP). However, you can also manually enter static routes in the routing table using the IP > Routing > Static Routes (Add) page.
◆ Net Mask / Prefix Length – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
◆ Next Hop – IP address of the next router hop used for this route.
◆ Distance – An administrative distance indicating that this route can be overridden by dynamic routing information if the distance of the dynamic route is less than that configured for the static route.
Figure 453: Displaying Static Routes

Displaying the Routing Table

Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
Parameters

These parameters are displayed:
◆ VLAN – VLAN identifier (i.e., configured as a valid IP subnet).
◆ Destination IP Address – IP address of the destination network, subnetwork, or host. Note that the address 0.0.0.0 indicates the default gateway for this router.
◆ Net Mask / Prefix Length – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
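The following is an added example, not code from this guide or the switch firmware. It models how a static route's Distance interacts with dynamically learned routes and how the 0.0.0.0 entry acts as the default, and it reports static routes that a routing protocol has overridden. The function names, addresses and distance values are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# One candidate route, as it would be offered to the routing table.
Route = namedtuple("Route", "prefix next_hop source distance")


def route(cidr, next_hop, source, distance):
    """Helper (hypothetical name) that parses the prefix once."""
    return Route(ipaddress.ip_network(cidr), next_hop, source, distance)


# Constructed sample candidates; addresses and distances are illustrative only.
CANDIDATES = [
    route("0.0.0.0/0",   "192.168.1.254", "static", 1),    # default gateway entry
    route("10.1.0.0/16", "192.168.1.2",   "static", 130),  # static with a high distance
    route("10.1.0.0/16", "192.168.1.3",   "rip",    120),  # same prefix, lower distance
    route("10.1.2.0/24", "192.168.1.4",   "ospf",   110),  # more specific subnet
    route("10.2.0.0/16", "192.168.1.5",   "static", 1),
    route("10.2.0.0/16", "192.168.1.6",   "ospf",   110),
]


def build_table(candidates):
    """Per destination prefix, keep the candidate with the lowest distance."""
    table = {}
    for cand in candidates:
        current = table.get(cand.prefix)
        if current is None or cand.distance < current.distance:
            table[cand.prefix] = cand
    return table


def lookup(table, destination):
    """Longest-prefix match; 0.0.0.0/0 matches only when nothing else does."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def overridden_statics(candidates):
    """Static prefixes whose active entry was taken by a dynamic route.

    Useful as an audit: a static route an operator believes is pinning a
    path is not in effect if a lower-distance dynamic route exists.
    """
    table = build_table(candidates)
    return [str(c.prefix) for c in candidates
            if c.source == "static" and table[c.prefix].source != "static"]


if __name__ == "__main__":
    active = build_table(CANDIDATES)
    for dst in ("10.1.2.9", "10.1.9.9", "10.2.3.4", "203.0.113.7"):
        print(dst, "->", lookup(active, dst))
    print("overridden static routes:", overridden_statics(CANDIDATES))
```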
Equal-cost Multipath Routing

the traffic forwarded to the destination. ECMP uses either equal-cost multipaths manually configured in the static routing table, or equal-cost multipaths dynamically generated by the Open Shortest Path First (OSPF) protocol. In other words, it uses either static or OSPF entries, not both. Normal unicast routing simply selects the path to the destination that has the lowest cost.
Web Interface

To configure the maximum ECMP number:
1. Click IP, Routing, Routing Table.
2. Select Configure ECMP Number from the Action List.
3. Enter the maximum number of equal-cost paths used to route traffic to the same destination that are permitted on the switch.
4.
18 Configuring Router Redundancy

Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
Figure 457: Several Virtual Master Routers Using Backup Routers

Master Router
VRID 23: IP(R1) = 192.168.1.3, IP(VR23) = 192.168.1.3, VR Priority = 255

Master Router
VRID 25: IP(R2) = 192.168.2.17, IP(VR25) = 192.168.2.17, VR Priority = 255

Backup Router
VRID 23: IP(R3) = 192.168.1.4, IP(VR23) = 192.168.1.3, VR Priority = 100
VRID 25: IP(R3) = 192.168.2.18, IP(VR23) = 192.168.2.
Configuring VRRP Groups

Command Usage

Address Assignment –
◆ To designate a specific router as the VRRP master, the IP address assigned to the virtual router must already be configured on the router that will become the Owner of the group address. In other words, the IP address for the virtual router exists on one, and only one, router in the virtual router group, and the network mask for the virtual router address is derived from the Owner.
◆ You can add a delay to the preempt function to give additional time to receive an advertisement message from the current master before taking control. If the router attempting to become the master has just come on line, this delay also gives it time to gather information for its routing table before actually preempting the currently active master router.
◆ Priority – The priority of this router in a VRRP group. (Range: 1-254; Default: 100)
  ■ The priority for the VRRP group address owner is automatically set to 255.
  ■ The priority for backup routers is used to determine which router will take over as the acting master router if the current master fails.
Web Interface

To configure VRRP:
1. Click IP, VRRP.
2. Select Configure Group ID from the Step List.
3. Select Add from the Action List.
4. Enter the VRID group number, and select the VLAN (i.e., IP subnet) which is to be serviced by this group.
5. Click Apply.

Figure 459: Configuring the VRRP Group ID

To show the configured VRRP groups:
1. Click IP, VRRP.
2. Select Configure Group ID from the Step List.
3.
4. Select a VLAN, a VRRP group identifier, and enter the IP address for the virtual router.
5. Click Apply.

Figure 461: Setting the Virtual Router Address for a VRRP Group

To show the virtual IP address assigned to a VRRP group:
1. Click IP, VRRP.
2. Select Configure Group ID from the Step List.
3. Select Show IP Addresses from the Action List.
4. Select a VLAN, and a VRRP group identifier.
Figure 463: Configuring Detailed Settings for a VRRP Group

Displaying VRRP Global Statistics

Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets.

Parameters

These parameters are displayed:
◆ VRRP Packets with Invalid Checksum – The total number of VRRP packets received with an invalid VRRP checksum value.
Figure 464: Showing Counters for Errors Found in VRRP Packets

Displaying VRRP Group Statistics

Use the IP > VRRP (Show Statistics – Group Statistics) page to display counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.

Parameters

These parameters are displayed:
◆ VLAN ID – VLAN configured with an IP interface. (Range: 1-4094)
◆ VRID – VRRP group identifier.
Table 43: VRRP Group Statistics (Continued)

Parameter | Description
Received Error Address List VRRP Packets | Number of packets received for which the address list does not match the locally configured list for the virtual router.
Received Invalid Authentication Type VRRP Packets | Number of packets received with an unknown authentication type.
19 Unicast Routing

This chapter describes how to configure the following unicast routing protocols:
◆ RIP – Configures Routing Information Protocol.
◆ OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4.

Overview

This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol. It supports RIP, RIP-2 and OSPFv2 dynamic routing in the web management interface.
Configuring the Routing Information Protocol

The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings

Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers.

RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1) The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics. It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Basic Timer Settings

Note: The timers must be set to the same values for all routers in the network.

◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. (Range: 5-2147483647 seconds; Default: 30 seconds) Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
Figure 467: Configuring General Settings for RIP

Clearing Entries from the Routing Table

Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.

Command Usage
◆ RIP must be enabled to activate this menu option.
◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length.
  ■ Network IP Address – Deletes all related entries for the specified network address.
  ■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.

Web Interface

To clear entries from the RIP routing table:
1. Click Routing Protocol, RIP, General.
2.
Parameters

These parameters are displayed:
◆ By Address – Adds a network to the RIP routing process.
  ■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified)
  ■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 470: Showing Network Interfaces Using RIP

Specifying Passive Interfaces

Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.

Command Usage
◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
Figure 471: Specifying a Passive RIP Interface

To show the passive RIP interfaces:
1. Click Routing Protocol, RIP, Passive Interface.
2. Select Show from the Action list.
Figure 473: Specifying a Static RIP Neighbor

To show static RIP neighbors:
1. Click Routing Protocol, RIP, Neighbor Address.
2. Select Show from the Action list.
A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics. When a metric value has not been configured on this page, the default-metric determines the metric value to be used for all imported external routes. It is advisable to use a low metric when redistributing routes from another protocol into RIP.
Figure 476: Showing External Routes Redistributed into RIP

Specifying an Administrative Distance

Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
Figure 477: Setting the Distance Assigned to External Routes

To show the distance assigned to external routes learned from other routing protocols:
1. Click Routing Protocol, RIP, Distance.
2. Select Show from the Action list.
multicasting as normally required by RIPv2. Using this mode allows older RIPv2 routers which only receive RIP broadcast messages to receive all of the information provided by RIPv2, including subnet mask, next hop and authentication information. (This is the default setting.)
  ■ Use “Do Not Send” to passively monitor route information advertised by other routers attached to the network.
◆ Send Version – The RIP version to send on an interface.
  ■ RIPv1: Sends only RIPv1 packets.
  ■ RIPv2: Sends only RIPv2 packets.
  ■ RIPv1 Compatible: Route information is broadcast to other routers with RIPv2.
  ■ Do Not Send: Does not transmit RIP updates. Passively monitors route information advertised by other routers attached to the network.
  The default depends on the setting for the Global RIP Version.
◆ Instability Prevention – Specifies the method used to reduce the convergence time when the network topology changes, and to prevent RIP protocol messages from looping back to the source router.
  ■ Split Horizon – This method never propagates routes back to an interface from which they have been acquired.
Figure 480: Showing RIP Network Interface Settings

Displaying RIP Interface Settings

Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.

Parameters

These parameters are displayed:
◆ Interface – Source IP address of RIP router interface.
◆ Auth Type – The type of authentication used for exchanging RIPv2 protocol messages.
Displaying Peer Router Information

Use the Routing Protocol > RIP > Statistics (Show Peer Information) page to display information on neighboring RIP routers.

Parameters

These parameters are displayed:
◆ Peer Address – IP address of a neighboring RIP router.
◆ Update Time – Last time a route update was received from this peer.
◆ Version – Shows whether RIPv1 or RIPv2 packets were received from this peer.
Figure 483: Resetting RIP Statistics

Configuring the Open Shortest Path First Protocol (Version 2)

Open Shortest Path First (OSPF) is more suited for large area networks which experience frequent changes in the links. It also handles subnets much better than RIP.
throughput and connectivity. OSPF utilizes IP multicast to reduce the amount of routing traffic required when sending or receiving routing path updates. The separate routing area scheme used by OSPF further reduces the amount of routing traffic, and thus inherently provides another level of routing protection. In addition, all routing protocol exchanges can be authenticated.
Routers in a normal area may import or export routing information about individual nodes. To reduce the amount of routing traffic flooded onto the network, an area can be configured to export a single summarized route that covers a broad range of network addresses within the area (page 738).
◆ If an address range overlaps other network areas, the router will use the network area with the address range that most closely matches the interface address. Also, note that if a more specific address range is removed from an area, the interface belonging to that range may still remain active if a less specific address range covering that area has been specified.
To show the OSPF areas and the assigned interfaces:
1. Click Routing Protocol, OSPF, Network Area.
2. Select Show from the Action list.

Figure 487: Showing OSPF Network Areas

To show the OSPF process identifiers:
1. Click Routing Protocol, OSPF, Network Area.
2. Select Show Process from the Action list.
calculating summary route costs. Enable this field to force the router to calculate summary route costs using RFC 1583. (Default: Disabled) When RFC 1583 compatibility is enabled, only cost is used when choosing among multiple AS-external LSAs advertising the same destination. When disabled, preference is based on type of path, using cost only to break ties (see RFC 2328).
Default Information

◆ Originate Default Route – Generates a default external route into an autonomous system. Note that the Advertise Default Route field must also be properly configured. (Default: Disabled) When this feature is used to redistribute routes into a routing domain (that is, an Autonomous System), this router automatically becomes an Autonomous System Boundary Router (ASBR).
Web Interface

To configure general settings for OSPF:
1. Click Routing Protocol, OSPF, System.
2. Select Configure from the Action list.
3. Select a Process ID, and then specify the Router ID and other global attributes as required. For example, by setting the Auto Cost to 10000, the cost of using an interface is set to 10 for Gigabit ports, and 1 for 10 Gigabit ports.
4.
Table 44: OSPF System Information (Continued)

Parameter | Description
Originate LSAs | The number of new link-state advertisements that have been originated.
AS LSA Count | The number of autonomous system LSAs in the link-state database.
External LSA Count | The number of external link-state advertisements in the link-state database.
External LSA Checksum | Checksum of the external link-state advertisement database.
Adding an NSSA or Stub

Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub).

Command Usage
◆ This router supports up to 5 stubs or NSSAs.

Parameters

These parameters are displayed:
◆ Process ID – Protocol identifier as configured on the Routing Protocol > OSPF > Network Area (Add) page.
To show the NSSA or stubs added to the specified OSPF domain:
1. Click Routing Protocol, OSPF, Area.
2. Select Configure Area from the Step list.
3. Select Show Area from the Action list.
4. Select a Process ID.
Command Usage
◆ Before creating an NSSA, first specify the address range for the area (see “Defining Network Areas Based on Addresses” on page 723). Then create an NSSA as described under “Adding an NSSA or Stub” on page 731.
◆ NSSAs cannot be used as a transit area, and should therefore be placed at the edge of the routing domain.
◆ An NSSA can have multiple ABRs or exit points.
◆ Originate Default Information – When the router is an NSSA Area Border Router (ABR) or an NSSA Autonomous System Boundary Router (ASBR), this option causes it to generate a Type-7 default LSA into the NSSA. This default provides a route to other areas within the AS for an NSSA ABR, or to areas outside the AS for an NSSA ASBR.
Figure 495: Configuring Protocol Settings for an NSSA

Configuring Stub Settings

Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub. A stub does not accept external routing information.
Parameters

These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 723).
◆ Area ID – Identifier for a stub.
◆ Default Cost – Cost for the default summary route sent into a stub from an area border router (ABR).
Figure 497: Configuring Protocol Settings for a Stub

Displaying Information on NSSA and Stub Areas

Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas.

Parameters

These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 723).
◆ Area ID – Identifier for a not-so-stubby area (NSSA) or stub.
Figure 498: Displaying Information on NSSA and Stub Areas

Configuring Area Ranges (Route Summarization for ABRs)

An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
Parameters

These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 723).
◆ Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or a four-octet unsigned integer ranging from 0-4294967295.
◆ Range Network – Base address for the routes to summarize.
To show the configured route summaries:
1. Click Routing Protocol, OSPF, Area Range.
2. Select Show from the Action list.
3. Select the process ID.
Parameters

These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 723).
◆ Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain. (Options: BGP, RIP, Static; Default: RIP)
◆ Metric Type – Indicates the method used to calculate external route costs.
Figure 503: Importing External Routes

To show the imported external route types:
1. Click Routing Protocol, OSPF, Redistribute.
2. Select Show from the Action list.
3. Select the process ID.
imported into the routing table, and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for advertising into the local domain.
◆ To summarize routes sent between OSPF areas, use the Area Range Configuration screen (page 738).
◆ This router supports up to 20 Type-5 summary routes.
Figure 506: Showing Summary Addresses for External Routes

Configuring OSPF Interfaces

You should specify a routing interface for any local subnet that needs to communicate with other network segments located on this router or elsewhere in the network. First configure a VLAN for each subnet that will be directly connected to this router, assign IP interfaces to each VLAN (i.e.
Routes are assigned a metric equal to the sum of all metrics for each interface link in the route. This router uses a default cost of 1 for all ports. Therefore, if you install a 10 Gigabit module, you need to reset the cost for all of the 1 Gbps ports to a value greater than 1 to reflect the actual interface bandwidth.
◆ Router Priority – Sets the interface priority for this router.
problem, you can use the transmit delay to force the router to wait a specified interval between transmissions.
◆ Retransmit Interval – Sets the time between re-sending link-state advertisements. (Range: 1-65535 seconds; Default: 5 seconds) A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval.
Normally, only one key is used per interface to generate authentication information for outbound packets and to authenticate incoming packets. Neighbor routers must use the same key identifier and key value. When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key.
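The following is an added example, not code from this guide or the switch firmware. It shows why neighbors must share both the key identifier and the key value, and how a receiver that holds the old and the new key accepts both copies during a key change. It assumes the cryptographic authentication layout of RFC 2328 Appendix D (AuType 2, keyed MD5 digest appended to the packet); the names sign_packet and Receiver, the key strings and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 header with AuType 2: version, type, packet length, router ID,
# area ID, checksum (0), AuType, reserved 0, key ID, auth data length,
# cryptographic sequence number. 24 bytes in total.
OSPF_HDR = struct.Struct("!BBH4s4sHHHBBI")
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16


def _pad_key(key):
    """The shared secret is used as a 16-byte field, zero padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign_packet(body, router_id, area_id, key_id, key, seq, pkt_type=1):
    """Build header + body and append MD5(packet || padded key)."""
    length = OSPF_HDR.size + len(body)  # the digest is not counted in the length
    header = OSPF_HDR.pack(
        2, pkt_type, length,
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Receiver:
    """Verifies packets against a table of {key ID: key value}."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_seq = {}  # last accepted sequence number per neighbor router ID

    def verify(self, datagram):
        if len(datagram) < OSPF_HDR.size:
            return (False, "truncated header")
        (_ver, _typ, length, rid, _aid, _csum, autype, _zero,
         key_id, auth_len, seq) = OSPF_HDR.unpack_from(datagram)
        if autype != AUTYPE_CRYPTO:
            return (False, "unexpected authentication type")
        if (auth_len != DIGEST_LEN or length < OSPF_HDR.size
                or len(datagram) != length + auth_len):
            return (False, "bad length")
        key = self.keys.get(key_id)
        if key is None:
            return (False, "unknown key id")
        expected = hashlib.md5(datagram[:length] + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, datagram[length:]):
            return (False, "digest mismatch")
        # Sequence numbers from one neighbor must never go backwards.
        if seq < self.last_seq.get(rid, 0):
            return (False, "replayed sequence number")
        self.last_seq[rid] = seq
        return (True, "ok")


def rollover_demo():
    """During a key change the sender emits one copy per key."""
    old, new = b"old-key", b"new-key"          # constructed sample keys
    both = Receiver({1: old, 2: new})          # neighbor already holds both keys
    new_only = Receiver({2: new})              # neighbor that dropped the old key
    copy_old = sign_packet(b"hello", "192.168.1.3", "0.0.0.0", 1, old, 100)
    copy_new = sign_packet(b"hello", "192.168.1.3", "0.0.0.0", 2, new, 100)
    return [both.verify(copy_old), both.verify(copy_new),
            new_only.verify(copy_old), new_only.verify(copy_new)]


if __name__ == "__main__":
    for result in rollover_demo():
        print(result)
```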
To configure interface settings for a specific area assigned to a VLAN:
1. Click Routing Protocol, OSPF, Interface.
2. Select Configure by Address from the Action list.
3. Specify the VLAN ID, enter the address assigned to an area, and configure the required interface settings.
4. Click Apply.
Figure 509: Showing OSPF Interfaces

To show the MD5 authentication keys configured for an interface:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show MD5 Key from the Action list.
3. Select the VLAN ID.
Figure 511: OSPF Virtual Link (diagram labels: isolated area, ABR, virtual link, backbone, ABR, normal area)

Virtual links can also be used to create a redundant link between any area and the backbone to help prevent partitioning, or to connect two existing backbone areas into a common backbone.
Web Interface

To create a virtual link:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Add from the Action list.
3. Specify the process ID, the Area ID, and Neighbor router ID.
4. Click Apply.

Figure 512: Adding a Virtual Link

To show virtual links:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Show from the Action list.
3. Select the process ID.
4. Click Apply.

Figure 514: Configuring Detailed Settings for a Virtual Link

To show the MD5 authentication keys configured for a virtual link:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show MD5 Key from the Action list.
3. Select the VLAN ID.
You can show information about different LSAs stored in this router’s database, which may include any of the following types:
◆ Router (Type 1) – All routers in an OSPF area originate Router LSAs that describe the state and cost of their active interfaces and neighbors.
◆ Sequence – Sequence number of LSA (used to detect older duplicate LSAs).
◆ Checksum – Checksum of the complete contents of the LSA.

Web Interface

To display information in the link state database:
1. Click Routing Protocol, OSPF, Information.
2. Click LSDB.
3. Select the process identifier.
4.
Displaying Information on Neighboring Routers

Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface.

Parameters

These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 723).
◆ ID – Neighbor’s router ID.
◆ Priority – Neighbor’s router priority.
Figure 517: Displaying Neighbor Routers Stored in the Link State Database
20 Multicast Routing

This chapter describes the following multicast routing topics:
◆ Enabling Multicast Routing Globally – Describes how to globally enable multicast routing.
◆ Displaying the Multicast Routing Table – Describes how to display the multicast routing table.
◆ Configuring PIM for IPv4 – Describes how to configure PIM-DM and PIM-SM for IPv4.
◆ Configuring PIMv6 for IPv6 – Describes how to configure PIM-DM and PIM-SM (Version 6) for IPv6.
Overview

maintaining its own multicast routing table, making it routing protocol independent. PIM-DM is a simple multicast routing protocol that uses flood and prune to build a source-routed multicast delivery tree for each multicast source-group pair. As mentioned above, it does not maintain its own routing table, but instead, uses the routing table provided by whatever unicast routing protocol is enabled on the router interface.
advertising itself as a BSR candidate. Eventually, only the router with the highest BSR priority will continue sending bootstrap messages.

Rendezvous Point (RP) – A router may periodically send PIMv2 messages to the BSR advertising itself as a candidate RP for specified group addresses. The BSR places information about all of the candidate RPs in subsequent bootstrap messages.
Configuring Global Settings for Multicast Routing
register-stop message, it stops sending register messages to the RP. If there are no other sources using the shared tree, it is also torn down.
Setting up the SPT requires more memory than when using the shared tree, but can significantly reduce group join and data transmission delays. The switch can also be configured to use SPT only for specific multicast groups, or to disable the change over to SPT for specific groups.
Web Interface (IPv6)
To enable IPv6 multicast routing:
1. Click Multicast, IPv6 Multicast Routing, General.
2. Enable Multicast Forwarding Status.
3. Click Apply.
case, any VLAN receiving register packets will be converted into the register interface.
◆ Owner – The associated multicast protocol (PIM-DM, PIM-SM, IGMP Proxy for PIMv4, MLD Proxy for PIMv6).
◆ Flags – The flags associated with each routing entry indicate:
  ■ Forward – Traffic received from the upstream interface is being forwarded to this interface.
  ■ Local – This is the outgoing interface.
  ■ SPT-bit set – Multicast packets have been received from a source on shortest path tree.
  ■ Join SPT – The rate of traffic arriving over the shared tree has exceeded the SPT-threshold for this group. If the SPT flag is set for (*,G) entries, the next (S,G) packet received will cause the router to join the shortest path tree. If the SPT flag is set for (S,G), the router immediately joins the shortest path tree.
4. Select a Source Address.
Figure 521: Displaying Detailed Entries from IPv4 Multicast Routing Table
Web Interface (IPv6)
To display the multicast routing table:
1. Click Multicast, IPv6 Multicast Routing, Information.
2. Select Show Summary from the Action List.
Figure 522: Displaying the IPv6 Multicast Routing Table
To display detailed information on a specific flow in the multicast routing table:
1.
Figure 523: Displaying Detailed Entries from IPv6 Multicast Routing Table
Configuring PIM for IPv4
This section describes how to configure PIM-DM and PIM-SM for IPv4.
Enabling PIM Globally
Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router.
Command Usage
◆ This feature enables PIM-DM and PIM-SM globally for the router.
Figure 524: Enabling PIM Multicast Routing
Configuring PIM Interface Settings
Use the Routing Protocol > PIM > Interface page to configure the routing protocol’s functional attributes for each interface.
Command Usage
◆ Most of the attributes on this page are common to both PIM-DM and PIM-SM. Select Dense or Sparse Mode to display the common attributes, as well as those applicable to the selected mode.
Parameters
These parameters are displayed:
Common Attributes
◆ VLAN – Layer 3 VLAN interface. (Range: 1-4094)
◆ Mode – PIM routing mode. (Options: Dense, Sparse, None)
◆ IP Address – Primary IP address assigned to the selected VLAN.
◆ Hello Holdtime – Sets the interval to wait for hello messages from a neighboring PIM router before declaring it dead.
◆ LAN Prune Delay – Causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request. (Default: Disabled)
When other downstream routers on the same VLAN are notified that this upstream router has received a prune request, they must send a Join to override the prune before the prune delay expires if they want to continue receiving the flow.
Dense-Mode Attributes
◆ Graft Retry Interval – The time to wait for a Graft acknowledgement before resending a Graft message. (Range: 1-10 seconds; Default: 3 seconds)
A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message.
Use the same join/prune message interval on all PIM-SM routers in the same PIM-SM domain, otherwise the routing protocol’s performance will be adversely affected.
The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requests to join this group.
Figure 526: Configuring PIM Interface Settings (Sparse Mode)
Displaying PIM Neighbor Information
Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers.
Parameters
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
◆ Expire – The time before this entry will be removed.
Configuring Global PIM-SM Settings
Use the Routing Protocol > PIM > SM (Configure Global) page to configure the rate at which register messages are sent, the source of register messages, and switch over to the Shortest Path Tree (SPT).
Parameters
These parameters are displayed:
◆ Register Rate Limit – Configures the rate at which register messages are sent by the Designated Router (DR) for each (source, group) entry.
Web Interface
To configure global settings for PIM-SM:
1. Click Multicast, Multicast Routing, SM.
2. Select Configure Global from the Step list.
3. Set the register rate limit and source of register messages if required. Also specify any multicast groups which must be routed across the shared tree, instead of switching over to the SPT.
4. Click Apply.
Parameters
These parameters are displayed:
◆ BSR Candidate Status – Configures the switch as a Bootstrap Router (BSR) candidate. (Default: Disabled)
◆ VLAN ID – Identifier of configured VLAN interface. (Range: 1-4094)
◆ Hash Mask Length – Hash mask length (in bits) used for RP selection (see “Configuring a PIM Static Rendezvous Point” on page 775 and “Configuring a PIM RP Candidate” on page 776).
Configuring a PIM Static Rendezvous Point
Use the Routing Protocol > PIM > SM (RP Address) page to configure a static address as the Rendezvous Point (RP) for a particular multicast group.
Command Usage
◆ The router will act as an RP for all multicast groups in the local PIM-SM domain if no groups are specified. A static RP can either be configured for the whole multicast group range 224/4, or for specific group ranges.
Figure 530: Configuring a PIM Static Rendezvous Point
To display static rendezvous points:
1. Click Routing Protocol, PIM, SM.
2. Select RP Address from the Step list.
3. Select Show from the Action list.
Figure 531: Showing PIM Static Rendezvous Points
Configuring a PIM RP Candidate
Use the Routing Protocol > PIM > SM (RP Candidate) page to configure the switch to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR).
  ■ Compute hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
  ■ If there is a tie, use the candidate RP with the highest IP address.
◆ This distributed election process provides faster convergence and minimal disruption when an RP fails. It also serves to provide load balancing by distributing groups across multiple RPs.
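The RP selection steps above (hash over group address, RP address and hash mask, with ties going to the highest IP address) can be reproduced offline to check what the RP Mapping display should show for a group. The Python below is an added example, not code from the switch or this guide; it follows the group-to-RP mapping rules of RFC 4601 (listed under Standards in this guide), and the lower-value-wins candidate priority, the `CandidateRP` type, the function names, the hash mask length of 30 and all addresses are assumptions or constructed sample values.

```python
"""Group-to-RP mapping for PIM-SM (IPv4), following RFC 4601 selection rules."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CandidateRP:
    address: str      # unicast address advertised by the candidate RP
    group_range: str  # multicast prefix it offers to serve, e.g. "224.0.0.0/4"
    priority: int     # assumption from RFC 4601: lower value is preferred


def rp_hash(group: str, hash_mask_len: int, rp_address: str) -> int:
    """RFC 4601 hash; only the first hash_mask_len bits of the group count."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp_address))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & mask) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group, rp_set, hash_mask_len):
    """Return the CandidateRP every router should pick for `group`, or None."""
    g = ipaddress.IPv4Address(group)
    nets = {c: ipaddress.IPv4Network(c.group_range) for c in rp_set}
    # 1. Keep candidates whose group range covers the group, longest prefix only.
    matching = [c for c in rp_set if g in nets[c]]
    if not matching:
        return None
    longest = max(nets[c].prefixlen for c in matching)
    matching = [c for c in matching if nets[c].prefixlen == longest]
    # 2. Keep the most preferred priority (lowest value, per RFC 4601).
    best = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best]
    # 3. Highest hash wins; a hash tie goes to the highest RP address.
    return max(
        matching,
        key=lambda c: (rp_hash(group, hash_mask_len, c.address),
                       int(ipaddress.IPv4Address(c.address))),
    )


def mapping_mismatches(observed, rp_set, hash_mask_len):
    """Compare an observed {group: rp_address} table with the computed one.

    Returns (group, expected_rp, observed_rp) for each disagreement, which
    points at an inconsistent RP-set or an RP nobody planned for.
    """
    findings = []
    for group, seen_rp in observed.items():
        chosen = select_rp(group, rp_set, hash_mask_len)
        expected = chosen.address if chosen else None
        if expected != seen_rp:
            findings.append((group, expected, seen_rp))
    return findings


# Constructed sample RP-set, as it might be learned from bootstrap messages.
RP_SET = [
    CandidateRP("10.0.0.1", "224.0.0.0/4", 192),
    CandidateRP("10.0.0.2", "224.0.0.0/4", 192),
    CandidateRP("10.0.0.3", "239.1.0.0/16", 200),
]
HASH_MASK_LEN = 30  # constructed value; use the length carried by your BSR

if __name__ == "__main__":
    for grp in ("239.1.1.1", "239.2.1.0", "239.2.1.4", "232.5.5.5"):
        rp = select_rp(grp, RP_SET, HASH_MASK_LEN)
        print(f"{grp:<12} -> {rp.address if rp else 'no RP'}")
    # Constructed "observed" table with one entry that the RP-set cannot explain.
    observed = {"239.1.1.1": "10.0.0.3", "232.5.5.5": "10.0.0.99"}
    for group, expected, seen in mapping_mismatches(observed, RP_SET, HASH_MASK_LEN):
        print(f"MISMATCH {group}: expected {expected}, switch shows {seen}")
```

Feed `mapping_mismatches` the group and RP Address columns copied from the RP Mapping page; an entry it reports means the router's view of the RP-set differs from the one you planned.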
Figure 532: Configuring a PIM RP Candidate
To display settings for an RP candidate:
1. Click Routing Protocol, PIM, SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
◆ Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate.
◆ Expire – The time before the BSR is declared down.
◆ Role – Candidate or non-candidate BSR.
◆ State – Operation state of BSR includes:
  ■ No information – No information is stored for this device.
Displaying PIM RP Mapping
Use the Routing Protocol > PIM > SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.
Parameters
These parameters are displayed:
◆ Groups – A multicast group address.
◆ RP Address – IP address of the RP for the listed multicast group.
Configuring PIMv6 for IPv6
This section describes how to configure PIM-DM and PIM-SM for IPv6.
Enabling PIMv6 Globally
Use the Routing Protocol > PIM6 > General page to enable IPv6 PIM routing globally on the router.
Command Usage
◆ This feature enables PIM-DM and PIM-SM for IPv6 globally on the router.
◆ PIMv6 and MLD proxy cannot be used at the same time. When an interface is set to use PIMv6 Dense mode, MLD proxy cannot be enabled on any interface of the device (see “MLD Proxy Routing” in the CLI Reference Guide). Also, when MLD proxy is enabled on an interface, PIMv6 cannot be enabled on any interface.
PIM6-DM
◆ PIM6-DM functions similar to DVMRP by periodically flooding the network with traffic from any active multicast server.
◆ Hello Interval – Sets the frequency at which PIM hello messages are transmitted out on all interfaces. (Range: 1-65535 seconds; Default: 30 seconds)
Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree.
continue receiving the flow referenced in the message. (Range: 500-6000 milliseconds; Default: 2500 milliseconds)
The override interval and the propagation delay are used to calculate the LAN prune delay.
forwarding a control message down the distribution tree, refreshing the prune state on the outgoing interfaces of each router in the tree. This also enables PIM routers to recognize topology changes (sources joining or leaving a multicast group) before the default three-minute state timeout expires.
This command is only effective for interfaces of first-hop PIM-DM routers that are directly connected to the sources of multicast groups.
3. Click Apply.
Displaying PIM6 Neighbor Information
Use the Routing Protocol > PIM6 > Neighbor page to display all neighboring PIMv6 routers.
Parameters
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
◆ Expire – The time before this entry will be removed.
◆ DR – The designated PIM6-SM router.
◆ Register Source – Configures the IP source address of a register message to an address other than the outgoing interface address of the DR that leads back toward the RP.
Figure 540: Configuring Global Settings for PIM6-SM
Configuring a PIM6 BSR Candidate
Use the Routing Protocol > PIM6 > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate.
Command Usage
◆ When this router is configured as a BSR candidate, it starts sending bootstrap messages to all of its PIM6-SM neighbors. The primary IP address of the designated VLAN is sent as the candidate’s BSR address.
portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32; Default: 10)
◆ Priority – Priority used by the candidate bootstrap router in the election process. The BSR candidate with the largest priority is preferred. If the priority values are the same, the candidate with the larger IP address is elected to be the BSR. Setting the priority to zero means that this router is not eligible to serve as the BSR.
longer group prefix length. If the prefix lengths are the same, then the static RP with the highest IP address is chosen.
◆ Static definitions for RP addresses may be used together with RP addresses dynamically learned through the bootstrap router (BSR).
To display static rendezvous points:
1. Click Routing Protocol, PIM6, SM.
2. Select RP Address from the Step list.
3. Select Show from the Action list.
Figure 543: Showing PIM6 Static Rendezvous Points
Configuring a PIM6 RP Candidate
Use the Routing Protocol > PIM6 > SM (RP Candidate) page to configure the switch to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR).
◆ To improve failover recovery, it is advisable to select at least two core routers in diverse locations, each to serve as both a candidate BSR and candidate RP. It is also preferable to set up one of these routers as both the primary BSR and RP.
Parameters
These parameters are displayed:
◆ VLAN – Identifier of configured VLAN interface. (Range: 1-4094)
◆ Interval – The interval at which this device advertises itself as an RP candidate.
To display settings for an RP candidate:
1. Click Routing Protocol, PIM6, SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
Figure 545: Showing Settings for a PIM6 RP Candidate
Displaying the PIM6 BSR Router
Use the Routing Protocol > PIM6 > SM (Show Information – Show BSR Router) page to display information about the bootstrap router (BSR).
BSR or from a C-BSR with higher weight than the current BSR will be accepted.
  ■ Candidate BSR – Bidding in election process.
  ■ Pending-BSR – The router is a candidate to be the BSR for the RP-set. Currently, no other router is the preferred BSR, but this router is not yet the elected BSR.
  ■ Elected BSR – Elected to serve as BSR.
Web Interface
To display information about the BSR:
1. Click Routing Protocol, PIM6, SM.
2.
Web Interface
To display the RPs mapped to multicast groups:
1. Click Routing Protocol, PIM6, SM.
2. Select Show Information from the Step list.
3. Select Show RP Mapping from the Action list.
Section III Appendices
This section provides additional information and includes these items:
◆ “Software Specifications”
◆ “Troubleshooting”
◆ “License Information”
A Software Specifications
Software Features
Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
General Security Access Control Lists (512 rules), Port Authentication (802.
Spanning Tree Algorithm: Spanning Tree Protocol (STP, IEEE 802.1D-2004); Rapid Spanning Tree Protocol (RSTP, IEEE 802.1D-2004); Multiple Spanning Tree Protocol (MSTP, IEEE 802.1D-2004)
VLAN Support: Up to 4094 groups; port-based, protocol-based, tagged (802.
Management Features
In-Band Management: Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management: RS-232 DB-9 console port
Software Loading: HTTP, FTP or TFTP in-band, or XModem out-of-band
SNMP: Management access via MIB database; trap management to specified hosts
RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
Standards
BGPv4 (RFC 4271)
Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.
IGMPv2 (RFC 2236)
IGMPv3 (RFC 3376) - partial support
IGMP Proxy (RFC 4541)
IPv4 IGMP (RFC 3228)
MLD Snooping (RFC 4541)
NTP (RFC 1305)
OSPF (RFC 2328, 2178, 1587)
OSPFv3 (RFC 2740)
PIM-SM (RFC 4601)
PIM-DM (RFC 3973)
RADIUS+ (RFC 2618)
RIPv1 (RFC 1058)
RIPv2 (RFC 2453)
RIPv2, extension (RFC 1724)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 1901, 2571)
SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
SNTP (RFC 2030)
Management Information Bases
IPV6-TCP-MIB (RFC 2052)
IPV6-UDP-MIB (RFC 2054)
Link Aggregation MIB (IEEE 802.3ad)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
NTP (RFC 1305)
OSPF MIB (RFC 1850)
OSPFv3 MIB (draft-ietf-ospf-ospfv3-mib-15.txt)
P-Bridge MIB (RFC 2674P)
Port Access Entity MIB (IEEE 802.1X)
Port Access Entity Equipment MIB
Power Ethernet MIB (RFC 3621)
Private MIB
Q-Bridge MIB (RFC 2674Q)
QinQ Tunneling (IEEE 802.
B Troubleshooting
Problems Accessing the Management Interface
Table 45: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary
ACL – Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP – Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ – Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
ICMP – Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
IEEE 802.1D – Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q – VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP Query – On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
IGMP Snooping – Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
MIB – Management Information Base. It is a set of database objects that contains information about a specific device.
MRD – Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
Port Trunk – Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
QinQ – QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
QoS – Quality of Service.
SSH – Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
STA – Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
XModem – A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
E022019-CS-R06