User’s Manual
8-port 10/100/1000M + 2G SFP Managed PoE Switch
Model No.
FCC Statement
This product has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications.
Information furnished by Micronet Communication, Inc. is believed to be accurate and reliable. However, no responsibility is assumed by Micronet for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of Micronet. Micronet reserves the right to change specifications at any time without notice. Copyright © 2012 by Micronet Communication Inc. Taiwan, R.O.C.
ABOUT THIS GUIDE

PURPOSE
This guide gives specific information on how to operate and use the management functions of the switch.

AUDIENCE
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONTENTS
FCC Statement 3
ABOUT THIS GUIDE 5
CONTENTS 7
FIGURES 13
TABLES 17
SECTION I GETTING STARTED 19
1 INTRODUCTION 20
Key Features 20
Description of Software Features 21
System Defaults 25
2 INITIAL SWITCH CONFIGURATION 28
SECTION II WEB CONFIGURATION 30
3 USING THE WEB INTERFACE 31
Navigating the Web Browser Interface 31
Home Page 31
Configuration Options 32
Panel Display 32
Main Menu 33
4 CONFIGURING THE SWITCH 41
Configuring System Information 41
Setting a

Controlling LED Intensity 48
Reducing Power to Idle Queue Circuits 50
Configuring Thermal Protection 51
Configuring Port Connections 52
Configuring Security 55
Configuring User Accounts 55
Configuring User Privilege Levels 57
Configuring The Authentication Method For Management Access 59
Configuring SSH 61
Configuring HTTPS 62
Filtering IP Addresses for Management Access 63
Using Simple Network Management Protocol 65
Configuring Port Limit Controls 75
Configuring Authenti

Configuring VLAN Settings for MLD Snooping and Query 143
Configuring MLD Filtering 145
Link Layer Discovery Protocol 146
Configuring LLDP Timing and TLVs 146
Configuring LLDP-MED TLVs 149
Power over Ethernet 155
Configuring the MAC Address Table 158
IEEE 802.

Displaying Log Messages 201
Displaying Log Details 203
Displaying Thermal Protection 203
Displaying Information About Ports 204
Displaying Port Status On the Front Panel 204
Displaying an Overview of Port Statistics 205
Displaying QoS Statistics 205
Displaying QCL Status 206
Displaying Detailed Port Statistics 207
Displaying Information About Security Settings 210
Displaying Access Management Statistics 210
Displaying Information About Switch Settings for Port Security 211

Showing IGMP Snooping Group Information 239
Showing IPv4 SSM Information 240
Showing MLD Snooping Information
Showing MLD Snooping Status 241
Showing MLD Snooping Group Information 242
Showing IPv6 SSM Information 243
Displaying LLDP Information 244
Displaying LLDP Neighbor Information 244
Displaying LLDP-MED Neighbor Information 245
Displaying LLDP Neighbor EEE Information 247
Displaying LLDP Port Statistics 249
Displaying LLDP Neighbor PoE Information 250
Displaying PoE St

B TROUBLESHOOTING 270
Problems Accessing the Management Interface 270
Using System Logs 271
C LICENSE INFORMATION 272
The GNU General Public License 272
GLOSSARY 276
INDEX 284
FIGURES
Figure 1: Home Page 31
Figure 2: Front Panel Indicators 32
Figure 3: System Information Configuration 42
Figure 4: IP Configuration 44
Figure 5: IPv6 Configuration 46
Figure 6: NTP Configuration 47
Figure 7: Configuring Settings for Remote Logging of Error Messages 48
Figure 8: Configuring LED Power Reduction 49
Figure 9: Configuring EEE Power Reduction 51
Figure 10: Configuring Thermal Protection 52
Figure 11: Port Configuration 54
Figure 12: Showing User Accounts 56
Figure

Figure 32: DHCP Snooping Configuration 101
Figure 33: DHCP Relay Configuration 102
Figure 34: Configuring Global and Port-based Settings for IP Source Guard 104
Figure 35: Configuring Static Bindings for IP Source Guard 106
Figure 36: Configuring Global and Port Settings for ARP Inspection 108
Figure 37: Configuring Static Bindings for ARP Inspection 109
Figure 38: Authentication Configuration 110
Figure 39: Static Trunk Configuration 114
Figure 40: LACP Port Configuration 116
Fig

Figure 68: Configuring Global and Port Settings for a Voice VLAN 174
Figure 69: Configuring an OUI Telephony List 175
Figure 70: Configuring Ingress Port QoS Classification 177
Figure 71: Configuring Ingress Port Tag Classification 178
Figure 72: Displaying Egress Port Schedulers 180
Figure 73: Configuring Egress Port Schedulers and Shapers 180
Figure 74: Displaying Egress Port Shapers 181
Figure 75: Displaying Port Tag Remarking Mode 183
Figure 76: Configuring Port Tag Remarking Mo

Figure 104: Dynamic IP Source Guard Table 224
Figure 105: RADIUS Overview 225
Figure 106: RADIUS Details 229
Figure 107: LACP System Status 230
Figure 108: LACP Port Status 231
Figure 109: LACP Port Statistics 231
Figure 110: Spanning Tree Bridge Status 234
Figure 111: Spanning Tree Detailed Bridge Status 234
Figure 112: Spanning Tree Port Status 235
Figure 113: Spanning Tree Port Statistics 236
Figure 114: MVR Statistics 237
Figure 115: MVR Group Information 238
Figure 116:
TABLES
Table 1: Key Features 20
Table 2: System Defaults 25
Table 3: Web Page Configuration Buttons 32
Table 4: Main Menu 33
Table 5: HTTPS System Support 63
Table 6: SNMP Security Models and Levels 65
Table 7: Dynamic QoS Profiles 81
Table 8: QCE Modification Buttons 92
Table 9: Recommended STA Path Cost Range 126
Table 10: Recommended STA Path Costs 126
Table 11: Default STA Path Costs 126
Table 12: QCE Modification Buttons 190
Table 13: System Capabilities 244
Table 14: Trouble
SECTION I GETTING STARTED

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction

Table 1: Key Features (Continued)
Feature: Description
Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs: Up to 4K using IEEE 802.

DESCRIPTION OF SOFTWARE FEATURES
ACCESS CONTROL LISTS
ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D BRIDGE
The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.
VIRTUAL LANS
The switch supports up to 4096 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned.
QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Table 2: System Defaults (Continued)
Function / Parameter: Default
SNMP
  SNMP Agent: Disabled
  Community Strings: “public” (read only), “private” (read/write)
  Traps: Global: disabled; Authentication traps: enabled; Link-up-down events: enabled
  SNMP V3: View: default_view; Group: default_rw_group
Port Configuration
  Admin Status: Enabled
  Auto-negotiation: Enabled
  Flow Control: Disabled
Rate Limiting
  Input and output limits: Disabled
Port Trunking
  Static Trunks

Table 2: System Defaults (Continued)
IP Settings
  Management VLAN: VLAN 1
  IP Address: 192.168.1.10
  Subnet Mask: 255.255.255.0
  Default Gateway: 0.0.0.
2 INITIAL SWITCH CONFIGURATION

This chapter includes information on connecting to the switch and basic configuration procedures. To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed. This should be done before you permanently install the switch in the network. Follow this procedure:
1. Place the switch close to the PC that you intend to use for configuration.
CHAPTER 2 | Initial Switch Configuration

logging out. To change the password, click Security and then Users. Select “admin” from the User Configuration list, fill in the Password fields, and then click Save.
SECTION II WEB CONFIGURATION

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
3 USING THE WEB INTERFACE

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Netscape 6.2, Mozilla Firefox 2.0.0.0, or more recent versions).

NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password.
CHAPTER 3 | Using the Web Interface

CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3: Web Page Configuration Buttons
Button: Action
Save: Sets specified values to the system.
MAIN MENU
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 4: Main Menu (Continued)
Menu: Description (Page)
Limit Control: Configures port security limit controls, including secure address aging; and per port security, including maximum allowed MAC addresses, and response for security breach (75)
NAS: Configures global and port settings for IEEE 802.
Table 4: Main Menu (Continued)
VLAN Configuration: Configures IGMP snooping per VLAN interface (137)
Port Group Filtering: Configures multicast groups to be filtered on specified port (139)
Multicast Listener Discovery Snooping (140)
Basic Configuration: Configures global and port settings for multicast filtering (140)
VLAN Configuration: Configures MLD snooping per VLAN interface (143)
Port Group Filtering
Table 4: Main Menu (Continued)
Port Scheduler: Provides overview of QoS Egress Port Schedulers, including the queue mode and weight; also configures egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper (178)
Port Shaping: Provides overview of QoS Egress Port Shapers, including the rate for each queue and port; also configures egress queue mode, queue shaper (rate and access (181)
Table 4: Main Menu (Continued)
Port Security
Switch: Shows information about MAC address learning for each port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed (211)
Port: Shows the entries authorized by port security services, including MAC address, VLAN ID, the service state, time
Table 4: Main Menu (Continued)
IPMC: IP Multicast
IGMP Snooping (238)
Status: Displays statistics related to IGMP packets passed upstream to the IGMP Querier or downstream to multicast clients (238)
Group Information: Displays active IGMP groups
IPv4 SSM Information: Displays IGMP Source-Specific Information including group, filtering mode (include or exclude), source address, and type (allow or deny) (240)
MLD
Table 4: Main Menu (Continued)
VeriPHY: Performs cable diagnostics for all ports or selected port to diagnose any cable faults (short, open etc.
4 CONFIGURING THE SWITCH

This chapter describes all of the basic configuration tasks.

CONFIGURING SYSTEM INFORMATION
Use the System Information Configuration page to identify the system by configuring contact information, system name, location of the switch, and time zone offset.

PATH
Configuration, System, Information

PARAMETERS
These parameters are displayed:
◆ System Contact – Administrator responsible for the system.
CHAPTER 4 | Configuring the Switch

Figure 3: System Information Configuration

SETTING AN IP ADDRESS
This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on.
will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP values can include the IP address, subnet mask, and default gateway. (Default: Enabled)
◆ IP Address – Address of the VLAN specified in the VLAN ID field. This should be the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
Figure 4: IP Configuration

SETTING AN IPV6 ADDRESS
Use the IPv6 Configuration page to configure an IPv6 address for management access to the switch. IPv6 includes two distinct address types: link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet. Management traffic using this kind of address cannot be passed by any router outside of the subnet.
■ The global unicast address can be automatically configured by taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the address. This option can be selected by enabling the Auto Configuration option.
■ You can also manually configure the global unicast address by entering the full address and prefix length.
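The following Python is an added example, not code from this manual or its vendor. It works through the modified EUI-64 derivation that the Auto Configuration option relies on, so you can see exactly which part of the resulting address is the switch's MAC address (and recover it from an address seen in logs); the sample MAC and prefix are constructed.

```python
"""Derive the modified EUI-64 interface identifier and the resulting
link-local and global unicast IPv6 addresses from a MAC address.

Added example, not code from the switch manual or its vendor. It shows
what the Auto Configuration option described above does to the host
portion of the address, and how the hardware (MAC) identity can be read
back out of such an address when it appears in logs or flow records.
"""
import ipaddress
import re
from typing import Optional


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 for a 48-bit MAC address.

    The MAC is split in two, the bytes FF FE are inserted in the middle,
    and the universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as learned from a router advertisement) with
    the modified EUI-64 of *mac* into a full 128-bit address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local addresses use the fixed fe80::/64 prefix."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64-derived address, or return
    None when the interface identifier lacks the FF FE marker (the
    address was assigned statically or with privacy extensions)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    mac = "00:1a:2b:3c:4d:5e"
    print(link_local_address(mac))                 # fe80::21a:2bff:fe3c:4d5e
    print(slaac_address("2001:db8:1::/64", mac))   # 2001:db8:1:0:21a:2bff:fe3c:4d5e
    print(mac_from_eui64_address("fe80::21a:2bff:fe3c:4d5e"))  # 00:1a:2b:3c:4d:5e
```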
Figure 5: IPv6 Configuration

CONFIGURING NTP SERVICE
Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Figure 6: NTP Configuration

CONFIGURING REMOTE LOG MESSAGES
Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types.

PATH
Configuration, System, Log

COMMAND USAGE
When remote logging is enabled, system log messages are sent to the designated server. The syslog protocol is based on UDP and received on UDP port 514.
WEB INTERFACE
To configure the logging of error messages to remote servers:
1. Click Configuration, System, Log.
2. Enable remote logging, enter the IP address of the remote server, and specify the type of syslog messages to send.
3. Click Apply.
PARAMETERS
These parameters are displayed:
LED Intensity Timers
◆ Time – Time at which LED intensity is set.
◆ Intensity – LED intensity (Range: 0-100%, in increments of 10%, where 0% means off and 100% means full power)
Maintenance
◆ On time at link change – LEDs set at full intensity for a specified period when a link change occurs. (Default: 10 seconds)
◆ On at errors – LEDs set at full intensity when a link error occurs.
REDUCING POWER TO IDLE QUEUE CIRCUITS
Use the EEE Configuration page to configure Energy Efficient Ethernet (EEE) for specified queues, and to specify urgent queues which are to transmit data after maximum latency expires regardless of queue length.

PATH
Configuration, Power Reduction, EEE

COMMAND USAGE
◆ EEE works by powering down circuits when there is no traffic. When a port gets data to be transmitted, all relevant circuits are powered up.
Figure 9: Configuring EEE Power Reduction

CONFIGURING THERMAL PROTECTION
Use the Thermal Protection Configuration page to set temperature priority levels, and assign those priorities for port shut-down if exceeded.

PATH
Configuration, Thermal Protection

COMMAND USAGE
Thermal protection is used to protect the switch ASIC from overheating.
WEB INTERFACE
To configure thermal protection:
1. Click Configuration, Thermal Protection.
2. Select the circuits which will use EEE.
3. Set the temperature threshold for each priority, and then assign a priority level to each of the ports.
4. Click Save.

Figure 10: Configuring Thermal Protection

CONFIGURING PORT CONNECTIONS
Use the Port Configuration page to configure the connection parameters for each port.
◆ Speed – Sets the port speed and duplex mode using auto-negotiation or manual selection. The following options are supported:
■ Disabled - Disables the interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also disable an interface for security reasons.
■ Auto - Enables auto-negotiation.
◆ Power Control – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
CONFIGURING SECURITY
You can configure this switch to authenticate users logging into the system for management access or to control client access to the data ports.

Management Access Security (Switch menu) – Management access to the switch can be controlled through local authentication of user names and passwords stored on the switch, or remote authentication of users via a RADIUS or TACACS+ server.
be used for an administrator account, privilege level 10 for a standard user account, and privilege level 5 for a guest account.

PARAMETERS
These parameters are displayed:
◆ User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16)
◆ Password – Specifies the user password.
Figure 13: Configuring User Accounts

CONFIGURING USER PRIVILEGE LEVELS
Use the Privilege Levels page to set the privilege level required to read or configure specific software modules or system settings.

PATH
Configuration, Security, Switch, Privilege Levels

PARAMETERS
These parameters are displayed:
◆ Group Name – The name identifying a privilege group. In most cases, a privilege group consists of a single module (e.g.
■ 5 – Read access of all system functions except for maintenance and debugging
■ 10 – Read and write access of all system functions except for maintenance and debugging
■ 15 – Read and write access of all system functions including maintenance and debugging

WEB INTERFACE
To configure privilege levels:
1. Click Configuration, Security, Switch, Privilege Levels.
2. Set the required privilege level for any software module or functional group.
3.
CONFIGURING THE AUTHENTICATION METHOD FOR MANAGEMENT ACCESS
Use the Authentication Method Configuration page to specify the authentication method for controlling management access through the console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled with a RADIUS or TACACS+ remote access authentication server.
management access via Telnet, SSH, a web browser, or the console interface.
◆ When using RADIUS or TACACS+ logon authentication, the user name and password must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client.
Figure 16: Authentication Method for Management Access

CONFIGURING SSH
Use the SSH Configuration page to configure access to the Secure Shell (SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication.
WEB INTERFACE
To configure SSH:
1. Click Configuration, Security, Switch, SSH.
2. Enable SSH if required.
3. Click Save.

Figure 17: SSH Configuration

CONFIGURING HTTPS
Use the HTTPS Configuration page to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.
◆ The following web browsers and operating systems currently support HTTPS:

Table 5: HTTPS System Support
Web Browser: Operating System
Internet Explorer 5.0 or later: Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Windows Vista, Windows 7
Netscape 6.2 or later: Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Windows Vista, Solaris 2.6
Mozilla Firefox 2.0.0.
PARAMETERS
These parameters are displayed:
◆ Mode – Enables or disables filtering of management access based on configured IP addresses. (Default: Disabled)
◆ Start IP Address – The starting address of a range.
◆ End IP Address – The ending address of a range.
◆ HTTP/HTTPS – Filters IP addresses for access to the web interface over standard HTTP, or over HTTPS which uses the Secure Socket Layer (SSL) protocol to provide an encrypted connection.
USING SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Table 6: SNMP Security Models and Levels (Continued)
Model / Level / Community String / Group / Read View / Write View / Security
v3 / noAuth NoPriv / user defined / default_rw_group / default_view / default_view / A user name match only
v3 / Auth NoPriv / user defined / user defined / user defined / user defined / Provides user authentication via MD5 or SHA algorithms
v3 / Auth Priv / user defined / user defined / user defined / user defined / Provides user authenticatio
community string is associated with SNMPv1 or SNMPv2 clients in the SNMPv3 Communities table (page 69).
◆ Engine ID - The SNMPv3 engine ID. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s; Default: 800007e5017f000001) An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.
◆ Trap Inform Timeout - The number of seconds to wait for an acknowledgment before resending an inform message.
3. In the SNMP Trap Configuration table, enable the Trap Mode to allow the switch to send SNMP traps. Specify the trap version, trap community, and IP address of the management station that will receive trap messages, either as an IPv4 or IPv6 address. Select the trap types to issue, and set the trap inform settings for SNMP v2c or v3 clients. For SNMP v3 clients, configure the security engine ID and security name used in v3 trap and inform messages.
◆ Community - Specifies the community strings which allow access to the SNMP agent. (Range: 1-32 characters, ASCII characters 33-126 only; Default: public, private) For SNMPv3, these strings are treated as a Security Name, and are mapped as an SNMPv1 or SNMPv2 community string in the SNMPv3 Groups Configuration table (see "Configuring SNMPv3 Groups" on page 72).
◆ Source IP - Specifies the source address of an SNMP client.
PARAMETERS
These parameters are displayed:
◆ Engine ID - The engine identifier for the SNMP agent on the remote device where the user resides. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s) To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
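The Python below is an added audit example, not code from this manual or its vendor. It checks an SNMP configuration against the rules stated in this chapter: the Table 2 defaults, the Community parameter's character range, the Engine ID range and default, and the Table 6 security levels. The dictionary layout of the configuration and the sample configurations are this example's own constructions.

```python
"""Audit SNMP settings against the rules and defaults stated in this chapter.

Added example, not code from the manual or the switch vendor. It applies:
the Table 2 defaults (community strings "public" read-only and "private"
read/write, SNMPv3 group default_rw_group); the Community parameter range
(1-32 characters, ASCII 33-126); the Engine ID range (10-64 hex digits,
not all 0s or all Fs, default 800007e5017f000001); and the Table 6
security levels, where noAuth NoPriv is a user name match only, Auth
NoPriv authenticates with MD5 or SHA, and Auth Priv also encrypts.
The dictionary layout of the configuration is this example's assumption.
"""
from typing import Dict, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}        # Table 2 factory defaults
DEFAULT_ENGINE_ID = "800007e5017f000001"           # default stated above
DEFAULT_RW_GROUP = "default_rw_group"

# Table 6: security level -> (user authenticated, messages encrypted)
SECURITY_LEVELS: Dict[str, Tuple[bool, bool]] = {
    "noAuth NoPriv": (False, False),
    "Auth NoPriv": (True, False),
    "Auth Priv": (True, True),
}


def valid_community(name: str) -> bool:
    """Range: 1-32 characters, ASCII characters 33-126 only."""
    return 1 <= len(name) <= 32 and all(33 <= ord(c) <= 126 for c in name)


def valid_engine_id(engine_id: str) -> bool:
    """Range: 10-64 hex digits, excluding a string of all 0s or all Fs."""
    if not 10 <= len(engine_id) <= 64:
        return False
    if any(c not in "0123456789abcdefABCDEF" for c in engine_id):
        return False
    return engine_id.lower() not in ("0" * len(engine_id), "f" * len(engine_id))


def audit_snmp(config: dict) -> List[str]:
    """Return one finding per weak or invalid setting (empty list = clean)."""
    findings: List[str] = []
    if not config.get("agent_enabled", False):     # Table 2: agent disabled by default
        return findings
    for name in config.get("communities", []):
        if not valid_community(name):
            findings.append(f"community {name!r}: outside 1-32 printable ASCII characters")
        elif name in DEFAULT_COMMUNITIES:
            findings.append(f"community {name!r}: factory default string still in use")
    engine_id = config.get("engine_id", "")
    if not valid_engine_id(engine_id):
        findings.append(f"engine ID {engine_id!r}: not 10-64 hex digits, or all 0s/Fs")
    elif engine_id.lower() == DEFAULT_ENGINE_ID:
        findings.append("engine ID: factory default still in use")
    for user in config.get("v3_users", []):
        authenticated, encrypted = SECURITY_LEVELS[user["level"]]
        who = f"v3 user {user['name']!r}"
        if not authenticated:
            findings.append(f"{who}: noAuth NoPriv is a user name match only")
        elif not encrypted:
            findings.append(f"{who}: authenticated, but requests and replies are not encrypted")
        if user.get("group") == DEFAULT_RW_GROUP and not encrypted:
            findings.append(f"{who}: read/write group without privacy")
    return findings


# Constructed configurations: the factory defaults with the agent turned
# on, and a hardened variant with a single Auth Priv user.
FACTORY_WITH_AGENT_ON = {
    "agent_enabled": True,
    "communities": ["public", "private"],
    "engine_id": DEFAULT_ENGINE_ID,
    "v3_users": [],
}
HARDENED = {
    "agent_enabled": True,
    "communities": [],
    "engine_id": "800007e5017f0a1b2c3d",           # constructed, non-default
    "v3_users": [{"name": "netops", "level": "Auth Priv", "group": DEFAULT_RW_GROUP}],
}

if __name__ == "__main__":
    for line in audit_snmp(FACTORY_WITH_AGENT_ON):
        print(line)
    print("hardened findings:", audit_snmp(HARDENED))
```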
4. Define the user name, security level, authentication and privacy settings.
5. Click Save.

Figure 22: SNMPv3 User Configuration

CONFIGURING SNMPV3 GROUPS
Use the SNMPv3 Group Configuration page to configure SNMPv3 groups. An SNMPv3 group defines the access policy for assigned users, restricting them to specific read and write views as defined on the SNMPv3 Access Configuration page (page 74).
4. Select the security name. For SNMP v1 and v2c, the security names displayed are based on those configured in the SNMPv3 Communities menu. For USM, the security names displayed are based on those configured in the SNMPv3 Users Configuration menu.
5. Enter a group name. Note that the views assigned to a group must be specified on the SNMP Accesses Configuration menu (see page 74).
6. Click Save.
WEB INTERFACE
To configure SNMPv3 views:
1. Click Configuration, Security, Switch, SNMP, Views.
2. Click “Add new view” to set up a new view.
3. Enter the view name, view type, and OID subtree.
4. Click Save.

Figure 24: SNMPv3 View Configuration

CONFIGURING SNMPV3 GROUP ACCESS RIGHTS
Use the SNMPv3 Access Configuration page to assign portions of the MIB tree to which each SNMPv3 group is granted access.
◆ Write View Name - The configured view for write access. (Range: 1-32 characters, ASCII characters 33-126 only)

WEB INTERFACE
To configure SNMPv3 group access rights:
1. Click Configuration, Security, Switch, SNMP, Access.
2. Click Add New Access to create a new entry.
3. Specify the group name, security settings, read view, and write view.
4. Click Save.
◆ Aging Period – If Aging Enabled is checked, then the aging period is controlled with this parameter. If other modules are using the underlying port security for securing MAC addresses, they may have other requirements for the aging period. The underlying port security will use the shortest requested aging period of all modules that use this functionality.
■ Ready: The limit is not yet reached. This can be shown for all Actions.
■ Limit Reached: Indicates that the limit is reached on this port. This state can only be shown if Action is set to None or Trap.
■ Shutdown: Indicates that the port is shut down by the Limit Control module. This state can only be shown if Action is set to Shutdown or Trap & Shutdown.
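The following Python is an added model of the Limit Control behaviour described by the Aging Period parameter and the State list above; it is not the switch's firmware. The class and method names, the constructed traffic, and the assumptions about what happens at the moment the limit is exceeded are this example's own.

```python
"""Model of the Limit Control states and actions described above.

Added example, not the switch firmware. It follows the page: a port
secures up to `limit` MAC addresses; Ready means the limit is not yet
reached; Limit Reached is shown only for the None and Trap actions;
Shutdown is shown only for the Shutdown and Trap & Shutdown actions; and,
when aging is enabled, idle addresses expire after the aging period.
What happens at the exact moment the limit is exceeded (trap sent, port
shut down), and that a shut-down port stays down until an administrator
reopens it, are this model's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

READY, LIMIT_REACHED, SHUTDOWN = "Ready", "Limit Reached", "Shutdown"
ACTIONS = ("None", "Trap", "Shutdown", "Trap & Shutdown")


@dataclass
class PortLimitControl:
    port: int
    limit: int
    action: str = "None"
    aging_enabled: bool = False
    aging_period: int = 3600                                 # seconds
    learned: Dict[str, float] = field(default_factory=dict)  # MAC -> last seen
    state: str = READY
    traps: List[str] = field(default_factory=list)           # trap messages sent

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def age_out(self, now: float) -> None:
        """Drop addresses idle for a full aging period; a port that was at
        Limit Reached returns to Ready once it is below the limit again."""
        if not self.aging_enabled:
            return
        for mac in [m for m, seen in self.learned.items()
                    if now - seen >= self.aging_period]:
            del self.learned[mac]
        if self.state == LIMIT_REACHED and len(self.learned) < self.limit:
            self.state = READY

    def frame_from(self, mac: str, now: float) -> bool:
        """Handle an ingress frame from `mac`; return True if it is forwarded."""
        self.age_out(now)
        if self.state == SHUTDOWN:
            return False                     # a shut-down port drops everything
        if mac in self.learned:
            self.learned[mac] = now          # refresh a secured address
            return True
        if len(self.learned) < self.limit:
            self.learned[mac] = now
            if len(self.learned) == self.limit and self.action in ("None", "Trap"):
                self.state = LIMIT_REACHED   # only shown for None / Trap
            return True
        # A new address while the limit is already in use: apply the Action.
        if "Trap" in self.action:
            self.traps.append(f"port {self.port}: limit {self.limit} exceeded by {mac}")
        if "Shutdown" in self.action:
            self.state = SHUTDOWN
        return False

    def reopen(self) -> None:
        """Administrative reopen of a shut-down port (assumption: aging
        alone never clears the Shutdown state)."""
        if self.state == SHUTDOWN:
            self.learned.clear()
            self.state = READY


def run_scenario(action: str) -> PortLimitControl:
    """Constructed traffic: three distinct MACs arrive on a port limited to two."""
    ctl = PortLimitControl(port=1, limit=2, action=action,
                           aging_enabled=True, aging_period=60)
    for mac, t in (("00:11:22:33:44:01", 0), ("00:11:22:33:44:02", 1),
                   ("00:11:22:33:44:03", 2)):
        forwarded = ctl.frame_from(mac, t)
        print(f"{action:16} t={t} {mac} forwarded={forwarded} state={ctl.state}")
    return ctl


if __name__ == "__main__":
    for a in ACTIONS:
        run_scenario(a)
```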
standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.

Figure 27: Using Port Security (diagram labels: 802.1x client, RADIUS server)
The operation of 802.1X on the switch requires the following:
◆ The switch must have an IP address assigned (see page 42).
◆ RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. Backend RADIUS servers are configured on the Authentication Configuration page (see page 109).
◆ 802.1X / MAC-based authentication must be enabled globally for the switch.
System Configuration
◆ Mode - Indicates if 802.1X and MAC-based authentication are globally enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames.
◆ Reauthentication Enabled - Sets clients to be re-authenticated after an interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port.
In MAC-based Authentication mode, the switch will ignore new frames coming from the client during the hold time.
◆ RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.
For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps.
■ If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1”.
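The Filter-ID parsing rules above (name=value pairs separated by semicolons, first duplicate wins), as an added example that is not the switch's own code; the tolerance for surrounding whitespace and the handling of a non-numeric rate limit are assumptions made for this illustration.

```python
# Added example (not code from the manual or the switch): parse a RADIUS
# Filter-ID value of the form "name=value;name=value" using the rule given
# above: when a profile name is repeated, only the first occurrence is used.
from typing import Dict, Optional, Tuple

# Attribute names shown in the manual's examples.
DIFFSERV_KEY = "service-policy-in"
RATE_LIMIT_KEY = "rate-limit-input"


def parse_filter_id(value: str) -> Dict[str, str]:
    """Split the attribute on ';' and keep the first value seen for each name.

    Whitespace around names and values is tolerated and items without '='
    are skipped; both are assumptions for this example, not manual rules.
    """
    profiles: Dict[str, str] = {}
    for item in value.split(";"):
        name, sep, val = item.strip().partition("=")
        name, val = name.strip(), val.strip()
        if not sep or not name:
            continue
        if name not in profiles:      # duplicate profile: only the first is used
            profiles[name] = val
    return profiles


def radius_qos_assignment(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (DiffServ profile name, ingress rate limit in kbps).

    A rate limit that is not a non-negative integer is treated as "no rate
    limit assigned" (assumption for this example).
    """
    profiles = parse_filter_id(value)
    policy = profiles.get(DIFFSERV_KEY) or None
    rate: Optional[int] = None
    raw = profiles.get(RATE_LIMIT_KEY)
    if raw is not None and raw.isdigit():
        rate = int(raw)
    return policy, rate


if __name__ == "__main__":
    # The two constructed attribute values from the manual's text.
    print(radius_qos_assignment("service-policy-in=pp1;rate-limit-input=100"))
    print(radius_qos_assignment("service-policy-in=p1;service-policy-in=p2"))
```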
assigned VLAN is enabled for that port. When unchecked, RADIUS-server assigned VLAN is disabled for all ports. When RADIUS-Assigned VLAN is both globally enabled and enabled for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated.
after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below. The “Guest VLAN Enabled” checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the individual port settings determine whether the port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled for all ports.
◆ Allow Guest VLAN if EAPOL Seen - The switch remembers if an EAPOL frame has been received on the port for the lifetime of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (the default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of the port.
The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.
■ MAC-based Auth. - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port.
(see page 158). Static addresses are treated as authenticated without sending a request to a RADIUS server.
■ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ RADIUS-Assigned QoS Enabled - Enables or disables this feature for a given port. Refer to the description of this feature under the System Configuration section.
2. Modify the required attributes.
3. Click Save.
Figure 28: Network Access Server Configuration
FILTERING TRAFFIC WITH ACCESS CONTROL LISTS An Access Control List (ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the conditions in an ACL one by one.
PARAMETERS These parameters are displayed:
◆ Port - Port Identifier.
◆ Policy ID - An ACL policy configured on the ACE Configuration page (page 93). (Range: 1-8; Default: 1, which is undefined)
◆ Action - Permits or denies a frame based on whether it matches a rule defined in the assigned policy. (Default: Permit)
◆ Rate Limiter ID - Specifies a rate limiter (page 90) to apply to the port.
3. Repeat the preceding step for each port to which an ACL will be applied.
4. Click Save.
Figure 29: ACL Port Configuration
CONFIGURING RATE LIMITERS Use the ACL Rate Limiter Configuration page to define the rate limits applied to a port (as configured either through the ACL Ports Configuration menu (page 88) or the Access Control List Configuration menu (page 91)).
Figure 30: ACL Rate Limiter Configuration
CONFIGURING ACCESS CONTROL LISTS Use the Access Control List Configuration page to define filtering rules for an ACL policy, for a specific port, or for all ports. Rules applied to a port take effect immediately, while those defined for a policy must be mapped to one or more ports using the ACL Ports Configuration menu (page 88).
matches this entry when ARP/RARP protocol address space setting is equal to IP (0x800)
■ IPv4 frames (based on destination MAC address, protocol type, TTL, IP fragment, IP option flag, source/destination IP, VLAN ID, VLAN priority)
PARAMETERS These parameters are displayed:
ACCESS CONTROL LIST CONFIGURATION
◆ Ingress Port - Any port, port identifier, or policy.
◆ Frame Type - The type of frame to match.
ACE CONFIGURATION
Ingress Port and Frame Type
◆ Ingress Port - Any port, port identifier, or policy. (Options: Any port, Port 1-10, Policy 1-8; Default: Any)
◆ Frame Type - The type of frame to match. (Options: Any, Ethernet, ARP, IPv4; Default: Any)
Filter Criteria Based on Selected Frame Type
◆ Ethernet: MAC Parameters
■ SMAC Filter - The type of source MAC address.
opcode flag set, Reply - frame must have ARP Reply or RARP Reply opcode flag; Default: Any)
■ Sender IP Filter - Specifies the sender’s IP address. (Options: Any - no sender IP filter is specified, Host - specifies the sender IP address in the SIP Address field, Network - specifies the sender IP address and sender IP mask in the SIP Address and SIP Mask fields; Default: Any)
■ Target IP Filter - Specifies the destination IP address.
◆ IPv4: MAC Parameters
■ DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast; Default: Any)
IP Parameters
■ IP Protocol Filter - Specifies the IP protocol to filter for this rule. (Options: Any, ICMP, UDP, TCP, Other; Default: Any) The following additional fields are displayed when these protocol filters are selected.
entry, 1 - TCP frames where the SYN field is set must match this entry; Default: Any)
■ TCP RST - Specifies the TCP “Reset the connection” (RST) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the RST field is set must not match this entry, 1 - TCP frames where the RST field is set must match this entry; Default: Any)
■ TCP PSH - Specifies the TCP “Push Function” (PSH) value for this rule.
specifies the destination IP address and destination IP mask in the DIP Address and DIP Mask fields; Default: Any)
Response to take when a rule is matched
◆ Action - Permits or denies a frame based on whether it matches an ACL rule. (Default: Permit)
◆ Rate Limiter - Specifies a rate limiter (page 90) to apply to the port. (Range: 1-16; Default: Disabled)
◆ Port Copy - Defines a port to which matching frames are copied.
WEB INTERFACE To configure an Access Control List for a port or a policy:
1. Click Configuration, Security, Network, ACL, Access Control List.
2. Click the button to add a new ACL, or use the other ACL modification buttons to specify the editing action (i.e., edit, delete, or moving the relative position of entry in the list).
3.
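To make the ACE parameters above concrete (ingress port, frame type, IP protocol filter, DIP filter, tri-state TCP flag filters, permit/deny action, first match wins), here is an added first-match evaluator that is not the switch's own code; the field names, the sample policy and the "no ACE matched means permit" default are assumptions for this illustration.

```python
# Added example, not code from the manual or the switch: a first-match
# evaluator for the ACE parameters described above. Only the IPv4 criteria
# listed in the text are modelled; Ethernet/ARP sub-criteria are left out.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Ace:
    action: str = "permit"                    # "permit" or "deny"
    ingress_ports: Optional[Set[int]] = None  # None = Any port
    frame_type: str = "any"                   # any | ethernet | arp | ipv4
    ip_protocol: str = "any"                  # any | icmp | udp | tcp | other
    dip: Optional[str] = None                 # None = Any; "10.0.0.5" (Host) or "10.0.0.0/24" (Network)
    tcp_syn: Optional[int] = None             # None = Any, 0 = must not be set, 1 = must be set
    tcp_rst: Optional[int] = None
    tcp_psh: Optional[int] = None


@dataclass
class Frame:
    port: int                                 # ingress port
    frame_type: str                           # ethernet | arp | ipv4
    ip_protocol: str = ""                     # icmp | udp | tcp | any other protocol name
    dst_ip: str = ""
    syn: int = 0
    rst: int = 0
    psh: int = 0


def _flag_ok(wanted: Optional[int], actual: int) -> bool:
    """Tri-state flag filter: Any (None) always matches, 0/1 must equal the frame's bit."""
    return wanted is None or wanted == actual


def ace_matches(ace: Ace, frame: Frame) -> bool:
    """Return True when every configured filter of the ACE matches the frame."""
    if ace.ingress_ports is not None and frame.port not in ace.ingress_ports:
        return False
    if ace.frame_type != "any" and ace.frame_type != frame.frame_type:
        return False
    if ace.frame_type != "ipv4":
        return True                           # no further criteria modelled for Any/Ethernet/ARP
    if ace.ip_protocol == "other":            # "Other" = anything except ICMP/UDP/TCP
        if frame.ip_protocol in ("icmp", "udp", "tcp"):
            return False
    elif ace.ip_protocol != "any" and ace.ip_protocol != frame.ip_protocol:
        return False
    if ace.dip is not None and ip_address(frame.dst_ip) not in ip_network(ace.dip, strict=False):
        return False
    if ace.ip_protocol == "tcp":              # TCP flag filters only exist when the filter is TCP
        return (_flag_ok(ace.tcp_syn, frame.syn)
                and _flag_ok(ace.tcp_rst, frame.rst)
                and _flag_ok(ace.tcp_psh, frame.psh))
    return True


def evaluate_acl(acl: List[Ace], frame: Frame) -> str:
    """Test the frame against the ACEs one by one; the first match decides."""
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.action
    return "permit"                           # assumption: unmatched frames are permitted


# Constructed sample policy: access ports 1-8 may not open new TCP
# connections (SYN set) toward the management subnet; everything else passes.
SAMPLE_ACL = [
    Ace(action="deny", ingress_ports=set(range(1, 9)), frame_type="ipv4",
        ip_protocol="tcp", dip="192.168.10.0/24", tcp_syn=1),
    Ace(action="permit"),
]

if __name__ == "__main__":
    syn = Frame(port=3, frame_type="ipv4", ip_protocol="tcp", dst_ip="192.168.10.7", syn=1)
    print(evaluate_acl(SAMPLE_ACL, syn))      # deny
```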
CONFIGURING DHCP SNOOPING Use the DHCP Snooping Configuration page to filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
■ If the DHCP packet is not a recognizable type, it is dropped.
■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
■ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
Figure 32: DHCP Snooping Configuration
CONFIGURING DHCP RELAY AND OPTION 82 INFORMATION Use the DHCP Relay Configuration page to configure DHCP relay service for attached host devices. If a subnet does not include a DHCP server, you can relay DHCP client requests to a DHCP server on another subnet.
PARAMETERS These parameters are displayed:
◆ Relay Mode - Enables or disables the DHCP relay function. (Default: Disabled)
◆ Relay Server - IP address of DHCP server to be used by the switch's DHCP relay agent.
◆ Relay Information Mode - Enables or disables the DHCP Relay Option 82 support. Note that Relay Mode must also be enabled for Relay Information Mode to take effect.
CONFIGURING GLOBAL AND PORT SETTINGS FOR IP SOURCE GUARD Use the IP Source Guard Configuration page to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
NOTE: DHCP snooping must be enabled for dynamic clients to be learned automatically.
◆ Port – Port identifier
◆ Mode – Enables or disables IP Source Guard on the specified ports. Only when both Global Mode and Port Mode on a given port are enabled, will ARP Inspection take effect on a given port. (Default: Disabled)
◆ Max Dynamic Clients – Specifies the maximum number of dynamic clients that can be learned on given ports.
CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Static IP Source Guard Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, IP address, and subnet mask. All static entries are configured with an infinite lease time.
Figure 35: Configuring Static Bindings for IP Source Guard
CONFIGURING ARP INSPECTION ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
changes will only become active after ARP Inspection is enabled globally again.
◆ ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings.
NOTE: DHCP snooping must be enabled for dynamic clients to be learned automatically.
Figure 36: Configuring Global and Port Settings for ARP Inspection
CONFIGURING STATIC BINDINGS FOR ARP INSPECTION Use the Static ARP Inspection Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, source MAC address in ARP request packets, and source IP address in ARP request packets. ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings.
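The ARP Inspection decision described above (a sender MAC/IP pair is valid only if a dynamic DHCP snooping binding or a static binding ties it to the ingress port and VLAN, and inspection is active only when both the global and the port mode are enabled), as an added model that is not the switch firmware; the class and field names, the constructed bindings and the "uninspected" result for ports where inspection is off are assumptions.

```python
# Added example, not code from the manual or the switch: a small model of
# ARP Inspection using the binding fields the text lists (port, VLAN,
# source MAC, source IP). Dynamic bindings stand in for the DHCP snooping
# database; static bindings stand in for the Static ARP Inspection Table.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Binding:
    port: int
    vlan: int
    mac: str
    ip: str


@dataclass
class ArpPacket:
    port: int           # ingress port
    vlan: int
    sender_mac: str
    sender_ip: str


def _norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class ArpInspector:
    global_enabled: bool = False
    enabled_ports: Set[int] = field(default_factory=set)
    dynamic: List[Binding] = field(default_factory=list)   # learned via DHCP snooping
    static: List[Binding] = field(default_factory=list)    # Static ARP Inspection Table

    def add_dynamic(self, b: Binding) -> None:
        self.dynamic.append(Binding(b.port, b.vlan, _norm_mac(b.mac), b.ip))

    def add_static(self, b: Binding) -> None:
        self.static.append(Binding(b.port, b.vlan, _norm_mac(b.mac), b.ip))

    def dhcp_snooping_disabled(self) -> None:
        """Globally disabling DHCP snooping removes every dynamic binding."""
        self.dynamic.clear()

    def is_active(self, port: int) -> bool:
        """Inspection takes effect only when both global and port modes are enabled."""
        return self.global_enabled and port in self.enabled_ports

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward', 'drop' or 'uninspected' for an ARP packet on a port."""
        if not self.is_active(pkt.port):
            return "uninspected"
        wanted = Binding(pkt.port, pkt.vlan, _norm_mac(pkt.sender_mac), pkt.sender_ip)
        if wanted in self.dynamic or wanted in self.static:
            return "forward"
        return "drop"   # sender claims a MAC/IP pair not bound to this port/VLAN


if __name__ == "__main__":
    # Constructed bindings: one DHCP-learned host on port 3, one static host on port 7.
    insp = ArpInspector(global_enabled=True, enabled_ports={3, 7})
    insp.add_dynamic(Binding(3, 10, "AA-BB-CC-00-00-01", "10.1.10.20"))
    insp.add_static(Binding(7, 10, "00:11:22:33:44:55", "10.1.10.50"))
    print(insp.inspect(ArpPacket(3, 10, "aa:bb:cc:00:00:01", "10.1.10.20")))  # forward
    print(insp.inspect(ArpPacket(3, 10, "aa:bb:cc:00:00:01", "10.1.10.1")))   # drop
```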
3. Enter the required bindings for a given port.
4. Click Save.
Figure 37: Configuring Static Bindings for ARP Inspection
SPECIFYING AUTHENTICATION SERVERS Use the Authentication Server Configuration page to control management access based on a list of user names and passwords configured on a RADIUS or TACACS+ remote access authentication server, and to authenticate client access for IEEE 802.
◆ Port – Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 0) If the UDP port is set to 0 (zero), the switch will use 1812 for RADIUS authentication servers, 1813 for RADIUS accounting servers, or 49 for TACACS+ authentication servers.
◆ Secret – Encryption key used to authenticate logon access for the client. (Maximum length: 29 characters) To set an empty secret, use two quotes (“”).
CREATING TRUNK GROUPS You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
CONFIGURING STATIC TRUNKS Use the Aggregation Mode Configuration page to configure the aggregation mode and members of each static trunk group.
PATH Configuration, Aggregation, Static
USAGE GUIDELINES
◆ When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer's implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
■ Destination MAC Address – All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-router trunk links where the destination MAC address is the same for all traffic.
Figure 39: Static Trunk Configuration
CONFIGURING LACP Use the LACP Port Configuration page to enable LACP on selected ports, configure the administrative key, and the protocol initiation mode.
PATH Configuration, Aggregation, LACP
USAGE GUIDELINES
◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
■ Ports must have the same LACP Admin Key. Using autoconfiguration of the Admin Key will avoid this problem.
■ One of the ports at either the near end or far end must be set to active initiation mode.
◆ Aggregation Mode Configuration located under the Static Aggregation menu (see "Configuring Static Trunks" on page 112) also applies to LACP.
PARAMETERS These parameters are displayed:
◆ Port – Port identifier.
Figure 40: LACP Port Configuration
CONFIGURING THE SPANNING TREE ALGORITHM The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Figure 41: STP Root Ports and Designated Ports
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 122). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
◆ Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
■ STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.
◆ Bridge Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.
Advanced Settings
◆ Edge Port BPDU Filtering – BPDU filtering allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. By default, STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port. BPDU filtering is configured on a per-port basis. (Default: Disabled)
◆ Edge Port BPDU Guard – This feature protects edge ports from receiving BPDUs.
Figure 44: STA Bridge Configuration
CONFIGURING MULTIPLE SPANNING TREES Use the MSTI Mapping page to add VLAN groups to an MSTP instance (MSTI), or to designate the name and revision of the VLAN-to-MSTI mapping used on this switch.
PATH Configuration, Spanning Tree, MSTI Mapping
COMMAND USAGE MSTP generates a unique spanning tree for each instance.
3. Enter the spanning tree priority for the CIST and selected MST instance on the MSTI Priorities page.
NOTE: All VLANs are automatically added to the CIST (MST Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
PARAMETERS These parameters are displayed:
Configuration Identification
◆ Configuration Name – The name for this MSTI.
Figure 45: Adding a VLAN to an MST Instance
CONFIGURING SPANNING TREE BRIDGE PRIORITIES Use the MSTI Priorities page to configure the bridge priority for the CIST and any configured MSTI. Remember that RSTP looks upon each MST Instance as a single bridge node.
PATH Configuration, Spanning Tree, MSTI Properties
PARAMETERS These parameters are displayed:
◆ MSTI – Instance identifier to configure.
WEB INTERFACE To add VLAN groups to an MSTP instance:
1. Click Configuration, Spanning Tree, MSTI Priorities.
2. Set the bridge priority for the CIST or any configured MSTI.
3. Click Save.
Figure 46: Configuring STA Bridge Priorities
CONFIGURING STP/RSTP/CIST INTERFACES Use the CIST Ports Configuration page to configure STA attributes for interfaces when the spanning tree mode is set to STP or RSTP, or for interfaces in the CIST.
changes, thereby combining remote network segments into a single spanning tree. As implemented on this switch, BPDU transparency allows a port which is not participating in the spanning tree (such as an uplink port to the service provider’s network) to forward BPDU packets to other ports instead of discarding these packets or attempting to process them.
detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. (Range: 0-240, in steps of 16; Default: 128)
◆ Admin Edge (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
◆ Point-to-Point – The link type attached to an interface can be set to automatically detect the link type, or manually configured as point-to-point or shared medium. Transition to the forwarding state is faster for point-to-point links than for shared media. These options are described below:
■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared medium.
CONFIGURING MSTI INTERFACES Use the MSTI Ports Configuration page to configure STA attributes for interfaces in a specific MSTI, including path cost, and port priority. You may use a different priority or path cost for ports of the same media type to indicate the preferred path. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
Figure 48: MSTI Port Configuration
MULTICAST VLAN REGISTRATION Use the MVR Configuration page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and to configure each interface that participates in the MVR protocol as a source port or receiver port.
Figure 49: MVR Concept
PATH Configuration, MVR
COMMAND USAGE
◆ General Configuration Guidelines for MVR:
1. Enable MVR globally on the switch, and select the MVR VLAN.
2. Set the interfaces that will join the MVR as source ports or receiver ports.
3.
◆ MVR VLAN – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR. MVR source ports should be configured as members of the MVR VLAN, but MVR receiver ports should not be manually configured as members of this VLAN. (Default: 100)
Port Configuration
◆ Port – Port identifier.
◆ Mode – Sets the MVR operational mode for any port. MVR must also be globally enabled on the switch for this setting to take effect.
Figure 50: Configuring MVR
IGMP SNOOPING Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).
CONFIGURING GLOBAL AND PORT-RELATED SETTINGS FOR IGMP SNOOPING Use the IGMP Snooping Configuration page to configure global and port-related settings which control the forwarding of multicast traffic. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
last dynamic member port in the group, the receiving port is not a router port, and no IGMPv1 member port exists in the group, the switch will generate and send a group-specific (GS) query to the member port which received the leave message, and then start the last member query timer for that port.
If Fast Leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, Fast Leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping. Fast Leave is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used.
CONFIGURING VLAN SETTINGS FOR IGMP SNOOPING AND QUERY Use the IGMP Snooping VLAN Configuration page to configure IGMP snooping and query for a VLAN interface.
PATH Configuration, IPMC, IGMP Snooping, VLAN Configuration
PARAMETERS These parameters are displayed:
◆ VLAN ID - VLAN Identifier.
◆ Snooping Enabled - When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic.
◆ QRI - The Query Response Interval is the Max Response Time advertised in periodic General Queries. The QRI applies when the switch is serving as the querier, and is used to inform other devices of the maximum time this system waits for a response to general queries. (Range: 10-31744 tenths of a second; Default: 10 seconds)
◆ LLQI - The Last Member Query Interval (RFC 3810 – MLDv2 for IP) is used to configure the Last Member Query Interval for IGMP.
CONFIGURING IGMP FILTERING Use the IGMP Snooping Port Group Filtering Configuration page to filter specific multicast traffic. In certain switch applications, the administrator may want to control the multicast services that are available to end users; for example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by denying access to specified multicast services on a switch port.
MLD SNOOPING Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. This switch supports MLD protocol version 1.
Once the table used to store multicast entries for MLD snooping is filled, no new entries are learned. If no router port is configured in the attached VLAN, and Unregistered IPMCv6 Flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
◆ Leave Proxy Enabled - Suppresses leave messages unless received from the last member port in the group.
The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the Fast Leave function is enabled. This allows the switch to remove a port from the multicast forwarding table without first having to send an MLD group-specific (GS) query to that interface. If Fast Leave is not used, a multicast router (or querier) will send a GS-query message when a group leave message is received.
Figure 54: Configuring Global and Port-related Settings for MLD Snooping
CONFIGURING VLAN SETTINGS FOR MLD SNOOPING AND QUERY Use the MLD Snooping VLAN Configuration page to configure MLD snooping and query for a VLAN interface.
PATH Configuration, IPMC, MLD Snooping, VLAN Configuration
PARAMETERS These parameters are displayed:
◆ VLAN ID - VLAN Identifier.
multicast router/switch to ensure that it will continue to receive the multicast service. An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.
This attribute will take effect only if MLD snooping proxy reporting is enabled (see page 140).
◆ URI - The Unsolicited Report Interval specifies how often the upstream interface should transmit unsolicited MLD reports when report suppression/proxy reporting is enabled. (Range: 0-31744 seconds, Default: 1 second)
WEB INTERFACE To configure VLAN settings for MLD snooping and query:
1. Click Configuration, IPMC, MLD Snooping, VLAN Configuration.
2.
2. Click Add New Filtering Group to display a new entry in the table.
3. Select the port to which the filter will be applied.
4. Enter the IP address of the multicast service to be filtered.
5. Click Save.
Figure 56: MLD Snooping Port Group Filtering Configuration
LINK LAYER DISCOVERY PROTOCOL Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
◆ Tx Hold – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below. (Range: 2-10; Default: 3) The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. TTL in seconds is based on the following rule: (Transmission Interval * Transmission Hold Time) ≤ 65536.
If all ports have CDP awareness disabled, the switch forwards CDP frames received from neighbor devices. If at least one port has CDP awareness enabled, all CDP frames are terminated by the switch. When CDP awareness for a port is disabled, the CDP information is not removed immediately, but will be removed when the hold time is exceeded.
◆ Optional TLVs - Configures the information included in the TLV field of advertised messages.
5. Specify the information to include in the TLV field of advertised messages.
6. Click Save.
Figure 57: LLDP Configuration
CONFIGURING LLDP-MED TLVS Use the LLDP-MED Configuration page to set the device information which is advertised for end-point devices. LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches.
the limited LLDPDU space and to reduce security and system integrity issues that can come with inappropriate knowledge of the network policy. With this in mind LLDP-MED defines an LLDP-MED Fast Start interaction between the protocol and the application layers on top of the protocol, in order to achieve these related properties. Initially, a Network Connectivity Device will only transmit LLDP TLVs in an LLDPDU.
◆ Map Datum – The Map Datum used for the coordinates given in this Option.
■ WGS84: (Geographical 3D) - World Geodetic System 1984, CRS Code 4327, Prime Meridian Name: Greenwich.
■ NAD83/NAVD88: North American Datum 1983, CRS Code 4269, Prime Meridian Name: Greenwich; The associated vertical datum is the North American Vertical Datum of 1988 (NAVD88).
■ Postal community name - Postal community name. (Example: Leonia)
■ P.O. Box - Post office box (P.O. BOX). (Example: 12345)
■ Additional code - Additional code. (Example: 1320300003)
◆ Emergency Call Service – Emergency Call Service (e.g. 911 and others), such as defined by TIA or NENA. ELIN identifier data format is defined to carry the ELIN identifier as used during emergency call setup to a traditional CAMA or ISDN trunk-based PSAP.
◆ Policy ID – ID for the policy. This is auto-generated and will be used when selecting the policies that will be mapped to the specific ports.
◆ Application Type – Intended use of the application types:
■ Voice - For use by dedicated IP Telephony handsets and other similar appliances supporting interactive voice services.
Tagged indicates that the device is using the IEEE 802.1Q tagged frame format, and that both the VLAN ID and the Layer 2 priority values are being used, as well as the DSCP value. The tagged format includes an additional field, known as the tag header. The tagged frame format also includes priority tagged frames as defined by IEEE 802.1Q-2003.
◆ VLAN ID – VLAN identifier for the port.
Figure 58: LLDP-MED Configuration
POWER OVER ETHERNET
Use the Power Over Ethernet Configuration page to set the maximum PoE power provided to a port, the maximum power budget for the switch (power available to all RJ-45 ports), the port PoE operating mode, power allocation priority, and the maximum power allocated to each port.
draw Class 4 current. Afterwards, the switch exchanges information with the PD such as duty-cycle, peak and average power needs.
◆ All the RJ-45 ports support both the IEEE 802.3af and IEEE 802.3at standards. The total PoE power delivered by all ports cannot exceed the maximum power budget of 80W.
◆ The switch’s power management enables individual port power to be controlled within the switch’s power budget.
accordingly. If no LLDP information is available for a port, the port will reserve power using the class mode. In this mode the Maximum Power fields have no effect. For all modes, if a port uses more power than the power reserved for that port, it is shut down.
3. Specify the port PoE operating mode, port power allocation priority, and the port power budget.
4. Click Save.
Figure 59: Configuring PoE Settings
CONFIGURING THE MAC ADDRESS TABLE
Use the MAC Address Table Configuration page to configure dynamic address learning or to assign static addresses to specific ports. Switches store the addresses for all known devices.
MAC Table Learning
◆ Auto - Learning is done automatically as soon as a frame with an unknown source MAC address is received. (This is the default.)
◆ Disable - No addresses are learned and stored in the MAC address table.
◆ Secure - Only static MAC address entries are used, all other frames are dropped. Make sure that the link used for managing the switch is added to the Static MAC Table before changing to secure learning mode.
Figure 60: MAC Address Table Configuration
IEEE 802.1Q VLANS
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
◆ End stations can belong to multiple VLANs
◆ Passing traffic between VLAN-aware and VLAN-unaware devices
◆ Priority tagging
Assigning Ports to VLANs
Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports.
WEB INTERFACE To configure IEEE 802.1Q VLAN groups:
1. Click Configuration, VLANs, VLAN Membership.
2. Change the ports assigned to the default VLAN (VLAN 1) if required.
3. To configure a new VLAN, click Add New VLAN, enter the VLAN ID, and then mark the ports to be assigned to the new group.
4. Click Save.
◆ Port Type – Configures how a port processes the VLAN ID in ingress frames. (Default: Unaware)
■ C-port – For customer ports, each frame is assigned to the VLAN indicated in the VLAN tag, and the tag is removed.
■ S-port – For service ports, the EtherType of all received frames is changed to 0x88a8 to indicate that double-tagged frames are being forwarded across the switch.
are classified to the Port VLAN ID. If the classified VLAN ID of a frame transmitted on the port is different from the Port VLAN ID, a VLAN tag with the classified VLAN ID is inserted in the frame. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.
CONFIGURING PRIVATE VLANS
Use the Private VLAN Membership Configuration page to assign port members to private VLANs. Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on ports assigned to a private VLAN can only be forwarded to, and from, uplink ports (that is, ports configured as members of both a standard IEEE 802.1Q VLAN and the private VLAN).
Figure 63: Private VLAN Membership Configuration
USING PORT ISOLATION
Use the Port Isolation Configuration page to prevent communications between customer ports within the same private VLAN. Ports within a private VLAN (PVLAN) are isolated from other ports which are not in the same PVLAN. Port Isolation can be used to prevent communications between ports within the same PVLAN.
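The private VLAN and port isolation rules above, modelled as a reachability check that can be used to audit a membership configuration (an added example, not the manual's or the switch's own code). Port numbers, PVLAN IDs and the membership tables are constructed samples, and the assumption that an isolated port may still reach a non-isolated port such as the uplink is ours.

```python
# Added example (not from the manual): a model of the private VLAN and port
# isolation forwarding rules. Membership tables and port numbers are constructed.
from typing import Dict, Iterable, List, Set

# Constructed sample: PVLAN ID -> member ports. Port 1 is the uplink and is a
# member of both private VLANs; ports 2-5 are customer ports.
PVLAN_MEMBERS: Dict[int, Set[int]] = {
    1: {1, 2, 3},
    2: {1, 4, 5},
}

# Constructed sample: customer ports with Port Isolation enabled.
ISOLATED_PORTS: Set[int] = {2, 3}


def shared_pvlans(src: int, dst: int, members: Dict[int, Set[int]]) -> Set[int]:
    """Private VLAN IDs that contain both ports."""
    return {pvid for pvid, ports in members.items() if src in ports and dst in ports}


def can_forward(src: int, dst: int,
                members: Dict[int, Set[int]] = PVLAN_MEMBERS,
                isolated: Set[int] = ISOLATED_PORTS) -> bool:
    """Decide whether a frame may be forwarded from src to dst at Layer 2.

    Rule 1 (private VLAN): the ports must share at least one PVLAN; ports in
    different PVLANs are isolated from each other.
    Rule 2 (port isolation): two ports that both have isolation enabled may not
    exchange traffic even inside one PVLAN. Assumption: an isolated port can
    still reach a non-isolated port, which is how the uplink stays reachable.
    """
    if src == dst:
        return False
    if not shared_pvlans(src, dst, members):
        return False
    if src in isolated and dst in isolated:
        return False
    return True


def reachability_matrix(ports: Iterable[int],
                        members: Dict[int, Set[int]] = PVLAN_MEMBERS,
                        isolated: Set[int] = ISOLATED_PORTS) -> Dict[int, List[int]]:
    """{src: sorted reachable destinations}, for reviewing an isolation design."""
    port_list = list(ports)
    return {p: sorted(q for q in port_list if can_forward(p, q, members, isolated))
            for p in port_list}


if __name__ == "__main__":
    for src, reach in reachability_matrix(range(1, 6)).items():
        print(f"port {src} -> {reach}")
```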
CONFIGURING MAC-BASED VLANS
Use the MAC-based VLAN Membership Configuration page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to the source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
Figure 65: Configuring MAC-Based VLANs
PROTOCOL VLANS
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
CONFIGURING PROTOCOL VLAN GROUPS
Use the Protocol to Group Mapping Table to create protocol groups.
PATH Configuration, VCL, Protocol-based VLANs, Protocol to Group
PARAMETERS These parameters are displayed:
◆ Frame Type – Choose Ethernet, LLC (Logical Link Control), or SNAP (SubNetwork Access Protocol - RFC 1042) as the frame type used by this protocol.
◆ Value – Values which define the specific protocol type.
WEB INTERFACE To configure a protocol group:
1. Click Configuration, VCL, Protocol-based VLANs, Protocol to Group.
2. Click Add new entry.
3. Fill in the frame type, value, and group name.
4. Click Save.
Figure 66: Configuring Protocol VLANs
MAPPING PROTOCOL GROUPS TO PORTS
Use the Group Name to VLAN Mapping Table to map a protocol group to a VLAN for each interface that will participate in the group.
◆ VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4095)
◆ Port Members – Ports assigned to this protocol VLAN.
WEB INTERFACE To map a protocol group to a VLAN for a port or trunk:
1. Click Configuration, VCL, Protocol-based VLANs, Group to VLAN.
2. Enter the identifier for a protocol group.
3. Enter the corresponding VLAN to which the protocol traffic will be forwarded.
4.
member the Voice VLAN. Alternatively, switch ports can be manually configured.
CONFIGURING VOIP TRAFFIC
Use the Voice VLAN Configuration page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
■ Auto3 – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or LLDP (802.1ab). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
■ Forced3 – The Voice VLAN feature is enabled on the port.
Figure 68: Configuring Global and Port Settings for a Voice VLAN
CONFIGURING TELEPHONY OUI
Use the Voice VLAN OUI Table to identify VoIP devices attached to the switch. VoIP devices can be identified by the manufacturer’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
WEB INTERFACE To configure MAC OUI numbers for VoIP equipment:
1. Click Configuration, Voice VLAN, OUI.
2. Click “Add new entry.”
3. Enter a MAC address that specifies the OUI for VoIP devices in the network, and enter a description for the devices.
4. Click Save.
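How the Telephony OUI table and the MAC-based VLAN table described above classify an untagged frame by its source MAC, as an added example that is not the manual's or the switch's own code. Every MAC address, OUI, description and VLAN ID is a constructed sample, and the precedence between the two tables is an assumption rather than a rule the manual states.

```python
# Added example (not from the manual): source-MAC classification for untagged
# frames, modelling the Telephony OUI table and the MAC-based VLAN table.
# All addresses, OUIs and VLAN IDs below are constructed sample values.
import re
from typing import Dict, Iterable, List, Optional


def normalize_mac(mac: str) -> str:
    """Return a MAC address as 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui_of(mac: str) -> str:
    """The OUI is the first three octets of the address."""
    return normalize_mac(mac)[:6]


# Constructed Telephony OUI table: OUI -> description (not real vendor OUIs).
TELEPHONY_OUI: Dict[str, str] = {
    "00ab12": "Sample IP phone vendor A",
    "00cd34": "Sample IP phone vendor B",
}

# Constructed MAC-based VLAN table: full source MAC -> VLAN ID.
MAC_VLAN: Dict[str, int] = {
    "001122334455": 10,
    "0a1b2c3d4e5f": 20,
}

VOICE_VLAN_ID = 100   # constructed Voice VLAN ID
DEFAULT_PVID = 1      # the manual's default: every port is an untagged member of VLAN 1


def voip_vendor(src_mac: str, oui_table: Dict[str, str] = TELEPHONY_OUI) -> Optional[str]:
    """Description from the OUI table when the source OUI is listed, else None."""
    return oui_table.get(oui_of(src_mac))


def classify_untagged(src_mac: str, pvid: int = DEFAULT_PVID,
                      mac_vlan: Dict[str, int] = MAC_VLAN,
                      oui_table: Dict[str, str] = TELEPHONY_OUI,
                      voice_vid: int = VOICE_VLAN_ID) -> int:
    """VLAN assigned to an untagged ingress frame.

    Assumed precedence: an exact MAC-based VLAN entry wins, then a Telephony OUI
    match places the frame in the Voice VLAN, otherwise the Port VLAN ID applies.
    """
    mac = normalize_mac(src_mac)
    if mac in mac_vlan:
        return mac_vlan[mac]
    if oui_of(mac) in oui_table:
        return voice_vid
    return pvid


def audit_oui_detection(seen_macs: Iterable[str],
                        oui_table: Dict[str, str] = TELEPHONY_OUI) -> Dict[str, List[str]]:
    """Split observed source MACs by whether the OUI table would treat them as phones.

    The OUI sits in a field the end station itself sets, so a match is a hint
    rather than proof; the manual offers LLDP detection as the other method.
    """
    result: Dict[str, List[str]] = {"voip_by_oui": [], "other": []}
    for mac in seen_macs:
        key = "voip_by_oui" if voip_vendor(mac, oui_table) else "other"
        result[key].append(normalize_mac(mac))
    return result
```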
The switch also allows you to configure QoS classification criteria and service policies. The switch’s resources can be prioritized to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS, or its VLAN priority tag. Based on configured network policies, different kinds of traffic can be marked for different kinds of forwarding.
QoS Ingress Port Tag Classification
◆ Tag Classification – Sets classification mode for tagged frames on this port:
■ Disabled – Uses the default QoS class and DP level for tagged frames. (This is the default.)
■ Enabled – Uses the mapped versions of PCP and DEI for tagged frames.
◆ PCP/DEI – Shows the mapping options for classified (PCP, DEI) to (QoS class, DP level) values when Tag Classification is Enabled.
3. Set the tag classification mode to Disabled to use the default QoS class and DP level for tagged frames, or to Enabled to use the mapped versions of PCP and DEI for tagged frames.
4. Click Save.
Figure 71: Configuring Ingress Port Tag Classification
CONFIGURING EGRESS PORT SCHEDULER
Use the QoS Egress Port Schedulers page to show an overview of the QoS Egress Port Schedulers, including the queue mode and weight.
processed before the lower priority queues are serviced, or Deficit Weighted Round-Robin (DWRR) queuing which specifies a scheduling weight for each queue. (Options: Strict, Weighted; Default: Strict) DWRR services the queues in a manner similar to WRR, but the next queue is serviced only when the queue’s Deficit Counter becomes smaller than the packet size to be transmitted.
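A simulation of the two scheduler modes described above, Strict priority and Deficit Weighted Round-Robin, as an added example that is not the manual's or the switch's own code. Queue contents, weights and the base quantum are constructed sample values, and the assumption that a higher queue index is a higher priority is ours.

```python
# Added example (not from the manual): Strict and DWRR egress scheduling over
# constructed queue backlogs, showing how the Deficit Counter gates service.
from collections import deque
from typing import Dict, List, Sequence, Tuple

Packet = Tuple[int, int]  # (queue index, frame size in bytes)


def strict_schedule(queues: Sequence[Sequence[int]]) -> List[Packet]:
    """Strict mode: drain the highest-priority queue completely before any lower one.

    A queue that never empties starves every queue below it, which is the
    behaviour the Weighted option exists to avoid.
    """
    order: List[Packet] = []
    for idx in range(len(queues) - 1, -1, -1):   # highest index first (assumption)
        order.extend((idx, size) for size in queues[idx])
    return order


def dwrr_schedule(queues: Sequence[Sequence[int]], weights: Sequence[int],
                  base_quantum: int = 500, max_rounds: int = 10_000) -> List[Packet]:
    """DWRR mode: each round a queue's Deficit Counter grows by weight * base_quantum,
    and the queue is serviced only while the counter covers the head frame's size.

    Returns the transmit order as (queue, size) tuples.
    """
    if len(weights) != len(queues):
        raise ValueError("one weight per queue is required")
    pending = [deque(q) for q in queues]
    deficit = [0] * len(pending)
    order: List[Packet] = []
    rounds = 0
    while any(pending) and rounds < max_rounds:
        rounds += 1
        for idx, q in enumerate(pending):
            if not q:
                continue
            deficit[idx] += base_quantum * weights[idx]
            # A frame larger than the current credit waits for a later round;
            # the credit accumulates so a large frame is not starved forever.
            while q and q[0] <= deficit[idx]:
                size = q.popleft()
                deficit[idx] -= size
                order.append((idx, size))
            if not q:
                deficit[idx] = 0   # an emptied queue does not bank leftover credit
    return order


def bytes_per_queue(order: Sequence[Packet]) -> Dict[int, int]:
    """Bytes transmitted per queue, to check the share each weight produced."""
    totals: Dict[int, int] = {}
    for idx, size in order:
        totals[idx] = totals.get(idx, 0) + size
    return totals


if __name__ == "__main__":
    # Constructed backlog: queue 0 holds three 1000-byte frames, queue 1 four 500-byte frames.
    backlog = [[1000, 1000, 1000], [500, 500, 500, 500]]
    print("strict:", strict_schedule(backlog))
    order = dwrr_schedule(backlog, weights=[2, 1])
    print("dwrr  :", order, bytes_per_queue(order))
```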
2. Click on any entry under the Port field to configure the Port Scheduler and Shaper.
Figure 72: Displaying Egress Port Schedulers
To configure the scheduler mode, the egress queue mode, queue shaper, and port shaper used by egress ports:
1. Click Configuration, QoS, Port Scheduler.
2. Click on any of the entries in the Port field.
3.
CONFIGURING EGRESS PORT SHAPER
Use the QoS Egress Port Shapers page to show an overview of the QoS Egress Port Shapers, including the rate for each queue and port. Click on any of the entries in the Port field to configure egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper.
PATH Configuration, QoS, Port Shaper
PARAMETERS These parameters are displayed:
Displaying QoS Egress Port Schedulers
◆ Port – Port identifier.
PARAMETERS These parameters are displayed:
Displaying Port Remarking Mode
◆ Port – Port identifier.
◆ Mode – Shows the tag remarking mode used by this port:
■ Classified – Uses classified PCP (Priority Code Point or User Priority) and DEI (Drop Eligible Indicator) values.
■ Default – Uses default PCP/DEI values.
■ Mapped – Uses mapped versions of QoS class and drop precedence level.
Figure 75: Displaying Port Tag Remarking Mode
To configure the tag remarking mode:
1. Click Configuration, QoS, Port Tag Remarking.
2. Click on any of the entries in the Port field.
3. Set the tag remarking mode and any parameters associated with the selected mode.
4. Click Save.
Figure 76: Configuring Port Tag Remarking Mode
CONFIGURING PORT DSCP TRANSLATION AND REWRITING
Use the QoS Port DSCP Configuration page to configure ingress translation and classification settings and egress re-writing of DSCP values.
PATH Configuration, QoS, Port DSCP
PARAMETERS These parameters are displayed:
◆ Port – Port identifier.
◆ Ingress Translate – Enables ingress translation of DSCP values based on the specified classification method.
◆ Ingress Classify – Specifies the classification method:
■ Disable – No Ingress DSCP Classification is performed.
■ DSCP=0 – Classify if incoming DSCP is 0.
■ Selected – Classify only selected DSCP for which classification is enabled in DSCP Translation table (see page 187).
■ All – Classify all DSCP.
◆ Egress Rewrite – Configures port egress rewriting of DSCP values:
■ Disable – Egress rewriting is not performed.
Figure 77: Configuring Port DSCP Translation and Rewriting
CONFIGURING DSCP-BASED QOS INGRESS CLASSIFICATION
Use the DSCP-Based QoS Ingress Classification page to configure DSCP-based QoS ingress classification settings.
PATH Configuration, QoS, DSCP-Based QoS
PARAMETERS These parameters are displayed:
◆ DSCP – DSCP value in ingress packets. (Range: 0-63)
◆ Trust – Controls whether a specific DSCP value is trusted.
Figure 78: Configuring DSCP-based QoS Ingress Classification
CONFIGURING DSCP TRANSLATION
Use the DSCP Translation page to configure DSCP translation for ingress traffic or DSCP re-mapping for egress traffic.
PATH Configuration, QoS, DSCP Translation
PARAMETERS These parameters are displayed:
◆ DSCP – DSCP value. (Range: 0-63)
◆ Ingress Translate – Enables ingress translation of DSCP values based on the specified classification method.
WEB INTERFACE To configure DSCP translation or re-mapping:
1. Click Configuration, QoS, DSCP Translation.
2. Set the required ingress translation and egress re-mapping parameters.
3. Click Save.
Figure 79: Configuring DSCP Translation and Re-mapping
CONFIGURING DSCP CLASSIFICATION
Use the DSCP Classification page to map DSCP values to a QoS class and drop precedence level.
WEB INTERFACE To map DSCP values to a QoS class and drop precedence level:
1. Click Configuration, QoS, DSCP Classification.
2. Map key DSCP values to a corresponding QoS class and drop precedence level.
3. Click Save.
◆ SMAC - The OUI field of the source MAC address, i.e. the first three octets (bytes) of the MAC address.
◆ DMAC - The type of destination MAC address. Possible values are: Any, Broadcast, Multicast, Unicast.
◆ VID – VLAN identifier. (Range: 1-4095)
◆ Action – Indicates the classification action taken on an ingress frame if the configured parameters are matched in the frame's content.
◆ DMAC Type – The type of destination MAC address. (Options: Any, BC (Broadcast), MC (Multicast), UC (Unicast))
◆ Frame Type – The supported types are listed below:
■ Any – Allow all types of frames.
■ Ethernet – This option can only be used to filter Ethernet II formatted packets. (Options: Any, Specific – 600-ffff hex; Default: ffff) Note that 800 (IPv4) and 86DD (IPv6) are excluded.
■ IP Fragment – Indicates whether or not fragmented packets are accepted. (Options: Any, Yes, No; Default: Any) Datagrams may be fragmented to ensure they can pass through a network device which uses a maximum transfer unit smaller than the original packet’s size.
■ DSCP – Diffserv Code Point value.
Figure 81: QoS Control List Configuration
CONFIGURING STORM CONTROL
Use the Storm Control Configuration page to set limits on broadcast, multicast and unknown unicast traffic to control traffic storms which may occur when a network device is malfunctioning, the network is not properly configured, or application programs are not well designed or properly configured.
◆ Status - Enables or disables storm control. (Default: Disabled)
◆ Rate (pps) - The threshold above which packets are dropped. This limit can be set by specifying a value of 2^n packets per second (pps), or by selecting one of the options in Kpps (i.e., marked with the suffix “K”).
mirroring is enabled on the Mirror Configuration page by setting the destination port in the “Port to mirror on” field, and enabling the “Mode” for any port, mirroring will occur regardless of any configuration settings made on the ACL Ports Configuration page (see "Filtering Traffic with Access Control Lists" on page 88) or the ACE Configuration page (see "Configuring Access Control Lists" on page 91).
CONFIGURING UPNP
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards. The first step in UPnP networking is discovery.
WEB INTERFACE To configure UPnP:
1. Click Configuration, UPnP.
2. Enable or disable UPnP, then set the TTL and advertisement values.
3. Click Save.
5 MONITORING THE SWITCH
This chapter describes how to monitor all of the basic functions, configure or view system logs, and how to view traffic status or the address table.
DISPLAYING BASIC INFORMATION ABOUT THE SYSTEM
You can use the Monitor/System menu to display a basic description of the switch, log messages, or statistics on traffic used in managing the switch.
CHAPTER 5 | Monitoring the Switch
Software
◆ Software Version – Version number of runtime code.
◆ Software Date – Release date of the switch software.
WEB INTERFACE To view System Information, click Monitor, System, Information.
Figure 85: System Information
DISPLAYING CPU UTILIZATION
Use the CPU Load page to display information on CPU utilization. The load is averaged over the last 100 ms, 1 second and 10 second intervals. The last 120 samples are graphed.
WEB INTERFACE To display CPU utilization:
1. Click System, then CPU Load.
Figure 86: CPU Load
DISPLAYING LOG MESSAGES
Use the System Log Information page to scroll through the logged system and event messages.
PATH Monitor, System, CPU Load
PARAMETERS These parameters are displayed:
Display Filter
◆ Level – Specifies the type of log messages to display.
■ Info – Informational messages only.
■ Warning – Warning conditions.
◆ Level – Error level as described above.
◆ Time – The time of the system log entry.
◆ Message – The message text of the system log entry.
WEB INTERFACE To display the system log:
1. Click Monitor, System, Log.
2. Specify the message level to display, the starting message ID, and the number of messages to display per page.
3.
DISPLAYING LOG DETAILS
Use the Detailed Log page to view the full text of specific log messages.
PATH Monitor, System, CPU Load
WEB INTERFACE To display the text of a specific log message, click Monitor, System, Detailed Log.
Figure 88: Detailed System Log Information
DISPLAYING THERMAL PROTECTION
Use the Thermal Protection Status page to show the thermal status for each port and the current chip temperature.
WEB INTERFACE To display the current chip temperature, click Monitor, Thermal Protection.
Figure 89: Thermal Protection Status
DISPLAYING INFORMATION ABOUT PORTS
You can use the Monitor/Port menu to display a graphic image of the front panel which indicates the connection status of each port, basic statistics on the traffic crossing each port, the number of packets processed by each service queue, or detailed statistics on port traffic.
DISPLAYING AN OVERVIEW OF PORT STATISTICS
Use the Port Statistics Overview page to display a summary of basic information on the traffic crossing each port.
PATH Monitor, Ports, Traffic Overview
PARAMETERS These parameters are displayed:
◆ Packets Received/Transmitted – The number of packets received and transmitted.
◆ Bytes Received/Transmitted – The number of bytes received and transmitted.
PARAMETERS These parameters are displayed:
◆ Port – Port identifier.
◆ Q# Receive/Transmit – The number of packets received and transmitted through the indicated queue.
WEB INTERFACE To display the queue counters, click Monitor, Ports, QoS Statistics.
■ Class (Classified QoS Class) – If a frame matches the QCE, it will be put in the queue corresponding to the specified QoS class.
■ DP – The drop precedence level will be set to the specified value.
■ DSCP – The DSCP value will be set to the specified value.
◆ Conflict – Displays QCE status.
■ Octets – The number of received and transmitted bytes (good and bad), including Frame Check Sequence, but excluding framing bits.
■ Unicast – The number of received and transmitted unicast packets (good and bad).
■ Multicast – The number of received and transmitted multicast packets (good and bad).
■ Broadcast – The number of received and transmitted broadcast packets (good and bad).
WEB INTERFACE To display the detailed port statistics, click Monitor, Ports, Detailed Statistics.
DISPLAYING INFORMATION ABOUT SECURITY SETTINGS
You can use the Monitor/Security menu to display statistics on management traffic, security controls for client access to the data ports, and the status of remote authentication access servers.
DISPLAYING ACCESS MANAGEMENT
Use the Access Management Statistics page to view statistics on traffic used in managing the switch.
DISPLAYING INFORMATION ABOUT SWITCH SETTINGS FOR PORT SECURITY
Use the Port Security Switch Status page to show information about MAC address learning for each port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed. Port Security is a module with no direct configuration.
■ Limit Reached: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is reached and no more MAC addresses should be taken in.
■ Shutdown: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is exceeded.
DISPLAYING INFORMATION ABOUT LEARNED MAC ADDRESSES
Use the Port Security Port Status page to show the entries authorized by port security services, including MAC address, VLAN ID, time added to table, age, and hold state.
PATH Monitor, Security, Network, Port Security, Port
PARAMETERS These parameters are displayed:
◆ MAC Address – The MAC address seen on this port.
DISPLAYING PORT STATUS FOR AUTHENTICATION SERVICES
Use the Network Access Server Switch Status page to show the port status for authentication services, including 802.1X security state, last source address used for authentication, and last ID.
PATH Monitor, Security, Network, NAS, Switch
PARAMETERS These parameters are displayed:
◆ Port – The switch port number. Click to navigate to detailed NAS statistics for this port.
WEB INTERFACE To display port status for authentication services, click Monitor, Security, Network, NAS, Switch.
Figure 98: Network Access Server Switch Status
DISPLAYING PORT STATISTICS FOR 802.1X OR REMOTE AUTHENTICATION SERVICE
Use the NAS Statistics Port selection page to display authentication statistics for the selected port – either for 802.
Port Counters
Receive EAPOL Counters
◆ Total – The number of valid EAPOL frames of any type that have been received by the switch.
◆ Response ID – The number of valid EAPOL Response Identity frames that have been received by the switch.
◆ Responses – The number of valid EAPOL response frames (other than Response Identity frames) that have been received by the switch.
◆ Other Requests –
■ 802.1X-based: Counts the number of times that the switch sends an EAP Request packet following the first to the supplicant. Indicates that the backend server chose an EAP-method.
■ MAC-based: Not applicable.
◆ Auth. Successes –
■ 802.1X- and MAC-based: Counts the number of times that the switch receives a success indication.
Selected Counters
This table is visible when the port is one of the following administrative states: Multi 802.1X or MAC-based Auth. The table is identical to and is placed next to the Port Counters table, and will be empty if no MAC address is currently selected. To populate the table, select one of the attached MAC Addresses from the table.
Figure 99: NAS Statistics for Specified Port
DISPLAYING ACL STATUS
Use the ACL Status page to show the status for different security modules which use ACL filtering, including ingress port, frame type, and forwarding action. Each row describes a defined ACE (see page 88).
■ IPv4/ICMP: ACE will match IPv4 frames with ICMP protocol.
■ IPv4/UDP: ACE will match IPv4 frames with UDP protocol.
■ IPv4/TCP: ACE will match IPv4 frames with TCP protocol.
■ IPv4/Other: ACE will match IPv4 frames which are not ICMP, UDP or TCP.
◆ Action – Indicates the forwarding action of the ACE:
■ Permit: Frames matching the ACE may be forwarded and learned.
■ Deny: Frames matching the ACE are dropped.
DISPLAYING STATISTICS FOR DHCP SNOOPING
Use the DHCP Snooping Port Statistics page to show statistics for various types of DHCP protocol packets.
PATH Monitor, Security, Network, DHCP, Snooping Statistics
PARAMETERS These parameters are displayed:
◆ Rx/Tx Discover – The number of discover (option 53 with value 1) packets received and transmitted.
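How the option 53 value that these counters key on is read out of a DHCP message, with a per-port tally in the shape of the Snooping Statistics page, as an added example that is not the manual's or the switch's own code. The sample messages are constructed with build_dhcp() here; the direction labels Rx/Tx and the "Invalid" bucket are our own conventions.

```python
# Added example (not from the manual): parse DHCP option 53 (DHCP Message Type)
# and tally messages the way a snooping statistics counter would.
import struct
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_MESSAGE_TYPE = 53
OPT_PAD, OPT_END = 0, 255
FIXED_HEADER_LEN = 236               # op .. file, before the magic cookie

# Option 53 values from RFC 2132 (value 1 is Discover, as the page states).
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option code: raw value}, or raise ValueError on a malformed message."""
    cookie_end = FIXED_HEADER_LEN + 4
    if len(payload) < cookie_end or payload[FIXED_HEADER_LEN:cookie_end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short payload or bad magic cookie")
    options: Dict[int, bytes] = {}
    i = cookie_end
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError(f"option {code}: missing length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:      # length claims more bytes than remain
            raise ValueError(f"option {code}: truncated value")
        options[code] = value
        i += 2 + length
    return options


def dhcp_message_type(payload: bytes) -> Optional[str]:
    """Name of the option 53 type; None if the option is absent or has a bad length."""
    value = parse_dhcp_options(payload).get(OPT_MESSAGE_TYPE)
    if value is None or len(value) != 1:
        return None
    return MESSAGE_TYPES.get(value[0], f"Unknown({value[0]})")


def build_dhcp(msg_type: int, chaddr: bytes, op: int = 1, xid: int = 0x12345678) -> bytes:
    """Construct a minimal DHCP message (sample input only): header, cookie, option 53, end."""
    zero4 = b"\x00" * 4
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        zero4, zero4, zero4, zero4,        # ciaddr, yiaddr, siaddr, giaddr
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])


def snooping_counters(packets: Iterable[Tuple[str, bytes]]) -> Counter:
    """Tally (direction, message type) over ('Rx'|'Tx', payload) pairs.

    Messages that fail to parse are counted under 'Invalid' instead of being
    dropped silently, so malformed DHCP arriving on a port stays visible.
    """
    counts: Counter = Counter()
    for direction, payload in packets:
        try:
            name = dhcp_message_type(payload) or "NoType"
        except ValueError:
            name = "Invalid"
        counts[(direction, name)] += 1
    return counts


if __name__ == "__main__":
    client = b"\x00\x11\x22\x33\x44\x55"                    # constructed client MAC
    sample = [("Rx", build_dhcp(1, client)), ("Tx", build_dhcp(2, client, op=2)),
              ("Rx", build_dhcp(3, client)), ("Tx", build_dhcp(5, client, op=2)),
              ("Rx", b"\x00" * 20)]
    for (direction, name), n in sorted(snooping_counters(sample).items()):
        print(f"{direction} {name}: {n}")
```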
Figure 101: DHCP Snooping Statistics
DISPLAYING DHCP RELAY STATISTICS
Use the DHCP Relay Statistics page to display statistics for the DHCP relay service supported by this switch and DHCP relay clients.
PATH Monitor, Security, Network, DHCP, Relay Statistics
PARAMETERS These parameters are displayed:
Server Statistics
◆ Transmit to Server – The number of packets relayed from the client to the server.
◆ Receive Bad Remote ID – The number of packets with a Remote ID option that did not match a known remote ID.
Client Statistics
◆ Transmit to Client – The number of packets that were relayed from the server to a client.
◆ Transmit Error – The number of packets containing errors that were sent to servers.
◆ Receive from Client – The number of packets received from clients.
WEB INTERFACE To display the Dynamic ARP Inspection Table, click Monitor, Security, Network, ARP Inspection.
Figure 103: Dynamic ARP Inspection Table
DISPLAYING ENTRIES IN THE IP SOURCE
Open the Dynamic IP Source Guard Table to display entries sorted first by port, then VLAN ID, MAC address, and finally IP address.
DISPLAYING INFORMATION ON AUTHENTICATION SERVERS
Use the Monitor/Authentication pages to display information on RADIUS authentication and accounting servers, including the IP address and statistics for each server.
DISPLAYING A LIST OF AUTHENTICATION
Use the RADIUS Overview page to display a list of configured authentication and accounting servers.
DISPLAYING STATISTICS FOR CONFIGURED AUTHENTICATION SERVERS
Use the RADIUS Details page to display statistics for configured authentication and accounting servers. The statistics map closely to those specified in RFC 4668 - RADIUS Authentication Client MIB.
Accept, Access-Reject, Access-Challenge, timeout, or retransmission.
■ Timeouts – The number of authentication timeouts to the server. After a timeout, the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout.
■ Packets Dropped – The number of RADIUS packets that were received from the server on the accounting port and dropped for some other reason.
Transmit Packets
■ Requests – The number of RADIUS packets sent to the server. This does not include retransmissions.
■ Retransmissions – The number of RADIUS packets retransmitted to the RADIUS accounting server.
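The counting rules stated under Timeouts, Requests and Retransmissions, worked through in an added example that is not the switch's RADIUS client. A first packet to a server counts as a Request; a retry to the same server after a timeout counts as a Retransmission and a Timeout; failing over to another server counts a Timeout on the old server and a Request on the new one. The server names, the retry limit and the scripted replies are constructed; `unknown_types` is an assumed counter name.

```python
"""RADIUS client request/retransmit/timeout accounting.

Added example, not the switch's own RADIUS client.  It reproduces the
counter rules from the RADIUS Details page: the first packet to a server
is a Request, a retry to the same server after a timeout is a
Retransmission plus a Timeout, and failing over to another server adds a
Timeout on the old server and a Request on the new one.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# What a server "said" for a given attempt number, or None when nothing arrived in time.
Responder = Callable[[str, int], Optional[str]]


@dataclass
class ServerStats:
    requests: int = 0
    retransmissions: int = 0
    timeouts: int = 0
    access_accepts: int = 0
    access_rejects: int = 0
    access_challenges: int = 0
    unknown_types: int = 0       # assumed counter for replies that are none of the three Access-* types

    def record_reply(self, kind: str) -> None:
        if kind == "Access-Accept":
            self.access_accepts += 1
        elif kind == "Access-Reject":
            self.access_rejects += 1
        elif kind == "Access-Challenge":
            self.access_challenges += 1
        else:
            self.unknown_types += 1


class RadiusClient:
    def __init__(self, servers: List[str], max_retransmits: int = 2) -> None:
        self.servers = list(servers)
        self.max_retransmits = max_retransmits
        self.stats: Dict[str, ServerStats] = {s: ServerStats() for s in servers}

    def authenticate(self, responder: Responder) -> Optional[str]:
        """Try each server in order; return the reply type, or None if every server timed out."""
        for server in self.servers:
            st = self.stats[server]
            st.requests += 1                         # a new Request to this server
            for attempt in range(self.max_retransmits + 1):
                if attempt > 0:
                    st.retransmissions += 1          # same packet, same server, sent again
                reply = responder(server, attempt)
                if reply is None:
                    st.timeouts += 1                 # counted whether we retry, fail over or give up
                    continue
                st.record_reply(reply)
                return reply
        return None                                  # gave up after the last server's last timeout


def scripted(script: Dict[str, List[Optional[str]]]) -> Responder:
    """Build a responder from per-server reply lists; missing entries mean 'no reply'."""
    def respond(server: str, attempt: int) -> Optional[str]:
        replies = script.get(server, [])
        return replies[attempt] if attempt < len(replies) else None
    return respond


def demo() -> Dict[str, ServerStats]:
    client = RadiusClient(["radius-a", "radius-b"], max_retransmits=2)
    # First login: radius-a never answers, radius-b accepts on the first try.
    client.authenticate(scripted({"radius-b": ["Access-Accept"]}))
    # Second login: radius-a answers with a challenge only after one timeout.
    client.authenticate(scripted({"radius-a": [None, "Access-Challenge"]}))
    return client.stats
```

After the two logins radius-a shows 2 Requests, 3 Retransmissions and 4 Timeouts against a single Access-Challenge, while radius-b shows 1 Request and 1 Access-Accept; a server whose Timeouts climb while Requests stay flat is one that is being retried, not one that is being abandoned.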
WEB INTERFACE To display statistics for configured authentication and accounting servers, click Monitor, Authentication, RADIUS Details.
Figure 106: RADIUS Details
DISPLAYING INFORMATION ON LACP Use the monitor pages for LACP to display information on LACP configuration settings, the functional status of participating ports, and statistics on LACP control packets.
◆ Partner System ID – LAG partner's system ID (MAC address).
◆ Partner Key – The Key that the partner has assigned to this LAG.
◆ Last Changed – The time since this LAG changed.
◆ Local Ports – Shows the local ports that are a part of this LAG.
WEB INTERFACE To display an overview of LACP groups active on this switch, click Monitor, LACP, System Status.
WEB INTERFACE To display LACP status for local ports on this switch, click Monitor, LACP, Port Status.
Figure 108: LACP Port Status
DISPLAYING LACP PORT STATISTICS Use the LACP Port Statistics page to display statistics on LACP control packets crossing each port.
PATH Monitor, LACP, Port Statistics
PARAMETERS These parameters are displayed:
◆ Port – Port Identifier.
◆ LACP Transmitted – The number of LACP frames sent from each port.
DISPLAYING INFORMATION ON THE SPANNING TREE Use the monitor pages for Spanning Tree to display information on spanning tree bridge status, the functional status of participating ports, and statistics on spanning tree protocol packets.
DISPLAYING BRIDGE STATUS FOR STA Use the Bridge Status page to display STA information on the global bridge (i.e., this switch) and individual ports.
◆ Internal Root Cost – The Regional Root Path Cost. For the Regional Root Bridge this is zero. For all other CIST instances in the same MSTP region, it is the sum of the Internal Port Path Costs on the least cost path to the Internal Root Bridge. (This parameter only applies to the CIST instance.)
◆ Topology Change Count – The number of times the Spanning Tree has been reconfigured (during a one-second interval).
WEB INTERFACE To display an overview of all STP bridge instances, click Monitor, Spanning Tree, Bridge Status.
Figure 110: Spanning Tree Bridge Status
To display detailed information on a single STP bridge instance, along with the port state of all its active ports:
1. Click Monitor, Spanning Tree, Bridge Status.
2. Click on an entry in the STP Bridges page.
◆ CIST Role – Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port), or is an alternate or backup port that may provide connectivity if other bridges, bridge ports, or LANs fail or are removed.
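How the Root Cost and the root/designated/alternate roles on the Bridge Status pages are arrived at, as an added example that is not the switch's STA implementation. Given the bridge IDs and per-link path costs of a small constructed topology, it elects the root (lowest bridge ID), computes each bridge's root path cost as the sum of port path costs on the least-cost path to the root, and assigns a role to every port. Assumptions beyond the page: a link has the same path cost at both ends, bridge IDs compare as (priority, MAC) with the lower value winning, and equal-cost ties are broken by the lower bridge ID. The bridge names, MACs and costs are constructed.

```python
"""Root path cost and port roles for a small spanning-tree topology.

Added example, not the switch's STA implementation.  It computes the
values the Bridge Status page reports: the elected root bridge, every
bridge's root path cost, and whether each port is the root port, a
designated port or an alternate port.
"""
import heapq
from typing import Dict, List, Tuple

# Constructed topology: bridge name -> (priority, MAC address)
BRIDGES: Dict[str, Tuple[int, str]] = {
    "A": (32768, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (32768, "00:00:00:00:00:03"),
}
# (bridge, port, bridge, port, path cost); 20000 and 200000 are the
# IEEE 802.1D-2004 recommended costs for 1 Gbps and 100 Mbps links.
LINKS: List[Tuple[str, int, str, int, int]] = [
    ("A", 1, "B", 1, 20000),
    ("A", 2, "C", 1, 20000),
    ("B", 2, "C", 2, 200000),
]


def bridge_id(name: str) -> Tuple[int, str]:
    return BRIDGES[name]


def elect_root() -> str:
    """The root is the bridge with the lowest bridge ID (priority, then MAC)."""
    return min(BRIDGES, key=bridge_id)


def root_path_costs(root: str) -> Dict[str, Tuple[int, Tuple[str, int]]]:
    """Dijkstra from the root: bridge -> (root path cost, (upstream bridge, local root port))."""
    adj: Dict[str, List[Tuple[str, int, int]]] = {b: [] for b in BRIDGES}
    for a, pa, b, pb, cost in LINKS:
        adj[a].append((b, pb, cost))   # from a, neighbour b is reached on b's port pb
        adj[b].append((a, pa, cost))
    best: Dict[str, Tuple[int, Tuple[str, int]]] = {root: (0, (root, 0))}
    heap = [(0, bridge_id(root), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, nbr_port, link_cost in adj[node]:
            new = cost + link_cost
            cur = best.get(nbr)
            # lower cost wins; on an equal cost the lower upstream bridge ID wins
            better = (cur is None or new < cur[0]
                      or (new == cur[0] and bridge_id(node) < bridge_id(cur[1][0])))
            if better:
                best[nbr] = (new, (node, nbr_port))
                heapq.heappush(heap, (new, bridge_id(nbr), nbr))
    return best


def port_roles(root: str) -> Dict[Tuple[str, int], str]:
    """Assign root / designated / alternate to every (bridge, port) in LINKS."""
    costs = root_path_costs(root)
    roles: Dict[Tuple[str, int], str] = {}
    for a, pa, b, pb, _cost in LINKS:
        # The designated end of a link is the bridge with the lower root path
        # cost; on a tie, the lower bridge ID.
        a_key = (costs[a][0], bridge_id(a))
        b_key = (costs[b][0], bridge_id(b))
        des, des_port, other, other_port = (a, pa, b, pb) if a_key < b_key else (b, pb, a, pa)
        roles[(des, des_port)] = "designated"
        upstream, root_port = costs[other][1]
        # The non-designated end is the root port if the least-cost path to the
        # root leaves through it; otherwise it is blocked as an alternate port.
        roles[(other, other_port)] = "root" if (upstream, root_port) == (des, other_port) else "alternate"
    return roles
```

With these costs A is the root, B and C each reach it at cost 20000 over their port 1, and on the 100 Mbps link between B and C the tie in root path cost is settled by bridge ID: B's port 2 becomes designated and C's port 2 is the alternate port that would take over if the A-C link failed.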
CHAPTER 5 | Monitoring the Switch Displaying MVR Information
◆ RSTP – The number of RSTP Configuration BPDUs received/transmitted on a port.
◆ STP – The number of legacy STP Configuration BPDUs received/transmitted on a port.
◆ TCN – The number of (legacy) Topology Change Notification BPDUs received/transmitted on a port.
◆ Discarded Unknown – The number of unknown Spanning Tree BPDUs received (and discarded) on a port.
◆ V2 Leaves Received – The number of IGMP V2 leaves received.
WEB INTERFACE To display information for MVR statistics, click Monitor, MVR, Statistics.
Figure 114: MVR Statistics
DISPLAYING MVR GROUP INFORMATION Use the MVR Group Information page to display statistics for IGMP protocol messages used by MVR, and to show information about the interfaces associated with multicast groups assigned to the MVR VLAN.
WEB INTERFACE To display information for MVR statistics and multicast groups, click Monitor, MVR, Group Information.
Figure 115: MVR Group Information
SHOWING IGMP SNOOPING INFORMATION Use the IGMP Snooping pages to display IGMP snooping statistics, port members of each service group, and information on source-specific groups.
◆ V2 Reports Received – The number of received IGMP Version 2 reports.
◆ V3 Reports Received – The number of received IGMP Version 3 reports.
◆ V2 Leaves Received – The number of received IGMP Version 2 leave reports.
Router Port
◆ Port – Port Identifier.
◆ Status – Ports connected to multicast routers may be dynamically discovered by this switch or statically assigned to an interface on this switch.
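What the snooping counters above are counting, as an added example that is not the switch's snooping code. It parses raw IGMP messages (the IPv4 payload), verifies the RFC 1071 checksum, and tallies queries, V1/V2/V3 reports and V2 leaves under the names the status page uses; a message with a bad checksum or an unknown type is dropped rather than counted. The group addresses and the sample traffic are constructed by the `build_*` helpers.

```python
"""Counting IGMP messages the way the IGMP Snooping Status page does.

Added example, not the switch's snooping code.  It parses raw IGMP
messages, verifies the RFC 1071 checksum, and tallies queries, V1/V2/V3
reports and V2 leaves; messages with a bad checksum are dropped.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# IGMP type byte -> counter name as shown on the status page
IGMP_COUNTERS = {
    0x11: "Queries Received",
    0x12: "V1 Reports Received",
    0x16: "V2 Reports Received",
    0x17: "V2 Leaves Received",
    0x22: "V3 Reports Received",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(msg: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of an IGMP message."""
    csum = inet_checksum(msg[:2] + b"\x00\x00" + msg[4:])
    return msg[:2] + csum.to_bytes(2, "big") + msg[4:]


def build_igmp_v1v2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """8-byte IGMPv1/v2 message: type, max response time, checksum, group address."""
    return _with_checksum(bytes([msg_type, max_resp, 0, 0]) + IPv4Address(group).packed)


def build_igmp_v3_report(groups: List[str]) -> bytes:
    """IGMPv3 membership report with one CHANGE_TO_EXCLUDE (join) record per group."""
    records = b"".join(bytes([4, 0, 0, 0]) + IPv4Address(g).packed for g in groups)
    header = bytes([0x22, 0, 0, 0, 0, 0]) + len(groups).to_bytes(2, "big")
    return _with_checksum(header + records)


def parse_igmp(msg: bytes) -> Tuple[int, List[str]]:
    """Return (type, [group addresses]); raise ValueError on a short or corrupted message."""
    if len(msg) < 8:
        raise ValueError("short IGMP message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type = msg[0]
    if msg_type != 0x22:
        return msg_type, [str(IPv4Address(msg[4:8]))]
    count = int.from_bytes(msg[6:8], "big")
    groups, off = [], 8
    for _ in range(count):
        if off + 8 > len(msg):
            raise ValueError("truncated group record")
        aux_len, n_src = msg[off + 1], int.from_bytes(msg[off + 2:off + 4], "big")
        groups.append(str(IPv4Address(msg[off + 4:off + 8])))
        off += 8 + 4 * n_src + 4 * aux_len
    return msg_type, groups


def count_igmp(messages: List[bytes]) -> Tuple[Dict[str, int], int]:
    """Tally messages per counter; return (counts, number dropped as invalid)."""
    counts = {name: 0 for name in IGMP_COUNTERS.values()}
    dropped = 0
    for msg in messages:
        try:
            msg_type, _groups = parse_igmp(msg)
        except ValueError:
            dropped += 1
            continue
        name = IGMP_COUNTERS.get(msg_type)
        if name is None:
            dropped += 1          # unknown type: none of the page's counters
            continue
        counts[name] += 1
    return counts, dropped


# Constructed sample traffic as seen by the snooping switch
SAMPLE = [
    build_igmp_v1v2(0x11, "0.0.0.0", max_resp=100),      # general query from the querier
    build_igmp_v1v2(0x16, "239.1.1.1"),                  # v2 report (join)
    build_igmp_v1v2(0x16, "239.1.1.2"),
    build_igmp_v1v2(0x12, "239.1.1.3"),                  # v1 report
    build_igmp_v1v2(0x17, "239.1.1.1"),                  # v2 leave
    build_igmp_v3_report(["239.1.1.1", "239.1.1.4"]),    # v3 report, two group records
]
CORRUPTED = SAMPLE[1][:-1] + bytes([SAMPLE[1][-1] ^ 0x01])   # one bit flipped in the group field


def demo() -> Tuple[Dict[str, int], int]:
    return count_igmp(SAMPLE + [CORRUPTED])
```

A V3 report carrying several group records still increments "V3 Reports Received" once, which is why that counter can stay low while the group membership table grows.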
◆ Port Members – The ports assigned to the listed VLAN which propagate a specific multicast service.
WEB INTERFACE To display the port members of each service group, click Monitor, IGMP Snooping, Group Information.
WEB INTERFACE To display IGMP Source-Specific Information, click Monitor, IGMP Snooping, IGMP SSM Information.
Figure 118: IPv4 SSM Information
SHOWING MLD SNOOPING INFORMATION Use the MLD Snooping pages to display MLD snooping statistics, port members of each service group, and information on source-specific groups.
◆ V2 Reports Received – The number of received MLD Version 2 reports.
◆ V1 Leaves Received – The number of received MLD Version 1 leave reports.
Router Port
◆ Port – Port Identifier.
◆ Status – Ports connected to multicast routers may be dynamically discovered by this switch or statically assigned to an interface on this switch.
WEB INTERFACE To display MLD snooping status information, click Monitor, MLD Snooping, Status.
WEB INTERFACE To display the port members of each service group, click Monitor, MLD Snooping, Group Information.
Figure 120: MLD Snooping Group Information
SHOWING IPV6 SSM INFORMATION Use the MLD SSM Information page to display MLD Source-Specific Information including group, filtering mode (include or exclude), source address, and type (allow or deny).
DISPLAYING LLDP INFORMATION Use the monitor pages for LLDP to display information advertised by LLDP neighbors and statistics on LLDP control frames.
DISPLAYING LLDP NEIGHBOR INFORMATION Use the LLDP Neighbor Information page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP.
◆ Management Address – The IPv4 address of the remote device. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. If the neighbor device allows management access, clicking on an entry in this field will re-direct the web browser to the neighbor’s management interface.
WEB INTERFACE To display information about LLDP neighbors, click Monitor, LLDP, Neighbors.
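Where the fields on the Neighbors page come from, as an added example that is not the switch's LLDP agent. It walks the TLVs of a received LLDPDU (IEEE 802.1AB) and extracts the chassis ID, port ID, TTL, system name and the Management Address TLV, which is the value the Management Address column and its click-through link are built from. Every value comes from the neighbor's frame, so the decoder checks lengths and decodes text with replacement rather than trusting it. The neighbor MAC, interface name and the 192.0.2.10 address are constructed.

```python
"""Decoding an LLDPDU into the fields the LLDP Neighbors page shows.

Added example, not the switch's LLDP agent.  Walks the TLVs of a
received LLDPDU (IEEE 802.1AB) and extracts chassis ID, port ID, TTL,
system name/description, port description and the management address.
Everything decoded here arrived from the wire, so lengths are checked
and text is decoded with replacement.
"""
from ipaddress import IPv4Address, IPv6Address
from typing import Any, Dict

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_MGMT_ADDR = 4, 5, 6, 8
MGMT_ADDR_IPV4, MGMT_ADDR_IPV6 = 1, 2          # IANA address family numbers
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 3, 5


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return ((tlv_type << 9) | len(value)).to_bytes(2, "big") + value


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _text(raw: bytes) -> str:
    return raw.decode("utf-8", errors="replace")


def parse_mgmt_addr(value: bytes) -> Dict[str, Any]:
    """Management Address TLV: addr-len, addr-subtype, addr, if-subtype, if-number, OID-len, OID."""
    if len(value) < 1 or len(value) < 1 + value[0] + 6:
        raise ValueError("short management address TLV")
    addr_len = value[0]
    subtype, addr = value[1], value[2:1 + addr_len]
    if subtype == MGMT_ADDR_IPV4 and len(addr) == 4:
        address = str(IPv4Address(addr))
    elif subtype == MGMT_ADDR_IPV6 and len(addr) == 16:
        address = str(IPv6Address(addr))
    else:
        address = addr.hex()                           # unknown family: show raw bytes, do not interpret
    off = 1 + addr_len
    if_subtype = value[off]
    if_number = int.from_bytes(value[off + 1:off + 5], "big")
    return {"address": address, "subtype": subtype, "if_subtype": if_subtype, "if_number": if_number}


def parse_lldpdu(pdu: bytes) -> Dict[str, Any]:
    """Decode the TLVs of one LLDPDU; raise ValueError if a TLV is truncated or the End TLV is missing."""
    info: Dict[str, Any] = {}
    off = 0
    while off + 2 <= len(pdu):
        header = int.from_bytes(pdu[off:off + 2], "big")
        tlv_type, length = header >> 9, header & 0x1FF
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == TLV_END:
            return info
        if tlv_type == TLV_CHASSIS_ID and len(value) >= 2:
            info["chassis_id"] = _mac(value[1:]) if value[0] == CHASSIS_SUBTYPE_MAC else _text(value[1:])
        elif tlv_type == TLV_PORT_ID and len(value) >= 2:
            info["port_id"] = _mac(value[1:]) if value[0] == PORT_SUBTYPE_MAC else _text(value[1:])
        elif tlv_type == TLV_TTL and length == 2:
            info["ttl"] = int.from_bytes(value, "big")
        elif tlv_type == TLV_PORT_DESC:
            info["port_description"] = _text(value)
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = _text(value)
        elif tlv_type == TLV_SYS_DESC:
            info["system_description"] = _text(value)
        elif tlv_type == TLV_MGMT_ADDR:
            info["management_address"] = parse_mgmt_addr(value)
    raise ValueError("missing End of LLDPDU TLV")


# Constructed neighbour advertisement (RFC 5737 documentation address)
NEIGHBOR_MAC = bytes.fromhex("0011223344cc")
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + NEIGHBOR_MAC)
    + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"Gi1/0/1")
    + tlv(TLV_TTL, (120).to_bytes(2, "big"))
    + tlv(TLV_SYS_NAME, b"constructed-neighbor")
    + tlv(TLV_MGMT_ADDR, bytes([5, MGMT_ADDR_IPV4]) + IPv4Address("192.0.2.10").packed
          + bytes([2]) + (1).to_bytes(4, "big") + bytes([0]))
    + tlv(TLV_END, b"")
)


def demo() -> Dict[str, Any]:
    return parse_lldpdu(SAMPLE_LLDPDU)
```

Because the management address is whatever the neighbor chose to advertise, a display that turns it into a link is presenting untrusted data; the decoder above therefore only ever renders it as a parsed IPv4/IPv6 address or as hex, never as free text.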
example will any LLDP-MED Endpoint Device claiming compliance as a Media Endpoint (Class II) also support all aspects of TIA-1057 applicable to Generic Endpoints (Class I), and any LLDP-MED Endpoint Device claiming compliance as a Communication Device (Class III) will also support all aspects of TIA-1057 applicable to both Media Endpoints (Class II) and Generic Endpoints (Class I).
◆ Application Type – The primary function of the application(s) defined for this network policy, and advertised by an Endpoint or Network Connectivity Device. The possible application types are described under "Configuring LLDP-MED TLVs" on page 149.
◆ Policy – This field displays one of the following values:
■ Unknown: The network policy for the specified application type is currently unknown.
■ Defined: The network policy is defined.
◆ Tx Tw – The link partner's maximum time that the transmit path can hold off sending data after de-assertion of Low Power Idle (LPI) mode. (Tw indicates Wake State Time.)
◆ Rx Tw – The time the link partner's receiver would like the transmitter to hold off, to allow time for the receiver to wake from sleep.
◆ Fallback Receive Tw – The link partner's fallback receive Tw.
DISPLAYING LLDP PORT STATISTICS Use the LLDP Port Statistics page to display statistics on LLDP global counters and control frames.
PATH Monitor, LLDP, Port Statistics
PARAMETERS These parameters are displayed:
Global Counters
◆ Neighbor entries were last changed at – The time the LLDP neighbor entry list was last updated. It also shows the time elapsed since the last change was detected.
◆ Age-Outs – Each LLDP frame contains information about how long the LLDP information is valid (age-out time). If no new LLDP frame is received within the age-out time, the LLDP information is removed, and the Age-Out counter is incremented.
WEB INTERFACE To display statistics on LLDP global counters and control frames, click Monitor, LLDP, Port Statistics.
CHAPTER 5 | Monitoring the Switch Displaying PoE Status
A PD device can run on its local power supply or use the PSE as a power source. It can also use both its local power supply and the PSE. If it is unknown what power supply the PD device is using, this is indicated as “Unknown.”
◆ Power Priority – Power Priority represents the priority of the PD device, or the power priority associated with the PSE type device's port that is sourcing the power. There are three levels of power priority.
CHAPTER 5 | Monitoring the Switch Displaying the MAC Address Table
■ Class 3: Max. power 15.4 W
■ Class 4: Max. power 30.0 W
◆ Power Requested – Amount of power the PD wants to be reserved.
◆ Power Allocated – Amount of power the switch has allocated for the PD.
◆ Power Used – How much power the PD is currently using.
◆ Current Used – How much current the PD is currently using.
◆ Priority – The port's configured priority level (see page 155).
◆ Port Status – PoE service status for the attached device.
◆ VLAN – The VLAN containing this entry.
◆ MAC Address – Physical address associated with this interface.
◆ Port Members – The ports associated with this entry.
WEB INTERFACE To display the address table, click Monitor, MAC Address Table.
Figure 128: MAC Address Table
DISPLAYING INFORMATION ABOUT VLANS Use the monitor pages for VLANs to display information about the port members of VLANs, and the VLAN attributes assigned to each port.
■ Voice VLAN: A VLAN configured specially for voice traffic typically originating from IP phones.
■ MSTP: The 802.1s Multiple Spanning Tree protocol uses VLANs to create multiple spanning trees in a network, which significantly improves network resource utilization while maintaining a loop-free environment.
■ Combined: Shows information for all active user modules.
◆ VLAN ID – A VLAN which has been created by one of the software modules.
◆ PVID – The native VLAN assigned to untagged frames entering this port.
◆ VLAN Aware – Configures whether or not a port processes the VLAN ID in ingress frames. (Default: Disabled) If a port is not VLAN aware, all frames are assigned to the default VLAN (as specified by the Port VLAN ID) and tags are not removed. If a port is VLAN aware, each frame is assigned to the VLAN indicated in the VLAN tag, and the tag is removed.
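The PVID and VLAN Aware rules above applied to a raw Ethernet frame, as an added example that is not the switch's datapath code. On a port that is not VLAN aware every frame is assigned the PVID and an 802.1Q tag, if present, stays in the frame; on a VLAN-aware port a tagged frame takes the VID from its tag and the tag is stripped, while an untagged frame gets the PVID. One assumption beyond the page: a tag with VID 0 (a priority-tagged frame under 802.1Q) is classified as if untagged. The MAC addresses and frames are constructed.

```python
"""Ingress VLAN classification for VLAN-aware and VLAN-unaware ports.

Added example, not the switch's datapath code.  Applies the PVID /
VLAN Aware rules from the VLAN Port Status page to a raw Ethernet frame.
Assumption beyond the page: a tag with VID 0 (priority-tagged) is
classified as untagged.
"""
from typing import Optional, Tuple

TPID_8021Q = 0x8100


def classify_ingress(frame: bytes, pvid: int, vlan_aware: bool) -> Tuple[int, bytes]:
    """Return (VLAN the frame is assigned to, frame as it enters the switch fabric)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not vlan_aware:
        return pvid, frame                                    # PVID; tag (if any) left in place
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return pvid, frame                                    # untagged on an aware port -> PVID
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = int.from_bytes(frame[14:16], "big")
    vid = tci & 0x0FFF                                        # low 12 bits of the TCI
    stripped = frame[:12] + frame[16:]                        # drop TPID + TCI, keep the EtherType
    return (vid if vid != 0 else pvid), stripped


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame, optionally with an 802.1Q tag (vid=None means untagged)."""
    tag = b""
    if vid is not None:
        tag = TPID_8021Q.to_bytes(2, "big") + ((pcp << 13) | vid).to_bytes(2, "big")
    return dst + src + tag + ethertype.to_bytes(2, "big") + payload


# Constructed frames: a broadcast ARP request, untagged and tagged with VID 20
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("0011223344dd")
UNTAGGED = build_frame(DST, SRC, 0x0806, b"\x00" * 28)
TAGGED_20 = build_frame(DST, SRC, 0x0806, b"\x00" * 28, vid=20, pcp=3)
PRIORITY_TAGGED = build_frame(DST, SRC, 0x0806, b"\x00" * 28, vid=0, pcp=5)


def demo() -> dict:
    return {
        "unaware_tagged": classify_ingress(TAGGED_20, pvid=1, vlan_aware=False),
        "aware_tagged": classify_ingress(TAGGED_20, pvid=1, vlan_aware=True),
        "aware_untagged": classify_ingress(UNTAGGED, pvid=1, vlan_aware=True),
        "aware_priority_tagged": classify_ingress(PRIORITY_TAGGED, pvid=1, vlan_aware=True),
    }
```

The first case is the one worth checking on an access port: with VLAN Aware disabled, a frame tagged for VLAN 20 is placed in the PVID VLAN with its tag still attached, so the tag travels on to whatever port forwards it.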
DISPLAYING INFORMATION ABOUT MAC-BASED VLANS Use the MAC-based VLAN Membership Configuration page to display the MAC address to VLAN map entries.
PATH Monitor, VCL, MAC-based VLAN
PARAMETERS These parameters are displayed:
◆ MAC-based VLAN User – A user or software module that uses VLAN management services to configure MAC-based VLAN membership.
6 PERFORMING BASIC DIAGNOSTICS
This chapter describes how to test network connectivity using Ping for IPv4 or IPv6, and how to test network cables.
PINGING AN IPV4 OR IPV6 ADDRESS The Ping page is used to send ICMP echo request packets to another node on the network to determine if it can be reached.
PATH
◆ Diagnostics, Ping
◆ Diagnostics, Ping6
PARAMETERS These parameters are displayed on the Ping page:
◆ IP Address – IPv4 or IPv6 address of the host.
Figure 132: ICMP Ping
RUNNING CABLE DIAGNOSTICS The VeriPHY page is used to perform cable diagnostics for all ports or selected ports to diagnose any cable faults (short, open, etc.) and report the cable length.
PATH Diagnostics, VeriPHY
PARAMETERS These parameters are displayed on the VeriPHY Cable Diagnostics page:
◆ Port – Diagnostics can be performed on all ports or on a specific port.
WEB INTERFACE To run cable diagnostics:
1. Click Diagnostics, VeriPHY.
2. Select all ports or indicate a specific port for testing.
3. Click Start. If a specific port is selected, the test will take approximately 5 seconds. If all ports are selected, it can take approximately 15 seconds. When completed, the page refreshes automatically, and you can view the cable diagnostics results in the cable status table.
7 PERFORMING SYSTEM MAINTENANCE
This chapter describes how to perform basic maintenance tasks including upgrading software, restoring or saving configuration settings, and resetting the switch.
RESTARTING THE SWITCH Use the Restart Device page to restart the switch.
PATH Maintenance, Restart Device
WEB INTERFACE To restart the switch:
1. Click Maintenance, Restart Device.
2. Click Yes. The reset will be complete when the user interface displays the login page.
RESTORING FACTORY DEFAULTS Use the Factory Defaults page to restore the original factory settings. Note that the LAN IP Address, Subnet Mask and Gateway IP Address will be reset to their factory defaults.
PATH Maintenance, Restart Device
CLI REFERENCES "system restore default" on page 275
WEB INTERFACE To restore factory defaults:
1. Click Maintenance, Factory Defaults.
2. Click Yes.
CHAPTER 7 | Performing System Maintenance Managing Configuration Files
3. Click the Upload button to upgrade the switch’s firmware. After the software image is uploaded, a page announces that the firmware update has been initiated. After about a minute, the firmware is updated and the switch is rebooted.
CAUTION: While the firmware is being updated, Web access appears to be defunct. The front LED flashes Green/Off at a frequency of 10 Hz while the firmware update is in progress.
Figure 137: Configuration Save
RESTORING CONFIGURATION SETTINGS Use the Configuration Upload page to restore previously saved configuration settings to the switch from a file on your local management station.
PATH Maintenance, Configuration, Upload
WEB INTERFACE To restore your current configuration settings:
1. Click Maintenance, Configuration, Upload.
2. Click the Browse button, and select the configuration file.
3.
SECTION III APPENDICES
This section provides additional information and includes these items:
◆ "Software Specifications" on page 266
◆ "Troubleshooting" on page 270
◆ "License Information" on page 272
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION Local, RADIUS, TACACS+, AAA, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
CLIENT ACCESS Access Control Lists (128 rules per system), Port Authentication (802.
APPENDIX A | Software Specifications Management Features
VLAN SUPPORT Up to 128 groups; port-based, protocol-based, tagged (802.
STANDARDS
ANSI/TIA-1057 LLDP for Media Endpoint Discovery - LLDP-MED
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1ad Provider Bridge
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
  Spanning Tree Protocol
  Rapid Spanning Tree Protocol
  Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q-2005 VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1X Port Authentication
IEEE 802.
APPENDIX A | Software Specifications Management Information Bases
Entity MIB version 3 (RFC 4133)
Ether-like MIB (RFC 3635)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB using SMI v2 (RFC 2863)
Interfaces Evolution MIB (RFC 2863)
IP MIB (RFC 2011)
IP Multicasting related MIBs
IPV6-MIB (RFC 2065)
IPV6-ICMP-MIB (RFC 2066)
IPV6-TCP-MIB (RFC 2052)
IPV6-UDP-MIB (RFC 2054)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
P-Bridge
B TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 14: Troubleshooting Chart
Symptom: Cannot connect using a web browser, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
◆ Be sure you have configured the VLAN interface through which the management station is connected with a valid IP address, subnet mask and default gateway.
USING SYSTEM LOGS If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C LICENSE INFORMATION
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b). Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c).
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY
ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DIFFSERV Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP QUERY On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
IGMP PROXY Proxies multicast group membership information onto the upstream interface based on IGMP messages monitored on downstream interfaces, and forwards multicast traffic based on that information.
MD5 MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
MIB Management Information Base. A set of database objects that contains information about a specific device.
PORT TRUNK Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
PRIVATE VLANS Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
QINQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks.
SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
INDEX
classification, QoS 188 rewriting, port 184 translation, port 184 translation, QoS 187 dynamic addresses, displaying A acceptable frame type 163 Access Control List See ACL ACL 88 binding to a port 88 address table 158 aging time 158 address, management access ARP inspection 106 28 B BPDU guard 127 shut down port on receipt 127 broadcast storm, threshold 193 C community string 66, 69 configuration files restoring 263 restoring defaults 264 saving 263 configuration settings restoring 264 saving 26
snooping, fast leave 135 throttling 136 ingress classification, QoS 186 ingress filtering 163 ingress port tag classification, QoS 177 IP address, setting 42 IP source guard, configuring static entries 105 IPv4 address DHCP 42 setting 42 IPv6 address dynamic configuration (global unicast) 45 dynamic configuration (link-local) 45 EUI format 44, 45 EUI-64 setting 44, 45 global unicast 44, 45 link-local 44 manual configuration (global unicast) 44, 45 manual configuration (link-local) 44 setting 44 K ke
ingress classification 186 ingress port classification 176 ingress port tag classification 177 port classification 176 port remarking 181 port shaper 178, 181 QCE 190 QCL status 206 queue scheduler 178 P passwords 28, 56 path cost 126, 129 STA 126, 129 PoE configuring 155 port power allocation 156 power budget 157 priority setting 157 shutdown modes 157 status, displaying 251 port maximum frame size 53 statistics 205 port classification, QoS 176 port isolation 166 port priority STA 126, 129 port rem
static addresses, setting 159 statistics, port 205 STP 119 global settings, displaying 122 settings, configuring 122 STP Also see STA switch settings restoring 263, 264 saving 263 system clock setting 46 setting the time zone 41 system information configuring 41 displaying 199 system logs 201 displaying 201 system software downloading 262 T TACACS+ logon authentication 59, 109 settings 109 Telnet/SSH, filtering IP addresses 63 thermal protection configuring 51 monitoring status 203 port shutdown seq