SMCGS18/26/50C-Smart: Web Smart 18/26/50-Port GE Switch
SMCGS18/26/50P-Smart: Web Smart 18/26/50-Port GE PoE Switch
Management Guide
No. 1, Creation Road III, Hsinchu Science Park, 30077, Taiwan, R.O.C.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice. Copyright © 2014 by SMC Networks, Inc. No.
WARRANTY AND PRODUCT REGISTRATION
To register SMC products and to review the detailed warranty statement, please refer to the Support Section of the SMC Web site at http://www.smc.com.
ABOUT THIS GUIDE

PURPOSE
This guide gives specific information on how to operate and use the management functions of the switch.

AUDIENCE
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
◆ Update on retaining IP settings when restoring factory defaults (see "Restoring Factory Defaults" on page 290).

MARCH 2013 REVISION
This is the second version of this guide. This guide is valid for software release v1.0.0.4. It includes information on the following changes:
◆ The VeriPHY option was removed from the Diagnostics menu.
CONTENTS SECTION I SECTION II WARRANTY AND PRODUCT REGISTRATION 4 ABOUT THIS GUIDE 5 CONTENTS 7 FIGURES 13 TABLES 19 GETTING STARTED 21 1 INTRODUCTION 23 Key Features 23 Description of Software Features 24 System Defaults 28 2 INITIAL SWITCH CONFIGURATION 31 WEB CONFIGURATION 33 3 USING THE WEB INTERFACE 35 Navigating the Web Browser Interface 35 Home Page 35 Configuration Options 36 Panel Display 36 Main Menu 37 4 CONFIGURING THE SWITCH 45 Configuring System Informa
CONTENTS Configuring Power Reduction Reducing Power to Idle Queue Circuits 54 54 Configuring Port Connections 55 Configuring Security 57 Configuring User Accounts 58 Configuring User Privilege Levels 60 Configuring The Authentication Method For Management Access 61 Configuring SSH 64 Configuring HTTPS 65 Filtering IP Addresses for Management Access 66 Using Simple Network Management Protocol 67 Remote Monitoring 77 Configuring Port Limit Controls 83 Configuring Authentication Throug
CONTENTS Configuring IGMP Filtering MLD Snooping 152 153 Configuring Global and Port-Related Settings for MLD Snooping 153 Configuring VLAN Settings for MLD Snooping and Query 156 Configuring MLD Filtering 158 Link Layer Discovery Protocol 159 Configuring LLDP Timing and TLVs 159 Configuring LLDP-MED TLVs 162 Power over Ethernet 168 Configuring the MAC Address Table 171 IEEE 802.
CONTENTS Configuring Remote Port Mirroring 210 Configuring UPnP 216 Configuring sFlow 217 5 MONITORING THE SWITCH Displaying Basic Information About the System 221 221 Displaying System Information 221 Displaying CPU Utilization 222 Displaying Log Messages 223 Displaying Log Details 225 Displaying Thermal Protection 225 Displaying Information About Ports 226 Displaying Port Status On the Front Panel 226 Displaying an Overview of Port Statistics 227 Displaying QoS Statistics 227 Di
CONTENTS Displaying an Overview of LACP Groups 255 Displaying LACP Port Status 255 Displaying LACP Port Statistics 256 Displaying Information on Loop Protection 257 Displaying Information on the Spanning Tree 258 Displaying Bridge Status for STA 258 Displaying Port Status for STA 260 Displaying Port Statistics for STA 261 Displaying MVR Information 262 Displaying MVR Statistics 262 Displaying MVR Group Information 263 Displaying MVR SFM Information 264 Showing IGMP Snooping Informat
CONTENTS SECTION III Restarting the Switch 289 Restoring Factory Defaults 290 Upgrading Firmware 290 Activating the Alternate Image 291 Managing Configuration Files 292 Saving Configuration Settings 292 Restoring Configuration Settings 293 APPENDICES 295 A SOFTWARE SPECIFICATIONS 297 Software Features 297 Management Features 298 Standards 299 Management Information Bases 300 B TROUBLESHOOTING 301 Problems Accessing the Management Interface 301 Using System Logs 302 C LICENS
FIGURES Figure 1: Home Page 35 Figure 2: Front Panel Indicators 36 Figure 3: System Information Configuration 45 Figure 4: IP Configuration 47 Figure 5: IPv6 Configuration 49 Figure 6: NTP Configuration 50 Figure 7: Time Zone and Daylight Savings Time Configuration 52 Figure 8: Configuring Settings for Remote Logging of Error Messages 53 Figure 9: Configuring EEE Power Reduction 55 Figure 10: Port Configuration 57 Figure 11: Showing User Accounts 59 Figure 12: Configuring User Account
FIGURES Figure 32: ACL Port Configuration 98 Figure 33: ACL Rate Limiter Configuration 99 Figure 34: Access Control List Configuration 106 Figure 35: DHCP Snooping Configuration 109 Figure 36: DHCP Relay Configuration 110 Figure 37: Configuring Global and Port-based Settings for IP Source Guard 113 Figure 38: Configuring Static Bindings for IP Source Guard 114 Figure 39: Configuring Global and Port Settings for ARP Inspection 116 Figure 40: Configuring Static Bindings for ARP Inspection 11
FIGURES Figure 68: Private VLAN Membership Configuration 179 Figure 69: Port Isolation Configuration 179 Figure 70: Configuring MAC-Based VLANs 181 Figure 71: Configuring Protocol VLANs 183 Figure 72: Assigning Ports to Protocol VLANs 184 Figure 73: Assigning Ports to an IP Subnet-based VLAN 185 Figure 74: Configuring Global and Port Settings for a Voice VLAN 188 Figure 75: Configuring an OUI Telephony List 189 Figure 76: Configuring Ingress Port QoS Classification 191 Figure 77: Configur
FIGURES Figure 104: Queueing Counters 228 Figure 105: QoS Control List Status 229 Figure 106: Detailed Port Statistics 231 Figure 107: Access Management Statistics 232 Figure 108: Port Security Switch Status 234 Figure 109: Port Security Port Status 235 Figure 110: Network Access Server Switch Status 236 Figure 111: NAS Statistics for Specified Port 240 Figure 112: ACL Status 242 Figure 113: DHCP Snooping Statistics 243 Figure 114: DHCP Relay Statistics 244 Figure 115: Dynamic ARP Ins
FIGURES Figure 140: LLDP Neighbor Information 272 Figure 141: LLDP-MED Neighbor Information 275 Figure 142: LLDP Neighbor PoE Information 276 Figure 143: LLDP Neighbor EEE Information 277 Figure 144: LLDP Port Statistics 278 Figure 145: Power over Ethernet Status 279 Figure 146: MAC Address Table 280 Figure 147: Showing VLAN Members 282 Figure 148: Showing VLAN Port Status 283 Figure 149: Showing MAC-based VLAN Membership Status 284 Figure 150: Showing sFlow Statistics 285 Figure 151:
TABLES Table 1: Key Features 23 Table 2: System Defaults 28 Table 3: Web Page Configuration Buttons 36 Table 4: Main Menu 37 Table 5: HTTPS System Support 65 Table 6: SNMP Security Models and Levels 68 Table 7: Dynamic QoS Profiles 89 Table 8: QCE Modification Buttons 100 Table 9: Recommended STA Path Cost Range 136 Table 10: Recommended STA Path Costs 136 Table 11: Default STA Path Costs 136 Table 12: QCE Modification Buttons 204 Table 13: System Capabilities 271 Table 14: Troubl
SECTION I GETTING STARTED
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION
This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction
Description of Software Features

Table 1: Key Features (Continued)
Feature | Description
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 4K using IEEE 802.
ACCESS CONTROL LISTS
ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D BRIDGE
The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.
VIRTUAL LANS
The switch supports up to 4096 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned.
QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Table 2: System Defaults (Continued)
Function | Parameter | Default
SNMP | SNMP Agent | Disabled
SNMP | Community Strings | “public” (read only), “private” (read/write)
SNMP | Traps | Global: disabled; Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: default_view; Group: default_rw_group
 | Admin Status | Enabled
 | Auto-negotiation | Enabled
 | Flow Control | Disabled
Rate Limiting | Input and output limits | Disabled
Port Trunking | Static Trunks | None
Port Trunking | LACP (all por
Table 2: System Defaults (Continued)
Function | Parameter | Default
IP Settings | Management VLAN | VLAN 1
IP Settings | IP Address | 192.168.1.10
IP Settings | Subnet Mask | 255.255.255.0
IP Settings | Default Gateway | 0.0.0.
2 INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures. To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed. This should be done before you permanently install the switch in the network. Follow this procedure:
1. Place the switch close to the PC that you intend to use for configuration.
logging out. To change the password, click Security and then Users. Select “admin” from the User Configuration list, fill in the Password fields, and then click Save.
SECTION II WEB CONFIGURATION
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
3 USING THE WEB INTERFACE
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Mozilla Firefox 2.0.0.0, or more recent versions).

NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password.
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface

CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3: Web Page Configuration Buttons
Button | Action
Save | Sets specified values to the system.
MAIN MENU
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 4: Main Menu (Continued)
Menu | Description | Page
Information | Configures system contact, name and location | 45
IP | Configures IPv4 and SNTP settings | 46
IPv6 | Configures IPv6 and SNTP settings | 47
NTP | Enables NTP, and configures a list of NTP servers | 50
Time | Configures the time zone and daylight savings time | 51
Log | Configures the logging of messages to a remote logging process, specifies the remote log server, and lim
Table 4: Main Menu (Continued)
Menu | Description | Page
Limit Control | Configures port security limit controls, including secure address aging; and per port security, including maximum allowed MAC addresses, and response for security breach | 83
NAS | Configures global and port settings for IEEE 802.
Table 4: Main Menu (Continued)
Menu | Description | Page
IPMC | IP Multicast |
IGMP Snooping | Internet Group Management Protocol Snooping | 146
Basic Configuration | Configures global and port settings for multicast filtering | 146
VLAN Configuration | Configures IGMP snooping per VLAN interface | 150
Port Group Filtering | Configures multicast groups to be filtered on specified port | 152
MLD Snooping | Multicast Listener Discovery Snooping | 153
Basic Conf
Table 4: Main Menu (Continued)
Menu | Description | Page
OUI | Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer | 188
QoS | | 189
Port Classification | Configures default traffic class, drop priority, user priority, drop eligible indicator, classification mode for tagged frames, and DSCP-based QoS classification | 190
Port Policing | Controls the bandwidth provided for frames entering the ingress queue |
Table 4: Main Menu (Continued)
Menu | Description | Page
Traffic Overview | Shows basic Ethernet port statistics | 227
QoS Statistics | Shows the number of packets entering and leaving the egress queues | 227
QCL Status | Shows the status of QoS Control List entries | 228
Detailed Statistics | Shows detailed Ethernet port statistics | 229
Security | |
Access Management Statistics | Displays the number of packets used to manage the switch vi | 232
Table 4: Main Menu (Continued)
Menu | Description | Page
Alarm | Shows all configured alarms | 253
Event | Shows all logged events | 254
LACP | Link Aggregation Control Protocol | 255
System Status | Displays administration key and associated local ports for each partner | 255
Port Status | Displays administration key, LAG ID, partner ID, and partner ports for each local port | 255
Port Statistics | Displays statistics for LACP protocol messages |
Table 4: Main Menu (Continued)
Menu | Description | Page
PoE | Displays status of all LLDP PoE neighbors, including power device type (PSE or PD), source of power, power priority, and maximum required power | 275
EEE | Displays Energy Efficient Ethernet information advertised through LLDP messages | 276
Port Statistics | Displays statistics for all connected remote devices, and statistics for LLDP protocol packets crossing each port | 277
4 CONFIGURING THE SWITCH
This chapter describes all of the basic configuration tasks.

CONFIGURING SYSTEM INFORMATION
Use the System Information Configuration page to identify the system by configuring contact information, system name, and the location of the switch.

PATH
Basic/Advanced Configuration, System, Information

PARAMETERS
These parameters are displayed:
◆ System Contact – Administrator responsible for the system.
CHAPTER 4 | Configuring the Switch
Setting an IP Address

SETTING AN IP ADDRESS
This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on.
◆ IP Router – IP address of the gateway router between the switch and management stations that exist on other network segments.
◆ VLAN ID – ID of the configured VLAN. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
kind of address cannot be passed by any router outside of the subnet. A link-local address is easy to set up, and may be useful for simple networks or basic troubleshooting tasks. However, to connect to a larger network with multiple segments, the switch must be configured with a global unicast address. A link-local address must be manually configured, but a global unicast address can either be manually configured or dynamically assigned.
◆ Address – Manually configures a global unicast address by specifying the full address and network prefix length (in the Prefix field). (Default: ::192.168.1.10)
◆ Prefix – Defines the prefix length as a decimal value indicating how many contiguous bits (starting at the left) of the address comprise the prefix; i.e., the network portion of the address.
CONFIGURING NTP SERVICE
Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
CONFIGURING THE TIME ZONE AND DAYLIGHT SAVINGS TIME
Use the Time Zone and Daylight Savings Time page to set the time zone and Daylight Savings Time.
Time Zone – NTP/SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
■ Non-Recurring – Sets the start, end, and offset times of summer time for the switch on a one-time basis.
■ From – Start time for summer time.
■ To – End time for summer time.
■ Offset – The number of minutes to add during Daylight Saving Time. (Range: 1-1440)

WEB INTERFACE
To set the time zone or Daylight Savings Time:
1. Click Configuration, System, Time.
2. Select one of the predefined time zones.
3.
CONFIGURING REMOTE LOG MESSAGES
Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types.

PATH
Basic/Advanced Configuration, System, Log

COMMAND USAGE
When remote logging is enabled, system log messages are sent to the designated server. The syslog protocol is based on UDP and received on UDP port 514.
CONFIGURING POWER REDUCTION
The switch provides power saving methods including powering down the circuitry for port queues when not in use.

REDUCING POWER TO IDLE QUEUE CIRCUITS
Use the EEE Configuration page to configure Energy Efficient Ethernet (EEE) for specified queues, and to specify urgent queues which are to transmit data after maximum latency expires regardless of queue length.
3. If required, also specify urgent queues which will be powered up once data is queued and the default wakeup time has passed.
4. Click Save.
Figure 9: Configuring EEE Power Reduction

CONFIGURING PORT CONNECTIONS
Use the Port Configuration page to configure the connection parameters for each port.
■ 100Mbps FDX - Supports 100 Mbps full-duplex operation
■ 100Mbps HDX - Supports 100 Mbps half-duplex operation
■ 10Mbps FDX - Supports 10 Mbps full-duplex operation
■ 10Mbps HDX - Supports 10 Mbps half-duplex operation
(Default: Autonegotiation enabled; Advertised capabilities for RJ-45: 1000BASE-T - 10half, 10full, 100half, 100full, 1000full; SFP: 1000BASE-SX/LX/LH - 1000full)
NOTE: The 1000BASE-T standard does not support forced mod
■ Enabled – Both link up and link down power savings enabled.
■ ActiPHY – Link down power savings enabled.
■ PerfectReach – Link up power savings enabled.

WEB INTERFACE
To configure port connection settings:
1. Click Configuration, Ports.
2. Make any required changes to the connection settings.
3. Click Save.
ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch. These include limiting the number of users accessing a port.
◆ Privilege Level – Specifies the user level. (Options: 1 - 15) Access to specific functions is controlled through the Privilege Levels configuration page (see page 60). The default settings provide four access levels:
■ 1 – Read access of port status and statistics.
CONFIGURING USER PRIVILEGE LEVELS
Use the Privilege Levels page to set the privilege level required to read or configure specific software modules or system settings.

PATH
Advanced Configuration, Security, Switch, Privilege Levels

PARAMETERS
These parameters are displayed:
◆ Group Name – The name identifying a privilege group. In most cases, a privilege group consists of a single module (e.g.
3. Click Save.
Figure 13: Configuring Privilege Levels

CONFIGURING THE AUTHENTICATION METHOD FOR MANAGEMENT ACCESS
Use the Authentication Method Configuration page to specify the authentication method for controlling management access through the console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled with a RADIUS or TACACS+ remote access authentication server.
Figure 14: Authentication Server Operation (figure labels: Web; RADIUS/TACACS+ server)
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
NOTE: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS and TACACS+ server software.

PARAMETERS
These parameters are displayed:
◆ Client – Specifies how the administrator is authenticated when logging into the switch via Telnet, SSH, or a web browser.
CONFIGURING SSH
Use the SSH Configuration page to configure access to the Secure Shell (SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public key that the client uses along with a local user name and password for access authentication.
CONFIGURING HTTPS
Use the HTTPS Configuration page to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.
Figure 17: HTTPS Configuration

FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS
Use the Access Management Configuration page to create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, or SNMP, or Telnet. The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
5. Mark the protocols to restrict based on the specified address range. The following example shows how to restrict management access for all protocols to a specific address range.
6. Click Save.
Figure 18: Access Management Configuration

USING SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network.
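The following is an added example (not the switch's own firmware or any SMC code) that models the Access Management rule described above: a table of up to 16 address ranges, each marked with the management protocols it may use, and an open-to-all default while the table is empty. The entry layout, the protocol names, and the grouping of HTTPS with HTTP and SSH with Telnet are assumptions made for this illustration.

```python
"""Access Management filter check (added example, not the switch's code)."""
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 16  # stated limit for the Access Management table

# Assumed grouping: the guide names "web interface, SNMP, Telnet" as the
# protocols an entry can restrict; HTTPS and SSH are folded in here.
PROTOCOL_GROUP = {"http": "web", "https": "web", "snmp": "snmp",
                  "telnet": "telnet", "ssh": "telnet"}


@dataclass(frozen=True)
class AccessEntry:
    """One row: an inclusive address range and the protocol groups it may use."""
    start: str
    end: str
    web: bool = False
    snmp: bool = False
    telnet: bool = False

    def covers(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        # Version check first: comparing v4 with v6 addresses raises TypeError.
        return addr.version == lo.version and lo <= addr <= hi

    def permits(self, protocol: str) -> bool:
        return getattr(self, PROTOCOL_GROUP[protocol])


class AccessManagement:
    """Decides whether a management request may reach the switch."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.entries = []

    def add(self, entry: AccessEntry) -> None:
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("Access Management table holds at most 16 entries")
        if ipaddress.ip_address(entry.start) > ipaddress.ip_address(entry.end):
            raise ValueError("range start must not exceed range end")
        self.entries.append(entry)

    def allowed(self, src_ip: str, protocol: str) -> bool:
        # Filtering disabled or no entries: interfaces open to all addresses.
        if not self.enabled or not self.entries:
            return True
        # Once any entry exists, only listed addresses get in, and only for
        # the protocols marked on a matching entry.
        return any(e.covers(src_ip) and e.permits(protocol) for e in self.entries)


def build_example() -> AccessManagement:
    """Constructed sample table: an admin subnet with every protocol and a
    single monitoring host limited to SNMP."""
    mgmt = AccessManagement(enabled=True)
    mgmt.add(AccessEntry("192.168.1.1", "192.168.1.254",
                         web=True, snmp=True, telnet=True))
    mgmt.add(AccessEntry("10.0.0.5", "10.0.0.5", snmp=True))
    return mgmt


def check_requests(mgmt: AccessManagement, requests):
    """Return (src_ip, protocol, allowed) for each (src_ip, protocol) pair."""
    return [(ip, proto, mgmt.allowed(ip, proto)) for ip, proto in requests]


if __name__ == "__main__":
    sample = build_example()
    batch = [("192.168.1.20", "https"), ("10.0.0.5", "snmp"),
             ("10.0.0.5", "ssh"), ("172.16.0.9", "http")]
    for ip, proto, ok in check_requests(sample, batch):
        print(f"{ip:>14} {proto:<6} {'allowed' if ok else 'denied'}")
```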
MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
◆ Version - Specifies the SNMP version to use. (Options: SNMP v1, SNMP v2c, SNMP v3; Default: SNMP v2c)
◆ Read Community - The community used for read-only access to the SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public) This parameter only applies to SNMPv1 and SNMPv2c. SNMPv3 uses the User-based Security Model (USM) for authentication and privacy.
8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Trap Authentication Failure - Issues a notification message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)
◆ Trap Link-up and Link-down - Issues a notification message whenever a port link is established or broken.
NOTE: To select a name from this field, first enter an SNMPv3 user with the same Trap Security Engine ID in the SNMPv3 Users Configuration menu (see "Configuring SNMPv3 Users" on page 73).

WEB INTERFACE
To configure SNMP system and trap settings:
1. Click Advanced Configuration, Security, Switch, SNMP, System.
2.
SETTING SNMPV3 COMMUNITY ACCESS STRINGS
Use the SNMPv3 Community Configuration page to set community access strings. All community strings used to authorize access by SNMP v1 and v2c clients should be listed in the SNMPv3 Communities Configuration table. For security reasons, you should consider removing the default strings.
CONFIGURING SNMPV3 USERS
Use the SNMPv3 User Configuration page to define a unique name and remote engine ID for each SNMPv3 user. Users must be configured with a specific security level, and the types of authentication and privacy protocols to use.
◆ Privacy Protocol - The encryption algorithm used for data privacy; only 56-bit DES is currently available. (Options: None, DES; Default: DES)
◆ Privacy Password - A string identifying the privacy pass phrase. (Range: 8-40 characters, ASCII characters 33-126 only)

WEB INTERFACE
To configure SNMPv3 users:
1. Click Advanced Configuration, Security, Switch, SNMP, Users.
2. Click “Add new user” to configure a user name.
3.
menu (see page 73). To modify an entry for USM, the current entry must first be deleted.
◆ Group Name - The name of the SNMP group. (Range: 1-32 characters, ASCII characters 33-126 only)

WEB INTERFACE
To configure SNMPv3 groups:
1. Click Advanced Configuration, Security, Switch, SNMP, Groups.
2. Click “Add new group” to set up a new group.
3. Select a security model.
4. Select the security name.
◆ View Type - Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Generally, if the view type of an entry is “excluded,” another entry of view type “included” should exist and its OID subtree should overlap the “excluded” view entry.
◆ OID Subtree - Object identifiers of branches within the MIB tree. Note that the first character must be a period (.).
■ Auth, NoPriv - SNMP communications use authentication, but the data is not encrypted.
■ Auth, Priv - SNMP communications use both authentication and encryption.
◆ Read View Name - The configured view for read access. (Range: 1-32 characters, ASCII characters 33-126 only)
◆ Write View Name - The configured view for write access. (Range: 1-32 characters, ASCII characters 33-126 only)

WEB INTERFACE
To configure SNMPv3 group access rights:
1.
CONFIGURING RMON STATISTICAL SAMPLES
Use the RMON Statistics Configuration page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

PATH
Advanced Configuration, Security, RMON, Statistics

COMMAND USAGE
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
growth and plan for expansion before your network becomes too overloaded.

PATH
Advanced Configuration, Security, RMON, History

COMMAND USAGE
The information collected for each sample includes: drop events, input octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and network utilization.
CONFIGURING RMON ALARMS
Use the RMON Alarm Configuration page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval). Alarms can be set to respond to rising or falling thresholds.
■ Rising or Falling – Trigger alarm when the first value is larger than the rising threshold or less than the falling threshold (default).
◆ Rising Threshold – If the current value is greater than the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated.
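The following is an added example (not the switch's own code) that works through the RMON alarm rule just described: absolute or delta sampling, a startup alarm type that decides which thresholds the very first value is tested against, and a rising alarm only when the current value is above the rising threshold while the last sample was below it (the falling case mirrors this). The class and attribute names are assumptions for this illustration.

```python
"""RMON alarm threshold evaluation (added example, not the switch's code)."""
from typing import List, Optional


class RmonAlarm:
    """Evaluates one RMON alarm entry against successive counter readings."""

    STARTUP_TYPES = ("rising", "falling", "rising_or_falling")

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 startup: str = "rising_or_falling"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in self.STARTUP_TYPES:
            raise ValueError("unknown startup alarm type")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising = rising
        self.falling = falling
        self.sample_type = sample_type
        self.startup = startup
        self._last_raw: Optional[int] = None    # previous counter reading (delta mode)
        self._last_value: Optional[int] = None  # previous evaluated sample value

    def _value(self, raw: int) -> Optional[int]:
        """Absolute mode uses the reading itself; delta mode uses the change
        since the previous reading, so the first reading only sets a baseline."""
        if self.sample_type == "absolute":
            return raw
        prev, self._last_raw = self._last_raw, raw
        return None if prev is None else raw - prev

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return "rising", "falling" or None."""
        value = self._value(raw)
        if value is None:
            return None
        event = None
        last = self._last_value
        if last is None:
            # First value: the startup alarm setting selects the thresholds tested.
            if value > self.rising and self.startup in ("rising", "rising_or_falling"):
                event = "rising"
            elif value < self.falling and self.startup in ("falling", "rising_or_falling"):
                event = "falling"
        else:
            # Crossing rule from the guide: alarm only when the previous sample
            # was on the other side of the threshold, so a counter that stays
            # high does not re-alarm every interval.
            if value > self.rising and last < self.rising:
                event = "rising"
            elif value < self.falling and last > self.falling:
                event = "falling"
        self._last_value = value
        return event

    def run(self, readings: List[int]) -> List[Optional[str]]:
        """Evaluate a whole series of readings taken one interval apart."""
        return [self.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings: an absolute value that climbs, drops, and climbs again.
    print(RmonAlarm(rising=100, falling=20).run([50, 120, 130, 10, 15, 110]))
    # Constructed counter readings evaluated as per-interval deltas.
    print(RmonAlarm(rising=200, falling=10, sample_type="delta").run([1000, 1050, 1400, 1420]))
```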
CHAPTER 4 | Configuring the Switch Configuring Security CONFIGURING RMON EVENTS Use the RMON Event Configuration page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems. PATH Advanced Configuration, Security, RMON, Event PARAMETERS The following parameters are displayed: ◆ ID – Index to this entry.
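The threshold test described for RMON alarms (absolute or delta sampling, startup alarm, rising and falling thresholds) together with the log or trap response configured for RMON events, as an added Python example that is not code from the SMC guide; the counter readings, event IDs and event descriptions are constructed sample values.

```python
"""RMON alarm and event evaluation (added illustration, not SMC code).

Models the Alarm Configuration page: a statistic is sampled once per
interval, either as an absolute value or as the delta since the previous
reading, and compared with rising and falling thresholds. A fired alarm
names an RMON event, whose configured action is a log entry, a trap, or both.
Readings, event IDs and descriptions below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RmonEvent:
    event_id: int
    action: str            # "log", "trap" or "log_and_trap"
    description: str


@dataclass
class RmonAlarm:
    sample_type: str       # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: int      # event ID fired on a rising crossing
    falling_event: int     # event ID fired on a falling crossing
    startup: str = "rising_or_falling"   # test applied to the very first sample
    last_value: Optional[int] = field(default=None, init=False)
    last_raw: Optional[int] = field(default=None, init=False)

    def sample(self, raw_counter: int) -> Optional[int]:
        """Feed one reading taken at the alarm interval; return the event ID fired, or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw_counter          # a delta needs two readings
                return None
            value, self.last_raw = raw_counter - self.last_raw, raw_counter
        else:
            value = raw_counter
        fired = None
        if self.last_value is None:
            # Startup alarm: only the first value is compared directly with the thresholds
            if self.startup in ("rising", "rising_or_falling") and value > self.rising_threshold:
                fired = self.rising_event
            elif self.startup in ("falling", "rising_or_falling") and value < self.falling_threshold:
                fired = self.falling_event
        else:
            # Rising: above the threshold now, and the previous sample was below it
            if value > self.rising_threshold and self.last_value < self.rising_threshold:
                fired = self.rising_event
            # Falling: below the threshold now, and the previous sample was above it
            elif value < self.falling_threshold and self.last_value > self.falling_threshold:
                fired = self.falling_event
        self.last_value = value
        return fired


# Constructed event table, keyed by the event ID an alarm refers to
EVENTS: Dict[int, RmonEvent] = {
    1: RmonEvent(1, "log_and_trap", "CRC alignment errors above threshold"),
    2: RmonEvent(2, "log", "CRC alignment errors back below threshold"),
}


def respond(events: Dict[int, RmonEvent], event_id: int, value: int) -> List[str]:
    """Take the configured response for a fired event: a log entry, a trap message, or both."""
    ev = events[event_id]
    out = []
    if ev.action in ("log", "log_and_trap"):
        out.append(f"LOG event {ev.event_id}: {ev.description} (value={value})")
    if ev.action in ("trap", "log_and_trap"):
        out.append(f"TRAP event {ev.event_id} -> trap manager: {ev.description}")
    return out


def run(alarm: RmonAlarm, events: Dict[int, RmonEvent], readings: List[int]) -> List[Optional[int]]:
    """Feed one reading per interval; return the event ID fired (or None) at each step."""
    fired = []
    for reading in readings:
        event_id = alarm.sample(reading)
        fired.append(event_id)
        if event_id is not None:
            for line in respond(events, event_id, alarm.last_value):
                print(line)
    return fired


if __name__ == "__main__":
    # Absolute sampling of a CRC error counter, rising 100 / falling 20
    print(run(RmonAlarm("absolute", 100, 20, 1, 2), EVENTS, [50, 150, 160, 10, 30, 150]))
    # Delta sampling of a packet counter: alarm on more than 1000 packets per interval
    print(run(RmonAlarm("delta", 1000, 10, 1, 2), EVENTS, [0, 500, 2000, 2005, 2100]))
```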
Figure 28: RMON Event Configuration CONFIGURING PORT LIMIT CONTROLS Use the Port Security Limit Control Configuration page to limit the number of users accessing a given port. A user is identified by a MAC address and VLAN ID. If Limit Control is enabled on a port, the maximum number of users on the port is restricted to the specified limit. If this number is exceeded, the switch makes the specified response.
◆ Limit – The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1024. If the limit is exceeded, the corresponding action is taken. The switch is “initialized” with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port.
WEB INTERFACE To configure port limit controls: 1. Click Advanced Configuration, Security, Network, Limit Control. 2. Set the system configuration parameters to globally enable or disable limit controls, and configure address aging as required. 3. Set limit controls for any port, including status, maximum number of addresses allowed, and the response to a violation. 4. Click Save.
Figure 30: Using Port Security (802.1X client). 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. Client sends back identity information. 4. Switch forwards this to authentication server. 5. Authentication server challenges client. 6. Client responds with proper credentials. 7. Authentication server approves access. 8. Switch grants client access to this port.
◆ 802.1X / MAC-based authentication must be enabled globally for the switch. ◆ The Admin State for each switch port that requires client authentication must be set to 802.1X or MAC-based. ◆ When using 802.1X authentication: ■ Each client that needs to be authenticated must have dot1x client software installed and properly configured. ■ When using 802.1X authentication, the RADIUS server and 802.1X client must support EAP.
between the switch and the client, and therefore does not imply that a client is still present on a port (see Age Period below). ◆ Reauthentication Period - Sets the time period after which a connected client must be re-authenticated. (Range: 1-3600 seconds; Default: 3600 seconds) ◆ EAPOL Timeout - Sets the time the switch waits for a supplicant response during an authentication session before retransmitting a Request Identity EAPOL packet.
whether RADIUS-assigned QoS Class is enabled for that port. When unchecked, RADIUS-server assigned QoS Class is disabled for all ports. When RADIUS-Assigned QoS is both globally enabled and enabled for a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated.
For example, if the attribute is “map-ip-dscp=2:3;service-policyin=p1,” then the switch ignores the “map-ip-dscp” profile. ◆ When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged): ■ The Filter-ID attribute cannot be found to carry the user profile. ■ The Filter-ID attribute is empty.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it is invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned setting). This option is only available for single-client modes, i.e. port-based 802.1X and Single 802.1X.
NOTE: For troubleshooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration. Guest VLAN Operation When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth.
◆ Admin State - If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available: ■ Force Authorized - The switch sends one EAPOL Success frame when the port link comes up. This forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.) ■ Force Unauthorized - The switch will send one EAPOL Failure frame when the port link comes up.
password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.
◆ Guest VLAN Enabled - Enables or disables this feature for a given port. Refer to the description of this feature under the System Configure section. ◆ Port State - The current state of the port: ■ Globally Disabled - 802.1X and MAC-based authentication are globally disabled. (This is the default state.) ■ Link Down - 802.1X or MAC-based authentication is enabled, but there is no link on the port.
Figure 31: Network Access Server Configuration FILTERING TRAFFIC WITH ACCESS CONTROL LISTS An Access Control List (ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule.
◆ Policy ID - An ACL policy configured on the ACE Configuration page (page 101). (Range: 1-8; Default: 1, which is undefined) ◆ Action - Permits or denies a frame based on whether it matches a rule defined in the assigned policy. (Default: Permit) ◆ Rate Limiter ID - Specifies a rate limiter (page 98) to apply to the port. (Range: 1-15; Default: Disabled) ◆ Port Redirect - Defines a port to which matching frames are redirected.
frames, or shutting down the port. Note that the setting for rate limiting is implemented regardless of whether or not a matching packet is seen. 3. Repeat the preceding step for each port to which an ACL will be applied. 4. Click Save.
3. Click Save. Figure 33: ACL Rate Limiter Configuration CONFIGURING ACCESS CONTROL LISTS Use the Access Control List Configuration page to define filtering rules for an ACL policy, for a specific port, or for all ports. Rules applied to a port take effect immediately, while those defined for a policy must be mapped to one or more ports using the ACL Ports Configuration menu (page 96).
this entry when ARP/RARP hardware address is equal to Ethernet, matches this entry when ARP/RARP protocol address space setting is equal to IP (0x800) ■ IPv4 frames (based on destination MAC address, protocol type, TTL, IP fragment, IP option flag, source/destination IP, VLAN ID, VLAN priority) PARAMETERS These parameters are displayed: ACCESS CONTROL LIST CONFIGURATION ◆ Ingress Port - The ingress port of the ACE: ■ All - The ACE will match all
ACE CONFIGURATION Ingress Port and Frame Type ◆ Ingress Port - Any port, port identifier, or policy. (Options: Any port, Port 1-10, Policy 1-8; Default: Any) ◆ Policy Filter - The policy number filter for this ACE: ■ Any - No policy filter is specified (i.e., don’t care). ■ Specific - If you want to filter a specific policy with this ACE, choose this value. Two fields for entering a policy value and a bitmask appear.
RARP opcode set to ARP, RARP - frame must have ARP/RARP opcode set to RARP, Other - frame has unknown ARP/RARP opcode flag; Default: Any) ■ Request/Reply - Specifies whether the packet is an ARP request, reply, or either type.
RARP frames where the PRO is equal to IP (0x800) must match this entry; Default: Any) ◆ IPv4: MAC Parameters ■ DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast; Default: Any) IP Parameters ■ IP Protocol Filter - Specifies the IP protocol to filter for this rule.
■ TCP SYN - Specifies the TCP “Synchronize sequence numbers” (SYN) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the SYN field is set must not match this entry, 1 - TCP frames where the SYN field is set must match this entry; Default: Any) ■ TCP RST - Specifies the TCP “Reset the connection” (RST) value for this rule.
■ DIP Filter - Specifies the destination IP filter for this rule. (Options: Any - no destination IP filter is specified, Host - specifies the destination IP address in the DIP Address field, Network - specifies the destination IP address and destination IP mask in the DIP Address and DIP Mask fields; Default: Any) Response to take when a rule is matched ◆ Action - Permits or denies a frame based on whether it matches an ACL rule.
WEB INTERFACE To configure an Access Control List for a port or a policy: 1. Click Advanced Configuration, Security, Network, ACL, Access Control List. 2. Click the button to add a new ACL, or use the other ACL modification buttons to specify the editing action (i.e., edit, delete, or moving the relative position of entry in the list). 3.
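The first-match evaluation described above, with ACEs built from the fields on the ACE Configuration page (ingress port or policy, frame type, DMAC filter, IP protocol, TCP SYN, Host/Network SIP and DIP filters), as an added Python example that is not SMC code; the sample ACL, the frames and the port-to-policy mapping are constructed here.

```python
"""First-match ACL evaluation over ACE fields (added example, not SMC code).

Each ACE condition left as None means "Any" (don't care). A policy ACE
applies to every port mapped to that policy on the ACL Ports page; a port
ACE applies to one ingress port. Evaluation walks the list top to bottom and
the first matching ACE decides; when nothing matches, the port's default
Action (Permit) applies. The ACL and frames below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    ingress: Optional[int] = None        # a specific ingress port
    policy: Optional[int] = None         # or: ACE belongs to policy 1-8
    frame_type: Optional[str] = None     # "ARP", "IPv4", ...
    dmac_filter: Optional[str] = None    # "UC", "MC" or "BC"
    ip_protocol: Optional[int] = None    # 6 = TCP, 17 = UDP
    tcp_syn: Optional[int] = None        # 1: SYN-set frames match, 0: SYN-clear frames match
    sip: Optional[str] = None            # Host "10.0.0.5" or Network "10.0.0.0/24"
    dip: Optional[str] = None


@dataclass
class Frame:
    """The ingress frame fields the ACE conditions are tested against."""
    ingress: int
    frame_type: str
    dmac_kind: str
    ip_protocol: Optional[int] = None
    tcp_syn: Optional[int] = None
    sip: Optional[str] = None
    dip: Optional[str] = None


def ip_filter_matches(spec: Optional[str], addr: Optional[str]) -> bool:
    """Any: always matches; Host: exact address; Network: address within prefix/mask."""
    if spec is None:
        return True
    if addr is None:
        return False
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


def ace_matches(ace: Ace, frame: Frame, port_policy: Dict[int, int]) -> bool:
    """True when every configured (non-Any) condition of the ACE holds for the frame."""
    if ace.ingress is not None and ace.ingress != frame.ingress:
        return False
    if ace.policy is not None and port_policy.get(frame.ingress) != ace.policy:
        return False
    if ace.frame_type is not None and ace.frame_type != frame.frame_type:
        return False
    if ace.dmac_filter is not None and ace.dmac_filter != frame.dmac_kind:
        return False
    if ace.ip_protocol is not None and ace.ip_protocol != frame.ip_protocol:
        return False
    if ace.tcp_syn is not None and ace.tcp_syn != frame.tcp_syn:
        return False
    return ip_filter_matches(ace.sip, frame.sip) and ip_filter_matches(ace.dip, frame.dip)


def evaluate(acl: List[Ace], frame: Frame, port_policy: Dict[int, int],
             port_default: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding ACE), or (port default, None) if none matched."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, frame, port_policy):
            return ace.action, i
    return port_default, None


# Constructed sample: ports 2 and 3 are mapped to policy 1 on the ACL Ports page.
PORT_POLICY = {2: 1, 3: 1}
ACL = [
    # Policy 1: drop IPv4 traffic from one quarantined host on every policy-1 port
    Ace("deny", policy=1, frame_type="IPv4", sip="10.0.0.99"),
    # Port 4: block new TCP sessions (SYN set) into the server subnet, allow the rest
    Ace("deny", ingress=4, frame_type="IPv4", ip_protocol=6, tcp_syn=1, dip="10.0.0.0/24"),
    # Explicitly permit ARP everywhere
    Ace("permit", frame_type="ARP"),
]

if __name__ == "__main__":
    for f in (Frame(2, "IPv4", "UC", 6, 1, "10.0.0.99", "10.0.0.10"),
              Frame(4, "IPv4", "UC", 6, 1, "10.0.1.7", "10.0.0.10"),
              Frame(4, "IPv4", "UC", 6, 0, "10.0.1.7", "10.0.0.10")):
        print(f, "->", evaluate(ACL, f, PORT_POLICY))
```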
CONFIGURING DHCP SNOOPING Use the DHCP Snooping Configuration page to filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
■ If the DHCP packet is not a recognizable type, it is dropped. ■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. ■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN. ■ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
Figure 35: DHCP Snooping Configuration CONFIGURING DHCP RELAY AND OPTION 82 INFORMATION Use the DHCP Relay Configuration page to configure DHCP relay service for attached host devices. If a subnet does not include a DHCP server, you can relay DHCP client requests to a DHCP server on another subnet.
PARAMETERS These parameters are displayed: ◆ Relay Mode - Enables or disables the DHCP relay function. (Default: Disabled) ◆ Relay Server - IP address of DHCP server to be used by the switch's DHCP relay agent. ◆ Relay Information Mode - Enables or disables the DHCP Relay Option 82 support. Note that Relay Mode must also be enabled for Relay Information Mode to take effect.
CONFIGURING IP SOURCE GUARD IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "Configuring DHCP Snooping"). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
PARAMETERS These parameters are displayed: Global Configuration ◆ Mode – Enables or disables IP Source Guard globally on the switch. All configured ACEs will be lost when enabled. (Default: Disabled) NOTE: DHCP snooping must be enabled for dynamic clients to be learned automatically. ◆ Translate dynamic to static – Click to translate all dynamic entries to static entries.
Figure 37: Configuring Global and Port-based Settings for IP Source Guard CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Static IP Source Guard Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, IP address, and subnet mask. All static entries are configured with an infinite lease time.
◆ IP Address – A valid unicast IP address, including classful types A, B or C. ◆ MAC Address – A valid unicast MAC address. WEB INTERFACE To configure static bindings for IP Source Guard: 1. Click Advanced Configuration, Security, Network, IP Source Guard, Static Table. 2. Click “Add new entry.” 3. Enter the required bindings for a given port. 4. Click Save.
■ When ARP Inspection is enabled globally, all ARP request and reply packets on inspection-enabled ports are redirected to the CPU and their switching behavior handled by the ARP Inspection engine. ■ If ARP Inspection is disabled globally, then it becomes inactive for all ports, including those where inspection is enabled.
WEB INTERFACE To configure global and port settings for ARP Inspection: 1. Click Advanced Configuration, Security, Network, ARP Inspection, Configuration. 2. Enable ARP inspection globally, and on any ports where it is required. 3. Click Save. Figure 39: Configuring Global and Port Settings for ARP Inspection CONFIGURING STATIC BINDINGS FOR ARP INSPECTION Use the Static ARP Inspection Table to bind a static address to a port.
WEB INTERFACE To configure the static ARP Inspection table: 1. Click Advanced Configuration, Network, Security, ARP Inspection, Static Table. 2. Click “Add new entry.” 3. Enter the required bindings for a given port. 4. Click Save.
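The DHCP snooping forwarding rules, the binding table they populate, and the IP Source Guard and ARP Inspection lookups against that table (the three features described above), as one added Python example that is not SMC code. Ports, VLANs, addresses and DHCP message names are constructed; that server replies arriving on an untrusted port are dropped, and that trusted ports bypass the binding checks, are assumptions not stated on this page.

```python
"""DHCP snooping, IP Source Guard and ARP Inspection (added example, not SMC code).

Client DHCP packets go only to trusted ports in their VLAN; server packets
received on a trusted port go to all ports in the VLAN; unrecognised types are
dropped; disabling snooping globally removes every dynamic binding. The
binding learned from a DHCP ACK (port, VLAN, IP, MAC) is what IP Source Guard
and ARP Inspection later check traffic on the untrusted port against.
Assumed here: server messages on untrusted ports are dropped, and trusted
ports bypass the binding checks. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    port: int
    vlan: int
    ip: str
    mac: str
    static: bool = False   # static entries have an infinite lease


class SnoopingSwitch:
    def __init__(self, trusted: Set[int], vlan_ports: Dict[int, Set[int]]):
        self.enabled = True
        self.trusted = trusted                         # ports facing the DHCP server
        self.vlan_ports = vlan_ports                   # VLAN ID -> member ports
        self.bindings: Set[Binding] = set()
        self.pending: Dict[str, Tuple[int, int]] = {}  # client MAC -> (port, vlan) awaiting ACK

    def add_static(self, port: int, vlan: int, ip: str, mac: str) -> None:
        """Static IP Source Guard / ARP Inspection table entry."""
        self.bindings.add(Binding(port, vlan, ip, mac, static=True))

    def disable(self) -> None:
        """Globally disabling DHCP snooping removes all dynamic bindings."""
        self.enabled = False
        self.bindings = {b for b in self.bindings if b.static}

    def handle_dhcp(self, in_port: int, vlan: int, msg: str, client_mac: str,
                    yiaddr: str = None) -> Set[int]:
        """Return the egress port set for a DHCP packet; an empty set means dropped."""
        others = self.vlan_ports[vlan] - {in_port}
        if not self.enabled:
            return others                              # plain flooding within the VLAN
        if msg in CLIENT_MSGS:
            if in_port not in self.trusted:
                self.pending[client_mac] = (in_port, vlan)
            return {p for p in others if p in self.trusted}   # trusted ports only
        if msg in SERVER_MSGS:
            if in_port not in self.trusted:
                return set()                           # assumed: no server replies from untrusted ports
            if msg == "ACK" and yiaddr and client_mac in self.pending:
                port, vl = self.pending.pop(client_mac)
                self.bindings.add(Binding(port, vl, yiaddr, client_mac))   # dynamic binding
            return others                              # trusted and untrusted ports in the VLAN
        return set()                                   # unrecognisable type is dropped

    def _bound(self, port: int, vlan: int, ip: str, mac: str) -> bool:
        return any(b.port == port and b.vlan == vlan and b.ip == ip and b.mac == mac
                   for b in self.bindings)

    def ip_source_guard(self, in_port: int, vlan: int, src_ip: str, src_mac: str) -> bool:
        """IP traffic on an untrusted port passes only if it matches a binding for that port."""
        return in_port in self.trusted or self._bound(in_port, vlan, src_ip, src_mac)

    def arp_inspection(self, in_port: int, vlan: int, sender_ip: str, sender_mac: str) -> bool:
        """ARP on an inspected port passes only if sender IP/MAC are bound to that port."""
        return in_port in self.trusted or self._bound(in_port, vlan, sender_ip, sender_mac)


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted={1}, vlan_ports={10: {1, 2, 3}})
    print(sw.handle_dhcp(2, 10, "REQUEST", "00-11-22-33-44-55"))              # {1}
    print(sw.handle_dhcp(1, 10, "ACK", "00-11-22-33-44-55", "192.168.10.20"))  # {2, 3}
    print(sw.ip_source_guard(2, 10, "192.168.10.20", "00-11-22-33-44-55"))      # True
    print(sw.ip_source_guard(3, 10, "192.168.10.20", "00-11-22-33-44-55"))      # False
```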
Setting the Dead Time to a value greater than 0 (zero) will cause the authentication server to be ignored until the Dead Time has expired. However, if only one server is enabled, it will never be considered dead. RADIUS/TACACS+ Server Configuration ◆ Enabled – Enables the server specified in this entry. ◆ IP Address/Hostname – IP address or IP alias of authentication server.
CHAPTER 4 | Configuring the Switch Creating Trunk Groups Figure 41: Authentication Configuration CREATING TRUNK GROUPS You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
USAGE GUIDELINES Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, configure the trunk on the devices at both ends.
needs to ensure that frames in each “conversation” are mapped to the same trunk link. To achieve this requirement and to distribute a balanced load across all links in a trunk, the switch uses a hash algorithm to calculate an output link number in the trunk.
Aggregation Group Configuration ◆ Group ID – Trunk identifier. ◆ Port Members – Port identifier. WEB INTERFACE To configure a static trunk: 1. Click Configuration, Aggregation, Static. 2. Select one or more load-balancing methods to apply to the configured trunks. 3. Assign port members to each trunk that will be used. 4. Click Save.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. ◆ If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
CHAPTER 4 | Configuring the Switch Configuring Loop Protection WEB INTERFACE To configure a dynamic trunk: 1. Click Configuration, Aggregation, LACP. 2. Enable LACP on all of the ports to be used in a LAG. 3. Specify the LACP Admin Key to restrict a port to a specific LAG. 4. Set at least one of the ports in each LAG to Active initiation mode, either at the near end or far end of the trunk. 5. Click Save.
USAGE GUIDELINES ◆ The default settings for the control frame transmit interval and recover time may be adjusted to improve performance for your specific environment. The response mode may also need to be changed once you determine what kind of packets are being looped back. ◆ Loopback detection must be enabled both globally and on an interface for loopback detection to take effect.
CHAPTER 4 | Configuring the Switch Configuring the Spanning Tree Algorithm 3. Enable loop protection for the port to be monitored, set the response to take if a loop is detected, and select whether or not the port will actively transmit control frames. 4. Click Save. Figure 44: Loop Protection Configuration CONFIGURING THE SPANNING TREE ALGORITHM The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Figure 46: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 132). An MST Region may contain multiple MSTP Instances.
CONFIGURING GLOBAL SETTINGS FOR STA Use the STP Bridge Settings page to configure settings for STA which apply globally to the switch. PATH Basic/Advanced Configuration, Spanning Tree, Bridge Settings COMMAND USAGE ◆ Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.
PARAMETERS These parameters are displayed: Basic Settings ◆ Protocol Version – Specifies the type of spanning tree used on this switch. (Options: STP, RSTP, MSTP; Default: MSTP) ■ STP: Spanning Tree Protocol (IEEE 802.1D); i.e., the switch will use RSTP set to STP forced compatibility mode. ■ RSTP: Rapid Spanning Tree (IEEE 802.1w) ■ MSTP: Multiple Spanning Tree (IEEE 802.1s); This is the default.
An MST region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MST region is never changed. However, each spanning tree instance within a region, and the common internal spanning tree (CIST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU.
Figure 48: STA Bridge Configuration CONFIGURING MULTIPLE SPANNING TREES Use the MSTI Mapping page to add VLAN groups to an MSTP instance (MSTI), or to designate the name and revision of the VLAN-to-MSTI mapping used on this switch. PATH Basic/Advanced Configuration, Spanning Tree, MSTI Mapping COMMAND USAGE MSTP generates a unique spanning tree for each instance.
NOTE: All VLANs are automatically added to the CIST (MST Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. PARAMETERS These parameters are displayed: Configuration Identification ◆ Configuration Name – The name for this MSTI.
Figure 49: Adding a VLAN to an MST Instance CONFIGURING SPANNING TREE BRIDGE PRIORITIES Use the MSTI Priorities page to configure the bridge priority for the CIST and any configured MSTI. Remember that RSTP looks upon each MST Instance as a single bridge node. PATH Basic/Advanced Configuration, Spanning Tree, MSTI Properties PARAMETERS These parameters are displayed: ◆ MSTI – Instance identifier to configure.
WEB INTERFACE To add VLAN groups to an MSTP instance: 1. Click Configuration, Spanning Tree, MSTI Priorities. 2. Set the bridge priority for the CIST or any configured MSTI. 3. Click Save. Figure 50: Configuring STA Bridge Priorities CONFIGURING STP/RSTP/CIST INTERFACES Use the CIST Ports Configuration page to configure STA attributes for interfaces when the spanning tree mode is set to STP or RSTP, or for interfaces in the CIST.
spanning tree. As implemented on this switch, BPDU transparency allows a port which is not participating in the spanning tree (such as an uplink port to the service provider’s network) to forward BPDU packets to other ports instead of discarding these packets or attempting to process them. ◆ Path Cost – This parameter is used by the STA to determine the best path between devices.
highest priority, the port with the lowest numeric identifier will be enabled. (Range: 0-240, in steps of 16; Default: 128) ◆ Admin Edge (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
◆ Point-to-Point – The link type attached to an interface can be set to automatically detect the link type, or manually configured as point-to-point or shared medium. Transition to the forwarding state is faster for point-to-point links than for shared media. These options are described below: ■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared medium.
CONFIGURING MSTI INTERFACES Use the MSTI Ports Configuration page to configure STA attributes for interfaces in a specific MSTI, including path cost and port priority. You may use a different priority or path cost for ports of the same media type to indicate the preferred path. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.
CHAPTER 4 | Configuring the Switch Multicast VLAN Registration Figure 52: MSTI Port Configuration MULTICAST VLAN REGISTRATION Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Figure 53: MVR Concept (multicast router, satellite services, multicast server, Layer 2 switch with source port and receiver ports, set-top boxes, PC and TVs) CONFIGURING GENERAL MVR SETTINGS Use the MVR Configuration page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and to configure each interface that participates
PARAMETERS These parameters are displayed: MVR Configuration ◆ MVR Mode – When MVR is enabled on the switch, any multicast data associated with an MVR group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group. (Default: Disabled) VLAN Interface Settings ◆ MVR VID – Identifier of the VLAN that serves as the channel for streaming multicast services using MVR.
■ Source (S) – Configures uplink ports to receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. Also, note that MVR source ports should not overlap ports in the management. ■ Receiver (R) – Configures a port as a receiver port if it is a subscriber port and should only receive multicast data.
source ports, specify whether or not control frames are tagged with the MVR ID, set the priority and last member query interval. 4. Optionally enable immediate leave on any receiver port to which only one subscriber is attached. 5. Click Save.
◆ The IPv4 address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. ◆ All IPv6 addresses must be specified according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
CHAPTER 4 | Configuring the Switch IGMP Snooping IGMP SNOOPING Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
PARAMETERS These parameters are displayed: Global Configuration ◆ Snooping Enabled - When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. (Default: Enabled) This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers/switches and IP multicast host groups to identify the IP multicast group members.
◆ Leave Proxy Enabled - Suppresses leave messages unless received from the last member port in the group. (Default: Disabled) IGMP leave proxy suppresses all unnecessary IGMP leave messages so that a non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. The leave-proxy feature does not function when a switch is set as the querier.
The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the Fast Leave function is enabled. This allows the switch to remove a port from the multicast forwarding table without first having to send an IGMP group-specific (GS) query to that interface.
CONFIGURING VLAN SETTINGS FOR IGMP SNOOPING AND QUERY Use the IGMP Snooping VLAN Configuration page to configure IGMP snooping and query for a VLAN interface. PATH Advanced Configuration, IPMC, IGMP Snooping, VLAN Configuration PARAMETERS These parameters are displayed: ◆ VLAN ID - VLAN Identifier.
An MLD general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an MLD report for the multicast groups they have joined. ◆ QRI - The Query Response Interval is the Max Response Time advertised in periodic General Queries.
CONFIGURING IGMP FILTERING Use the IGMP Snooping Port Group Filtering Configuration page to filter specific multicast traffic. In certain switch applications, the administrator may want to control the multicast services that are available to end users; for example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by denying access to specified multicast services on a switch port.
CHAPTER 4 | Configuring the Switch MLD Snooping MLD SNOOPING Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. This switch supports MLD protocol version 1.
CHAPTER 4 | Configuring the Switch MLD Snooping Once the table used to store multicast entries for MLD snooping is filled, no new entries are learned. If no router port is configured in the attached VLAN, and Unregistered IPMCv6 Flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
CHAPTER 4 | Configuring the Switch MLD Snooping Port Related Configuration ◆ Port – Port identifier. ◆ Router Port - Sets a port to function as a router port, which leads towards a Layer 3 multicast device or MLD querier. (Default: Disabled) If MLD snooping cannot locate the MLD querier, you can manually designate a port which is connected to a known MLD querier (i.e., a multicast router/switch).
Figure 59: Configuring Global and Port-related Settings for MLD Snooping
CONFIGURING VLAN SETTINGS FOR MLD SNOOPING AND QUERY
Use the MLD Snooping VLAN Configuration page to configure MLD snooping and query for a VLAN interface.
PATH Advanced Configuration, IPMC, MLD Snooping, VLAN Configuration
PARAMETERS These parameters are displayed:
◆ VLAN ID - VLAN Identifier.
The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.
◆ Compatibility - Compatibility is maintained by hosts and routers taking appropriate actions depending on the versions of IGMP operating on these devices within a network.
◆ URI - The Unsolicited Report Interval specifies how often the upstream interface should transmit unsolicited MLD reports when report suppression/proxy reporting is enabled. (Range: 0-31744 seconds, Default: 1 second)
WEB INTERFACE To configure VLAN settings for MLD snooping and query:
1. Click Configuration, IPMC, MLD Snooping, VLAN Configuration.
2. Adjust the MLD settings as required.
3. Click Save.
4. Enter the IP address of the multicast service to be filtered.
5. Click Save.
Figure 61: MLD Snooping Port Group Filtering Configuration
LINK LAYER DISCOVERY PROTOCOL
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
(Transmission Interval * Transmission Hold Time) ≤ 65536. Therefore, the default TTL is 30*3 = 90 seconds.
◆ Tx Delay – Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
Optional TLVs - Configures the information included in the TLV field of advertised messages.
◆ Port Descr – The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
◆ Sys Name – The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name.
Figure 62: LLDP Configuration
CONFIGURING LLDP-MED TLVS
Use the LLDP-MED Configuration page to set the device information which is advertised for end-point devices. LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches.
Connectivity Device will only transmit LLDP TLVs in an LLDPDU. Only after an LLDP-MED Endpoint Device is detected, will an LLDP-MED capable Network Connectivity Device start to advertise LLDP-MED TLVs in outgoing LLDPDUs on the associated port.
■ NAD83/MLLW: North American Datum 1983, CRS Code 4269, Prime Meridian Name: Greenwich; The associated vertical datum is Mean Lower Low Water (MLLW). This datum pair is to be used when referencing locations on water/sea/ocean.
◆ Civic Address Location – IETF Geopriv Civic Address based Location Configuration Information (Civic Address LCI).
■ Country code - The two-letter ISO 3166 country code in capital ASCII letters.
based PSAP. This format consists of a numerical digit string, corresponding to the ELIN to be used for emergency calling.
◆ Policies – Network Policy Discovery enables the efficient discovery and diagnosis of mismatched issues with the VLAN configuration, along with the associated Layer 2 and Layer 3 attributes, which apply for a set of specific protocol applications on that port.
deployment and enhanced security by isolation from data applications.
■ Voice Signaling (conditional) - For use in network topologies that require a different policy for the voice signaling than for the voice media. This application type should not be advertised if all the same network policies apply as those advertised in the Voice application policy.
■ L2 Priority – Layer 2 priority used for the specified application type. L2 Priority may specify one of eight priority levels (0 - 7), as defined by IEEE 802.1D-2004. A value of 0 represents use of the default priority as defined in IEEE 802.1D-2004.
■ DSCP – DSCP value used to provide Diffserv node behavior for the specified application type as defined in IETF RFC 2474. DSCP may contain one of 64 code point values (0 - 63).
Figure 63: LLDP-MED Configuration
POWER OVER ETHERNET
Use the Power Over Ethernet Configuration page to set the maximum PoE power provided to a port, the maximum power budget for the switch (power available to all RJ-45 ports), the port PoE operating mode, power allocation priority, and the maximum power allocated to each port.
draw Class 4 current. Afterwards, the switch exchanges information with the PD such as duty-cycle, peak and average power needs.
◆ All the RJ-45 ports support both the IEEE 802.3af and IEEE 802.3at standards. The total PoE power delivered by all ports cannot exceed the maximum power budget of 80W.
◆ The switch’s power management enables individual port power to be controlled within the switch’s power budget.
accordingly. If no LLDP information is available for a port, the port will reserve power using the class mode. In this mode the Maximum Power fields have no effect. For all modes, if a port uses more power than the power reserved for that port, it is shut down.
3. Specify the port PoE operating mode, port power allocation priority, and the port power budget.
4. Click Save.
Figure 64: Configuring PoE Settings
CONFIGURING THE MAC ADDRESS TABLE
Use the MAC Address Table Configuration page to configure dynamic address learning or to assign static addresses to specific ports. Switches store the addresses for all known devices.
MAC Table Learning
◆ Auto - Learning is done automatically as soon as a frame with an unknown source MAC address is received. (This is the default.)
◆ Disable - No addresses are learned and stored in the MAC address table.
◆ Secure - Only static MAC address entries are used, all other frames are dropped. Make sure that the link used for managing the switch is added to the Static MAC Table before changing to secure learning mode.
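The three learning modes, modelled as an added worked example (written for this guide, not SMC firmware code). The `MacTable` class and its method names are assumptions; the one rule it adds beyond the text is the guard in `set_mode`, which refuses Secure mode until the management station's MAC has a static entry, the lock-out the manual warns about. It also assumes that learned entries are flushed when Auto mode is left.

```python
"""Toy model of the MAC-table learning modes (Auto, Disable, Secure)."""
from dataclasses import dataclass, field


@dataclass
class MacTable:
    mode: str = "auto"                              # "auto" | "disable" | "secure"
    static: dict = field(default_factory=dict)      # MAC -> port, configured by the administrator
    dynamic: dict = field(default_factory=dict)     # MAC -> port, learned from received frames

    def add_static(self, mac, port):
        self.static[mac.lower()] = port

    def set_mode(self, mode, mgmt_mac=None):
        """Change the learning mode. Switching to 'secure' is refused unless the MAC of the
        management station (hypothetical argument) already has a static entry: in secure mode
        every frame from an unknown source is dropped, management traffic included."""
        if mode not in ("auto", "disable", "secure"):
            raise ValueError(f"unknown learning mode {mode!r}")
        if mode == "secure" and (mgmt_mac is None or mgmt_mac.lower() not in self.static):
            raise RuntimeError("add the management station's MAC to the static table first")
        self.mode = mode
        if mode != "auto":
            # Modelling assumption: learned entries are discarded once learning stops.
            self.dynamic.clear()

    def ingress(self, src_mac, port):
        """Apply the learning mode to one received frame; return 'forward' or 'drop'."""
        src = src_mac.lower()
        if self.mode == "secure":
            return "forward" if src in self.static else "drop"
        if self.mode == "auto" and src not in self.static:
            self.dynamic[src] = port        # learn the address, or move it to a new port
        return "forward"

    def lookup(self, mac):
        mac = mac.lower()
        return self.static.get(mac, self.dynamic.get(mac))
```

Running `set_mode("secure")` without a static entry for the management MAC raises; with one, frames from any other source are dropped and never learned.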
Figure 65: MAC Address Table Configuration
IEEE 802.1Q VLANS
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
◆ End stations can belong to multiple VLANs
◆ Passing traffic between VLAN-aware and VLAN-unaware devices
◆ Priority tagging
Assigning Ports to VLANs
Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports.
WEB INTERFACE To configure IEEE 802.1Q VLAN groups:
1. Click Configuration, VLANs, VLAN Membership.
2. Change the ports assigned to the default VLAN (VLAN 1) if required.
3. To configure a new VLAN, click Add New VLAN, enter the VLAN ID, and then mark the ports to be assigned to the new group.
4. Click Save.
◆ Port Type – Configures how a port processes the VLAN ID in ingress frames. (Default: Unaware)
■ C-port – For customer ports, each frame is assigned to the VLAN indicated in the VLAN tag, and the tag is removed.
■ S-port – For service ports, the EtherType of all received frames is changed to 0x88a8 to indicate that double-tagged frames are being forwarded across the switch.
are classified to the Port VLAN ID. If the classified VLAN ID of a frame transmitted on the port is different from the Port VLAN ID, a VLAN tag with the classified VLAN ID is inserted in the frame. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.
CONFIGURING PRIVATE VLANS
Use the Private VLAN Membership Configuration page to assign port members to private VLANs. Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on ports assigned to a private VLAN can only be forwarded to, and from, uplink ports (that is, ports configured as members of both a standard IEEE 802.1Q VLAN and the private VLAN).
Figure 68: Private VLAN Membership Configuration
USING PORT ISOLATION
Use the Port Isolation Configuration page to prevent communications between customer ports within the same private VLAN. Ports within a private VLAN (PVLAN) are isolated from other ports which are not in the same PVLAN. Port Isolation can be used to prevent communications between ports within the same PVLAN.
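The two rules stated for private VLANs and port isolation (a port can reach only ports that share a PVLAN with it; isolated ports cannot talk to each other) combine into a single forwarding predicate. The following is an added example, not SMC code; `can_forward`, the port numbers and the sample membership are constructed, and it assumes that isolation blocks a pair only when both ports are isolated, so an uplink that is not isolated still reaches every customer port.

```python
"""Forwarding decision under private VLAN membership plus port isolation."""


def can_forward(pvlans, isolated, src, dst):
    """pvlans: {pvlan_id: set(ports)}; isolated: set of ports with Port Isolation enabled.
    Two ports may exchange traffic only if they share at least one private VLAN (a port that
    belongs to several PVLANs, such as the uplink, bridges them) and not both of them are
    isolated (assumption: isolation applies to isolated-to-isolated pairs only)."""
    if src == dst:
        return False
    shares_pvlan = any(src in members and dst in members for members in pvlans.values())
    if not shares_pvlan:
        return False
    if src in isolated and dst in isolated:
        return False
    return True


def reachability(pvlans, isolated, ports):
    """Map every port to the list of ports it can send to; useful to verify an isolation
    design before trusting it with customer traffic."""
    return {p: [q for q in ports if can_forward(pvlans, isolated, p, q)] for p in ports}


# Constructed sample: customer ports 1-3 share PVLAN 1 with uplink port 4; port 4 also
# belongs to PVLAN 2 together with ports 5 and 6. Ports 1-3 have Port Isolation enabled.
SAMPLE_PVLANS = {1: {1, 2, 3, 4}, 2: {4, 5, 6}}
SAMPLE_ISOLATED = {1, 2, 3}

if __name__ == "__main__":
    for port, peers in reachability(SAMPLE_PVLANS, SAMPLE_ISOLATED, range(1, 7)).items():
        print(f"port {port} can reach {peers}")
```

With the sample membership, each customer port reaches only the uplink, the uplink reaches everything, and ports 5 and 6 never see the customer ports because they share no PVLAN with them.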
CONFIGURING MAC-BASED VLANS
Use the MAC-based VLAN Membership Configuration page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to the source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
Figure 70: Configuring MAC-Based VLANs
PROTOCOL VLANS
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
CONFIGURING PROTOCOL VLAN GROUPS
Use the Protocol to Group Mapping Table to create protocol groups.
PATH Advanced Configuration, VCL, Protocol-based VLANs, Protocol to Group
PARAMETERS These parameters are displayed:
◆ Frame Type – Choose Ethernet, LLC (Logical Link Control), or SNAP (SubNetwork Access Protocol - RFC 1042) as the frame type used by this protocol.
◆ Value – Values which define the specific protocol type.
WEB INTERFACE To configure a protocol group:
1. Click Configuration, VCL, Protocol-based VLANs, Protocol to Group.
2. Click add new entry.
3. Fill in the frame type, value, and group name.
4. Click Save.
Figure 71: Configuring Protocol VLANs
MAPPING PROTOCOL GROUPS TO PORTS
Use the Group Name to VLAN Mapping Table to map a protocol group to a VLAN for each interface that will participate in the group.
◆ Port Members – Ports assigned to this protocol VLAN.
WEB INTERFACE To map a protocol group to a VLAN for a port or trunk:
1. Click Configuration, VCL, Protocol-based VLANs, Group to VLAN.
2. Enter the identifier for a protocol group.
3. Enter the corresponding VLAN to which the protocol traffic will be forwarded.
4. Select the ports which will be assigned to this protocol VLAN.
5. Click Save.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
◆ The IP subnet cannot be a broadcast or multicast IP address.
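The MAC-based and IP subnet-based classification described above, together with the PVID fallback, as one added example (not SMC code). `VlanClassifier` and its methods are constructed names; the manual does not state the precedence between MAC-based and subnet-based mappings, so the order used here (MAC first, then the most specific matching subnet, then PVID) is an assumption, as is the treatment of tagged frames. The broadcast/multicast restriction on subnets is enforced in `add_subnet`.

```python
"""Ingress VLAN classification for untagged frames: MAC-based VLAN, then IP subnet-based
VLAN, then the receiving port's PVID."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VlanClassifier:
    pvid: dict                                       # port -> Port VLAN ID
    mac_vlan: dict = field(default_factory=dict)     # source MAC -> VID
    subnet_vlan: list = field(default_factory=list)  # (ip_network, VID)

    def add_mac(self, mac, vid):
        self.mac_vlan[mac.lower()] = vid

    def add_subnet(self, cidr, vid):
        net = ipaddress.ip_network(cidr, strict=True)
        # The manual rules out broadcast and multicast subnets; reject them here.
        if net.is_multicast or net.network_address == ipaddress.ip_address("255.255.255.255"):
            raise ValueError(f"{cidr} is a broadcast or multicast address")
        self.subnet_vlan.append((net, vid))

    def classify(self, port, src_mac, src_ip=None, tag_vid=None):
        """Return the VID assigned to a frame received on `port`."""
        if tag_vid is not None:
            return tag_vid              # assumption: a tagged frame keeps its own VID
        vid = self.mac_vlan.get(src_mac.lower())
        if vid is not None:
            return vid                  # MAC-based VLAN wins (assumed precedence)
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            hits = [(net.prefixlen, v) for net, v in self.subnet_vlan if addr in net]
            if hits:
                return max(hits)[1]     # assumption: the most specific subnet wins
        return self.pvid[port]          # no mapping found: PVID of the receiving port


# Constructed sample configuration used by the checks below.
SAMPLE = VlanClassifier(pvid={1: 1, 2: 1})
SAMPLE.add_mac("00:11:22:33:44:55", 10)
SAMPLE.add_subnet("10.1.0.0/16", 20)
SAMPLE.add_subnet("10.1.5.0/24", 25)
```

A frame whose source MAC is mapped lands in its MAC VLAN even if its IP also matches a subnet entry; an unmapped host in 10.1.5.0/24 gets VLAN 25 rather than 20; anything else takes the port PVID.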
MANAGING VOIP TRAFFIC
When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter. This is best achieved by assigning all VoIP traffic to a single Voice VLAN. The use of a Voice VLAN has several advantages.
◆ Aging Time – The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port. (Range: 10-10,000,000 seconds; Default: 86400 seconds)
◆ Traffic Class – Defines a service priority for traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active on a port.
This option only works when the detection mode is set to “Auto.” LLDP should also be enabled before setting the discovery protocol to “LLDP” or “Both.” Note that changing the discovery protocol to “OUI” or “LLDP” will restart the auto detection process.
WEB INTERFACE To configure VoIP traffic settings:
1. Click Advanced Configuration, Voice VLAN, Configuration.
2.
PARAMETERS These parameters are displayed:
◆ Telephony OUI – Specifies a globally unique identifier assigned to a vendor by IEEE to identify VoIP equipment. The OUI must be 6 characters long and the input format “xx-xx-xx” (where x is a hexadecimal digit).
◆ Description – User-defined text that identifies the VoIP devices.
WEB INTERFACE To configure MAC OUI numbers for VoIP equipment:
1. Click Advanced Configuration, Voice VLAN, OUI.
2.
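How the OUI table, OUI-based detection and the Aging Time from the previous page fit together, as an added example (not SMC code). `VoiceVlanOui`, its methods and the sample OUI `00-11-22` are constructed; the input-format check follows the “xx-xx-xx” rule quoted above, and the example assumes a port is aged out once no VoIP traffic has been seen on it for longer than the aging time.

```python
"""Telephony OUI table and Voice VLAN port detection with aging."""
import re

# The page's input format: exactly six hex digits written as xx-xx-xx.
OUI_RE = re.compile(r"^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$")


class VoiceVlanOui:
    def __init__(self, aging_time=86400):
        self.ouis = {}            # normalized OUI -> description
        self.aging_time = aging_time
        self.last_seen = {}       # port -> time VoIP traffic was last received on it

    def add_oui(self, oui, description=""):
        if not OUI_RE.match(oui):
            raise ValueError(f"OUI must be given as xx-xx-xx, got {oui!r}")
        self.ouis[oui.lower()] = description

    def is_voice_mac(self, mac):
        """Compare the first three octets of a MAC (':' or '-' separators accepted)."""
        return mac.lower().replace(":", "-")[:8] in self.ouis

    def observe(self, port, src_mac, now):
        """Called per received frame; returns True when the source is a known VoIP device
        and the port is (re)admitted to the Voice VLAN."""
        if not self.is_voice_mac(src_mac):
            return False
        self.last_seen[port] = now
        return True

    def voice_ports(self, now):
        """Ports currently in the Voice VLAN; ports idle for longer than aging_time are
        removed first (assumption: strictly longer)."""
        expired = [p for p, t in self.last_seen.items() if now - t > self.aging_time]
        for port in expired:
            del self.last_seen[port]
        return sorted(self.last_seen)
```

Because membership is decided purely on the source OUI, any station that spoofs a registered OUI is admitted too; that is the reason the manual offers LLDP-based detection as an alternative and why the Traffic Class override matters.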
This section describes how to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch provides four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, the queuing mode, and queue weights.
◆ DSCP Based – Click to Enable DSCP Based QoS Ingress Port Classification (see page 200).
QoS Ingress Port Tag Classification
◆ Tag Classification – Sets classification mode for tagged frames on this port:
■ Disabled – Uses the default QoS class and DP level for tagged frames. (This is the default.)
■ Enabled – Uses the mapped versions of PCP and DEI for tagged frames.
Figure 77: Configuring Ingress Port Tag Classification
CONFIGURING PORT POLICERS
Use the QoS Ingress Port Policers page to limit the bandwidth of frames entering the ingress queue. This function allows the network manager to control the maximum rate for traffic received on a port. Port policing is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
WEB INTERFACE To configure ingress port policing:
1. Click Advanced Configuration, QoS, Port Policing.
2. Enable port policing as required for any port, set the maximum ingress rate and unit of measure, and then enable flow control if required.
3. Click Save.
◆ Queue Shaper – Controls whether queue shaping is enabled for this queue on this port.
■ Enable – Enables or disables queue shaping. (Default: Disabled)
■ Rate – Controls the rate for the queue shaper. The default value is 500. This value is restricted to 100-1000000 kbps, or 1-3300 Mbps.
■ Unit – Controls the unit of measure for the queue shaper rate as “kbps” or “Mbps”.
Figure 79: Displaying Egress Port Schedulers
To configure the scheduler mode, the egress queue mode, queue shaper, and port shaper used by egress ports:
1. Click Advanced Configuration, QoS, Port Scheduler.
2. Click on any of the entries in the Port field.
3. Set the scheduler mode, the queue shaper, queue scheduler (when the scheduler mode is set to Weighted), and the port shaper.
4. Click Save.
CONFIGURING EGRESS PORT SHAPER
Use the QoS Egress Port Shapers page to show an overview of the QoS Egress Port Shapers, including the rate for each queue and port.
PARAMETERS These parameters are displayed:
Displaying Port Remarking Mode
◆ Port – Port identifier.
◆ Mode – Shows the tag remarking mode used by this port:
■ Classified – Uses classified PCP (Priority Code Point or User Priority) and DEI (Drop Eligible Indicator) values.
■ Default – Uses default PCP/DEI values.
■ Mapped – Uses mapped versions of QoS class and drop precedence level.
To configure the tag remarking mode:
1. Click Configuration, QoS, Port Tag Remarking.
2. Click on any of the entries in the Port field.
3. Set the tag remarking mode and any parameters associated with the selected mode.
4. Click Save.
CONFIGURING PORT DSCP TRANSLATION AND REWRITING
Use the QoS Port DSCP Configuration page to configure ingress translation and classification settings and egress re-writing of DSCP values.
PATH Advanced Configuration, QoS, Port DSCP
PARAMETERS These parameters are displayed:
◆ Port – Port identifier.
◆ Ingress Translate – Enables ingress translation of DSCP values based on the specified classification method.
Figure 84: Configuring Port DSCP Translation and Rewriting
CONFIGURING DSCP-BASED QOS INGRESS CLASSIFICATION
Use the DSCP-Based QoS Ingress Classification page to configure DSCP-based QoS ingress classification settings.
PATH Advanced Configuration, QoS, DSCP-Based QoS
PARAMETERS These parameters are displayed:
◆ DSCP – DSCP value in ingress packets. (Range: 0-63)
◆ Trust – Controls whether a specific DSCP value is trusted.
Figure 85: Configuring DSCP-based QoS Ingress Classification ...
CONFIGURING DSCP TRANSLATION
Use the DSCP Translation page to configure DSCP translation for ingress traffic or DSCP re-mapping for egress traffic.
PATH Advanced Configuration, QoS, DSCP Translation
PARAMETERS These parameters are displayed:
◆ DSCP – DSCP value.
WEB INTERFACE To configure DSCP translation or re-mapping:
1. Click Advanced Configuration, QoS, DSCP Translation.
2. Set the required ingress translation and egress re-mapping parameters.
3. Click Save.
Figure 86: Configuring DSCP Translation and Re-mapping ...
CONFIGURING DSCP CLASSIFICATION
Use the DSCP Classification page to map DSCP values to a QoS class and drop precedence level.
WEB INTERFACE To map DSCP values to a QoS class and drop precedence level:
1. Click Advanced Configuration, QoS, DSCP Classification.
2. Map key DSCP values to a corresponding QoS class and drop precedence level.
3. Click Save.
◆ SMAC - The OUI field of the source MAC address, i.e. the first three octets (bytes) of the MAC address.
◆ DMAC - The type of destination MAC address. Possible values are: Any, Broadcast, Multicast, Unicast.
◆ VID – VLAN identifier. (Range: 1-4095)
◆ Action – Indicates the classification action taken on an ingress frame if the configured parameters are matched in the frame's content.
◆ DMAC Type – The type of destination MAC address. (Options: Any, BC (Broadcast), MC (Multicast), UC (Unicast))
◆ Frame Type – The supported types are listed below:
■ Any – Allow all types of frames.
■ Ethernet – This option can only be used to filter Ethernet II formatted packets. (Options: Any, Specific – 600-ffff hex; Default: ffff) Note that 800 (IPv4) and 86DD (IPv6) are excluded.
■ IP Fragment – Indicates whether or not fragmented packets are accepted. (Options: Any, Yes, No; Default: Any) Datagrams may be fragmented to ensure they can pass through a network device which uses a maximum transfer unit smaller than the original packet’s size.
■ DSCP – Diffserv Code Point value.
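The QCE match keys listed over the last three pages (SMAC OUI, DMAC type, VID, Ethernet II EtherType) and the first-match action, as an added example written for this guide rather than taken from the switch software. `Qce`, `classify` and the sample frames are constructed; the value checks (VID 1-4095, EtherType 600-ffff hex with 800 and 86DD excluded) are the ones the manual states, and the broadcast/multicast/unicast distinction uses the I/G bit of the destination address.

```python
"""Minimal QoS Control List matcher: first matching QCE decides the action."""
from dataclasses import dataclass
from typing import Optional


def mac_type(mac):
    """BC for ff:ff:ff:ff:ff:ff, MC when the I/G bit of the first octet is set, else UC."""
    if mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "BC"
    return "MC" if int(mac.split(":")[0], 16) & 1 else "UC"


@dataclass
class Qce:
    smac_oui: Optional[str] = None    # first three octets as "xx-xx-xx"; None = Any
    dmac_type: str = "Any"            # Any | BC | MC | UC
    vid: Optional[int] = None         # None = Any, otherwise 1-4095
    ethertype: Optional[int] = None   # None = Any; Ethernet II type 0x600-0xffff, not 0x800/0x86dd
    action: tuple = (0, 0)            # (QoS class, DP level) assigned on match

    def __post_init__(self):
        if self.vid is not None and not 1 <= self.vid <= 4095:
            raise ValueError("VID out of range 1-4095")
        if self.ethertype is not None and (
            not 0x600 <= self.ethertype <= 0xFFFF or self.ethertype in (0x800, 0x86DD)
        ):
            raise ValueError("EtherType not allowed for an Ethernet-type QCE")

    def matches(self, frame):
        """frame: dict with 'smac', 'dmac' and optional 'vid' / 'ethertype' keys."""
        if self.smac_oui and frame["smac"].lower().replace(":", "-")[:8] != self.smac_oui.lower():
            return False
        if self.dmac_type != "Any" and mac_type(frame["dmac"]) != self.dmac_type:
            return False
        if self.vid is not None and frame.get("vid") != self.vid:
            return False
        if self.ethertype is not None and frame.get("ethertype") != self.ethertype:
            return False
        return True


def classify(qcl, frame, default=(0, 0)):
    """Walk the QCL in order; the first matching entry's action applies."""
    for qce in qcl:
        if qce.matches(frame):
            return qce.action
    return default


# Constructed sample QCL: unicast frames from one vendor OUI get class 5, broadcasts class 1/DP 1.
SAMPLE_QCL = [
    Qce(smac_oui="00-11-22", dmac_type="UC", action=(5, 0)),
    Qce(dmac_type="BC", action=(1, 1)),
]
```

Entries are evaluated top-down, so a broad entry placed above a specific one silently shadows it; check the order before relying on an entry to demote untrusted traffic.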
Figure 88: QoS Control List Configuration
CONFIGURING STORM CONTROL
Use the Storm Control Configuration page to set limits on broadcast, multicast and unknown unicast traffic to control traffic storms which may occur when a network device is malfunctioning, the network is not properly configured, or application programs are not well designed or properly configured.
◆ Enable - Enables or disables storm control. (Default: Disabled)
◆ Rate (pps) - The threshold above which packets are dropped. This limit can be set by specifying a value of 2^n packets per second (pps), or by selecting one of the options in Kpps (i.e., marked with the suffix “K”).
port mirroring is enabled on the Mirroring & RSPAN Configuration page, mirroring will occur regardless of any configuration settings made on the ACL Ports Configuration page (see "Filtering Traffic with Access Control Lists" on page 96) or the ACE Configuration page (see "Configuring Access Control Lists" on page 99).
PARAMETERS These parameters are displayed:
◆ Session Number - A number identifying the mirror session.
Figure 90: Mirror Configuration
CONFIGURING REMOTE PORT MIRRORING
Use the Mirroring & RSPAN Configuration page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports over a user-specified VLAN dedicated to that RSPAN session in all participating switches.
COMMAND USAGE
◆ Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Set up the source switch on the Mirroring & RSPAN configuration page by specifying the switch’s Type (Source), the RSPAN VLAN ID, the Reflector port through which mirrored traffic is passed on to the RSPAN VLAN, the traffic type to monitor (Rx, Tx or Both) on the source port(s), and the intermediate (or uplink) ports.
2.
■ Source - Specifies this device as the source of remotely mirrored traffic. Source port(s), reflector port, and intermediate port(s) are located on this switch.
■ Intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations. Intermediate ports are located on this switch.
WEB INTERFACE To configure remote port mirroring for an RSPAN source switch:
1. Click Basic/Advanced Configuration, Mirroring & RSPAN.
2. Set the Mode to Enabled, and the Type to Source.
3. Set the Remote VLAN ID, the Reflector port connecting to the RSPAN VLAN, the type of traffic to mirror from the Source ports, and the intermediate ports through which all mirrored traffic will be forwarded to other switches.
4. Click Save.
To configure remote port mirroring for an RSPAN intermediate switch:
1. Click Basic/Advanced Configuration, Mirroring & RSPAN.
2. Set the Mode to Enabled, and the Type to Intermediate.
3. Select the intermediate ports through which all mirrored traffic will be forwarded to other switches.
4. Click Save.
To configure remote port mirroring for an RSPAN destination switch:
1. Click Basic/Advanced Configuration, Mirroring & RSPAN.
2. Set the Mode to Enabled, and the Type to Destination.
3. Select the intermediate ports to add to the RSPAN VLAN, which will then pass traffic on to the destination ports.
4.
CONFIGURING UPNP
Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
COMMAND USAGE
The first step in UPnP networking is discovery.
control points how often it or they should receive an SSDP advertisement message from this switch. Due to the unreliable nature of UDP, the switch sends SSDP messages periodically at the interval one-half of the advertising duration minus 30 seconds. (Range: 100-86400 seconds; Default: 100 seconds)
WEB INTERFACE To configure UPnP:
1. Click Configuration, UPnP.
2. Enable or disable UPnP, then set the TTL and advertisement values.
3. Click Save.
◆ Usage accounting
◆ Trending and capacity planning
PATH Advanced Configuration, UPnP
PARAMETERS These parameters are displayed:
Receiver Configuration
◆ Owner – sFlow can be configured in two ways: Through local management using the Web interface or through SNMP. This read-only field shows the owner of the current sFlow configuration and assumes values as follows:
■ If sFlow is currently unconfigured/unclaimed, Owner shows .
Port Configuration
◆ Port – Port identifier.
◆ Flow Sampler – The following parameters apply to flow sampling:
■ Enabled – Enables/disables flow sampling on this port.
■ Sampling Rate – The number of packets out of which one sample will be taken. (Range: 1-4096 packets, or 0 to disable sampling; Default: Disabled)
■ Max. Header – Maximum size of the sFlow datagram header.
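What the Sampling Rate and Max. Header parameters do to the packet stream, as an added example (not sFlow agent code from the switch). `FlowSampler` and its method names are constructed; the rate range 0/1-4096 is the one stated above, random 1-in-N selection is the sFlow behaviour assumed here, and the `seed` argument exists only so the sample run is reproducible.

```python
"""Model of an sFlow flow sampler: 1-in-N packet sampling with header truncation."""
import random


class FlowSampler:
    def __init__(self, sampling_rate, max_header=128, seed=None):
        # Range from the manual: 1-4096 packets, or 0 to disable sampling.
        if not 0 <= sampling_rate <= 4096:
            raise ValueError("sampling rate must be 0 (disabled) or 1-4096")
        self.rate = sampling_rate
        self.max_header = max_header
        self.rng = random.Random(seed)
        self.samples = []     # truncated headers of the packets that were sampled
        self.total = 0        # every packet seen; sent to the collector so it can scale up
        self.sampled = 0

    def observe(self, packet: bytes):
        """Called for each packet. Each one is sampled with probability 1/rate (random
        sampling, as assumed here, rather than strictly every Nth packet). Only the first
        max_header bytes are kept, so payload beyond the headers never leaves the switch."""
        self.total += 1
        if self.rate == 0 or self.rng.randrange(self.rate) != 0:
            return False
        self.sampled += 1
        self.samples.append(packet[: self.max_header])
        return True

    def estimated_packets(self):
        """Collector-side estimate of the traffic the samples represent."""
        return self.sampled * self.rate


if __name__ == "__main__":
    s = FlowSampler(100, max_header=64, seed=1)
    for _ in range(10000):
        s.observe(bytes(200))          # constructed 200-byte packets
    print(s.sampled, "samples,", s.estimated_packets(), "packets estimated of", s.total)
```

With a rate of 100, roughly one packet in a hundred is exported, each cut to 64 bytes; the estimate is statistical, which is why sFlow is suited to trending and capacity planning rather than exact accounting.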
5 MONITORING THE SWITCH
This chapter describes how to monitor all of the basic functions, configure or view system logs, and how to view traffic status or the address table.
DISPLAYING BASIC INFORMATION ABOUT THE SYSTEM
You can use the Monitor/System menu to display a basic description of the switch, log messages, or statistics on traffic used in managing the switch.
CHAPTER 5 | Monitoring the Switch Displaying Basic Information About the System
Software
◆ Software Version – Version number of runtime code.
◆ Software Date – Release date of the switch software.
◆ Code Revision – Version control identifier of the switch software.
WEB INTERFACE To view System Information, click Monitor, System, Information.
Figure 97: System Information
DISPLAYING CPU
Use the CPU Load page to display information on CPU utilization.
WEB INTERFACE To display CPU utilization:
1. Click System, then CPU Load.
Figure 98: CPU Load
DISPLAYING LOG MESSAGES
Use the System Log Information page to scroll through the logged system and event messages.
PATH Monitor, System, Log
PARAMETERS These parameters are displayed:
Display Filter
◆ Level – Specifies the type of log messages to display.
■ Info – Informational messages only.
■ Warning – Warning conditions.
Table Headings
◆ ID – Error ID.
◆ Level – Error level as described above.
◆ Time – The time of the system log entry.
◆ Message – The message text of the system log entry.
WEB INTERFACE To display the system log:
1. Click Monitor, System, Log.
2. Specify the message level to display, the starting message ID, and the number of messages to display per page.
3.
DISPLAYING LOG DETAILS
Use the Detailed Log page to view the full text of specific log messages.
PATH Monitor, System, Detailed Log
WEB INTERFACE To display the text of a specific log message, click Monitor, System, Detailed Log.
1. Enter a log identifier in the ID field, and click Refresh.
WEB INTERFACE To display the current chip temperature, click Monitor, Thermal Protection.
DISPLAYING AN OVERVIEW OF PORT STATISTICS
Use the Port Statistics Overview page to display a summary of basic information on the traffic crossing each port.
PATH Monitor, Ports, Traffic Overview
PARAMETERS These parameters are displayed:
◆ Packets Received/Transmitted – The number of packets received and transmitted.
◆ Bytes Received/Transmitted – The number of bytes received and transmitted.
◆ Q# Receive/Transmit – The number of packets received and transmitted through the indicated queue.
WEB INTERFACE To display the queue counters, click Monitor, Ports, QoS Statistics.
Figure 104: Queueing Counters
DISPLAYING QCL STATUS
Use the QoS Control List Status page to show the QCE entries configured for different users or software modules, and whether or not there is a conflict.
◆ Conflict – Displays QCE status. The resources required to add a QCE may not be available; in that case the conflict status shows Yes, otherwise it always shows No. Note that a conflict can be resolved by releasing the resource required by the QCE and pressing the Refresh button.
WEB INTERFACE To display the status of QCE entries:
1. Click Monitor, Ports, QCL Status.
2.
■ Broadcast – The number of received and transmitted broadcast packets (good and bad).
■ Pause – A count of the MAC Control frames received or transmitted on this port that have an opcode indicating a PAUSE operation.
◆ Receive/Transmit Size Counters – The number of received and transmitted packets (good and bad) split into categories based on their respective frame sizes.
WEB INTERFACE To display the detailed port statistics, click Monitor, Ports, Detailed Statistics.
DISPLAYING INFORMATION ABOUT SECURITY SETTINGS
You can use the Monitor/Security menu to display statistics on management traffic, security controls for client access to the data ports, and the status of remote authentication access servers.
DISPLAYING ACCESS MANAGEMENT
Use the Access Management Statistics page to view statistics on traffic used in managing the switch.
DISPLAYING INFORMATION ABOUT SWITCH SETTINGS FOR PORT SECURITY
Use the Port Security Switch Status page to show information about MAC address learning for each port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed. Port Security is a module with no direct configuration.
■ Limit Reached: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is reached and no more MAC addresses should be taken in.
■ Shutdown: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is exceeded.
◆ VLAN ID – The VLAN ID seen on this port.
◆ State – Indicates whether the corresponding MAC address is blocked or forwarding. In the blocked state, it will not be allowed to transmit or receive traffic.
◆ Time of Addition – Shows the date and time when this MAC address was first seen on the port.
recently received frame from a new client for MAC-based authentication.
◆ Last ID – The user name (supplicant identity) carried in the most recently received Response Identity EAPOL frame for EAPOL-based authentication, and the source MAC address from the most recently received frame from a new client for MAC-based authentication.
◆ QoS Class – The QoS class that NAS has assigned to this port.
PARAMETERS
These parameters are displayed:

Port State
◆ Admin State – The port's current administrative state. Refer to NAS Admin State for a description of possible values (see page 85).
◆ Port State – The current state of the port. Refer to NAS Port State for a description of the individual states (see page 85).
◆ QoS Class – The QoS class assigned by the RADIUS server. The field is blank if no QoS class is assigned.
◆ Request ID – The number of EAPOL Request Identity frames that have been transmitted by the switch.
◆ Requests – The number of valid EAPOL Request frames (other than Request Identity frames) that have been transmitted by the switch.

Receive Backend Server Counters – For MAC-based ports there are two tables containing backend server counters. The left-most shows a summary of all backend server counters on this port.
Last Supplicant Info
◆ MAC Address – The MAC address of the last supplicant/client.
◆ VLAN ID – The VLAN ID on which the last frame from the last supplicant/client was received.
◆ Version –
■ 802.1X-based: The protocol version number carried in the most recently received EAPOL frame.
■ MAC-based: Not applicable.
◆ Identity –
■ 802.
the client will remain in the unauthenticated state for Hold Time seconds (see page 234).
◆ Last Authentication – Shows the date and time of the last authentication of the client (successful as well as unsuccessful).

WEB INTERFACE
To display port statistics for 802.1X or Remote Authentication Service:
1. Click Monitor, Security, Network, NAS, Port.
2. Select a port from the drop-down list.
■ Port: The ACE will match a specific ingress port.
◆ Frame Type – Indicates the frame type to which the ACE applies. Possible values are:
■ Any: The ACE will match any frame type.
■ EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE will not match IP or ARP frames.
■ ARP: The ACE will match ARP/RARP frames.
■ IPv4: The ACE will match all IPv4 frames.
Figure 112: ACL Status

DISPLAYING STATISTICS FOR DHCP SNOOPING
Use the DHCP Snooping Port Statistics page to show statistics for various types of DHCP protocol packets.

PATH
Monitor, Security, Network, DHCP, Snooping Statistics

PARAMETERS
These parameters are displayed:
◆ Rx/Tx Discover – The number of Discover (option 53 with value 1) packets received and transmitted.
WEB INTERFACE
To display DHCP Snooping Port Statistics:
1. Click Monitor, Security, Network, DHCP, Snooping Statistics.
2. Select a port from the drop-down list.

Figure 113: DHCP Snooping Statistics

DISPLAYING DHCP RELAY STATISTICS
Use the DHCP Relay Statistics page to display statistics for the DHCP relay service supported by this switch and for DHCP relay clients.
◆ Receive Missing Circuit ID – The number of packets that were received with the Circuit ID option missing.
◆ Receive Missing Remote ID – The number of packets that were received with the Remote ID option missing.
◆ Receive Bad Circuit ID – The number of packets with a Circuit ID option that did not match a known circuit ID.
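The three counters above are decided by looking inside the Relay Agent Information option (option 82, RFC 3046) of each relayed reply. The following is an added example, not code from this guide or the switch firmware: it parses the DHCP options field, reads the Circuit ID (sub-option 1) and Remote ID (sub-option 2), and sorts the packet into the page's Missing Circuit ID / Missing Remote ID / Bad Circuit ID buckets. The "missing_agent_option" and "malformed" buckets, the helper that builds sample replies, and the circuit/remote ID byte values are all constructed for the example.

```python
from typing import Dict, Iterable, Optional, Set

OPTION_RELAY_AGENT_INFO = 82   # Relay Agent Information (RFC 3046)
SUB_CIRCUIT_ID = 1             # Agent Circuit ID sub-option
SUB_REMOTE_ID = 2              # Agent Remote ID sub-option
OPTION_PAD, OPTION_END = 0, 255


def parse_tlvs(buf: bytes, dhcp_framing: bool) -> Dict[int, bytes]:
    """Decode code/length/value triples into {code: value}.
    With dhcp_framing, honour the DHCP pad (0) and end (255) codes, which
    carry no length byte; the sub-options inside option 82 do not use them."""
    tlvs: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_framing and code == OPTION_PAD:
            i += 1
            continue
        if dhcp_framing and code == OPTION_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:          # declared length runs past the buffer
            raise ValueError("truncated TLV %d at offset %d" % (code, i))
        tlvs[code] = value
        i += 2 + length
    return tlvs


def classify_relay_reply(options: bytes, known_circuit_ids: Set[bytes]) -> str:
    """Return the statistics bucket for one relayed reply's options field.
    known_circuit_ids holds the Circuit ID values this relay itself inserted."""
    try:
        opts = parse_tlvs(options, dhcp_framing=True)
        agent = opts.get(OPTION_RELAY_AGENT_INFO)
        if agent is None:
            return "missing_agent_option"   # constructed bucket: no option 82 at all
        sub = parse_tlvs(agent, dhcp_framing=False)
    except ValueError:
        return "malformed"                  # constructed bucket: bad TLV framing
    circuit = sub.get(SUB_CIRCUIT_ID)
    if circuit is None:
        return "missing_circuit_id"         # page: Receive Missing Circuit ID
    if SUB_REMOTE_ID not in sub:
        return "missing_remote_id"          # page: Receive Missing Remote ID
    if circuit not in known_circuit_ids:
        return "bad_circuit_id"             # page: Receive Bad Circuit ID
    return "ok"


def tally_relay_replies(packets: Iterable[bytes], known: Set[bytes]) -> Dict[str, int]:
    """Count packets per bucket, the way the statistics page accumulates them."""
    counters: Dict[str, int] = {}
    for pkt in packets:
        bucket = classify_relay_reply(pkt, known)
        counters[bucket] = counters.get(bucket, 0) + 1
    return counters


def build_reply_options(circuit_id: Optional[bytes] = None,
                        remote_id: Optional[bytes] = None,
                        with_agent_option: bool = True) -> bytes:
    """Constructed DHCPACK options: message type (53) = 5, optional option 82, end."""
    out = bytes([53, 1, 5])
    if with_agent_option:
        sub = b""
        if circuit_id is not None:
            sub += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        if remote_id is not None:
            sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
        out += bytes([OPTION_RELAY_AGENT_INFO, len(sub)]) + sub
    return out + bytes([OPTION_END])


# Constructed identifiers: the Circuit ID this relay inserted for one port,
# and a MAC-style Remote ID.
KNOWN_CIRCUITS = {b"\x00\x04\x00\x0a\x00\x05"}
REMOTE_ID = b"\x00\x11\x22\x33\x44\x55"

if __name__ == "__main__":
    samples = [
        build_reply_options(b"\x00\x04\x00\x0a\x00\x05", REMOTE_ID),   # ok
        build_reply_options(with_agent_option=False),                  # no option 82
        build_reply_options(None, REMOTE_ID),                          # no Circuit ID
        build_reply_options(b"\x00\x04\x00\x0a\x00\x05", None),        # no Remote ID
        build_reply_options(b"\x00\x04\x00\x0b\x00\x05", REMOTE_ID),   # unknown circuit
        bytes([OPTION_RELAY_AGENT_INFO, 9, 1, 2]),                     # length overruns
    ]
    print(tally_relay_replies(samples, KNOWN_CIRCUITS))
```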
DISPLAYING MAC ADDRESS BINDINGS FOR ARP PACKETS
Open the Dynamic ARP Inspection Table to display address entries sorted first by port, then VLAN ID, MAC address, and finally IP address. Each page shows up to 999 entries from the Dynamic ARP Inspection table, the default being 20, selected through the “entries per page” input field.
DISPLAYING INFORMATION ON AUTHENTICATION SERVERS
Use the Monitor/Authentication pages to display information on RADIUS authentication and accounting servers, including the IP address and statistics for each server.

DISPLAYING A LIST OF AUTHENTICATION SERVERS
Use the RADIUS Overview page to display a list of configured authentication and accounting servers.
DISPLAYING STATISTICS FOR CONFIGURED AUTHENTICATION SERVERS
Use the RADIUS Details page to display statistics for configured authentication and accounting servers. The statistics map closely to those specified in RFC 4668 (RADIUS Authentication Client MIB).
Accept, Access-Reject, Access-Challenge, timeout, or retransmission.
■ Timeouts – The number of authentication timeouts to the server. After a timeout, the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout.
■ Unknown Types – The number of RADIUS packets of unknown types that were received from the server on the accounting port.
■ Packets Dropped – The number of RADIUS packets that were received from the server on the accounting port and dropped for some other reason.
◆ Transmit Packets
■ Requests – The number of RADIUS packets sent to the server. This does not include retransmissions.
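The counting rules spread over the Timeouts, Requests and Pending Requests descriptions above are easiest to see when applied to a concrete sequence of client events. The following is an added example, not code from this guide or the switch firmware: it replays a constructed event log and tallies per-server counters using the page's rules (Requests exclude retransmissions; a retry to the same server after a timeout is a Retransmission plus a Timeout; a send to a different server is a Request on that server plus a Timeout on the one that failed). Pending Requests is simplified here to rise on every send and fall on every reply or timeout, and the event vocabulary (request, retransmit, timeout, accept, ...) is constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Counter names as shown on the RADIUS Details page.
COUNTER_NAMES = (
    "Requests", "Retransmissions", "Pending Requests", "Timeouts",
    "Access-Accept", "Access-Reject", "Access-Challenge",
    "Unknown Types", "Packets Dropped",
)

# Reply events: each one ends a pending request and bumps one receive counter.
REPLY_EVENTS = {
    "accept": "Access-Accept",
    "reject": "Access-Reject",
    "challenge": "Access-Challenge",
    "unknown": "Unknown Types",
    "dropped": "Packets Dropped",
}


def new_counters() -> Dict[str, int]:
    return {name: 0 for name in COUNTER_NAMES}


def tally(events: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Apply the page's counting rules to (kind, server) events in time order.
    kind is one of: request, retransmit, timeout, accept, reject, challenge,
    unknown, dropped. A failover after a timeout is simply a 'request' event
    against the other server, which is exactly what the page says it counts as."""
    stats: Dict[str, Dict[str, int]] = defaultdict(new_counters)
    for kind, server in events:
        c = stats[server]
        if kind == "request":            # fresh Access-Request (first try or failover)
            c["Requests"] += 1
            c["Pending Requests"] += 1
        elif kind == "retransmit":       # same request, same server, after a timeout
            c["Retransmissions"] += 1
            c["Pending Requests"] += 1
        elif kind == "timeout":
            c["Timeouts"] += 1
            c["Pending Requests"] -= 1
        elif kind in REPLY_EVENTS:
            c[REPLY_EVENTS[kind]] += 1
            c["Pending Requests"] -= 1
        else:
            raise ValueError("unknown event kind: %r" % kind)
        if c["Pending Requests"] < 0:
            raise ValueError("reply or timeout with nothing pending on %s" % server)
    return dict(stats)


def timeout_ratio(counters: Dict[str, int]) -> float:
    """Share of sends (Requests + Retransmissions) that ended in a timeout.
    A ratio close to 1.0 means the server is effectively unreachable."""
    sends = counters["Requests"] + counters["Retransmissions"]
    return counters["Timeouts"] / sends if sends else 0.0


# Constructed session log: server 10.0.0.1 answers once, then times out twice
# (one retry, then failover to 10.0.0.2), and later returns an unknown packet type.
SAMPLE_EVENTS = [
    ("request", "10.0.0.1"), ("accept", "10.0.0.1"),
    ("request", "10.0.0.1"), ("timeout", "10.0.0.1"),
    ("retransmit", "10.0.0.1"), ("timeout", "10.0.0.1"),
    ("request", "10.0.0.2"), ("challenge", "10.0.0.2"),
    ("request", "10.0.0.2"), ("accept", "10.0.0.2"),
    ("request", "10.0.0.1"), ("unknown", "10.0.0.1"),
]

if __name__ == "__main__":
    for server, c in sorted(tally(SAMPLE_EVENTS).items()):
        print(server, c, "timeout ratio %.2f" % timeout_ratio(c))
```

With this log the first server shows Requests 3, Retransmissions 1 and Timeouts 2, so Timeouts can legitimately approach or exceed Requests on a server that is flapping; the ratio, not the raw count, is what to alert on.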
WEB INTERFACE
To display statistics for configured authentication and accounting servers, click Monitor, Security, AAA, RADIUS Details.

Figure 118: RADIUS Details

DISPLAYING INFORMATION ON RMON
Use the monitor pages for RMON to display information on RMON statistics, alarms and event responses.
PARAMETERS
These parameters are displayed:
◆ ID – Index of the Statistics entry.
◆ Data Source (ifIndex) – Port ID to monitor.
◆ Drop – The total number of events in which packets were dropped by the probe due to lack of resources.
◆ Octets – The total number of octets of data (including those in bad packets) received on the network.
WEB INTERFACE
To display RMON statistics, click Monitor, Security, Switch, RMON, Statistics.

Figure 119: RMON Statistics

DISPLAYING RMON HISTORICAL SAMPLES
Use the RMON History Overview page to view statistics on a physical interface, including network utilization, packet types, and errors.

PATH
Monitor, Security, Switch, RMON, History

PARAMETERS
These parameters are displayed:
◆ History Index – Index of the History control entry.
WEB INTERFACE
To display RMON historical samples, click Monitor, Security, Switch, RMON, History.

Figure 120: RMON History Overview

DISPLAYING RMON ALARM SETTINGS
Use the RMON Alarm Overview page to display configured alarm settings.

PATH
Monitor, Security, Switch, RMON, Alarm

PARAMETERS
These parameters are displayed:
◆ ID – Index of the Alarm control entry.
◆ Falling Threshold – If the current value is less than the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
◆ Falling Index – The index of the event to use if an alarm is triggered by monitored variables crossing below the falling threshold.

WEB INTERFACE
To display RMON alarm settings, click Monitor, Security, Switch, RMON, Alarm.
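An RMON alarm entry only fires when a sample crosses a threshold, not while it stays beyond it, which is why the Falling Threshold description compares the current value with the previous sample. The following is an added example, not code from this guide or the switch firmware: it models one alarm control entry with the fields the Alarm Overview page lists and returns the event index (Rising Index or Falling Index) to fire for each new sample. The falling rule follows the page text; the rising rule and the hysteresis between rising and falling events follow RFC 2819; "delta" sampling is assumed to mean the difference between two successive raw counter readings, and the field and variable names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RmonAlarm:
    alarm_id: int
    variable: str                  # monitored counter, e.g. an etherStats OID (constructed)
    rising_threshold: int
    falling_threshold: int
    rising_index: int              # event index used on a rising crossing
    falling_index: int             # event index used on a falling crossing
    sample_type: str = "delta"     # "delta" or "absolute"
    last_raw: Optional[int] = None
    last_sample: Optional[int] = None
    last_event: Optional[str] = None   # "rising" or "falling", for hysteresis

    def sample(self, raw: int) -> Optional[int]:
        """Feed one raw reading of the monitored variable.
        Returns the event index to trigger, or None when no alarm is raised."""
        if self.sample_type == "delta":
            if self.last_raw is None:      # first reading: nothing to diff against
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        fired = None
        prev = self.last_sample
        if prev is not None:
            # Rising: current sample at or above the rising threshold and the
            # previous sample below it (RFC 2819).
            crossed_up = value >= self.rising_threshold and prev < self.rising_threshold
            # Falling: current sample below the falling threshold and the last
            # sample above it (wording of the Falling Threshold parameter).
            crossed_down = value < self.falling_threshold and prev > self.falling_threshold
            # Hysteresis: after a rising event no second rising event fires until
            # a falling event has fired, and vice versa.
            if crossed_up and self.last_event != "rising":
                fired, self.last_event = self.rising_index, "rising"
            elif crossed_down and self.last_event != "falling":
                fired, self.last_event = self.falling_index, "falling"
        self.last_sample = value
        return fired


def replay(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Feed a list of raw readings and collect the event index fired per reading."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed alarm: event 1 when a port's octet count grows by 100 or more
    # per sampling interval, event 2 when the growth drops below 20.
    alarm = RmonAlarm(1, "etherStatsOctets.1", 100, 20, 1, 2)
    print(replay(alarm, [0, 10, 150, 300, 310, 315, 500]))
    # → [None, None, 1, None, 2, None, 1]
```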
DISPLAYING INFORMATION ON LACP
Use the monitor pages for LACP to display information on LACP configuration settings, the functional status of participating ports, and statistics on LACP control packets.

DISPLAYING AN OVERVIEW OF LACP GROUPS
Use the LACP System Status page to display an overview of LACP groups.
◆ LACP – Shows LACP status:
■ Yes – LACP is enabled and the port link is up.
■ No – LACP is not enabled or the port link is down.
■ Backup – The port could not join the aggregation group but will join if another port leaves. Meanwhile, its LACP status is disabled.
◆ Key – Current operational value of the key for the aggregation port. Note that only ports with the same key can aggregate together.
WEB INTERFACE
To display LACP statistics for local ports on this switch, click Monitor, LACP, Port Statistics.

Figure 125: LACP Port Statistics

DISPLAYING INFORMATION ON LOOP PROTECTION
Use the Loop Protection Status page to display information on loopback conditions.

PATH
Monitor, Loop Protection

PARAMETERS
These parameters are displayed:
◆ Port – Port identifier.
◆ Action – Configured port action, i.e.
DISPLAYING INFORMATION ON THE SPANNING TREE
Use the monitor pages for Spanning Tree to display information on spanning tree bridge status, the functional status of participating ports, and statistics on spanning tree protocol packets.

DISPLAYING BRIDGE STATUS FOR STA
Use the Bridge Status page to display STA information on the global bridge (i.e., this switch) and individual ports.
◆ Internal Root Cost – The Regional Root Path Cost. For the Regional Root Bridge this is zero. For all other CIST instances in the same MSTP region, it is the sum of the Internal Port Path Costs on the least cost path to the Internal Root Bridge. (This parameter only applies to the CIST instance.)
◆ Topology Change Count – The number of times the Spanning Tree has been reconfigured (during a one-second interval).
WEB INTERFACE
To display an overview of all STP bridge instances, click Monitor, Spanning Tree, Bridge Status.

Figure 127: Spanning Tree Bridge Status

To display detailed information on a single STP bridge instance, along with the port state for all associated active ports:
1. Click Monitor, Spanning Tree, Bridge Status.
2. Click on an entry in the STP Bridges page.
◆ CIST Role – Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port), or is an alternate or backup port that may provide connectivity if other bridges, bridge ports, or LANs fail or are removed.
◆ TCN – The number of (legacy) Topology Change Notification BPDUs received/transmitted on a port.
◆ Discarded Unknown – The number of unknown Spanning Tree BPDUs received (and discarded) on a port.
◆ Discarded Illegal – The number of illegal Spanning Tree BPDUs received (and discarded) on a port.

WEB INTERFACE
To display spanning tree port statistics, click Monitor, Spanning Tree, Port Statistics.
◆ IGMPv3/MLDv2 Reports Received – Number of received IGMPv1 Joins and MLDv2 Reports, respectively.
◆ IGMPv2/MLDv1 Leaves Received – Number of received IGMPv2 Leaves and MLDv1 Dones, respectively.

WEB INTERFACE
To display MVR statistics, click Monitor, MVR, Statistics.
WEB INTERFACE
To display MVR statistics and multicast groups, click Monitor, MVR, Group Information.

Figure 132: MVR Group Information

DISPLAYING MVR SFM INFORMATION
Use the MVR SFM Information page to display MVR Source-Filtered Multicast information, including group, filtering mode (include or exclude), source address, and type (allow or deny).
SHOWING IGMP SNOOPING INFORMATION
Use the IGMP Snooping pages to display IGMP snooping statistics, port members of each service group, and information on source-specific groups.

SHOWING IGMP SNOOPING STATUS
Use the IGMP Snooping Status page to display IGMP querier status, snooping statistics for each VLAN carrying IGMP traffic, and the ports connected to an upstream multicast router/switch.
WEB INTERFACE
To display IGMP snooping status information, click Monitor, IGMP Snooping, Status.

Figure 134: IGMP Snooping Status

SHOWING IGMP SNOOPING GROUP INFORMATION
Use the IGMP Snooping Group Information page to display the port members of each service group.

PATH
Monitor, IPMC, IGMP Snooping, Group Information

PARAMETERS
These parameters are displayed:
◆ VLAN ID – VLAN Identifier.
SHOWING IPV4 SFM INFORMATION
Use the IGMP SFM Information page to display IGMP Source-Filtered Multicast information, including group, filtering mode (include or exclude), source address, and type (allow or deny).

PATH
Monitor, IPMC, IGMP Snooping, IPv4 SFM Information

PARAMETERS
These parameters are displayed:
◆ VLAN ID – VLAN identifier.
◆ Group – The IP address of a multicast group detected on this interface.
SHOWING MLD SNOOPING INFORMATION
Use the MLD Snooping pages to display MLD snooping statistics, port members of each service group, and information on source-specific groups.

SHOWING MLD SNOOPING STATUS
Use the MLD Snooping Status page to display MLD querier status, snooping statistics for each VLAN carrying multicast traffic, and the ports connected to an upstream multicast router/switch.
WEB INTERFACE
To display MLD snooping status information, click Monitor, MLD Snooping, Status.

Figure 137: MLD Snooping Status

SHOWING MLD SNOOPING GROUP INFORMATION
Use the MLD Snooping Group Information page to display the port members of each service group.

PATH
Monitor, IPMC, MLD Snooping, Group Information

PARAMETERS
These parameters are displayed:
◆ VLAN ID – VLAN Identifier.
SHOWING IPV6 SFM INFORMATION
Use the MLD SFM Information page to display MLD Source-Filtered Multicast information, including group, filtering mode (include or exclude), source address, and type (allow or deny).

PATH
Monitor, IPMC, MLD Snooping, IPv6 SFM Information

PARAMETERS
These parameters are displayed:
◆ VLAN ID – VLAN Identifier.
◆ Group – The IP address of a multicast group detected on this interface.
DISPLAYING LLDP INFORMATION
Use the monitor pages for LLDP to display information advertised by LLDP neighbors and statistics on LLDP control frames.

DISPLAYING LLDP NEIGHBOR INFORMATION
Use the LLDP Neighbor Information page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP.
◆ Management Address – The IPv4 address of the remote device. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. If the neighbor device allows management access, clicking on an entry in this field will redirect the web browser to the neighbor’s management interface.

WEB INTERFACE
To display information about LLDP neighbors, click Monitor, LLDP, Neighbors.
example will any LLDP-MED Endpoint Device claiming compliance as a Media Endpoint (Class II) also support all aspects of TIA-1057 applicable to Generic Endpoints (Class I), and any LLDP-MED Endpoint Device claiming compliance as a Communication Device (Class III) will also support all aspects of TIA-1057 applicable to both Media Endpoints (Class II) and Generic Endpoints (Class I).
◆ Application Type – The primary function of the application(s) defined for this network policy, and advertised by an Endpoint or Network Connectivity Device. The possible application types are described under "Configuring LLDP-MED TLVs" on page 162.
◆ Policy – This field displays one of the following values:
■ Unknown: The network policy for the specified application type is currently unknown.
■ Defined: The network policy is defined.
WEB INTERFACE
To display information about LLDP-MED neighbors, click Monitor, LLDP, LLDP-MED Neighbors.

Figure 141: LLDP-MED Neighbor Information

DISPLAYING LLDP NEIGHBOR POE INFORMATION
Use the LLDP Neighbor Power Over Ethernet Information page to display the status of all LLDP PoE neighbors, including power device type (PSE or PD), source of power, power priority, and maximum required power.
capable of sourcing over a maximum length cable based on its current configuration.

WEB INTERFACE
To display LLDP neighbor PoE information, click Monitor, LLDP, PoE.

Figure 142: LLDP Neighbor PoE Information

DISPLAYING LLDP NEIGHBOR EEE INFORMATION
Use the LLDP Neighbors EEE Information page to display Energy Efficient Ethernet information advertised through LLDP messages.
◆ Resolved Tx Tw – The resolved Tx Tw for this link (not the link partner). The resolved value is the actual “tx wakeup time” used for this link (based on EEE information exchanged via LLDP).
◆ Resolved Rx Tw – The resolved Rx Tw for this link (not the link partner). The resolved value is the actual “rx wakeup time” used for this link (based on EEE information exchanged via LLDP).
LLDP Statistics
◆ Local Port – Port identifier.
◆ Tx Frames – Number of LLDP PDUs transmitted.
◆ Rx Frames – Number of LLDP PDUs received.
◆ Rx Errors – The number of received LLDP frames containing some kind of error.
◆ Frames Discarded – Number of frames discarded because they did not conform to the general validation rules, or to any specific usage rules defined for the particular Type Length Value (TLV).
DISPLAYING POE STATUS
Use the Power Over Ethernet Status page to display the status for all PoE ports, including the PD class, requested power, allocated power, power and current used, and PoE priority.

PATH
Monitor, PoE

PARAMETERS
These parameters are displayed:
◆ Local Port – The port on this switch which received the LLDP frame.
◆ PD class – Each PD is classified according to the maximum power it will use.
DISPLAYING THE MAC ADDRESS TABLE
Use the MAC Address Table to display dynamic and static address entries associated with the CPU and each port.

PATH
Monitor, MAC Address Table

PARAMETERS
These parameters are displayed:
◆ Start from VLAN # and MAC address # with # entries per page – These input fields allow you to select the starting point in the table.
◆ Type – Indicates whether the entry is static or dynamic.
DISPLAYING INFORMATION ABOUT VLANS
Use the monitor pages for VLANs to display information about the port members of VLANs, and the VLAN attributes assigned to each port.

VLAN MEMBERSHIP
Use the VLAN Membership Status page to display the current port members for all VLANs configured by a selected software module.
Figure 147: Showing VLAN Members

VLAN PORT STATUS
Use the VLAN Port Status page to show the VLAN attributes of port members for all VLANs configured by a selected software module, including PVID, VLAN aware, ingress filtering, frame type, egress filtering, and UVID. Refer to the preceding section for a description of the software modules that use VLAN management services.
◆ UVID – Shows the untagged VLAN ID. A port's UVID determines the packet's behavior at the egress side. If the VID of an Ethernet frame leaving a port matches the UVID, the frame is sent untagged.
◆ Conflicts – Shows whether conflicts exist or not. When a software module requests to set VLAN membership or VLAN port configuration, the following conflicts can occur:
■ Functional conflicts between features.
◆ VLAN ID – VLAN to which ingress traffic matching the specified source MAC address is forwarded.
◆ Port Members – The ports assigned to this VLAN.

WEB INTERFACE
To display MAC-based VLAN membership settings:
1. Click Monitor, VCL, MAC-based VLAN.
2. Select a software module from the drop-down list on the right side of the page.
◆ Tx Errors – The number of UDP datagrams that have failed transmission. The most common source of errors is an invalid sFlow receiver IP address/host name configuration. To diagnose, paste the receiver’s IP address/host name into the Ping web page (Diagnostics > Ping/Ping6).
◆ Flow Samples – The total number of flow samples sent to the sFlow receiver.
◆ Counter Samples – The total number of counter samples sent to the sFlow receiver.
6 PERFORMING BASIC DIAGNOSTICS
This chapter describes how to test network connectivity using Ping for IPv4 or IPv6.

PINGING AN IPV4 OR IPV6 ADDRESS
The Ping page is used to send ICMP echo request packets to another node on the network to determine if it can be reached.

PATH
◆ Diagnostics, Ping
◆ Diagnostics, Ping6

PARAMETERS
These parameters are displayed on the Ping page:
◆ IP Address – IPv4 or IPv6 address of the host. An IPv4 address consists of 4 numbers, 0 to 255, separated by periods.
After you press Start, the sequence number and round-trip time are displayed upon reception of a reply. The page refreshes automatically until responses to all packets are received, or until a timeout occurs.
7 PERFORMING SYSTEM MAINTENANCE
This chapter describes how to perform basic maintenance tasks, including upgrading software, restoring or saving configuration settings, and resetting the switch.

RESTARTING THE SWITCH
Use the Restart Device page to restart the switch.

PATH
Maintenance, Restart Device

WEB INTERFACE
To restart the switch:
1. Click Maintenance, Restart Device.
2. Click Yes.
The reset will be complete when the user interface displays the login page.
RESTORING FACTORY DEFAULTS
Use the Factory Defaults page to restore the original factory settings. Note that the LAN IP Address, Subnet Mask, and Gateway IP Address settings are retained.

NOTE: You can also restore factory defaults by either pressing the switch Reset button for more than six seconds, or, for the 50-port switches, connecting Port 1 to Port 2 and then performing a power reset.
3. Click the Upload button to upgrade the switch’s firmware.
After the software image is uploaded, a page announces that the firmware update has been initiated. After about a minute, the firmware is updated and the switch is rebooted.

CAUTION: While the firmware is being updated, web access is unavailable. The front LED flashes Green/Off at a frequency of 10 Hz while the firmware update is in progress.
Figure 155: Software Image Selection

MANAGING CONFIGURATION FILES
Use the Maintenance Configuration pages to save the current configuration to a file on your computer, or to restore previously saved configuration settings to the switch.

SAVING CONFIGURATION
Use the Configuration Save page to save the current configuration settings to a file on your local management station.
RESTORING CONFIGURATION SETTINGS
Use the Configuration Upload page to restore previously saved configuration settings to the switch from a file on your local management station.

PATH
Maintenance, Configuration, Upload

WEB INTERFACE
To restore your current configuration settings:
1. Click Maintenance, Configuration, Upload.
2. Click the Browse button, and select the configuration file.
3.
SECTION III APPENDICES
This section provides additional information and includes these items:
◆ "Software Specifications" on page 297
◆ "Troubleshooting" on page 301
◆ "License Information" on page 303
A SOFTWARE SPECIFICATIONS

SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION: Local, RADIUS, TACACS+, AAA, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
CLIENT ACCESS: Access Control Lists (128 rules per system), Port Authentication (802.
VLAN SUPPORT: Up to 128 groups; port-based, protocol-based, tagged (802.
RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)

STANDARDS
ANSI/TIA-1057 LLDP for Media Endpoint Discovery (LLDP-MED)
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1ad Provider Bridge
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
 Spanning Tree Protocol
 Rapid Spanning Tree Protocol
 Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q-2005 VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.
MANAGEMENT INFORMATION BASES
Bridge MIB (RFC 4188)
DHCP Option for Civic Addresses Configuration Information (RFC 4776)
Differentiated Services MIB (RFC 3289)
DNS Resolver MIB (RFC 1612)
Entity MIB version 3 (RFC 4133)
Ether-like MIB (RFC 3635)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB using SMI v2 (RFC 2863)
Interfaces Evolution MIB (RFC 2863)
B TROUBLESHOOTING

PROBLEMS ACCESSING THE MANAGEMENT INTERFACE

Table 14: Troubleshooting Chart
Symptom: Cannot connect using a web browser, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
◆ Be sure you have configured the VLAN interface through which the management station is connected with a valid IP address, subnet mask and default gateway.
USING SYSTEM LOGS
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C LICENSE INFORMATION
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
THE GNU GENERAL PUBLIC LICENSE

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DIFFSERV
Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging. Defines Ethernet frame tags which carry VLAN information.
IGMP QUERY On each subnetwork, one IGMP-capable device acts as the querier, that is, the device that asks all hosts to report which IP multicast groups they wish to join or already belong to. The elected querier is the device with the lowest IP address in the subnetwork. IGMP PROXY Proxies multicast group membership information onto the upstream interface based on IGMP messages monitored on downstream interfaces, and forwards multicast traffic based on that information.
MD5 MD5 (Message-Digest algorithm 5) is a one-way hash function: it takes a message of any length and converts it into a fixed 128-bit string of digits, called a message digest, from which the message cannot be recovered. Hash functions of this kind are used to build message authentication codes and digital signatures (for example, HMAC-MD5 authentication in SNMPv3). MD5 was designed as a stronger replacement for MD4, which had been broken, but practical collision attacks have since been published against MD5 itself, so it should not be relied on where collision resistance matters (signatures, certificate integrity); prefer a SHA-based algorithm wherever the switch offers one. MIB Management Information Base. A structured collection of managed objects that describes the status and configuration of a specific device, accessed through SNMP.
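How a one-way hash such as MD5 (or SHA-1) is actually used for management authentication, as an added example that is not code from the SMC guide: the RFC 3414 (SNMPv3 USM) password-to-key and key-localization procedure, followed by the 96-bit HMAC tag that protects each message. It assumes that the switch's SNMPv3 user authentication follows RFC 3414; the password "maplesyrup" and the engine ID are the RFC's own Appendix A.3 test vectors, not values from this guide.

```python
"""RFC 3414 password-to-key and key localization with MD5 and SHA-1.

Added example, not code from the SMC guide. It assumes the switch's SNMPv3
user authentication follows RFC 3414 (USM); the password and engine ID are
the RFC's own test vectors (Appendix A.3), not values from this guide.
"""
import hashlib
import hmac
from typing import Dict

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Derive the localized authentication key Kul for one SNMP engine.

    Step 1 (RFC 3414 A.2): hash the password repeated cyclically out to
    exactly 1,048,576 bytes, giving the engine-independent key Ku. The
    repetition is deliberate stretching against offline password guessing.
    Step 2: Kul = H(Ku || engineID || Ku), so a key recovered from one
    engine cannot be replayed against a different engine.
    """
    repeats = ONE_MEGABYTE // len(password) + 1
    stream = (password * repeats)[:ONE_MEGABYTE]
    ku = hashlib.new(hash_name, stream).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated
    to 96 bits (RFC 3414 section 6, HMAC-MD5-96; section 7, HMAC-SHA-96)."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def tag_is_valid(kul: bytes, message: bytes, tag: bytes, hash_name: str) -> bool:
    """Receiver-side check, using a constant-time comparison."""
    return hmac.compare_digest(auth_tag(kul, message, hash_name), tag)


# RFC 3414 Appendix A.3 test inputs.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def localized_keys() -> Dict[str, str]:
    """Kul for both USM authentication protocols, as hex."""
    return {
        "md5": password_to_key(PASSWORD, ENGINE_ID, "md5").hex(),
        "sha1": password_to_key(PASSWORD, ENGINE_ID, "sha1").hex(),
    }


if __name__ == "__main__":
    for name, key in localized_keys().items():
        print(f"{name:4} Kul = {key}")
    # Constructed message: altering a single byte changes the tag, which is
    # what lets the receiving engine reject a tampered or forged PDU.
    kul = password_to_key(PASSWORD, ENGINE_ID, "sha1")
    tag = auth_tag(kul, b"constructed snmp pdu", "sha1")
    print(tag.hex(), tag_is_valid(kul, b"constructed snmp pdX", tag, "sha1"))
```

The two digests differ in length (16 bytes for MD5, 20 for SHA-1), but both are cut to 12 bytes on the wire; the practical reason to choose SHA over MD5 in an SNMPv3 user definition is MD5's broken collision resistance, not the tag size.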
PORT TRUNK Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links. PRIVATE VLANS Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. QINQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks; it adds a second (service-provider) 802.1Q tag in front of the customer's own VLAN tag so that customer VLANs stay separate inside the provider network.
SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a password or a cryptographic key, and encrypts the data connection between management clients and the switch, so credentials and configuration are not sent in the clear as they are with Telnet. STA Spanning Tree Algorithm (IEEE 802.1D) prevents forwarding loops in networks that have redundant links, which are common in complex or backup-linked topologies. The switches elect a root bridge, each switch keeps only its lowest-cost path toward the root active, and redundant ports are placed in a blocking state; if an active link fails, a blocked port is brought back into service so connectivity is restored over the remaining path.
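The STA role selection summarised above, worked through on a small topology, as an added example that is not code from the SMC guide: three switches wired in a ring elect a root by lowest bridge ID, compute their root path cost, pick a root port and a designated port per link, and block whatever is left so the loop disappears. Switch names, MACs and the link cost of 4 (the IEEE 802.1D-1998 value for 1 Gbps) are constructed assumptions; the simplified tie-break on bridge ID omits the port-ID tie-break of the real protocol.

```python
"""Spanning Tree Algorithm port roles on a constructed three-switch ring.

Added example, not code from the SMC guide. Switch names, MACs and the link
cost (4, the IEEE 802.1D-1998 value for 1 Gbps) are assumptions. Role
selection follows 802.1D: lowest bridge ID is root, every other bridge keeps
the cheapest port toward the root, one designated bridge per link, and each
remaining port is blocked so no loop remains.
"""
import heapq
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]            # (priority, MAC); numerically lower wins
Link = Tuple[str, str, int]           # (bridge, bridge, path cost)

# Constructed topology: all three switches keep the default priority, so the
# lowest MAC (switch A) becomes root.
BRIDGES: Dict[str, BridgeId] = {
    "A": (32768, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (32768, "00:00:00:00:00:03"),
}
# Redundant ring A-B-C-A: without STA a broadcast would circulate forever.
LINKS: List[Link] = [("A", "B", 4), ("A", "C", 4), ("B", "C", 4)]


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Root bridge is the one with the numerically lowest bridge ID."""
    return min(bridges, key=bridges.__getitem__)


def root_path_costs(bridges: Dict[str, BridgeId], links: List[Link], root: str) -> Dict[str, int]:
    """Dijkstra from the root: lowest cumulative link cost to every bridge."""
    adj: Dict[str, List[Tuple[str, int]]] = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, c in adj[u]:
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def port_roles(bridges: Dict[str, BridgeId], links: List[Link]):
    """Return (root, root path costs, {(bridge, neighbor): role})."""
    root = elect_root(bridges)
    rpc = root_path_costs(bridges, links, root)
    roles: Dict[Tuple[str, str], str] = {}
    # Root port: on each non-root bridge, the port whose neighbor offers the
    # cheapest path to the root; ties go to the lower neighbor bridge ID.
    for b in bridges:
        if b == root:
            continue
        candidates = []
        for x, y, cost in links:
            if b in (x, y):
                nb = y if x == b else x
                candidates.append((rpc[nb] + cost, bridges[nb], nb))
        roles[(b, min(candidates)[2])] = "root"
    # Designated port: on each link, the endpoint with the lower root path
    # cost (tie: lower bridge ID) forwards toward that segment.
    for a, b, _cost in links:
        d = min((a, b), key=lambda x: (rpc[x], bridges[x]))
        roles.setdefault((d, b if d == a else a), "designated")
    # Everything else is blocked; that is the port that breaks the ring.
    for a, b, _cost in links:
        roles.setdefault((a, b), "blocked")
        roles.setdefault((b, a), "blocked")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = port_roles(BRIDGES, LINKS)
    print("root:", root, "root path costs:", rpc)
    for (bridge, neighbor), role in sorted(roles.items()):
        print(f"{bridge} port to {neighbor}: {role}")
```

Lowering the bridge priority on one switch (the port priority and path cost settings in the index act on the same election) moves the root; in the ring above, giving C priority 4096 makes C the root and moves the blocked port onto the A-B link.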
INDEX A acceptable frame type 176 Access Control List See ACL ACL 96 binding to a port 96 address table 171 aging time 171 address, management access 31 ARP inspection 114 B BPDU guard 137 shut down port on receipt 137 broadcast storm, threshold 207 C community string 69, 72 configuration files restoring 292 restoring defaults 293 saving 292 configuration settings restoring 293 saving 292 saving or restoring 292 control lists, QoS 203 CPU status 222 utilization, showing 222 classification, QoS 202 rewri
snooping, fast leave 148 throttling 149 ingress classification, QoS 200 ingress filtering 176 ingress port tag classification, QoS 191 ingress rate limiting 192 IP address, setting 46 IP source guard, configuring static entries 113 IPv4 address DHCP 46 setting 46 IPv6 address dynamic configuration (global unicast) 48 dynamic configuration (link-local) 48 EUI format 48 EUI-64 setting 48 global unicast 48, 49 link-local 48 manual configuration (global unicast) 48, 49 manual configuration (link-local) 4
statistics, displaying 262 using immediate leave 143 N NTP, specifying servers 50 P passwords 31, 58 path cost 136, 139 STA 136, 139 PoE configuring 168 port power allocation 169 power budget 170 priority setting 170 shutdown modes 170 status, displaying 279 port maximum frame size 56 statistics 227 port classification, QoS 190 port isolation 179 port policer, ingress rate limiter 192 port priority STA 136, 139 port remarking mode 197 QoS 196 port shaper, QoS 193, 196 ports autonegotiation 55 broad
user configuration 73 views 75 software displaying version 222 downloading 290 Spanning Tree Protocol See STA specifications, software 297 SSH 64 configuring 64 server, configuring 64 STA 126 BPDU shutdown 137 edge port 137 global settings, displaying 129, 132 interface settings 135 link type 138 path cost 136, 139 port priority 136, 139 transmission hold count 131 transmission limit 131 standards, IEEE 299 static addresses, setting 172 statistics, port 227 STP 129, 130 global settings, displaying 13
panel display 36
Headquarters: No. 1, Creation Rd. III, Hsinchu Science Park, Taiwan 30077. Tel: +886 3 5638888. Fax: +886 3 6686111. Technical support information (for Asia-Pacific): www.smc-asia.com, www.smcnetworks.co.kr. SMCGS18/26/50C-Smart, SMCGS18/26/50P-Smart. www.smc.