Linksys LGS308 User Manual

User Guide
SMART SWITCH
LGS3XX

Summary of Contents for Linksys LGS308

  • Page 1 User Guide SMART SWITCH LGS3XX...
  • Page 2: Table Of Contents

    Contents: Chapter 1 – Getting Started, 5; Chapter 2 – System Status, 9; System Summary, 9; RMON, 10; Interface Statistics, 17; Chapter 3 – Quick Start, 19; Chapter 4 – System Management, 20; System Information ...
  • Page 3 MSTP Properties, 99; MSTP Instance Status, 102; MSTP Instance Interface, 103; Chapter 8 - MAC Address Management, 106; Dynamic MAC Addresses, 106; Static MAC Addresses, 107; Reserved MAC Addresses, 108; Chapter 9 – Multicast, 110; Feature Configuration ...
  • Page 4 Chapter 13 - Access Control List, 169; MAC-Based ACL, 170; MAC-Based ACE, 171; IPv4-Based ACL, 173; IPv4-Based ACE, 174; IPv6-Based ACL, 176; IPv6-Based ACE, 176; ACL Binding, 178; Chapter 14 - Quality of Service, 180; Feature Configuration ...
  • Page 5: Chapter 1 - Getting Started

    Chapter 1 – Getting Started There are two ways to configure the device: through the graphical user interface and through the menu command line interface. Starting the Web-based Configuration Utility This section describes how to navigate the Web-based switch configuration utility. If you are using a pop-up blocker, make sure it is disabled.
  • Page 6: Window Navigation

    Logging Out By default, the application logs out after ten minutes of inactivity. CAUTION Unless the Running Configuration is copied to the Startup Configuration, rebooting the device will remove all changes made since the last time the file was saved. Save the Running Configuration to the Startup Configuration before logging off to preserve any changes you made during this session.
  • Page 7: Management Buttons

    Management Buttons The following table describes the commonly used buttons that appear on various pages in the system. Add—Click to display the related Add page and add an entry to a table. Enter the information and click Apply to save it to the Running Configuration.
  • Page 8 Configuring with the Menu Command Line Interface To configure the device through the menu CLI: 1. Log on to the device through Telnet. Telnet carries the login credentials and the whole session in cleartext, so use it only over a trusted management network. 2. Configure the device. 3. Log out.
  • Page 9: Chapter 2 - System Status

    Chapter 2 – System Status System Summary The System Summary page provides a graphic view of the device, and displays device status, hardware information, firmware version information, general PoE status, and other items. To view system information, click System Status > System Summary. The System Summary page contains system and hardware information.
  • Page 10: Rmon

    • Firmware Version—Firmware version number. • Boot Code Version—Boot version number. • Hardware Version—Hardware version number of the device. • Serial Number—Serial number. Device Status • Fan Status—Applicable only to models that have fans. The following values are possible: OK—Fan is operating normally.
  • Page 11 To view RMON statistics and/or set the refresh rate: 1. Click System Status > RMON > Statistics. 2. Select the Interface for which statistics are to be displayed. 3. Select the Refresh Rate, the time period that passes before the interface statistics are refreshed.
  • Page 12: Rmon History

    • Frames of 512 to 1023 Bytes—Number of frames containing 512-1023 bytes that were received. • Packets of 1024 and More Bytes—Number of frames containing 1024-2000 bytes, and jumbo frames, that were received. To clear or view statistics counters: •...
  • Page 13: Rmon History Table

    4. Click Apply. The entry is added to the History Control Table page, and the Running Configuration file is updated. 5. Click the History button (described below) to view the actual statistics. RMON History Table The History Table page displays interface-specific statistical network samplings. The samples were configured in the History Control table described above.
  • Page 14: Rmon Events

    • Jabbers—Total number of received packets that were longer than 2000 octets and had a bad FCS (Frame Check Sequence), either with an integral number of octets (FCS Error) or with a non-integral number of octets (Alignment Error). The length excludes framing bits but includes the FCS octets.
  • Page 15 Trap (SNMP Manager and SYSLOG Server)—Send a trap to the remote log server when the alarm goes off. Log and Trap—Add a log entry to the Event Log table and send a trap to the remote log server when the alarm goes off. •...
  • Page 16: Rmon Alarms

    RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on counters or any other SNMP object counter maintained by the agent. Both the rising and falling thresholds must be configured in the alarm. After a rising threshold is crossed, no rising events are generated until the companion falling threshold is crossed.
  • Page 17: Interface Statistics

    • Falling Threshold—Enter the value that triggers the falling threshold alarm. • Startup Alarm—Select the first event from which to start generation of alarms. Rising is defined by crossing the threshold from a low-value threshold to a higher-value threshold. o Rising Alarm—A rising value triggers the rising threshold alarm.
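The threshold rules on the RMON Alarms page (both thresholds required, and no second rising event until the falling threshold has been crossed) are easier to see as a small state machine. The following is an added example, not code from the Linksys manual; the alarm semantics follow RFC 2819, and the counter series fed to it are constructed.

```python
"""RMON alarm hysteresis (added example; not code from the LGS3xx manual).

Models the rule on the RMON Alarms page: both thresholds are required, and once a
rising event has fired no further rising event is generated until the companion
falling threshold is crossed (and vice versa). Startup Alarm decides which
crossing may fire on the very first sample.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute"      # "absolute" or "delta"
    startup_alarm: str = "rising"      # "rising", "falling" or "rising-falling"
    events: List[str] = field(default_factory=list)
    _last_raw: Optional[int] = None    # previous raw sample (delta mode only)
    _seen_first: bool = False
    _rising_armed: bool = True         # may a rising event fire?
    _falling_armed: bool = True        # may a falling event fire?

    def __post_init__(self):
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one counter sample; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:         # first delta needs two raw samples
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw

        first = not self._seen_first
        self._seen_first = True
        event = None
        if value >= self.rising_threshold:
            allowed = self.startup_alarm in ("rising", "rising-falling") if first else True
            if self._rising_armed and allowed:
                event = "rising"
            self._rising_armed = False         # disarmed until the falling threshold is crossed
            self._falling_armed = True
        elif value <= self.falling_threshold:
            allowed = self.startup_alarm in ("falling", "rising-falling") if first else True
            if self._falling_armed and allowed:
                event = "falling"
            self._falling_armed = False
            self._rising_armed = True
        # values strictly between the thresholds change nothing: that gap is the hysteresis
        if event:
            self.events.append(event)
        return event


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[str]:
    """Feed a whole sample series and return the events generated, in order."""
    return [e for e in (alarm.sample(s) for s in samples) if e]


if __name__ == "__main__":
    # Constructed series: an error counter read once per sampling interval.
    a = RmonAlarm(rising_threshold=100, falling_threshold=50)
    print(run_alarm(a, [120, 130, 40, 110, 70, 120]))   # ['rising', 'falling', 'rising']
```

The second 120 in the sample series produces no event even though it is above the rising threshold, because the value never dropped to the falling threshold in between; that is exactly the behaviour the page describes, and it is what keeps a counter hovering around one threshold from flooding the event log or the trap receiver.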
  • Page 18 To display Ethernet statistics and/or set the refresh rate: 1. Click System Status > Interface Statistics. 2. Enter the parameters. Interface—Select the specific interface for which Ethernet statistics are to be displayed. Refresh Rate—Select the time period that passes before the interface Ethernet statistics are refreshed.
  • Page 19: Chapter 3 - Quick Start

    Chapter 3 – Quick Start To simplify device configuration through quick navigation, the Quick Start page provides links to the most commonly used pages. Link Name (on the Page) / Linked Page: Configure User Accounts and Management Access / User Access & Accounts; Configure Device IP Address / IPv4 Interface; Create VLANs...
  • Page 20: Chapter 4 - System Management

    Chapter 4 – System Management System Information To enter system information: 1. Click Configuration > System Management > System Information. 2. View or modify the system settings. • System Description—Displays a description of the device. • System Location—Enter the location where the device is physically located. •...
  • Page 21: Management Session Timeout

    Management Session Timeout The Management Session Timeout configures the time intervals that the management sessions can remain idle before they timeout and you must log in again to reestablish the session. To set the idle session timeout for various types of sessions: 1.
  • Page 22 Clock Source System time can be set manually by the user, or dynamically from an SNTP server. If an SNTP server is chosen, the manual time settings are overwritten when communications with the server are established. As part of the boot process, the device always configures the time, time zone, and DST. These parameters are obtained from SNTP, values set manually, or if all else fails, from the factory defaults.
  • Page 23: System Time

    • If the server supplying the source parameters fails, or dynamic configuration is disabled by the user, the manual settings are used. • Dynamic configuration of the time zone and DST continues after the IP address lease time has expired. •...
  • Page 24 2. Enter these parameters: Clock Source • SNTP—If you enable this, the system time is obtained from an SNTP server. To use this feature, you must also configure a connection to an SNTP server in the SNTP Unicast Server page. • SNTP Client Unicast—Select to enable client Unicast mode.
  • Page 25: Sntp Unicast Server

    • Daylight Savings Type o USA - DST is set according to the dates used in the USA. o European - DST is set according to the dates used by the European Union and other countries that use this standard. o By Dates - DST is set manually, typically for a country other than the USA or a European country.
  • Page 26 To add a Unicast SNTP server: 1. Click Configuration > System Management > Time > SNTP Unicast Server. This page displays the following information for each Unicast SNTP server: • SNTP Server—SNTP server IP address. The preferred server, or hostname, is chosen according to its stratum level.
  • Page 27: Snmp

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
  • Page 28 Note—Due to the security vulnerabilities of other versions, it is recommended to use SNMPv3. SNMPv3 • In addition to the functionality provided by SNMPv1 and v2, SNMPv3 applies access control and new trap mechanisms to SNMPv1 and SNMPv2 PDUs. SNMPv3 also defines a User Security Model (USM) that includes: Authentication—Provides data integrity and data origin authentication.
  • Page 29 If you decide to use SNMPv3: 1. Define the SNMP engine by using the Engine ID page. Either create a unique Engine ID or use the default Engine ID. Applying an Engine ID configuration clears the SNMP database. 2. Optionally, define SNMP view(s) by using the Views page. This limits the range of Object IDs available to a community or group.
  • Page 30 8-Port Smart Gigabit PoE+ Switch LGS308P: enterprises(1).linksys(3955).smb(1000).3.8.2; 18-Port Smart Gigabit PoE+ Switch LGS318P: enterprises(1).linksys(3955).smb(1000).3.18.2; 26-Port Smart Gigabit PoE+ Switch LGS326P: enterprises(1).linksys(3955).smb(1000).3.26. Private OIDs are placed under: enterprises(1).linksys(3955).smb(1000).switch01(201).
  • Page 31 Feature Configuration The Engine ID is used by SNMPv3 entities to uniquely identify them. An SNMP agent is considered an authoritative SNMP engine. This means that the agent responds to incoming messages (Get, GetNext, GetBulk, Set) and sends trap messages to a manager. The agent's local information is encapsulated in fields in the message.
  • Page 32 o Use Default—Select to use the device-generated engine ID. The default engine ID is based on the device MAC address and is defined per the standard: First 4 octets—First bit = 1, the rest is the IANA enterprise number. Fifth octet—Set to 3 to indicate that a MAC address follows. Last 6 octets—MAC address of the device.
  • Page 33 Views A view is a user-defined label for a collection of MIB subtrees. Each subtree ID is defined by the Object ID (OID) of the root of the relevant subtrees. Either well-known names can be used to Device Model Object IDs).
  • Page 34 4. Include or exclude the MIB object from the view. If Include Object is selected, the MIB objects are included in the view, otherwise they are excluded. 5. Click Apply. 6. In order to verify your view configuration, select the user-defined views from the View Name list.
  • Page 35 SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive. A group defines read/write privileges and a level of security. It becomes operational when it is associated with an SNMP user or community. Note—To associate a non-default view with a group, first create the view in the Views page.
  • Page 36 o Security Level—Define the security level attached to the group. SNMPv1 and SNMPv2 support neither authentication nor privacy. If SNMPv3 is selected, select to enable one of the following: o No Authentication and No Privacy—Neither the Authentication nor the Privacy security levels are assigned to the group. o Authorized View—Select the Read, Write and Notify views associated with this group and with the above security level.
  • Page 37 Groups enable network managers to assign access rights to a group of users instead of to a single user. A user can only belong to a single group. To create an SNMPv3 user, the following must first exist: An engine ID must first be configured on the device. This is done in the Engine ID page. An SNMPv3 group must be available.
  • Page 38 • Authentication Password—If authentication is accomplished by either an MD5 or a SHA password, enter the local user password in either Encrypted or Plaintext form. Local user passwords are compared to the local database, and can contain up to 32 ASCII characters. •...
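The engine ID format on the Engine ID page and the MD5/SHA authentication password on the Users page are linked: USM never stores the password itself but a key localized to the engine ID, which is why applying a new Engine ID clears the SNMP user database. The code below is an added example, not Linksys code; it builds the device-generated engine ID from the enterprise number shown in this chapter (linksys 3955) and a constructed MAC address, and derives the localized key per RFC 3414 A.2. The MAC address and the "maplesyrup" password are illustrative inputs, the latter taken from the RFC's own test vectors.

```python
"""SNMPv3 engine ID and USM key localization (added example; not code from the manual).

Builds the device-generated engine ID described on the Engine ID page (RFC 3411
MAC-address format) and derives the localized authentication key the way USM does
(RFC 3414 A.2): every user key is bound to the engine ID, so changing the engine
ID invalidates all of them.
"""
import hashlib

LINKSYS_ENTERPRISE = 3955   # enterprises.linksys(3955) from this chapter's OID table


def default_engine_id(mac: str, enterprise: int = LINKSYS_ENTERPRISE) -> bytes:
    """Engine ID = (first bit 1 + enterprise number, 4 octets) + 0x03 + 6 MAC octets."""
    mac_octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    head = (0x80000000 | enterprise).to_bytes(4, "big")   # first bit = 1, rest = enterprise
    return head + b"\x03" + mac_octets                    # 0x03 = "MAC address follows"


def parse_engine_id(engine_id: bytes) -> dict:
    """Decode the RFC 3411 format; only the MAC variant (format octet 3) is handled."""
    if len(engine_id) < 5 or not engine_id[0] & 0x80:
        raise ValueError("not an RFC 3411 engine ID")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    fmt = engine_id[4]
    if fmt != 3 or len(engine_id) != 11:
        raise ValueError("unsupported engine ID format %d" % fmt)
    mac = ":".join("%02x" % b for b in engine_id[5:])
    return {"enterprise": enterprise, "format": fmt, "mac": mac}


def password_to_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to 1,048,576 octets);
    Kul = H(Ku || engineID || Ku). algo is "md5" or "sha1", the two choices
    (MD5 / SHA) offered on the Users page."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1_048_576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


if __name__ == "__main__":
    eid = default_engine_id("00:11:22:33:44:55")          # constructed MAC address
    print(eid.hex(), parse_engine_id(eid))
    # Same password, two engine IDs: two different localized keys.
    print(password_to_key("maplesyrup", eid, "sha1").hex())
    print(password_to_key("maplesyrup", default_engine_id("00:11:22:33:44:56"), "sha1").hex())
```

A practical consequence of the localization step: a manager that has cached a localized key for one engine ID will fail authentication (and see authenticationFailure traps, if enabled) after the switch's engine ID is changed or the unit is replaced by one with a different MAC address, even though the configured password is unchanged.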
  • Page 39 • Advanced Mode—The access rights of a community are defined by a group (defined in the Groups page). You can configure the group with a specific security model. The access rights of a group are Read, Write, and Notify. To define SNMP communities: 1.
  • Page 40: Notification Filters

    o Read Write—Management access is read-write. Changes can be made to the device configuration, but not to the community. o SNMP Admin—User has access to all device configuration options, as well as permissions to modify the community. SNMP Admin is equivalent to Read Write for all MIBs except for the SNMP MIBs.
  • Page 41 3. Enter the parameters. • Filter Name—Enter a name between 0-30 characters. • Filter Object—Select the node in the MIB tree that is included or excluded in the selected SNMP filter. The options to select the object are as follows: o Selection List—Enables you to navigate the MIB tree.
  • Page 42 The Notification Recipients SNMPv1/v2 page and the Notification Recipients SNMPv3 page enable configuring the destination to which SNMP notifications are sent, and the types of SNMP notifications that are sent to each destination (traps or informs). The Add/Edit pop-ups enable configuring the attributes of the notifications.
  • Page 43 • Filter Name—Select the SNMP filter that defines the information contained in traps (defined in the Notification Filter page). 3. Click Apply. The SNMP Notification Recipient settings are written to the Running Configuration file. V3 Notification Recipients To define a recipient in SNMPv3: 1.
  • Page 44: Logs

    • Notification Version—Select SNMP v3. • Notification Type—Select whether to send traps or informs. If both are required, two recipients must be created. • Timeout—Enter the amount of time (seconds) the device waits before re- sending informs/traps. Timeout: Range 1-300, default 15. •...
  • Page 45: Log Management

    In addition, you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages. You can configure the messages that are written to each log by severity, and a message can go to more. Log Management You can select the events by severity level.
  • Page 46 For example, if Warning is selected, all severity levels that are Warning and higher are stored in the log (Emergency, Alert, Critical, Error, and Warning). No events with severity level below Warning are stored (Notice, Informational, and Debug). To set global log parameters: 1.
  • Page 47: Remote Log Servers

    Remote Log Servers The Remote Log Servers page enables defining remote SYSLOG servers where log messages are sent (using the SYSLOG protocol). For each server, you can configure the severity of the messages that it receives. To define SYSLOG servers, do the following: 1.
  • Page 48 o Log Server IP Address—Enter the IP address of the log server if it is to be identified by address. o Log Server Name—Enter the domain name of the log server if it is to be identified by name. • Server Settings o UDP Port—Enter the UDP port to which the log messages are sent.
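The severity rule on the Log Management page ("Warning and higher") and the UDP syslog delivery on the Remote Log Servers page both hinge on the numeric severity carried in the syslog PRI field. The following added example, not code from the manual, encodes that field the way a collector will see it, applies the minimum-severity rule to a few constructed log lines, and shows the UDP send. The facility (local7) and the sample lines are assumptions; the manual does not state which facility the switch uses.

```python
"""Syslog severity filtering and PRI encoding (added example; not code from the manual).

The Log Management page keeps every message at the selected severity or more
severe; the Remote Log Servers page sends the same messages to a SYSLOG server
over UDP. This shows the PRI field the collector will parse and the
"Warning and higher" rule applied to constructed lines.
"""
import re
import socket
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Syslog severities (RFC 5424 section 6.2.1): numerically lower is more severe.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}
LOCAL7 = 23   # facility assumed for the switch; the manual does not name one

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility: int, severity: int) -> int:
    return facility * 8 + severity


def parse_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI>; reject malformed input."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI: %r" % line[:16])
    value = int(m.group(1))
    return value // 8, value % 8


def format_message(severity: str, host: str, tag: str, text: str,
                   facility: int = LOCAL7, when: Optional[datetime] = None) -> str:
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: text."""
    when = when or datetime.now(timezone.utc)
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (pri(facility, SEVERITY[severity]), stamp, host, tag, text)


def keep(line: str, minimum: str) -> bool:
    """Log Management rule: keep if the message is at `minimum` severity or more severe."""
    _, sev = parse_pri(line)
    return sev <= SEVERITY[minimum]


def filter_lines(lines: List[str], minimum: str) -> List[str]:
    return [l for l in lines if keep(l, minimum)]


def send_udp(line: str, server: str, port: int = 514) -> None:
    """Forward one line the way the switch does (UDP, default port 514).
    UDP syslog is neither authenticated nor encrypted, so anyone on the path can
    forge or drop entries; keep it on a dedicated management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (server, port))


# Constructed sample lines, in the shape a switch might emit them.
SAMPLE = [
    format_message("critical", "lgs308", "LINK", "port gi1 link down"),
    format_message("warning", "lgs308", "AAA", "login failed for user admin from 192.0.2.10"),
    format_message("notice", "lgs308", "SYS", "configuration saved"),
    format_message("debug", "lgs308", "SNMP", "get-request OID 1.3.6.1.2.1.1.5.0"),
]

if __name__ == "__main__":
    for l in filter_lines(SAMPLE, "warning"):
        print(l)
```

Filtering at Warning keeps the critical and warning lines and drops notice and debug, matching the example on the Log Management page; the failed-login line is the one a detection pipeline usually cares about, so it is worth confirming that the severity chosen on the switch does not filter it out before it reaches the collector.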
  • Page 49: Flash Memory Log

    • Severity—Event severity. • Description—Message text describing the event. To clear the log messages, click Clear. Flash Memory Log The Flash Memory Log page displays the messages that were stored in the Flash memory, in chronological order. The minimum severity for logging is configured in the Log Management page. Flash logs remain when the device is rebooted.
  • Page 50: Chapter 5 - Port Management

    Chapter 5 – Port Management Ports To configure port settings: 1. Click Configuration > Port Management > Ports. 2. Select Enable to support jumbo packets of up to 10 KB in size. If Jumbo Frames is not enabled (default), the system supports packet size up to 2,000 bytes. For Jumbo Frames to take effect, the device must be rebooted after the feature is enabled.
  • Page 51 Protected Port—Select to make this a protected port. (A protected port is also referred to as a Private VLAN Edge.) Features of a protected port: Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN. Packets received from protected ports can be forwarded only to unprotected egress ports.
  • Page 52: Link Aggregation

    Back Pressure—Used with Half Duplex mode to slow down the packet reception speed when the device is congested. It disables the remote port, preventing it from sending packets by jamming the signal. Flow Control—Enable or disable 802.3x Flow Control, or enable the Auto Negotiation of flow control on the port (only when in Full Duplex mode).
  • Page 53 This switch supports two modes of load balancing. • By MAC Addresses—(Default) Based on the destination and source MAC addresses of all packets. • By IP and MAC Addresses—Based on the destination and source IP addresses for IP packets, and destination and source MAC addresses for non-IP packets. LAG Management In general, a LAG is treated by the system as a single logical port.
  • Page 54 LAGs The LAGs page enables you to configure the global settings, and to select and edit the desired LAG on the Edit LAG Membership page. To define the member or candidate ports in a LAG: 1. Click Configuration > Port Management > Link Aggregation > LAGs. 2.
  • Page 55 o Auto Negotiation—Select to enable auto-negotiation on the LAG. Auto- negotiation is a protocol between two link partners that enables a LAG to advertise its transmission speed and flow control to its partner (the Flow Control default is disabled). It is recommended to keep auto-negotiation enabled on both sides of an aggregate link, or disabled on both sides, while ensuring that link speeds are identical.
  • Page 56: Green Ethernet

    Green Ethernet Green Ethernet is a common name for a set of features that is designed to be environmentally friendly, and to reduce the power consumption of a device. Green Ethernet is different from EEE in that Green Ethernet energy-detect is enabled on all ports, while EEE is enabled only on the gigabit ports.
  • Page 57 Power savings, current power consumption and cumulative energy saved can be monitored. The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Ethernet mode. The saved energy displayed is only related to Green Ethernet.
  • Page 58 Note—If Auto-Negotiation is not enabled on a port, EEE is disabled. The only exception is a link speed of 1 Gbps; in that case EEE stays enabled even though Auto-Negotiation is disabled. Default Configuration By default, 802.3 EEE is enabled globally and per port. Interactions Between Features 802.3 EEE interactions with other features: If auto-negotiation is not enabled on the port, the 802.3 EEE operational status is...
  • Page 59: Poe

    Note—If Short Reach is enabled, EEE must be disabled. • 802.3 Energy Efficient Ethernet (EEE)—Select to globally enable EEE. 2. Click Apply to set the global settings. • Power Savings—The percentage of power saved by running Green Ethernet and Short Reach. The power savings displayed is only relevant to the power saved by Short Reach and Energy Detect modes.
  • Page 60 PoE capabilities: • Eliminates the need to run 110/220 V AC power to all devices on a wired LAN. • Removes the necessity for placing all network devices next to power sources. • Eliminates the need to deploy double cabling systems in an enterprise, significantly decreasing installation costs.
  • Page 61 PoE Priority Example A 48-port device is supplying a total of 375 watts. The administrator configures all ports to allocate up to 30 watts each. 48 ports times 30 watts equals 1440 watts, which is more than the device can supply. Because the device cannot provide the full amount to every port, it supplies power according to priority. The administrator sets the priority for each port, determining how much power it can be given.
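The PoE Priority Example above can be worked through as an allocation in priority order. The following is an added example, not Linksys code: it takes the manual's figures (48 ports, 30 W each, 375 W budget), serves ports by priority (critical, high, low) and, within a priority, by port number. That tie-break and the rule that a port whose full limit does not fit is skipped rather than given a partial share are assumptions; the manual does not state them.

```python
"""PoE power allocation by priority (added example; not code from the manual).

Reproduces the PoE Priority Example: 48 ports each allowed up to 30 W against a
375 W budget. Ports are served in priority order (critical, high, low) and,
within a priority, by port number (assumed tie-break).
"""
from typing import Dict, List, Tuple

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


def allocate_poe(ports: List[Tuple[int, str, float]],
                 budget_w: float) -> Tuple[Dict[int, float], float]:
    """ports: (port_number, priority, per-port power limit in watts).
    Returns ({port: watts granted, 0.0 if unpowered}, watts left unallocated).
    A port whose full limit does not fit is skipped, not given a partial share
    (assumption), and lower-priority ports after it are still considered."""
    remaining = budget_w
    granted: Dict[int, float] = {}
    for number, prio, limit in sorted(ports, key=lambda p: (PRIORITY_RANK[p[1]], p[0])):
        if limit <= remaining:
            granted[number] = limit
            remaining -= limit
        else:
            granted[number] = 0.0
    return granted, remaining


def powered_ports(granted: Dict[int, float]) -> List[int]:
    """Port numbers that received power, in ascending order."""
    return sorted(p for p, w in granted.items() if w > 0)


if __name__ == "__main__":
    ports = [(n, "low", 30.0) for n in range(1, 49)]        # the manual's 48 x 30 W
    granted, left = allocate_poe(ports, 375.0)
    print(powered_ports(granted), left)                     # ports 1..12, 15.0 W left
    ports[39] = (40, "critical", 30.0)                      # make port 40 critical
    print(powered_ports(allocate_poe(ports, 375.0)[0]))     # port 40 displaces port 12
```

With every port at the same priority only twelve of the 48 ports are powered (360 W of the 375 W); raising one port to critical moves it to the front of the queue and pushes the last low-priority port off the budget. That is the reason the manual has the administrator set priorities explicitly: without them, which phones or cameras go dark is decided by port number alone.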
  • Page 62 To prevent false detection, you should disable PoE on the ports on the PoE switches that are used to connect to PSEs. You should also first power up a PSE device before connecting it to a PoE device. When a device is being falsely detected as a PD, you should disconnect the device from the PoE port and power cycle the device with AC power before reconnecting its PoE ports.
  • Page 63: Port Limit Power Mode

    • Consumed Power—Amount of power in watts that is currently being consumed by the PoE ports. • Available Power—Nominal power in watts minus the amount of consumed power. 3. Click Apply to save the PoE properties. Port Limit Power Mode To configure port limit power mode: 1.
  • Page 64: Class Limit Power Mode

    Class Limit Power Mode To configure class limit power mode: 1. Click Configuration > Port Management > PoE > Class Limit Power Mode. • PoE Status—Enable or disable PoE on the port. • Power Priority Level—Port priority is low, high, or critical, for use when the power...
  • Page 65: Discovery - Lldp

    2. Select a port and click Edit. Enter the fields as described above. 3. Click Apply. The PoE settings for the port are written to the Running Configuration file. Discovery - LLDP Link Layer Discovery Protocol (LLDP) is a link layer protocol for directly-connected LLDP-capable neighbors to advertise themselves and their capabilities.
  • Page 66 The operation of LLDP is independent of the STP status of an interface. If 802.1x port access control is enabled at an interface, the device transmits and receives LLDP packets to and from the interface only if the interface is authenticated and authorized. If a port is the target of mirroring, then LLDP considers it down.
  • Page 67 The LLDP-MED TLVs to be advertised can be selected in the LLDP MED Port Settings page, and the management address TLV of the device may be configured to be advertised. To configure the LLDP port settings: 1. Click Configuration > Port Management > Discovery – LLDP > Feature Configuration. The following fields are displayed (only fields that do not appear in the Edit page are described): •...
  • Page 68 o Port Description—Information about the port, including manufacturer, product name and hardware/software version. o System Name—System's assigned name (in alpha-numeric format). The value equals the sysName object. o System Description—Description of the network entity (in alpha-numeric format). This includes the system's name and versions of the hardware, operating system, and networking software supported by the device.
  • Page 69: Lldp Med Ports

    LLDP MED Ports The LLDP MED Ports page enables the selection of the LLDP MED TLVs and/or the network policies to be included in the outgoing LLDP advertisement for the desired interfaces. Network Policies are configured using the LLDP MED Network Policy page. To configure LLDP MED on each port: 1.
  • Page 70: Lldp Local Information

    • Available Network Policies—Select the LLDP MED policies to be published by LLDP by moving them from the Available Network Policies list. These were created in the LLDP MED Network Policy page. To include one or more user-defined network polices in the advertisement, you must also select Network Policy from the Available Optional TLVs.
  • Page 71 To view the LLDP local port status advertised on a port: 1. Click Configuration > Port Management > Discovery - LLDP > LLDP Local Information. 2. Select the desired port from the Port list. This page displays the following groups of fields (the actual fields displayed depend on the optional TLVs selected to be advertised): •...
  • Page 72 Endpoint Class 2—Media endpoint class, offering media streaming capabilities, as well as all Class 1 features. Endpoint Class 3—Communications device class, offering all Class 1 and Class 2 features plus location, 911, Layer 2 device support, and device information management capabilities. PoE Device Type—Port PoE type;...
  • Page 73: Lldp Neighbor Information

    LLDP Neighbor Information The LLDP Neighbors Information page contains information that was received from neighboring devices. After timeout (based on the value received from the neighbor Time To Live TLV during which no LLDP PDU was received from a neighbor), the information is deleted. To view the LLDP neighbor information: Click Configuration > Port Management >...
  • Page 74 Supported System Capabilities—Primary functions of the device. The capabilities are indicated by two octets. Bits 0 through 7 indicate Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device, and station, respectively. Bits 8 through 15 are reserved. Enabled System Capabilities—Primary enabled function(s) of the device. •...
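The capability fields on the LLDP Neighbor Information page are two-octet bitmaps inside the System Capabilities TLV, and the neighbor entry is aged out by the TTL TLV. The code below is an added example, not Linksys code: a minimal LLDPDU walker that decodes those TLVs from a constructed PDU (chassis MAC, port name, TTL and system name are invented values) and rejects a TLV whose length field runs past the frame, which is the first check any LLDP receiver should make on untrusted neighbor data.

```python
"""LLDP TLV walker and System Capabilities decoder (added example; not code from the manual).

Parses a constructed LLDPDU the way the LLDP Neighbor Information page presents
it: chassis ID, port ID, TTL (the entry ages out when no LLDPDU arrives within
TTL seconds), system name and the two-octet capability bitmaps (bits 0..7 =
Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device,
Station; bits 8..15 reserved).
"""
from typing import Dict, Iterator, List, Tuple

CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN Access Point", "Router",
                   "Telephone", "DOCSIS Cable Device", "Station Only"]
# TLV types from IEEE 802.1AB
END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME, SYSTEM_CAPS = 0, 1, 2, 3, 5, 7


def iter_tlvs(pdu: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value). Header = 7-bit type, 9-bit length. Stops at the End TLV."""
    off = 0
    while off + 2 <= len(pdu):
        hdr = int.from_bytes(pdu[off:off + 2], "big")
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2: off + 2 + length]
        if len(value) != length:            # length field runs past the frame: reject it
            raise ValueError("truncated TLV type %d at offset %d" % (tlv_type, off))
        yield tlv_type, value
        if tlv_type == END:
            return
        off += 2 + length
    raise ValueError("LLDPDU without End TLV")


def decode_capabilities(word: int) -> List[str]:
    return [name for bit, name in enumerate(CAPABILITY_BITS) if word & (1 << bit)]


def parse_lldpdu(pdu: bytes) -> Dict[str, object]:
    info: Dict[str, object] = {}
    for tlv_type, value in iter_tlvs(pdu):
        if tlv_type == CHASSIS_ID and value and value[0] == 4:       # subtype 4 = MAC address
            info["chassis_id"] = ":".join("%02x" % b for b in value[1:])
        elif tlv_type == PORT_ID and value and value[0] == 5:        # subtype 5 = interface name
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == TTL and len(value) == 2:
            info["ttl"] = int.from_bytes(value, "big")
        elif tlv_type == SYSTEM_NAME:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == SYSTEM_CAPS and len(value) == 4:
            supported = int.from_bytes(value[:2], "big")
            enabled = int.from_bytes(value[2:], "big")
            info["supported"] = decode_capabilities(supported)
            info["enabled"] = decode_capabilities(enabled)
            info["reserved_bits_set"] = bool((supported | enabled) & 0xFF00)
    return info


def neighbor_expired(received_at: float, ttl: int, now: float) -> bool:
    """Neighbor page rule: drop the entry once TTL seconds pass with no new LLDPDU."""
    return now - received_at >= ttl


# Constructed LLDPDU: chassis MAC 00:11:22:33:44:55, port "gi1", TTL 120,
# system name "lgs308", capabilities supported Bridge+Router, enabled Bridge.
SAMPLE_PDU = bytes.fromhex(
    "0207" "04" "001122334455"      # Chassis ID, subtype MAC
    "0404" "05" "676931"            # Port ID, subtype interface name, "gi1"
    "0602" "0078"                   # TTL = 120
    "0a06" "6c6773333038"           # System Name "lgs308"
    "0e04" "0014" "0004"            # System Capabilities
    "0000"                          # End of LLDPDU
)

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_PDU))
```

Because LLDP is unauthenticated, a neighbor that advertises Router or Telephone capability, or a voice network policy, should be treated as a claim rather than a fact; the decoder above also flags reserved capability bits, which a conformant neighbor never sets.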
  • Page 75: Lldp Med Network Policy

    Civic—Civic or street address. Coordinates—Location map coordinates—latitude, longitude, and altitude. ECS ELIN—Device’s Emergency Call Service (ECS) Emergency Location Identification Number (ELIN). Unknown—Unknown location information. • Network Policy Application Type—Network policy application type, for example, Voice. VLAN ID—VLAN ID for which the network policy is defined. VLAN Type—VLAN type, Tagged or Untagged, for which the network policy is defined.
  • Page 76 Setting LLDP MED Network Policy An LLDP-MED network policy is a related set of configuration settings for a specific real-time application such as voice, or video. A network policy, if configured, can be included in the outgoing LLDP packets to the attached LLDP media endpoint device. The media endpoint device must send its traffic as specified in the network policy it receives.
  • Page 77: Chapter 6 - Vlan Management

    Chapter 6 – VLAN Management VLANs A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer, regardless of the physical LAN segment of the bridged network to which they are connected. Each VLAN is configured with a unique VLAN ID (VID) with a value from 1 to 4094.
  • Page 78: Vlan Configuration

    The frame is discarded at the ingress port if Ingress Filtering is enabled and the ingress port is not a member of the VLAN to which the packet belongs. A frame is regarded as priority-tagged only if the VID in its VLAN tag is 0. Frames belonging to a VLAN remain within the VLAN.
  • Page 79: Creating Vlans

    Default VLAN Settings When using factory default settings, the device automatically creates VLAN 1 as the default VLAN, the default interface status of all ports is Trunk, and all ports are configured as untagged members of the default VLAN. The default VLAN has the following characteristics: It is distinct, non-static/non-dynamic, and all ports are untagged members by default.
  • Page 80 The Smart device supports up to 128 VLANs, including the default VLAN. Each VLAN must be configured with a unique VID with a value from 1 to 4094. The device reserves VID 4095 as the Discard VLAN and VID 4094 for 802.1x. All packets classified to the Discard VLAN are discarded at ingress, and are not forwarded to a port.
  • Page 81: Interfaces

    Interfaces The Interface Settings page displays and enables configuration of VLAN-related parameters for all interfaces. To configure the interface settings: 1. Click VLAN Management > Interface Settings. 2. Select an interface type (Port or LAG), and click Search. Ports or LAGs and their VLAN Membership are displayed.
  • Page 82 • PVID—Enter the Port VLAN ID (PVID) of the VLAN to which incoming untagged and priority tagged frames are classified. The possible values are 1 to 4094. • Acceptable Frame Type—Select the type of frame that the interface can receive. Frames that are not of the configured frame type are discarded at ingress.
  • Page 83 4. Enter the following fields: • VLAN Mode - Access—The interface is an untagged member of a single VLAN. A port configured in this mode is known as an access port. - Trunk—The interface is an untagged member of one VLAN at most, and is a tagged member of zero or more VLANs.
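The ingress rules spread across the VLAN chapter (priority-tagged means VID 0 in the tag; untagged and priority-tagged frames are classified to the PVID; Acceptable Frame Type and Ingress Filtering discard at the ingress port; VID 4095 is the Discard VLAN) combine into one classification decision per frame. The code below is an added example, not Linksys code. The three Acceptable Frame Type values are assumed to be the 802.1Q ones (admit all, admit tagged only, admit untagged and priority-tagged only); the manual lists the field but this summary does not show its values.

```python
"""Ingress VLAN classification for one port (added example; not code from the manual).

Applies the rules from the VLAN chapter: untagged and priority-tagged frames
(VID 0 in the tag) are classified to the port's PVID; Acceptable Frame Type
discards frames of the wrong kind at ingress; Ingress Filtering discards frames
whose VLAN the port is not a member of; VID 4095 is the Discard VLAN.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DISCARD_VLAN = 4095
UNTAGGED = None       # tag_vid value for a frame with no 802.1Q tag


@dataclass
class PortVlanConfig:
    pvid: int = 1
    acceptable_frame_type: str = "all"        # "all", "tagged-only", "untagged-only" (assumed names)
    ingress_filtering: bool = True
    tagged: Set[int] = field(default_factory=set)
    untagged: Set[int] = field(default_factory=set)

    def __post_init__(self):
        if not 1 <= self.pvid <= 4094:
            raise ValueError("PVID must be 1..4094")
        if self.tagged & self.untagged:
            raise ValueError("a VLAN cannot be both tagged and untagged on one port")

    def members(self) -> Set[int]:
        return self.tagged | self.untagged


def classify_ingress(cfg: PortVlanConfig, tag_vid: Optional[int]) -> Tuple[str, object]:
    """tag_vid: None for an untagged frame, 0 for priority-tagged, else the tag's VID.
    Returns ("forward", vid) or ("discard", reason)."""
    if tag_vid is UNTAGGED or tag_vid == 0:
        # Priority-tagged frames are treated like untagged ones: classified to the PVID.
        if cfg.acceptable_frame_type == "tagged-only":
            return "discard", "untagged/priority-tagged frame on tagged-only port"
        vid = cfg.pvid
    else:
        if cfg.acceptable_frame_type == "untagged-only":
            return "discard", "tagged frame on untagged-only port"
        if tag_vid == DISCARD_VLAN:
            return "discard", "VID 4095 is the Discard VLAN"
        if not 1 <= tag_vid <= 4094:
            return "discard", "invalid VID %d" % tag_vid
        vid = tag_vid
    if cfg.ingress_filtering and vid not in cfg.members():
        return "discard", "ingress filtering: port is not a member of VLAN %d" % vid
    return "forward", vid


def classify_many(cfg: PortVlanConfig, frames: List[Optional[int]]) -> List[Tuple[str, object]]:
    return [classify_ingress(cfg, f) for f in frames]


if __name__ == "__main__":
    # Constructed trunk port: untagged in VLAN 1 (the PVID), tagged in 10 and 20.
    trunk = PortVlanConfig(pvid=1, untagged={1}, tagged={10, 20})
    for frame, result in zip([None, 0, 10, 30, 4095], classify_many(trunk, [None, 0, 10, 30, 4095])):
        print(frame, "->", result)
```

The case worth noticing is ingress filtering turned off: a tagged frame for VLAN 30 is then accepted on a port that is not a member of VLAN 30, which is how a host on an access port can reach VLANs it was never assigned to. Keeping ingress filtering enabled and the acceptable frame type narrowed to what the attached device should send is the least-privilege setting.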
  • Page 84: Vlan Memberships

    VLAN Memberships The VLAN Memberships page displays the VLAN memberships of the ports in various presentations. You can use them to add memberships to or remove memberships from the VLANs. When a port is forbidden default VLAN membership, that port is not allowed membership in any other VLAN.
  • Page 85: Vlan Groups

    • Interface—Port/LAG ID. • PVID—Port PVID is set to this VLAN. If the interface is in access mode or trunk mode, the device automatically makes the interface an untagged member of the VLAN. If the interface is in general mode, you must manually configure VLAN membership.
  • Page 86 MAC-Based Group MAC-based VLAN classification enables packets to be classified according to their source MAC address. You can then define MAC-to-VLAN mapping per interface. You can define several MAC-based groups, with each group containing different MAC addresses. These MAC-based groups can be assigned to specific ports/LAGs. MAC-based groups cannot contain overlapping ranges of MAC addresses on the same port.
  • Page 87 To assign a MAC address to a VLAN Group: 1. Click Configuration > VLAN Management > MAC-Based Group. 2. Click Add. 3. Enter the values for the following fields: • Group ID—Enter a user-created VLAN group ID number. MAC Address—Enter a MAC address to be assigned to a VLAN group. •...
  • Page 88: Voice Vlan

    4. Click Apply to set the mapping of the VLAN group to the VLAN. This mapping does not bind the interface dynamically to the VLAN; the interface must be manually added to the VLAN. Voice VLAN In a LAN, voice devices, such as IP phones, VoIP endpoints, and voice systems are placed into the same VLAN.
  • Page 89 Voice VLAN CoS The device can advertise the CoS/802.1p and DSCP settings of the voice VLAN by using LLDP-MED Network policies. You can create your network policy manually or enable the device to automatically generate the network policy based on your voice VLAN configuration. MED-supported devices must send their voice traffic with the same CoS/802.1p and DSCP values, as received with the LLDP-MED response.
  • Page 90 Feature Configuration To configure Auto Voice VLAN: 1. Click Configuration > VLAN Management > Voice VLAN > Feature Configuration. 2. Enter the following to configure Voice VLAN: • Voice VLAN ID—Enter the identifier of the current voice VLAN • CoS/802.1p—Select the CoS/802.1p value to be used by the LLDP-MED as a voice network policy.
  • Page 91 3. Enter the values for the following fields: • Telephony OUI—First six hexadecimal digits (the first three octets) of the MAC address, which are reserved for OUIs. • Description—User-assigned OUI description. Note—Click Restore to delete all of the user-created OUIs, and leave only the default OUIs in the table.
  • Page 92 To configure Telephony OUI on an interface: 1. Click Configuration > VLAN Management > Voice VLAN > Telephony OUI Interfaces. 2. To configure an interface to be a candidate port of the telephony OUI-based voice VLAN, click Edit. 3. Enter the values for the following fields: •...
  • Page 93: Chapter 7 - Spanning Tree Management

    Chapter 7 - Spanning Tree Management Spanning Tree Protocol protects a Layer 2 Broadcast domain from Broadcast storms by selectively setting links to standby mode to prevent loops. In standby mode, these links temporarily stop transferring user data. After the topology changes so that the data transfer is made possible, the links are automatically reactivated.
  • Page 94: Spanning Tree

    Spanning Tree To set the STP status and global settings: 1. Click Configuration > Spanning Tree Management > Spanning Tree. 2. Enter the parameters. Global Settings: • Spanning Tree—Select to enable on the device. • Spanning Tree Mode—Select an STP mode - Classic STP, Rapid STP or Multiple STP.
  • Page 95 Bridge Settings: • Priority—Sets the bridge priority value. After exchanging BPDUs, the device with the lowest priority becomes the Root Bridge. In the case that all bridges use the same priority, then their MAC addresses are used to determine the Root Bridge. The bridge priority value is provided in increments of 4096.
  • Page 96: STP Interfaces

    STP Interfaces The STP Interface page enables you to configure STP on a per-port basis, and to view the information learned by the protocol, such as the designated bridge. The defined configuration entered is valid for all flavors of the STP protocol. To configure STP on an interface: 1.
  • Page 97: RSTP Interfaces

    • Port State—Displays the current STP state of a port. o Disabled—STP is currently disabled on the port. The port forwards traffic while learning MAC addresses. o Blocking—The port is currently blocked, and cannot forward traffic (with the exception of BPDU data) or learn MAC addresses. o Listening—The port is in Listening Mode.
  • Page 98 To configure RSTP: 1. Click Configuration > Spanning Tree Management > Spanning Tree. 2. Select Rapid STP on the Spanning Tree Mode line. 3. Click Configuration > Spanning Tree Management > Spanning Tree > RSTP Interfaces. 4. Select an interface, and click Edit. 5.
  • Page 99: MSTP Properties

    o Backup - Provides a backup path to the designated port path toward the spanning tree leaves. This provides a configuration in which two ports are connected in a loop by a point-to-point link. Backup ports are also used when a LAN has two or more established connections to a shared segment. o Disabled - The port is not participating in spanning tree.
  • Page 100 Decide which MSTP instance is to be active in which VLAN, and associate these MSTP instances to the VLAN(s) accordingly. Configure MSTP attributes on the following pages: • MSTP Properties • MSTP Instance Status • MSTP Instance Interface MSTP Interfaces The global MSTP configures a separate Spanning Tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree instance.
  • Page 101 Enter the parameters. • Region Name—Define an MSTP region name. • Revision—Define an unsigned 16-bit number that identifies the revision of the current MST configuration. The field range is from 0 to 65535. • Maximum Hops—Set the total number of hops that occur in a specific region ...
  • Page 102: MSTP Instance Status

    MSTP Instance Status The MSTP Instance Status page displays parameters of MST instances. This is the per-instance equivalent to the Spanning Tree page. To view MSTP instance settings: Click Configuration > Spanning Tree Management > MSTP Instance Status. • Instance ID—Select an MST instance to be displayed and defined. •...
  • Page 103: MSTP Instance Interface

    MSTP Instance Interface The MSTP Instance Interface page enables you to configure the port MSTP settings for every MST instance, and to view information that has currently been learned by the protocol, such as the designated bridge per MST instance. To configure the ports in an MST instance: 1.
  • Page 104 Learning—The port on this instance is in Learning mode. The port cannot forward traffic, but it can learn new MAC addresses. Forwarding—The port on this instance is in Forwarding mode. The port can forward traffic and learn new MAC addresses. Boundary—The port on this instance is a boundary port.
  • Page 105 • Forward Transitions—Displays the number of times the port has changed from the Forwarding state to the Blocking state. 4. Select an interface, and click Edit. 5. Enter the parameters. 6. Click Apply. The Running Configuration file is updated.
  • Page 106: Chapter 8 - MAC Address Management

    Chapter 8 - MAC Address Management There are two types of MAC addresses—static and dynamic. Depending on their type, MAC addresses are either stored in the Static Address table or in the Dynamic Address table, along with VLAN and port information. Static addresses are configured by the user, and therefore, they do not expire.
  • Page 107: Static MAC Addresses

    2. Enter Aging Time. The aging time is a value between the user-configured value and twice that value minus 1. For example, if you entered 300 seconds, the aging time is between 300 and 599 seconds. 3. Click Apply. The aging time is updated. 4.
  • Page 108: Reserved MAC Addresses

    o Permanent—The system never removes this MAC address. If the static MAC address is saved in the Startup Configuration, it is retained after rebooting. o Delete on reset—The static MAC address is deleted when the device is reset. o Delete on timeout—The MAC address is deleted when aging occurs. o Secure—The MAC address is secure when the interface is in classic locked mode (see Port...
  • Page 109 o LLC-SNAP—Applies to Logical Link Control/Sub-Network Access Protocol (LLC-SNAP) packets with the specific MAC address. o All—Applies to all packets with the specific MAC address and protocol. • Action—Select one of the following actions to be taken upon receiving a packet that matches the selected criteria: o Bridge—Forward the packet to all VLAN members.
  • Page 110: Chapter 9 - Multicast

    Chapter 9 – Multicast Multicast forwarding enables one-to-many information dissemination. Multicast applications are useful for dissemination of information to multiple clients, where clients do not require reception of the entire content. A typical application is a cable-TV-like service, where clients can join a channel in the middle of a transmission, and leave before it ends.
  • Page 111 The device can forward Multicast streams based on one of the following options: • Multicast MAC Group Address • IP Multicast Group Address (G) • A combination of the source IP address (S) and the destination IP Multicast Group Address (G) of the Multicast packet.
  • Page 112: Feature Configuration

    Feature Configuration The Feature Configuration page enables you to configure the Bridge Multicast filtering status. By default, all Multicast frames are flooded to all ports of the VLAN. To selectively forward only to relevant ports and filter (drop) the Multicast on the rest of the ports, enable Bridge Multicast filtering status in the Feature Configuration page.
  • Page 113 By selecting the forwarding mode, you can define the method used by hardware to identify Multicast flow by one of the following options: MAC Group Address, IP Group Address, or Source Specific IP Group Address. (S, G) is supported by IGMPv3, while IGMPv1/2 support only (*, G), which is just the group ID.
  • Page 114: IGMP Snooping

    IGMP Snooping To enable IGMP Snooping and identify the device as an IGMP Snooping Querier on a VLAN: 1. Click Configuration > Multicast > IGMP Snooping. 2. Enable IGMP Snooping. When IGMP Snooping is enabled globally, the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic.
  • Page 115: MLD Snooping

    • Querier Source IP Address—Select the source IP address of the IGMP Querier. The following options are available: o Auto—The system decides whether to use the IP address of the VLAN or the management IP address. o User Defined—This can be the IP address of the VLAN or it can be the management IP address.
  • Page 116: Multicast Router Ports

    • Immediate Leave—Select to enable the switch to remove an interface that sends a leave message from the forwarding table without first sending out MAC-based general queries to the interface. When an MLD Leave Group message is received from a host, the system removes the host port from the table entry. After it relays the MLD queries from the Multicast router, it deletes entries periodically if it does not receive any MLD membership reports from the Multicast clients.
  • Page 117: Forward All

    3. Click Search. The interfaces matching the query criteria are displayed. For each port or LAG, select its association type. • Static—The port is statically configured as a Multicast router port. • Dynamic—(Display only) The port is dynamically configured as a Multicast router port by an IGMP query.
  • Page 118: Unregistered Multicast

    To define Forward All Multicast: 1. Click Configuration > Multicast > Forward All. Define the following: 2. VLAN ID—The VLAN ID of the ports/LAGs to be displayed. 3. Interface Type—Define whether to display ports or LAGs. 4.
  • Page 119 You can select a port to receive or filter unregistered Multicast streams. The configuration is valid for any VLAN of which it is a member (or will be a member). This feature ensures that the customer receives only the Multicast groups requested and not others that may be transmitted in the network.
  • Page 120: IGMP/MLD IP Group Addresses

    IGMP/MLD IP Group Addresses The IGMP IP Group Addresses page displays the IPv4 group address learned from IGMP messages. There might be a difference between information on this page and, for example, information displayed in the MAC Group Address FDB page. Assume that the system is in MAC-based groups mode and a port has requested to join the Multicast groups 224.1.1.1 and 225.1.1.1; both are mapped to the same MAC Multicast address 01:00:5e:01:01:01.
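The collision the page describes (224.1.1.1 and 225.1.1.1 sharing 01:00:5e:01:01:01) follows from the IPv4-to-Ethernet multicast mapping, which keeps only the low-order 23 bits of the group address. The following Python is an added example, not code from the manual or the device; the group addresses it uses are constructed sample values. It computes the MAC for a group, lists all 32 groups that alias to the same MAC, and flags aliasing within a set of joined groups, which is why MAC-based forwarding mode delivers more streams to a port than IP-based mode does.

```python
import ipaddress
from collections import defaultdict

MCAST_MAC_PREFIX = 0x01005E000000  # 01:00:5e:00:00:00, the IANA IPv4 multicast OUI


def ipv4_mcast_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet address (RFC 1112 section 6.4):
    01:00:5e followed by the low-order 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = MCAST_MAC_PREFIX | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliases_of(group: str) -> list:
    """All 32 IPv4 multicast groups that share a MAC with `group`: the 1110 prefix and
    the low 23 bits are fixed, so the 5 bits in between (bits 23-27) are free."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def mac_aliases(joined_groups) -> dict:
    """Return {mac: [groups]} for every MAC that more than one joined group maps to.
    In MAC-based forwarding mode a port that joined one of them receives all of them."""
    by_mac = defaultdict(list)
    for g in joined_groups:
        by_mac[ipv4_mcast_to_mac(g)].append(g)
    return {mac: groups for mac, groups in by_mac.items() if len(groups) > 1}


if __name__ == "__main__":
    # Constructed sample: the two groups from the manual plus an unrelated one.
    joined = ["224.1.1.1", "225.1.1.1", "239.255.255.250"]
    for g in joined:
        print(g, "->", ipv4_mcast_to_mac(g))
    print("aliasing:", mac_aliases(joined))
```

Running `mac_aliases` over the groups a port has actually joined tells you which extra streams that port will receive in MAC-based mode; switching the forwarding mode to IP Group Address (or Source Specific) removes the ambiguity.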
  • Page 121: MAC Group Address FDB

    • Excluded Ports — The list of ports not included in the group. • Compatibility Mode — The oldest IGMP version of registration from the hosts the device receives on the IP group address. MAC Group Address FDB The device supports forwarding incoming Multicast traffic based on the Multicast group information.
  • Page 122 To define and view MAC Multicast groups: 1. Click Configuration > Multicast > MAC Group Address FDB. 2. Enter the parameters. • VLAN ID—Enter the VLAN ID of the group to be displayed. • MAC Group Address—Set the MAC address of the Multicast group to be displayed.
  • Page 123: IP Group Address FDB

    IP Group Address FDB The IP Group Address FDB page enables querying and adding IP Multicast groups contained in the IP Multicast Groups Forwarding Data Base. To define and view IP Multicast groups: 1. Click Configuration > Multicast > IP Group Address FDB. The page contains all of the IP Multicast group addresses learned by snooping.
  • Page 124 6. Click Apply. The IP Multicast group is added, and the device is updated. To configure and display the registration of an IP group address, select an address and click Membership. The VLAN ID, IP Version, IP Multicast group address, and Source IP address selected are displayed as read-only in the top of the window.
  • Page 125: Chapter 10 - IP Interface

    Chapter 10 - IP Interface IPv4 Layer 2 IP Addressing The device has one IPv4 address and up to two IPv6 interfaces in the management VLAN. This IP address and the default gateway can be configured manually, or by DHCP. The static IP address and default gateway are configured on the IPv4 Interface page.
  • Page 126: IPv4 Interface

    • With factory default settings, when no statically defined or DHCP-acquired IP address is available, the default IP address is used. When the other IP addresses become available, the addresses are automatically used. The default IP address is always on the management VLAN.
  • Page 127 • Subnet Mask—Select and enter the IP address mask. • Prefix Length—Select and enter the length of the IPv4 address prefix. • User Defined Default Gateway—Select User Defined and enter the default gateway IP address. • Default Gateway—Displays the current default gateway status. ...
  • Page 128: IPv6

    The ARP table displays the following fields: • IP Interface—The IPv4 Interface of the directly-connected IP subnet where the IP device resides. • IP Address—The IP address of the IP device. • MAC Address—The MAC address of the IP device. ...
  • Page 129: IPv6 Interface

    IPv6 Interface An IPv6 interface can be configured on a port, LAG, or VLAN. To define an IPv6 interface: 1. Click Configuration > IP Interface > IPv6 > IPv6 Interface. 2. Click Add to add a new interface on which IPv6 is enabled. 3.
  • Page 130: IPv6 Interface Addresses

    • All link local Multicast addresses (FF02::1) • Solicited-Node Multicast address (format FF02::1:FFXX:XXXX) IPv6 Interface Addresses To assign an IPv6 address to an IPv6 Interface: 1. Click Configuration > IP Interface > IPv6 > IPv6 Interface Addresses. 2. To filter the table, select an interface name, and click Search. The interface appears in the IPv6 Address Table.
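The solicited-node format FF02::1:FFXX:XXXX listed above is derived from the interface's own addresses, and each of those multicast groups in turn maps to an Ethernet address. The following Python is an added example, not code from the manual or the device; the unicast addresses it uses are constructed sample values. It derives the solicited-node group for an address, the 33:33 MAC for any IPv6 multicast group, and the full set of groups an interface with the given addresses listens on, which is what MLD snooping has to account for.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(unicast: str) -> str:
    """Solicited-node multicast address (RFC 4291 section 2.7.1): FF02::1:FFXX:XXXX,
    where XX:XXXX are the low-order 24 bits of the unicast or anycast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def ipv6_mcast_to_mac(group: str) -> str:
    """Ethernet address for an IPv6 multicast group (RFC 2464 section 7):
    33:33 followed by the low-order 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def interface_groups(link_local: str, global_addrs=()) -> set:
    """The multicast groups an IPv6 interface listens on, as the manual lists them:
    all-nodes (FF02::1) plus one solicited-node group per configured address.
    Addresses that share their low 24 bits share a solicited-node group."""
    groups = {"ff02::1"}
    for a in (link_local, *global_addrs):
        groups.add(solicited_node(a))
    return groups


if __name__ == "__main__":
    # Constructed sample interface: a link-local address and one global address.
    for g in sorted(interface_groups("fe80::1", ["2001:db8::1234:5678:9abc"])):
        print(g, "->", ipv6_mcast_to_mac(g))
```

The last function is the useful one when checking an MLD snooping table: every group it returns should appear as a registration for the port, and a missing solicited-node group means neighbor solicitation for that address will not reach the interface once filtering is enabled.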
  • Page 131 • Prefix Length—The length of the Global IPv6 prefix is a value from 0-128 indicating the number of high-order contiguous bits of the address that comprise the prefix (the network portion of the address). • EUI-64—Select to use the EUI-64 parameter to identify the interface ID portion of ...
  • Page 132: IPv6 Routes

    • Type — The default router configuration that includes the following options: • Static—The default router was manually added to this table through the Add button. • Dynamic—The default router was dynamically configured. 2. Click Add to add a static default router. 3.
  • Page 133: IPv6 Neighbors

    • Next Hop Router IPv6 Address—Address where the packet is forwarded. Typically, this is the address of a neighboring router. It can be one of the following types. o Link Local—An IPv6 interface and IPv6 address that uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network.
  • Page 134 The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv6 interface. The IPv6 Neighbor Table (also known as IPv6 Neighbor Discovery Cache) displays the MAC addresses of the IPv6 neighbors that are in the same IPv6 subnet as the device. This is the IPv6 equivalent of the IPv4 ARP Table.
  • Page 135: Chapter 11 - IP Network Operations

    Chapter 11 - IP Network Operations Domain Name System The Domain Name System (DNS) translates domain names into IP addresses for the purpose of locating and addressing hosts. As a DNS client, this device resolves domain names to IP addresses through the use of one or more configured DNS servers.
  • Page 136: DHCP

    Up to eight DNS servers can be defined. To add a DNS server: 1. Click Add. 2. Enter the parameters. • IP Version—Select IPv6 or IPv4. • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). o Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
  • Page 137 • DHCP Insertion—Add Option 82 information to packets that do not have foreign Option 82 information. • DHCP Passthrough—Forward or reject DHCP packets that contain Option 82 information from untrusted ports. On trusted ports, DHCP packets containing Option 82 information are always forwarded.
  • Page 138 4. DHCP server sends DHCPOFFER packet to offer an IP address, DHCPACK to assign one, or DHCPNAK to deny the address request. 5. Device snoops packet. If an entry exists in the DHCP Snooping Binding table that matches the packet, the device replaces it with IP-MAC binding on receipt of DHCPACK. 6.
  • Page 139: DHCP Snooping

    DHCP Snooping In Layer 2, DHCP Snooping can only be enabled on VLANs with IP addresses. To globally configure DHCP Snooping/Relay: 1. Click Configuration > IP Network Operations > DHCP > DHCP Snooping. 2. To enable DHCP Snooping, enter the following fields: • DHCP Snooping—Select to enable DHCP Snooping.
  • Page 140 DHCP Interfaces In Layer 2, DHCP Snooping can only be enabled on VLANs with IP addresses. To enable DHCP Snooping on specific interfaces: 1. Click Configuration > IP Network Operations > DHCP > DHCP Interfaces. 2. The following fields are displayed for each interface for which DHCP Snooping is enabled: ...
  • Page 141: DHCP Snooping Binding Database

    Trusted Interface Packets from untrusted ports/LAGs are checked against the DHCP Snooping Binding Database. By default, interfaces are untrusted. To designate an interface as untrusted go to Interface Settings. DHCP Snooping Binding Database Note the following points about maintenance of the DHCP Snooping Binding database: The device does not update the DHCP Snooping Binding database when a station moves to another interface.
  • Page 142 When DHCP Snooping is disabled for a VLAN, the binding entries that were collected for that VLAN are removed. If the database is full, DHCP Snooping continues to forward packets, but new entries are not created. To add entries to the DHCP Snooping Binding database: 1.
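The Option 82 handling on page 137, the DHCPACK snooping step on page 138 and the binding database maintenance points on pages 141 and 142 together define one behaviour: replies seen by the switch populate a table, packets from untrusted ports are checked against it, a full table stops learning but not forwarding, a station move is not tracked, and disabling snooping on a VLAN flushes that VLAN's entries. The following Python is an added model of that behaviour written for this example; it is not the switch's implementation, and the capacity, port names and addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnoopingDb:
    """Illustrative model of the DHCP Snooping Binding database as the manual describes it
    (assumption: this is an example, not the device's code)."""

    def __init__(self, trusted_ports, capacity=4, option82_passthrough=False):
        self.trusted = set(trusted_ports)          # trusted ports/LAGs are never checked
        self.capacity = capacity                   # constructed table-size limit
        self.option82_passthrough = option82_passthrough
        self.snooping_vlans = set()                # VLANs on which snooping is enabled
        self.bindings = {}                         # (vlan, mac) -> Binding

    def enable_vlan(self, vlan):
        self.snooping_vlans.add(vlan)

    def disable_vlan(self, vlan):
        """Disabling snooping on a VLAN removes the entries collected for it."""
        self.snooping_vlans.discard(vlan)
        self.bindings = {k: b for k, b in self.bindings.items() if b.vlan != vlan}

    def client_request(self, port, has_option82):
        """Option 82 policy for a client DHCP packet on its ingress port: trusted ports
        always forward; untrusted ports forward foreign Option 82 only when DHCP
        Passthrough is enabled. Returns True if the packet is forwarded."""
        if port in self.trusted or not has_option82:
            return True
        return self.option82_passthrough

    def snoop_ack(self, vlan, mac, ip, client_port):
        """Process a snooped DHCPACK granting `ip` to `mac` on `vlan`. An existing entry for
        the client is replaced; when the table is full the ACK is still forwarded but no
        entry is created. Returns True if a binding was written."""
        if vlan not in self.snooping_vlans:
            return False
        key = (vlan, mac)
        if key not in self.bindings and len(self.bindings) >= self.capacity:
            return False
        self.bindings[key] = Binding(mac, ip, vlan, client_port)
        return True

    def check(self, port, vlan, mac, ip):
        """Check a packet from its ingress port against the table. Trusted ports are not
        checked; an untrusted port must match an entry in every field. A station that moved
        to another port fails here because the table is not updated on a move."""
        if port in self.trusted:
            return "trusted"
        b = self.bindings.get((vlan, mac))
        if b is None:
            return "no-binding"
        if b.ip != ip:
            return "ip-mismatch"
        if b.port != port:
            return "port-mismatch"
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: uplink gi1 is trusted, clients sit on gi5/gi6.
    db = DhcpSnoopingDb(trusted_ports={"gi1"}, capacity=2)
    db.enable_vlan(10)
    db.snoop_ack(10, "00:11:22:33:44:55", "192.0.2.10", "gi5")
    print(db.check("gi5", 10, "00:11:22:33:44:55", "192.0.2.10"))   # ok
    print(db.check("gi6", 10, "00:11:22:33:44:55", "192.0.2.10"))   # port-mismatch
```

The `port-mismatch` case is the one operators trip over most: after a client is moved to a different port, its binding still names the old port until the lease is renewed or the entry is re-added, which the manual's maintenance note on page 141 is warning about.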
  • Page 143: Interface Settings

    Interface Settings To configure trusted interfaces: Click Configuration > IP Network Operation > Interface Settings. • Interface—Interface identifier. • DHCP Snooping Trusted Interface—Whether the interface is DHCP Snooping trusted. ...
  • Page 144: Chapter 12 - Security

    Chapter 12 – Security Management Security The default username/password is admin/admin. User Access & Accounts The User Access & Accounts page enables entering additional users that are permitted to access the device (read-only or read-write) or changing the passwords of existing users. User authentication occurs in the order that the authentication methods are selected.
  • Page 145 To add a new user: 1. Click Configuration > Security > Management Security > User Access & Accounts. 2. Enter the following fields: • HTTP Service—Select to enable on the device. • HTTP Server Port—Enter the port on which HTTP is enabled. •...
  • Page 146 User authentication occurs in the order that the authentication methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authenticated locally.
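The ordering rule above (fall through to the next method only when the first is unavailable) decides what happens to a login when every RADIUS server is down. The following Python is an added example, not code from the manual or the device; the server handlers and the local user database are constructed stand-ins. It follows the manual's stated rule and adds the assumption that an explicit accept or reject from a reachable server is final, so an unreachable RADIUS server degrades to local authentication but a RADIUS reject does not.

```python
from enum import Enum


class AuthResult(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # no server replied; the next method is tried


def radius_method(servers):
    """Build a method that queries RADIUS servers in priority order (lower number first).
    `servers` is a list of (priority, handler); handler(user, password) returns an
    AuthResult, or None if that server did not reply. Only when no server replies at all
    does the method report UNAVAILABLE."""
    ordered = [handler for _, handler in sorted(servers, key=lambda s: s[0])]

    def method(user, password):
        for handler in ordered:
            reply = handler(user, password)
            if reply is not None:
                return reply
        return AuthResult.UNAVAILABLE
    return method


def local_method(users):
    """Local user database; always available, so it never falls through."""
    def method(user, password):
        return AuthResult.ACCEPT if users.get(user) == password else AuthResult.REJECT
    return method


def authenticate(methods, user, password):
    """Run the selected methods in order. Fall through only when a method is UNAVAILABLE;
    an explicit ACCEPT or REJECT is final (assumption: the manual states only the
    unavailable case). Returns (method_name, result)."""
    for name, method in methods:
        result = method(user, password)
        if result is AuthResult.UNAVAILABLE:
            continue
        return name, result
    return None, AuthResult.UNAVAILABLE


def demo(radius_up):
    """Constructed scenario: methods RADIUS then Local, two RADIUS servers of which the
    primary may be down and the secondary never replies; credentials are made up."""
    def primary(user, password):
        return AuthResult.REJECT if radius_up else None

    def secondary(user, password):
        return None

    methods = [
        ("RADIUS", radius_method([(2, secondary), (1, primary)])),
        ("Local", local_method({"admin": "constructed-local-secret"})),
    ]
    return authenticate(methods, "admin", "constructed-local-secret")
```

`demo(False)` lands on Local, while `demo(True)` returns the RADIUS reject without consulting the local database; if a deployment wants local accounts usable only while RADIUS is unreachable, this is the behaviour to verify on the device, because the local password then matters exactly when the central policy cannot be enforced.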
  • Page 147: Access Profile

    Access Profile Access profiles determine how to authenticate and authorize users accessing the device through various access methods. Access profiles can limit management access from specific sources. Only users who both pass the active access profile and are authorized by the authentication methods that correspond to the access method are given management access to the device.
  • Page 148 • Source IP Address—IP addresses or subnets. Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS session, while another user group might be able to access the device module by using both HTTPS and Telnet sessions.
  • Page 149 • Telnet—Users requesting access to the device who meet the Telnet access profile criteria are permitted or denied access. • HTTP—Users requesting access to the device who meet the HTTP access profile criteria are permitted or denied. • Secure HTTP (HTTPS)—Users requesting access to the device who meet the HTTPS access profile criteria are permitted or denied.
  • Page 150: Access Profile Rules

    Access Profile Rules Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device, and the access methods that may be used. Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority;...
  • Page 151 o All—Assigns all management methods to the rule. o Telnet—Users requesting access to the device who meet the Telnet access profile criteria are permitted or denied access. o HTTP—Assigns HTTP access to the rule. Users requesting access to the device who meet the HTTP access profile criteria are permitted or denied. o Secure HTTP (HTTPS)—Users requesting access to the device who meet the HTTPS access profile criteria are permitted or denied.
  • Page 152: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) servers provide centralized 802.1X network access control. The device is a RADIUS client that can use a RADIUS server to provide centralized security. An organization can establish a RADIUS server to provide centralized 802.1X network access control for all of its devices.
  • Page 153 Defaults The following defaults are relevant to this feature: • No default RADIUS server is defined by default. • If you configure a RADIUS server, the accounting feature is disabled by default. To use a RADIUS server: 1. Open an account for the device on the RADIUS server. 2.
  • Page 154 • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are: o Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network.
  • Page 155: Network Access Control

    Network Access Control 802.1x authentication restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1x authentication is a client-server model. In this model, network devices have the following specific roles: • Client or supplicant • Authenticator • Authentication server This is described in the figure below: A network device can be either a client/supplicant, an authenticator or both per port.
  • Page 156 Authentication Server An authentication server performs the actual authentication of the client. The authentication server for the device is a RADIUS authentication server with EAP extensions. Port Administrative Authentication States The port administrative state determines whether the client is granted access to the network. The port administrative state can be configured in the Port Authentication page.
  • Page 157 Multiple Authentication Methods If more than one authentication method is enabled on the switch, the following hierarchy of authentication methods is applied: • 802.1x Authentication: Highest • MAC-Based Authentication: Lowest Multiple methods can run at the same time. When one method finishes successfully, the client becomes authorized, the methods with lower priority are stopped and the methods with higher priority continue.
  • Page 158 In this case, the switch supports EAP MD5 functionality with the username and password equal to the client MAC address, as shown below. Guest VLAN The guest VLAN provides access to services that do not require the subscribing devices or ports to be 802.1X or MAC-based authenticated and authorized.
  • Page 159 When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as follows: • Single-Host and Multi-Host Mode Untagged traffic and tagged traffic belonging to the RADIUS-assigned VLAN are bridged via this VLAN. All other traffic not belonging to unauthenticated VLANs is discarded. • Full Multi-Sessions Mode ...
  • Page 160 Feature Configuration The Feature Configuration page is used to globally enable 802.1X and define how ports are authenticated. For 802.1X to function, it must be activated globally and individually on each port. To define port-based authentication: 1. Click Configuration > Security > Network Access Control > Feature Configuration. 2.
  • Page 161: Port Authentication

    • Guest VLAN—Enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the guest VLAN.
  • Page 162 2. Select a port, and click Edit. 3. Enter the parameters. • Interface—Select a port. • Port Control—Select the Administrative Port Authorization state. o Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device does not provide authentication services to the client through the interface.
  • Page 163: Authenticated Hosts

    • Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated. 4. Click Apply. The port settings are written to the Running Configuration file. Authenticated Hosts To display details about authenticated users: Click Configuration > Security > Network Access Control > Authenticated Hosts. •...
  • Page 164 Mode Behavior The following table describes how authenticated and non-authenticated traffic is handled in various situations. Unauthenticated Traffic, Multi-host: With Guest VLAN, untagged frames are remapped to the guest VLAN and tagged frames are dropped unless they belong to ...; Without Guest VLAN, untagged frames are dropped and tagged frames are dropped.
  • Page 165: Port Security

    Port Security Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured. Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.
  • Page 166 To configure port security: 1. Click Configuration > Security > Port Security. 2. Select an interface to be modified, and click Edit. 3. Enter the parameters. • Interface—Select the interface name. • Interface Status—Select to lock the port. • Learning Mode—Select the type of port locking. To configure this field, the Interface Status must be unlocked.
  • Page 167: Storm Control

    Storm Control When Broadcast, Multicast, or Unknown Unicast frames are received, they are duplicated, and a copy is sent to all possible egress ports. This means that in practice they are sent to all ports belonging to the relevant VLAN. In this way, one ingress frame is turned into many, creating the potential for a traffic storm.
  • Page 168 • Storm Control Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. The default for this threshold is 10,000 for FE devices and 100,000 for GE devices. 3. Click Apply. Storm control is modified, and the Running Configuration file is updated.
  • Page 169: Chapter 13 - Access Control List

    Chapter 13 - Access Control List The Access Control List (ACL) feature is part of the security mechanism. ACLs enable network managers to define patterns (filter and actions) for ingress traffic. Packets, entering the device on a port or LAG with an active ACL, are either admitted or denied entry. An Access Control List (ACL) is an ordered list of classification filters and actions.
  • Page 170: MAC-Based ACL

    • MAC-based ACL by using the MAC Based ACL page and the MAC Based ACE page. • IPv4-Based ACL by using the IPv4 Based ACL page and the IPv4 Based ACE page. • IPv6-Based ACL by using the IPv6 Based ACL page and the IPv6 Based ACE page. ...
  • Page 171: MAC-Based ACE

    MAC-based ACLs are defined in the MAC Based ACL page. The rules are defined in the MAC-Based ACE page. To define a MAC-based ACL: 1. Click Configuration > Access Control List > MAC Based ACL. This page contains a list of all currently-defined MAC-based ACLs. 2.
  • Page 172 • Destination MAC Address—Select Any if all destination addresses are acceptable or User Defined to enter a destination address or a range of destination addresses. • Destination MAC Address Value—Enter the MAC address to which the destination MAC address is to be matched and its mask (if relevant). •...
  • Page 173: IPv4-Based ACL

    IPv4-Based ACL IPv4-based ACLs are used to check IPv4 packets, while other types of frames, such as ARPs, are not checked. The following fields can be matched: • IP protocol (by name for well-known protocols or directly by value) • Source/destination ports for TCP/UDP traffic • Flag values for TCP frames ...
  • Page 174: IPv4-Based ACE

    IPv4-Based ACE To add rules (ACEs) to an IPv4-Based ACL: 1. Click Configuration > Access Control List > IPv4-Based ACE. 2. Select an ACL, and click Search. All currently-defined IP ACEs for the selected ACL are displayed. 3. Click Add. 4.
  • Page 175 • Protocol ID—Instead of selecting the name, enter the protocol ID. • Source IP Address—Select Any if all source addresses are acceptable or User Defined to enter a source address or range of source addresses. • Source IP Address Value—Enter the IP address to which the source IP address is to be matched and its mask (if relevant).
  • Page 176: IPv6-Based ACL

    IPv6-Based ACL To define an IPv6-Based ACL: 1. Click Configuration > Access Control List > IPv6 Based ACL. This page contains all currently defined IPv6-Based ACLs. 2. Click Add. 3. Enter the name of the new ACL in the ACL Name field. The names are case-sensitive. 4.
  • Page 177 2. Select an ACL, and click Search. All currently-defined IP ACEs for the selected ACL are displayed. 3. Click Add. 4. Enter the parameters. • ACL Name—Displays the name of the ACL. • ACE Priority—Enter the priority. ACEs with higher priority are processed first. ...
  • Page 178: ACL Binding

    • Note—You must specify the IP protocol for the ACE before you can enter the source and/or destination port. • Type of Service—The service type of the IP packet. o Any—Any service type. o DSCP to Match—Differentiated Services Code Point (DSCP) to match. o IP Precedence—IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments.
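The IPv4 ACE fields described on pages 173 through 178 (protocol by name or ID, source and destination address with mask, TCP/UDP ports that require the protocol to be set first, DSCP, and a per-ACE priority) amount to an ordered classifier. The following Python is an added example, not code from the manual or the device. It models an ACL as a list of ACEs and evaluates a packet against it; the sample ACL, its addresses and ports are constructed, and three points are assumptions rather than statements from the manual: the mask uses subnet-mask semantics, the lowest priority number is evaluated first, and a packet matching no ACE is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def protocol_number(protocol) -> Optional[int]:
    """Accept a well-known name or a numeric protocol ID; None means Any."""
    if protocol is None:
        return None
    return PROTOCOL_NUMBERS[protocol.lower()] if isinstance(protocol, str) else int(protocol)


@dataclass
class Ace:
    """One IPv4 access control entry with the match fields the manual lists.
    `src`/`dst` are "address/mask" strings or None for Any; ports are None for Any."""
    priority: int
    action: str                              # "permit" or "deny"
    protocol: Union[str, int, None] = None   # name, protocol ID, or None for Any
    src: Optional[str] = None
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        # The manual's note: ports can only be entered once the IP protocol is TCP or UDP.
        if (self.src_port is not None or self.dst_port is not None) and \
                protocol_number(self.protocol) not in (6, 17):
            raise ValueError("source/destination ports require protocol TCP or UDP")


def address_matches(spec: Optional[str], address: str) -> bool:
    """Match an address against "network/mask"; a 1 bit in the mask means the bit must
    match (subnet-mask semantics, assumed here; the manual only says 'and its mask')."""
    if spec is None:
        return True
    net, mask = spec.split("/")
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(address)) & m) == (int(ipaddress.IPv4Address(net)) & m)


def evaluate(acl, pkt):
    """Return (action, priority) of the first matching ACE, or ("deny", None) when nothing
    matches (implicit deny, assumed). ACEs are tried in priority order, lowest number
    first (assumed; the manual only says higher-priority ACEs are processed first)."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.protocol is not None and protocol_number(ace.protocol) != pkt["proto"]:
            continue
        if not address_matches(ace.src, pkt["src"]) or not address_matches(ace.dst, pkt["dst"]):
            continue
        if ace.src_port is not None and pkt.get("sport") != ace.src_port:
            continue
        if ace.dst_port is not None and pkt.get("dport") != ace.dst_port:
            continue
        if ace.dscp is not None and pkt.get("dscp") != ace.dscp:
            continue
        return ace.action, ace.priority
    return "deny", None


def packet(proto, src, dst, sport=None, dport=None, dscp=0):
    """Minimal packet description for evaluate(); values are constructed for the example."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "dscp": dscp}


# Constructed sample ACL: block Telnet to the management host, allow SSH from the admin
# subnet, allow ICMP from anywhere; everything else falls to the implicit deny.
SAMPLE_ACL = [
    Ace(10, "deny", "tcp", dst="198.51.100.5/255.255.255.255", dst_port=23),
    Ace(20, "permit", "tcp", src="192.0.2.0/255.255.255.0", dst_port=22),
    Ace(30, "permit", "icmp"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, packet(6, "192.0.2.10", "198.51.100.5", 51000, 22)))   # ('permit', 20)
    print(evaluate(SAMPLE_ACL, packet(6, "203.0.113.9", "198.51.100.5", 51000, 22)))  # ('deny', None)
```

Before binding an ACL to a port, running candidate packets through a model like this shows which ACE each one hits; a permit that is reached only because a broader deny sits at a later priority is the usual ordering mistake, and the implicit-deny outcome is the one to confirm explicitly on the device since the page does not state it.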
  • Page 179 Note—To unbind all ACLs from an interface, select the interface, and click Clear. 4. Select an interface, and click Edit. 5. Select one of the following: • MAC Based ACL—Select a MAC-based ACL to be bound to the interface. • IPv4 Based ACL—Select an IPv4-Based ACL to be bound to the interface.
  • Page 180: Chapter 14 - Quality Of Service

    Chapter 14 - Quality of Service The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment. The QoS feature is used to optimize network performance. It provides classification of incoming traffic to traffic classes, based on attributes, including: •...
  • Page 181 QoS Modes The QoS mode that is selected applies to all interfaces in the system. • Basic Mode—Class of Service (CoS). All traffic of the same class receives the same treatment, which is the single QoS action of determining the egress queue on the egress port, based on the indicated QoS value in the incoming frame.
  • Page 182: Feature Configuration

    Feature Configuration The Feature Configuration page contains fields for setting the QoS mode for the system (Basic, or Disabled, as described in the “QoS Modes” section). In addition, the default CoS priority for each interface can be defined. To select the QoS mode: 1.
  • Page 183: Queue Scheduling

    2. Enter the parameters. • Interface—Select the port or LAG. • Default CoS—Select the default CoS (Class-of-Service) value to be assigned to incoming packets (that do not have a VLAN tag). 3. Click Apply. The interface default CoS value is saved to the Running Configuration file. Queue Scheduling The device supports 4 queues for each interface.
  • Page 184: CoS/802.1p to Queue

    It is also possible to assign some of the lower queues to WRR, while keeping some of the higher queues in strict priority. In this case, traffic for the strict priority queues is always sent before traffic from the WRR queues. Only after the strict priority queues have been emptied is traffic from the WRR queues forwarded.
  • Page 185 The CoS/802.1p to Queue page maps 802.1p priorities to egress queues. The CoS/802.1p to Queue Table determines the egress queues of the incoming packets based on the 802.1p priority in their VLAN Tags. For incoming untagged packets, the 802.1p priority is the default CoS/802.1p priority assigned to the ingress ports.
  • Page 186: Dscp To Queue

    DSCP to Queue The DSCP (IP Differentiated Services Code Point) to Queue page maps DSCP values to egress queues. The DSCP to Queue Table determines the egress queues of the incoming IP packets based on their DSCP values. The original VPT (VLAN Priority Tag) of the packet is unchanged. By simply changing the DSCP to Queue mapping and the queue schedule method and bandwidth allocation, it is possible to achieve the desired quality of service in a network.
  • Page 187: Bandwidth Control

    To map DSCP to queues: 1. Click Configuration > Quality of Service > DSCP to Queue. 2. Select the Output Queue (traffic forwarding queue) to which the DSCP value is mapped. 3. Click Apply. The Running Configuration file is updated. Bandwidth Control The Bandwidth Control page enables users to define two values, Ingress Rate Limit and Egress Shaping Rate, which determine how much traffic the system can receive and send.
  • Page 188: Egress Shaping

    • Ingress Rate Control—Select to enable the ingress rate limit, which is defined in the field below. • Ingress Rate Limit—Enter the maximum amount of bandwidth allowed on the interface. • Ingress Committed Burst Size—Enter the maximum burst size of data for the ingress interface in bytes of data.
  • Page 189: Basic Qos

    To define egress shaping per queue: 1. Click Configuration > Quality of Service > Egress Shaping. The Egress Shaping page displays the rate limit and burst size for each queue. 2. Select an interface type (Port or LAG), and click Search. 3.
  • Page 190 To configure Basic QoS mode: 1. Select Basic mode for the system by using the Feature Configuration page. 2. Select the trust-behavior using the Basic QoS page. The device supports CoS/802.1p trusted mode and DSCP trusted mode. CoS/802.1p trusted mode uses the 802.1p priority in the VLAN tag.
  • Page 191: Qos Statistics

    QoS Statistics Queues Statistics The Queues Statistics page displays queue statistics, including statistics of forwarded and dropped packets, based on interface, queue, and drop precedence. To view Queues Statistics: 1. Click Configuration > Quality of Service > QoS Statistics > Queues Statistics. This page displays the following fields: • Refresh Rate—Select the time period that passes before the interface Ethernet...
  • Page 192 • Queue—Packets were forwarded or tail dropped from this queue. • Drop Precedence—Lowest drop precedence has the lowest probability of being dropped. • Total Packets—Number of packets forwarded or tail dropped. • Tail Drop Packets—Percentage of packets that were tail dropped. ...
  • Page 193: Chapter 15 - Maintenance

    Chapter 15 - Maintenance All models can be fully managed through the web-based switch configuration utility. GE is the naming convention used for Gigabit Ethernet (10/100/1000) ports. In Layer 2 system mode, the device forwards packets as a VLAN-aware bridge. Reboot Some configuration changes, such as enabling jumbo frame support, require the system to be rebooted before they take effect.
  • Page 194 Content can be copied from one configuration file type to another, but the names of the file types cannot be changed by the user. Other files on the device include firmware, boot code, and log files, and are referred to as operational files.
  • Page 195 Firmware & Boot Code The Upgrade/Backup Firmware process can be used to upgrade or backup the firmware image and/or boot code. The following methods for transferring files are supported: • HTTP/HTTPS that uses the facilities provided by the browser • TFTP that requires a TFTP server There are two firmware images stored on the device.
  • Page 196 • Boot Code—Controls the basic system startup and launches the firmware image. • Source File Name—Enter the name of the source file. • TFTP Server—Select whether to specify the TFTP server by IP address or domain name. • IP Version—Select whether an IPv4 or an IPv6 address is used. ...
  • Page 197: Active Firmware Image

    Active Firmware Image There are two firmware images stored on the device. One of the images is identified as the active image and the other image is identified as the inactive image. The device boots from the image you set as the active image. You can change the image identified as the inactive image to the active image.
  • Page 198 Configuration & Log The Configuration & Log (Backup & Download) page enables: • Backing up configuration files or logs from the device to an external device. • Restoring configuration files from an external device to the device. When restoring a configuration file to the Running Configuration, the imported file adds any configuration commands that did not exist in the old file and overwrites any parameter values in the existing configuration commands.
  • Page 199 • TFTP Server—Select whether to specify the TFTP server by IP address or domain name. • IP Version—Select whether an IPv4 or an IPv6 address is used. • IPv6 Address Type o Link Local—The IPv6 address uniquely identifies hosts on a single network link.
  • Page 200: Configuration File Copy

    Configuration File Copy When you click Apply on any window, changes that you made to the device configuration settings are stored only in the Running Configuration. To preserve the parameters in the Running Configuration, the Running Configuration must be copied to another configuration type or saved on another device.
  • Page 201: Diagnostics

    Diagnostics Copper Test The Copper Test page displays the results of integrated cable tests performed on copper cables by the Virtual Cable Tester (VCT). VCT performs two types of tests: • Time Domain Reflectometry (TDR) technology tests the quality and characteristics of a...
  • Page 202: Optical Module Status

    To test copper cables attached to ports: 1. Click Maintenance > Diagnostics > Copper Test. 2. Select the port on which to run the test. 3. Click Test. 4. When the message appears, click OK to confirm that the link can go down or Cancel to abort the test.
  • Page 203 • Serial Number—Serial number of optical transceiver. • Data Ready—SFP is operational. Values are True and False. • Loss of Signal—Local SFP reports signal loss. Values are True and False. • Transmitter Fault—Remote SFP reports signal loss. Values are True, False, and No Signal (N/S).
  • Page 204 • IPv6 Address Type—Select Link Local or Global as the type of IPv6 address to enter as the destination IP address. o Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network.
  • Page 205 Traceroute Traceroute discovers the IP routes along which packets were forwarded by sending an IP packet to the target host and back to the device. The Traceroute page shows each hop between the device and a target host, and the roundtrip time to each such hop. 1.
  • Page 206: Port Mirroring

    • Timeout—Enter the length of time that the system waits for a frame to return before declaring it lost, or select Use Default. 3. Click Start. The operation is performed. A page appears showing the Round Trip Time (RTT) and status for each trip in free text containing the following information: •...
  • Page 207 • Source Port—Interface, port, from which traffic is sent to the analyzer port. • Mirror Type—Type of monitoring: incoming to the port (Rx), outgoing from the port (Tx), or both. • Status—Displays one of the following values: o Active—Both source and destination interfaces are up and forwarding traffic.
  • Page 208: Chapter 16 - Support

    Chapter 16 - Support Click “Get Support” to go to the Linksys Small Business support website. Resources available there include setup help, frequently asked questions, software downloads, live chat with technical support, and community forums.
  • Page 209 Visit linksys.com/support for award-winning 24/7 technical support. BELKIN, LINKSYS and many product names and logos are trademarks of the Belkin group of companies. Third-party trademarks mentioned are the property of their respective owners. Licenses and notices for third party software used in this product may be viewed here: http://support.linksys.com/en-us/license.

This manual is also suitable for: LGS318, LGS326, LGS318P, LGS308P, LGS326P