Page 1: Management Guide
MANAGEMENT GUIDE Web Smart 10-Port GE PoE Switch SMCGS10P-Smart...
Page 2 Web Smart 10-Port GE PoE Switch Management Guide No. 1, Creation Road III, Hsinchu Science Park, 30077, Taiwan, R.O.C. February 2012 TEL: +886 3 5638888 Pub. # 149100000169A Fax: +886 3 6686111 SMC-UG-0212-02...
Page 3 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
Page 4: Warranty And Product Registration
ARRANTY AND RODUCT EGISTRATION To register SMC products and to review the detailed warranty statement, please refer to the Support Section of the SMC Website at http:// www.smc.com. – 4 –...
Page 5: About This Guide
BOUT UIDE This guide gives specific information on how to operate and use the URPOSE management functions of the switch. The guide is intended for use by network administrators who are UDIENCE responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Page 6 EBRUARY EVISION This is the second version of this guide. This guide is valid for software release v1.0.0.3. It includes the following changes: Updated phone and fax numbers for SMC headquarters ◆ Corrrected PVLAN ID range to 1-10 ◆ 2011 R...
Page 7: Table Of Contents
ONTENTS ARRANTY AND RODUCT EGISTRATION BOUT UIDE ONTENTS IGURES ABLES ECTION ETTING TARTED NTRODUCTION Key Features Description of Software Features System Defaults NITIAL WITCH ONFIGURATION ECTION ONFIGURATION SING THE NTERFACE Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu ONFIGURING THE WITCH...
Page 8 ONTENTS Controlling LED Intensity Reducing Power to Idle Queue Circuits Configuring Thermal Protection Configuring Port Connections Configuring Security Configuring User Accounts Configuring User Privilege Levels Configuring The Authentication Method For Management Access Configuring SSH Configuring HTTPS Filtering IP Addresses for Management Access Using Simple Network Management Protocol Configuring Port Limit Controls Configuring Authentication Through Network Access Servers...
Page 9 ONTENTS Configuring VLAN Settings for MLD Snooping and Query Configuring MLD Filtering Link Layer Discovery Protocol Configuring LLDP Timing and TLVs Configuring LLDP-MED TLVs Power over Ethernet Configuring the MAC Address Table IEEE 802.1Q VLANs Assigning Ports to VLANs Configuring VLAN Attributes for Port Members Configuring Private VLANs Using Port Isolation Configuring MAC-based VLANs...
Page 10 ONTENTS Displaying Log Messages Displaying Log Details Displaying Thermal Protection Displaying Information About Ports Displaying Port Status On the Front Panel Displaying an Overview of Port Statistics Displaying QoS Statistics Displaying QCL Status Displaying Detailed Port Statistics Displaying Information About Security Settings Displaying Access Management Statistics Displaying Information About Switch Settings for Port Security Displaying Information About Learned MAC Addresses...
Page 11 ONTENTS Showing IGMP Snooping Group Information Showing IPv4 SSM Information Showing MLD Snooping Information Showing MLD Snooping Status Showing MLD Snooping Group Information Showing IPv6 SSM Information Displaying LLDP Information Displaying LLDP Neighbor Information Displaying LLDP-MED Neighbor Information Displaying LLDP Neighbor EEE Information Displaying LLDP Port Statistics Displaying LLDP Neighbor PoE Information...
Page 12 ONTENTS ROUBLESHOOTING Problems Accessing the Management Interface Using System Logs ICENSE NFORMATION The GNU General Public License LOSSARY NDEX – 12 –...
Page 13: Figures
IGURES Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Configuration Figure 4: IP Configuration Figure 5: IPv6 Configuration Figure 6: NTP Configuration Figure 7: Configuring Settings for Remote Logging of Error Messages Figure 8: Configuring LED Power Reduction Figure 9: Configuring EEE Power Reduction Figure 10: Configuring Thermal Protection Figure 11: Port Configuration...
Page 14 IGURES Figure 32: DHCP Snooping Configuration Figure 33: DHCP Relay Configuration Figure 34: Configuring Global and Port-based Settings for IP Source Guard Figure 35: Configuring Static Bindings for IP Source Guard Figure 36: Configuring Global and Port Settings for ARP Inspection Figure 37: Configuring Static Bindings for ARP Inspection Figure 38: Authentication Configuration Figure 39: Static Trunk Configuration...
Page 15 IGURES Figure 68: Configuring Global and Port Settings for a Voice VLAN Figure 69: Configuring an OUI Telephony List Figure 70: Configuring Ingress Port QoS Classification Figure 71: Configuring Ingress Port Tag Classification Figure 72: Displaying Egress Port Schedulers Figure 73: Configuring Egress Port Schedulers and Shapers Figure 74: Displaying Egress Port Shapers Figure 75: Displaying Port Tag Remarking Mode Figure 76: Configuring Port Tag Remarking Mode...
Page 16 IGURES Figure 104: Dynamic IP Source Guard Table Figure 105: RADIUS Overview Figure 106: RADIUS Details Figure 107: LACP System Status Figure 108: LACP Port Status Figure 109: LACP Port Statistics Figure 110: Spanning Tree Bridge Status Figure 111: Spanning Tree Detailed Bridge Status Figure 112: Spanning Tree Port Status Figure 113: Spanning Tree Port Statistics Figure 114: MVR Statistics...
Page 17: Tables
ABLES Table 1: Key Features Table 2: System Defaults Table 3: Web Page Configuration Buttons Table 4: Main Menu Table 5: HTTPS System Support Table 6: SNMP Security Models and Levels Table 7: Dynamic QoS Profiles Table 8: QCE Modification Buttons Table 9: Recommended STA Path Cost Range Table 10: Recommended STA Path Costs Table 11: Default STA Path Costs...
Page 18 ABLES – 18 –...
Page 19: Sectioni
ECTION ETTING TARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: "Introduction" on page 20 ◆...
Page 20: Key Features
NTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Page 21: Description Of Software Features
| Introduction HAPTER Description of Software Features Table 1: Key Features (Continued) Feature Description Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP) Virtual LANs Up to 4K using IEEE 802.1Q, port-based, protocol-based, private VLANs, and voice VLANs, and QinQ tunnel Traffic Prioritization Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/...
Page 22 | Introduction HAPTER Description of Software Features ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP CCESS ONTROL port number or frame type) or layer 2 frames (based on any destination ISTS MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority).
Page 23 | Introduction HAPTER Description of Software Features be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port. The switch supports IEEE 802.1D transparent bridging. The address table IEEE 802.1D B RIDGE facilitates data switching by learning addresses, and then filtering or...
Page 24 | Introduction HAPTER Description of Software Features The switch supports up to 4096 VLANs. A Virtual LAN is a collection of IRTUAL network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard.
Page 25: System Defaults
| Introduction HAPTER System Defaults Differentiated Services (DiffServ) provides policy-based management UALITY OF ERVICE mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists.
Page 26 | Introduction HAPTER System Defaults Table 2: System Defaults (Continued) Function Parameter Default SNMP SNMP Agent Disabled Community Strings “public” (read only) “private” (read/write) Traps Global: disabled Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: default_view Group: default_rw_group Port Configuration Admin Status Enabled Auto-negotiation...
Page 27 | Introduction HAPTER System Defaults Table 2: System Defaults (Continued) Function Parameter Default IP Settings Management. VLAN VLAN 1 IP Address 192.168.1.10 Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Disabled Snooping: Disabled Proxy service: Disabled Multicast Filtering IGMP Snooping Snooping: Disabled Querier: Disabled MLD Snooping...
Page 28: Initial Switch Configuration
NITIAL WITCH ONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed.
Page 29 | Initial Switch Configuration HAPTER logging out. To change the password, click Security and then Users. Select “admin” from the User Configuration list, fill in the Password fields, and then click Save. – 29 –...
Page 30: Ection
ECTION ONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: "Using the Web Interface" on page 31 ◆ "Configuring the Switch" on page 41 ◆...
Page 31: Using The Web Interface
SING THE NTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Netscape 6.2, Mozilla Firefox 2.0.0.0, or more recent versions).
Page 32: Configuration Options
| Using the Web Interface HAPTER Navigating the Web Browser Interface Configurable parameters have a dialog box or a drop-down list. Once a ONFIGURATION configuration change has been made on a page, be sure to click on the PTIONS Save button to confirm the new setting. The following table summarizes the web page configuration buttons.
Page 33: Main Menu
| Using the Web Interface HAPTER Navigating the Web Browser Interface Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Main Menu Menu Description...
Page 34 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Main Menu (Continued) Menu Description Page Limit Control Configures port security limit controls, including secure address aging; and per port security, including maximum allowed MAC addresses, and response for security breach Configures global and port settings for IEEE 802.1X Access Control Lists Ports...
Page 35 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Main Menu (Continued) Menu Description Page VLAN Configures IGMP snooping per VLAN interface Configuration Port Group Configures multicast groups to be filtered on specified port Filtering MLD Snooping Multicast Listener Discovery Snooping Basic Configures global and port settings for multicast filtering...
Page 36 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Main Menu (Continued) Menu Description Page Port Scheduler Provides overview of QoS Egress Port Schedulers, including the queue mode and weight; also configures egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper Port Shaping Provides overview of QoS Egress Port Shapers, including the...
Page 37 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Main Menu (Continued) Menu Description Page Port Security Switch Shows information about MAC address learning for each port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed Port...
Page 38 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Main Menu (Continued) Menu Description Page IPMC IP Multicast IGMP Snooping Status Displays statistics related to IGMP packets passed upstream to the IGMP Querier or downstream to multicast clients Group Displays active IGMP groups Information...
Page 39 | Using the Web Interface HAPTER Navigating the Web Browser Interface Table 4: Main Menu (Continued) Menu Description Page VeriPHY Performs cable diagnostics for all ports or selected port to diagnose any cable faults (short, open etc.) and report the cable length Maintenance Restart Device...
Page 40 | Using the Web Interface HAPTER Navigating the Web Browser Interface – 40 –...
Page 41: Configuring The Switch
ONFIGURING THE WITCH This chapter describes all of the basic configuration tasks. ONFIGURING YSTEM NFORMATION Use the System Information Configuration page to identify the system by configuring contact information, system name, location of the switch, and time zone offset. Configuration, System, Information ARAMETERS These parameters are displayed: System Contact –...
Page 42: Setting An Ip Address
| Configuring the Switch HAPTER Setting an IP Address Figure 3: System Information Configuration IP A ETTING AN DDRESS This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types.
Page 43 | Configuring the Switch HAPTER Setting an IP Address will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP values can include the IP address, subnet mask, and default gateway.
Page 44: Setting An Ipv6 Address
| Configuring the Switch HAPTER Setting an IP Address Figure 4: IP Configuration Use the IPv6 Configuration page to configure an IPv6 address for ETTING AN management access to the switch. DDRESS IPv6 includes two distinct address types - link-local unicast and global unicast.
Page 45 | Configuring the Switch HAPTER Setting an IP Address The global unicast address can be automatically configured by ■ taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the address.
Page 46: Configuring Ntp Service
| Configuring the Switch HAPTER Configuring NTP Service Figure 5: IPv6 Configuration NTP S ONFIGURING ERVICE Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server.
Page 47: Configuring Remote Log Messages
| Configuring the Switch HAPTER Configuring Remote Log Messages Figure 6: NTP Configuration ONFIGURING EMOTE ESSAGES Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types. Configuration, System, Log OMMAND SAGE...
Page 48: Configuring Power Reduction
| Configuring the Switch HAPTER Configuring Power Reduction NTERFACE To configure the logging of error messages to remote servers: Click Configuration, System, Log. Enable remote logging, enter the IP address of the remote server, and specify the type of syslog messages to send. Click Apply.
Page 49: Figure 8: Configuring Led Power Reduction
| Configuring the Switch HAPTER Configuring Power Reduction ARAMETERS These parameters are displayed: LED Intensity Timers Time – Time at which LED intensity is set. ◆ Intensity – LED intensity (Range: 0-100%, in increments of 10%, ◆ where 0% means off and 100% means full power) Maintenance On time at link change –...
Page 50: Reducing Power To Idle Queue Circuits
| Configuring the Switch HAPTER Configuring Power Reduction Use the EEE Configuration page to configure Energy Efficient Ethernet EDUCING OWER TO (EEE) for specified queues, and to specify urgent queues which are to UEUE IRCUITS transmit data after maximum latency expires regardless of queue length. Configuration, Power Reduction, EEE OMMAND SAGE...
Page 51: Configuring Thermal Protection
| Configuring the Switch HAPTER Configuring Thermal Protection Figure 9: Configuring EEE Power Reduction ONFIGURING HERMAL ROTECTION Use the Thermal Protection Configuration page to set temperature priority levels, and assign those priorities for port shut-down if exceeded. Configuration, Thermal Protection OMMAND SAGE Thermal protection is used to protect the switch ASIC from overheating.
Page 52: Configuring Port Connections
| Configuring the Switch HAPTER Configuring Port Connections NTERFACE To configure the thermal protection: Click Configuration, Thermal Protection. Select the circuits which will use EEE. Se the temperature threshold for each priority, and then assign a priority level to each of the ports. Click Save.
Page 53 | Configuring the Switch HAPTER Configuring Port Connections Speed – Sets the port speed and duplex mode using auto-negotiation ◆ or manual selection. The following options are supported: Disabled - Disables the interface. You can disable an interface due ■ to abnormal behavior (e.g., excessive collisions), and then re- enable it after the problem has been resolved.
Page 54: Figure 11: Port Configuration
| Configuring the Switch HAPTER Configuring Port Connections Power Control – Adjusts the power provided to ports based on the ◆ length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
Page 55: Configuring Security
| Configuring the Switch HAPTER Configuring Security ONFIGURING ECURITY You can configure this switch to authenticate users logging into the system for management access or to control client access to the data ports. Management Access Security (Switch menu) – Management access to the switch can be controlled through local authentication of user names and passwords stored on the switch, or remote authentication of users via a RADIUS or TACACS+ server.
Page 56: Figure 12: Showing User Accounts
| Configuring the Switch HAPTER Configuring Security be used for an administrator account, privilege level 10 for a standard user account, and privilege level 5 for a guest account. ARAMETERS These parameters are displayed: User Name – The name of the user. ◆...
Page 57: Configuring User Privilege Levels
| Configuring the Switch HAPTER Configuring Security Figure 13: Configuring User Accounts Use the Privilege Levels page to set the privilege level required to read or ONFIGURING configure specific software modules or system settings. RIVILEGE EVELS Configuration, Security, Switch, Privilege Levels ARAMETERS These parameters are displayed: ◆...
Page 58: Figure 14: Configuring Privilege Levels
| Configuring the Switch HAPTER Configuring Security 5 – Read access of all system functions except for maintenance and ■ debugging 10 – read and write access of all system functions except for ■ maintenance and debugging 15 – read and write access of all system functions including ■...
Page 59: Configuring The Authentication Method For Management Access
| Configuring the Switch HAPTER Configuring Security Use the Authentication Method Configuration page to specify the ONFIGURING authentication method for controlling management access through the UTHENTICATION console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) ETHOD user name and password configured on the switch, or can be controlled ANAGEMENT CCESS with a RADIUS or TACACS+ remote access authentication server.
Page 60 | Configuring the Switch HAPTER Configuring Security management access via Telnet, SSH, a web browser, or the console interface. When using RADIUS or TACACS+ logon authentication, the user name ◆ and password must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client.
Page 61: Configuring Ssh
| Configuring the Switch HAPTER Configuring Security Figure 16: Authentication Method for Management Access Use the SSH Configuration page to configure access to the Secure Shell ONFIGURING (SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication.
Page 62: Configuring Https
| Configuring the Switch HAPTER Configuring Security NTERFACE To configure SSH: Click Configuration, Security, Switch, SSH. Enable SSH if required. Click Save. Figure 17: SSH Configuration Use the HTTPS Configuration page to enable the Secure Hypertext Transfer HTTPS ONFIGURING Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.
Page 63: Filtering Ip Addresses For Management Access
| Configuring the Switch HAPTER Configuring Security The following web browsers and operating systems currently support ◆ HTTPS: Table 5: HTTPS System Support Web Browser Operating System Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a), Windows 2000, Windows XP, Windows Vista, Windows 7 Netscape 6.2 or later Windows 98,Windows NT (with service pack 6a), Windows 2000, Windows XP, Windows Vista, Solaris 2.6...
Page 64: Figure 19: Access Management Configuration
| Configuring the Switch HAPTER Configuring Security ARAMETERS These parameters are displayed: Mode – Enables or disables filtering of management access based on ◆ configured IP addresses. (Default: Disabled) ◆ Start IP Address – The starting address of a range. End IP Address –...
Page 65: Using Simple Network Management Protocol
| Configuring the Switch HAPTER Configuring Security Simple Network Management Protocol (SNMP) is a communication protocol SING IMPLE designed specifically for managing devices on a network. Equipment ETWORK commonly managed with SNMP includes switches, routers and host ANAGEMENT computers. SNMP is typically used to configure these devices for proper ROTOCOL operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Page 66 | Configuring the Switch HAPTER Configuring Security Table 6: SNMP Security Models and Levels (Continued) Model Level Community String Group Read View Write View Security noAuth user defined default_rw_group default_view default_view A user name match only NoPriv Auth user defined user defined user defined user defined...
Page 67 | Configuring the Switch HAPTER Configuring Security community string is associated with SNMPv1 or SNMPv2 clients in the SNMPv3 Communities table (page 69). Engine ID - The SNMPv3 engine ID. (Range: 10-64 hex digits, ◆ excluding a string of all 0’s or all F’s; Default: 800007e5017f000001) An SNMPv3 engine is an independent SNMP agent that resides on the switch.
Page 68 | Configuring the Switch HAPTER Configuring Security that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic.
Page 69: Figure 20: Snmp System Configuration
| Configuring the Switch HAPTER Configuring Security In the SNMP Trap Configuration table, enable the Trap Mode to allow the switch to send SNMP traps. Specify the trap version, trap community, and IP address of the management station that will receive trap messages either as an IPv4 or IPv6 address.
Page 70: Figure 21: Snmpv3 Community Configuration
| Configuring the Switch HAPTER Configuring Security Community - Specifies the community strings which allow access to ◆ the SNMP agent. (Range: 1-32 characters, ASCII characters 33-126 only; Default: public, private) For SNMPv3, these strings are treated as a Security Name, and are mapped as an SNMPv1 or SNMPv2 community string in the SNMPv3 Groups Configuration table (see "Configuring SNMPv3 Groups"...
Page 71 | Configuring the Switch HAPTER Configuring Security ARAMETERS These parameters are displayed: Engine ID - The engine identifier for the SNMP agent on the remote ◆ device where the user resides. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s) To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Page 72: Figure 22: Snmpv3 User Configuration
| Configuring the Switch HAPTER Configuring Security Define the user name, security level, authentication and privacy settings. Click Save. Figure 22: SNMPv3 User Configuration SNMP ONFIGURING ROUPS Use the SNMPv3 Group Configuration page to configure SNMPv3 groups. An SNMPv3 group defines the access policy for assigned users, restricting them to specific read and write views as defined on the SNMPv3 Access Configuration page (page...
Page 73: Figure 23: Snmpv3 Group Configuration
| Configuring the Switch HAPTER Configuring Security Select the security name. For SNMP v1 and v2c, the security names displayed are based on the those configured in the SNMPv3 Communities menu. For USM, the security names displayed are based on the those configured in the SNMPv3 Users Configuration menu. Enter a group name.
Page 74: Figure 24: Snmpv3 View Configuration
| Configuring the Switch HAPTER Configuring Security NTERFACE To configure SNMPv3 views: Click Configuration, Security, Switch, SNMP, Views. Click “Add new view” to set up a new view. Enter the view name, view type, and OID subtree. Click Save. Figure 24: SNMPv3 View Configuration SNMP ONFIGURING ROUP...
Page 75: Configuring Port Limit Controls
| Configuring the Switch HAPTER Configuring Security Write View Name - The configured view for write access. ◆ (Range: 1-32 characters, ASCII characters 33-126 only) NTERFACE To configure SNMPv3 group access rights: Click Configuration, Security, Switch, SNMP, Access. Click Add New Access to create a new entry. Specify the group name, security settings, read view, and write view.
Page 76 | Configuring the Switch HAPTER Configuring Security Aging Period – If Aging Enabled is checked, then the aging period is ◆ controlled with this parameter. If other modules are using the underlying port security for securing MAC addresses, they may have other requirements for the aging period.
Page 77: Configuring Authentication Through Network Access Servers
| Configuring the Switch HAPTER Configuring Security Ready: The limit is not yet reached. This can be shown for all ■ Actions. Limit Reached: Indicates that the limit is reached on this port. This ■ state can only be shown if Action is set to None or Trap. Shutdown: Indicates that the port is shut down by the Limit Control ■...
Page 78: Figure 27: Using Port Security
| Configuring the Switch HAPTER Configuring Security standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
Page 79 | Configuring the Switch HAPTER Configuring Security The operation of 802.1X on the switch requires the following: The switch must have an IP address assigned (see page 42). ◆ RADIUS authentication must be enabled on the switch and the IP ◆...
Page 80 | Configuring the Switch HAPTER Configuring Security System Configuration Mode - Indicates if 802.1X and MAC-based authentication are globally ◆ enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames. Reauthentication Enabled - Sets clients to be re-authenticated after ◆...
Page 81: Table 7: Dynamic Qos Profiles
| Configuring the Switch HAPTER Configuring Security In MAC-based Authentication mode, the switch will ignore new frames coming from the client during the hold time. RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a ◆ means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch.
Page 82 | Configuring the Switch HAPTER Configuring Security For example, the attribute “service-policy-in=pp1;rate-limit- input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps. If duplicate profiles are passed in the Filter-ID attribute, then only ■...
Page 83 | Configuring the Switch HAPTER Configuring Security assigned VLAN is enabled for that port. When unchecked, RADIUS- server assigned VLAN is disabled for all ports. When RADIUS-Assigned VLAN is both globally enabled and enabled for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated.
Page 84 | Configuring the Switch HAPTER Configuring Security after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below. The “Guest VLAN Enabled” checkbox provides a quick way to globally enable/disable Guest VLAN functionality.
Page 85 | Configuring the Switch HAPTER Configuring Security Allow Guest VLAN if EAPOL Seen - The switch remembers if an ◆ EAPOL frame has been received on the port for the lifetime of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled.
Page 86 | Configuring the Switch HAPTER Configuring Security The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality. MAC-based Auth. - Enables MAC-based authentication on the port. ■ The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port, whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be...
Page 87 | Configuring the Switch HAPTER Configuring Security (see page 158). Static addresses are treated as authenticated without sending a request to a RADIUS server. When port status changes to down, all MAC addresses are cleared ■ from the secure MAC address table. Static VLAN assignments are not restored.
Page 88: Filtering Traffic With Access Control Lists
| Configuring the Switch HAPTER Configuring Security Modify the required attributes. Click Save. Figure 28: Network Access Server Configuration An Access Control List (ACL) is a sequential list of permit or deny ILTERING RAFFIC conditions that apply to IP addresses, MAC addresses, or other more WITH CCESS specific criteria.
Page 89 | Configuring the Switch HAPTER Configuring Security ARAMETERS These parameters are displayed: Port - Port Identifier. ◆ Policy ID - An ACL policy configured on the ACE Configuration page ◆ (page 93). (Range: 1-8; Default: 1, which is undefined) Action - Permits or denies a frame based on whether it matches a rule ◆...
Page 90: Figure 29: Acl Port Configuration
| Configuring the Switch HAPTER Configuring Security Repeat the preceding step for each port to which an ACL will be applied. Click Save. Figure 29: ACL Port Configuration ONFIGURING IMITERS Use the ACL Rate Limiter Configuration page to define the rate limits applied to a port (as configured either through the ACL Ports Configuration menu (page...
Page 91: Figure 30: Acl Rate Limiter Configuration
| Configuring the Switch HAPTER Configuring Security Figure 30: ACL Rate Limiter Configuration ONFIGURING CCESS ONTROL ISTS Use the Access Control List Configuration page to define filtering rules for an ACL policy, for a specific port, or for all ports. Rules applied to a port take effect immediately, while those defined for a policy must be mapped to one or more ports using the ACL Ports Configuration menu (page...
Page 92: Table 8: Qce Modification Buttons
| Configuring the Switch HAPTER Configuring Security matches this entry when ARP/RARP protocol address space setting is equal to IP (0x800) IPv4 frames (based on destination MAC address, protocol type, TTL, ■ IP fragment, IP option flag, source/destination IP, VLAN ID, VLAN priority) ARAMETERS These parameters are displayed:...
Page 93 | Configuring the Switch HAPTER Configuring Security ACE C ONFIGURATION Ingress Port and Frame Type Ingress Port - Any port, port identifier, or policy. (Options: Any port, ◆ Port 1-10, Policy 1-8; Default: Any) Frame Type - The type of frame to match. (Options: Any, Ethernet, ◆...
Page 94 | Configuring the Switch HAPTER Configuring Security opcode flag set, Reply - frame must have ARP Reply or RARP Reply opcode flag; Default: Any) Sender IP Filter - Specifies the sender’s IP address. ■ (Options: Any - no sender IP filter is specified, Host - specifies the sender IP address in the SIP Address field, Network - specifies the sender IP address and sender IP mask in the SIP Address and SIP Mask fields;...
Page 95 | Configuring the Switch HAPTER Configuring Security IPv4: ◆ MAC Parameters DMAC Filter - The type of destination MAC address. (Options: Any, ■ MC - multicast, BC - broadcast, UC - unicast; Default: Any) IP Parameters IP Protocol Filter - Specifies the IP protocol to filter for this rule. ■...
Page 96 | Configuring the Switch HAPTER Configuring Security entry, 1 - TCP frames where the SYN field is set must match this entry; Default: Any) TCP RST - Specifies the TCP “Reset the connection” (RST) value ■ for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the RST field is set must not match this entry, 1 - TCP frames where the RST field is set must match this entry;...
Page 97 | Configuring the Switch HAPTER Configuring Security specifies the destination IP address and destination IP mask in the DIP Address and DIP Mask fields; Default: Any) Response to take when a rule is matched Action - Permits or denies a frame based on whether it matches an ◆...
Page 98: Figure 31: Access Control List Configuration
| Configuring the Switch HAPTER Configuring Security NTERFACE To configure an Access Control List for a port or a policy: Click Configuration, Security, Network, ACL, Access Control List. Click the button to add a new ACL, or use the other ACL modification buttons to specify the editing action (i.e., edit, delete, or moving the relative position of entry in the list).
Page 99: Configuring Dhcp Snooping
| Configuring the Switch HAPTER Configuring Security Use the DHCP Snooping Configuration page to filter IP traffic on insecure DHCP ONFIGURING ports for which the source address cannot be identified via DHCP snooping. NOOPING The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).
Page 100 | Configuring the Switch HAPTER Configuring Security If the DHCP packet is not a recognizable type, it is dropped. ■ If a DHCP packet from a client passes the filtering criteria above, it ■ will only be forwarded to trusted ports in the same VLAN. If a DHCP packet is from server is received on a trusted port, it will ■...
Page 101: Configuring Dhcp Relay And Option 82 Information
| Configuring the Switch HAPTER Configuring Security Figure 32: DHCP Snooping Configuration Use the DHCP Relay Configuration page to configure DHCP relay service for DHCP ONFIGURING attached host devices. If a subnet does not include a DHCP server, you can ELAY AND PTION relay DHCP client requests to a DHCP server on another subnet.
Page 102: Configuring Ip Source Guard
| Configuring the Switch HAPTER Configuring Security ARAMETERS These parameters are displayed: Relay Mode - Enables or disables the DHCP relay function. ◆ (Default: Disabled) ◆ Relay Server - IP address of DHCP server to be used by the switch's DHCP relay agent.
Page 103 | Configuring the Switch HAPTER Configuring Security IP S ONFIGURING LOBAL AND ETTINGS FOR OURCE UARD Use the IP Source Guard Configuration page to filter traffic on an insecure port which receives messages from outside the network or fire wall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
Page 104: Figure 34: Configuring Global And Port-Based Settings For Ip Source Guard
| Configuring the Switch HAPTER Configuring Security DHCP snooping must be enabled for dynamic clients to be learned automatically. Port – Port identifier ◆ Mode – Enables or disables IP Source Guard on the specified ports. ◆ Only when both Global Mode and Port Mode on a given port are enabled, will ARP Inspection take effect on a given port.
Page 105 | Configuring the Switch HAPTER Configuring Security IP S ONFIGURING TATIC INDINGS FOR OURCE UARD Use the Static IP Source Guard Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, IP address, and subnet mask.
Page 106: Configuring Arp Inspection
| Configuring the Switch HAPTER Configuring Security Figure 35: Configuring Static Bindings for IP Source Guard ARP Inspection is a security feature that validates the MAC Address ONFIGURING bindings for Address Resolution Protocol packets. It provides protection NSPECTION against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
Page 107 | Configuring the Switch HAPTER Configuring Security changes will only become active after ARP Inspection is enabled globally again. ARP Inspection uses the DHCP snooping bindings database for the list ◆ of valid IP-to-MAC address bindings. DHCP snooping must be enabled for dynamic clients to be learned automatically.
Page 108: Figure 36: Configuring Global And Port Settings For Arp Inspection
| Configuring the Switch HAPTER Configuring Security Figure 36: Configuring Global and Port Settings for ARP Inspection ARP I ONFIGURING TATIC INDINGS FOR NSPECTION Use the Static ARP Inspection Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, source MAC address in ARP request packets, and source IP address in ARP request packets.
Page 109: Specifying Authentication Servers
| Configuring the Switch HAPTER Configuring Security Enter the required bindings for a given port. Click Save. Figure 37: Configuring Static Bindings for ARP Inspection Use the Authentication Server Configuration page to control management PECIFYING access based on a list of user names and passwords configured on a UTHENTICATION RADIUS or TACACS+ remote access authentication server, and to ERVERS...
Page 110: Figure 38: Authentication Configuration
| Configuring the Switch HAPTER Configuring Security Port – Network (UDP) port of authentication server used for ◆ authentication messages. (Range: 1-65535; Default: 0) If the UDP port is set to 0 (zero), the switch will use 1812 for RADIUS authentication servers, 1813 for RADIUS accounting servers, or 49 for TACACS+ authentication servers.
Page 111: Creating Trunk Groups
| Configuring the Switch HAPTER Creating Trunk Groups REATING RUNK ROUPS You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault- tolerant link between two switches.
Page 112: Configuring Static Trunks
| Configuring the Switch HAPTER Creating Trunk Groups Use the Aggregation Mode Configuration page to configure the aggregation ONFIGURING TATIC mode and members of each static trunk group. RUNKS Configuration, Aggregation, Static SAGE UIDELINES When configuring static trunks, you may not be able to link switches of ◆...
Page 113 | Configuring the Switch HAPTER Creating Trunk Groups Destination MAC Address – All traffic with the same destination ■ MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts.
Page 114: Configuring Lacp
| Configuring the Switch HAPTER Creating Trunk Groups Figure 39: Static Trunk Configuration Use the LACP Port Configuration page to enable LACP on selected ports, LACP ONFIGURING configure the administrative key, and the protocol initiation mode. Configuration, Aggregation, LACP SAGE UIDELINES To avoid creating a loop in the network, be sure you enable LACP before ◆...
Page 115 | Configuring the Switch HAPTER Creating Trunk Groups Ports must have the same LACP Admin Key. Using auto- ■ configuration of the Admin Key will avoid this problem. One of the ports at either the near end or far end must be set to ■...
Page 116: Configuring The Spanning Tree Algorithm
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Figure 40: LACP Port Configuration ONFIGURING THE PANNING LGORITHM The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.
Page 117: Figure 41: Stp Root Ports And Designated Ports
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Figure 41: STP Root Ports and Designated Ports Designated Root Root Designated Port Port Designated Bridge Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Page 118: Configuring Global Settings For Sta
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 122).
Page 119 | Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Rapid Spanning Tree Protocol ◆ RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below: STP Mode –...
Page 120 | Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Bridge Priority – Bridge priority is used in selecting the root device, ◆ root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Page 121 | Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Advanced Settings Edge Port BPDU Filtering – BPDU filtering allows you to avoid ◆ transmitting BPDUs on configured edge ports that are connected to end nodes. By default, STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port.
Page 122: Configuring Multiple Spanning Trees
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Figure 44: STA Bridge Configuration Use the MSTI Mapping page to add VLAN groups to an MSTP instance ONFIGURING (MSTI), or to designate the name and revision of the VLAN-to-MSTI ULTIPLE PANNING mapping used on this switch.
Page 123 | Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Enter the spanning tree priority for the CIST and selected MST instance on the MSTI Priorities page. All VLANs are automatically added to the CIST (MST Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
Page 124: Configuring Spanning Tree Bridge Priorities
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Figure 45: Adding a VLAN to an MST Instance Use the MSTI Priorities page to configure the bridge priority for the CIST ONFIGURING and any configured MSTI. Remember that RSTP looks upon each MST PANNING Instance as a single bridge node.
Page 125: Configuring Stp/Rstp/Cist Interfaces
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm NTERFACE To add VLAN groups to an MSTP instance: Click Configuration, Spanning Tree, MSTI Priorities. Set the bridge priority for the CIST or any configured MSTI. Click Save Figure 46: Configuring STA Bridge Priorities Use the CIST Ports Configuration page to configure STA attributes for ONFIGURING interfaces when the spanning tree mode is set to STP or RSTP, or for...
Page 126: Table 9: Recommended Sta Path Cost Range
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm changes, thereby combining remote network segments into a single spanning tree. As implemented on this switch, BPDU transparency allows a port which is not participating in the spanning tree (such as an uplink port to the service provider’s network) to forward BPDU packets to other ports instead of discarding these packets or attempting to process them.
Page 127 | Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. (Range: 0-240, in steps of 16; Default: 128) Admin Edge (Fast Forwarding) –...
Page 128: Figure 47: Stp/Rstp/Cist Port Configuration
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Point-to-Point – The link type attached to an interface can be set to ◆ automatically detect the link type, or manually configured as point-to- point or shared medium. Transition to the forwarding state is faster for point-to-point links than for shared media.
Page 129: Configuring Mist Interfaces
| Configuring the Switch HAPTER Configuring the Spanning Tree Algorithm Use the MIST Ports Configuration page to configure STA attributes for MIST ONFIGURING interfaces in a specific MSTI, including path cost, and port priority. You may NTERFACES use a different priority or path cost for ports of the same media type to indicate the preferred path.
Page 130: Multicast Vlan Registration
| Configuring the Switch HAPTER Multicast VLAN Registration Figure 48: MSTI Port Configuration VLAN R ULTICAST EGISTRATION Use the MVR Configuration page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and to configure each interface that participates in the MVR protocol as a source port or receiver port.
Page 131: Figure 49: Mvr Concept
| Configuring the Switch HAPTER Multicast VLAN Registration Figure 49: MVR Concept Multicast Router Satellite Services Service Network Multicast Server Source Layer 2 Switch Port Receiver Ports Set-top Box Set-top Box Configuration, MVR OMMAND SAGE General Configuration Guidelines for MVR: ◆...
Page 132 | Configuring the Switch HAPTER Multicast VLAN Registration MVR VLAN – Identifier of the VLAN that serves as the channel for ◆ streaming multicast services using MVR. MVR source ports should be configured as members of the MVR VLAN, but MVR receiver ports should not be manually configured as members of this VLAN.
Page 133: Igmp Snooping
| Configuring the Switch HAPTER IGMP Snooping Figure 50: Configuring MVR IGMP S NOOPING Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Page 134: Configuring Global And Port-Related Settings For Igmp Snooping
| Configuring the Switch HAPTER IGMP Snooping containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN). Use the IGMP Snooping Configuration page to configure global and port- ONFIGURING LOBAL related settings which control the forwarding of multicast traffic. Based on ELATED the IGMP query and report messages, the switch forwards traffic only to IGMP...
Page 135 | Configuring the Switch HAPTER IGMP Snooping last dynamic member port in the group, the receiving port is not a router port, and no IGMPv1 member port exists in the group, the switch will generate and send a group-specific (GS) query to the member port which received the leave message, and then start the last member query timer for that port.
Page 136: Figure 51: Configuring Global And Port-Related Settings For Igmp Snooping
| Configuring the Switch HAPTER IGMP Snooping If Fast Leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, Fast Leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
Page 137: Configuring Vlan Settings For Igmp Snooping And Query
| Configuring the Switch HAPTER IGMP Snooping Use the IGMP Snooping VLAN Configuration page to configure IGMP VLAN ONFIGURING snooping and query for a VLAN interface IGMP ETTINGS FOR NOOPING AND UERY Configuration, IPMC, IGMP Snooping, VLAN Configuration ARAMETERS These parameters are displayed: ◆...
Page 138: Figure 52: Configuring Vlan Settings For Igmp Snooping And Query
| Configuring the Switch HAPTER IGMP Snooping QRI - The Query Response Interval is the Max Response Time ◆ advertised in periodic General Queries. The QRI applies when the switch is serving as the querier, and is used to inform other devices of the maximum time this system waits for a response to general queries.
Page 139: Configuring Igmp Filtering
| Configuring the Switch HAPTER IGMP Snooping Use the IGMP Snooping Port Group Filtering Configuration page to filter IGMP ONFIGURING specific multicast traffic. In certain switch applications, the administrator ILTERING may want to control the multicast services that are available to end users; for example, an IP/TV service based on a specific subscription plan.
Page 140: Mld Snooping
| Configuring the Switch HAPTER MLD Snooping MLD S NOOPING Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
Page 141 | Configuring the Switch HAPTER MLD Snooping Once the table used to store multicast entries for MLD snooping is filled, no new entries are learned. If no router port is configured in the attached VLAN, and Unregistered IPMCv6 Flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
Page 142 | Configuring the Switch HAPTER MLD Snooping The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the Fast Leave function is enabled. This allows the switch to remove a port from the multicast forwarding table without first having to send an MLD group-specific (GS) query to that interface.
Page 143: Configuring Vlan Settings For Mld Snooping And Query
| Configuring the Switch HAPTER MLD Snooping Figure 54: Configuring Global and Port-related Settings for MLD Snooping Use the MLD Snooping VLAN Configuration page to configure MLD snooping VLAN ONFIGURING and query for a VLAN interface ETTINGS FOR NOOPING AND UERY Configuration, IPMC, MLD Snooping, VLAN Configuration ARAMETERS...
Page 144 | Configuring the Switch HAPTER MLD Snooping multicast router/switch to ensure that it will continue to receive the multicast service. An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address.
Page 145: Configuring Mld Filtering
| Configuring the Switch HAPTER MLD Snooping This attribute will take effect only if MLD snooping proxy reporting is enabled (see page 140). URI - The Unsolicited Report Interval specifies how often the upstream ◆ interface should transmit unsolicited MLD reports when report suppression/proxy reporting is enabled.
Page 146: Link Layer Discovery Protocol
| Configuring the Switch HAPTER Link Layer Discovery Protocol Click Add New Filtering Group to display a new entry in the table. Select the port to which the filter will be applied. Enter the IP address of the multicast service to be filtered. Click Save.
Page 147 | Configuring the Switch HAPTER Link Layer Discovery Protocol Tx Hold – Configures the time-to-live (TTL) value sent in LLDP ◆ advertisements as shown in the formula below. (Range: 2-10; Default: 3) The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
Page 148 | Configuring the Switch HAPTER Link Layer Discovery Protocol If all ports have CDP awareness disabled, the switch forwards CDP frames received from neighbor devices. If at least one port has CDP awareness enabled, all CDP frames are terminated by the switch. When CDP awareness for a port is disabled, the CDP information is not removed immediately, but will be removed when the hold time is exceeded.
Page 149: Configuring Lldp-Med Tlvs
| Configuring the Switch HAPTER Link Layer Discovery Protocol Specify the information to include in the TLV field of advertised messages. Click Save. Figure 57: LLDP Configuration Use the LLDP-MED Configuration page to set the device information which LLDP- ONFIGURING is advertised for end-point devices.
Page 150 | Configuring the Switch HAPTER Link Layer Discovery Protocol the limited LLDPU space and to reduce security and system integrity issues that can come with inappropriate knowledge of the network policy. With this in mind LLDP-MED defines an LLDP-MED Fast Start interaction between the protocol and the application layers on top of the protocol, in order to achieve these related properties.
Page 151 | Configuring the Switch HAPTER Link Layer Discovery Protocol Map Datum – The Map Datum used for the coordinates given in this ◆ Option. WGS84: (Geographical 3D) - World Geodesic System 1984, CRS ■ Code 4327, Prime Meridian Name: Greenwich. NAD83/NAVD88: North American Datum 1983, CRS Code 4269, ■...
Page 152 | Configuring the Switch HAPTER Link Layer Discovery Protocol Postal community name - Postal community name. ■ (Example: Leonia) P.O. Box - Post office box (P.O. BOX). (Example: 12345) ■ Additional code - Additional code. (Example: 1320300003) ■ Emergency Call Service – Emergency Call Service (e.g. 911 and ◆...
Page 153 | Configuring the Switch HAPTER Link Layer Discovery Protocol Policy ID – ID for the policy. This is auto generated and will be ■ used when selecting the polices that will be mapped to the specific ports. Application Type – Intended use of the application types: ■...
Page 154 | Configuring the Switch HAPTER Link Layer Discovery Protocol Tagged indicates that the device is using the IEEE 802.1Q tagged frame format, and that both the VLAN ID and the Layer 2 priority values are being used, as well as the DSCP value. The tagged format includes an additional field, known as the tag header.
Page 155: Power Over Ethernet
| Configuring the Switch HAPTER Power over Ethernet Figure 58: LLDP-MED Configuration OWER OVER THERNET Use the Power Over Ethernet Configuration page to set the maximum PoE power provided to a port, the maximum power budget for the switch (power available to all RJ-45 ports), the port PoE operating mode, power allocation priority, and the maximum power allocated to each port.
Page 156 | Configuring the Switch HAPTER Power over Ethernet draw Class 4 current. Afterwards, the switch exchanges information with the PD such as duty-cycle, peak and average power needs. All the RJ-45 ports support both the IEEE 802.3af and IEEE 802.3at ◆...
Page 157 | Configuring the Switch HAPTER Power over Ethernet accordingly. If no LLDP information is available for a port, the port will reserve power using the class mode In this mode the Maximum Power fields have no effect For all modes, if a port uses more power than the power reserved for that port, it is shut down.
Page 158: Configuring The Mac Address Table
| Configuring the Switch HAPTER Configuring the MAC Address Table Specify the port PoE operating mode, port power allocation priority, and the port power budget. Click Save. Figure 59: Configuring PoE Settings MAC A ONFIGURING THE DDRESS ABLE Use the MAC Address Table Configuration page to configure dynamic address learning or to assign static addresses to specific ports.
Page 159 | Configuring the Switch HAPTER Configuring the MAC Address Table MAC Table Learning Auto - Learning is done automatically as soon as a frame with an ◆ unknown source MAC address is received. (This is the default.) Disable - No addresses are learned and stored in the MAC address ◆...
Page 160: Ieee 802.1Q Vlans
| Configuring the Switch HAPTER IEEE 802.1Q VLANs Figure 60: MAC Address Table Configuration IEEE 802.1Q VLAN In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains.
Page 161: Assigning Ports To Vlans
| Configuring the Switch HAPTER IEEE 802.1Q VLANs End stations can belong to multiple VLANs ◆ Passing traffic between VLAN-aware and VLAN-unaware devices ◆ Priority tagging ◆ Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate.
Page 162: Configuring Vlan Attributes For Port Members
| Configuring the Switch HAPTER IEEE 802.1Q VLANs NTERFACE To configure IEEE 802.1Q VLAN groups: Click Configuration, VLANs, VLAN Membership. Change the ports assigned to the default VLAN (VLAN 1) if required. To configure a new VLAN, click Add New VLAN, enter the VLAN ID, and then mark the ports to be assigned to the new group.
Page 163 | Configuring the Switch HAPTER IEEE 802.1Q VLANs Port Type – Configures how a port processes the VLAN ID in ingress ◆ frames. (Default: Unaware) C-port – For customer ports, each frame is assigned to the VLAN ■ indicated in the VLAN tag, and the tag is removed. S-port –...
Page 164: Figure 62: Vlan Port Configuration
| Configuring the Switch HAPTER IEEE 802.1Q VLANs are classified to the Port VLAN ID. If the classified VLAN ID of a frame transmitted on the port is different from the Port VLAN ID, a VLAN tag with the classified VLAN ID is inserted in the frame. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.
Page 165: Configuring Private Vlans
| Configuring the Switch HAPTER Configuring Private VLANs VLAN ONFIGURING RIVATE Use the Private VLAN Membership Configuration page to assign port members to private VLANs. Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on ports assigned to a private VLAN can only be forwarded to, and from, uplink ports (that is, ports configured as members of both a standard IEEE 802.1Q VLAN and the private VLAN).
Page 166: Using Port Isolation
| Configuring the Switch HAPTER Using Port Isolation Figure 63: Private VLAN Membership Configuration SING SOLATION Use the Port Isolation Configuration page to prevent communications between customer ports within the same private VLAN. Ports within a private VLAN (PVLAN) are isolated from other ports which are not in the same PVLAN.
Page 167: Configuring Mac-Based Vlans
| Configuring the Switch HAPTER Configuring MAC-based VLANs MAC- VLAN ONFIGURING BASED Use the MAC-based VLAN Membership Configuration page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to the source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
Page 168: Protocol Vlans
| Configuring the Switch HAPTER Protocol VLANs Figure 65: Configuring MAC-Based VLANs VLAN ROTOCOL The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
Page 169: Configuring Protocol Vlan Groups
| Configuring the Switch HAPTER Protocol VLANs Use the Protocol to Group Mapping Table to create protocol groups. ONFIGURING VLAN ROTOCOL ROUPS Configuration, VCL, Protocol-based VLANs, Protocol to Group ARAMETERS These parameters are displayed: Frame Type – Choose Ethernet, LLC (Logical Link Control), or SNAP ◆...
Page 170: Mapping Protocol Groups To Ports
| Configuring the Switch HAPTER Protocol VLANs NTERFACE To configure a protocol group: Click Configuration, VCL, Protocol-based VLANs, Protocol to Group. Click add new entry. Fill in the frame type, value, and group name. Click Save. Figure 66: Configuring Protocol VLANs Use the Group Name to VLAN Mapping Table to map a protocol group to a APPING ROTOCOL...
Page 171: Managing Voip Traffic
| Configuring the Switch HAPTER Managing VoIP Traffic VLAN ID – VLAN to which matching protocol traffic is forwarded. ◆ (Range: 1-4095) Port Members – Ports assigned to this protocol VLAN. ◆ NTERFACE To map a protocol group to a VLAN for a port or trunk: Click Configuration, VCL, Protocol-based VLANs, Group to VLAN.
Page 172: Configuring Voip Traffic
| Configuring the Switch HAPTER Managing VoIP Traffic member the Voice VLAN. Alternatively, switch ports can be manually configured. Use the Voice VLAN Configuration page to configure the switch for VoIP ONFIGURING traffic. First enable automatic detection of VoIP devices attached to the RAFFIC switch ports, then set the Voice VLAN ID for the network.
Page 173 | Configuring the Switch HAPTER Managing VoIP Traffic Auto – The port will be added as a tagged member to the Voice ■ VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or LLDP (802.1ab). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
Page 174: Configuring Telephony Oui
| Configuring the Switch HAPTER Managing VoIP Traffic Figure 68: Configuring Global and Port Settings for a Voice VLAN Use the Voice VLAN OUI Table to identify VoIP devices attached to the ONFIGURING switch. VoIP devices can be identified by the manufacturer’s Organizational ELEPHONY Unique Identifier (OUI) in the source MAC address of received packets.
Page 175: Quality Of Service
| Configuring the Switch HAPTER Quality of Service NTERFACE To configure MAC OUI numbers for VoIP equipment: Click Configuration, Voice VLAN, OUI. Click “Add new entry.” Enter a MAC address that specifies the OUI for VoIP devices in the network, and enter a description for the devices. Click Save.
Page 176: Configuring Port Classification
| Configuring the Switch HAPTER Quality of Service The switch also allows you to configure QoS classification criteria and service policies. The switch’s resources can be prioritized to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS, or its VLAN priority tag.
Page 177: Figure 70: Configuring Ingress Port Qos Classification
| Configuring the Switch HAPTER Quality of Service QoS Ingress Port Tag Classification Tag Classification – Sets classification mode for tagged frames on ◆ this port: Disabled – Uses the default QoS class and DP level for tagged ■ frames. (This is the default.) Enabled –...
Page 178: Configuring Egress Port Scheduler
| Configuring the Switch HAPTER Quality of Service Set the tag classification mode to Disabled to use the default QoS class and DP level for tagged frames, or to Enabled to use the mapped versions of PCP and DEI for tagged frames. Click Save.
Page 179 | Configuring the Switch HAPTER Quality of Service processed before the lower priority queues are serviced, or Deficit Weighted Round-Robin (DWRR) queuing which specifies a scheduling weight for each queue. (Options: Strict, Weighted; Default: Strict) DWRR services the queues in a manner similar to WRR, but the next queue is serviced only when the queue’s Deficit Counter becomes smaller than the packet size to be transmitted.
Page 180: Figure 72: Displaying Egress Port Schedulers
| Configuring the Switch HAPTER Quality of Service Click on any enter under the Port field to configure the Port Scheduler and Shaper. Figure 72: Displaying Egress Port Schedulers To configure the scheduler mode, the egress queue mode, queue shaper, and port shaper used by egress ports: Click Configuration, QoS, Port Scheduler.
Page 181: Configuring Egress Port Shaper
| Configuring the Switch HAPTER Quality of Service Use the QoS Egress Port Shapers page to show an overview of the QoS ONFIGURING GRESS Egress Port Shapers, including the rate for each queue and port. Click on HAPER any of the entries in the Port field to configure egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper Configuration, QoS, Port Shaper ARAMETERS...
Page 182 | Configuring the Switch HAPTER Quality of Service ARAMETERS These parameters are displayed: Displaying Port Remarking Mode Port – Port identifier. ◆ Mode – Shows the tag remarking mode used by this port: ◆ Classified – Uses classified PCP (Priority Code Point or User ■...
Page 183: Figure 75: Displaying Port Tag Remarking Mode
| Configuring the Switch HAPTER Quality of Service Figure 75: Displaying Port Tag Remarking Mode To configure the tag remarking mode: Click Configuration, QoS, Port Tag Remarking. Click on any of the entries in the Port field. Set the tag remarking mode and any parameters associated with the selected mode.
Page 184: Configuring Port Dscp Translation And Rewriting
| Configuring the Switch HAPTER Quality of Service Figure 76: Configuring Port Tag Remarking Mode Use the QoS Port DSCP Configuration page to configure ingress translation ONFIGURING and classification settings and egress re-writing of DSCP values. DSCP T RANSLATION EWRITING Configuration, QoS, Port DSCP ARAMETERS These parameters are displayed:...
Page 185 | Configuring the Switch HAPTER Quality of Service Ingress Classify – Specifies the classification method: ◆ Disable – No Ingress DSCP Classification is performed. ■ DSCP=0 – Classify if incoming DSCP is 0. ■ Selected – Classify only selected DSCP for which classification is ■...
Page 186: Configuring Dscp-Based Qos Ingress Classification
| Configuring the Switch HAPTER Quality of Service Figure 77: Configuring Port DSCP Translation and Rewriting Use the DSCP-Based QoS Ingress Classification page to configure DSCP- DSCP- ONFIGURING based QoS ingress classification settings. BASED NGRESS LASSIFICATION Configuration, QoS, DSCP-Based QoS ARAMETERS These parameters are displayed: DSCP –...
Page 187: Configuring Dscp Translation
| Configuring the Switch HAPTER Quality of Service Figure 78: Configuring DSCP-based QoS Ingress Classification . . . Use the DSCP Translation page to configure DSCP translation for ingress DSCP ONFIGURING traffic or DSCP re-mapping for egress traffic. RANSLATION Configuration, QoS, DSCP Translation ARAMETERS These parameters are displayed: DSCP –...
Page 188: Configuring Dscp Classification
| Configuring the Switch HAPTER Quality of Service NTERFACE To configure DSCP translation or re-mapping: Click Configuration, QoS, DSCP Translation. Set the required ingress translation and egress re-mapping parameters. Click Save. Figure 79: Configuring DSCP Translation and Re-mapping . . . Use the DSCP Classification page to map DSCP values to a QoS class and DSCP ONFIGURING...
Page 189: Configuring Qos Control Lists
| Configuring the Switch HAPTER Quality of Service NTERFACE To map DSCP values to a QoS class and drop precedence level: Click Configuration, QoS, DSCP Classification. Map key DSCP values to a corresponding QoS class and drop precedence level. Click Save. Figure 80: Mapping DSCP to CoS/DPL Values Use the QoS Control List Configuration page to configure Quality of Service ONFIGURING...
Page 190: Table 12: Qce Modification Buttons
| Configuring the Switch HAPTER Quality of Service SMAC - The OUI field of the source MAC address, i.e. the first three ◆ octets (bytes) of the MAC address. DMAC - The type of destination MAC address. Possible values are: Any, ◆...
Page 191 | Configuring the Switch HAPTER Quality of Service DMAC Type – The type of destination MAC address. (Options: Any, BC ◆ (Broadcast), MC (Multicast), UC (Unicast) Frame Type – The supported types are listed below: ◆ Any – Allow all types of frames. ■...
Page 192 | Configuring the Switch HAPTER Quality of Service IP Fragment – Indicates whether or not fragmented packets ■ are accepted. (Options: Any, Yes, No; Default: Any) Datagrams may be fragmented to ensure they can pass through a network device which uses a maximum transfer unit smaller than the original packet’s size.
Page 193: Configuring Storm Control
| Configuring the Switch HAPTER Quality of Service Figure 81: QoS Control List Configuration Use the Storm Control Configuration page to set limits on broadcast, ONFIGURING TORM multicast and unknown unicast traffic to control traffic storms which may ONTROL occur when a network device is malfunctioning, the network is not properly configured, or application programs are not well designed or properly configured.
Page 194: Configuring Port Mirroring
| Configuring the Switch HAPTER Configuring Port Mirroring Status - Enables or disables storm control. (Default: Disabled) ◆ Rate (pps) - The threshold above which packets are dropped. This limit ◆ can be set by specifying a value of 2 packets per second (pps), or by selecting one of the options in Kpps (i.e., marked with the suffix “K”).
Page 195: Figure 83: Mirror Configuration
| Configuring the Switch HAPTER Configuring Port Mirroring mirroring is enabled on the Mirror Configuration page by setting the destination port in the “Port to mirror on” field, and enabling the “Mode” for any port, mirroring will occur regardless of any configuration settings made on the ACL Ports Configuration page (see "Filtering Traffic with Access Control Lists"...
Page 196: Configuring Upnp
| Configuring the Switch HAPTER Configuring UPnP ONFIGURING Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
Page 197: Figure 84: Upnp Configuration
| Configuring the Switch HAPTER Configuring UPnP NTERFACE To configure UPnP: Click Configuration, UPnP. Enable or disable UPnP, then set the TTL and advertisement values. Click Save. Figure 84: UPnP Configuration – 197 –...
Page 198 | Configuring the Switch HAPTER Configuring UPnP – 198 –...
Page 199: Monitoring The Switch
ONITORING THE WITCH This chapter describes how to monitor all of the basic functions, configure or view system logs, and how to view traffic status or the address table. ISPLAYING ASIC NFORMATION BOUT THE YSTEM You can use the Monitor/System menu to display a basic description of the switch, log messages, or statistics on traffic used in managing the switch.
Page 200: Displaying Cpu Utilization
| Monitoring the Switch HAPTER Displaying Basic Information About the System Software Software Version – Version number of runtime code. ◆ Software Date – Release date of the switch software. ◆ NTERFACE To view System Information, click Monitor, System, Information. Figure 85: System Information Use the CPU Load page to display information on CPU utilization.
Page 201: Displaying Log Messages
| Monitoring the Switch HAPTER Displaying Basic Information About the System NTERFACE To display CPU utilization: Click System, then CPU Load. Figure 86: CPU Load Use the System Log Information page to scroll through the logged system ISPLAYING and event messages. ESSAGES Monitor, System, CPU Load ARAMETERS...
Page 202: Figure 87: System Log Information
| Monitoring the Switch HAPTER Displaying Basic Information About the System Level – Error level as described above. ◆ Time – The time of the system log entry. ◆ Message – The message text of the system log entry. ◆ NTERFACE To display the system log: Click Monitor, System, Log.
Page 203: Displaying Log Details
| Monitoring the Switch HAPTER Displaying Thermal Protection Use the Detailed Log page to view the full text of specific log messages. ISPLAYING ETAILS Monitor, System, CPU Load NTERFACE To display the text of a specific log message, click Monitor, System, Detailed Log.
Page 204: Displaying Information About Ports
| Monitoring the Switch HAPTER Displaying Information About Ports NTERFACE To display the current chip temperature, click Monitor, Thermal Protection. Figure 89: Thermal Protection Status ISPLAYING NFORMATION BOUT ORTS You can use the Monitor/Port menu to display a graphic image of the front panel which indicates the connection status of each port, basic statistics on the traffic crossing each port, the number of packets processed by each service queue, or detailed statistics on port traffic.
Page 205: Displaying An Overview Of Port Statistics
| Monitoring the Switch HAPTER Displaying Information About Ports Use the Port Statistics Overview page to display a summary of basic ISPLAYING AN information on the traffic crossing each port. VERVIEW OF TATISTICS Monitor, Ports, Traffic Overview ARAMETERS These parameters are displayed: ◆...
Page 206: Displaying Qcl Status
| Monitoring the Switch HAPTER Displaying Information About Ports ARAMETERS These parameters are displayed: Port – Port identifier. ◆ Q# Receive/Transmit – The number of packets received and ◆ transmitted through the indicated queue. NTERFACE To display the queue counters, click Monitor, Ports, QoS Statistics. Figure 92: Queueing Counters Use the QoS Control List Status page to show the QCE entries configured ISPLAYING...
Page 207: Displaying Detailed Port Statistics
| Monitoring the Switch HAPTER Displaying Information About Ports Class (Classified QoS Class) – If a frame matches the QCE, it will be ■ put in the queue corresponding to the specified QoS class. DP – The drop precedence level will be set to the specified value. ■...
Page 208 | Monitoring the Switch HAPTER Displaying Information About Ports Octets – The number of received and transmitted bytes (good and ■ bad), including Frame Check Sequence, but excluding framing bits. Unicast – The number of received and transmitted unicast packets ■...
Page 209: Figure 94: Detailed Port Statistics
| Monitoring the Switch HAPTER Displaying Information About Ports NTERFACE To display the detailed port statistics, click Monitor, Ports, Detailed Statistics. Figure 94: Detailed Port Statistics – 209 –...
Page 210: Displaying Information About Security Settings
| Monitoring the Switch HAPTER Displaying Information About Security Settings ISPLAYING NFORMATION BOUT ECURITY ETTINGS You can use the Monitor/Security menu to display statistics on management traffic, security controls for client access to the data ports, and the status of remote authentication access servers. Use the Access Management Statistics page to view statistics on traffic ISPLAYING CCESS...
Page 211: Displaying Information About Switch Settings For Port Security
| Monitoring the Switch HAPTER Displaying Information About Security Settings Use the Port Security Switch Status page to show information about MAC ISPLAYING address learning for each port, including the software module requesting NFORMATION BOUT port security services, the service state, the current number of learned WITCH ETTINGS FOR addresses, and the maximum number of secure addresses allowed.
Page 212: Figure 96: Port Security Switch Status
| Monitoring the Switch HAPTER Displaying Information About Security Settings Limit Reached: The Port Security service is enabled by at least the ■ Limit Control user module, and that module has indicated that the limit is reached and no more MAC addresses should be taken in. Shutdown: The Port Security service is enabled by at least the Limit ■...
Page 213: Displaying Information About Learned Mac Addresses
| Monitoring the Switch HAPTER Displaying Information About Security Settings Use the Port Security Port Status page to show the entries authorized by ISPLAYING port security services, including MAC address, VLAN ID, time added to NFORMATION BOUT table, age, and hold state. EARNED DDRESSES Monitor, Security, Network, Port Security, Port...
Page 214: Displaying Port Status For Authentication Services
| Monitoring the Switch HAPTER Displaying Information About Security Settings Use the Network Access Server Switch Status page to show the port status ISPLAYING for authentication services, including 802.1X security state, last source TATUS FOR address used for authentication, and last ID. UTHENTICATION ERVICES Monitor, Security, Network, NAS, Switch...
Page 215: Service
| Monitoring the Switch HAPTER Displaying Information About Security Settings NTERFACE To display port status for authentication services, click Monitor, Security, Network, NAS, Switch. Figure 98: Network Access Server Switch Status Use the NAS Statistics Port selection page to display authentication ISPLAYING statistics for the selected port –...
Page 216 | Monitoring the Switch HAPTER Displaying Information About Security Settings Port Counters Receive EAPOL Counters Total – The number of valid EAPOL frames of any type that have been ◆ received by the switch. Response ID – The number of valid EAPOL Response Identity frames ◆...
Page 217 | Monitoring the Switch HAPTER Displaying Information About Security Settings Other Requests – ◆ 802.1X-based: Counts the number of times that the switch sends ■ an EAP Request packet following the first to the supplicant. Indicates that the backend server chose an EAP-method. MAC-based: Not applicable.
Page 218 | Monitoring the Switch HAPTER Displaying Information About Security Settings Selected Counters This table is visible when the port is one of the following administrative states: Multi 802.1X or MAC-based Auth. The table is identical to and is placed next to the Port Counters table, and will be empty if no MAC address is currently selected.
Page 219: Displaying Acl Status
| Monitoring the Switch HAPTER Displaying Information About Security Settings Figure 99: NAS Statistics for Specified Port Use the ACL Status page to show the status for different security modules ISPLAYING which use ACL filtering, including ingress port, frame type, and forwarding TATUS action.
Page 220: Figure 100: Acl Status
| Monitoring the Switch HAPTER Displaying Information About Security Settings IPv4/ICMP: ACE will match IPv4 frames with ICMP protocol. ■ IPv4/UDP: ACE will match IPv4 frames with UDP protocol. ■ IPv4/TCP: ACE will match IPv4 frames with TCP protocol. ■ IPv4/Other: ACE will match IPv4 frames, which are not ICMP/UDP ■...
Page 221: Displaying Statistics For Dhcp Snooping
| Monitoring the Switch HAPTER Displaying Information About Security Settings Use the DHCP Snooping Port Statistics page to show statistics for various ISPLAYING types of DHCP protocol packets. TATISTICS FOR DHCP S NOOPING Monitor, Security, Network, DHCP, Snooping Statistics ARAMETERS These parameters are displayed: ◆...
Page 222: Displaying Dhcp Relay Statistics
| Monitoring the Switch HAPTER Displaying Information About Security Settings Figure 101: DHCP Snooping Statistics Use the DHCP Relay Statistics page to display statistics for the DHCP relay DHCP ISPLAYING service supported by this switch and DHCP relay clients. ELAY TATISTICS Monitor, Security, Network, DHCP, Relay Statistics ARAMETERS...
Page 223: Displaying Mac Address Bindings For Arp Packets
| Monitoring the Switch HAPTER Displaying Information About Security Settings Receive Bad Remote ID – The number of packets with a Remote ID ◆ option that did not match a known remote ID. Client Statistics Transmit to Client – The number of packets that were relayed from ◆...
Page 224: Displaying Entries In The Ip Source Guard Table
| Monitoring the Switch HAPTER Displaying Information About Security Settings NTERFACE To display the Dynamic ARP Inspection Table, click Monitor, Security, Network, ARP Inspection. Figure 103: Dynamic ARP Inspection Table Open the Dynamic IP Source Guard Table to display entries sorted first by ISPLAYING NTRIES port, then VLAN ID, MAC address, and finally IP address.
Page 225: Displaying Information On Authentication Servers
| Monitoring the Switch HAPTER Displaying Information on Authentication Servers ISPLAYING NFORMATION ON UTHENTICATION ERVERS Use the Monitor/Authentication pages to display information on RADIUS authentication and accounting servers, including the IP address and statistics for each server. Use the RADIUS Overview page to display a list of configured ISPLAYING A IST OF authentication and accounting servers.
Page 226: Displaying Statistics For Configured Authentication Servers
| Monitoring the Switch HAPTER Displaying Information on Authentication Servers Use the RADIUS Details page to display statistics for configured ISPLAYING authentication and accounting servers. The statistics map closely to those TATISTICS FOR specified in RFC4668 - RADIUS Authentication Client MIB. ONFIGURED UTHENTICATION ERVERS...
Page 227 | Monitoring the Switch HAPTER Displaying Information on Authentication Servers Accept, Access-Reject, Access-Challenge, timeout, or retransmission. Timeouts – The number of authentication timeouts to the server. ■ After a timeout, the client may retry to the same server, send to a different server, or give up.
Page 228 | Monitoring the Switch HAPTER Displaying Information on Authentication Servers Packets Dropped – The number of RADIUS packets that were ■ received from the server on the accounting port and dropped for some other reason. Transmit Packets ◆ Requests – The number of RADIUS packets sent to the server. This ■...
Page 229: Displaying Information On Lacp
| Monitoring the Switch HAPTER Displaying Information on LACP NTERFACE To display statistics for configured authentication and accounting servers, click Monitor, Authentication, RADIUS Details. Figure 106: RADIUS Details LACP ISPLAYING NFORMATION ON Use the monitor pages for LACP to display information on LACP configuration settings, the functional status of participating ports, and statistics on LACP control packets.
Page 230: Displaying Lacp Port Status
| Monitoring the Switch HAPTER Displaying Information on LACP Partner System ID – LAG partner's system ID (MAC address). ◆ Partner Key – The Key that the partner has assigned to this LAG. ◆ Last Changed – The time since this LAG changed. ◆...
Page 231: Displaying Lacp Port Statistics
| Monitoring the Switch HAPTER Displaying Information on LACP NTERFACE To display LACP status for local ports this switch, click Monitor, LACP, Port Status. Figure 108: LACP Port Status Use the LACP Port Statistics page to display statistics on LACP control LACP ISPLAYING packets crossing on each port.
Page 232: Displaying Information On The Spanning Tree
| Monitoring the Switch HAPTER Displaying Information on the Spanning Tree ISPLAYING NFORMATION ON THE PANNING Use the monitor pages for Spanning Tree to display information on spanning tree bridge status, the functional status of participating ports, and statistics on spanning tree protocol packets. Use the Bridge Status page to display STA information on the global bridge ISPLAYING RIDGE...
Page 233 | Monitoring the Switch HAPTER Displaying Information on the Spanning Tree Internal Root Cost – The Regional Root Path Cost. For the Regional ◆ Root Bridge this is zero. For all other CIST instances in the same MSTP region, it is the sum of the Internal Port Path Costs on the least cost path to the Internal Root Bridge.
Page 234: Displaying Port Status For Sta
| Monitoring the Switch HAPTER Displaying Information on the Spanning Tree NTERFACE To display an overview of all STP bridge instances, click Monitor, Spanning Tree, Bridge Status. Figure 110: Spanning Tree Bridge Status To display detailed information on a single STP bridge instance, along with port state for all active ports associated, Click Monitor, Spanning Tree, Bridge Status.
Page 235: Displaying Port Statistics For Sta
| Monitoring the Switch HAPTER Displaying Information on the Spanning Tree CIST Role – Roles are assigned according to whether the port is part of ◆ the active topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port);...
Page 236: Displaying Mvr Information
| Monitoring the Switch HAPTER Displaying MVR Information RSTP – The number of RSTP Configuration BPDU's received/ ◆ transmitted on a port. STP – The number of legacy STP Configuration BPDU's received/ ◆ transmitted on a port. TCN – The number of (legacy) Topology Change Notification BPDU's ◆...
Page 237: Displaying Mvr Group Information
| Monitoring the Switch HAPTER Displaying MVR Information V2 Leaves Received – The number of IGMP V2 leaves received. ◆ NTERFACE To display information for MVR statistics, click Monitor, MVR, Statistics. Figure 114: MVR Statistics Use the MVR Group Information page to display statistics for IGMP protocol ISPLAYING messages used by MVR;...
Page 238: Showing Igmp Snooping Information
| Monitoring the Switch HAPTER Showing IGMP Snooping Information NTERFACE To display information for MVR statistics and multicast groups, click Monitor, MVR, Group Information. Figure 115: MVR Group Information IGMP S HOWING NOOPING NFORMATION Use the IGMP Snooping pages to display IGMP snooping statistics, port members of each service group, and information on source-specific groups.
Page 239: Showing Igmp Snooping Group Information
| Monitoring the Switch HAPTER Showing IGMP Snooping Information V2 Reports Received – The number of received IGMP Version 2 ◆ reports. V3 Reports Received – The number of received IGMP Version 3 ◆ reports. V2 Leaves Received – The number of received IGMP Version 2 leave ◆...
Page 240: Showing Ipv4 Ssm Information
| Monitoring the Switch HAPTER Showing IGMP Snooping Information Port Members – The ports assigned to the listed VLAN which ◆ propagate a specific multicast service. NTERFACE To display the port members of each service group, click Monitor, IGMP Snooping, Group Information. Figure 117: IGMP Snooping Group Information Use the IGMP SSM Information page to display IGMP Source-Specific 4 SSM...
Page 241: Showing Mld Snooping Information
| Monitoring the Switch HAPTER Showing MLD Snooping Information NTERFACE To display IGMP Source-Specific Information, click Monitor, IGMP Snooping, IGMP SSM Information. Figure 118: IPv4 SSM Information MLD S HOWING NOOPING NFORMATION Use the MLD Snooping pages to display MLD snooping statistics, port members of each service group, and information on source-specific groups.
Page 242: Showing Mld Snooping Group Information
| Monitoring the Switch HAPTER Showing MLD Snooping Information V2 Reports Received – The number of received MLD Version 2 ◆ reports. V1 Leaves Received – The number of received MLD Version 1 leave ◆ reports. Router Port ◆ Port – Port Identifier. ◆...
Page 243: Showing Ipv6 Ssm Information
| Monitoring the Switch HAPTER Showing MLD Snooping Information NTERFACE To display the port members of each service group, click Monitor, MLD Snooping, Group Information. Figure 120: MLD Snooping Group Information Use the MLD SSM Information page to display MLD Source-Specific 6 SSM HOWING Information including group, filtering mode (include or exclude), source...
Page 244: Displaying Lldp Information
| Monitoring the Switch HAPTER Displaying LLDP Information LLDP I ISPLAYING NFORMATION Use the monitor pages for LLDP to display information advertised by LLDP neighbors and statistics on LLDP control frames. Use the LLDP Neighbor Information page to display information about LLDP ISPLAYING devices connected directly to the switch’s ports which are advertising...
Page 245: Displaying Lldp-Med Neighbor Information
| Monitoring the Switch HAPTER Displaying LLDP Information Management Address – The IPv4 address of the remote device. If no ◆ management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. If the neighbor device allows management access, clicking on an entry in this field will re-direct the web browser to the neighbor’s management interface.
Page 246 | Monitoring the Switch HAPTER Displaying LLDP Information example will any LLDP-MED Endpoint Device claiming compliance as a Media Endpoint (Class II) also support all aspects of TIA-1057 applicable to Generic Endpoints (Class I), and any LLDP-MED Endpoint Device claiming compliance as a Communication Device (Class III) will also support all aspects of TIA-1057 applicable to both Media Endpoints (Class II) and Generic Endpoints (Class I).
Page 247: Displaying Lldp Neighbor Eee Information
| Monitoring the Switch HAPTER Displaying LLDP Information Application Type – The primary function of the application(s) defined ◆ for this network policy, and advertised by an Endpoint or Network Connectivity Device. The possible application types are described under "Configuring LLDP-MED TLVs" on page 149.
Page 248: Figure 124: Lldp Neighbor Eee Information
| Monitoring the Switch HAPTER Displaying LLDP Information Tx Tw – The link partner's maximum time that the transmit path can ◆ hold off sending data after de-assertion of Lower Power Idle (LPI) mode. (Tw indicates Wake State Time) Rx Tw – The link partner's time the receiver would like the transmitter ◆...
Page 249: Displaying Lldp Port Statistics
| Monitoring the Switch HAPTER Displaying LLDP Information Use the LLDP Port Statistics page to display statistics on LLDP global LLDP ISPLAYING counters and control frames. TATISTICS Monitor, LLDP, Port Statistics ARAMETERS These parameters are displayed: Global Counters Neighbor entries were last changed at – The time the LLDP ◆...
Page 250: Displaying Lldp Neighbor Poe Information
| Monitoring the Switch HAPTER Displaying LLDP Information Age-Outs – Each LLDP frame contains information about how long the ◆ LLDP information is valid (age-out time). If no new LLDP frame is received within the age-out time, the LLDP information is removed, and the Age-Out counter is incremented.
Page 251: Displaying Poe Status
| Monitoring the Switch HAPTER Displaying PoE Status For a PD device, it can run on its local power supply or use the PSE as a power source. It can also use both its local power supply and the PSE. If it is unknown what power supply the PD device is using, this is indicated as “Unknown.”...
Page 252: Displaying The Mac Address Table
| Monitoring the Switch HAPTER Displaying the MAC Address Table Class 3: Max. power 15.4 W ■ Class 4: Max. power 30.0 W ■ Power Requested – Amount of power the PD wants to be reserved. ◆ Power Allocated – Amount of power the switch has allocated for the ◆...
Page 253: Displaying Information About Vlans
| Monitoring the Switch HAPTER Displaying Information About VLANs VLAN – The VLAN containing this entry. ◆ MAC Address – Physical address associated with this interface. ◆ Port Members – The ports associated with this entry. ◆ NTERFACE To display the address table, click Monitor, MAC Address Table. Figure 128: MAC Address Table VLAN ISPLAYING...
Page 254: Vlan Port Status
| Monitoring the Switch HAPTER Displaying Information About VLANs Voice VLAN: A VLAN configured specially for voice traffic typically ■ originating from IP phones. MSTP: The 802.1s Multiple Spanning Tree protocol uses VLANs to ■ create multiple spanning trees in a network, which significantly improves network resource utilization while maintaining a loop-free environment.
Page 255: Figure 130: Showing Vlan Port Status
| Monitoring the Switch HAPTER Displaying Information About VLANs PVID – The native VLAN assigned to untagged frames entering this ◆ port. VLAN Aware - Configures whether or not a port processes the ◆ VLAN ID in ingress frames. (Default: Disabled) If a port is not VLAN aware, all frames are assigned to the default VLAN (as specified by the Port VLAN ID) and tags are not removed.
Page 256: Displaying Information About Mac-Based Vlans
| Monitoring the Switch HAPTER Displaying Information About MAC-based VLANs MAC- VLAN ISPLAYING NFORMATION BOUT BASED Use the MAC-based VLAN Membership Configuration page to display the MAC address to VLAN map entries. Monitor, VCL, MAC-based VLAN ARAMETERS These parameters are displayed: MAC-based VLAN User –...
Page 257: Performing Basic Diagnostics
ERFORMING ASIC IAGNOSTICS This chapter describes how to test network connectivity using Ping for IPv4 or IPv6, and how to test network cables. INGING AN DDRESS The Ping page is used to send ICMP echo request packets to another node on the network to determine if it can be reached.
Page 258: Running Cable Diagnostics
| Performing Basic Diagnostics HAPTER Running Cable Diagnostics Figure 132: ICMP Ping UNNING ABLE IAGNOSTICS The VeriPHY page is used to perform cable diagnostics for all ports or selected ports to diagnose any cable faults (short, open, etc.) and report the cable length.
Page 259: Figure 133: Veriphy Cable Diagnostics
| Performing Basic Diagnostics HAPTER Running Cable Diagnostics NTERFACE To run cable diagnostics: Click Diagnostics, VeriPHY. Select all ports or indicate a specific port for testing. Click Start. If a specific port is selected, the test will take approximately 5 seconds. If all ports are selected, it can run approximately 15 seconds.
Page 260 | Performing Basic Diagnostics HAPTER Running Cable Diagnostics – 260 –...
Page 261: Performing System Maintenance
ERFORMING YSTEM AINTENANCE This chapter describes how to perform basic maintenance tasks including upgrading software, restoring or saving configuration settings, and resetting the switch. ESTARTING THE WITCH Use the Restart Device page to restart the switch. Maintenance, Restart Device NTERFACE To restart the switch Click Maintenance, Restart Device.
Page 262: Restoring Factory Defaults
IRMWARE Use the Software Upload page to upgrade the switch’s system firmware by specifying a file provided by SMC/Edge-Core. You can download firmware files for your switch from the Support section of the SMC/Edge-Core web site. Maintenance, Software Upload NTERFACE To upgrade firmware: Click Maintenance, Software Upload.
Page 263: Managing Configuration Files
| Performing System Maintenance HAPTER Managing Configuration Files Click the Upload button to upgrade the switch’s firmware. After the software image is uploaded, a page announces that the firmware update has been initiated. After about a minute, the firmware is updated and the switch is rebooted.
Page 264: Restoring Configuration Settings
| Performing System Maintenance HAPTER Managing Configuration Files Figure 137: Configuration Save Use the Configuration Upload page to restore previously saved ESTORING configuration settings to the switch from a file on your local management ONFIGURATION station. ETTINGS Maintenance, Configuration, Upload NTERFACE To restore your current configuration settings: Click Maintenance, Configuration, Upload.
Page 265: Ection
ECTION PPENDICES This section provides additional information and includes these items: "Software Specifications" on page 266 ◆ "Troubleshooting" on page 270 ◆ "License Information" on page 272 ◆ – 265 –...
Page 266: Specifications
OFTWARE PECIFICATIONS OFTWARE EATURES Local, RADIUS, TACACS+, AAA, Port Authentication (802.1X), HTTPS, SSH, ANAGEMENT Port Security, IP Filter, DHCP Snooping UTHENTICATION Access Control Lists (128 rules per system), Port Authentication (802.1X), LIENT CCESS MAC Authentication, Port Security, DHCP Snooping, IP Source Guard, ARP ONTROL Inspection 100BASE-TX: 10/100 Mbps, half/full duplex...
Page 267: Management Features
| Software Specifications PPENDIX Management Features Up to 128 groups; port-based, protocol-based, tagged (802.1Q), VLAN S UPPORT private VLANs, voice VLANs, and MAC-based Supports four levels of priority LASS OF ERVICE Strict, Weighted Round Robin Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS bit, VLAN tag priority, or port Layer 3/4 priority mapping: IP DSCP remarking DiffServ supports DSCP remarking, ingress traffic policing, and egress...
Page 268: Standards
| Software Specifications PPENDIX Standards TANDARDS ANSI/TIA-1057 LLDP for Media Endpoint Discovery - LLDP-MED IEEE 802.1AB Link Layer Discovery Protocol IEEE-802.1ad Provider Bridge IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802.1p Priority tags IEEE 802.1Q-2005 VLAN IEEE 802.1v Protocol-based VLANs...
Page 269 | Software Specifications PPENDIX Management Information Bases Entity MIB version 3 (RFC 4133) Ether-like MIB (RFC 3635) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB using SMI v2 (RFC 2863) Interfaces Evolution MIB (RFC 2863) IP MIB (RFC 2011) IP Multicasting related MIBs...
Page 270: B Troubleshooting
ROUBLESHOOTING ROBLEMS CCESSING THE ANAGEMENT NTERFACE Table 14: Troubleshooting Chart Symptom Action Cannot connect using a ◆ Be sure the switch is powered up. web browser, or SNMP ◆ Check network cabling between the management station and software the switch. ◆...
Page 271: Using System Logs
| Troubleshooting PPENDIX Using System Logs SING YSTEM If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
Page 272: Information
ICENSE NFORMATION This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
Page 273: License Information
| License Information PPENDIX The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Page 274 | License Information PPENDIX The GNU General Public License b). Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
Page 275 | License Information PPENDIX The GNU General Public License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Page 276: Glossary
LOSSARY Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
Page 277 LOSSARY Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
Page 278 LOSSARY Generic Multicast Registration Protocol. GMRP allows network devices to GMRP register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. Specifies a general method for the operation of MAC bridges, including the IEEE 802.1D Spanning Tree Protocol.
Page 279 LOSSARY On each subnetwork, one IGMP-capable device will act as the querier — IGMP Q UERY that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
Page 280 LOSSARY MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Page 281 LOSSARY Defines a network link aggregation and trunking method which specifies RUNK how to create a single high-speed logical link that combines several lower- speed physical links. Private VLANs provide port-based security and isolation between ports VLAN RIVATE within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
Page 282 LOSSARY Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Spanning Tree Algorithm is a technology that checks your network for any loops.
Page 283 LOSSARY – 283 –...
Page 284: Index
NDEX classification, QoS 188 rewriting, port 184 acceptable frame type 163 translation, port 184 Access Control List See ACL translation, QoS 187 ACL 88 dynamic addresses, displaying 158 binding to a port 88 address table 158 aging time 158 address, management access 28 edge port, STA 127 ARP inspection 106 EEE, LLDP neighbor information 247...
Page 285 NDEX snooping, fast leave 135 RADIUS client 109 throttling 136 RADIUS server 109 ingress classification, QoS 186 settings 109 ingress filtering 163 TACACS+ client 59 ingress port tag classification, QoS 177 TACACS+ server 59 IP address, setting 42 IP source guard, configuring static entries 105 IPv4 address DHCP 42 main menu 33...
Page 286 NDEX ingress classification 186 ingress port classification 176 passwords 28 ingress port tag classification 177 path cost 126 port classification 176 STA 126 port remarking 181 port shaper 178 configuring 155 QCE 190 port power allocation 156 QCL status 206 power budget 157 queue scheduler 178 priority setting 157...
Page 287 NDEX static addresses, setting 159 statistics, port 205 VLANs STP 119 acceptable frame type 163 global settings, displaying 122 adding static members 161 settings, configuring 122 creating 161 STP Also see STA description 160 switch settings displaying port members 162 restoring 263 egress mode 163 saving 263...
Page 288 Taiwan 30077 Tel: +886 3 5770270 From U.S.A. and Canada (24 hours a day, 7 days a week) Tel: +1 (800) SMC-4-YOU/+1 (949) 679-8000 Fax: +1 (949) 679-1481 Fax: +886 3 5780764 Asia-Pacific Office (for Asia-Pacific): Technical Support information at www.smc-asia.com 1 Coleman Street (for Middle East): Technical Support information at muneer@smc-asia.com...

SMC Networks SMCGS10P-SMART Management Manual

Warranty and Product Registration

About this Guide

Contents

Figures

Tables

Sectioni

Getting Started

1 Introduction

2 Initial Switch Configuration

Ection

Web Configuration

3 Using the Web Interface

4 Configuring the Switch

5 Monitoring the Switch

Quick Links

MANAGEMENT GUIDE

Related Manuals for SMC Networks SMCGS10P-SMART

Summary of Contents for SMC Networks SMCGS10P-SMART