ABOUT THIS GUIDE

PURPOSE  This guide gives specific information on how to operate and use the management functions of the switch.

AUDIENCE  The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONTENTS

ABOUT THIS GUIDE
CONTENTS
FIGURES
TABLES

SECTION  GETTING STARTED
  INTRODUCTION
    Key Features
    Description of Software Features
    System Defaults
  INITIAL SWITCH CONFIGURATION

SECTION  CONFIGURATION USING THE WEB INTERFACE
  Navigating the Web Browser Interface
    Home Page
    Configuration Options
    Panel Display
    Main Menu
  CONFIGURING THE SWITCH
    Configuring System Information
    Setting an IP Address
    ...
    Configuring Power Reduction
      Reducing Power to Idle Queue Circuits
    Configuring Port Connections
    Configuring Security
      Configuring User Accounts
      Configuring User Privilege Levels
      Configuring the Authentication Method for Management Access
      Configuring SSH
      Configuring HTTPS
      Filtering IP Addresses for Management Access
      Using Simple Network Management Protocol
      Remote Monitoring
      Configuring Port Limit Controls
      Configuring Authentication Through Network Access Servers
    ...
    MLD Snooping
      Configuring Global and Port-Related Settings for MLD Snooping
      Configuring VLAN Settings for MLD Snooping and Query
      Configuring MLD Filtering
    Link Layer Discovery Protocol
      Configuring LLDP Timing and TLVs
      Configuring LLDP-MED TLVs
    Configuring the MAC Address Table
    IEEE 802.1Q VLANs
      Assigning Ports to VLANs
      Configuring VLAN Attributes for Port Members
      Using Port Isolation
    ...
    Configuring UPnP
    Configuring sFlow
  MONITORING THE SWITCH
    Displaying Basic Information About the System
      Displaying System Information
      Displaying CPU Utilization
      Displaying Log Messages
      Displaying Log Details
    Displaying Information About Ports
      Displaying Port Status On the Front Panel
      Displaying an Overview of Port Statistics
      Displaying QoS Statistics
      Displaying QCL Status
      Displaying Detailed Port Statistics
    ...
    Displaying LACP Port Statistics
    Displaying Information on the Spanning Tree
      Displaying Bridge Status for STA
      Displaying Port Status for STA
      Displaying Port Statistics for STA
    Displaying MVR Information
      Displaying MVR Statistics
      Displaying MVR Group Information
      Displaying MVR SFM Information
    Showing IGMP Snooping Information
      Showing IGMP Snooping Status
      Showing IGMP Snooping Group Information
    ...
    Managing Configuration Files
      Saving Configuration Settings
      Restoring Configuration Settings

SECTION  APPENDICES
  SOFTWARE SPECIFICATIONS
    Software Features
    Management Features
    Standards
    Management Information Bases
  TROUBLESHOOTING
    Problems Accessing the Management Interface
    Using System Logs
  LICENSE INFORMATION
    The GNU General Public License
  GLOSSARY
  INDEX
  ...

FIGURES

Figure 1: Home Page
Figure 2: Front Panel Indicators
Figure 3: System Information Configuration
Figure 4: IP Configuration
Figure 5: IPv6 Configuration
Figure 6: NTP Configuration
Figure 7: Time Zone and Daylight Savings Time Configuration
Figure 8: Configuring Settings for Remote Logging of Error Messages
Figure 9: Configuring EEE Power Reduction
Figure 10: Port Configuration
Figure 11: Showing User Accounts
...
Figure 32: ACL Port Configuration
Figure 33: ACL Rate Limiter Configuration
Figure 34: Access Control List Configuration
Figure 35: DHCP Snooping Configuration
Figure 36: DHCP Relay Configuration
Figure 37: Configuring Global and Port-based Settings for IP Source Guard
Figure 38: Configuring Static Bindings for IP Source Guard
Figure 39: Configuring Global and Port Settings for ARP Inspection
Figure 40: Configuring Static Bindings for ARP Inspection
Figure 41: Authentication Configuration
...
Figure 68: Configuring Protocol VLANs
Figure 69: Assigning Ports to Protocol VLANs
Figure 70: Assigning Ports to an IP Subnet-based VLAN
Figure 71: Configuring Global and Port Settings for a Voice VLAN
Figure 72: Configuring an OUI Telephony List
Figure 73: Configuring Ingress Port QoS Classification
Figure 74: Configuring Ingress Port Policing
Figure 75: Displaying Egress Port Schedulers
...
Figure 104: Detailed Port Statistics
Figure 105: Access Management Statistics
Figure 106: Port Security Switch Status
Figure 107: Port Security Port Status
Figure 108: Network Access Server Switch Status
Figure 109: NAS Statistics for Specified Port
Figure 110: ACL Status
Figure 111: DHCP Snooping Statistics
Figure 112: DHCP Relay Statistics
Figure 113: Dynamic ARP Inspection Table
...
Figure 140: LLDP Port Statistics (no header)
Figure 141: MAC Address Table
Figure 142: Showing VLAN Members
Figure 143: Showing VLAN Port Status
Figure 144: Showing MAC-based VLAN Membership Status
Figure 145: Showing sFlow Statistics
Figure 146: ICMP Ping
Figure 147: VeriPHY Cable Diagnostics
Figure 148: Restart Device
Figure 149: Factory Defaults
...

TABLES

Table 1: Key Features
Table 2: System Defaults
Table 3: Web Page Configuration Buttons
Table 4: Main Menu
Table 5: HTTPS System Support
Table 6: SNMP Security Models and Levels
Table 7: Dynamic QoS Profiles
Table 8: QCE Modification Buttons
Table 9: Recommended STA Path Cost Range
Table 10: Recommended STA Path Costs
Table 11: Default STA Path Costs
...
SECTION  GETTING STARTED

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters:
◆ "Introduction" on page 23
◆ ...
INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Description of Software Features

Table 1: Key Features (Continued)
Feature | Description
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 4K using IEEE 802.1Q, port-based, protocol-based, private VLANs, voice VLANs, and QinQ tunnel
Traffic Prioritization | Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/...

ACCESS CONTROL LISTS  ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority).

be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D BRIDGE  The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or...

VIRTUAL LANS  The switch supports up to 4096 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard.

QUALITY OF SERVICE  Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists.

System Defaults

Table 2: System Defaults (Continued)
Function | Parameter | Default
SNMP | SNMP Agent | Disabled
SNMP | Community Strings | “public” (read only); “private” (read/write)
SNMP | Traps | Global: disabled; Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: default_view; Group: default_rw_group
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | ...

Table 2: System Defaults (Continued)
Function | Parameter | Default
IP Settings | Management VLAN | VLAN 1
IP Settings | IP Address | 192.168.1.1
IP Settings | Subnet Mask | 255.255.255.0
IP Settings | Default Gateway | 0.0.0.0
IP Settings | DHCP | Client: Disabled; Snooping: Disabled; Proxy service: Disabled
Multicast Filtering | IGMP Snooping | Snooping: Disabled; Querier: Disabled
Multicast Filtering | MLD Snooping | ...
INITIAL SWITCH CONFIGURATION

This chapter includes information on connecting to the switch and basic configuration procedures. To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed.

“admin” from the User Configuration list, fill in the Password fields, and then click Save.
SECTION  CONFIGURATION

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters:
◆ "Using the Web Interface" on page 35
◆ "Configuring the Switch" on page 45
◆ ...
USING THE WEB INTERFACE

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Mozilla Firefox 2.0.0.0, or more recent versions).

Navigating the Web Browser Interface

CONFIGURATION OPTIONS  Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 4: Main Menu (Continued)
Menu | Description
Aggregation
  Static | Specifies ports to group into static trunks
  LACP | Allows ports to dynamically join trunks
Spanning Tree
  Bridge Settings | Configures global bridge settings for STP, RSTP and MSTP; also configures edge port settings for BPDU filtering, BPDU guard, and port error recovery
  MSTI Mapping | ...

Table 4: Main Menu (Continued)
Menu | Description
Access Management | Sets IP addresses of clients allowed management access via HTTP/HTTPS, SNMP, and Telnet/SSH
SNMP | Simple Network Management Protocol
  System | Configures read-only and read/write community strings for SNMP v1/v2c, engine ID for SNMP v3, and trap parameters...

Table 4: Main Menu (Continued)
Menu | Description
Protocol-based VLAN
  Protocol to Group | Creates a protocol group, specifying supported protocols
  Group to VLAN | Maps a protocol group to a VLAN for specified ports
IP Subnet-based VLAN | Maps traffic for a specified IP subnet to a VLAN...

Table 4: Main Menu (Continued)
Menu | Description
sFlow | Samples traffic flows, and forwards data to designated collector
Monitor
  System Information | Displays basic system description, switch’s MAC address, system time, and software version
  CPU Load | Displays graphic scale of CPU utilization
  Displays logged messages based on severity...

Table 4: Main Menu (Continued)
Menu | Description
ARP Inspection | Displays entries in the ARP inspection table, sorted first by port, then VLAN ID, MAC address, and finally IP address
IP Source Guard | Displays entries in the IP Source Guard table, sorted first by port, then VLAN ID, MAC address, and finally IP address...

Table 4: Main Menu (Continued)
Menu | Description
Group Information | Displays active MLD groups
IPv6 SFM Information | Displays MLD Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)
LLDP | Link Layer Discovery Protocol...

Table 4: Main Menu (Continued)
Menu | Description
Configuration
  Save | Saves configuration settings to a file on the management station
  Upload | Restores configuration settings from a file on the management station

The Basic Configuration menu is a subset of Advanced Configuration.
CONFIGURING THE SWITCH

This chapter describes all of the basic configuration tasks.

CONFIGURING SYSTEM INFORMATION  Use the System Information Configuration page to identify the system by configuring contact information, system name, and the location of the switch.

Basic/Advanced Configuration, System, Information

PARAMETERS  These parameters are displayed:
◆ System Contact – ...

SETTING AN IP ADDRESS  This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types.

◆ IP Router – IP address of the gateway router between the switch and management stations that exist on other network segments.
◆ VLAN ID – ID of the configured VLAN. By default, all ports on the ...

SETTING AN IPV6 ADDRESS  Use the IPv6 Configuration page to configure an IPv6 address for management access to the switch.

IPv6 includes two distinct address types - link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet.

interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the interface identifier;
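The modified EUI-64 derivation described above, worked through in Python as an added example (this is not code from the manual or from the switch firmware). It builds the interface identifier from a 48-bit MAC, combines it with a /64 prefix such as one learned from a router advertisement, and also runs the derivation backwards to show why an EUI-64 address reveals the hardware address of the port it was formed from. The MAC address and prefixes are constructed sample values; the `::` expansion relies on the standard `ipaddress` module.

```python
import ipaddress
from typing import Optional


def modified_eui64(mac: str) -> bytes:
    """Return the 64-bit interface identifier derived from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert 0xFFFE between the OUI (first 3 octets) and the NIC-specific part (last 3).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Invert the Universal/Local bit (0x02 in the first octet); this is what makes it *modified* EUI-64.
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as carried in a router advertisement) with the modified EUI-64 of a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration requires a 64-bit prefix")
    host_part = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | host_part)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local addresses always use the fe80::/64 prefix, so only the MAC is needed."""
    return slaac_address("fe80::/64", mac)


def expand(addr: str) -> str:
    """Undo the '::' shorthand: eight colon-separated 16-bit groups, each zero-padded to 4 hex digits."""
    return ipaddress.IPv6Address(addr).exploded


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 interface identifier; None if the IID is not EUI-64 shaped."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    sample_mac = "00:1b:21:0a:0b:0c"  # constructed sample value
    print("link-local:", link_local(sample_mac))
    print("global:    ", slaac_address("2001:db8:1:2::/64", sample_mac))
    print("expanded:  ", expand(str(link_local(sample_mac))))
    print("recovered: ", mac_from_address(str(link_local(sample_mac))))
```

Because the host portion is a deterministic function of the MAC, anyone who can see the switch's IPv6 management address can read its MAC back out of it, and anyone who knows the MAC (printed on the chassis, visible in LLDP) can predict the management address for every advertised prefix. That is the operational consequence of the sentence above, and it is worth weighing when deciding whether to rely on an autoconfigured address for management access rather than a statically assigned one.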
CONFIGURING NTP SERVICE  Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.

CONFIGURING THE TIME ZONE AND DAYLIGHT SAVINGS TIME  Use the Time Zone and Daylight Savings Time page to set the time zone and Daylight Savings Time.

◆ Time Zone – NTP/SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.

■ Non-Recurring – Sets the start, end, and offset times of summer time for the switch on a one-time basis.
■ From – Start time for summer-time.
■ To – ...

Figure 7: Time Zone and Daylight Savings Time Configuration

CONFIGURING REMOTE LOG MESSAGES  Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types.

acknowledgments. The syslog packet will always be sent out even if the syslog server does not exist.

PARAMETERS  These parameters are displayed:
◆ Server Mode – Enables/disables the logging of debug or error ...

CONFIGURING POWER REDUCTION  The switch provides power saving methods including powering down the circuitry for port queues when not in use.

REDUCING POWER TO IDLE QUEUE CIRCUITS  Use the EEE Configuration page to configure Energy Efficient Ethernet (EEE) for specified queues.

Figure 9: Configuring EEE Power Reduction

CONFIGURING PORT CONNECTIONS  Use the Port Configuration page to configure the connection parameters for each port. This page includes options for enabling auto-negotiation or manually setting the speed and duplex mode, enabling flow control, setting the maximum frame size, specifying the response to excessive collisions, or enabling power saving mode.

The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
Make any required changes to the connection settings. Click Save.

Figure 10: Port Configuration

CONFIGURING SECURITY  You can configure this switch to authenticate users logging into the system for management access or to control client access to the data ports.
◆ Management Access Security (Switch menu) – ...

COMMAND USAGE
◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.” The guest only has read access for most configuration parameters.
◆ ...

WEB INTERFACE  To show user accounts:
1. Click Advanced Configuration, Security, Switch, Users.

Figure 11: Showing User Accounts

To configure a user account:
1. Click Advanced Configuration, Security, Switch, Users.
2. Click “Add new user.”
3. Enter the user name, password, and privilege level.
4. Click Save.

■ Security: Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, and IP source guard.
■ IP: Everything except for ping.
■ Port: Everything except for VeriPHY.
■ ...

Figure 13: Configuring Privilege Levels

CONFIGURING THE AUTHENTICATION METHOD FOR MANAGEMENT ACCESS  Use the Authentication Method Configuration page to specify the authentication method for controlling management access through the console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled ...

pairs with associated privilege levels for each user that requires management access to the switch.

Figure 14: Authentication Server Operation
1. Client attempts management access.
2. Switch contacts authentication server RADIUS/
3. Authentication server challenges client.
4. ...

This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS and TACACS+ server software.
CONFIGURING SSH  Use the SSH Configuration page to configure access to the Secure Shell (SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication.

CONFIGURING HTTPS  Use the HTTPS Configuration page to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.

Advanced Configuration, Security, Switch, HTTPS

USAGE GUIDELINES ...

Figure 17: HTTPS Configuration

FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS  Use the Access Management Configuration page to create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, or SNMP, or Telnet.

Mark the protocols to restrict based on the specified address range. The following example shows how to restrict management access for all protocols to a specific address range.
Click Save.

Figure 18: Access Management Configuration

USING SIMPLE NETWORK MANAGEMENT PROTOCOL  Simple Network Management Protocol (SNMP) is a communication protocol ...

and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
◆ Version - Specifies the SNMP version to use. (Options: SNMP v1, SNMP v2c, SNMP v3; Default: SNMP v2c)
◆ Read Community - The community used for read-only access to the SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public) This parameter only applies to SNMPv1 and SNMPv2c.

8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Trap Authentication Failure - Issues a notification message to ...

To select a name from this field, first enter an SNMPv3 user with the same Trap Security Engine ID in the SNMPv3 Users Configuration menu (see "Configuring SNMPv3 Users" on page 74).

WEB INTERFACE  To configure SNMP system and trap settings:
1. Click Advanced Configuration, Security, Switch, SNMP, System.
Figure 19: SNMP System Configuration

SETTING SNMP COMMUNITY ACCESS STRINGS  Use the SNMPv3 Community Configuration page to set community access strings. All community strings used to authorize access by SNMP v1 and v2c clients should be listed in the SNMPv3 Communities Configuration table.

For SNMPv3, these strings are treated as a Security Name, and are mapped as an SNMPv1 or SNMPv2 community string in the SNMPv3 Groups Configuration table (see "Configuring SNMPv3 Groups" on page 76).
◆ Source IP - Specifies the source address of an SNMP client.

PARAMETERS  These parameters are displayed:
◆ Engine ID - The engine identifier for the SNMP agent on the remote device where the user resides. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s) To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.

Define the user name, security level, authentication and privacy settings.
Click Save.

Figure 21: SNMPv3 User Configuration

CONFIGURING SNMPV3 GROUPS  Use the SNMPv3 Group Configuration page to configure SNMPv3 groups. An SNMPv3 group defines the access policy for assigned users, restricting them to specific read and write views as defined on the SNMPv3 Access Configuration page (page ...

Select the security name. For SNMP v1 and v2c, the security names displayed are based on those configured in the SNMPv3 Communities menu. For USM, the security names displayed are based on those configured in the SNMPv3 Users Configuration menu.
Enter a group name.

WEB INTERFACE  To configure SNMPv3 views:
1. Click Advanced Configuration, Security, Switch, SNMP, Views.
2. Click “Add new view” to set up a new view.
3. Enter the view name, view type, and OID subtree.
4. Click Save.

Figure 23: SNMPv3 View Configuration

CONFIGURING SNMPV3 ...

WEB INTERFACE  To configure SNMPv3 group access rights:
1. Click Advanced Configuration, Security, Switch, SNMP, Access.
2. Click Add New Access to create a new entry.
3. Specify the group name, security settings, read view, and write view.
4. Click Save.
◆ The information collected for each entry includes: drop events, input octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and frames of various sizes.

PARAMETERS  The following parameters are displayed:
◆ ...

PARAMETERS  The following parameters are displayed:
◆ ID - Index to this entry. (Range: 1-65535)
◆ Data Source – Port identifier.
◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets - The number of buckets requested for this entry.

PARAMETERS  The following parameters are displayed:
◆ ID – Index to this entry. (Range: 1-65535)
◆ Interval – The polling interval. (Range: 1-2^31 seconds)
◆ Variable – The object identifier of the MIB variable to be sampled.
◆ ...

◆ Falling Threshold – If the current value is less than the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
◆ Type – Specifies the type of event to initiate:
■ none – No event is generated.
■ log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "Configuring Remote Log Messages" ...

Advanced Configuration, Security, Network, Limit Control

PARAMETERS  The following parameters are displayed:

System Configuration
◆ Mode – Enables or disables Limit Control globally on the switch. If globally disabled, other modules may still use the underlying functionality, but limit checks and corresponding actions are disabled.

Aging enabled, new SNMP traps will be sent every time the limit is exceeded.
■ Shutdown: If Limit + 1 MAC addresses is seen on the port, shut down the port. This implies that all secured MAC addresses will be removed from the port, and no new addresses will be learned.

Figure 29: Port Security Limit Control Configuration

CONFIGURING AUTHENTICATION THROUGH NETWORK ACCESS SERVERS  Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. These backend servers are configured on the AAA menu (see page 119).

these encryption methods in Windows 95 and 98, you can use the AEGIS dot1x client or other comparable client software.) MAC-based authentication allows for authentication of more than one user on the same port, and does not require the user to have special 802.1X software installed on his system.

MAC address in question at regular intervals and free resources if no activity is seen within the given age period. If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will get removed upon the next reauthentication, which will fail.
RADIUS Attributes Used in Identifying a QoS Class

The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet. Only the first occurrence of the attribute in the packet will be considered.

■ Failure to configure the received profiles on the authenticated port.
■ When the last user logs off on a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.

RADIUS Attributes Used in Identifying a VLAN ID

RFC 2868 and RFC 3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:
■ The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-...
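The two RADIUS attribute rules above (User-Priority-Table for the QoS class, and the RFC 2868 tunnel attributes for the VLAN ID), worked through in Python as an added example; this is not code from the manual or the switch, and the Access-Accept attribute bytes it parses are constructed. The attribute type codes (59, 64, 65, 81), the RFC 2868 tag convention (a leading octet of 0x00 to 0x1F is a tag) and the RFC 3580 values Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) come from those RFCs. Two things are assumptions rather than statements on this page and are marked as such in the code: that the three tunnel attributes must share the same tag, and that the QoS class is read from a User-Priority-Table whose eight octets are all the same ASCII digit in the range '0' to '7'.

```python
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type codes from the IANA registry.
USER_PRIORITY_TABLE = 59          # RFC 4675
TUNNEL_TYPE = 64                  # RFC 2868
TUNNEL_MEDIUM_TYPE = 65           # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81      # RFC 2868
TUNNEL_TYPE_VLAN = 13             # RFC 3580, section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6        # RFC 3580, section 3.31


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute region of a RADIUS packet into (type, value) pairs, preserving order."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        # Length covers type and length octets; anything shorter, or overrunning the buffer, is malformed.
        if length < 2 or i + length > len(payload):
            raise ValueError(f"malformed length {length} for attribute {attr_type}")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868 tagging: a first octet in 0x00..0x1F is a tag; otherwise the value is untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Return the VLAN ID the RFC 3580 tunnel attributes select, or None if the criteria are not met."""
    by_tag: Dict[int, Dict[int, object]] = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, rest = split_tag(value)
            if len(rest) != 3:            # tagged integer: 1 tag octet + 3 value octets
                continue
            by_tag.setdefault(tag, {})[attr_type] = int.from_bytes(rest, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = rest
    # ASSUMPTION: the three attributes must carry the same tag to be treated as one set.
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            group_id = group.get(TUNNEL_PRIVATE_GROUP_ID)
            if isinstance(group_id, bytes) and group_id.isdigit():
                vid = int(group_id)
                if 1 <= vid <= 4094:      # reject 0 and 4095, which are not usable VLAN IDs
                    return vid
    return None


def qos_class_from_access_accept(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Return the QoS class from the FIRST User-Priority-Table attribute only, as the manual states."""
    for attr_type, value in attrs:
        if attr_type == USER_PRIORITY_TABLE:
            # ASSUMPTION (not on this page): all 8 octets identical ASCII digits '0'..'7' name the class.
            if len(value) == 8 and len(set(value)) == 1 and 0x30 <= value[0] <= 0x37:
                return value[0] - 0x30
            return None                   # first occurrence malformed: ignore, do not look further
    return None


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (used here only to build the constructed sample)."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed Access-Accept attribute region: VLAN 100 on tag 1, QoS class 5, plus a second
# User-Priority-Table that must be ignored because only the first occurrence counts.
ACCEPT_VLAN_QOS = (
    attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100")
    + attr(USER_PRIORITY_TABLE, b"55555555")
    + attr(USER_PRIORITY_TABLE, b"11111111")
)
# Constructed Access-Accept naming a PPTP tunnel (Tunnel-Type 1): not a VLAN assignment.
ACCEPT_NO_VLAN = attr(TUNNEL_TYPE, b"\x01" + (1).to_bytes(3, "big"))

if __name__ == "__main__":
    parsed = parse_attributes(ACCEPT_VLAN_QOS)
    print("VLAN:", vlan_from_access_accept(parsed), "QoS class:", qos_class_from_access_accept(parsed))
```

The length check in `parse_attributes` is the part a defender should not skip: a RADIUS server is a trusted party, but the parser still runs on whatever arrives on UDP, and an attribute whose length field points past the end of the packet must be rejected rather than read.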
in the Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the port link goes down or the port's Admin State is changed), and if not, the port will be placed in the Guest VLAN.

■ Single 802.1X - At most one supplicant can get authenticated on the port at a time. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered.

The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate.

■ Unauthorized - The port is in Force Unauthorized mode, or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server.
■ X Auth/Y Unauth - The port is in a multi-supplicant mode. X ...

Figure 31: Network Access Server Configuration

FILTERING TRAFFIC WITH ACCESS CONTROL LISTS  An Access Control List (ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria.
| Configuring the Switch HAPTER Configuring Security Policy ID - An ACL policy configured on the ACE Configuration page ◆ (page 102). (Range: 1-8; Default: 1, which is undefined) Action - Permits or denies a frame based on whether it matches a rule ◆...
| Configuring the Switch HAPTER Configuring Security Figure 32: ACL Port Configuration ONFIGURING IMITERS Use the ACL Rate Limiter Configuration page to define the rate limits applied to a port (as configured either through the ACL Ports Configuration menu (page 98) or the Access Control List Configuration menu (page 101).
| Configuring the Switch HAPTER Configuring Security Figure 33: ACL Rate Limiter Configuration ONFIGURING CCESS ONTROL ISTS Use the Access Control List Configuration page to define filtering rules for an ACL policy, for a specific port, or for all ports. Rules applied to a port take effect immediately, while those defined for a policy must be mapped to one or more ports using the ACL Ports Configuration menu (page...
matches this entry when ARP/RARP protocol address space setting is equal to IP (0x800)
■ IPv4 frames (based on destination MAC address, protocol type, TTL, IP fragment, IP option flag, source/destination IP, VLAN ID, VLAN priority)

Parameters

These parameters are displayed:...

◆ Policy Filter - The policy number filter for this ACE:
■ Any - No policy filter is specified (i.e., don't care).
■ Specific - If you want to filter a specific policy with this ACE,...

opcode flag set, Reply - frame must have ARP Reply or RARP Reply opcode flag; Default: Any)
■ Sender IP Filter - Specifies the sender's IP address. (Options: Any - no sender IP filter is specified, Host - specifies the sender IP address in the SIP Address field, Network - specifies the sender IP address and sender IP mask in the SIP Address and SIP Mask fields;...

◆ IPv4:
MAC Parameters
■ DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast; Default: Any)
IP Parameters
■ IP Protocol Filter - Specifies the IP protocol to filter for this rule....

entry, 1 - TCP frames where the SYN field is set must match this entry; Default: Any)
■ TCP RST - Specifies the TCP "Reset the connection" (RST) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the RST field is set must not match this entry, 1 - TCP frames where the RST field is set must match this entry;...

specifies the destination IP address and destination IP mask in the DIP Address and DIP Mask fields; Default: Any)
Response to take when a rule is matched
◆ Action - Permits or denies a frame based on whether it matches an...
Click Save.

Figure 34: Access Control List Configuration

Configuring DHCP Snooping

Use the DHCP Snooping Configuration page to filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or...

◆ Table entries are only learned for trusted interfaces. An entry is dynamically added to or removed from the DHCP snooping table when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.

Parameters

These parameters are displayed:
◆ Snooping Mode – Enables DHCP snooping globally. When DHCP snooping is enabled, DHCP request messages will be forwarded to trusted ports, and reply packets only allowed from trusted ports. (Default: Disabled)
◆ Port –...
Configuring DHCP Relay and Option 82 Information

Use the DHCP Relay Configuration page to configure DHCP relay service for attached host devices. If a subnet does not include a DHCP server, you can relay DHCP client requests to a DHCP server on another subnet. When DHCP relay is enabled and the switch sees a DHCP request broadcast, it inserts its own IP address into the request (so that the DHCP...

Web Interface

To configure DHCP Relay: Click Advanced Configuration, Security, Network, DHCP, Relay. Enable the DHCP relay function, specify the DHCP server's IP address, enable Option 82 information mode, and set the policy by which to handle relay information found in client packets.

◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see "Configuring DHCP Snooping"), or static addresses configured in the source guard binding table.
◆ If IP source guard is enabled, an inbound packet's IP address will be...

dynamic clients is equal to 0, the switch will only forward IP packets that are matched in static entries for a given port. (Default: Unlimited)

Web Interface

To set the IP Source Guard filter for ports: Click Advanced Configuration, Security, Network, IP Source Guard, Configuration.

■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
■ If there is an entry with the same VLAN ID and MAC address, and...
Configuring ARP Inspection

ARP Inspection is a security feature that validates the MAC address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain "man-in-the-middle" attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination.

Configuring Global and Port Settings for ARP Inspection

Use the ARP Inspection Configuration page to enable ARP inspection globally for the switch and for any ports on which it is required.

Advanced Configuration, Security, Network, ARP Inspection, Configuration

Parameters

These parameters are displayed:
Global Configuration...

Configuring Static Bindings for ARP Inspection

Use the Static ARP Inspection Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, source MAC address in ARP request packets, and source IP address in ARP request packets.
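The binding table and ARP inspection check described in the DHCP snooping, IP source guard and ARP inspection sections above, as an added example (not code from this manual or the switch firmware): dynamic bindings are learned from DHCP replies that arrive on trusted ports, a static binding replaces an existing entry with the same VLAN ID and MAC address, and an ARP packet on an untrusted port is forwarded only when its sender MAC/IP pair matches a binding for that VLAN and port. Port numbers, MAC addresses and IP addresses are constructed sample values.

```python
"""Added example (not from the manual or the switch firmware): a DHCP snooping
binding table with the static-entry replacement rule, plus the ARP inspection
check applied to packets on untrusted ports. Ports are ints, MACs are
colon-separated strings; all values are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int
    lease: Optional[int]   # lease time in seconds; None for static entries
    static: bool


class BindingTable:
    """One binding per (VLAN ID, MAC address), dynamic or static."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[int, str], Binding] = {}

    def process_dhcp_reply(self, ingress_port: int, trusted: Set[int],
                           client_mac: str, client_ip: str, vlan: int,
                           client_port: int, lease: int) -> bool:
        """Handle a DHCP reply. Replies are only allowed from trusted ports;
        an allowed reply registers a dynamic binding for the client.
        Returns True if the reply was forwarded, False if it was dropped."""
        if ingress_port not in trusted:
            return False                      # reply on an untrusted port
        key = (vlan, client_mac.lower())
        current = self._entries.get(key)
        if current is None or not current.static:
            self._entries[key] = Binding(client_mac.lower(), client_ip, vlan,
                                         client_port, lease, static=False)
        return True                           # a static entry is kept as-is

    def release(self, client_mac: str, vlan: int) -> bool:
        """Drop the dynamic binding when the client releases its address.
        Static bindings are administrator-configured and are not removed."""
        key = (vlan, client_mac.lower())
        current = self._entries.get(key)
        if current is None or current.static:
            return False
        del self._entries[key]
        return True

    def add_static(self, mac: str, ip: str, vlan: int, port: int) -> None:
        """Static source guard binding: an existing entry with the same
        VLAN ID and MAC address is replaced by the new one."""
        self._entries[(vlan, mac.lower())] = Binding(
            mac.lower(), ip, vlan, port, lease=None, static=True)

    def lookup(self, vlan: int, mac: str) -> Optional[Binding]:
        return self._entries.get((vlan, mac.lower()))


def inspect_arp(table: BindingTable, trusted: Set[int], ingress_port: int,
                vlan: int, sender_mac: str, sender_ip: str) -> bool:
    """ARP inspection for one ARP request or reply. Trusted ports are not
    inspected. On an untrusted port the sender MAC/IP pair must match a
    binding for this VLAN, learned or configured on this same port."""
    if ingress_port in trusted:
        return True
    binding = table.lookup(vlan, sender_mac)
    if binding is None:
        return False                          # no binding: drop the packet
    return binding.ip == sender_ip and binding.port == ingress_port


if __name__ == "__main__":
    # Constructed sample: port 1 is the uplink towards the DHCP server
    # (trusted); a client on port 5 is assigned 10.0.0.10 on VLAN 10.
    uplink = {1}
    table = BindingTable()
    table.process_dhcp_reply(1, uplink, "00:11:22:33:44:55", "10.0.0.10",
                             10, 5, 3600)
    print(inspect_arp(table, uplink, 5, 10, "00:11:22:33:44:55", "10.0.0.10"))
    print(inspect_arp(table, uplink, 5, 10, "00:11:22:33:44:55", "10.0.0.1"))
```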
Specifying Authentication Servers

Use the Authentication Server Configuration page to control management access based on a list of user names and passwords configured on a RADIUS or TACACS+ remote access authentication server, and to authenticate client access for IEEE 802.1X port authentication (see page...

Web Interface

To configure authentication for management access in the web interface: Click Advanced Configuration, Security, AAA. Configure the authentication method for management client types, the common server timing parameters, and address, UDP port, and secret key for each required RADIUS or TACACS+ server.
Creating Trunk Groups

You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches.

Configuring Static Trunks

Use the Aggregation Mode Configuration page to configure the aggregation mode and members of each static trunk group.

Basic/Advanced Configuration, Aggregation, Static

Usage Guidelines
◆ When configuring static trunks, you may not be able to link switches of...

■ Destination MAC Address – All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts.

Figure 42: Static Trunk Configuration

Configuring LACP

Use the LACP Port Configuration page to enable LACP on selected ports, configure the administrative key, and the protocol initiation mode.

Basic/Advanced Configuration, Aggregation, LACP

Usage Guidelines
To avoid creating a loop in the network, be sure you enable LACP before...

◆ Ports assigned to a common link aggregation group (LAG) must meet the following criteria:
■ Ports must have the same LACP Admin Key. Using auto-configuration of the Admin Key will avoid this problem.
■ One of the ports at either the near end or far end must be set to...

Set at least one of the ports in each LAG to Active initiation mode, either at the near end or far end of the trunk. Click Save.

Figure 43: LACP Port Configuration

Configuring the Spanning Tree Algorithm...
Figure 44: STP Root Ports and Designated Ports (figure labels: Designated Root, Root Port, Designated Port, Designated Bridge)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.

An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 132).

◆ Rapid Spanning Tree Protocol
RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
STP Mode –...

priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.)
■ Default: 128
■ Range: 0-240, in steps of 16...

administrative edge is enabled on a port. BPDU filtering is configured on a per-port basis. (Default: Disabled)
◆ Edge Port BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents loops by shutting down an edge port when a BPDU is received instead of putting it into the spanning tree discarding state.
Configuring Multiple Spanning Trees

Use the MSTI Mapping page to add VLAN groups to an MSTP instance (MSTI), or to designate the name and revision of the VLAN-to-MSTI mapping used on this switch.

Basic/Advanced Configuration, Spanning Tree, MSTI Mapping

Command Usage...

MSTI Mapping
◆ MSTI – Instance identifier to configure. The CIST is not available for explicit mapping, as it will receive the VLANs not explicitly mapped. (Range: 1-7)
◆ VLANs Mapped – VLANs to assign to this MST instance. The VLANs...

Configuring Spanning Tree Bridge Priorities

Use the MSTI Priorities page to configure the bridge priority for the CIST and any configured MSTI. Remember that RSTP looks upon each MST Instance as a single bridge node.

Basic/Advanced Configuration, Spanning Tree, MSTI Properties...

Configuring STP/RSTP/CIST Interfaces

Use the CIST Ports Configuration page to configure STA attributes for interfaces when the spanning tree mode is set to STP or RSTP, or for interfaces in the CIST. STA interface attributes include path cost, port priority, edge port (for fast forwarding), automatic detection of an edge port, and point-to-point link type.

Table 10: Recommended STA Path Costs

Port Type       Link Type     IEEE 802.1D-1998   IEEE 802.1w-2001
Ethernet        Half Duplex                      2,000,000
                Full Duplex                      1,999,999
                Trunk                            1,000,000
Fast Ethernet   Half Duplex                      200,000
                Full Duplex                      100,000
                Trunk                            50,000
...

tree priority. Such a port will be selected as an Alternate Port after the Root Port has been selected. If set, this can cause a lack of spanning tree connectivity. It can be set by a network administrator to prevent bridges external to a core region of the network influencing the spanning tree active topology, possibly because those bridges are not under the full control of the administrator.

Web Interface

To configure settings for STP/RSTP/CIST interfaces: Click Configuration, Spanning Tree, CIST Ports. Modify the required attributes. Click Save.

Figure 50: STP/RSTP/CIST Port Configuration

Configuring MSTI Interfaces

Use the MSTI Ports Configuration page to configure STA attributes for MSTI interfaces in a specific MSTI, including path cost, and port priority.

By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown in Table 10.
◆ Priority – Defines the priority used for this port in the Spanning Tree...
Multicast VLAN Registration

MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).

Parameters

These parameters are displayed:
MVR Configuration
◆ MVR Mode – When MVR is enabled on the switch, any multicast data associated with an MVR group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group.

■ Source (S) – Configures uplink ports to receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. Also, note that MVR source ports should not overlap ports in the management VLAN.

Figure 53: Configuring General MVR Settings

Configuring MVR Channel Settings

Use the MVR Channel Configuration page to view dynamic multicast group bindings for a multicast VLAN, or to configure static bindings for a multicast VLAN.

◆ Start Address - The starting IPv4/IPv6 Multicast Group Address that will be used as a streaming channel.
◆ End Address - The ending IPv4/IPv6 Multicast Group Address that will be used as a streaming channel.
◆ Channel Name –...
IGMP Snooping

discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch. In this case (Layer 2) IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service.

Once the table used to store multicast entries for IGMP snooping is filled, no new entries are learned. If no router port is configured in the attached VLAN, and Unregistered IPMC Flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.

◆ Proxy Enabled – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled)
When proxy reporting is enabled with this command, the switch performs "IGMP Snooping with Proxy Reporting" (as defined in DSL Forum TR-101, April 2006), including report suppression, last leave, and query suppression.

◆ Throttling - Limits the number of multicast groups to which a port can belong. (Range: 1-10; Default: unlimited)
IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, any new IGMP join reports will be dropped.

but the interface settings will not take effect until snooping is re-enabled globally.
◆ IGMP Querier - When enabled, the switch can serve as the Querier (on the selected interface), which is responsible for asking hosts if they want to receive multicast traffic.

When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.

◆ Filtering Groups – Multicast groups that are denied on a port. When filter groups are defined, IGMP join reports received on a port are checked against these groups. If a requested multicast group is denied, the IGMP join report is dropped.
MLD Snooping

If multicast routing is not supported on other switches in your network, you can use MLD Snooping and Query to monitor MLD service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.

last dynamic member port in the group, and the receiving port is not a router port, the switch will generate and send a group-specific (GS) query to the member port which received the leave message, and then start the last member query timer for that port.

Fast Leave does not apply to a port if the switch has learned that a multicast router is attached to it. Fast Leave can improve bandwidth usage for a network which frequently experiences many MLD host add and leave requests.
◆ Throttling - Limits the number of multicast groups to which a port can...

◆ Snooping Enabled - When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. (Default: Disabled)
When MLD snooping is enabled globally, the per VLAN interface settings for MLD snooping take precedence.

◆ QRI - The Query Response Interval is the Max Response Time advertised in periodic General Queries. The QRI applies when the switch is serving as the querier, and is used to inform other devices of the maximum time this system waits for a response to general queries.

Configuring MLD Filtering

Use the MLD Snooping Port Group Filtering Configuration page to filter specific multicast traffic. In certain switch applications, the administrator may want to control the multicast services that are available to end users; for example, an IP/TV service based on a specific subscription plan.
Link Layer Discovery Protocol

LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers.

Configuring LLDP Timing and TLVs

Use the LLDP Configuration page to set the timing attributes used for the transmission of LLDP advertisements, and the device information which is...

LLDP Interface Attributes
◆ Port – Port identifier.
◆ Mode – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units. (Options: Disabled, Enabled - TxRx, Rx only, Tx only; Default: Disabled)
◆...

◆ Mgmt Addr – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.

Configuring LLDP-MED TLVs

Use the LLDP-MED Configuration page to set the device information which is advertised for end-point devices. LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches.

Coordinates Location
◆ Latitude – Normalized to within 0-90 degrees with a maximum of 4 digits. It is possible to specify the direction to either North of the equator or South of the equator.
◆ Longitude –...

■ Trailing street suffix - Trailing street suffix. (Example: SW)
■ Street suffix - Street suffix. (Example: Ave, Platz)
■ House no. - House number. (Example: 21)
■ House no. suffix - House number suffix. (Example: A, 1/2)
...

This network policy is potentially advertised and associated with multiple sets of application types supported on a given port. The application types specifically addressed are:
■ Voice
■ Guest Voice
■ Softphone Voice
...

endpoints frequently do not support multiple VLANs, if at all, and are typically configured to use an 'untagged' VLAN or a single 'tagged' data specific VLAN. When a network policy is defined for use with an 'untagged'...

Web Interface

To configure LLDP-MED TLVs: Click Configuration, LLDP-MED. Modify any of the timing parameters as required. Set the fast start repeat count, descriptive information for the end-point device, and policies applied to selected ports. Click Save.
Configuring the MAC Address Table

address table. You can also manually configure static addresses that are bound to a specific port.

Basic/Advanced Configuration, MAC Table

Parameters

These parameters are displayed:
Aging Configuration
◆ Disable Automatic Aging - Disables the automatic aging of dynamic entries.

Web Interface

To configure the MAC Address Table: Click Configuration, MAC Table. Change the address aging time if required. Specify the way in which MAC addresses are learned on any port. Add any required static MAC addresses by clicking the Add New Static Entry button, entering the VLAN ID and MAC address, and marking the ports to which the address is to be mapped.

IEEE 802.1Q VLANs

since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features:
◆ Up to 256 VLANs based on the IEEE 802.1Q standard
...

Web Interface

To configure IEEE 802.1Q VLAN groups: Click Configuration, VLANs, VLAN Membership. Change the ports assigned to the default VLAN (VLAN 1) if required. To configure a new VLAN, click Add New VLAN, enter the VLAN ID, and then mark the ports to be assigned to the new group.

◆ Port Type – Configures how a port processes the VLAN ID in ingress frames. (Default: Unaware)
■ C-port – For customer ports, each frame is assigned to the VLAN indicated in the VLAN tag, and the tag is removed.
■ S-port –...

are classified to the Port VLAN ID. If the classified VLAN ID of a frame transmitted on the port is different from the Port VLAN ID, a VLAN tag with the classified VLAN ID is inserted in the frame. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.
Using Port Isolation

Use the Port Isolation Configuration page to prevent communications between customer ports within the same VLAN. Port Isolation can be used to prevent communications between ports within the same VLAN. An isolated port cannot forward any unicast, multicast, or broadcast traffic to any other ports in the same VLAN.

Configuring MAC-based VLANs

◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based and protocol-based VLANs are both enabled, priority is applied in this sequence, and then port-based VLANs last.

Parameters

These parameters are displayed:
◆...

Protocol VLANs

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.

LLC – Includes the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) values. (Range: 0x00-0xff; Default: 0xff)
SNAP – Includes OUI (Organizationally Unique Identifier) and PID (Protocol ID) values:
■ OUI – A value in the format of xx-xx-xx where each pair (xx) in the...

Mapping Protocol Groups to Ports

Use the Group Name to VLAN Mapping Table to map a protocol group to a VLAN for each interface that will participate in the group.

Advanced Configuration, VCL, Protocol-based VLANs, Group to VLAN

Command Usage
When creating a protocol-based VLAN, only assign interfaces using this...

Figure 69: Assigning Ports to Protocol VLANs

Configuring IP Subnet-based VLANs

Use the IP Subnet-based VLAN Membership Configuration page to map untagged ingress frames to a specified VLAN if the source address is found in the IP subnet-to-VLAN mapping table.

◆ IP Address – The IP address for a subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
◆ Mask Length – The network mask length.
◆ VLAN ID –...
Managing VoIP Traffic

Configuring VoIP Traffic

Use the Voice VLAN Configuration page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
■ Forced – The Voice VLAN feature is enabled on the port.
◆ Security – Enables security filtering that discards any non-VoIP...

Figure 71: Configuring Global and Port Settings for a Voice VLAN

Configuring Telephony OUI

Use the Voice VLAN OUI Table to identify VoIP devices attached to the switch. VoIP devices can be identified by the manufacturer's Organizational Unique Identifier (OUI) in the source MAC address of received packets.

Click "Add new entry." Enter a MAC address that specifies the OUI for VoIP devices in the network, and enter a description for the devices. Click Save.

Figure 72: Configuring an OUI Telephony List

Quality of Service

All switches or routers that access the Internet rely on class information to...
Configuring Port Classification

Use the QoS Ingress Port Classification page to set the basic QoS parameters for a port, including the default traffic class, DP level (IEEE 802.1p), and DSCP-based QoS classification.

Advanced Configuration, QoS, Port Classification

Parameters

These parameters are displayed:
QoS Ingress Port Classification...

Configuring Port Policers

Use the QoS Ingress Port Policers page to limit the bandwidth of frames entering the ingress queue. This function allows the network manager to control the maximum rate for traffic received on a port. Port policing is configured on interfaces at the edge of a network to limit traffic into the network.

Configuring Egress Port Schedulers

Use the QoS Egress Port Schedulers page to show an overview of the QoS Egress Port Schedulers, including the queue mode and weight. Click on any of the entries in the Port field to configure egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper.

■ Weight – A weight assigned to each of the queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.

Figure 76: Configuring Egress Port Schedulers and Shapers

Configuring Egress Port Shapers

Use the QoS Egress Port Shapers page to show an overview of the QoS Egress Port Shapers, including the rate for each queue and port. Click on any of the entries in the Port field to configure egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper...

Configuring QoS Egress Port Scheduler, Queue Scheduler and Port Shapers
This configuration page can be accessed from the Port Scheduler or Port Shaper page. Refer to the description of these parameters under "Configuring Egress Port Scheduler".

Configuring Port Remarking Mode
◆ Tag Remarking Mode – Configures the tag remarking mode used by this port:
■ Classified – Uses classified PCP/DEI values.
■ Default – Uses default PCP/DEI values. (Range: PCP –...
| Configuring the Switch HAPTER Quality of Service Use the QoS Port DSCP Configuration page to configure ingress translation ONFIGURING and classification settings and egress re-writing of DSCP values. DSCP T RANSLATION EWRITING Advanced Configuration, QoS, Port DSCP ARAMETERS These parameters are displayed: ◆...
| Configuring the Switch HAPTER Quality of Service Figure 80: Configuring Port DSCP Translation and Rewriting Use the DSCP-Based QoS Ingress Classification page to configure DSCP- DSCP- ONFIGURING based QoS ingress classification settings. BASED NGRESS LASSIFICATION Advanced Configuration, QoS, DSCP-Based QoS ARAMETERS These parameters are displayed: DSCP –...
| Configuring the Switch HAPTER Quality of Service Figure 81: Configuring DSCP-based QoS Ingress Classification . . . Use the DSCP Translation page to configure DSCP translation for ingress DSCP ONFIGURING traffic or DSCP re-mapping for egress traffic. RANSLATION Advanced Configuration, QoS, DSCP Translation ARAMETERS These parameters are displayed: DSCP –...
| Configuring the Switch HAPTER Quality of Service Click Save. Figure 82: Configuring DSCP Translation and Re-mapping . . . Use the DSCP Classification page to map DSCP values to a QoS class. DSCP ONFIGURING LASSIFICATION Advanced Configuration, QoS, DSCP Classification ARAMETERS These parameters are displayed: ◆...
| Configuring the Switch HAPTER Quality of Service Figure 83: Mapping DSCP to CoS Values Use the QoS Control List Configuration page to configure Quality of Service ONFIGURING policies for handling ingress packets based on Ethernet type, VLAN ID, ONTROL ISTS TCP/UDP port, DSCP, ToS, or VLAN priority tag.
| Configuring the Switch HAPTER Quality of Service Action – Indicates the classification action taken on ingress frame if ◆ the configured parameters are matched in the frame's content. If a frame matches the QCE, the following actions will be taken: Class (Classified QoS Class) –...
Note that 0800 (IPv4) and 86DD (IPv6) are excluded. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
■ IPv6 – The IPv6 frame type includes the same settings as those used for IPv4, except for the Source IP. When configuring a specific IPv6 source address, enter the least significant 32 bits (a.b.c.d) using the same type of mask as that used for an IPv4 address.
Figure 84: QoS Control List Configuration
CONFIGURING STORM CONTROL – Use the Storm Control Configuration page to set limits on broadcast, multicast and unknown unicast traffic to control traffic storms, which may occur when a network device is malfunctioning, the network is not properly configured, or application programs are not well designed or properly configured.
◆ Unit – The unit of measure. (Options: kbps, Mbps, fps or kfps; Default: kbps)
INTERFACE – To configure Storm Control: Click Configuration, QoS, Storm Control. Enable storm control for unicast, broadcast, or unknown traffic by marking the Enable box next to the required ports.
...system. Drop precedence (DP1~DP3) is normally set from lower to higher Quality of Service levels for red, yellow, and then green. The internal DSCP map is used to mark inbound traffic based on the priority bits in the VLAN tag for Layer 2 traffic, or the IP Precedence or DSCP value for Layer 3 traffic.
INTERFACE – To configure WRED: Click Configuration, QoS, WRED. Enable WRED for the required queues. Set the minimum thresholds at which the switch will start to randomly drop packets for queues 0-5. Then set the drop probability level at which the switch will start discarding more packets as the queue becomes more congested.
Configuring the Switch | Configuring Local Port Mirroring
Figure 88: Congestion Management
CONFIGURING LOCAL MIRRORING – Use the Mirroring & RSPAN Configuration page to mirror traffic from any local source port to a target port on the same switch for real-time analysis.
Configuring the Switch | Configuring Remote Port Mirroring
■ Tx only – Frames transmitted from this port are mirrored to the destination port.
◆ Destination – Traffic from all configured source ports is mirrored to this port. (Default: Disabled)
INTERFACE – To configure local port mirroring: Click Basic/Advanced Configuration, Mirroring &...
Figure 90: Configuring Remote Port Mirroring (diagram: Source Switch with Source Port and Uplink Port; Intermediate Switches with Uplink Ports; Destination Switch with Uplink Port and Destination Port; RSPAN VLAN. Ingress or egress traffic is mirrored onto the RSPAN VLAN; tagged or untagged traffic from the RSPAN VLAN is...)
...session is allowed, either local or remote. Also, note that the source port and destination port cannot be configured on the same switch.
■ MAC address learning is not supported on RSPAN uplink ports...
◆ Intermediate – Uplink ports to intermediate switches. MAC Table learning must be disabled on intermediate ports.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from source ports. A destination port can be configured on more than one switch for the same session.
Figure 92: Mirror Configuration (Intermediate)
To configure remote port mirroring for an RSPAN destination switch: Click Basic/Advanced Configuration, Mirroring & RSPAN. Set the Mode to Enabled, and the Type to Destination. Select the intermediate ports to add to the RSPAN VLAN, which will then pass traffic on to the destination ports.
Using UPnP under Windows XP – To access or manage the switch with the aid of UPnP under Windows XP, open My Network Places in the Explorer file manager. An entry for "GSW-4876" will appear in the list of discovered devices. Double-click on this entry to access the switch's web management interface.
Configuring the Switch | Configuring sFlow
...control points how often it or they should receive an SSDP advertisement message from this switch. Due to the unreliable nature of UDP, the switch sends SSDP messages periodically at an interval of one-half of the advertising duration minus 30 seconds.
◆ Usage accounting
◆ Trending and capacity planning
Advanced Configuration, UPnP
PARAMETERS – These parameters are displayed:
Receiver Configuration
◆ Owner – sFlow can be configured in two ways: through local management using the Web interface or through SNMP. This read-only field shows the owner of the current sFlow configuration and assumes values as follows: If sFlow is currently unconfigured/unclaimed, Owner shows...
Port Configuration
◆ Port – Port identifier.
◆ Flow Sampler – The following parameters apply to flow sampling:
■ Enabled – Enables/disables flow sampling on this port.
■ Sampling Rate – The number of packets out of which one sample...
MONITORING THE SWITCH
This chapter describes how to monitor all of the basic functions, configure or view system logs, and how to view traffic status or the address table.
DISPLAYING BASIC INFORMATION ABOUT THE SYSTEM
You can use the Monitor/System menu to display a basic description of the switch, log messages, or statistics on traffic used in managing the switch.
Monitoring the Switch | Displaying Basic Information About the System
Software
◆ Software Version – Version number of runtime code.
◆ Software Date – Release date of the switch software.
◆ Code Revision – Version control identifier of the switch software. ◆...
INTERFACE – To display CPU utilization: Click System, then CPU Load.
Figure 97: CPU Load
DISPLAYING LOG MESSAGES – Use the System Log Information page to scroll through the logged system and event messages.
Monitor, System, Log
PARAMETERS...
Table Headings
◆ ID – Error ID.
◆ Level – Error level as described above.
◆ Time – The time of the system log entry.
◆ Message – The message text of the system log entry. ◆...
Monitoring the Switch | Displaying Information About Ports
DISPLAYING LOG DETAILS – Use the Detailed Log page to view the full text of specific log messages.
Monitor, System, Detailed Log
INTERFACE – To display the text of a specific log message, click Monitor, System, Detailed Log.
DISPLAYING AN OVERVIEW OF PORT STATISTICS – Use the Port Statistics Overview page to display a summary of basic information on the traffic crossing each port.
Monitor, Ports, Traffic Overview
PARAMETERS – These parameters are displayed: ◆...
INTERFACE – To display the queue counters, click Monitor, Ports, QoS Statistics.
Figure 102: Queueing Counters
DISPLAYING QCL STATUS – Use the QoS Control List Status page to show the QCE entries configured for different users or software modules, and whether or not there is a conflict.
INTERFACE – To display the status of QCE entries, click Monitor, Ports, QCL Status. Select the user type to display from the drop-down list at the top of the page. If any of the entries display a conflict, click Resolve Conflict to release the resource required by a QCE.
◆ Receive/Transmit Size Counters – The number of received and transmitted packets (good and bad) split into categories based on their respective frame sizes.
◆ Receive/Transmit Queue Counters – The number of received and...
INTERFACE – To display the detailed port statistics, click Monitor, Ports, Detailed Statistics.
Figure 104: Detailed Port Statistics
Monitoring the Switch | Displaying Information About Security Settings
DISPLAYING INFORMATION ABOUT SECURITY SETTINGS
You can use the Monitor/Security menu to display statistics on management traffic, security controls for client access to the data ports, and the status of remote authentication access servers.
DISPLAYING ACCESS... – Use the Access Management Statistics page to view statistics on traffic...
DISPLAYING INFORMATION ABOUT SWITCH SETTINGS FOR PORT SECURITY – Use the Port Security Switch Status page to show information about MAC address learning for each port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed.
■ Limit Reached: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is reached and no more MAC addresses should be taken in.
■ Shutdown: The Port Security service is enabled by at least the Limit...
DISPLAYING INFORMATION ABOUT LEARNED ADDRESSES – Use the Port Security Port Status page to show the entries authorized by port security services, including MAC address, VLAN ID, time added to table, age, and hold state.
Monitor, Security, Network, Port Security, Port...
DISPLAYING STATUS FOR AUTHENTICATION SERVICES – Use the Network Access Server Switch Status page to show the port status for authentication services, including 802.1X security state, last source address used for authentication, and last ID.
Monitor, Security, Network, NAS, Switch...
INTERFACE – To display port status for authentication services, click Monitor, Security, Network, NAS, Switch.
Figure 108: Network Access Server Switch Status
DISPLAYING... – Use the NAS Statistics Port selection page to display authentication statistics for the selected port –...
Port Counters
Receive EAPOL Counters
◆ Total – The number of valid EAPOL frames of any type that have been received by the switch.
◆ Response ID – The number of valid EAPOL Response Identity frames...
◆ Other Requests –
■ 802.1X-based: Counts the number of times that the switch sends an EAP Request packet following the first to the supplicant. Indicates that the backend server chose an EAP-method.
■ MAC-based: Not applicable.
Selected Counters – This table is visible when the port is in one of the following administrative states: Multi 802.1X or MAC-based Auth. The table is identical to and is placed next to the Port Counters table, and will be empty if no MAC address is currently selected.
Figure 109: NAS Statistics for Specified Port
DISPLAYING ACL STATUS – Use the ACL Status page to show the status for different security modules which use ACL filtering, including ingress port, frame type, and forwarding action.
■ IPv4: ACE will match all IPv4 frames.
■ IPv4/ICMP: ACE will match IPv4 frames with ICMP protocol.
■ IPv4/UDP: ACE will match IPv4 frames with UDP protocol.
■ IPv4/TCP: ACE will match IPv4 frames with TCP protocol. ■...
DISPLAYING STATISTICS FOR DHCP SNOOPING – Use the DHCP Snooping Port Statistics page to show statistics for various types of DHCP protocol packets.
Monitor, Security, Network, DHCP, Snooping Statistics
PARAMETERS – These parameters are displayed: ◆...
Figure 111: DHCP Snooping Statistics
DISPLAYING DHCP RELAY STATISTICS – Use the DHCP Relay Statistics page to display statistics for the DHCP relay service supported by this switch and DHCP relay clients.
Monitor, Security, Network, DHCP, Relay Statistics
PARAMETERS...
◆ Receive Bad Circuit ID – The number of packets with a Circuit ID option that did not match a known circuit ID.
◆ Receive Bad Remote ID – The number of packets with a Remote ID...
Monitor, Security, Network, ARP Inspection
INTERFACE – To display the Dynamic ARP Inspection Table, click Monitor, Security, Network, ARP Inspection.
Figure 113: Dynamic ARP Inspection Table
DISPLAYING ENTRIES – Open the Dynamic IP Source Guard Table to display entries sorted first by port, then VLAN ID, MAC address, and finally IP address.
Monitoring the Switch | Displaying Information on Authentication Servers
DISPLAYING INFORMATION ON AUTHENTICATION SERVERS
Use the Monitor/Authentication pages to display information on RADIUS authentication and accounting servers, including the IP address and statistics for each server.
DISPLAYING A LIST OF AUTHENTICATION SERVERS – Use the RADIUS Overview page to display a list of configured authentication and accounting servers.
DISPLAYING STATISTICS FOR CONFIGURED AUTHENTICATION SERVERS – Use the RADIUS Details page to display statistics for configured authentication and accounting servers. The statistics map closely to those specified in RFC 4668 - RADIUS Authentication Client MIB.
...Accept, Access-Reject, Access-Challenge, timeout, or retransmission.
■ Timeouts – The number of authentication timeouts to the server. After a timeout, the client may retry to the same server, send to a different server, or give up.
■ Unknown Types – The number of RADIUS packets of unknown types that were received from the server on the accounting port.
■ Packets Dropped – The number of RADIUS packets that were...
Monitoring the Switch | Displaying Information on RMON
DISPLAYING INFORMATION ON RMON
Use the monitor pages for RMON to display information on RMON statistics, alarms and event responses.
DISPLAYING RMON STATISTICS – Use the RMON Statistics Status Overview page to view a broad range of RMON interface statistics, including a total count of different frame types and...
◆ 64 Bytes – The total number of packets (including bad packets) received that were 64 octets in length.
◆ x ~ y – The total number of packets (including bad packets) received...
Monitoring the Switch | Displaying Information on LACP
DISPLAYING INFORMATION ON LACP
Use the monitor pages for LACP to display information on LACP configuration settings, the functional status of participating ports, and statistics on LACP control packets.
DISPLAYING AN OVERVIEW OF LACP GROUPS – Use the LACP System Status page to display an overview of LACP groups.
◆ LACP – Shows LACP status:
■ Yes – LACP is enabled and the port link is up.
■ No – LACP is not enabled or the port link is down.
■ Backup –...
Monitoring the Switch | Displaying Information on the Spanning Tree
INTERFACE – To display LACP statistics for local ports on this switch, click Monitor, LACP, Port Statistics.
Figure 123: LACP Port Statistics
DISPLAYING INFORMATION ON THE SPANNING TREE
Use the monitor pages for Spanning Tree to display information on spanning tree bridge status, the functional status of participating ports, and statistics on spanning tree protocol packets.
◆ Topology Flag – The current state of the Topology Change Notification flag (TCN) for this bridge instance.
◆ Topology Change Last – Time since the Spanning Tree was last...
◆ Edge – The current RSTP port (operational) Edge Flag. An Edge Port is a switch port to which no bridges are attached. The flag may be automatically computed or explicitly configured. Each Edge Port transitions directly to the Forwarding Port State, since there is no possibility of it participating in a loop.
Figure 125: Spanning Tree Detailed Bridge Status
DISPLAYING STATUS FOR PARTICIPATING PORTS – Use the Port Status page to display the STA functional status of participating ports.
Monitor, Spanning Tree, Port Status
PARAMETERS – These parameters are displayed: Port –...
■ Forwarding – Port forwards packets, and continues learning addresses.
◆ Uptime – The time since the bridge port was last initialized.
INTERFACE – To display information on spanning tree port status, click Monitor, Spanning Tree, Port Status.
Monitoring the Switch | Displaying MVR Information
INTERFACE – To display information on spanning tree port statistics, click Monitor, Spanning Tree, Port Statistics.
Figure 127: Spanning Tree Port Statistics
DISPLAYING MVR INFORMATION
Use the monitor pages for MVR to display information on MVR statistics and active multicast groups.
INTERFACE – To display information for MVR statistics, click Monitor, MVR, Statistics.
Figure 128: MVR Statistics
DISPLAYING GROUP INFORMATION – Use the MVR Group Information page to display statistics for IGMP protocol messages used by MVR, and to show information about the interfaces associated with multicast groups assigned to the MVR VLAN.
INTERFACE – To display information for MVR statistics and multicast groups, click Monitor, MVR, Group Information.
Figure 129: MVR Group Information
DISPLAYING SFM INFORMATION – Use the MVR SFM Information page to display MVR Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny).
Monitoring the Switch | Showing IGMP Snooping Information
SHOWING IGMP SNOOPING INFORMATION
Use the IGMP Snooping pages to display IGMP snooping statistics, port members of each service group, and information on source-specific groups.
SHOWING IGMP SNOOPING STATUS – Use the IGMP Snooping Status page to display IGMP querier status, IGMP snooping statistics for each VLAN carrying IGMP traffic, and the ports...
INTERFACE – To display IGMP snooping status information, click Monitor, IGMP Snooping, Status.
Figure 131: IGMP Snooping Status
SHOWING IGMP SNOOPING GROUP INFORMATION – Use the IGMP Snooping Group Information page to display the port members of each service group.
SHOWING IPV4 SFM INFORMATION – Use the IGMP SFM Information page to display IGMP Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny).
Monitor, IPMC, IGMP Snooping, IPv4 SFM Information
PARAMETERS – These parameters are displayed: VLAN ID –...
Monitoring the Switch | Showing MLD Snooping Information
SHOWING MLD SNOOPING INFORMATION
Use the MLD Snooping pages to display MLD snooping statistics, port members of each service group, and information on source-specific groups.
SHOWING MLD SNOOPING STATUS – Use the MLD Snooping Status page to display MLD querier status and snooping statistics for each VLAN carrying multicast traffic, and the ports...
INTERFACE – To display MLD snooping status information, click Monitor, MLD Snooping, Status.
Figure 134: MLD Snooping Status
SHOWING MLD SNOOPING GROUP INFORMATION – Use the MLD Snooping Group Information page to display the port members of each service group.
SHOWING IPV6 SFM INFORMATION – Use the MLD SFM Information page to display MLD Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny).
Monitor, IPMC, MLD Snooping, IPv6 SFM Information
PARAMETERS – These parameters are displayed: VLAN ID –...
Monitoring the Switch | Displaying LLDP Information
DISPLAYING LLDP INFORMATION
Use the monitor pages for LLDP to display information advertised by LLDP neighbors and statistics on LLDP control frames.
DISPLAYING... – Use the LLDP Neighbor Information page to display information about LLDP devices connected directly to the switch's ports which are advertising...
◆ Management Address – The IPv4 address of the remote device. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. If the neighbor device allows management access, clicking on an entry in this field will re-direct the web browser to the neighbor's management interface.
...applicable to Generic Endpoints (Class I), and any LLDP-MED Endpoint Device claiming compliance as a Communication Device (Class III) will also support all aspects of TIA-1057 applicable to both Media Endpoints (Class II) and Generic Endpoints (Class I). LLDP-MED Generic Endpoint (Class I) –...
◆ Location – The physical location of the device attached to an interface, including items such as the country, city, street number, building and room information.
◆ Auto-negotiation – Shows if MAC/PHY auto-negotiation is supported...
◆ Rx Tw – The link partner's time the receiver would like the transmitter to hold off to allow time for it to wake from sleep.
◆ Fallback Receive Tw – The link partner's fallback receive Tw. ◆...
DISPLAYING LLDP STATISTICS – Use the LLDP Port Statistics page to display statistics on LLDP global counters and control frames.
Monitor, LLDP, Port Statistics
PARAMETERS – These parameters are displayed:
Global Counters
◆ Neighbor entries were last changed at – The time the LLDP...
Monitoring the Switch | Displaying the MAC Address Table
◆ Age-Outs – Each LLDP frame contains information about how long the LLDP information is valid (age-out time). If no new LLDP frame is received within the age-out time, the LLDP information is removed, and the Age-Out counter is incremented.
Monitoring the Switch | Displaying Information About VLANs
INTERFACE – To display the address table, click Monitor, MAC Address Table.
Figure 141: MAC Address Table
DISPLAYING INFORMATION ABOUT VLANS
Use the monitor pages for VLANs to display information about the port members of VLANs, and the VLAN attributes assigned to each port.
■ Combined: Shows information for all active user modules.
◆ VLAN ID – A VLAN which has been created by one of the software modules.
◆ Port Members – The ports assigned to this VLAN. ◆...
◆ Ingress Filtering – If ingress filtering is enabled and the ingress port is not a member of the classified VLAN of the frame, the frame is discarded.
◆ Frame Type – Shows whether the port accepts all frames or only...
Monitoring the Switch | Displaying Information About MAC-based VLANs
DISPLAYING INFORMATION ABOUT MAC-BASED VLANS
Use the MAC-based VLAN Membership Status page to display the MAC address to VLAN map entries.
Monitor, VCL, MAC-based VLAN
PARAMETERS – These parameters are displayed: MAC-based VLAN User –...
Monitoring the Switch | Displaying Information About Flow Sampling
DISPLAYING INFORMATION ABOUT FLOW SAMPLING
Use the sFlow Statistics page to display information on sampled traffic, including the owner, receiver address, remaining sampling time, and statistics for UDP control packets and sampled traffic.
Monitor, sFlow
PARAMETERS – These parameters are displayed:...
...packets that were sampled upon reception (ingress) on the port, and Tx flow samples contains the number of packets that were sampled upon transmission (egress) on the port.
◆ Counter Samples – The total number of counter samples sent to the...
PERFORMING BASIC DIAGNOSTICS
This chapter describes how to test network connectivity using Ping for IPv4 or IPv6, and how to test network cables.
PINGING AN ADDRESS
The Ping page is used to send ICMP echo request packets to another node on the network to determine if it can be reached.
Performing Basic Diagnostics | Pinging an IPv4 or IPv6 Address
After you press Start, the sequence number and round-trip time are displayed upon reception of a reply. The page refreshes automatically until responses to all packets are received, or until a timeout occurs.
Figure 146: ICMP Ping –...
Performing Basic Diagnostics | Running Cable Diagnostics
RUNNING CABLE DIAGNOSTICS
The VeriPHY page is used to perform cable diagnostics for all ports or selected ports to diagnose any cable faults (short, open, etc.) and report the cable length.
Diagnostics, VeriPHY
PARAMETERS – These parameters are displayed on the VeriPHY Cable Diagnostics page: Port –...
PERFORMING SYSTEM MAINTENANCE
This chapter describes how to perform basic maintenance tasks including upgrading software, restoring or saving configuration settings, and resetting the switch.
RESTARTING THE SWITCH
Use the Restart Device page to restart the switch.
Maintenance, Restart Device
INTERFACE – To restart the switch: Click Maintenance, Restart Device.
UPGRADING FIRMWARE
Use the Software Upload page to upgrade the switch's system firmware by specifying a file provided by LevelOne. You can download firmware files for your switch from the Support section of the LevelOne web site at http://www.level1.com
Maintenance, Software Upload...
Performing System Maintenance | Activating the Alternate Image
After the software image is uploaded, a page announces that the firmware update has been initiated. After about a minute, the firmware is updated and the switch is rebooted.
CAUTION: While the firmware is being updated, Web access appears to be defunct.
Performing System Maintenance | Managing Configuration Files
MANAGING CONFIGURATION FILES
Use the Maintenance Configuration pages to save the current configuration to a file on your computer, or to restore previously saved configuration settings to the switch.
SAVING CONFIGURATION SETTINGS – Use the Configuration Save page to save the current configuration settings to a file on your local management station.
RESTORING CONFIGURATION SETTINGS – Use the Configuration Upload page to restore previously saved configuration settings to the switch from a file on your local management station.
Maintenance, Configuration, Upload
INTERFACE – To restore your current configuration settings: Click Maintenance, Configuration, Upload.
SECTION: APPENDICES
This section provides additional information and includes these items:
◆ "Software Specifications" on page 291
◆ "Troubleshooting" on page 295
◆ "License Information" on page 297
Software Specifications | Management Features
VLAN SUPPORT – Up to 128 groups; port-based, protocol-based, tagged (802.1Q), private VLANs, voice VLANs, MAC-based VLANs, and IP subnet-based VLANs
CLASS OF SERVICE – Supports four levels of priority. Strict, Weighted Round Robin Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS bit, VLAN tag priority, or port. Layer 3/4 priority mapping: IP DSCP remarking. DiffServ supports DSCP remarking, ingress traffic policing, and egress...
TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 14: Troubleshooting Chart
Symptom: Cannot connect using a web browser, or SNMP software.
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.
◆ Check that you have a valid network connection to the switch...
Troubleshooting | Using System Logs
USING SYSTEM LOGS
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
LICENSE INFORMATION
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
License Information | The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
Page 303
LOSSARY Generic Multicast Registration Protocol. GMRP allows network devices to GMRP register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. Specifies a general method for the operation of MAC bridges, including the IEEE 802.1D Spanning Tree Protocol.
Page 304
LOSSARY On each subnetwork, one IGMP-capable device will act as the querier — IGMP Q UERY that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
Page 305
LOSSARY MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Page 306
LOSSARY Defines a network link aggregation and trunking method which specifies RUNK how to create a single high-speed logical link that combines several lower- speed physical links. Private VLANs provide port-based security and isolation between ports VLAN RIVATE within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
Page 307
LOSSARY Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Spanning Tree Algorithm is a technology that checks your network for any loops.
INDEX
DSCP classification, QoS 195; acceptable frame type 171; rewriting, port 192; Access Control List, see ACL; translation, port 192; ACL 98; translation, QoS 194; binding to a port 98; dynamic addresses, displaying 167; address table 166; aging time 167; address, management access 31; ARP inspection 116; edge port, STA 136...
snooping, description 144; RADIUS client 119; snooping, fast leave 147; RADIUS server 119; throttling 148; settings 119; ingress classification, QoS 193; TACACS+ client 62; ingress filtering 171; TACACS+ server 62; ingress rate limiting 185; IP address, setting 46; IP source guard, configuring static entries 114; IPv4 address; main menu 36; DHCP 46...
port classification 184; port policer 185; NTP, specifying servers 50; port remarking 189; port shaper 186; QCE 197; QCL status 221; passwords 31; queue scheduler 186; path cost 135; STA 135; port maximum frame size 57; RADIUS statistics 220; logon authentication 119; port classification, QoS 184; settings 119...
interface settings 135; link type 137; unknown unicast storm, threshold 200; path cost 135; upgrading software 284; port priority 136; UPnP; transmission hold count 130; advertisements 210; transmission limit 130; configuration 210; standards, IEEE 293; enabling advertisements 210; static addresses, setting 167; user; statistics, port 220; account 58...