12-Port Gigabit Ethernet Layer 2 Switch Web Management Guide ECS4510-12PD Software Release v1.0.2.0 www.edge-core.com...
Web Management Guide ECS4510-12PD Gigabit Ethernet Switch Layer 2 Switch with 1 10/100/1000BASE-T (RJ-45) Port, 1 10/100/1000BASE-T (RJ-45) PoE PSE Port, 8 10/100/1000BASE-T (RJ-45) PoE PD Ports,...
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
How to Use This Guide Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Contents: How to Use This Guide; Contents; Figures; Tables; Section I Getting Started; Introduction; Key Features; Description of Software Features; System Defaults; Using the Web Interface; Connecting to the Web Interface; Navigating the Web Browser Interface; Home Page; Configuration Options; Panel Display; Main Menu; Section II Web Configuration; Basic...
Contents: Showing System Files; Automatic Operation Code Upgrade; Setting the System Clock; Setting the Time Manually; Setting the SNTP Polling Interval; Configuring NTP; Configuring Time Servers; Setting the Time Zone; Configuring the Console Port; Configuring Telnet Settings; Displaying CPU Utilization; Displaying Memory Utilization; Resetting the System; Interface...
Contents: 5 VLAN Configuration; IEEE 802.1Q VLANs; Configuring VLAN Groups; Adding Static Members to VLANs; Configuring Dynamic VLAN Registration; IEEE 802.1Q Tunneling; Enabling QinQ Tunneling on the Switch; Creating CVLAN to SPVLAN Mapping Entries; Adding an Interface to a QinQ Tunnel; Protocol VLANs; Configuring Protocol VLAN Groups; Mapping Protocol Groups to Interfaces...
Contents: Class of Service; Layer 2 Queue Settings; Setting the Default Priority for Interfaces; Selecting the Queue Mode; Mapping CoS Values to Egress Queues; Layer 3/4 Priority Settings; Setting Priority Processing to DSCP or CoS; Mapping Ingress DSCP Values to Internal DSCP Values; Mapping CoS Priorities to Internal DSCP Values; 10 Quality of...
Contents: Configuring HTTPS; Configuring Global Settings for HTTPS; Replacing the Default Secure-site Certificate; Configuring the Secure Shell; Configuring the SSH Server; Generating the Host Key Pair; Importing User Public Keys; Access Control Lists; Setting A Time Range; Showing TCAM Utilization; Setting the ACL Name and Type; Configuring a Standard IPv4 ACL; Configuring an Extended IPv4 ACL...
Contents: DHCP Snooping; DHCP Snooping Configuration; DHCP Snooping VLAN Configuration; Configuring Ports for DHCP Snooping; Displaying DHCP Snooping Binding Information; 13 Basic Administration Protocols; Configuring Event Logging; System Log Configuration; Remote Log Configuration; Sending Simple Mail Transfer Protocol Alerts; Link Layer Discovery Protocol; Setting LLDP Timing Attributes; Configuring LLDP Interface Attributes...
Contents: Switch Clustering; Configuring General Settings for Clusters; Cluster Member Configuration; Managing Cluster Members; Ethernet Ring Protection Switching; ERPS Global Configuration; ERPS Ring Configuration; ERPS Forced and Manual Mode Operations; Connectivity Fault Management; Configuring Global Settings for CFM; Configuring Interfaces for CFM; Configuring CFM Maintenance Domains; Configuring CFM Maintenance Associations; Configuring Maintenance End Points...
Contents: Displaying ARP Entries; Setting the Switch’s IP Address (IP Version 4); Configuring the IPv4 Default Gateway; Configuring IPv4 Interface Settings; Setting the Switch’s IP Address (IP Version 6); Configuring the IPv6 Default Gateway; Configuring IPv6 Interface Settings; Configuring an IPv6 Address; Showing IPv6 Addresses; Showing the IPv6 Neighbor Cache; Showing IPv6 Statistics...
Contents: Filtering and Throttling IGMP Groups; Enabling IGMP Filtering and Throttling; Configuring IGMP Filter Profiles; Configuring IGMP Filtering and Throttling for Interfaces; Multicast VLAN Registration; Configuring MVR Domain Settings; Configuring MVR Group Address Profiles; Configuring MVR Interface Status; Assigning Static MVR Multicast Groups to Interfaces; Displaying MVR Receiver Groups; Displaying MVR Statistics; Section...
Figures: Figure 1: Home Page; Figure 2: Front Panel Indicators; Figure 3: System Information; Figure 4: General Switch Information; Figure 5: Configuring Support for Jumbo Frames; Figure 6: Displaying Bridge Extension Configuration; Figure 7: Copy Firmware; Figure 8: Saving the Running Configuration; Figure 9: Setting Start-up Files; Figure 10: Displaying System Files; Figure 11: Configuring Automatic Code Upgrade...
Figures: Figure 32: Configuring Local Port Mirroring; Figure 33: Configuring Local Port Mirroring; Figure 34: Displaying Local Port Mirror Sessions; Figure 35: Configuring Remote Port Mirroring; Figure 36: Configuring Remote Port Mirroring (Source); Figure 37: Configuring Remote Port Mirroring (Intermediate); Figure 38: Configuring Remote Port Mirroring (Destination); Figure 39: Showing Port Statistics (Table); Figure 40: Showing Port Statistics (Chart)
Figures: Figure 68: Creating Static VLANs; Figure 69: Modifying Settings for Static VLANs; Figure 70: Showing Static VLANs; Figure 71: Configuring Static Members by VLAN Index; Figure 72: Configuring Static VLAN Members by Interface; Figure 73: Configuring Static VLAN Members by Interface Range; Figure 74: Configuring Global Status of GVRP; Figure 75: Configuring GVRP for an Interface; Figure 76: Showing Dynamic VLANs Registered on the Switch...
Figures: Figure 104: Configuring Global Settings for STA (STP); Figure 105: Configuring Global Settings for STA (RSTP); Figure 106: Configuring Global Settings for STA (MSTP); Figure 107: Displaying Global Settings for STA; Figure 108: Configuring Interface Settings for STA; Figure 109: STA Port Roles; Figure 110: Displaying Interface Settings for STA; Figure 111: Creating an MST Instance; Figure 112: Displaying MST Instances...
Figures: Figure 140: Configuring a Policy Map; Figure 141: Showing Policy Maps; Figure 142: Adding Rules to a Policy Map; Figure 143: Showing the Rules for a Policy Map; Figure 144: Attaching a Policy Map to a Port; Figure 145: Configuring a Voice VLAN; Figure 146: Configuring an OUI Telephony List; Figure 147: Showing an OUI Telephony List; Figure 148: Configuring Port Settings for a Voice VLAN...
Figures: Figure 176: Showing Addresses Authenticated for Network Access; Figure 177: Configuring HTTPS; Figure 178: Downloading the Secure-Site Certificate; Figure 179: Configuring the SSH Server; Figure 180: Generating the SSH Host Key Pair; Figure 181: Showing the SSH Host Key Pair; Figure 182: Copying the SSH User’s Public Key; Figure 183: Showing the SSH User’s Public Key; Figure 184: Setting the Name of a Time Range...
Figures: Figure 212: Protecting Against DoS Attacks; Figure 213: Setting the Filter Type for IP Source Guard; Figure 214: Configuring Static Bindings for IP Source Guard; Figure 215: Displaying Static Bindings for IP Source Guard; Figure 216: Showing the IP Source Guard Binding Table; Figure 217: Configuring Global Settings for DHCP Snooping; Figure 218: Configuring DHCP Snooping on a VLAN; Figure 219: Configuring the Port Mode for DHCP Snooping...
Figures: Figure 248: Showing the OID Subtree Configured for SNMP Views; Figure 249: Creating an SNMP Group; Figure 250: Showing SNMP Groups; Figure 251: Setting Community Access Strings; Figure 252: Showing Community Access Strings; Figure 253: Configuring Local SNMPv3 Users; Figure 254: Showing Local SNMPv3 Users; Figure 255: Configuring Remote SNMPv3 Users; Figure 256: Showing Remote SNMPv3 Users...
Figures: Figure 284: Blocking an ERPS Ring Port; Figure 285: Single CFM Maintenance Domain; Figure 286: Multiple CFM Maintenance Domains; Figure 287: Configuring Global Settings for CFM; Figure 288: Configuring Interfaces for CFM; Figure 289: Configuring Maintenance Domains; Figure 290: Showing Maintenance Domains; Figure 291: Configuring Detailed Settings for Maintenance Domains; Figure 292: Creating Maintenance Associations; Figure 293: Showing Maintenance Associations...
Figures: Figure 320: Configuring a Dynamic IPv4 Address; Figure 321: Showing the IPv4 Address Configured for an Interface; Figure 322: Configuring the IPv6 Default Gateway; Figure 323: Configuring General Settings for an IPv6 Interface; Figure 324: Configuring an IPv6 Address; Figure 325: Showing Configured IPv6 Addresses; Figure 326: Showing IPv6 Neighbors; Figure 327: Showing IPv6 Statistics (IPv6)
Figures: Figure 356: Displaying IGMP Snooping Statistics – Query; Figure 357: Displaying IGMP Snooping Statistics – VLAN; Figure 358: Displaying IGMP Snooping Statistics – Port; Figure 359: Enabling IGMP Filtering and Throttling; Figure 360: Creating an IGMP Filtering Profile; Figure 361: Showing the IGMP Filtering Profiles Created; Figure 362: Adding Multicast Groups to an IGMP Filtering Profile; Figure 363: Showing the Groups Assigned to an IGMP Filtering Profile; Figure 364: Configuring IGMP Filtering and Throttling Interface Settings...
Tables: Table 1: Key Features; Table 2: System Defaults; Table 3: Web Page Configuration Buttons; Table 4: Switch Main Menu; Table 5: Port Statistics; Table 6: LACP Port Counters; Table 7: LACP Internal Configuration Information; Table 8: LACP Remote Device Configuration Information; Table 9: Traffic Segmentation Forwarding; Table 10: Recommended STA Path Cost Range; Table 11: Default STA Path Costs...
Tables: Table 32: MEP Defect Descriptions; Table 33: OAM Operation State; Table 34: Address Resolution Protocol; Table 35: Show IPv6 Neighbors - display description; Table 36: Show IPv6 Statistics - display description; Table 37: Show MTU - display description; Table 38: Troubleshooting Chart –...
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP. This section includes these chapters: ◆ "Introduction" on page 31 ◆ "Using the Web Interface" on page 41
Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Chapter 1 | Introduction Description of Software Features (Continued) Table 1: Key Features (Feature: Description). IP Version 4 and 6: Supports IPv4 and IPv6 addressing, and management; IEEE 802.1D Bridge: Supports dynamic data switching and addresses learning; Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames; Spanning Tree Algorithm...
Chapter 1 | Introduction Description of Software Features Authentication This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol.
Chapter 1 | Introduction Description of Software Features connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks. Storm Control Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing...
Chapter 1 | Introduction Description of Software Features ◆ Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached...
Chapter 1 | Introduction Description of Software Features internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network. Traffic Prioritization This switch prioritizes each packet based on the required level of service, using four...
Chapter 1 | Introduction System Defaults network policy, power, inventory, and device location details. The LLDP and LLDP-MED information can be used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology. Ethernet Ring Protection Switching ERPS can be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN).
Chapter 1 | Introduction System Defaults (Continued) Table 2: System Defaults (Function: Parameter = Default). Authentication: Privileged Exec Level = Username “admin”, Password “admin”; Normal Exec Level = Username “guest”, Password “guest”; Enable Privileged Exec from Normal Exec Level = Password “super”; RADIUS Authentication = Disabled; TACACS+ Authentication = Disabled...
Chapter 1 | Introduction System Defaults (Continued) Table 2: System Defaults Function Parameter Default Congestion Control Rate Limiting Disabled Storm Control Broadcast: Enabled (64 kbits/sec) Multicast: Disabled Unknown Unicast: Disabled Status Disabled Address Table Aging Time 300 seconds Spanning Tree Algorithm Status Enabled, RSTP (Defaults: RSTP standard)
Chapter 1 | Introduction System Defaults (Continued) Table 2: System Defaults (Function: Parameter = Default). Multicast Filtering: IGMP Snooping (Layer 2) = Snooping: Enabled, Querier: Disabled; Multicast VLAN Registration = Disabled; IGMP Proxy Reporting = Enabled. System Log: Status = Enabled; Messages Logged to RAM = Levels 0-7 (all); Messages Logged to Flash = Levels 0-3...
Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above).
System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page Note: You can open a connection to the vendor’s web site by clicking on the Edge-Core logo.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Console Sets console port connection parameters Telnet Sets Telnet connection parameters CPU Utilization Displays information on CPU utilization Memory Status Shows memory utilization parameters Reset Restarts the switch immediately, at a specified time, after a specified...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Dynamic Configure Aggregator Configures administration key for specific LACP groups Configure Aggregation Port Configure General Allows ports to dynamically join trunks Actor Configures parameters for link aggregation group members on the local side...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Modify Configures group name and administrative status Edit Member by VLAN Specifies VLAN attributes per VLAN Edit Member by Interface Specifies VLAN attributes per interface Edit Member by Interface Range Specifies VLAN attributes per interface range...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page MAC Address Static Configures static entries in the address table Show Displays static entries in the address table Dynamic Configure Aging Sets timeout for dynamically learned entries Show Dynamic MAC...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Traffic Rate Limit Sets the input and output rate limits for a port Storm Control Sets the broadcast storm threshold for each interface Auto Traffic Control Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Configure Policy Creates a policy map to apply to multiple interfaces Show Shows configured policy maps Modify Modifies the name of a policy map Add Rule Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Information Summary Shows the configured accounting methods, and the methods applied to specific interfaces Statistics Shows basic accounting information recorded for user sessions Authorization Enables authorization of requested services Configure Method...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Secure Shell Configure Global Configures SSH server settings Configure Host Key Generate Generates the host key pair (public and private) Show Displays RSA and DSA host keys;...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page IP Filter Sets IP addresses of clients allowed management access via the web, SNMP, and Telnet Show Shows the addresses to be allowed management access Port Security Configures per port security, including status, response for security breach, and maximum allowed MAC addresses...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Remote Device Information Port/Trunk Displays information about a remote device connected to a port on this switch Port/Trunk Details Displays detailed information about a remote device connected to this switch Show Device Statistics...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show SNMPv3 Remote User Shows SNMPv3 users set from a remote device Configure Trap Configures trap managers to receive messages on key events that occur on this switch Show Shows configured trap managers...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Configure Details Configures ring parameters Configure Operation Blocks a ring port using Forced Switch or Manual Switch commands Connectivity Fault Management Configure Global Configures global settings, including administrative status, cross-check start delay, link trace, and SNMP traps...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Remote MEP Shows MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database Show Remote MEP Details Displays detailed CFM information about a specified remote MEP in the...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show MTU Shows the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch IP Service Domain Name Service...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Multicast IGMP Snooping General Enables multicast filtering; configures parameters for multicast snooping Multicast Router Add Static Multicast Router Assigns ports that are attached to a neighboring multicast router Show Static Multicast Router Displays ports statically configured as attached to a neighboring multicast router...
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Trunk Statistics Shows statistics for protocol messages, number of active groups Multicast VLAN Registration Configure Domain Enables MVR for a domain, sets the MVR VLAN, forwarding priority, and upstream source IP Configure Profile Configures multicast stream addresses...
Section II Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ “Using the Web Interface” on page 41 ◆ “Basic Management Tasks”...
Basic Management Tasks This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames –...
Chapter 3 | Basic Management Tasks Displaying System Information Displaying System Information Use the System > General page to identify the system by displaying information such as the device name, location and contact information. Parameters These parameters are displayed: ◆ System Description –...
Chapter 3 | Basic Management Tasks Displaying Hardware/Software Versions Displaying Hardware/Software Versions Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Parameters The following parameters are displayed: Main Board Information ◆...
Chapter 3 | Basic Management Tasks Configuring Support for Jumbo Frames Web Interface To view hardware and software version information. Click System, then Switch. Figure 4: General Switch Information Configuring Support for Jumbo Frames Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities Web Interface To configure support for jumbo frames: Click System, then Capability. Enable or disable support for jumbo frames. Click Apply. Figure 5: Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Use the System >...
Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities ◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration”...
Chapter 3 | Basic Management Tasks Managing System Files Managing System Files This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Copying Files via FTP/TFTP or HTTP Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
Chapter 3 | Basic Management Tasks Managing System Files Note: The maximum number of user-defined configuration files is limited only by available flash memory space. Note: The file “Factory_Default_Config.cfg” can be copied to a file server or management station, but cannot be used as the destination file name on the switch.
Chapter 3 | Basic Management Tasks Managing System Files Saving the Running Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by Configuration to a the system for subsequent use when the switch is rebooted.
Chapter 3 | Basic Management Tasks Managing System Files If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Setting the Start-up File Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
Chapter 3 | Basic Management Tasks Managing System Files To delete a file, mark it in the File List and click Delete. Figure 10: Displaying System Files Automatic Operation Code Upgrade Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The ECS4510-12PD.bix filename must not be included since it is automatically appended by the switch. (Options: ftp, tftp)
Chapter 3 | Basic Management Tasks Managing System Files The following syntax must be observed: tftp://host[/filedir]/ ■ tftp:// – Defines TFTP protocol for the server connection. ■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of...
Chapter 3 | Basic Management Tasks Managing System Files ■ tftp://192.168.0.1/switches/opcode/ The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root. The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented: ftp://192.168.0.1/...
Chapter 3 | Basic Management Tasks Setting the System Clock If a new image is found at the specified location, the following type of messages will be displayed during bootup.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.2
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image...
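A lint for the Automatic Upgrade Location URL rules stated above (ftp or tftp only, trailing slash, no image filename, IP-address host), written as an added example that is not part of the guide or of Edge-Core's software. The names `check_upgrade_url` and `codes`, the finding codes and the sample URLs are assumptions made here; the `user:password@host` form follows generic URL syntax, since the guide's FTP syntax is cut off on this page.

```python
"""Lint an Automatic Upgrade Location URL against the rules quoted in the guide."""
from ipaddress import ip_address
from urllib.parse import urlsplit

IMAGE_NAME = "ECS4510-12PD.bix"    # appended by the switch itself, per the guide
ALLOWED_SCHEMES = ("ftp", "tftp")  # "(Options: ftp, tftp)" in the guide


def check_upgrade_url(url):
    """Return (errors, warnings); each is a list of (code, message) tuples.

    Errors are violations of the syntax the guide states. Warnings are
    transport properties a reviewer should weigh before enabling the feature.
    """
    errors, warnings = [], []
    try:
        parts = urlsplit(url)
    except ValueError:
        return [("parse", "not a parseable URL")], []
    scheme = parts.scheme.lower()

    if scheme not in ALLOWED_SCHEMES:
        errors.append(("scheme", f"scheme must be ftp or tftp, got {scheme!r}"))
    if not url.endswith("/"):
        errors.append(("trailing-slash", "last character must be '/'"))
    if IMAGE_NAME.lower() in parts.path.lower():
        errors.append(("filename", f"{IMAGE_NAME} must not be part of the URL"))
    if parts.query or parts.fragment:
        errors.append(("extra", "query and fragment are not part of the syntax"))

    # The guide defines "host" as the server's IP address.
    try:
        ip_address(parts.hostname or "")
    except ValueError:
        errors.append(("host", "host must be an IP address"))

    has_userinfo = parts.username is not None or parts.password is not None
    if scheme == "tftp":
        if has_userinfo:
            errors.append(("userinfo", "tftp://host[/filedir]/ has no credentials"))
        warnings.append(("tftp-unauthenticated",
                         "TFTP has no authentication or encryption"))
    elif scheme == "ftp":
        warnings.append(("ftp-cleartext",
                         "FTP carries credentials and the image unencrypted"))
        if parts.password:
            warnings.append(("password-in-url",
                             "password is embedded in the configured URL"))
    return errors, warnings


def codes(findings):
    """Collapse (code, message) findings to their codes."""
    return [code for code, _ in findings]


# Constructed sample values; only tftp://192.168.0.1/switches/opcode/ is
# quoted from the guide, the rest are made up for this example.
SAMPLES = [
    "tftp://192.168.0.1/switches/opcode/",
    "tftp://192.168.0.1/switches/opcode",
    "tftp://192.168.0.1/switches/ECS4510-12PD.bix",
    "ftp://admin:secret@192.168.0.1/",
    "http://192.168.0.1/",
    "tftp://fileserver.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        errs, warns = check_upgrade_url(sample)
        verdict = "OK" if not errs else "REJECT"
        print(f"{verdict:6} {sample}")
        for code, msg in errs + warns:
            print(f"       {code}: {msg}")
```

A URL that passes the syntax checks still carries the transport warnings, which is the part to review before pointing switches at an upgrade server.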
Chapter 3 | Basic Management Tasks Setting the System Clock Web Interface To manually set the system clock: Click System, then Time. Select Configure General from the Step list. Select Manual from the Maintain Type list. Enter the time and date in the appropriate fields. Click Apply Figure 12: Manually Setting the System Clock Setting the SNTP...
Chapter 3 | Basic Management Tasks Setting the System Clock Click Apply Figure 13: Setting the Polling Interval for SNTP Configuring NTP Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
Chapter 3 | Basic Management Tasks Setting the System Clock Figure 14: Configuring NTP Configuring Time Servers Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers. Specifying SNTP Time Servers Use the System >...
Chapter 3 | Basic Management Tasks Setting the System Clock Figure 15: Specifying SNTP Time Servers Specifying NTP Time Servers Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers. Parameters The following parameters are displayed: ◆...
Chapter 3 | Basic Management Tasks Setting the System Clock Figure 16: Adding an NTP Time Server To show the list of configured NTP time servers: Click System, then Time. Select Configure Time Server from the Step list. Select Show NTP Server from the Action list. Figure 17: Showing the NTP Time Server List Specifying NTP Authentication Keys Use the System >...
Chapter 3 | Basic Management Tasks Setting the System Clock Web Interface To add an entry to NTP authentication key list: Click System, then Time. Select Configure Time Server from the Step list. Select Add NTP Authentication Key from the Action list. Enter the index number and MD5 authentication key string.
Chapter 3 | Basic Management Tasks Setting the System Clock Setting the Time Zone Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
Chapter 3 | Basic Management Tasks Configuring the Console Port Configuring the Console Port Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings.
Chapter 3 | Basic Management Tasks Configuring the Console Port Note: The password for the console connection can only be configured through the CLI (see the “password” command in the CLI Reference Guide). Note: Password checking can be enabled or disabled for logging in to the console connection (see the “login”...
Chapter 3 | Basic Management Tasks Configuring Telnet Settings Configuring Telnet Settings Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
Chapter 3 | Basic Management Tasks Displaying CPU Utilization Web Interface To configure parameters for the console port: Click System, then Telnet. Specify the connection parameters as required. Click Apply Figure 22: Telnet Connection Settings Displaying CPU Utilization Use the System > CPU Utilization page to display information on CPU utilization. Parameters The following parameters are displayed: ◆...
Chapter 3 | Basic Management Tasks Displaying Memory Utilization Figure 23: Displaying CPU Utilization Displaying Memory Utilization Use the System > Memory Status page to display memory utilization parameters. Parameters The following parameters are displayed: ◆ Free Size – The amount of memory currently free for use. ◆...
Chapter 3 | Basic Management Tasks Resetting the System Resetting the System Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. Command Usage ◆ This command resets the entire system. ◆...
Chapter 3 | Basic Management Tasks Resetting the System ■ MM - The minute at which to reload. (Range: 0-59) Period ■ Daily - Every day. ■ Weekly - Day of the week at which to reload. (Range: Sunday ... Saturday) ■ Monthly - Day of the month at which to reload....
Page 92
Chapter 3 | Basic Management Tasks Resetting the System Figure 26: Restarting the Switch (In) Figure 27: Restarting the Switch (At) Figure 28: Restarting the Switch (Regularly)
Interface Configuration This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
Chapter 4 | Interface Configuration Port Configuration Port Configuration This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. Configuring by Port List Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Page 95
Chapter 4 | Interface Configuration Port Configuration ◆ Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled for ports 1-10. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
Chapter 4 | Interface Configuration Port Configuration Figure 29: Configuring Connections by Port List Configuring by Port Range Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Chapter 4 | Interface Configuration Port Configuration Figure 30: Configuring Connections by Port Range Displaying Connection Status Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Chapter 4 | Interface Configuration Port Configuration Web Interface To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 31: Displaying Port Information Configuring Local Port Mirroring Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
Page 99
Chapter 4 | Interface Configuration Port Configuration ◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring. ◆...
Chapter 4 | Interface Configuration Port Configuration To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 34: Displaying Local Port Mirror Sessions Configuring Remote Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
Page 101
Chapter 4 | Interface Configuration Port Configuration to a destination port on this switch (remote port mirroring as described in this section). ◆ Configuration Guidelines Take the following steps to configure an RSPAN session: Use the VLAN Static List (see “Configuring VLAN Groups”...
Page 102
Chapter 4 | Interface Configuration Port Configuration ■ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
Page 103
Chapter 4 | Interface Configuration Port Configuration ◆ Source Port – Specifies one or more source ports to be mirrored. ◆ Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both) ◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports.
Chapter 4 | Interface Configuration Port Configuration Figure 37: Configuring Remote Port Mirroring (Intermediate) Figure 38: Configuring Remote Port Mirroring (Destination) Showing Port or Trunk Statistics Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Chapter 4 | Interface Configuration Port Configuration Parameters These parameters are displayed: Table 5: Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters. Transmitted Octets The total number of octets transmitted out of the interface, including framing characters.
Page 106
Chapter 4 | Interface Configuration Port Configuration (Continued) Table 5: Port Statistics Parameter Description Deferred Transmissions A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy. Frames Too Long A count of frames received on a particular interface that exceed the maximum permitted frame size.
Page 107
Chapter 4 | Interface Configuration Port Configuration (Continued) Table 5: Port Statistics Parameter Description 65-127 Byte Packets, 128-255 Byte Packets The total number of packets (including bad packets) received and transmitted where the number of octets fall within the specified range (excluding framing bits but including FCS octets).
Page 108
Chapter 4 | Interface Configuration Port Configuration To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list.
Chapter 4 | Interface Configuration Port Configuration Displaying Transceiver Data Use the Interface > Port > Transceiver page to display identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM). Parameters These parameters are displayed: ◆ Port – Port number. (Range: 1-12) ◆...
Chapter 4 | Interface Configuration Port Configuration Configuring Transceiver Thresholds Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring (DDM). This page also displays identifying information for supported transceiver types, and operational parameters for transceivers which support DDM.
Page 111
Chapter 4 | Interface Configuration Port Configuration Threshold values for alarm and warning messages can be configured as described below. ■ A high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
Chapter 4 | Interface Configuration Port Configuration Performing Cable Diagnostics Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
Page 113
Chapter 4 | Interface Configuration Port Configuration ◆ Test Result – The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found. To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics.
Chapter 4 | Interface Configuration Trunk Configuration Trunk Configuration This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
Chapter 4 | Interface Configuration Trunk Configuration Configuring a Static Trunk Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters. Figure 44: Configuring Static Trunks Command Usage ◆...
Page 116
Chapter 4 | Interface Configuration Trunk Configuration Figure 45: Creating Static Trunks To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member.
Chapter 4 | Interface Configuration Trunk Configuration Figure 47: Configuring Connection Parameters for a Static Trunk To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 48: Showing Information for Static Trunks Configuring a Use the Interface >...
Page 118
Chapter 4 | Interface Configuration Trunk Configuration ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. ◆...
Page 119
Chapter 4 | Interface Configuration Trunk Configuration When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port. When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.
Page 120
Chapter 4 | Interface Configuration Trunk Configuration Note: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor. Web Interface To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic.
Page 121
Chapter 4 | Interface Configuration Trunk Configuration Figure 51: Enabling LACP on a Port To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings.
Page 122
Chapter 4 | Interface Configuration Trunk Configuration Select a Trunk. Figure 53: Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings.
Chapter 4 | Interface Configuration Trunk Configuration Figure 55: Displaying Connection Parameters for Dynamic Trunks Displaying LACP Port Counters Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. Parameters These parameters are displayed:...
Chapter 4 | Interface Configuration Trunk Configuration Figure 56: Displaying LACP Port Counters Displaying LACP Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational Settings and Status for state for the local side of a link aggregation.
Page 125
Chapter 4 | Interface Configuration Trunk Configuration (Continued) Table 7: LACP Internal Configuration Information Parameter Description Admin State, Oper State (continued) ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
Chapter 4 | Interface Configuration Trunk Configuration Displaying LACP Settings and Status for the Remote Side Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation. Parameters These parameters are displayed:...
Chapter 4 | Interface Configuration Trunk Configuration Figure 58: Displaying LACP Port Remote Information Configuring Load Balancing Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
Page 128
Chapter 4 | Interface Configuration Trunk Configuration ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
Chapter 4 | Interface Configuration Saving Power Saving Power Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI References Command Usage ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
Page 130
Chapter 4 | Interface Configuration Saving Power Parameters These parameters are displayed: ◆ Port – Power saving mode only applies to the Gigabit Ethernet ports using copper media. ◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices.
Chapter 4 | Interface Configuration Traffic Segmentation Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Chapter 4 | Interface Configuration Traffic Segmentation Configuring Uplink and Downlink Ports Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
Page 133
Chapter 4 | Interface Configuration Traffic Segmentation ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-12) ◆ Trunk – Trunk Identifier. (Range: 1-6) Web Interface To configure the members of the traffic segmentation group: Click Interface, Traffic Segmentation.
Chapter 4 | Interface Configuration VLAN Trunking To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 63: Showing Traffic Segmentation Members VLAN Trunking Use the Interface >...
Page 135
Chapter 4 | Interface Configuration VLAN Trunking and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. ◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see “Adding Static Members to VLANs”...
VLAN Configuration This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
Page 138
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs This switch supports the following VLAN features: ◆ Up to 4093 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol ◆...
Page 139
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 67: Using GVRP Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Page 141
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Modify ◆ VLAN ID – ID of configured VLAN (1-4093). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. Show ◆...
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
Page 143
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Parameters These parameters are displayed: Edit Member by VLAN ◆ VLAN – ID of configured VLAN (1-4093). ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-10) ◆...
Page 144
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs ■ If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded. ■ Ingress filtering does not affect VLAN independent BPDU frames, such as...
Page 145
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Web Interface To configure static members by the VLAN index: Click VLAN, Static. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required.
Page 146
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 72: Configuring Static VLAN Members by Interface To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Action list. Set the Interface type to display as Port or Trunk. Enter an interface range.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Configuring Dynamic VLAN Registration Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface. Parameters These parameters are displayed: Configure General ◆...
Page 148
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Show Dynamic VLAN – Show VLAN VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status –...
Page 149
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 75: Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN: Click VLAN, Dynamic.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Figure 77: Showing the Members of a Dynamic VLAN IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Page 151
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet.
Page 152
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag). The switch sends the packet to the proper egress port. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped.
Page 153
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet. The switch sends the packet to the proper egress port. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 142). Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to a QinQ Tunnel”...
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Click Apply. Figure 79: Enabling QinQ Tunneling Creating CVLAN to SPVLAN Mapping Entries Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry. Command Usage ◆ The inner VLAN tag of a customer packet entering the edge router of a service provider’s network is mapped to an outer tag indicating the service provider VLAN that will carry this traffic across the 802.1Q tunnel.
Page 156
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Web Interface To configure a mapping entry: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Add from the Action list. Select an interface from the Port list. Specify the CVID to SVID mapping for packets exiting the specified port. Click Apply.
Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide. Adding an Interface to Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
Chapter 5 | VLAN Configuration Protocol VLANs Figure 82: Adding an Interface to a QinQ Tunnel Protocol VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
Chapter 5 | VLAN Configuration Protocol VLANs Configuring Protocol VLAN Groups Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. Parameters These parameters are displayed: ◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
Chapter 5 | VLAN Configuration Protocol VLANs Figure 83: Configuring Protocol VLANs To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 84: Displaying Protocol VLANs Mapping Protocol Use the VLAN >...
Page 161
Chapter 5 | VLAN Configuration Protocol VLANs ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is...
Chapter 5 | VLAN Configuration Configuring IP Subnet VLANs To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk. Figure 86: Showing the Interface to Protocol Group Mapping Configuring IP Subnet VLANs Use the VLAN >...
Page 163
Chapter 5 | VLAN Configuration Configuring IP Subnet VLANs ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. Parameters These parameters are displayed: ◆ IP Address – The IP address for a subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
Chapter 5 | VLAN Configuration Configuring MAC-based VLANs To show the configured IP subnet VLANs: Click VLAN, IP Subnet. Select Show from the Action list. Figure 88: Showing IP Subnet VLANs Configuring MAC-based VLANs Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.
Page 165
Chapter 5 | VLAN Configuration Configuring MAC-based VLANs ◆ Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority; Default: 0) Web Interface To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list.
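The classification rules stated in this chapter (a tagged frame keeps its tagged VLAN ID, ingress filtering discards tagged frames for VLANs the port is not a member of, and untagged frames are matched MAC-based first, then IP subnet-based, then protocol-based, with the port's default VLAN ID last) can be modelled as one function. This is an added illustration, not switch firmware or Edge-Core code; the class and function names, the sample addresses and VLAN IDs, matching protocol VLANs by EtherType only, and picking the most specific subnet are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Accept xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx; return 12 lowercase hex digits."""
    digits = mac.replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    tag_vid: Optional[int] = None   # 802.1Q VLAN ID, None if untagged
    src_ip: Optional[str] = None    # source IP, if the payload carries one


@dataclass
class Port:
    pvid: int                       # default VLAN ID of the receiving port
    member_vlans: frozenset
    ingress_filtering: bool = True
    protocol_vlans: dict = field(default_factory=dict)  # EtherType -> VLAN (simplified)


@dataclass
class Tables:
    mac_vlans: dict = field(default_factory=dict)     # normalized MAC -> VLAN
    subnet_vlans: dict = field(default_factory=dict)  # "a.b.c.d/len" -> VLAN


def classify(frame: Frame, port: Port, tables: Tables):
    """Return (vlan_id, rule); vlan_id is None when the frame is discarded."""
    # Tagged frames: the tag decides, subject to ingress filtering.
    if frame.tag_vid is not None:
        if port.ingress_filtering and frame.tag_vid not in port.member_vlans:
            return None, "discarded: ingress filtering"
        return frame.tag_vid, "802.1Q tag"

    # Untagged frames: MAC-based, then IP subnet-based, then protocol-based.
    vid = tables.mac_vlans.get(normalize_mac(frame.src_mac))
    if vid is not None:
        return vid, "MAC-based"

    if frame.src_ip is not None:
        addr = ip_address(frame.src_ip)
        hits = [(ip_network(net), v) for net, v in tables.subnet_vlans.items()
                if addr in ip_network(net)]
        if hits:
            # Assumption: the most specific matching subnet wins.
            return max(hits, key=lambda h: h[0].prefixlen)[1], "IP subnet-based"

    vid = port.protocol_vlans.get(frame.ethertype)
    if vid is not None:
        return vid, "protocol-based"

    # Port-based VLAN is applied last.
    return port.pvid, "port-based (PVID)"


def demo(ingress_filtering: bool = True) -> dict:
    """Classify constructed sample frames on one constructed port."""
    port = Port(pvid=1, member_vlans=frozenset({1, 10}),
                ingress_filtering=ingress_filtering,
                protocol_vlans={0x0806: 40})
    tables = Tables(
        mac_vlans={normalize_mac("00-11-22-33-44-55"): 20},
        subnet_vlans={"192.168.0.0/16": 31, "192.168.10.0/24": 30},
    )
    frames = {
        "mac_and_subnet": Frame("001122334455", 0x0800, src_ip="192.168.10.7"),
        "subnet_only": Frame("00-aa-bb-cc-dd-ee", 0x0800, src_ip="192.168.10.8"),
        "protocol_only": Frame("00-aa-bb-cc-dd-ee", 0x0806),
        "no_match": Frame("00-aa-bb-cc-dd-ee", 0x86DD),
        "tagged_member": Frame("00-aa-bb-cc-dd-ee", 0x0800, tag_vid=10),
        "tagged_foreign": Frame("00-aa-bb-cc-dd-ee", 0x0800, tag_vid=99),
    }
    return {name: classify(f, port, tables) for name, f in frames.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Calling `demo(ingress_filtering=False)` shows the same tagged frame for VLAN 99 being accepted on a port that is not a member of that VLAN, which is the case ingress filtering exists to stop.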
Chapter 5 | VLAN Configuration Configuring VLAN Mirroring Configuring VLAN Mirroring Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
Page 167
Chapter 5 | VLAN Configuration Configuring VLAN Mirroring Click Apply. Figure 91: Configuring VLAN Mirroring To show the VLANs to be mirrored: Click VLAN, Mirror. Select Show from the Action list. Figure 92: Showing the VLANs to Mirror
Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Page 170
Chapter 6 | Address Table Settings Setting Static Addresses Parameters These parameters are displayed: ◆ VLAN – ID of configured VLAN. (Range: 1-4093) ◆ Interface – Port or trunk associated with the device assigned a static address. ◆ MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Chapter 6 | Address Table Settings Changing the Aging Time Figure 94: Displaying Static MAC Addresses Changing the Aging Time Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
Chapter 6 | Address Table Settings Displaying the Dynamic Address Table Displaying the Dynamic Address Table Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
Chapter 6 | Address Table Settings Clearing the Dynamic Address Table Figure 96: Displaying the Dynamic MAC Address Table Clearing the Dynamic Address Table Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. Parameters These parameters are displayed: ◆...
Chapter 6 | Address Table Settings Configuring MAC Address Mirroring Figure 97: Clearing Entries in the Dynamic MAC Address Table Configuring MAC Address Mirroring Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Page 175
Chapter 6 | Address Table Settings Configuring MAC Address Mirroring Web Interface To mirror packets based on a MAC address: Click MAC Address, Mirror. Select Add from the Action list. Specify the source MAC address and destination port. Click Apply. Figure 98: Mirroring Packets Based on the Source MAC Address To show the MAC addresses to be mirrored: Click MAC Address, Mirror.
Spanning Tree Algorithm This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA –...
Page 178
Chapter 7 | Spanning Tree Algorithm Overview ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 100: STP Root Ports and Designated Ports...
Page 179
Chapter 7 | Spanning Tree Algorithm Overview Figure 101: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection Configuring Loopback Detection Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
Page 181
Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired. If an interface is shut down due to a detected loopback, and the release mode is set to “Manual,”...
Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA Configuring Global Settings for STA Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. Command Usage ◆...
Page 183
Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA Parameters These parameters are displayed: Basic Configuration of Global Settings ◆ Spanning Tree Status – Enables/disables STA on this switch. (Default: Enabled) ◆ Spanning Tree Type – Specifies the type of spanning tree used on this switch: STP: Spanning Tree Protocol (IEEE 802.1D);...
Page 184
Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA ◆ Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) When the Switch Becomes Root ◆...
Page 185
Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA ◆ Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0) ◆ Region Name – The name for this MSTI. (Maximum length: 32 characters; switch’s MAC address) ◆...
Page 186
Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA Figure 105: Configuring Global Settings for STA (RSTP) Figure 106: Configuring Global Settings for STA (MSTP)
Chapter 7 | Spanning Tree Algorithm Displaying Global Settings for STA Displaying Global Settings for STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch. Parameters The parameters displayed are described in the preceding section, except for the following items:...
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA Figure 107: Displaying Global Settings for STA Configuring Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA ◆ Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Page 190
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA ◆ Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface...
Page 191
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA ◆ BPDU Filter – BPDU filtering allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. By default, STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port.
Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA Displaying Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. Parameters These parameters are displayed: ◆...
Page 193
Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA ◆ Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. ◆...
Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees Web Interface To display interface settings for STA: Click Spanning Tree, STA. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 110: Displaying Interface Settings for STA Configuring Multiple Spanning Trees Use the Spanning Tree >...
Page 195
Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees To use multiple spanning trees: Set the spanning tree type to MSTP (page 182). Enter the spanning tree priority for the selected MST instance on the Spanning Tree > MSTP (Configure Global - Add) page. Add the VLANs that will share this MSTI on the Spanning Tree >...
Page 196
Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees Figure 111: Creating an MST Instance To show the MSTP instances: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show from the Action list. Figure 112: Displaying MST Instances
Page 197
Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
Page 198
Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for MSTP Configuring Interface Settings for MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. Parameters These parameters are displayed: ◆...
Page 200
Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for MSTP Web Interface To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Configure from the Action list. Enter the priority and path cost for an interface Click Apply.
Congestion Control The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Chapter 8 | Congestion Control Storm Control Web Interface To configure rate limits: Click Traffic, Rate Limit. Set the interface type to Port or Trunk. Enable the Rate Limit Status for the required interface. Set the rate limit for the individual ports. Click Apply.
Page 203
Chapter 8 | Congestion Control Storm Control port. Enabling hardware-level storm control on a port will disable automatic storm control on that port. ◆ The rate limits set by this function are also used by automatic storm control when the control response is set to rate control on the Auto Traffic Control (Configure Interface) page.
Chapter 8 | Congestion Control Automatic Traffic Control Figure 120: Configuring Storm Control Automatic Traffic Control Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. Command Usage ATC includes storm control for broadcast or multicast traffic.
Page 205
Chapter 8 | Congestion Control Automatic Traffic Control ◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. ◆...
Chapter 8 | Congestion Control Automatic Traffic Control Setting the ATC Timers Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Chapter 8 | Congestion Control Automatic Traffic Control Figure 123: Configuring ATC Timers Configuring ATC Thresholds and Responses Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, and to automatically release a response of rate limiting, or to send related SNMP trap...
Page 208
Chapter 8 | Congestion Control Automatic Traffic Control event is logged by the system and a Traffic Release Trap can be sent. (Default: Disabled) If automatic control release is not enabled and a control response of rate limiting has been triggered, you can manually stop the rate limiting response using the Manual Control Release attribute.
Page 209
Chapter 8 | Congestion Control Automatic Traffic Control Web Interface To configure the response timers for automatic storm control: Click Traffic, Automatic Traffic Control. Select Configure Interface from the Step field. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues...
Chapter 9 | Class of Service Layer 2 Queue Settings ◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters These parameters are displayed: ◆ Interface –...
Page 213
Chapter 9 | Class of Service Layer 2 Queue Settings the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. ◆ If Strict and WRR mode is selected, strict service is used for the high priority queues and weighted service for the remaining queues...
Page 214
Chapter 9 | Class of Service Layer 2 Queue Settings Web Interface To configure the queue mode: Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table...
Chapter 9 | Class of Service Layer 2 Queue Settings Mapping CoS Values to Egress Queues Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see...
Page 216
Chapter 9 | Class of Service Layer 2 Queue Settings ◆ The specified mapping applies to all interfaces. Parameters These parameters are displayed: ◆ Port – Specifies a port. ◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7, where 7 is the highest priority) ◆...
Chapter 9 | Class of Service Layer 3/4 Priority Settings Figure 130: Showing CoS Values to Egress Queue Mapping Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
Chapter 9 | Class of Service Layer 3/4 Priority Settings Setting Priority Processing to DSCP or CoS The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method. Command Usage ◆...
Chapter 9 | Class of Service Layer 3/4 Priority Settings Figure 131: Setting the Trust Mode Mapping Ingress DSCP Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming Values to Internal packets to per-hop behavior and drop precedence values for internal priority processing.
Chapter 9 | Class of Service Layer 3/4 Priority Settings ◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red) Table 15: Default Mapping of DSCP Values to Internal PHB/Drop Values ingress- dscp1 ingress-...
Chapter 9 | Class of Service Layer 3/4 Priority Settings To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Select a port. Figure 133: Showing DSCP to DSCP Internal Mapping Mapping CoS Use the Traffic >...
Chapter 9 | Class of Service Layer 3/4 Priority Settings then starts dropping any packets regardless of color when the buffer fills up to 58 packets on Fast Ethernet ports and 80 packets on Gigabit Ethernet ports. ◆ The specified mapping applies to all interfaces. Parameters These parameters are displayed: ◆...
Page 223
Chapter 9 | Class of Service Layer 3/4 Priority Settings Figure 134: Configuring CoS to DSCP Internal Mapping To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select a port. Figure 135: Showing CoS to DSCP Internal Mapping
Quality of Service This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
Chapter 10 | Quality of Service Configuring a Class Map Command Usage To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic...
Page 227
Chapter 10 | Quality of Service Configuring a Class Map Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. ◆...
Page 228
Chapter 10 | Quality of Service Configuring a Class Map To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 137: Showing Class Maps To edit the rules for a class map: Click Traffic, DiffServ.
Page 229
Chapter 10 | Quality of Service Configuring a Class Map Figure 138: Adding Rules to a Class Map To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 139: Showing the Rules for a Class Map
Chapter 10 | Quality of Service Creating QoS Policies Creating QoS Policies Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 226), modify service tagging, and enforce bandwidth...
Page 231
Chapter 10 | Quality of Service Creating QoS Policies ◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red.
Page 232
Chapter 10 | Quality of Service Creating QoS Policies (BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size. ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion...
Page 233
Chapter 10 | Quality of Service Creating QoS Policies Random Early Detection – RED starts dropping yellow and red packets when the buffer fills up to a moderately high level, and then starts dropping any packets regardless of color when the buffer fills up to a very high level. Command Usage ◆...
Page 234
Chapter 10 | Quality of Service Creating QoS Policies ◆ Meter – Check this to define the maximum throughput, burst rate, and the action that results from a policy violation. ◆ Meter Mode – Selects one of the following policing methods. Flow (Police Flow) –...
Page 235
Chapter 10 | Quality of Service Creating QoS Policies The rate cannot exceed the configured interface speed. ■ Committed Burst Size (BC) – Burst in bytes. (Range: 0-16000000 at a granularity of 4k bytes) ■ Excess Burst Size (BE) – Burst in excess of committed burst size...
Page 236
Chapter 10 | Quality of Service Creating QoS Policies ■ Committed Burst Size (BC) – Burst in bytes. (Range: 0-16000000 at a granularity of 4k bytes) ■ Peak Information Rate (PIR) – Rate in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed...
Page 237
Chapter 10 | Quality of Service Creating QoS Policies Web Interface To configure a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add from the Action list. Enter a policy name. Enter a description. Click Add. Figure 140: Configuring a Policy Map To show the configured policy maps: Click Traffic, DiffServ.
Page 238
Chapter 10 | Quality of Service Creating QoS Policies To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
Chapter 10 | Quality of Service Attaching a Policy Map to a Port To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 143: Showing the Rules for a Policy Map Attaching a Policy Map to a Port Use the Traffic >...
Page 240
Chapter 10 | Quality of Service Attaching a Policy Map to a Port Web Interface To bind a policy map to a port: Click Traffic, DiffServ. Select Configure Interface from the Step list. Check the box under the Ingress field to enable a policy map for a port. Select a policy map from the scroll-down box.
VoIP Traffic Configuration This chapter covers the following topics: ◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organizational Unique Identifier (OUI)...
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Configuring VoIP Traffic Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
Chapter 11 | VoIP Traffic Configuration Configuring Telephony OUI Figure 145: Configuring a Voice VLAN Configuring Telephony OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets.
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports Click Apply. Figure 146: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 147: Showing an OUI Telephony List Configuring VoIP Traffic Ports Use the Traffic >...
Page 245
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports Parameters These parameters are displayed: ◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None) ■ None – The Voice VLAN feature is disabled on the port. The port will not...
Page 246
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports Web Interface To configure VoIP traffic settings for a port: Click Traffic, VoIP. Select Configure Interface from the Step list. Configure any required changes to the VoIP settings for each port. Click Apply...
Security Measures You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: ◆...
Chapter 12 | Security Measures AAA Authorization and Accounting Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping. AAA Authorization and Accounting The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch.
Chapter 12 | Security Measures AAA Authorization and Accounting Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. Note: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
Chapter 12 | Security Measures AAA Authorization and Accounting Web Interface To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply. Figure 149: Configuring the Authentication Sequence Configuring Remote Use the Security >...
Page 251
Chapter 12 | Security Measures AAA Authorization and Accounting remote logon authentication control management access via the console port, web browser, or Telnet. ◆ RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.
Page 252
Chapter 12 | Security Measures AAA Authorization and Accounting ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. ◆...
Page 253
Chapter 12 | Security Measures AAA Authorization and Accounting Web Interface To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server. Select Configure Server from the Step list. Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
Page 254
Chapter 12 | Security Measures AAA Authorization and Accounting Figure 152: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
Chapter 12 | Security Measures AAA Authorization and Accounting To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 154: Showing AAA Server Groups Configuring AAA Use the Security >...
Page 256
Chapter 12 | Security Measures AAA Authorization and Accounting ■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined...
Page 257
Chapter 12 | Security Measures AAA Authorization and Accounting Show Information – Summary ◆ Accounting Type - Displays the accounting service. ◆ Method Name - Displays the user-defined or default accounting method. ◆ Server Group Name - Displays the accounting server group. ◆...
Page 258
Chapter 12 | Security Measures AAA Authorization and Accounting Select Add from the Action list. Select the accounting type (802.1X, Command, Exec). Specify the name of the accounting method and server group name. Click Apply. Figure 156: Configuring AAA Accounting Methods To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting.
Page 259
Chapter 12 | Security Measures AAA Authorization and Accounting Select the accounting type (802.1X, Command, Exec). Enter the required accounting method. Click Apply. Figure 158: Configuring AAA Accounting Service for 802.1X Service Figure 159: Configuring AAA Accounting Service for Command Service Figure 160: Configuring AAA Accounting Service for Exec Service
Chapter 12 | Security Measures AAA Authorization and Accounting To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary. Figure 161: Displaying a Summary of Applied AAA Accounting Methods To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting.
Page 261
Chapter 12 | Security Measures AAA Authorization and Accounting ◆ AAA authentication through a RADIUS or TACACS+ server must be enabled before authorization is enabled. Parameters These parameters are displayed: Configure Method ◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections.
Page 262
Chapter 12 | Security Measures AAA Authorization and Accounting Specify the name of the authorization method and server group name. Click Apply. Figure 163: Configuring AAA Authorization Methods To show the authorization method applied to the EXEC service type and the assigned server group: Click Security, AAA, Authorization.
Chapter 12 | Security Measures Configuring User Accounts Figure 165: Configuring AAA Authorization Methods for Exec Service To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization. Select Show Information from the Step list. Figure 166: Displaying the Applied AAA Authorization Method Configuring User Accounts Use the Security >...
Page 264
Chapter 12 | Security Measures Configuring User Accounts ◆ Access Level – Specifies the user level. (Options: 0 - Normal, 15 - Privileged) Normal privilege level provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions.
Chapter 12 | Security Measures Web Authentication To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 168: Showing User Accounts Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
Chapter 12 | Security Measures Web Authentication Note that this feature must also be enabled for any port where required under the Configure Interface menu. ◆ Session Timeout – Configures how long an authenticated session stays active before it must re-authenticate itself. (Range: 300-3600 seconds; Default: 3600 seconds) ◆...
Page 267
Chapter 12 | Security Measures Web Authentication ◆ Status – Configures the web authentication status for the port. ◆ Host IP Address – Indicates the IP address of each connected host. ◆ Remaining Session Time – Indicates the remaining time until the current authorization session for the host expires.
Chapter 12 | Security Measures Network Access (MAC Address Authentication) Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
Chapter 12 | Security Measures Network Access (MAC Address Authentication) ■ Tunnel-Private-Group-ID = 1u,2t [VLAN ID list] The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a tagged VLAN. ◆...
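The “1u,2t,3u” list format described above can be checked on the RADIUS side before a profile is deployed, so that a malformed value is caught before it reaches a switch port. The following Python is an added example, not code from this guide or from the vendor; the 1-4093 VLAN range (taken from the Guest VLAN field in this guide), the duplicate-ID check, the strict no-whitespace rule, and the sample profiles are assumptions.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Assumption: valid VLAN IDs are 1-4093, the upper bound this guide gives for
# the Guest VLAN field. Adjust for other platforms.
VLAN_MIN, VLAN_MAX = 1, 4093

# One list item: a decimal VLAN ID followed by "u" (untagged) or "t" (tagged).
_ITEM = re.compile(r"([0-9]{1,4})([ut])")


class VlanAssignment(NamedTuple):
    vlan_id: int
    tagged: bool


class VlanListError(ValueError):
    """Raised when a Tunnel-Private-Group-ID value is not a valid VLAN list."""


def parse_vlan_list(value: str) -> list[VlanAssignment]:
    """Parse a value such as "1u,2t,3u" into VLAN assignments, strictly."""
    if value == "":
        raise VlanListError("empty VLAN list")
    result: list[VlanAssignment] = []
    seen: set[int] = set()
    for position, item in enumerate(value.split(","), start=1):
        # fullmatch rejects whitespace, empty items and any other suffix.
        match = _ITEM.fullmatch(item)
        if match is None:
            raise VlanListError(
                f"item {position} {item!r} is not <vlan-id>u or <vlan-id>t")
        vlan_id = int(match.group(1))
        if not VLAN_MIN <= vlan_id <= VLAN_MAX:
            raise VlanListError(
                f"item {position}: VLAN {vlan_id} outside {VLAN_MIN}-{VLAN_MAX}")
        if vlan_id in seen:
            # Assumed policy: the same VLAN must not appear twice in one list.
            raise VlanListError(
                f"item {position}: VLAN {vlan_id} listed more than once")
        seen.add(vlan_id)
        result.append(VlanAssignment(vlan_id, match.group(2) == "t"))
    return result


# Constructed sample: RADIUS user name (MAC address) -> attribute value.
SAMPLE_PROFILES = {
    "00-11-22-33-44-55": "1u,2t,3u",   # valid, the format shown in the guide
    "00-11-22-33-44-66": "10u, 20t",   # stray space after the comma
    "00-11-22-33-44-77": "5000t",      # VLAN ID out of range
    "00-11-22-33-44-88": "7x",         # unknown tagging suffix
    "00-11-22-33-44-99": "4u,4t",      # same VLAN listed twice
}


def audit_profiles(profiles: dict[str, str]) -> dict[str, str]:
    """Return {user: problem} for every profile whose VLAN list is rejected."""
    problems: dict[str, str] = {}
    for user, value in profiles.items():
        try:
            parse_vlan_list(value)
        except VlanListError as exc:
            problems[user] = str(exc)
    return problems


if __name__ == "__main__":
    for user, problem in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{user}: {problem}")
```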
Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur: ■ Illegal characters found in a profile value (for example, a non-digital...
Chapter 12 | Security Measures Network Access (MAC Address Authentication) Web Interface To configure aging status and reauthentication time for MAC address authentication: Click Security, Network Access. Select Configure Global from the Step list. Enable or disable aging for secure addresses, and modify the reauthentication time as required.
Page 272
Chapter 12 | Security Measures Network Access (MAC Address Authentication) authentication (including Network Access and IEEE 802.1X). (Range: 1-1024; Default: 1024) ◆ Guest VLAN – Specifies the VLAN to be assigned to the port when 802.1X Authentication fails. (Range: 0-4093, where 0 means disabled; Default: Disabled) The VLAN must already be created and active (see “Configuring VLAN Groups”...
Chapter 12 | Security Measures Network Access (MAC Address Authentication) Click Apply. Figure 172: Configuring Interface Settings for Network Access Configuring Port Link Detection Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs. Parameters These parameters are displayed: ◆...
Chapter 12 | Security Measures Network Access (MAC Address Authentication) Web Interface To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
Page 275
Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match.
Chapter 12 | Security Measures Network Access (MAC Address Authentication) Displaying Secure MAC Address Information Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table...
Chapter 12 | Security Measures Configuring HTTPS Figure 176: Showing Addresses Authenticated for Network Access Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Chapter 12 | Security Measures Configuring HTTPS ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6.x or above, or Mozilla Firefox 4.x or above. ◆ The following web browsers and operating systems currently support HTTPS: Table 18: HTTPS System Support Web Browser Operating System...
Chapter 12 | Security Measures Configuring HTTPS Figure 177: Configuring HTTPS Replacing the Default Secure-site Certificate Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch...
Page 280
Chapter 12 | Security Measures Configuring HTTPS ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. ◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made.
Chapter 12 | Security Measures Configuring the Secure Shell Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
Page 282
Chapter 12 | Security Measures Configuring the Secure Shell Import Client’s Public Key to the Switch – See “Importing User Public Keys” on page 286 to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 263.) The...
Chapter 12 | Security Measures Configuring the Secure Shell The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
Chapter 12 | Security Measures Configuring the Secure Shell ◆ Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) ■ The server key is a private key that is never shared outside the switch. ■ The host key is shared with the SSH client, and is fixed at 1024 bits...
Page 285
Chapter 12 | Security Measures Configuring the Secure Shell Parameters These parameters are displayed: ◆ Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
Chapter 12 | Security Measures Configuring the Secure Shell To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear. Click Clear.
Page 287
Chapter 12 | Security Measures Configuring the Secure Shell The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
Chapter 12 | Security Measures Access Control Lists To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
Page 289
Chapter 12 | Security Measures Access Control Lists Command Usage The following restrictions apply to ACLs: ◆ The maximum number of ACLs is 64. ◆ The maximum number of rules per system is 512 rules. ◆ An ACL can have up to 64 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
Chapter 12 | Security Measures Access Control Lists Setting A Time Range Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied. Command Usage If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Page 291
Chapter 12 | Security Measures Access Control Lists Figure 184: Setting the Name of a Time Range To show a list of time ranges: Click Security, ACL. Select Configure Time Range from the Step list. Select Show from the Action list. Figure 185: Showing a List of Time Ranges To configure a rule for a time range: Click Security, ACL.
Chapter 12 | Security Measures Access Control Lists Figure 186: Add a Rule to a Time Range To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 187: Showing the Rules Configured for a Time Range Showing TCAM Use the Security >...
Chapter 12 | Security Measures Access Control Lists For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
Page 294
Chapter 12 | Security Measures Access Control Lists ◆ Type – The following filter modes are supported: ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address. ■ IP Extended: IPv4 ACL mode filters packets based on the source or...
Chapter 12 | Security Measures Access Control Lists To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list. Figure 190: Showing a List of ACLs Configuring a Standard IPv4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Chapter 12 | Security Measures Access Control Lists Web Interface To add rules to an IP Standard ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Standard from the Type list. Select the name of an ACL from the Name list.
Page 297
Chapter 12 | Security Measures Access Control Lists ◆ Name – Shows the names of ACLs matching the selected type. ◆ Action – An ACL can contain any combination of permit or deny rules. ◆ Source/Destination Address Type – Specifies the source or destination IP address type.
Page 298
Chapter 12 | Security Measures Access Control Lists For example, use the code value and mask below to catch packets with the following flags set: ■ SYN flag valid, use control-code 2, control bit mask 2 ■ Both SYN and ACK valid, use control-code 18, control bit mask 18 ...
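The sketch below is an added example, not taken from the manual or the switch firmware. It shows how a control code and bit mask pair such as 2/2 or 18/18 selects TCP segments by their flag bits. It assumes the usual comparison (segment flags AND mask equals code AND mask) and six flag bits; the third rule (code 2, mask 18) and all port numbers are constructed for illustration.

```python
import struct

# TCP flag bits as they sit in the flags byte of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags):
    """Return a constructed 20-byte TCP header (no options, zero checksum)."""
    data_offset = 5 << 4  # header length of five 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                       data_offset, flags, 8192, 0, 0)


def tcp_flags(header):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13] & 0x3F


def rule_matches(flags, control_code, bit_mask):
    """Assumed semantics: only the bits selected by the mask are compared."""
    for value in (control_code, bit_mask):
        if not 0 <= value <= 0x3F:
            raise ValueError("code and mask must fit in six flag bits")
    return (flags & bit_mask) == (control_code & bit_mask)


# Rule name -> (control code, control bit mask).
RULES = {
    "SYN set (code 2, mask 2)": (2, 2),
    "SYN and ACK set (code 18, mask 18)": (18, 18),
    # Constructed extra rule: test both bits, require SYN=1 and ACK=0.
    "SYN set, ACK clear (code 2, mask 18)": (2, 18),
}


def matched_rules(header):
    """Return the names of all rules in RULES that a raw TCP header matches."""
    flags = tcp_flags(header)
    return [name for name, (code, mask) in RULES.items()
            if rule_matches(flags, code, mask)]


if __name__ == "__main__":
    samples = {
        "initial SYN": build_tcp_header(40000, 80, SYN),
        "SYN+ACK reply": build_tcp_header(80, 40000, SYN | ACK),
        "plain ACK": build_tcp_header(40000, 80, ACK),
    }
    for label, header in samples.items():
        print(f"{label:14s} flags={tcp_flags(header):2d} -> {matched_rules(header)}")
```

Under these assumptions a rule with code 2 and mask 2 also matches SYN+ACK segments, because the mask leaves the ACK bit untested; a rule meant for connection-opening SYNs only has to include the ACK bit in the mask.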
Chapter 12 | Security Measures Access Control Lists Figure 192: Configuring an Extended IPv4 ACL Configuring a Standard IPv6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. Parameters These parameters are displayed in the web interface: ◆...
Chapter 12 | Security Measures Access Control Lists Web Interface To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list. Select the name of an ACL from the Name list.
Page 301
Chapter 12 | Security Measures Access Control Lists ◆ Action – An ACL can contain any combination of permit or deny rules. ◆ Source/Destination Address Type – Specifies the source or destination IP address type. Use “Any” to include all possible addresses, or “IPv6-Prefix” to specify a range of addresses.
Chapter 12 | Security Measures Access Control Lists Select the address type (Any or IPv6-prefix). If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and prefix length. Set any other required criteria, such as DSCP or next header type. Click Apply.
Page 303
Chapter 12 | Security Measures Access Control Lists ◆ Source/Destination Bit Mask – Hexadecimal mask for source or destination MAC address. ◆ Packet Format – This attribute includes the following packet types: ■ Any – Any Ethernet packet type. ■ Untagged-eth2 – Untagged Ethernet II packets. ...
Chapter 12 | Security Measures Access Control Lists Figure 195: Configuring a MAC ACL Configuring an ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection”...
Page 305
Chapter 12 | Security Measures Access Control Lists address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any) ◆ Source/Destination MAC Address – Source or destination MAC address. ◆ Source/Destination MAC Bit Mask – Hexadecimal mask for source or destination MAC address.
Chapter 12 | Security Measures Access Control Lists Figure 196: Configuring an ARP ACL Binding a Port to an Access Control List After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
Chapter 12 | Security Measures ARP Inspection Select a port. Select the name of an ACL from the ACL list. Click Apply. Figure 197: Binding a Port to an ACL ARP Inspection ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets.
Chapter 12 | Security Measures ARP Inspection ◆ By default, ARP Inspection is disabled both globally and on all VLANs. ■ If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled. ■ When ARP Inspection is enabled globally, all ARP request and reply packets...
Page 309
Chapter 12 | Security Measures ARP Inspection ■ Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
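The Source MAC check described above, applied to raw frames, as an added example that is not the switch's own code. The frames and addresses are constructed, and dropping malformed ARP messages is an assumption of this sketch.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(eth_src, eth_dst, oper, sender_mac, sender_ip,
                    target_mac, target_ip, vlan=None):
    """Constructed Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    frame = mac_bytes(eth_dst) + mac_bytes(eth_src)
    if vlan is not None:  # optional 802.1Q tag
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_ARP)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    frame += mac_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))
    frame += mac_bytes(target_mac) + bytes(map(int, target_ip.split(".")))
    return frame


def check_source_mac(frame):
    """Return (verdict, reason); verdict is 'pass', 'drop' or 'skip'."""
    if len(frame) < 14:
        return "drop", "truncated Ethernet header"
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return "drop", "truncated 802.1Q tag"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        return "skip", "not an ARP frame"
    arp = frame[offset:]
    if len(arp) < 8:
        return "drop", "truncated ARP header"
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop", "unsupported ARP format"
    if len(arp) < 28:
        return "drop", "truncated ARP body"
    if oper not in (ARP_REQUEST, ARP_REPLY):
        return "drop", "unexpected ARP opcode"
    sender_mac = arp[8:14]
    if sender_mac != eth_src:
        return "drop", (f"Ethernet source {mac_text(eth_src)} differs from "
                        f"ARP sender {mac_text(sender_mac)}")
    return "pass", "Ethernet source matches ARP sender"


if __name__ == "__main__":
    host, other, bcast = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
    samples = {
        "consistent request": build_arp_frame(host, bcast, ARP_REQUEST, host,
                                              "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        "mismatched reply": build_arp_frame(host, bcast, ARP_REPLY, other,
                                            "192.0.2.1", host, "192.0.2.10"),
    }
    for label, frame in samples.items():
        print(label, "->", check_source_mac(frame))
```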
Chapter 12 | Security Measures ARP Inspection Web Interface To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
Page 311
Chapter 12 | Security Measures ARP Inspection ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters These parameters are displayed: ◆...
Chapter 12 | Security Measures ARP Inspection Configuring Interface Settings for ARP Inspection Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. Parameters These parameters are displayed: ◆...
Chapter 12 | Security Measures ARP Inspection Displaying ARP Inspection Statistics Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. Parameters These parameters are displayed: Table 19: ARP Inspection Statistics Parameter Description...
Chapter 12 | Security Measures ARP Inspection Figure 201: Displaying Statistics for ARP Inspection Displaying the ARP Inspection Log Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
Chapter 12 | Security Measures Filtering IP Addresses for Management Access Figure 202: Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Page 316
Chapter 12 | Security Measures Filtering IP Addresses for Management Access ■ All – Configures IP address(es) for all groups. ◆ Start IP Address – A single IP address, or the starting address of a range. ◆ End IP Address – The end address of a range. Web Interface To create a list of IP addresses authorized for management access: Click Security, IP Filter.
Chapter 12 | Security Measures Configuring Port Security Configuring Port Security Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
Page 318
Chapter 12 | Security Measures Configuring Port Security ◆ Security Status – Enables or disables port security on an interface. (Default: Disabled) ◆ Port Status – The operational status: ■ Secure/Down – Port security is disabled. ■ Secure/Up – Port security is enabled. ...
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Figure 205: Configuring Port Security Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
Chapter 12 | Security Measures Configuring 802.1X Port Authentication port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Figure 206: Configuring Port Security 802.1x client 1. Client attempts to access a switch port. 2.
Page 321
Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. (Default: Disabled) When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, EAPOL Pass Through can be enabled to allow the switch to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still...
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Figure 207: Configuring Global Settings for 802.1X Port Authentication Configuring Port Authenticator Settings for 802.1X Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as...
Page 323
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Parameters These parameters are displayed: ◆ Port – Port number. ◆ Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized. ◆...
Page 324
Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2) ◆...
Page 325
Chapter 12 | Security Measures Configuring 802.1X Port Authentication page 140) and mapped on each port (See “Configuring Network Access for Ports” on page 271). Supplicant List ◆ Supplicant – MAC address of authorized client. Authenticator PAE State Machine ◆ State –...
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Figure 208: Configuring Interface Settings for 802.1X Port Authenticator Configuring Port Supplicant Settings Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
Page 327
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Parameters These parameters are displayed: ◆ Port – Port number. ◆ PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled) If the attached client must be authenticated through another device in the network, supplicant status must be enabled.
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Figure 209: Configuring Interface Settings for 802.1X Port Supplicant Displaying 802.1X Statistics Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. Parameters These parameters are displayed: Table 21: 802.1X Statistics...
Page 329
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Table 21: 802.1X Statistics (Continued)
Parameter | Description
Tx EAP Req/Oth | The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.
Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
Page 330
Chapter 12 | Security Measures Configuring 802.1X Port Authentication Web Interface To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 210: Showing Statistics for 802.1X Port Authenticator To display port supplicant statistics for 802.1X: Click Security, Port Authentication.
Chapter 12 | Security Measures DoS Protection Figure 211: Showing Statistics for 802.1X Port Supplicant DoS Protection Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
Page 332
Chapter 12 | Security Measures DoS Protection ◆ TCP Flooding Attack – Attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed-Source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service.
Chapter 12 | Security Measures IP Source Guard Web Interface To protect against DoS attacks: Click Security, DoS Protection. Enable protection for specific DoS attacks, and set the maximum allowed rate as required. Click Apply. Figure 212: Protecting Against DoS Attacks IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic...
Page 334
Chapter 12 | Security Measures IP Source Guard Command Usage ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
Chapter 12 | Security Measures IP Source Guard ◆ Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see “DHCP Snooping”...
Page 336
Chapter 12 | Security Measures IP Source Guard ■ If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
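The following model is an added example, not the switch's implementation. It covers the SIP and SIP-MAC source guard modes described under Command Usage and the static-over-dynamic replacement rule above. It assumes that SIP-MAC additionally compares the source MAC address, as the mode's name indicates, and that cases the page does not show are handled by appending a new entry; all addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    vlan: int
    mac: str
    ip: str
    port: int
    kind: str  # "dynamic" (DHCP snooping) or "static" (IP source guard)


class BindingTable:
    def __init__(self):
        self.entries = []

    def learn_dynamic(self, vlan, mac, ip, port):
        """Record a binding as DHCP snooping would after a lease is granted."""
        self.entries.append(Binding(vlan, mac.lower(), ip, port, "dynamic"))

    def add_static(self, vlan, mac, ip, port):
        """Add a static binding, applying the replacement rule from the page."""
        mac = mac.lower()
        new = Binding(vlan, mac, ip, port, "static")
        for index, entry in enumerate(self.entries):
            if (entry.vlan, entry.mac, entry.kind) == (vlan, mac, "dynamic"):
                # Same VLAN ID and MAC, existing entry is dynamic:
                # the new entry replaces it and the type becomes static.
                self.entries[index] = new
                return "replaced dynamic"
        # Assumption: cases not shown on the page simply append.
        self.entries.append(new)
        return "added"

    def permits(self, mode, vlan, src_ip, port, src_mac=None):
        """Decide whether a packet passes the source guard filter on a port."""
        if mode not in ("SIP", "SIP-MAC"):
            raise ValueError("mode must be 'SIP' or 'SIP-MAC'")
        for entry in self.entries:
            if (entry.vlan, entry.ip, entry.port) != (vlan, src_ip, port):
                continue
            if mode == "SIP":
                return True
            if src_mac is not None and entry.mac == src_mac.lower():
                return True
        return False


if __name__ == "__main__":
    table = BindingTable()
    table.learn_dynamic(10, "00:11:22:33:44:55", "192.0.2.10", 3)
    # Constructed packet: bound IP and port, but a different source MAC.
    packet = dict(vlan=10, src_ip="192.0.2.10", port=3, src_mac="66:77:88:99:aa:bb")
    print("SIP     :", table.permits("SIP", **packet))
    print("SIP-MAC :", table.permits("SIP-MAC", **packet))
    print(table.add_static(10, "00:11:22:33:44:55", "192.0.2.20", 3))
    print(table.entries)
```

In this model a packet that reuses a bound IP address with a different MAC address passes in SIP mode and is filtered in SIP-MAC mode.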
Chapter 12 | Security Measures IP Source Guard Figure 214: Configuring Static Bindings for IP Source Guard To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Show from the Action list. Figure 215: Displaying Static Bindings for IP Source Guard Displaying Use the Security >...
Page 338
Chapter 12 | Security Measures IP Source Guard Dynamic Binding List ◆ VLAN – VLAN to which this entry is bound. ◆ MAC Address – Physical address associated with the entry. ◆ Interface – Port to which this entry is bound. ◆...
Chapter 12 | Security Measures DHCP Snooping DHCP Snooping The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
Page 340
Chapter 12 | Security Measures DHCP Snooping ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. ■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST,...
Chapter 12 | Security Measures DHCP Snooping request, including the port and VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN. ◆ If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted into a DHCP request packet received over any VLAN (depending on DHCP snooping filtering rules).
Chapter 12 | Security Measures DHCP Snooping ◆ When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. ◆ When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Page 344
Chapter 12 | Security Measures DHCP Snooping ◆ When DHCP snooping is enabled both globally and on a VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN. ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
Chapter 12 | Security Measures DHCP Snooping Displaying DHCP Snooping Binding Information Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table. Parameters These parameters are displayed: ◆ MAC Address – Physical address associated with the entry. ◆...
Basic Administration Protocols This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Chapter 13 | Basic Administration Protocols Configuring Event Logging Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and displays a list of recent event messages.
Page 349
Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level.
Chapter 13 | Basic Administration Protocols Configuring Event Logging This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Chapter 13 | Basic Administration Protocols Configuring Event Logging Web Interface To configure the logging of error messages to remote servers: Click Administration, Log, Remote. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. Click Apply.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Server IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified. The switch attempts to connect to the listed servers in sequential order if the first server fails to respond. Web Interface To configure SMTP alert messages: Click Administration, Log, SMTP.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol network policy, power, inventory, and device location details. LLDP and LLDP-MED information can be used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology. Setting LLDP Timing Use the Administration >...
Page 354
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Configuring LLDP Interface Attributes Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
Page 356
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Page 357
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ Max Frame Size – The maximum frame size. (See “Configuring Support for Jumbo Frames” on page 66 for information on configuring the maximum frame size for this switch.) ■ MAC/PHY Configuration/Status – The MAC/PHY configuration and status...
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 226: Configuring LLDP Interface Attributes Configuring LLDP Interface Civic-Address Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface. Command Usage ◆...
Page 359
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol (Continued) Figure 227: LLDP MED Location CA Types CA Type Description CA Value Example Unit (apartment, suite) Apt 519 Floor Room 509B ◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list. Figure 229: Showing the Civic Address for an LLDP Interface Displaying LLDP Local Use the Administration > LLDP (Show Local Device Information) page to display Device Information information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 64). ◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
Page 363
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 230: Displaying Local Device Information for LLDP (General) Figure 231: Displaying Local Device Information for LLDP (Port) Figure 232: Displaying Local Device Information for LLDP (Port Details)
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Displaying LLDP Remote Device Information Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Table 26: Port ID Subtype
ID Basis | Reference
Interface alias | IfAlias (IETF RFC 2863)
Chassis component | EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Port component | EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’...
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol value used by this agent to identify a particular protocol identity, and an octet string used to identify the protocols associated with a port of the remote system. Port Details – 802.3 Extension Port Information ◆...
Page 367
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Port Details – 802.3 Extension Power Information ◆ Remote Power Class – The port Class of the given port associated with the remote system (PSE – Power Sourcing Equipment or PD – Powered Device). ◆...
Page 368
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ Class 3 – Endpoint devices that directly support end users of the IP communication systems. ■ Network Connectivity Device – Devices that provide access to the IEEE 802 based LAN infrastructure for LLDP-MED endpoint devices. These may be any LAN access device including LAN switch/router, IEEE 802.1 bridge, IEEE 802.3 repeater, IEEE 802.11 wireless access point, or any device that supports the IEEE 802.1AB and MED extensions defined by this Standard...
Page 369
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ VLAN ID – The VLAN identifier (VID) for the port as defined in IEEE 802.1Q. A value of zero indicates that the port is using priority tagged frames, meaning that only the IEEE 802.1D priority level is significant and the default PVID of the ingress port is used instead.
Page 370
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Power Value – The total power in watts required by a PD device from a PSE device, or the total power a PSE device is capable of sourcing over a maximum length cable based on its current configuration.
Page 371
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 234: Displaying Remote Device Information for LLDP (Port Details)
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 235: Displaying Remote Device Information for LLDP (End Node) Displaying Device Use the Administration >...
Page 373
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Neighbor Entries Dropped Count – The number of times that the remote database on this switch dropped an LLDPDU because of insufficient resources. ◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
Chapter 13 | Basic Administration Protocols Power over Ethernet Figure 236: Displaying LLDP Device Statistics (General) Figure 237: Displaying LLDP Device Statistics (Port) Power over Ethernet This switch supports IEEE 802.3af-2003 and IEEE 802.3at-2009 Power over Ethernet (PoE) specifications. Ports 1~8 support the IEEE 802.3at-2009 PoE Powered Device (PD) specification that enables DC power to be supplied to the switch using wires in the connecting Ethernet cable.
Chapter 13 | Basic Administration Protocols Power over Ethernet Enabling PSE Power Use the Administration > PoE > PSE page to supply PoE power to Port 10. Command Usage ◆ This switch supports both the IEEE 802.3af PoE standards. To ensure that the correct power is supplied to powered devices (PD) compliant with this standard, a detection pulse is sent from Port 10 based on 802.3af to which an attached 802.3af PD will respond normally.
Chapter 13 | Basic Administration Protocols Power over Ethernet Configuring Power Source Check Use the Administration > PoE > PD (Configure) page to check for power supplied from PSE on Ports 1-8. Command Usage ◆ If power is supplied to more than one port, the switch will draw power from the numerically lowest numbered port (1-8) with an attached PSE.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the power source status and operating mode (IEEE 802.3af or 802.3at) for all ports: Click Administration, PoE, PD. Select Show from the Action list. Figure 240: Displaying the PSE Status Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure global settings for SNMP: Click Administration, SNMP. Select Configure Global from the Step list. Enable SNMP and the required trap types. Click Apply. Figure 241: Configuring Global Settings for SNMP Setting the Local Use the Administration >...
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure the local SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Set Engine ID from the Action list. Enter an ID of at least 9 hexadecimal characters. Click Apply. Figure 242: Configuring the Local Engine ID for SNMP Specifying a Remote...
Page 382
Web Interface
To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting SNMPv3 Views Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview”...
Page 384
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 245: Creating an SNMP View To show the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 246: Showing SNMP Views To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 247: Adding an OID Subtree to an SNMP View To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
Page 386
◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model:
■ noAuthNoPriv – There is no authentication or encryption used in SNMP...
Table 29: Supported Notification Messages Model Level Group
RFC 1493 Traps
newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its...
Page 388
(Continued) Table 29: Supported Notification Messages Model Level Group
swIpFilterRejectTrap 1.3.6.1.4.1.259.10.1.37.2.1.0.40 This trap is sent when an incorrect IP address is rejected by the IP Filter.
swAtcBcastStormAlarmFireTrap 1.3.6.1.4.1.259.10.1.37.2.1.0.70 When broadcast traffic is detected as a storm, this trap is fired.
Page 389
(Continued) Table 29: Supported Notification Messages Model Level Group
swMemoryUtiRisingThresholdNotification 1.3.6.1.4.1.259.10.1.37.2.1.0.109 This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to memoryUtiRisingThreshold.
swMemoryUtiFallingThresholdNotification 1.3.6.1.4.1.259.10.1.37.2.1.0.110 This notification indicates that the memory utilization has fallen from memoryUtiRisingThreshold to memoryUtiFallingThreshold.
Page 390
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
Figure 250: Showing SNMP Groups
Setting Community Access Strings
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c.
Page 392
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To set a community access string: Click Administration, SNMP. Select Configure User from the Step list. Select Add Community from the Action list. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
Configuring Local SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
Page 394
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure a local SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Local User from the Action list. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified.
Figure 254: Showing Local SNMPv3 Users
Configuring Remote SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
Page 396
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
◆ Authentication Password – A minimum of eight plain text characters is required.
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
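The SNMP options described in this section (v1/v2c community strings, the three SNMPv3 security levels, MD5 or SHA authentication, DES privacy, trap manager versions) can be reviewed together with a small audit script. This is an added example, not part of the guide or the switch software; the record layout, field names, access-mode values and all sample entries are assumptions constructed for illustration.

```python
"""Audit SNMP access settings collected from a switch (added example)."""
from dataclasses import dataclass

# Security levels named in the guide, weakest to strongest.
LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
MIN_PASSWORD_LEN = 8  # the guide requires at least eight plain text characters


@dataclass(frozen=True)
class Finding:
    severity: str
    subject: str
    message: str


def audit_communities(communities):
    # Community strings are only used by SNMP v1/v2c and are sent unencrypted.
    for c in communities:
        subject = f"community {c['name']!r}"
        if c["access"] == "read-write":
            yield Finding("high", subject, "v1/v2c community with write access")
        else:
            yield Finding("medium", subject, "v1/v2c community, sent unencrypted")


def audit_groups(groups):
    # A write view should only be reachable with authentication and encryption.
    for g in groups:
        weak = g["model"] != "v3" or LEVEL_RANK[g["level"]] < LEVEL_RANK["authPriv"]
        if g.get("write_view") and weak:
            yield Finding("high", f"group {g['name']!r}",
                          f"write view reachable at {g['model']}/{g['level']}")


def audit_users(users, group_names):
    for u in users:
        subject = f"user {u['name']!r}"
        if u["group"] not in group_names:
            yield Finding("medium", subject, f"undefined group {u['group']!r}")
        if u["level"] == "noAuthNoPriv":
            yield Finding("high", subject, "no authentication or encryption")
            continue
        if u["level"] == "authNoPriv":
            yield Finding("medium", subject, "authenticated but not encrypted")
        if u["auth_protocol"] == "MD5":
            yield Finding("medium", subject, "MD5 authentication (default); SHA is offered")
        if u["auth_password_len"] < MIN_PASSWORD_LEN:
            yield Finding("high", subject, "authentication password under 8 characters")
        if u["level"] == "authPriv" and u.get("priv_protocol") == "DES":
            yield Finding("low", subject, "privacy limited to 56-bit DES")


def audit_traps(traps):
    for t in traps:
        subject = f"trap manager {t['host']}"
        if t["version"] in ("1", "2c"):
            yield Finding("medium", subject,
                          f"SNMPv{t['version']} notifications use a community string")
        elif LEVEL_RANK[t["level"]] < LEVEL_RANK["authPriv"]:
            yield Finding("medium", subject, f"SNMPv3 notifications at {t['level']}")


def audit(config):
    """Return all findings, most severe first, then by subject."""
    group_names = {g["name"] for g in config["groups"]}
    findings = [
        *audit_communities(config["communities"]),
        *audit_groups(config["groups"]),
        *audit_users(config["users"], group_names),
        *audit_traps(config["traps"]),
    ]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.subject))


# Constructed sample inventory (not taken from a real device).
SAMPLE_CONFIG = {
    "communities": [
        {"name": "monitor-ro", "access": "read-only"},
        {"name": "ops-rw", "access": "read-write"},
    ],
    "groups": [
        {"name": "netops", "model": "v3", "level": "authPriv",
         "read_view": "defaultview", "write_view": "defaultview"},
        {"name": "legacy", "model": "v2c", "level": "noAuthNoPriv",
         "read_view": "defaultview", "write_view": "defaultview"},
    ],
    "users": [
        {"name": "nms", "group": "netops", "level": "authPriv",
         "auth_protocol": "SHA", "auth_password_len": 16, "priv_protocol": "DES"},
        {"name": "probe", "group": "monitoring", "level": "authNoPriv",
         "auth_protocol": "MD5", "auth_password_len": 8},
    ],
    "traps": [
        {"host": "192.0.2.10", "version": "2c"},
        {"host": "192.0.2.11", "version": "3", "level": "authPriv"},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.subject}: {f.message}")
```

Only password lengths are recorded in the inventory, so the audit can run without handling the secrets themselves.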
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 256: Showing Remote SNMPv3 Users Specifying Trap Use the Administration >...
Page 398
To send an inform to an SNMPv3 host, complete these steps: Enable the SNMP agent (page 379). Create a local SNMPv3 user to use in the message exchange process (page 393).
Page 399
■ Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
◆ Community String – Specifies a valid community string for the new trap manager entry.
Page 400
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) ◆ Security Level – When trap version 3 is selected, you must specify one of the following security levels.
Page 401
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 258: Configuring Trap Managers (SNMPv2c) Figure 259: Configuring Trap Managers (SNMPv3) To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. –...
Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 260: Showing Trap Managers Remote Monitoring Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
Page 403
Chapter 13 | Basic Administration Protocols Remote Monitoring Parameters These parameters are displayed: ◆ Index – Index to this entry. (Range: 1-65535) ◆ Variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.n defines the MIB variable, plus the etherStatsIndex.
Page 404
Chapter 13 | Basic Administration Protocols Remote Monitoring Web Interface To configure an RMON alarm: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Alarm. Enter an index number, the MIB object to be polled (etherStatsEntry.n.n), the polling interval, the sample type, the thresholds, and the event to trigger.
Figure 262: Showing Configured RMON Alarms
Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
Page 406
Chapter 13 | Basic Administration Protocols Remote Monitoring ◆ Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see “Setting Community Access Strings”...
Select Show from the Action list. Click Event.
Figure 264: Showing Configured RMON Events
Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
Page 408
Chapter 13 | Basic Administration Protocols Remote Monitoring Parameters These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index - Index to this entry. (Range: 1-65535) ◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds) ◆...
Page 409
Chapter 13 | Basic Administration Protocols Remote Monitoring To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History. Figure 266: Showing Configured RMON History Samples To show collected RMON history samples: Click Administration, RMON.
Figure 267: Showing Collected RMON History Samples
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
Page 411
Web Interface
To enable regular sampling of statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply.
Figure 268: Configuring an RMON Statistical Sample...
Page 412
Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 269: Showing Configured RMON Statistical Samples To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
Chapter 13 | Basic Administration Protocols Switch Clustering Switch Clustering Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Page 414
Chapter 13 | Basic Administration Protocols Switch Clustering ◆ Commander Status – Enables or disables the switch as a cluster Commander. (Default: Disabled) ◆ IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster.
Cluster Member Configuration
Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
Parameters
These parameters are displayed:
◆ Member ID – Specify a Member ID number for the selected Candidate switch. (Range: 1-36)
◆...
Chapter 13 | Basic Administration Protocols Switch Clustering Figure 273: Showing Cluster Members To show cluster candidates: Click Administration, Cluster. Select Configure Member from the Step list. Select Show Candidate from the Action list. Figure 274: Showing Cluster Candidates Managing Cluster Use the Administration >...
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Web Interface To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate. Figure 275: Managing a Cluster Member Ethernet Ring Protection Switching Note: Information in this section is based on ITU-T G.8032/Y.1344.
Page 418
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Operational Concept Loop avoidance in the ring is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked to traffic.
Page 419
Figure 276: ERPS Ring Components (diagram labels: East Port, West Port, RPL Owner (Idle State), CC Messages)
Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology.
Page 420
controlled and protected by the ring it belongs to. In the example for the Normal Condition, the ring link between ring nodes C and D is part of ERP1, and, as such, is controlled and protected by ERP1.
Page 421
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching the ring, the RPL will be unblocked (Protection state) to ensure proper connectivity among all ring nodes until the failure is recovered. Configure ERPS timers (Configure Domain – Configure Details): Set the Guard timer to prevent ring nodes from receiving outdated R-APS messages, the Holdoff timer to filter out intermittent link faults, and the WTR timer to verify that the ring has stabilized before blocking the RPL after recovery from a signal...
ERPS Global Configuration
Use the Administration > ERPS (Configure Global) page to globally enable or disable ERPS on the switch.
Parameters
These parameters are displayed:
◆ ERPS Status – Enables ERPS on the switch. (Default: Disabled) ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring (by setting the Admin Status on the Configure Domain –...
Page 423
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Parameters These parameters are displayed: ◆ Domain Name – Name of an ERPS ring. (Range: 1-12 characters) ◆ Domain ID – ERPS ring identifier used in R-APS messages. (Range: 1-255) Show ◆...
Page 424
■ Unknown – The interface is not in a known state (includes the domain being disabled).
◆ Local SF – A signal fault generated on a link to the local node.
◆...
Page 425
■ Flush FDB (forwarding database) logic which reduces the amount of flush FDB operations in the ring
■ Support of multiple ERP instances on a single ring
Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently.
Page 426
◆ Node Type – Shows ERPS node type as one of the following:
■ None – Node is neither Ring Protection Link (RPL) owner nor neighbor. (This is the default setting.)
■ RPL Owner –...
Page 427
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching protection reversion, or until there is another higher priority request (e.g., an SF condition) in the ring. A ring node that has one ring port in an SF condition and detects the SF condition cleared, continuously transmits the R-APS (NR –...
Page 428
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Upon receiving an R-APS (NR, RB) message, any blocking node should unblock its non-failed ring port. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush the FDB. Recovery for Forced Switching –...
Page 429
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
Page 430
■ Recovery with non-revertive mode is handled as follows:
The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action. Then, after the operator issues the Clear command (Configure Operation page) at the RPL Owner Node, this ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB)
Page 431
■ A sub-ring may be attached to a primary ring with or without a virtual channel. A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology.
Page 432
No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached. Hence there is no need for either additional bandwidth or for different VIDs/Ring IDs for the ring interconnection.
Page 433
■ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL. However, using this standard recovery procedure may cause a non-ERPS device to become isolated when the ERPS device adjacent to it detects a continuity check message (CCM) loss event and blocks the link between the non-ERPS...
Page 434
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching switching mechanism. The reported defect need not be the same one that started the timer. ◆ Guard Timer – The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
Page 435
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ◆ West/East – Connects to next ring node to the west/east. Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports. Alternatively, the closest neighbor to the east should be the next node in the ring in a clockwise direction, and the closest neighbor to the west should be the next node in the ring in a counter-clockwise direction.
Page 436
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Web Interface To create an ERPS ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Add from the Action list. Enter a name for the ring in the “Domain Name” field. Click Apply.
Page 437
Figure 282: Creating an ERPS Ring
To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list.
Figure 283: Showing Configured ERPS Rings
ERPS Forced and Manual Mode Operations
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.
Parameters
These parameters are displayed:...
■ Protection switching on a forced switch request is completed when the above actions are performed by each ring node. At this point, traffic flows around the ring are resumed. From this point on the following rules apply regarding processing of further forced switch commands:
■ While an existing forced switch request is present in a ring, any new...
Page 440
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching the FS command was issued. This results in an unrecoverable FS condition. When performing a maintenance procedure (e.g., replacing, upgrading) on a ring node (or a ring link), it is recommended that FS commands be issued at the two adjacent ring nodes instead of directly issuing a FS command at the ring node under maintenance in order to avoid falling into the above mentioned unrecoverable...
Page 441
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching generated to inform the operator that the new MS request was not accepted. A ring node with a local manual switch command which receives an R-APS (MS) message with a different Node ID clears its manual switch request and starts transmitting R-APS (NR) messages.
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Click Apply. Figure 284: Blocking an ERPS Ring Port Connectivity Fault Management Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
Page 443
Chapter 13 | Basic Administration Protocols Connectivity Fault Management connectivity across a maintenance domain, and are the entry points to the paths which interconnect the access points allocated to a service instance. ◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator.
Page 444
Figure 286: Multiple CFM Maintenance Domains (diagram labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA)
Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
Chapter 13 | Basic Administration Protocols Connectivity Fault Management the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
Page 446
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Parameters These parameters are displayed: Global Configuration ◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
Page 447
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field. ◆ Link Trace Cache Size – The maximum size for the link trace cache. (Range: 1-4095 entries;...
Page 448
Web Interface
To configure global settings for CFM: Click Administration, CFM. Select Configure Global from the Step list. Before enabling CFM processing on the switch, first configure the required CFM domains, maintenance associations, and static MEPs. Then set the delay time to wait for a remote MEP to come up before the switch starts cross-checking the end points learned through CCMs against those stored in the static list.
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
Command Usage
◆...
Page 450
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Command Usage Configuring General Settings ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Configuring Fault Notification ◆ A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that the configured time period (MEP Fault Notify Alarm Time) has passed with one or more defects indicated, and fault alarms are enabled at or above the specified priority level (MEP Fault Notify Lowest Priority).
Page 452
Chapter 13 | Basic Administration Protocols Connectivity Fault Management ◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) ◆ MD Level – Authorized maintenance level for this domain. (Range: 0-7) ◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this domain: Default –...
Page 453
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Specify the manner in which MIPs can be created within each domain. Click Apply. Figure 289: Configuring Maintenance Domains To show the configured maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Show from the Action list.
Figure 291: Configuring Detailed Settings for Maintenance Domains
Configuring CFM Maintenance Associations
Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
Page 455
Chapter 13 | Basic Administration Protocols Connectivity Fault Management ◆ If a maintenance point fails to receive three consecutive CCMs from any other MEP in the same MA, a connectivity failure is registered. ◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
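The two CCM rules above (three consecutive missed CCMs, and CCMs carrying an invalid MEPID or a lower level) can be checked against a capture of received CCMs as follows. This is an added example, not the switch's implementation; the class, field names and trace are constructed, and it assumes a loss is declared once three CCM intervals pass without a valid CCM, that CCMs at a higher level are not this MEP's to judge, and that an MA name mismatch at the same level counts as a cross-connect.

```python
"""Classify received CCMs for one local MEP (added example)."""
from dataclasses import dataclass

MISSED_CCM_LIMIT = 3  # consecutive missed CCMs before a connectivity failure


@dataclass(frozen=True)
class Ccm:
    time: float     # arrival time in seconds
    md_level: int   # maintenance level carried in the CCM
    ma_name: str
    mep_id: int     # MEPID of the sender


class MepMonitor:
    def __init__(self, md_level, ma_name, local_mep_id, remote_mep_ids, interval):
        self.md_level = md_level
        self.ma_name = ma_name
        self.local_mep_id = local_mep_id
        self.interval = interval
        # Monitoring starts at t=0, so every remote MEP counts as seen then.
        self.last_seen = {mep_id: 0.0 for mep_id in remote_mep_ids}

    def receive(self, ccm):
        """Return None for a valid CCM, otherwise the defect it indicates."""
        if ccm.md_level < self.md_level:
            return "cross-connect/config error: lower level"
        if ccm.md_level > self.md_level:
            return None  # assumption: higher-level CCMs pass through untouched
        if ccm.ma_name != self.ma_name:
            return "cross-connect/config error: MA mismatch"
        if ccm.mep_id == self.local_mep_id or ccm.mep_id not in self.last_seen:
            return "config error: invalid MEPID"
        self.last_seen[ccm.mep_id] = ccm.time
        return None

    def lost_remote_meps(self, now):
        """Remote MEPs with no valid CCM for three or more intervals."""
        limit = MISSED_CCM_LIMIT * self.interval
        return sorted(m for m, t in self.last_seen.items() if now - t >= limit)


# Constructed trace: local MEP 1 at level 3 in MA "ma-cust", 1 s CCM interval.
TRACE = [
    Ccm(1.0, 3, "ma-cust", 2), Ccm(1.0, 3, "ma-cust", 3),
    Ccm(2.0, 3, "ma-cust", 2), Ccm(2.0, 3, "ma-cust", 9),
    Ccm(3.0, 3, "ma-cust", 2), Ccm(3.5, 1, "ma-op", 2),
    Ccm(4.0, 3, "ma-cust", 2), Ccm(4.2, 3, "ma-other", 3),
    Ccm(5.0, 3, "ma-cust", 2),
]


def run(trace, now):
    """Feed a trace to a monitor; return (defects, lost remote MEPs)."""
    monitor = MepMonitor(3, "ma-cust", 1, [2, 3], interval=1.0)
    defects = []
    for ccm in trace:
        defect = monitor.receive(ccm)
        if defect:
            defects.append((ccm.time, ccm.mep_id, defect))
    return defects, monitor.lost_remote_meps(now)


if __name__ == "__main__":
    defects, lost = run(TRACE, now=5.0)
    for when, mep_id, defect in defects:
        print(f"t={when}: CCM from MEP {mep_id}: {defect}")
    print("connectivity failure for remote MEPs:", lost)
```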
Page 456
◆ MA Name Format – Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format.
■ Character String – IEEE 802.1ag defined character string format. This is an...
Page 457
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Select an entry from the MD Index list. Specify the MAs assigned to each domain, the VLAN through which CFM messages are passed, and the manner in which MIPs can be created within each MA.
Select Configure Details from the Action list. Select an entry from MD Index and MA Index. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters. Click Apply.
Figure 294: Configuring Detailed Settings for Maintenance Associations
Configuring...
Page 459
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Parameters These parameters are displayed: ◆ MD Index – Domain index. (Range: 1-65535) ◆ MA Index – MA identifier. (Range: 1-2147483647) ◆ MEP ID – Maintenance end point identifier. (Range: 1-8191) ◆...
Chapter 13 | Basic Administration Protocols Connectivity Fault Management To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 296: Showing Maintenance End Points Configuring Remote Use the Administration >...
Page 461
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA.
Figure 298: Showing Remote Maintenance End Points
Transmitting Link Trace Messages
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).
Page 463
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a link trace...
Transmitting Loop Back Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Web Interface To transmit loopback messages: Click Administration, CFM. Select Transmit Loopback from the Step list. Select an entry from MD Index and MA Index. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, set the number of times the loopback message is to be sent.
Page 466
Chapter 13 | Basic Administration Protocols Connectivity Fault Management TxTimeStampf (Timestamp at the time of sending a frame with DM request information), and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information, RxTimeStampf (Timestamp at the time of receiving a frame with DM request information), and TxTimeStampb (Timestamp at the time of transmitting a frame with DM reply information):...
Chapter 13 | Basic Administration Protocols Connectivity Fault Management Web Interface To transmit delay-measure messages: Click Administration, CFM. Select Transmit Delay Measure from the Step list. Select an entry from MD Index and MA Index. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, set the number of times the delay-measure message is to be sent, the interval, and the timeout.
◆ Level – Authorized maintenance level for this domain.
◆ Direction – Direction in which the MEP communicates CFM messages:
■ Down indicates that the MEP is facing away from the switch, and transmits...
Page 469
Chapter 13 | Basic Administration Protocols Connectivity Fault Management ◆ MD Name – The maintenance domain for this entry. ◆ MA Name – Maintenance association to which this remote MEP belongs. ◆ MA Name Format – The format of the Maintenance Association name, including primary VID, character string, unsigned Integer 16, or RFC 2865 VPN ◆...
Select an entry from MD Index and MA Index. Select a MEP ID.
Figure 303: Showing Detailed Information on Local MEPs
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol.
Web Interface
To show information for the MIPs discovered by the CFM protocol:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MIP from the Action list.
Figure 304: Showing Information on Local MIPs
Displaying Remote
Use the Administration >...
Select Show Remote MEP from the Action list.
Figure 305: Showing Information on Remote MEPs
Displaying Details for Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
Page 473
◆ Port State – Port states include:
■ Up – The port is functioning normally.
■ Blocked – The port has been blocked by the Spanning Tree Protocol.
■ No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
Figure 306: Showing Detailed Information on Remote MEPs
Displaying the Link Trace Cache
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
Parameters
These parameters are displayed:
◆...
Page 475
has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port’s MAC_Operational parameter to be false.
■ IngBlocked – The ingress port can be identified, but the target data frame...
Displaying Fault Notification Settings
Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator.
Parameters
These parameters are displayed:
◆...
Displaying Continuity Check Errors
Use the Administration > CFM > Show Information (Show Continuity Check Error) page to display the CFM continuity check errors logged on this device.
Parameters
These parameters are displayed:
◆...
Chapter 13 | Basic Administration Protocols OAM Configuration
Figure 309: Showing Continuity Check Errors
OAM Configuration
The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.
Page 479
Table 33: OAM Operation State (Continued)
State | Description
Send Local And Remote | The local OAM entity has discovered the peer but has not yet accepted or rejected the configuration of the peer.
Send Local And Remote | OAM peering is allowed by the local device.
If reporting is enabled and an errored frame link event occurs, the local OAM entity (this switch) sends an Event Notification OAMPDU to the remote OAM entity. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
◆ OAMPDU – Message types transmitted and received by the OAM protocol, including Information OAMPDUs, unique Event OAMPDUs, Loopback Control OAMPDUs, and Organization Specific OAMPDUs.
Web Interface
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.
Figure 312: Displaying the OAM Event Log
Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
Parameters
These parameters are displayed:
◆...
Page 483
Web Interface
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.
Figure 313: Displaying Status of Remote Interfaces
IP Configuration
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
Page 486
Chapter 14 | IP Configuration Using the Ping Function
◆ The following are some results of the ping command:
■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
■ Destination does not respond - If the host does not respond, a “timeout”...
Chapter 14 | IP Configuration Using the Trace Route Function
Using the Trace Route Function
Use the IP > General > Trace Route page to show the route packets take to the specified destination.
Parameters
These parameters are displayed:
◆ Destination IP Address –...
Chapter 14 | IP Configuration Address Resolution Protocol
Figure 315: Tracing the Route to a Network Device
Address Resolution Protocol
The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this switch (or any standards-based switch/router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the switch will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request.
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 4)
Displaying ARP Entries
Use the IP > ARP (Show Information) page to display dynamic entries in the ARP cache. The ARP cache contains entries for local interfaces, including subnet, host, and broadcast addresses.
Web Interface
To configure an IPv4 default gateway for the switch:
1. Click System, IP.
2. Select Configure Global from the Action list.
3. Enter the IPv4 default gateway.
4. Click Apply.
Figure 318: Configuring the IPv4 Default Gateway
Configuring IPv4
Use the System >...
Page 492
◆ IP Address Type – Specifies a primary or secondary IP address. An interface can have only one primary IP address, but can have many secondary IP addresses. In other words, secondary addresses need to be specified if more than one IP subnet can be accessed through this interface.
Page 493
To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch:
1. Click System, IP.
2. Select Configure Interface from the Action list.
3. Select Add Address from the Step list.
4. Select the VLAN through which the management station is attached, set the IP Address Mode to “DHCP”...
Chapter 14 | IP Configuration Setting the Switch’s IP Address (IP Version 6)
To show the IPv4 address configured for an interface:
1. Click System, IP.
2. Select Configure Interface from the Step list.
3. Select Show Address from the Action list.
4. Select an entry from the VLAN list.
Figure 321: Showing the IPv4 Address Configured for an Interface
Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an IPv6 interface for management access...
Configuring the IPv6 Default Gateway
Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.
Parameters
These parameters are displayed:
◆...
Page 496
address, as well as an IPv6 global address if router advertisements are detected on the local interface.
◆ The option to explicitly enable IPv6 will also create a link-local address, but will not generate a global IPv6 address if auto-configuration is not enabled.
Page 497
cannot be disabled until all assigned addresses have been removed. (Default: Disabled)
Disabling this parameter does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.
◆...
Page 498
◆ ND NS Interval – The interval between transmitting IPv6 neighbor solicitation messages on an interface. (Range: 1000-3600000 milliseconds; Default: 1000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements.
Page 499
address taken from the observed source address of the RA message, as well as on-link prefix information. However, note that unintended misconfigurations, or possibly malicious attacks on the network, may lead to bogus RAs being sent, which in turn can cause operational problems for hosts on the network.
Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network.
Command Usage
◆...
Page 501
Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
■ Link Local – Configures an IPv6 link-local address.
  ■ The address prefix must be in the range of FE80~FEBF.
  ■ You can configure only one link-local address per interface.
  ■...
Page 503
◆ IP Address – An IPv6 address assigned to this interface. In addition to the unicast addresses assigned to an interface, a host is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope).
Figure 325: Showing Configured IPv6 Addresses
Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Parameters
These parameters are displayed:
Table 35: Show IPv6 Neighbors - display description...
Table 35: Show IPv6 Neighbors - display description (Continued)
Field | Description
State (Continued) | The following states are used for static entries:
◆ Incomplete - The interface for this entry is down.
◆...
◆ UDP – User Datagram Protocol provides a datagram mode of packet switched communications. It uses IP as the underlying transport mechanism, providing access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
Page 507
Table 36: Show IPv6 Statistics - display description (Continued)
Field | Description
Reassembly Failed | The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
Page 508
Table 36: Show IPv6 Statistics - display description (Continued)
Field | Description
Router Solicit Messages | The number of ICMP Router Solicit messages received by the interface.
Router Advertisement Messages | The number of ICMP Router Advertisement messages received by the interface.
Page 509
Table 36: Show IPv6 Statistics - display description (Continued)
Field | Description
Multicast Listener Discovery Version 2 Reports | The number of MLDv2 reports sent by the interface.
UDP Statistics
Input | The total number of UDP datagrams delivered to UDP users.
Figure 328: Showing IPv6 Statistics (ICMPv6)
Figure 329: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
Page 511
Table 37: Show MTU - display description (Continued)
Field | Description
Since | Time since an ICMP packet-too-big message was received from this destination.
Destination Address | Address which sent an ICMP packet-too-big message.
Web Interface
To show the MTU reported from other devices:...
IP Services
This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping which is included in this folder, see “DHCP Snooping” on page 339.
This chapter provides information on the following IP services, including:
◆...
Chapter 15 | IP Services Domain Name Service
Parameters
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
Page 515
checking with the specified name servers for a match (see “Configuring a List of Name Servers” on page 516).
Parameters
These parameters are displayed:
Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name.
Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
Command Usage
◆...
Figure 335: Showing the List of Name Servers for DNS
Configuring Static DNS Host to Address
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Chapter 15 | IP Services Displaying the DNS Cache
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 337: Showing Static Entries in the DNS Table
Displaying the DNS Cache
Use the IP Service >...
Chapter 15 | IP Services Dynamic Host Configuration Protocol
Web Interface
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
Figure 338: Showing Entries in the DNS Cache
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up.
◆ Text – A text string. (Range: 1-32 characters)
Web Interface
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature.
3. Select the default setting, or the format for a vendor class identifier.
Page 521
By default, the relay agent also fills in the Option 82 circuit-id field with information indicating the local interface over which the switch received the DHCP client request, including the VLAN ID, stack unit, and port. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them onto the entire VLAN.
Page 522
the switch. The relay agent address is inserted into the DHCP request packet, and the switch then unicasts this packet to the DHCP server.
■ If the policy is “keep,” the DHCP request packet's option 82 content will...
Page 523
Parameters
These parameters are displayed:
◆ Insertion of Relay Information – Enable DHCP Option 82 information relay. (Default: Disabled)
◆ DHCP Option Policy – Specifies how to handle client requests which already contain DHCP Option 82 information:
■ Drop - Floods the original request packet onto the VLAN that received it...
Chapter 15 | IP Services Configuring the PPPoE Intermediate Agent
Set the frame format used for the remote ID. Enter up to five IP addresses for DHCP servers or relay servers in order of preference. Click Apply.
Figure 341: Configuring DHCP Relay Information Option 82 Service
Configuring the PPPoE Intermediate Agent
This section describes how to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client...
Page 525
Parameters
These parameters are displayed:
◆ PPPoE IA Global Status – Enables the PPPoE Intermediate Agent globally on the switch. (Default: Disabled) Note that PPPoE IA must be enabled globally before it can be enabled on an interface.
Configuring PPPoE IA Interface Settings
Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
◆ Remote ID – String identifying the remote identifier (or interface) on this switch to which the user is connected. (Range: 1-63 ASCII characters; Default: Port MAC address)
◆ Operational Remote ID – The configured circuit identifier.
Web Interface
To configure interface settings for PPPoE IA:
1. Click IP Service, PPPoE Intermediate Agent.
Page 528
■ PADS – PPPoE Active Discovery Session-Confirmation messages.
■ PADT – PPPoE Active Discovery Terminate messages.
◆ Dropped – Dropped PPPoA active discovery messages.
■ Response from untrusted – Response from an interface which has not been...
Multicast Filtering
This chapter describes how to configure the following multicast services:
◆ IGMP – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆...
Chapter 16 | Multicast Filtering Layer 2 IGMP (Snooping and Query)
between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
Page 531
from each of these sources. IGMPv3 hosts may also request that service be forwarded from any source except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.
Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of...
Configuring IGMP Snooping and Query Parameters
Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
Page 533
When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
Page 534
multicast router receives this solicitation, it immediately issues an IGMP general query. A query solicitation can be sent whenever the switch notices a topology change, even if it is not the root bridge in spanning tree.
◆...
Page 535
◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300)
◆...
Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.
Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Page 537
Figure 347: Configuring a Static Interface for a Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
Figure 349: Showing Current Interfaces Attached to a Multicast Router
Assigning Interfaces to Multicast Services
Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface.
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see “Configuring IGMP Snooping and Query Parameters”...
Page 539
Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an IGMP-enabled switch or multicast router), and enter the multicast IP address. Click Apply.
Setting IGMP Snooping Status per
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters”...
Page 541
◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when:
■ Multicast forwarding is disabled on an interface.
...
Page 542
If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period.
Page 543
◆ Query Response Interval – The maximum time the system waits for a response to proxy general queries. (Range: 10-31744 tenths of a second; Default: 10 seconds) This command applies when the switch is serving as the querier (page 532), or as a proxy host when IGMP snooping proxy reporting is enabled...
Page 544
When IGMP Proxy Reporting is enabled, the source address is based on the following criteria:
■ If a proxy query address is configured, the switch will use that address as...
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
Figure 353: Showing Interface Settings for IGMP Snooping
Filtering IGMP Query
Use the Multicast >...
Figure 354: Dropping IGMP Query or Multicast Data Packets
Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
Command Usage
To display information about multicast groups, IGMP Snooping must first be...
Web Interface
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.
2. Select the VLAN for which to display this information.
Figure 355: Showing Multicast Groups Learned by IGMP Snooping
Displaying IGMP
Use the Multicast >...
Page 548
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent –...
Page 549
Web Interface
To display statistics for IGMP snooping query-related messages:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Query Statistics from the Action list.
3. Select a VLAN.
Figure 356: Displaying IGMP Snooping Statistics – Query
To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
Page 550
Figure 357: Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Chapter 16 | Multicast Filtering Filtering and Throttling IGMP Groups
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Figure 359: Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
Page 553
Web Interface
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
Select the profile to configure, and add a multicast group address or range of addresses. Click Apply.
Figure 362: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
Page 555
set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk.
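The filtering and throttling decision described in this section, modelled as an added example for auditing which join reports an interface would accept (this is not Edge-Core code or switch firmware). The class names, the "permit"/"deny" mode names and their semantics, the "deny" throttling action and the sample groups are assumptions; only the random-replacement behaviour of "replace" is stated on this page.

```python
import ipaddress
import random


class FilterProfile:
    """Model of an IGMP filter profile: an access mode plus group ranges."""

    def __init__(self, mode):
        if mode not in ("permit", "deny"):          # assumed mode names
            raise ValueError("mode must be 'permit' or 'deny'")
        self.mode = mode
        self.ranges = []

    def add_range(self, first, last):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if not (lo.is_multicast and hi.is_multicast) or lo > hi:
            raise ValueError(f"invalid multicast range {first}-{last}")
        self.ranges.append((lo, hi))

    def allows(self, group):
        listed = any(lo <= group <= hi for lo, hi in self.ranges)
        # Assumption: "permit" passes only listed groups,
        # "deny" passes only groups that are not listed.
        return listed if self.mode == "permit" else not listed


class Interface:
    """Model of a port or trunk with an optional profile and group limit."""

    def __init__(self, profile=None, max_groups=None, action="deny", seed=None):
        if action not in ("deny", "replace"):       # "deny" is an assumed name
            raise ValueError("action must be 'deny' or 'replace'")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = set()
        self.rng = random.Random(seed)

    def members(self):
        return sorted(str(g) for g in self.groups)

    def join(self, group_text):
        """Return the decision for one IGMP join report."""
        try:
            group = ipaddress.IPv4Address(group_text)
        except ValueError:
            return "invalid"
        if not group.is_multicast:
            return "invalid"
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny" or not self.groups:
                return "throttled"
            # "replace": a randomly chosen existing group is removed and
            # the new group takes its place, as the page describes.
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)
            self.groups.add(group)
            return f"replaced {victim}"
        self.groups.add(group)
        return "joined"


def replay(interface, joins):
    """Feed a sequence of join reports to an interface, return the decisions."""
    return [interface.join(g) for g in joins]


if __name__ == "__main__":
    # Constructed sample data: a subscription plan covering ten groups.
    plan = FilterProfile("permit")
    plan.add_range("239.1.1.1", "239.1.1.10")
    port = Interface(profile=plan, max_groups=2, action="replace", seed=7)
    joins = ["239.1.1.1", "239.1.1.2", "239.2.2.2", "239.1.1.3"]
    for group, decision in zip(joins, replay(port, joins)):
        print(f"{group:<12} {decision}")
    print("members:", port.members())
```

With the "replace" action an established stream can be displaced by any later permitted join, so a subscriber port that must keep its existing groups is better modelled with the limit set to reject new joins.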
Chapter 16 | Multicast Filtering Multicast VLAN Registration
Figure 364: Configuring IGMP Filtering and Throttling Interface Settings
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network.
Command Usage
◆ General Configuration Guidelines for MVR:
1. Enable MVR for a domain on the switch, and select the MVR VLAN (see “Configuring MVR Domain Settings” on page 557).
2. Create an MVR profile by specifying the multicast groups that will stream traffic to attached hosts, and assign the profile to an MVR domain (see “Configuring MVR Group Address Profiles”...
Page 558
◆ MVR Current Learned Groups – The number of MVR groups currently assigned to this domain.
◆ Forwarding Priority – The CoS priority assigned to all multicast traffic forwarded into this domain. (Range: 0-6, where 6 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
Configuring MVR Group Address Profiles
Use the Multicast > MVR (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR domains.
Command Usage
◆...
Page 560
Click Apply.
Figure 367: Configuring an MVR Group Address Profile
To show the configured MVR group address profiles:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 368: Displaying MVR Group Address Profiles
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
Figure 369: Assigning an MVR Group Address Profile to a Domain
To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Show from the Action list.
Page 562
membership for MVR receiver ports cannot be set to access mode (see “Adding Static Members to VLANs” on page 142).
◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for configured MVR groups or for groups which have been statically assigned (see “Assigning Static MVR Multicast...
Page 563
◆ Forwarding Status – Shows if MVR traffic is being forwarded or discarded.
◆ MVR Status – Shows the MVR status. MVR status for source ports is “Active” if MVR is globally enabled on the switch. MVR status for receiver ports is “Active” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
Assigning Static MVR Multicast Groups to Interfaces

Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.

Command Usage
◆...
Figure 372: Assigning Static MVR Groups to a Port

To show the static MVR groups assigned to an interface:
Click Multicast, MVR.
Select Configure Static Group Member from the Step list.
Select Show from the Action list.
Select an MVR domain.
◆ VLAN – The VLAN through which the service is received. Note that this may be different from the MVR VLAN if the group address has been statically assigned.
◆ Port – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
◆ Trunk – Trunk identifier. (Range: 1-6)

Query Statistics
◆ Querier IP Address – The IP address of the querier on this interface.
◆ Querier Expire Time – The time after which this querier is assumed to have expired.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.

Web Interface

To display statistics for MVR query-related messages:
Click Multicast, MVR.
Select Show Statistics from the Step list.
Select Show Query Statistics from the Action list.
To display MVR protocol-related statistics for a VLAN:
Click Multicast, MVR.
Select Show Statistics from the Step list.
Select Show VLAN Statistics from the Action list.
Select an MVR domain.
Select a VLAN.

Figure 376: Displaying MVR Statistics –...
To display MVR protocol-related statistics for a port:
Click Multicast, MVR.
Select Show Statistics from the Step list.
Select Show Port Statistics from the Action list.
Select an MVR domain.
Select a Port.

Figure 377: Displaying MVR Statistics –...
Section III
Appendices

This section provides additional information and includes these items:
◆ “Software Specifications” on page 573
◆ “Troubleshooting” on page 577
◆ “License Information” on page 579
Software Specifications

Software Features

Management Authentication – Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
Client Access Control – Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard
Port Configuration – 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX - 1000 Mbps at full duplex (SFP)
Flow Control...
Appendix A | Software Specifications
Management Features

VLAN Support – Up to 4093 groups; port-based, protocol-based, tagged (802.1Q), voice VLANs, IP subnet, MAC-based, QinQ tunnel, GVRP for automatic VLAN learning
Class of Service – Supports four levels of priority; Strict, Weighted Round Robin (WRR), or a combination of strict and weighted queueing; Layer 3/4 priority mapping: IP DSCP
Quality of Service – DiffServ supports class maps, policy maps, and service policies...
Troubleshooting

Problems Accessing the Management Interface

Table 38: Troubleshooting Chart

Symptom: Cannot connect using web browser or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Appendix B | Troubleshooting

Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
Enable logging.
License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
Appendix C | License Information

The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary

ACL – Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP – Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
Domain Name Service. A system used for translating host names for network nodes into IP addresses.
DSCP – Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
IEEE 802.1D – Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q – VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IGMP Snooping – Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
In-Band Management – Management of the network from a station attached directly to the network.
IP Multicast Filtering – A process whereby this switch can pass multicast traffic along to participating hosts.
Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
Multicast Switching – A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated...
RADIUS – Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.
RMON – Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
TFTP – Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.
UDP – User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.