LevelOne GEL-1061 User Manual

Managed gigabit switch

GEL-1061
10-Port L2 Managed Gigabit Switch, 2 x SFP
GEP-1061
10-Port L2 Managed Gigabit PoE Switch, 2 x SFP,
802.3at PoE+, 125W
GEL-2861
28-Port L2 Managed Gigabit Switch, 4 x SFP

User Manual

V2.0
Digital Data Communications Asia Co., Ltd.

Summary of Contents for LevelOne GEL-1061

  • Page 1: User Manual

    GEL-1061 10-Port L2 Managed Gigabit Switch, 2 x SFP GEP-1061 10-Port L2 Managed Gigabit PoE Switch, 2 x SFP, 802.3at PoE+, 125W GEL-2861 28-Port L2 Managed Gigabit Switch, 4 x SFP User Manual V2.0 Digital Data Communications Asia Co., Ltd.
  • Page 2 User Manual GEL-1061 10-Port L2 Managed Gigabit Switch with 8 10/100/1000BASE-T (RJ-45) Ports and 2 Gigabit SFP Ports GEP-1061 10-Port L2 Managed Gigabit PoE Switch with 8 10/100/1000BASE-T (RJ-45) 802.3 af/at PoE Ports...
  • Page 3: How To Use This Guide

    How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
  • Page 4 How to Use This Guide For information on how to install the switch, see the following guide: Installation Guide For all safety information and regulatory statements, see the following documents: Quick Start Guide Safety and Regulatory Information Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions.
  • Page 5: Table Of Contents

    Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Introduction Key Features Description of Software Features Address Resolution Protocol System Defaults Section II Web Configuration 2 Using the Web Interface Connecting to the Web Interface Navigating the Web Browser Interface Dashboard Home Page...
  • Page 6 Contents Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/ TFTP or HTTP Saving the Running Configuration to a Local File Setting the Start-up File Showing System Files Automatic Operation Code Upgrade Setting the System Clock Setting the Time Manually Setting the SNTP Polling Interval Configuring NTP Configuring Time Servers...
  • Page 7 Contents Displaying LACP Settings and Status for the Remote Side Configuring Load Balancing Saving Power Configuring Local Port Mirroring Configuring Remote Port Mirroring Traffic Segmentation Enabling Traffic Segmentation Configuring Uplink and Downlink Ports 5 VLAN Configuration IEEE 802.1Q VLANs Configuring VLAN Groups Adding Static Members to VLANs Protocol VLANs Configuring Protocol VLAN Groups...
  • Page 8 Contents 8 Congestion Control Rate Limiting Storm Control 9 Class of Service Layer 2 Queue Settings Setting the Default Priority for Interfaces Selecting the Queue Mode Layer 3/4 Priority Settings Setting Priority Processing to DSCP or CoS Mapping Ingress DSCP Values to Internal DSCP Values Mapping CoS Priorities to Internal DSCP Values 10 Quality of Service Overview...
  • Page 9 Contents Configuring HTTPS Configuring Global Settings for HTTPS Replacing the Default Secure-site Certificate Configuring the Secure Shell Configuring the SSH Server Generating the Host Key Pair Importing User Public Keys Access Control Lists Showing TCAM Utilization Setting the ACL Name and Type Configuring a Standard IPv4 ACL Configuring an Extended IPv4 ACL Configuring a Standard IPv6 ACL...
  • Page 10 Contents DoS Protection IPv4 Source Guard Configuring Ports for IPv4 Source Guard Configuring Static Bindings for IPv4 Source Guard Displaying Information for Dynamic IPv4 Source Guard Bindings 13 Basic Administration Protocols Configuring Event Logging System Log Configuration Remote Log Configuration Sending Simple Mail Transfer Protocol Alerts Link Layer Discovery Protocol Setting LLDP Timing Attributes...
  • Page 11 Contents Configuring RMON Events Configuring RMON History Samples Configuring RMON Statistical Samples Setting a Time Range LBD Configuration Configuring Global Settings for LBD Configuring Interface Settings for LBD 14 Multicast Filtering Overview Layer 2 IGMP (Snooping and Query for IPv4) Configuring IGMP Snooping and Query Parameters Specifying Static Interfaces for a Multicast Router Assigning Interfaces to Multicast Services...
  • Page 12 Contents 16 IP Services Domain Name Service Configuring General DNS Service Parameters Configuring a List of Domain Names Configuring a List of Name Servers Configuring Static DNS Host to Address Entries Displaying the DNS Cache Dynamic Host Configuration Protocol Specifying a DHCP Client Identifier Configuring DHCP Relay Service Enabling DHCP Dynamic Provision 17 IP Configuration...
  • Page 13 Contents Using System Logs C License Information The GNU General Public License Glossary Index
  • Page 14 Contents
  • Page 15: Figures

    Figures Figure 1: Dashboard Figure 2: Home Page Figure 3: Front Panel Indicators Figure 4: System Information Figure 5: General Switch Information Figure 6: Configuring Support for Jumbo Frames Figure 7: Displaying Bridge Extension Configuration Figure 8: Copy Firmware Figure 9: Saving the Running Configuration Figure 10: Setting Start-Up Files Figure 11: Displaying System Files Figure 12: Configuring Automatic Code Upgrade...
  • Page 16 Figures Figure 30: Restarting the Switch (At) Figure 31: Restarting the Switch (Regularly) Figure 32: Configuring Connections by Port List Figure 33: Configuring Connections by Port Range Figure 34: Displaying Port Information Figure 35: Showing Port Statistics (Table) Figure 36: Showing Port Statistics (Chart) Figure 37: Configuring a History Sample Figure 38: Showing Entries for History Sampling Figure 39: Showing Status of Statistical History Sample...
  • Page 17 Figures Figure 65: Configuring Remote Port Mirroring (Source) Figure 66: Configuring Remote Port Mirroring (Intermediate) Figure 67: Configuring Remote Port Mirroring (Destination) Figure 68: Enabling Traffic Segmentation Figure 69: Configuring Members for Traffic Segmentation Figure 70: Showing Traffic Segmentation Members Figure 71: VLAN Compliant and VLAN Non-compliant Devices Figure 72: Creating Static VLANs Figure 73: Modifying Settings for Static VLANs...
  • Page 18 Figures Figure 100: Determining the Root Port Figure 101: Configuring Interface Settings for STA Figure 102: STA Port Roles Figure 103: Displaying Interface Settings for STA Figure 104: Creating an MST Instance Figure 105: Displaying MST Instances Figure 106: Modifying the Priority for an MST Instance Figure 107: Displaying Global Settings for an MST Instance Figure 108: Adding a VLAN to an MST Instance Figure 109: Displaying Members of an MST Instance...
  • Page 19 Figures Figure 135: Configuring Port Settings for a Voice VLAN Figure 136: Configuring the Authentication Sequence Figure 137: Authentication Server Operation Figure 138: Configuring Remote Authentication Server (RADIUS) Figure 139: Configuring Remote Authentication Server (TACACS+) Figure 140: Configuring AAA Server Groups Figure 141: Showing AAA Server Groups Figure 142: Configuring Global Settings for AAA Accounting Figure 143: Configuring AAA Accounting Methods...
  • Page 20 Figures Figure 170: Showing a List of ACLs Figure 171: Configuring a Standard IPv4 ACL Figure 172: Configuring an Extended IPv4 ACL Figure 173: Configuring a Standard IPv6 ACL Figure 174: Configuring an Extended IPv6 ACL Figure 175: Configuring a MAC ACL Figure 176: Configuring a ARP ACL Figure 177: Binding a Port to an ACL Figure 178: Showing ACL Statistics...
  • Page 21 Figures Figure 205: Configuring LLDP Interface Attributes Figure 206: Configuring the Civic Address for an LLDP Interface Figure 207: Showing the Civic Address for an LLDP Interface Figure 208: Displaying Local Device Information for LLDP (General) Figure 209: Displaying Local Device Information for LLDP (Port) Figure 210: Displaying Local Device Information for LLDP (Port Details) Figure 211: Displaying Remote Device Information for LLDP (Port) Figure 212: Displaying Remote Device Information for LLDP (Port Details)
  • Page 22 Figures Figure 240: Showing SNMP Notification Logs Figure 241: Showing SNMP Statistics Figure 242: Configuring an RMON Alarm Figure 243: Showing Configured RMON Alarms Figure 244: Configuring an RMON Event Figure 245: Showing Configured RMON Events Figure 246: Configuring an RMON History Sample Figure 247: Showing Configured RMON History Samples Figure 248: Showing Collected RMON History Samples Figure 249: Configuring an RMON Statistical Sample...
  • Page 23 Figures Figure 275: Adding Multicast Groups to an IGMP Filtering Profile Figure 276: Showing the Groups Assigned to an IGMP Filtering Profile Figure 277: Configuring IGMP Filtering and Throttling Interface Settings Figure 278: Configuring General Settings for MLD Snooping Figure 279: Configuring Immediate Leave for MLD Snooping Figure 280: Configuring a Static Interface for an IPv6 Multicast Router Figure 281: Showing Static Interfaces Attached an IPv6 Multicast Router Figure 282: Showing Current Interfaces Attached an IPv6 Multicast Router...
  • Page 24 Figures Figure 310: Showing IPv6 Neighbors Figure 311: Showing IPv6 Statistics (IPv6) Figure 312: Showing IPv6 Statistics (ICMPv6) Figure 313: Showing IPv6 Statistics (UDP) Figure 314: Showing Reported MTU Values
  • Page 25: Tables

    Tables Table 1: Key Features Table 2: System Defaults Table 3: Web Page Configuration Buttons Table 4: Switch Main Menu Table 5: Predefined Summer-Time Parameters Table 6: Port Statistics Table 7: LACP Port Counters Table 8: LACP Internal Configuration Information Table 9: LACP Remote Device Configuration Information Table 10: Traffic Segmentation Forwarding Table 11: Recommended STA Path Cost Range...
  • Page 26 Tables Table 30: Options 60, 66 and 67 Statements Table 31: Options 55 and 124 Statements Table 32: Show IPv6 Neighbors - display description Table 33: Show IPv6 Statistics - display description Table 34: Show MTU - display description Table 35: Troubleshooting Chart
  • Page 27: Section I

    Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 29
  • Page 28 Section I | Getting Started
  • Page 29: Introduction

    Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 30: Description Of Software Features

    Chapter 1 | Introduction Description of Software Features (Continued) Table 1: Key Features Feature Description IEEE 802.1D Bridge Supports dynamic data switching and addresses learning Store-and-Forward Supported to ensure wire-speed switching while eliminating bad Switching frames Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP) Virtual LANs Up to 4094 using IEEE 802.1Q, port-based, protocol-based, voice VLANs,...
  • Page 31 Chapter 1 | Introduction Description of Software Features Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, and IP address filtering for SNMP/Telnet/web management access. MAC address filtering and IP source guard also provide authenticated port access, while DHCP snooping is provided to prevent malicious attacks from insecure ports.
  • Page 32 Chapter 1 | Introduction Description of Software Features Static MAC Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 33 Chapter 1 | Introduction Description of Software Features members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). Virtual LANs The switch supports up to 4094 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
  • Page 34: Address Resolution Protocol

    Chapter 1 | Introduction Description of Software Features allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. Address Resolution The switch uses ARP to convert between IP addresses and MAC (hardware) addresses.
  • Page 35: System Defaults

    Chapter 1 | Introduction System Defaults System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 2: System Defaults Function Parameter...
  • Page 36 Chapter 1 | Introduction System Defaults (Continued) Table 2: System Defaults Function Parameter Default SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview Group: public (read only); private (read/write) Port Configuration Admin Status...
  • Page 37 Chapter 1 | Introduction System Defaults (Continued) Table 2: System Defaults Function Parameter Default IP Settings Management. VLAN VLAN 1 IP Address 192.168.1.1 Subnet Mask 255.255.255.0 Default Gateway Not configured DHCP Client: Enabled BOOTP Disabled Enabled Cache Timeout: 20 minutes Multicast Filtering IGMP Snooping (Layer 2) Snooping: Enabled...
  • Page 38 Chapter 1 | Introduction System Defaults
  • Page 39: Web Configuration

    Section II Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 41 ◆ "Basic Management Tasks"...
  • Page 40 Section II | Web Configuration
  • Page 41: Using The Web Interface

    Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 9, Mozilla Firefox 39, or Google Chrome 44, or more recent versions).
  • Page 42: Navigating The Web Browser Interface

    Chapter 2 | Using the Web Interface Navigating the Web Browser Interface commands issued through the web interface. See “Configuring Interface Settings for STA” on page 175. Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
  • Page 43 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Note: You can open a connection to the vendor’s web site by clicking on the Level 1 logo.
  • Page 44: Home Page

    Figure 2: Home Page Note: This manual covers the GEL-1061 Gigabit Ethernet switch, the GEP-1061 Gigabit Ethernet PoE switch, and the GEL-2861 Gigabit Ethernet switch. Other than the difference in port count, and support for PoE, there are no significant differences.
  • Page 45: Panel Display

    Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 3: Web Page Configuration Buttons Button Action Saves current configuration settings Displays help for the selected page. Refreshes the current page. Displays the site map. Logs out of the management interface. Sends mail to the vendor.
  • Page 46: Main Menu

    Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description...
  • Page 47 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Time Configure General Manual Manually sets the current time SNTP Configures SNTP polling interval Configures NTP authentication parameters Configure Time Server Configures a list of SNTP servers Configure SNTP Server Sets the IP address for SNTP time servers...
  • Page 48 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Trunk Static Configure Trunk Creates a trunk, along with the first port member Show Shows the configured trunk identifiers Add Member Specifies ports to group into static trunks Show Member...
  • Page 49 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Mirror Sets the source and target ports for mirroring Show Shows the configured mirror sessions RSPAN Mirrors traffic from remote switches for analysis at a destination port on the local switch Traffic Segmentation Configure Global...
  • Page 50 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Static Configures static entries in the address table Show Displays static entries in the address table MAC Notification Configure Global Issues a trap when a dynamic MAC address is added or removed Configure Interface Enables MAC authentication traps on the current interface...
  • Page 51 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page DSCP to DSCP Maps DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing Show Shows the DSCP to DSCP mapping list CoS to DSCP...
  • Page 52 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Server Configure Server Configures RADIUS and TACACS server message exchange settings Configure Group Specifies a group of authentication servers and sets the priority sequence Show Shows the authentication server groups and priority sequence...
  • Page 53 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Configure MAC Filter Specifies MAC addresses exempt from authentication Show Shows the list of exempt MAC addresses Show Information Shows the authenticated MAC address list HTTPS Secure HTTP...
  • Page 54 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page IP Filter Sets IP addresses of clients allowed management access via the web, SNMP, and Telnet Show Shows the addresses to be allowed management access Port Security Configures per port security, including status, response for security breach, and maximum allowed MAC addresses...
  • Page 55 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page LLDP Configure Global Configures global LLDP timing parameters Configure Interface Configure General Sets the message transmission mode; enables SNMP notification; and sets the LLDP attributes to advertise Add CA-Type Specifies the physical location of the device attached to an interface...
  • Page 56 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Configure Group Adds a group with access policies for assigned users Show Shows configured groups and access policies Configure User Add SNMPv3 Local User Configures SNMPv3 users on this switch Show SNMPv3 Local User...
  • Page 57 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Time Range Configures the time to apply an ACL or PoE port Specifies the name of a time range Show Shows the name of configured time ranges Add Rule...
  • Page 58 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Dynamic Provision Enables dynamic provisioning via DHCP Multicast IGMP Snooping General Enables multicast filtering; configures parameters for multicast snooping Multicast Router Add Static Multicast Router Assigns ports that are attached to a neighboring multicast router...
  • Page 59 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page MLD Snooping General Enables multicast filtering; configures parameters for IPv6 multicast snooping Interface Configures Immediate Leave status for a VLAN Multicast Router Add Static Multicast Router Assigns ports that are attached to a neighboring multicast router...
  • Page 60 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface
  • Page 61: Basic Management Tasks

    Basic Management Tasks This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames –...
  • Page 62: Displaying System Information

    Chapter 3 | Basic Management Tasks Displaying System Information Displaying System Information Use the System > General page to identify the system by displaying information such as the device name, location and contact information. Parameters These parameters are displayed: ◆ System Description –...
  • Page 63: Displaying Hardware/Software Versions

    Chapter 3 | Basic Management Tasks Displaying Hardware/Software Versions Displaying Hardware/Software Versions Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Parameters The following parameters are displayed: Main Board Information ◆...
  • Page 64: Configuring Support For Jumbo Frames

    Chapter 3 | Basic Management Tasks Configuring Support for Jumbo Frames Web Interface To view hardware and software version information. Click System, then Switch. Figure 5: General Switch Information Configuring Support for Jumbo Frames Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
  • Page 65: Displaying Bridge Extension Capabilities

    Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities Web Interface To configure support for jumbo frames: Click System, then Capability. Enable or disable support for jumbo frames. Click Apply. Figure 6: Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Use the System >...
  • Page 66: Figure 7: Displaying Bridge Extension Configuration

    Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities ◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration”...
  • Page 67: Managing System Files

    Chapter 3 | Basic Management Tasks Managing System Files Managing System Files This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Copying Files via FTP/ Use the System > File (Copy) page to upload/download firmware or configuration TFTP or HTTP settings using FTP, TFTP or HTTP.
  • Page 68: Figure 8: Copy Firmware

    Chapter 3 | Basic Management Tasks Managing System Files names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
  • Page 69: Saving The Running Configuration To A Local File

    Chapter 3 | Basic Management Tasks Managing System Files If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Saving the Running Use the System > File (Copy) page to save the current configuration settings to a Configuration to a local file on the switch.
  • Page 70: Setting The Start-Up File

    Chapter 3 | Basic Management Tasks Managing System Files Figure 9: Saving the Running Configuration If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Setting the Use the System >...
  • Page 71: Showing System Files

    Chapter 3 | Basic Management Tasks Managing System Files Showing System Files Use the System > File (Show) page to show the files in the system directory, or to delete a file. Note: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
  • Page 72 LEVEL 1-xx61.bix are considered to be unique files. Thus, if the upgrade file is stored as LEVEL 1-xx61.bix (or even LeveL 1-xx61.bix) on a case-sensitive server, then the switch (requesting gel-1061-series.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
  • Page 73 Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The GEL-1061-series.bix filename must not be included since it is automatically appended by the switch. (Options: ftp, tftp)
  • Page 74 Chapter 3 | Basic Management Tasks Managing System Files directory name must be separated from the host, and in nested directory structures, from the parent directory, with a prepended forward slash “/”. / – The forward slash must be the last character of the URL. ■...
  • Page 75: Setting The System Clock

    Chapter 3 | Basic Management Tasks Setting the System Clock Enter the URL of the FTP or TFTP server, and the path and directory containing the operation code. Click Apply. Figure 12: Configuring Automatic Code Upgrade If a new image is found at the specified location, the following type of messages will be displayed during bootup.
  • Page 76: Setting The Time Manually

    Chapter 3 | Basic Management Tasks Setting the System Clock Setting the Time Use the System > Time (Configure General - Manual) page to set the system time on the switch manually without using SNTP. Manually Parameters The following parameters are displayed: ◆...
  • Page 77: Setting The Sntp Polling Interval

    Chapter 3 | Basic Management Tasks Setting the System Clock Setting the SNTP Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. Polling Interval Parameters The following parameters are displayed: ◆...
  • Page 78: Configuring Time Servers

    Chapter 3 | Basic Management Tasks Setting the System Clock You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
  • Page 79: Figure 16: Specifying Sntp Time Servers

    Chapter 3 | Basic Management Tasks Setting the System Clock Parameters The following parameters are displayed: ◆ SNTP Server IP Address – Sets the IPv4 or IPv6 address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.
  • Page 80: Figure 17: Adding An Ntp Time Server

    Chapter 3 | Basic Management Tasks Setting the System Clock ◆ Authentication Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. NTP authentication is optional. If enabled on the System > Time (Configure General) page, you must also configure at least one key on the System >...
  • Page 81: Figure 19: Adding An Ntp Authentication Key

    Chapter 3 | Basic Management Tasks Setting the System Clock Specifying NTP Authentication Keys Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list. Parameters The following parameters are displayed: ◆...
  • Page 82: Setting The Time Zone

    Chapter 3 | Basic Management Tasks Setting the System Clock Figure 20: Showing the NTP Authentication Key List Setting the Time Zone Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 83: Configuring Summer Time

    Chapter 3 | Basic Management Tasks Setting the System Clock Figure 21: Setting the Time Zone Configuring Use the Summer Time page to set the system clock forward during the summer Summer Time months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
  • Page 84: Table 5: Predefined Summer-Time Parameters

    Chapter 3 | Basic Management Tasks Setting the System Clock Table 5: Predefined Summer-Time Parameters Region Start Time, Day, Week, & Month End Time, Day, Week, & Month Rel. Offset Australia 00:00:00, Sunday, Week 5 of October 23:59:59, Sunday, Week 5 of March 60 min Europe 00:00:00, Sunday, Week 5 of March...
  • Page 85: Configuring The Console Port

    Chapter 3 | Basic Management Tasks Configuring the Console Port Figure 22: Configuring Summer Time Configuring the Console Port Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 86: Figure 23: Console Port Settings

    Chapter 3 | Basic Management Tasks Configuring the Console Port per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits) ◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2;...
  • Page 87: Configuring Telnet Settings

    Chapter 3 | Basic Management Tasks Configuring Telnet Settings Configuring Telnet Settings Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 88: Displaying Cpu Utilization

    Chapter 3 | Basic Management Tasks Displaying CPU Utilization authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch. Web Interface To configure parameters for the console port: Click System, then Telnet.
  • Page 89: Configuring Cpu Guard

    Chapter 3 | Basic Management Tasks Configuring CPU Guard Figure 25: Displaying CPU Utilization Configuring CPU Guard Use the System > CPU Guard page to set the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second.
  • Page 90: Displaying Memory Utilization

    Chapter 3 | Basic Management Tasks Displaying Memory Utilization ◆ Trap Status – If enabled, an alarm message will be generated when utilization exceeds the high watermark or exceeds the maximum threshold. (Default: Disabled) Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered.
  • Page 91: Resetting The System

    Chapter 3 | Basic Management Tasks Resetting the System ◆ Total – The total amount of system memory. Web Interface To display memory utilization: Click System, then Memory Status. Figure 27: Displaying Memory Utilization Resetting the System Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
  • Page 92 Chapter 3 | Basic Management Tasks Resetting the System ■ Immediately – Restarts the system immediately. ■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.) hours –...
  • Page 93: Figure 28: Restarting The Switch (Immediately)

    Chapter 3 | Basic Management Tasks Resetting the System When prompted, confirm that you want to reset the switch. Figure 28: Restarting the Switch (Immediately) Figure 29: Restarting the Switch (In)
  • Page 94: Figure 30: Restarting The Switch (At)

    Chapter 3 | Basic Management Tasks Resetting the System Figure 30: Restarting the Switch (At) Figure 31: Restarting the Switch (Regularly)
  • Page 95: Interface Configuration

    Interface Configuration This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form.
  • Page 96: Port Configuration

    Chapter 4 | Interface Configuration Port Configuration Port Configuration This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. Configuring by Port List: Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 97 Chapter 4 | Interface Configuration Port Configuration ■ 10f - Supports 10 Mbps full-duplex operation. ■ 100h - Supports 100 Mbps half-duplex operation. ■ 100f - Supports 100 Mbps full-duplex operation. ■ 1000f - Supports 1000 Mbps full-duplex operation. ■ Sym - Symmetric exchange of transmit and receive pause frames....
  • Page 98: Configuring By Port Range

    Chapter 4 | Interface Configuration Port Configuration Figure 32: Configuring Connections by Port List Configuring by Port Range: Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 99: Displaying Connection Status

    Chapter 4 | Interface Configuration Port Configuration Figure 33: Configuring Connections by Port Range Displaying Connection Status: Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
  • Page 100: Showing Port Or Trunk Statistics

    Chapter 4 | Interface Configuration Port Configuration Web Interface To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 34: Displaying Port Information Showing Port or Trunk Statistics: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 101 Chapter 4 | Interface Configuration Port Configuration (Continued) Table 6: Port Statistics (Parameter – Description) Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. Transmitted Errors – The number of outbound packets that could not be transmitted because of errors.
  • Page 102 Chapter 4 | Interface Configuration Port Configuration (Continued) Table 6: Port Statistics (Parameter – Description) SQE Test Errors – A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface. Carrier Sense Errors – The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
  • Page 103: Figure 35: Showing Port Statistics (Table)

    Chapter 4 | Interface Configuration Port Configuration (Continued) Table 6: Port Statistics (Parameter – Description) Output Octets in kbits per second – Number of octets leaving this interface in kbits/second. Output Packets per second – Number of packets leaving this interface per second. Output Utilization – The output utilization rate for this interface.
  • Page 104: Displaying Statistical History

    Chapter 4 | Interface Configuration Port Configuration Figure 36: Showing Port Statistics (Chart) Displaying Statistical History: Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces. Command Usage ◆ For a description of the statistics displayed on these pages, see...
  • Page 105 Chapter 4 | Interface Configuration Port Configuration ◆ History Name – Name of sample interval. (Range: 1-32 characters) ◆ Interval - The interval for sampling statistics. (Range: 1-86400 minutes) ◆ Requested Buckets - The number of samples to take. (Range: 1-96) Show ◆...
  • Page 106: Figure 37: Configuring A History Sample

    Chapter 4 | Interface Configuration Port Configuration Figure 37: Configuring a History Sample To show the configured entries for a history sample: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show from the Action menu. Select an interface from the Port or Trunk list. Figure 38: Showing Entries for History Sampling To show the configured parameters for a sampling entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
  • Page 107: Figure 39: Showing Status Of Statistical History Sample

    Chapter 4 | Interface Configuration Port Configuration Figure 39: Showing Status of Statistical History Sample To show statistics for the current interval of a sample entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show Details from the Action menu. Select Current Entry from the options for Mode.
  • Page 108: Displaying Transceiver Data

    Chapter 4 | Interface Configuration Port Configuration To show ingress or egress traffic statistics for a sample entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show Details from the Action menu. Select Input Previous Entry or Output Previous Entry from the options for Mode.
  • Page 109: Configuring Transceiver Thresholds

    Chapter 4 | Interface Configuration Port Configuration problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters. Web Interface To display identifying information and functional parameters for optical transceivers: Click Interface, Port, Transceiver. Select a port from the scroll-down list.
  • Page 110 Chapter 4 | Interface Configuration Port Configuration The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
  • Page 111: Trunk Configuration

    Chapter 4 | Interface Configuration Trunk Configuration ■ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
  • Page 112 Chapter 4 | Interface Configuration Trunk Configuration The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP). Static trunks have to be manually configured at both ends of the link, and the switches must comply with the Cisco EtherChannel standard. On the other hand, LACP configured ports can automatically negotiate a trunked link with LACP-configured ports on another device.
  • Page 113: Configuring A Static Trunk

    Chapter 4 | Interface Configuration Trunk Configuration Configuring a Static Trunk: Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters. Figure 44: Configuring Static Trunks [diagram labels: statically configured; active links] Command Usage ◆...
  • Page 114: Figure 45: Creating Static Trunks

    Chapter 4 | Interface Configuration Trunk Configuration Figure 45: Creating Static Trunks To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member.
  • Page 115: Configuring A Dynamic Trunk

    Chapter 4 | Interface Configuration Trunk Configuration Figure 47: Configuring Connection Parameters for a Static Trunk To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 48: Showing Information for Static Trunks Configuring a Use the Interface >...
  • Page 116 Chapter 4 | Interface Configuration Trunk Configuration ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. ◆...
  • Page 117 Chapter 4 | Interface Configuration Trunk Configuration ■ Short Timeout – Specifies a fast timeout of 3 seconds. The timeout is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second.
  • Page 118: Figure 50: Configuring The Lacp Aggregator Admin Key

    Chapter 4 | Interface Configuration Trunk Configuration System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. ◆ Port Priority – If a link goes down, LACP port priority is used to select a backup link.
  • Page 119: Figure 51: Enabling Lacp On A Port

    Chapter 4 | Interface Configuration Trunk Configuration To enable LACP for a port: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click General. Enable LACP on the required ports. Click Apply. Figure 51: Enabling LACP on a Port To configure LACP parameters for group members: Click Interface, Trunk, Dynamic.
  • Page 120: Figure 52: Configuring Lacp Parameters On A Port

    Chapter 4 | Interface Configuration Trunk Configuration Figure 52: Configuring LACP Parameters on a Port To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show Member from the Action list. Select a Trunk.
  • Page 121: Displaying Lacp Port Counters

    Chapter 4 | Interface Configuration Trunk Configuration Figure 54: Configuring Connection Settings for a Dynamic Trunk To show connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show from the Action list. Figure 55: Showing Connection Parameters for Dynamic Trunks Displaying LACP Use the Interface >...
  • Page 122: Displaying Lacp Settings And Status For The Local Side

    Chapter 4 | Interface Configuration Trunk Configuration Web Interface To display LACP port counters: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Counters. Select a group member from the Port list. Figure 56: Displaying LACP Port Counters Displaying LACP Use the Interface >...
  • Page 123 Chapter 4 | Interface Configuration Trunk Configuration (Continued) Table 8: LACP Internal Configuration Information (Parameter – Description) Admin State, Oper State – Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state; ◆...
  • Page 124: Displaying Lacp Settings And Status For The Remote Side

    Chapter 4 | Interface Configuration Trunk Configuration Figure 57: Displaying LACP Port Internal Information Displaying LACP Settings and Status for the Remote Side: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
  • Page 125: Configuring Load Balancing

    Chapter 4 | Interface Configuration Trunk Configuration Web Interface To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Neighbors. Select a group member from the Port list.
  • Page 126 Chapter 4 | Interface Configuration Trunk Configuration different hosts. Do not use this mode for switch-to-server trunk links where the destination IP address is the same for all traffic. ■ Destination MAC Address: All traffic with the same destination MAC address is output on the same link in a trunk.
  • Page 127: Saving Power

    Chapter 4 | Interface Configuration Saving Power Click Interface, Trunk, Load Balance. Select the required method from the Load Balance Mode list. Click Apply. Figure 59: Configuring Load Balancing Saving Power Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
  • Page 128: Figure 60: Enabling Power Savings

    Chapter 4 | Interface Configuration Saving Power determine whether or not it can reduce the signal amplitude used on a particular link. Note: Power savings can only be implemented on Gigabit Ethernet ports when using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters.
  • Page 129: Configuring Local Port Mirroring

    Chapter 4 | Interface Configuration Configuring Local Port Mirroring Configuring Local Port Mirroring Use the Interface > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 130: Configuring Remote Port Mirroring

    Chapter 4 | Interface Configuration Configuring Remote Port Mirroring Specify the traffic type to be mirrored. Click Apply. Figure 62: Configuring Local Port Mirroring To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 63: Displaying Local Port Mirror Sessions Configuring Remote Port Mirroring Use the Interface >...
  • Page 131: Figure 64: Configuring Remote Port Mirroring

    Chapter 4 | Interface Configuration Configuring Remote Port Mirroring Figure 64: Configuring Remote Port Mirroring [Diagram: Source Switch (Source Port, Uplink Port), Intermediate Switches (Uplink Ports) on the RSPAN VLAN, Destination Switch (Uplink Port, Destination Port). Callouts: “Ingress or egress traffic is mirrored onto the RSPAN...”; “Tagged or untagged traffic from the RSPAN VLAN is...”]
  • Page 132 Chapter 4 | Interface Configuration Configuring Remote Port Mirroring ◆ RSPAN Limitations The following limitations apply to the use of RSPAN on this switch: ■ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface –...
  • Page 133 Chapter 4 | Interface Configuration Configuring Remote Port Mirroring ■ Intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations. ■ Destination - Specifies this device as a switch configured with a...
  • Page 134: Figure 65: Configuring Remote Port Mirroring (Source)

    Chapter 4 | Interface Configuration Configuring Remote Port Mirroring Figure 65: Configuring Remote Port Mirroring (Source) Figure 66: Configuring Remote Port Mirroring (Intermediate) Figure 67: Configuring Remote Port Mirroring (Destination)
  • Page 135: Traffic Segmentation

    Chapter 4 | Interface Configuration Traffic Segmentation Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports.
  • Page 136: Configuring Uplink And Downlink Ports

    Chapter 4 | Interface Configuration Traffic Segmentation Figure 68: Enabling Traffic Segmentation Configuring Uplink and Downlink Ports: Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 137: Figure 69: Configuring Members For Traffic Segmentation

    Chapter 4 | Interface Configuration Traffic Segmentation ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. Parameters These parameters are displayed: ◆ Session ID – Traffic segmentation session. (Range: 1-4) ◆...
  • Page 138: Figure 70: Showing Traffic Segmentation Members

    Chapter 4 | Interface Configuration Traffic Segmentation To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 70: Showing Traffic Segmentation Members
  • Page 139: Vlan Configuration

    VLAN Configuration This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ Protocol VLANs – Configures VLAN groups based on specified protocols. ◆ MAC-based VLANs – Maps untagged ingress frames to a specified VLAN if the source MAC address is found in the IP MAC address-to-VLAN mapping table.
  • Page 140: Figure 71: Vlan Compliant And Vlan Non-Compliant Devices

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs This switch supports the following VLAN features: ◆ Up to 4094 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol ◆...
  • Page 141 Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
  • Page 142: Configuring Vlan Groups

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Configuring VLAN Groups: Use the VLAN > Static (Add) page to create or remove VLAN groups, set administrative status, or specify Remote VLAN type (see “Configuring Remote Port Mirroring” on page 130). To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.
  • Page 143: Figure 72: Creating Static Vlans

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Click Apply. Figure 72: Creating Static VLANs To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface.
  • Page 144: Adding Static Members To Vlans

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To show the configuration settings for VLAN groups: Click VLAN, Static. Select Show from the Action list. Figure 74: Showing Static VLANs Adding Static Members to VLANs: Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
  • Page 145 Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. ◆ PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
  • Page 146: Figure 75: Configuring Static Members By Vlan Index

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Edit Member by Interface All parameters are the same as those described under the preceding section for Edit Member by VLAN. Edit Member by Interface Range All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.
  • Page 147: Figure 76: Configuring Static Vlan Members By Interface

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply.
  • Page 148: Protocol Vlans

    Chapter 5 | VLAN Configuration Protocol VLANs Figure 77: Configuring Static VLAN Members by Interface Range Protocol VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 149: Configuring Protocol Vlan Groups

    Chapter 5 | VLAN Configuration Protocol VLANs Configuring Protocol VLAN Groups: Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. Parameters These parameters are displayed: ◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
  • Page 150: Mapping Protocol Groups To Interfaces

    Chapter 5 | VLAN Configuration Protocol VLANs Figure 78: Configuring Protocol VLANs To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 79: Displaying Protocol VLANs Mapping Protocol Use the VLAN >...
  • Page 151 Chapter 5 | VLAN Configuration Protocol VLANs ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is...
  • Page 152: Configuring Mac-Based Vlans

    Chapter 5 | VLAN Configuration Configuring MAC-based VLANs Figure 80: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk.
  • Page 153 Chapter 5 | VLAN Configuration Configuring MAC-based VLANs ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
  • Page 154: Figure 82: Configuring Mac-Based Vlans

    Chapter 5 | VLAN Configuration Configuring MAC-based VLANs Figure 82: Configuring MAC-Based VLANs To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 83: Showing MAC-Based VLANs
  • Page 155: Address Table Settings

    Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 156: Figure 84: Configuring Mac Address Learning

    Chapter 6 | Address Table Settings Configuring MAC Address Learning ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see “Configuring 802.1X Global Settings” on page 293).
  • Page 157: Setting Static Addresses

    Chapter 6 | Address Table Settings Setting Static Addresses Setting Static Addresses Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved.
  • Page 158: Figure 85: Configuring Static Mac Addresses

    Chapter 6 | Address Table Settings Setting Static Addresses Web Interface To configure a static MAC address: Click MAC Address, Static. Select Add from the Action list. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
  • Page 159: Changing The Aging Time

    Chapter 6 | Address Table Settings Changing the Aging Time Changing the Aging Time Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
  • Page 160: Figure 88: Displaying The Dynamic Mac Address Table

    Chapter 6 | Address Table Settings Displaying the Dynamic Address Table Parameters These parameters are displayed: ◆ Sort Key - You can sort the information displayed based on MAC address, VLAN or interface (port or trunk). ◆ MAC Address – Physical address associated with this interface. ◆...
  • Page 161: Clearing The Dynamic Address Table

    Chapter 6 | Address Table Settings Clearing the Dynamic Address Table Clearing the Dynamic Address Table Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database. Parameters These parameters are displayed: ◆...
  • Page 162: Issuing Mac Address Traps

    Chapter 6 | Address Table Settings Issuing MAC Address Traps Issuing MAC Address Traps Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Parameters These parameters are displayed: Configure Global ◆...
  • Page 163: Figure 91: Issuing Mac Address Traps (Interface Configuration)

    Chapter 6 | Address Table Settings Issuing MAC Address Traps To enable MAC address traps at the interface level: Click MAC Address, MAC Notification. Select Configure Interface from the Step list. Enable MAC notification traps for the required ports. Click Apply. Figure 91: Issuing MAC Address Traps (Interface Configuration)
  • Page 164 Chapter 6 | Address Table Settings Issuing MAC Address Traps
  • Page 165: Spanning Tree Algorithm

    Spanning Tree Algorithm This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA –...
  • Page 166: Figure 92: Stp Root Ports And Designated Ports

    Chapter 7 | Spanning Tree Algorithm Overview Figure 92: STP Root Ports and Designated Ports [diagram labels: Designated Root, Root Port, Designated Port, Designated Bridge] Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 167: Configuring Loopback Detection

    Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 183).
  • Page 168 Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection Note: Loopback detection will not be active if Spanning Tree is disabled on the switch. Note: When configured for manual release mode, then a link down/up event will not release the port from the discarding state. Parameters These parameters are displayed: ◆...
  • Page 169: Configuring Global Settings For Sta

    Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA Figure 95: Configuring Port Loopback Detection Configuring Global Settings for STA Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. Command Usage ◆...
  • Page 170 Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance. ■ To allow multiple spanning trees to operate over the network, you must...
  • Page 171 Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA The setting has no effect if BPDU flooding is disabled on a port (see "Configuring Interface Settings for STA"). ◆ Cisco Prestandard Status – Configures spanning tree operation to be compatible with Cisco prestandard versions.
  • Page 172 Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA ◆ Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 173: Figure 96: Configuring Global Settings For Sta (Stp)

    Chapter 7 | Spanning Tree Algorithm Configuring Global Settings for STA Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section. Click Apply. Figure 96: Configuring Global Settings for STA (STP) Figure 97: Configuring Global Settings for STA (RSTP)
  • Page 174: Displaying Global Settings For Sta

    Chapter 7 | Spanning Tree Algorithm Displaying Global Settings for STA Figure 98: Configuring Global Settings for STA (MSTP) Displaying Global Settings for STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch. Parameters The parameters displayed are described in the preceding section, except for the following items:...
  • Page 175: Configuring Interface Settings For Sta

    Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA ◆ Root Path Cost – The path cost from the root port on this switch to the root device. ◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
  • Page 176: Table 11: Recommended Sta Path Cost Range

    Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA Parameters These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) When spanning tree is enabled globally (Configuring Global Settings for STA) or enabled on an interface by this command, loopback detection is disabled.
  • Page 177: Figure 100: Determining The Root Port

    Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA (Continued) Table 11: Recommended STA Path Cost Range Port Type IEEE 802.1D-1998 IEEE 802.1w-2001 Gigabit Ethernet 3-10 2,000-200,000 10G Ethernet 200-20,000 Table 12: Default STA Path Costs Port Type Short Path Cost Long Path Cost (IEEE 802.1D-1998)
  • Page 178 Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA ■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.) ◆ Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time.
  • Page 179 Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for STA When edge port is set as auto, the operational state is determined automatically by the Bridge Detection State Machine described in 802.1D-2004, where the edge port state may change dynamically based on environment changes (e.g., receiving a BPDU or not within the required interval).
  • Page 180: Displaying Interface Settings For Sta

    Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA Click Apply. Figure 101: Configuring Interface Settings for STA Displaying Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. Parameters These parameters are displayed: ◆...
  • Page 181: Figure 102: Sta Port Roles

    Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA ■ All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding. ◆ Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state.
  • Page 182: Figure 103: Displaying Interface Settings For Sta

    Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port. The criteria used for determining the port role is based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
  • Page 183: Configuring Multiple Spanning Trees

    Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees Configuring Multiple Spanning Trees Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. Command Usage MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 184: Figure 104: Creating An Mst Instance

    Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees Web Interface To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 185: Figure 106: Modifying The Priority For An Mst Instance

    Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 186: Figure 108: Adding A Vlan To An Mst Instance

    Chapter 7 | Spanning Tree Algorithm Configuring Multiple Spanning Trees To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 187: Configuring Interface Settings For Mstp

    Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for MSTP Configuring Interface Settings for MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. Parameters These parameters are displayed: ◆...
  • Page 188: Figure 110: Configuring Mstp Interface Settings

    Chapter 7 | Spanning Tree Algorithm Configuring Interface Settings for MSTP Web Interface To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Configure from the Action list. Enter the priority and path cost for an interface. Click Apply.
  • Page 189: Congestion Control

    Congestion Control The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 190: Storm Control

    Chapter 8 | Congestion Control Storm Control Web Interface To configure rate limits: Click Traffic, Rate Limit. Set the interface type to Port or Trunk. Enable the Rate Limit Status for the required interface. Set the rate limit for required interfaces. Click Apply.
  • Page 191: Figure 113: Configuring Storm Control

    Chapter 8 | Congestion Control Storm Control Parameters These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Type – Indicates the port type (1000BASE-T, 1000BASE SFP, or 10GBASE SFP+). ◆ Unknown Unicast – Specifies storm control for unknown unicast traffic. ◆...
  • Page 193: Class Of Service

    Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 194: Selecting The Queue Mode

    Chapter 9 | Class of Service Layer 2 Queue Settings ◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters These parameters are displayed: ◆ Interface –...
  • Page 195 Chapter 9 | Class of Service Layer 2 Queue Settings the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. ◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues.
  • Page 196: Figure 115: Setting The Queue Mode (Strict)

    Chapter 9 | Class of Service Layer 2 Queue Settings Web Interface To configure the queue mode: Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling strict mode parameter in the table.
  • Page 197: Layer 3/4 Priority Settings

    Chapter 9 | Class of Service Layer 3/4 Priority Settings Figure 117: Setting the Queue Mode (Strict and WRR) Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
  • Page 198: Setting Priority Processing To Dscp Or Cos

    Chapter 9 | Class of Service Layer 3/4 Priority Settings Setting Priority Processing to DSCP or CoS The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method. Command Usage ◆...
  • Page 199: Mapping Ingress Dscp Values To Internal Dscp Values

    Chapter 9 | Class of Service Layer 3/4 Priority Settings Figure 118: Setting the Trust Mode Mapping Ingress DSCP Values to Internal DSCP Values Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing.
  • Page 200: Figure 119: Configuring Dscp To Dscp Internal Mapping

    Chapter 9 | Class of Service Layer 3/4 Priority Settings ◆ Drop Precedence – Drop precedence used for controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red) Table 13: Default Mapping of DSCP Values to Internal PHB/Drop Values ingress- dscp1 ingress-...
  • Page 201: Mapping Cos Priorities To Internal Dscp Values

    Chapter 9 | Class of Service Layer 3/4 Priority Settings To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Figure 120: Showing DSCP to DSCP Internal Mapping Mapping Use the Traffic >...
  • Page 202: Figure 121: Configuring Cos To Dscp Internal Mapping

    Chapter 9 | Class of Service Layer 3/4 Priority Settings ◆ CFI – Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1) ◆ PHB –...
  • Page 203: Figure 122: Showing Cos To Dscp Internal Mapping

    Chapter 9 | Class of Service Layer 3/4 Priority Settings To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Figure 122: Showing CoS to DSCP Internal Mapping – 203 –...
  • Page 205: Quality Of Service

    Quality of Service This chapter describes the following tasks required to apply QoS policies: ◆ Class Map – Creates a map which identifies a specific class of traffic. ◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
  • Page 206: Configuring A Class Map

    Chapter 10 | Quality of Service Configuring a Class Map Command Usage To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
  • Page 207: Figure 123: Configuring A Class Map

    Chapter 10 | Quality of Service Configuring a Class Map ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
  • Page 208: Figure 124: Showing Class Maps

    Chapter 10 | Quality of Service Configuring a Class Map To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 124: Showing Class Maps To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 209: Figure 125: Adding Rules To A Class Map

    Chapter 10 | Quality of Service Configuring a Class Map Figure 125: Adding Rules to a Class Map To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 126: Showing the Rules for a Class Map –...
  • Page 210: Creating Qos Policies

    Chapter 10 | Quality of Service Creating QoS Policies Creating QoS Policies Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 206).
  • Page 211 Chapter 10 | Quality of Service Creating QoS Policies ■ If the packet has been precolored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented.
  • Page 212: Figure 127: Configuring A Policy Map

    Chapter 10 | Quality of Service Creating QoS Policies Web Interface To configure a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add from the Action list. Enter a policy name. Enter a description. Click Apply. Figure 127: Configuring a Policy Map To show the configured policy maps: Click Traffic, DiffServ.
  • Page 213: Figure 129: Adding Rules To A Policy Map

    Chapter 10 | Quality of Service Creating QoS Policies To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Click on the Action field, and set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
  • Page 214: Attaching A Policy Map To A Port

    Chapter 10 | Quality of Service Attaching a Policy Map to a Port To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 130: Showing the Rules for a Policy Map Attaching a Policy Map to a Port Use the Traffic >...
  • Page 215: Figure 131: Attaching A Policy Map To A Port

    Chapter 10 | Quality of Service Attaching a Policy Map to a Port Click Apply. Figure 131: Attaching a Policy Map to a Port – 215 –...
  • Page 217: Voip Traffic Configuration

    VoIP Traffic Configuration This chapter covers the following topics: ◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 218: Configuring Voip Traffic

    Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Configuring VoIP Traffic Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
  • Page 219: Configuring Telephony Oui

    Chapter 11 | VoIP Traffic Configuration Configuring Telephony OUI Figure 132: Configuring a Voice VLAN Configuring Telephony OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets.
  • Page 220: Configuring Voip Traffic Ports

    Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports Enter a description for the devices. Click Apply. Figure 133: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list.
  • Page 221 Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports Parameters These parameters are displayed: ◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None) ■ None – The Voice VLAN feature is disabled on the port. The port will not...
  • Page 222: Figure 135: Configuring Port Settings For A Voice Vlan

    Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.” Web Interface To configure VoIP traffic settings for a port: Click Traffic, VoIP.
  • Page 223: Security Measures

    Security Measures You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: ◆...
  • Page 224: Aaa (Authentication, Authorization And Accounting)

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping. AAA (Authentication, Authorization and Accounting) The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch.
  • Page 225: Configuring Local/Remote Logon Authentication

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. Note: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 226: Configuring Remote Logon Authentication Servers

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Web Interface To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply. Figure 136: Configuring the Authentication Sequence Configuring Use the Security >...
  • Page 227 Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Command Usage ◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
  • Page 228 Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. ◆...
  • Page 229: Figure 138: Configuring Remote Authentication Server (Radius)

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Web Interface To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server. Select Configure Server from the Step list. Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
  • Page 230: Figure 139: Configuring Remote Authentication Server (Tacacs+)

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Figure 139: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
  • Page 231: Configuring Aaa Accounting

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 141: Showing AAA Server Groups Configuring Use the Security >...
  • Page 232 Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) ■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting. ◆ Method Name – Specifies an accounting method for service requests. The “default”...
  • Page 233: Figure 142: Configuring Global Settings For Aaa Accounting

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) ■ VTY Method Name – Specifies a user defined method name to apply to Telnet and SSH connections. Show Information – Summary ◆ Accounting Type - Displays the accounting service. ◆...
  • Page 234: Figure 143: Configuring Aaa Accounting Methods

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list. Select the accounting type (802.1X, Command, Exec).
  • Page 235: Figure 144: Showing Aaa Accounting Methods

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Figure 144: Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list.
  • Page 236: Figure 146: Configuring Aaa Accounting Service For Command Service

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Figure 146: Configuring AAA Accounting Service for Command Service Figure 147: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting.
  • Page 237: Configuring Aaa Authorization

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Figure 148: Displaying a Summary of Applied AAA Accounting Methods To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Statistics.
  • Page 238 Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Parameters These parameters are displayed: Configure Method ◆ Authorization Type – Specifies the service as: ■ Command – Administrative authorization to apply to commands entered at specific CLI privilege levels. ■ Exec –...
  • Page 239: Figure 150: Configuring Aaa Authorization Methods

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) Web Interface To configure the authorization method applied to the Exec service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Specify the name of the authorization method and server group name. Click Apply.
  • Page 240: Figure 152: Configuring Aaa Authorization Methods For Exec Service

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 152: Configuring AAA Authorization Methods for Exec Service To display the configured authorization method and assigned server groups for the Exec service type:...
  • Page 241: Configuring User Accounts

    Chapter 12 | Security Measures Configuring User Accounts Configuring User Accounts Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. Command Usage ◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin”...
  • Page 242: Figure 154: Configuring User Accounts

    Chapter 12 | Security Measures Configuring User Accounts ■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server.
  • Page 243: Network Access (Mac Address Authentication)

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) Figure 155: Showing User Accounts Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
  • Page 244: Table 15: Dynamic Qos Profiles

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server. ◆...
  • Page 245: Configuring Global Settings For Network Access

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores the “map-ip-dscp” profile. ◆ When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged): The Filter-ID attribute cannot be found to carry the user profile.
  • Page 246: Configuring Network Access For Ports

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) The maximum number of secure MAC addresses supported for the switch system is 1024. Web Interface To configure aging status and reauthentication time for MAC address authentication: Click Security, Network Access. Select Configure Global from the Step list.
  • Page 247: Figure 157: Configuring Interface Settings For Network Access

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled) The VLAN settings specified by the first authenticated MAC address are implemented for a port.
  • Page 248: Configuring A Mac Address Filter

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) Configuring a MAC Address Filter Use the Security > Network Access (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication. MAC addresses present in MAC Filter tables activated on a port are treated as pre-authenticated on that port.
  • Page 249: Displaying Secure Mac Address Information

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) To show the MAC address filter table for MAC authentication: Click Security, Network Access. Select Configure MAC Filter from the Step list. Select Show from the Action list. Figure 159: Showing the MAC Address Filter Table for Network Access Displaying Secure Use the Security >...
  • Page 250: Figure 160: Showing Addresses Authenticated For Network Access

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) ■ Attribute – Indicates a static or dynamic address. Web Interface To display the authenticated MAC addresses stored in the secure MAC address table: Click Security, Network Access. Select Show Information from the Step list. Use the sort key to display addresses based on MAC address, interface, or attribute.
  • Page 251: Configuring Https

    Chapter 12 | Security Measures Configuring HTTPS Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Configuring Global Use the Security >...
  • Page 252: Replacing The Default Secure-Site Certificate

    Chapter 12 | Security Measures Configuring HTTPS Parameters These parameters are displayed: ◆ HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) ◆ HTTPS Port – Specifies the TCP port number used for HTTPS connection to the switch’s web interface.
  • Page 253 Chapter 12 | Security Measures Configuring HTTPS When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one. Note: The switch must be reset for the new certificate to be activated. To reset the switch, see “Resetting the System”...
  • Page 254: Configuring The Secure Shell

    Chapter 12 | Security Measures Configuring the Secure Shell Figure 162: Downloading the Secure-Site Certificate Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments.
  • Page 255 Chapter 12 | Security Measures Configuring the Secure Shell To use the SSH server, complete these steps: Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 256: Configuring The Ssh Server

    Chapter 12 | Security Measures Configuring the Secure Shell Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
  • Page 257: Figure 163: Configuring The Ssh Server

    Chapter 12 | Security Measures Configuring the Secure Shell Parameters These parameters are displayed: ◆ SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) ◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
  • Page 258: Generating The Host Key Pair

    Chapter 12 | Security Measures Configuring the Secure Shell Generating the Host Key Pair Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch.
  • Page 259: Importing User Public Keys

    Chapter 12 | Security Measures Configuring the Secure Shell To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the option to save the host key from memory to flash by clicking Save, or select the host-key type to clear and click Clear.
  • Page 260: Figure 166: Copying The Ssh User's Public Key

    Chapter 12 | Security Measures Configuring the Secure Shell The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. ◆ TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import.
  • Page 261: Access Control Lists

    Chapter 12 | Security Measures Access Control Lists Figure 167: Showing the SSH User’s Public Key Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 262: Showing Tcam Utilization

    Chapter 12 | Security Measures Access Control Lists possible depends on too many factors to be precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose. Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently.
  • Page 263 Chapter 12 | Security Measures Access Control Lists rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, VLAN translation, or traps. For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
  • Page 264: Setting The Acl Name And Type

    Chapter 12 | Security Measures Access Control Lists Figure 168: Showing TCAM Utilization Setting the ACL Name and Type Use the Security > ACL (Configure ACL - Add) page to create an ACL. Parameters These parameters are displayed: ◆ ACL Name – Name of the ACL. (Maximum length: 32 characters) ◆...
  • Page 265: Figure 169: Creating An Acl

    Chapter 12 | Security Measures Access Control Lists Web Interface To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add from the Action list. Fill in the ACL Name field, and select the ACL type. Click Apply.
  • Page 266: Configuring A Standard Ipv4 Acl

    Chapter 12 | Security Measures Access Control Lists Configuring a Standard IPv4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. Parameters These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list. ◆...
  • Page 267: Configuring An Extended Ipv4 Acl

    Chapter 12 | Security Measures Access Control Lists Figure 171: Configuring a Standard IPv4 ACL Configuring an Extended IPv4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. Parameters These parameters are displayed: ◆...
  • Page 268 Chapter 12 | Security Measures Access Control Lists The following items are under TCP ■ Control Code – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) ■ Control Code Bit Mask – Decimal number representing the code bits to...
  • Page 269: Configuring A Standard Ipv6 Acl

    Chapter 12 | Security Measures Access Control Lists Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or control code.
  • Page 270: Figure 173: Configuring A Standard Ipv6 Acl

    Chapter 12 | Security Measures Access Control Lists 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. ◆ Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
  • Page 271: Configuring An Extended Ipv6 Acl

    Chapter 12 | Security Measures Access Control Lists Configuring an Extended IPv6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. Parameters These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list. ◆...
  • Page 272 Chapter 12 | Security Measures Access Control Lists are a small number of such extension headers, each identified by a distinct Next Header value. IPv6 supports the values defined for the IPv4 Protocol field in RFC 1700, and includes these commonly used headers: : Hop-by-Hop Options (RFC 2460) : TCP Upper-layer Header (RFC 1700) 17 : UDP Upper-layer Header (RFC 1700)
  • Page 273: Configuring A Mac Acl

    Chapter 12 | Security Measures Access Control Lists Figure 174: Configuring an Extended IPv6 ACL Configuring a MAC ACL Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. Parameters These parameters are displayed: ◆...
  • Page 274 Chapter 12 | Security Measures Access Control Lists ■ Tagged-802.3 – Tagged Ethernet 802.3 packets. ◆ VID – VLAN ID. (Range: 1-4094) ◆ VID Bit Mask – VLAN bit mask. (Range: 0-4095) ◆ Ethernet Type – This option can only be used to filter Ethernet II formatted packets.
  • Page 275: Configuring An Arp Acl

    Chapter 12 | Security Measures Access Control Lists Figure 175: Configuring a MAC ACL Configuring an ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection”...
  • Page 276 Chapter 12 | Security Measures Access Control Lists ◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any) ◆...
  • Page 277: Binding A Port To An Access Control List

    Chapter 12 | Security Measures Access Control Lists Figure 176: Configuring an ARP ACL Binding a Port to an Access Control List After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs. Parameters These parameters are displayed: ◆...
  • Page 278: Showing Acl Hardware Counters

    Chapter 12 | Security Measures Access Control Lists Select the name of an ACL from the ACL list. Click Apply. Figure 177: Binding a Port to an ACL Showing ACL Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
  • Page 279: Arp Inspection

    Chapter 12 | Security Measures ARP Inspection Web Interface To show statistics for ACL hardware counters: Click Security, ACL. Select Configure Interface from the Step list. Select Show Hardware Counters from the Action list. Select a port. Select ingress or egress traffic. Figure 178: Showing ACL Statistics ARP Inspection ARP Inspection is a security feature that validates the MAC Address bindings for...
  • Page 280: Configuring Global Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection Command Usage Enabling & Disabling ARP Inspection ◆ ARP Inspection is controlled on a global and VLAN basis. ◆ By default, ARP Inspection is disabled both globally and on all VLANs. ■ If ARP Inspection is globally enabled, then it becomes active only on the...
  • Page 281 Chapter 12 | Security Measures ARP Inspection ■ IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
  • Page 282: Configuring Vlan Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection ◆ Log Message Number – The maximum number of entries saved in a log message. (Range: 0-256; Default: 5) ◆ Log Interval – The interval at which log messages are sent. (Range: 0-86400 seconds;...
  • Page 283: Figure 180: Configuring Vlan Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection ◆ If Static is specified, ARP packets are only validated against the selected ACL – packets are filtered according to any matching rules, packets not matching any rules are dropped, and the DHCP snooping bindings database check is bypassed.
  • Page 284: Configuring Interface Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection Configuring Interface Settings for ARP Inspection Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. Parameters These parameters are displayed: ◆...
  • Page 285: Displaying Arp Inspection Statistics

    Chapter 12 | Security Measures ARP Inspection Displaying ARP Inspection Statistics Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. Parameters These parameters are displayed: Table 17: ARP Inspection Statistics Parameter Description...
  • Page 286: Displaying The Arp Inspection Log

    Chapter 12 | Security Measures ARP Inspection Figure 182: Displaying Statistics for ARP Inspection Displaying the ARP Inspection Log Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
  • Page 287: Filtering Ip Addresses For Management Access

    Chapter 12 | Security Measures Filtering IP Addresses for Management Access Figure 183: Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
  • Page 288: Figure 184: Creating An Ip Address Filter For Management Access

    Chapter 12 | Security Measures Filtering IP Addresses for Management Access ■ Telnet – Configures IP address(es) for the Telnet group. ■ All – Configures IP address(es) for all groups. ◆ Start IP Address – A single IP address, or the starting address of a range. ◆...
  • Page 289: Configuring Port Security

    Chapter 12 | Security Measures Configuring Port Security To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 185: Showing IP Addresses Authorized for Management Access Configuring Port Security Use the Security >...
  • Page 290 Chapter 12 | Security Measures Configuring Port Security ◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. ◆ If port security is enabled, and the maximum number of allowed addresses are set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
  • Page 291: Configuring 802.1X Port Authentication

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ Current MAC Count – The number of MAC addresses currently associated with this interface. ◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 248.
  • Page 292: Figure 187: Configuring Port Authentication

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request.
  • Page 293: Configuring 802.1X Global Settings

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) ◆ The RADIUS server and client also have to support the same EAP authentication type –...
  • Page 294: Configuring Port Authenticator Settings For 802.1X

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Configuring Port Authenticator Settings for 802.1X Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication...
  • Page 295 Chapter 12 | Security Measures Configuring 802.1X Port Authentication ■ Multi-Host – Allows multiple hosts to connect to this port. In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
  • Page 296 Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ Re-authentication Status – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) ◆...
  • Page 297: Figure 189: Configuring Interface Settings For 802.1X Port Authenticator

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Reauthentication State Machine ◆ State – Current state (including initialize, reauthenticate). Web Interface To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Modify the authentication settings for each port as required.
  • Page 298: Displaying 802.1X Statistics

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Displaying 802.1X Statistics Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. Parameters These parameters are displayed: Table 19: 802.1X Statistics Parameter Description Authenticator...
  • Page 299: Dhcp Snooping

    Chapter 12 | Security Measures DHCP Snooping (Continued) Table 19: 802.1X Statistics Parameter Description Rx EAP LenError The number of EAPOL frames that have been received by this Supplicant in which the Packet Body Length field is invalid. Tx EAPOL Total The number of EAPOL frames of any type that have been transmitted by this Supplicant.
  • Page 300 Chapter 12 | Security Measures DHCP Snooping Command Usage DHCP Snooping Process ◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on a non-secure interface from outside the network or firewall. When DHCP snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.
  • Page 301 Chapter 12 | Security Measures DHCP Snooping ■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. ■ If a DHCP packet from a server is received on a trusted port, it will be...
  • Page 302: Dhcp Snooping Global Configuration

    Chapter 12 | Security Measures DHCP Snooping these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information. DHCP Snooping Global Configuration Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
  • Page 303: Dhcp Snooping Vlan Configuration

    Chapter 12 | Security Measures DHCP Snooping inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports. (This is the default policy.) Web Interface To configure global settings for DHCP Snooping: Click Security, DHCP Snooping. Select Configure Global from the Step list.
  • Page 304: Configuring Ports For Dhcp Snooping

    Chapter 12 | Security Measures DHCP Snooping Parameters These parameters are displayed: ◆ VLAN – ID of a configured VLAN. (Range: 1-4094) ◆ DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 305: Figure 193: Configuring The Port Mode For Dhcp Snooping

    Chapter 12 | Security Measures DHCP Snooping Parameters These parameters are displayed: ◆ Trust Status – Enables or disables a port as trusted. (Default: Disabled) ◆ Max Number – The maximum number of DHCP clients which can be supported per interface. (Range: 1-32; Default: 16) ◆...
  • Page 306: Displaying Dhcp Snooping Binding Information

    Chapter 12 | Security Measures DHCP Snooping Displaying DHCP Snooping Binding Information Use the Security > DHCP Snooping (Show Information) page to display entries in the binding table. Parameters These parameters are displayed: ◆ MAC Address – Physical address associated with the entry. ◆...
  • Page 307: Dos Protection

    Chapter 12 | Security Measures DoS Protection Figure 194: Displaying the Binding Table for DHCP Snooping DoS Protection Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
  • Page 308: Ipv4 Source Guard

    Chapter 12 | Security Measures IPv4 Source Guard ◆ TCP Xmas Scan – A so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet.
  • Page 309 Chapter 12 | Security Measures IPv4 Source Guard Command Usage Filter Type ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
  • Page 310: Figure 196: Setting The Filter Type For Ipv4 Source Guard

    Chapter 12 | Security Measures IPv4 Source Guard ■ SIP – Enables traffic filtering based on IP addresses stored in the binding table. ■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. ◆...
  • Page 311: Configuring Static Bindings For Ipv4 Source Guard

    Chapter 12 | Security Measures IPv4 Source Guard Configuring Static Bindings for IPv4 Source Guard Use the Security > IP Source Guard > Static Binding (Configure ACL Table and Configure MAC Table) pages to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier.
  • Page 312 Chapter 12 | Security Measures IPv4 Source Guard Parameters These parameters are displayed: Add – Configure ACL Table ◆ Port – The port to which a static entry is bound. ◆ VLAN – ID of a configured VLAN (Range: 1-4094) ◆...
  • Page 313: Displaying Information For Dynamic Ipv4 Source Guard Bindings

    Chapter 12 | Security Measures IPv4 Source Guard Figure 197: Configuring Static Bindings for IPv4 Source Guard To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Binding. Select Configure ACL Table or Configure MAC Table from the Step list. Select Show from the Action list.
  • Page 314: Figure 199: Showing The Ipv4 Source Guard Binding Table

    Chapter 12 | Security Measures IPv4 Source Guard Dynamic Binding List ◆ VLAN – VLAN to which this entry is bound. ◆ MAC Address – Physical address associated with the entry. ◆ Interface – Port to which this entry is bound. ◆...
  • Page 315: Basic Administration Protocols

    Basic Administration Protocols This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 316: Configuring Event Logging

    Chapter 13 | Basic Administration Protocols Configuring Event Logging Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 317: Figure 200: Configuring Settings For System Memory Logs

    Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level.
  • Page 318: Remote Log Configuration

    Chapter 13 | Basic Administration Protocols Configuring Event Logging Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory. This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM;...
  • Page 319: Sending Simple Mail Transfer Protocol Alerts

    Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ Server IP Address – Specifies the IPv4 or IPv6 address of a remote server which will be sent syslog messages. ◆ Port - Specifies the UDP port number used by the remote server. (Range: 1-65535;...
  • Page 320: Figure 203: Configuring Smtp Alert Messages

    Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ Email Source Address – Sets the email address used for the “From” field in alert messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. (Range: 1-41 characters) ◆...
  • Page 321: Link Layer Discovery Protocol

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 322 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval ◆ Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down.
  • Page 323: Configuring Lldp Interface Attributes

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 204: Configuring LLDP Timing Attributes Configuring LLDP Interface Attributes Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 324 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. ■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 325 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 139). (Default: Enabled) VLAN Name –...
  • Page 326 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ Network Policy – This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption. (Default: Enabled) ◆...
  • Page 327: Configuring Lldp Interface Civic-Address

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 205: Configuring LLDP Interface Attributes Configuring LLDP Interface Civic-Address Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface. Command Usage...
  • Page 328: Figure 206: Configuring The Civic Address For An Lldp Interface

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol (Continued) Table 21: LLDP MED Location CA Types CA Type Description CA Value Example Landmark or vanity address Tech Center Unit (apartment, suite) Apt 519 Floor Room 509B ◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
  • Page 329: Displaying Lldp Local Device Information

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol To show the physical location of the attached device: Click Administration, LLDP. Select Configure Interface from the Step list. Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list. Figure 207: Showing the Civic Address for an LLDP Interface Displaying LLDP Use the Administration >...
  • Page 330: Table 23: System Capabilities

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. ◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information”...
  • Page 331: Table 24: Port Id Subtype

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
  • Page 332: Figure 208: Displaying Local Device Information For Lldp (General)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 208: Displaying Local Device Information for LLDP (General) Figure 209: Displaying Local Device Information for LLDP (Port) Figure 210: Displaying Local Device Information for LLDP (Port Details)
  • Page 333: Displaying Lldp Remote Device Information

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Displaying LLDP Remote Device Information Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 334: Table 25: Remote Port Auto-Negotiation Advertised Capability

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 23, "System Capabilities," on page 330.) ◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled.
  • Page 335 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol (Continued) Table 25: Remote Port Auto-Negotiation Advertised Capability Capability 100BASE-TX full duplex mode 100BASE-T2 half duplex mode 100BASE-T2 full duplex mode PAUSE for full-duplex links Asymmetric PAUSE for full-duplex links Symmetric PAUSE for full-duplex links Asymmetric and Symmetric PAUSE for full-duplex links 1000BASE-X, -LX, -SX, -CX half duplex mode...
  • Page 336 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Port Details – 802.3 Extension Trunk Information ◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation. ◆...
  • Page 337 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Port Details – Network Policy ◆ Application Type – The primary application defined for this network policy: ■ Voice ■ Voice Signaling ■ Guest Signaling ■ Guest Voice Signaling ■ Softphone Voice...
  • Page 338 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America. ◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US) ◆...
  • Page 339: Figure 211: Displaying Remote Device Information For Lldp (Port)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Web Interface To display LLDP information for a remote port: Click Administration, LLDP. Select Show Remote Device Information from the Step list. Select Port, Port Details, Trunk, or Trunk Details. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
  • Page 340: Figure 212: Displaying Remote Device Information For Lldp (Port Details)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 212: Displaying Remote Device Information for LLDP (Port Details)
  • Page 341: Displaying Device Statistics

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 213: Displaying Remote Device Information for LLDP (End Node) Displaying Device Statistics Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 342 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources. ◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
  • Page 343: Power Over Ethernet

    Chapter 13 | Basic Administration Protocols Power over Ethernet Figure 214: Displaying LLDP Device Statistics (General) Figure 215: Displaying LLDP Device Statistics (Port) Power over Ethernet The GEP-1061 switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device.
  • Page 344: Setting The Switch's Overall Poe Power Budget

    Chapter 13 | Basic Administration Protocols Power over Ethernet Ports can be set to one of three power priority levels, critical, high, or low. To control the power supply within the switch’s budget, ports set at critical to high priority have power enabled in preference to those ports set at low priority.
  • Page 345: Setting The Port Poe Power Budget

    Chapter 13 | Basic Administration Protocols Power over Ethernet Set the maximum PoE power provided by the switch, and enable the compatible mode if required. Click Apply. Figure 216: Setting the Switch’s PoE Budget Setting the Port Use the Administration > PoE > PSE page to set the maximum power provided to a port.
  • Page 346 Chapter 13 | Basic Administration Protocols Power over Ethernet ◆ If the power demand from devices connected to all switch ports exceeds the power budget set for the switch, the port power priority settings are used to control the supplied power. For example: ■ If a device is connected to a low-priority port and causes the switch to...
  • Page 347: Simple Network Management Protocol

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To set the PoE power budget for a port: Click Administration, PoE, PSE. Enable PoE power on selected ports. Set the priority and the power budget. And specify a time range during which PoE will be provided to an interface. Click Apply.
  • Page 348: Table 27: Snmpv3 Security Models And Levels

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
  • Page 349: Configuring Global Settings For Snmp

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Command Usage Configuring SNMPv1/2c Management Access To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
  • Page 350: Setting The Local Engine Id

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure global settings for SNMP: Click Administration, SNMP. Select Configure Global from the Step list. Enable SNMP and the required trap types. Click Apply Figure 218: Configuring Global Settings for SNMP Setting the Use the Administration >...
  • Page 351: Specifying A Remote Engine Id

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure the local SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Set Engine ID from the Action list. Enter an ID of at least 9 hexadecimal characters. Click Apply Figure 219: Configuring the Local Engine ID for SNMP Specifying a...
  • Page 352: Figure 220: Configuring A Remote Engine Id For Snmp

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
  • Page 353: Setting Snmpv3 Views

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting SNMPv3 Views Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview”...
  • Page 354: Figure 222: Creating An Snmp View

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 222: Creating an SNMP View To show the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 223: Showing SNMP Views To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP.
  • Page 355: Configuring Snmpv3 Groups

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 224: Adding an OID Subtree to an SNMP View To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
  • Page 356 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model: ■ noAuthNoPriv – There is no authentication or encryption used in SNMP...
  • Page 357: Table 28: Supported Notification Messages

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 28: Supported Notification Messages Model Level Group RFC 1493 Traps newRoot (1.3.6.1.2.1.17.0.1) – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its...
  • Page 358 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 28: Supported Notification Messages (Continued) Model Level Group Private Traps swPowerStatusChangeTrap (1.3.6.1.4.1.22426.43.103.2.1.0.1) – This trap is sent when the power state changes. swPortSecurityTrap (1.3.6.1.4.1.22426.43.103.2.1.0.36) – This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
  • Page 359 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 28: Supported Notification Messages (Continued) Model Level Group dot1agCfmLoopFindTrap (1.3.6.1.4.1.22426.43.103.2.1.0.100) – This trap is sent when a MEP receives its own CCMs. dot1agCfmMepUnknownTrap (1.3.6.1.4.1.22426.43.103.2.1.0.101) – This trap is sent when a CCM is received from an unexpected MEP.
  • Page 360 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 28: Supported Notification Messages (Continued) Model Level Group userauthDeleteUserTrap (1.3.6.1.4.1.22426.43.103.2.1.0.210) – This trap is sent when a user account is deleted. userauthModifyUserPrivilegeTrap (1.3.6.1.4.1.22426.43.103.2.1.0.211) – This trap is sent when user privilege is modified. cpuGuardControlTrap (1.3.6.1.4.1.22426.43.103.2.1.0.213) – This trap is sent when CPU utilization rises above...
  • Page 361: Figure 226: Creating An Snmp Group

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 362: Setting Community Access Strings

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting Community Access Strings Use the Administration > SNMP (Configure Community – Add) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 363: Configuring Local Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the community access strings: Click Administration, SNMP. Select Configure Community from the Step list. Select Show from the Action list. Figure 229: Showing Community Access Strings Configuring Local SNMPv3 Users Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
  • Page 364: Figure 230: Configuring Local Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required. (Range: 8-32 characters) ◆...
  • Page 365: Figure 231: Showing Local Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 231: Showing Local SNMPv3 Users To change a local SNMPv3 user group: Click Administration, SNMP.
  • Page 366: Configuring Remote Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Configuring Remote SNMPv3 Users Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 367: Figure 233: Configuring Remote Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure a remote SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Remote User from the Action list. Enter a name and assign it to a group. Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 368: Specifying Trap Managers

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 234: Showing Remote SNMPv3 Users Specifying Trap Managers Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers.
  • Page 369 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Parameters These parameters are displayed: SNMP Version 1 ◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version –...
  • Page 370 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol SNMP Version 3 ◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. ◆...
  • Page 371: Figure 235: Configuring Trap Managers (Snmpv1)

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply Figure 235: Configuring Trap Managers (SNMPv1) Figure 236: Configuring Trap Managers (SNMPv2c)
  • Page 372: Creating Snmp Notification Logs

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 237: Configuring Trap Managers (SNMPv3) To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 238: Showing Trap Managers Creating SNMP Use the Administration >...
  • Page 373 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications. ◆ If notification logging is not configured, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
  • Page 374: Showing Snmp Statistics

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 239: Creating SNMP Notification Logs To show configured SNMP notification logs: Click Administration, SNMP. Select Configure Notify Filter from the Step list. Select Show from the Action list. Figure 240: Showing SNMP Notification Logs Showing Use the Administration >...
  • Page 375 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages. ◆ Number of requested variables – The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
  • Page 376: Remote Monitoring

    Chapter 13 | Basic Administration Protocols Remote Monitoring Web Interface To show SNMP statistics: Click Administration, SNMP. Select Show Statistics from the Step list. Figure 241: Showing SNMP Statistics Remote Monitoring Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 377: Configuring Rmon Alarms

    Chapter 13 | Basic Administration Protocols Remote Monitoring Configuring RMON Alarms Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
  • Page 378: Figure 242: Configuring An Rmon Alarm

    Chapter 13 | Basic Administration Protocols Remote Monitoring alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 379: Configuring Rmon Events

    Chapter 13 | Basic Administration Protocols Remote Monitoring To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 243: Showing Configured RMON Alarms Configuring RMON Events Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered.
  • Page 380 Chapter 13 | Basic Administration Protocols Remote Monitoring ◆ Type – Specifies the type of event to initiate: ■ None – No event is generated. ■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see “System Log Configuration”...
  • Page 381: Configuring Rmon History Samples

    Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 244: Configuring an RMON Event To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 245: Showing Configured RMON Events Configuring RMON Use the Administration >...
  • Page 382 Chapter 13 | Basic Administration Protocols Remote Monitoring Command Usage ◆ Each index number equates to a port on the switch. ◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made. ◆...
  • Page 383: Figure 246: Configuring An Rmon History Sample

    Chapter 13 | Basic Administration Protocols Remote Monitoring Enter an index number, the sampling interval, the number of buckets to use, and the name of the owner for this entry. Click Apply Figure 246: Configuring an RMON History Sample To show configured RMON history samples: Click Administration, RMON.
  • Page 384: Configuring Rmon Statistical Samples

    Chapter 13 | Basic Administration Protocols Remote Monitoring To show collected RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click History. Figure 248: Showing Collected RMON History Samples Configuring RMON Use the Administration >...
  • Page 385: Figure 249: Configuring An Rmon Statistical Sample

    Chapter 13 | Basic Administration Protocols Remote Monitoring Web Interface To enable regular sampling of statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry Click Apply Figure 249: Configuring an RMON Statistical Sample...
  • Page 386: Figure 250: Showing Configured Rmon Statistical Samples

    Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 250: Showing Configured RMON Statistical Samples To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
  • Page 387: Setting A Time Range

    Chapter 13 | Basic Administration Protocols Setting a Time Range Setting a Time Range Use the Administration > Time Range page to set a time range during which various functions are applied, including applied ACLs or PoE. Command Usage ◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
  • Page 388: Figure 252: Setting The Name Of A Time Range

    Chapter 13 | Basic Administration Protocols Setting a Time Range Web Interface To configure a time range: Click Administration, Time Range. Select Add from the Action list. Enter the name of a time range. Click Apply. Figure 252: Setting the Name of a Time Range To show a list of time ranges: Click Administration, Time Range.
  • Page 389: Lbd Configuration

    Chapter 13 | Basic Administration Protocols LBD Configuration Figure 254: Add a Rule to a Time Range To show the rules configured for a time range: Click Administration, Time Range. Select Show Rule from the Action list. Figure 255: Showing the Rules Configured for a Time Range LBD Configuration The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings.
  • Page 390: Configuring Global Settings For Lbd

    Chapter 13 | Basic Administration Protocols LBD Configuration spanning tree protocol, general loopback detection cannot be enabled on the same interface. ◆ When a loopback event is detected on an interface or when an interface is released from a shutdown state caused by a loopback event, a trap message is sent and the event recorded in the system log.
  • Page 391: Figure 256: Configuring Global Settings For Lbd

    Chapter 13 | Basic Administration Protocols LBD Configuration ◆ Trap – Sends a trap when a loopback condition is detected, or when the switch recovers from a loopback condition. (Options: Both, Detect, None, Recover; Default: None) ■ Both – Sends an SNMP trap message when a loopback condition is...
  • Page 392: Configuring Interface Settings For Lbd

    Chapter 13 | Basic Administration Protocols LBD Configuration Configuring Interface Settings for LBD Use the Administration > LBD (Configure Interface) page to enable loopback detection on an interface, to display the loopback operational state, and the VLANs which are looped back. Parameters These parameters are displayed: ◆...
  • Page 393: Multicast Filtering

    Multicast Filtering This chapter describes how to configure the following multicast services: ◆ IGMP Snooping – Configures snooping and query parameters. ◆ Filtering and Throttling – Filters specified multicast service, or throttles the maximum of multicast groups allowed on an interface. ◆...
  • Page 394: Layer 2 Igmp (Snooping And Query For Ipv4)

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch. In this case (Layer 2) IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service.
  • Page 395 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
  • Page 396: Configuring Igmp Snooping And Query Parameters

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Configuring IGMP Snooping and Query Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 397 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
  • Page 398 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) multicast router receives this solicitation, it immediately issues an IGMP general query. A query solicitation can be sent whenever the switch notices a topology change, even if it is not the root bridge in spanning tree. ◆...
  • Page 399: Figure 259: Configuring General Settings For Igmp Snooping

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300) ◆...
  • Page 400: Specifying Static Interfaces For A Multicast Router

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Specifying Static Interfaces for a Multicast Router Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 401: Figure 260: Configuring A Static Interface For A Multicast Router

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Web Interface To specify a static interface attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Add Static Multicast Router from the Action list. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
  • Page 402: Assigning Interfaces To Multicast Services

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch. To show all the interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router.
  • Page 403: Figure 263: Assigning An Interface To A Multicast Service

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Multicast IP – The IP address for a specific multicast service. Web Interface To statically assign an interface to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Add Static Member from the Action list.
  • Page 404: Setting Igmp Snooping Status Per Interface

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 264: Showing Static Interfaces Assigned to a Multicast Service Setting IGMP Snooping Status Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters”...
  • Page 405 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the occurrence of these events: ■ Upon the expiration of a periodic (randomized) timer...
  • Page 406 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. ◆...
  • Page 407 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service. ◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting. (Options: Enabled, Disabled, Using Global Status;...
  • Page 408 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Query Response Interval – The maximum time the system waits for a response to general queries. (Range: 10-31740 tenths of a second in multiples of 10; Default: 10 seconds) This attribute applies when the switch is serving as the querier (page 396), or as...
  • Page 409: Figure 265: Configuring Igmp Snooping On A Vlan

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Select the VLAN to configure and update the required parameters. Click Apply. Figure 265: Configuring IGMP Snooping on a VLAN To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface.
  • Page 410: Filtering Igmp Query Packets And Multicast Data

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Filtering IGMP Query Packets and Multicast Data Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets. Parameters...
  • Page 411: Displaying Multicast Groups Discovered By Igmp Snooping

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Displaying Multicast Groups Discovered by IGMP Snooping Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. Command Usage To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page...
  • Page 412: Displaying Igmp Snooping Statistics

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Displaying IGMP Snooping Statistics Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface. Parameters These parameters are displayed: ◆...
  • Page 413 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ V3 Warning Count – The number of times the query version received (Version 3) does not match the version configured for this interface. VLAN, Port, and Trunk Statistics Input Statistics ◆...
  • Page 414: Figure 269: Displaying Igmp Snooping Statistics - Query

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 269: Displaying IGMP Snooping Statistics – Query To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics. Select Show VLAN Statistics from the Action list. Select a VLAN.
  • Page 415: Figure 270: Displaying Igmp Snooping Statistics - Vlan

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 270: Displaying IGMP Snooping Statistics – VLAN To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
  • Page 416: Filtering And Throttling Igmp Groups

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Filtering and Throttling IGMP Groups In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 417: Configuring Igmp Filter Profiles

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Figure 272: Enabling IGMP Filtering and Throttling Configuring IGMP Filter Profiles Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 418: Figure 273: Creating An Igmp Filtering Profile

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Web Interface To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode.
  • Page 419: Configuring Igmp Filtering And Throttling For Interfaces

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Select the profile to configure, and add a multicast group address or range of addresses. Click Apply. Figure 275: Adding Multicast Groups to an IGMP Filtering Profile To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter.
  • Page 420 Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups set to replace, the switch randomly removes an existing group and replaces it with the new multicast group. Parameters These parameters are displayed: ◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk.
  • Page 421: Mld Snooping (Snooping And Query For Ipv4)

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Figure 277: Configuring IGMP Filtering and Throttling Interface Settings MLD Snooping (Snooping and Query for IPv4) Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
  • Page 422 Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address.
  • Page 423: Setting Immediate Leave Status For Mld Snooping Per Interface

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Click Apply. Figure 278: Configuring General Settings for MLD Snooping Setting Immediate Leave Status for MLD Snooping Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN. Parameters...
  • Page 424: Specifying Static Interfaces For An Ipv6 Multicast Router

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Figure 279: Configuring Immediate Leave for MLD Snooping Specifying Static Interfaces for an IPv6 Multicast Router Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
  • Page 425: Figure 280: Configuring A Static Interface For An Ipv6 Multicast Router

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Figure 280: Configuring a Static Interface for an IPv6 Multicast Router To show the static interfaces attached to a multicast router: Click Multicast, MLD Snooping, Multicast Router. Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 426: Assigning Interfaces To Ipv6 Multicast Services

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Assigning Interfaces to IPv6 Multicast Services: Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see...
  • Page 427: Figure 283: Assigning An Interface To An Ipv6 Multicast Service

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Figure 283: Assigning an Interface to an IPv6 Multicast Service To show the static interfaces assigned to an IPv6 multicast service: Click Multicast, MLD Snooping, MLD Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 428: Showing Mld Snooping Groups And Source List

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Figure 285: Showing Current Interfaces Assigned to an IPv6 Multicast Service. Showing MLD Snooping Groups: Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
  • Page 429: Figure 286: Showing Ipv6 Multicast Services And Corresponding Sources

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv4) Web Interface To display known MLD multicast groups: Click Multicast, MLD Snooping, Group Information. Select the port or trunk, and then select a multicast service assigned to that interface.
  • Page 431: Ip Tools

    IP Tools This chapter provides information on network functions including: ◆ Ping – Sends ping message to another node on the network. ◆ Trace Route – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol –...
  • Page 432: Figure 287: Pinging A Network Device

    Chapter 15 | IP Tools Using the Ping Function ■ Network or host unreachable - The gateway found no corresponding entry in the route table. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
  • Page 433: Using The Trace Route Function

    Chapter 15 | IP Tools Using the Trace Route Function Using the Trace Route Function Use the Tools > Trace Route page to show the route packets take to the specified destination. Parameters These parameters are displayed: ◆ Destination IP Address – Alias or IPv4/IPv6 address of the host. ◆...
  • Page 434: Address Resolution Protocol

    Chapter 15 | IP Tools Address Resolution Protocol Figure 288: Tracing the Route to a Network Device Address Resolution Protocol If IP routing is enabled (page 673), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next.
  • Page 435: Displaying Dynamic Or Local Arp Entries

    Chapter 15 | IP Tools Address Resolution Protocol cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the router will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request.
  • Page 437: Ip Services

    IP Services This chapter describes the following IP services: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ DHCP Client – Specifies the DHCP client identifier for an interface. ◆...
  • Page 438: Configuring A List Of Domain Names

    Chapter 16 | IP Services Domain Name Service then the switch will automatically enable DNS host name-to-address translation. Parameters These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names.
  • Page 439: Figure 291: Configuring A List Of Domain Names For Dns

    Chapter 16 | IP Services Domain Name Service ◆ When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see “Configuring a List of Name Servers”...
  • Page 440: Configuring A List Of Name Servers

    Chapter 16 | IP Services Domain Name Service Figure 292: Showing the List of Domain Names for DNS. Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
  • Page 441: Configuring Static Dns Host To Address Entries

    Chapter 16 | IP Services Domain Name Service Figure 293: Configuring a List of Name Servers for DNS To show the list of name servers: Click IP Service, DNS. Select Show Name Servers from the Action list. Figure 294: Showing the List of Name Servers for DNS Configuring Use the IP Service >...
  • Page 442: Displaying The Dns Cache

    Chapter 16 | IP Services Domain Name Service Web Interface To configure static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Add from the Action list. Enter a host name and the corresponding address. Click Apply. Figure 295: Configuring Static Entries in the DNS Table To show static entries in the DNS table: Click IP Service, DNS, Static Host Table.
  • Page 443: Dynamic Host Configuration Protocol

    Chapter 16 | IP Services Dynamic Host Configuration Protocol Parameters These parameters are displayed: ◆ No. – The entry number for each resource record. ◆ Flag – The flag is always “4” indicating a cache entry and therefore unreliable. ◆ Type –...
  • Page 444: Specifying A Dhcp Client Identifier

    Chapter 16 | IP Services Dynamic Host Configuration Protocol Specifying a DHCP Client Identifier: Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface. Command Usage ◆ The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
  • Page 445: Configuring Dhcp Relay Service

    Chapter 16 | IP Services Dynamic Host Configuration Protocol ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: ■ Default – The default string is the model number. ■ Text – A text string. (Range: 1-32 characters)...
  • Page 446: Figure 299: Layer 3 Dhcp Relay Service

    Chapter 16 | IP Services Dynamic Host Configuration Protocol Option 82 information contains information which can identify both the relay agent and the interface through which the DHCP request was received: ◆ The DHCP Relay Information Option Remote ID (RID) is the access node identifier –...
  • Page 447 Chapter 16 | IP Services Dynamic Host Configuration Protocol VLAN or a non-management VLAN, it will process it according to the configured relay information option policy: ■ If the policy is “replace,” the DHCP request packet’s option 82 content (the RID and CID sub-option) is replaced with information provided by the switch.
  • Page 448 Chapter 16 | IP Services Dynamic Host Configuration Protocol ■ A DHCP relay server has been set on the switch, and the switch receives a reply packet on a non-management VLAN. Parameters These parameters are displayed: ◆ Insertion of Relay Information – Enable DHCP Option 82 information relay. (Default: Disabled) ◆...
  • Page 449: Enabling Dhcp Dynamic Provision

    Chapter 16 | IP Services Dynamic Host Configuration Protocol Figure 300: Configuring DHCP Relay Service. Enabling DHCP Dynamic Provision: Use the IP Service > DHCP > Dynamic Provision page to enable dynamic provisioning via DHCP. Command Usage DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.
  • Page 450: Figure 301: Enabling Dynamic Provisioning Via Dhcp

    Chapter 16 | IP Services Dynamic Host Configuration Protocol Figure 301: Enabling Dynamic Provisioning via DHCP – 450 –...
  • Page 451: Ip Configuration

    IP Configuration This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server.
  • Page 452: Configuring Ipv4 Interface Settings

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 4) Web Interface To configure an IPv4 default gateway for the switch: Click System, IP. Select Configure Global from the Action list. Enter the IPv4 default gateway. Click Apply. Figure 302: Configuring the IPv4 Default Gateway Configuring IPv4 Use the System >...
  • Page 453 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 4) ◆ IP Address Type – Specifies a primary or secondary IP address. An interface can have only one primary IP address, but can have many secondary IP addresses. In other words, secondary addresses need to be specified if more than one IP subnet can be accessed through this interface.
  • Page 454: Figure 303: Configuring A Static Ipv4 Address

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 4) Figure 303: Configuring a Static IPv4 Address To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch: Click System, IP. Select Configure Interface from the Step list. Select Add Address from the Action list.
  • Page 455: Setting The Switch's Ip Address (Ip Version 6)

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
  • Page 456: Configuring The Ipv6 Default Gateway

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) segments, the switch must be configured with a global unicast address. Both link-local and global unicast address types can either be dynamically assigned (using the Configure Interface page) or manually configured (using the Add IPv6 Address page).
  • Page 457: Configuring Ipv6 Interface Settings

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Configuring IPv6 Interface Settings: Use the System > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, explicit configuration of a link local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.
  • Page 458 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) have the “other stateful configuration” flag set, the switch will attempt to acquire other non-address configuration information (such as a default gateway). ■ If auto-configuration is not selected, then an address must be manually...
  • Page 459 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) remain in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses. ■ If a duplicate address is detected, it is set to “duplicate” state, and a warning...
  • Page 460 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Prior to submitting a client request to a DHCPv6 server, the switch should be configured with a link-local address using the Address Autoconfig option. The state of the Managed Address Configuration flag (M flag) and Other Stateful Configuration flag (O flag) received in Router Advertisement messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below.
  • Page 461: Configuring An Ipv6 Address

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Figure 307: Configuring General Settings for an IPv6 Interface. Configuring an IPv6 Address: Use the System > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network.
  • Page 462 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) automatically create the low-order 64 bits in the host portion of the address. ■ You can also manually configure the global unicast address by entering the full address and prefix length. ◆...
  • Page 463: Figure 308: Configuring An Ipv6 Address

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
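The EUI-48 to EUI-64 conversion described above, as an added example that is not part of the manual: it builds the interface identifier, combines it with a /64 prefix, and also reverses the mapping, which shows that an EUI-64 management address discloses the switch's MAC address. The function names, the sample MAC address and the sample prefixes are constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")


def parse_mac(mac: str) -> bytes:
    """Parse a 48-bit MAC written as xx-xx-xx-xx-xx-xx or xx:xx:xx:xx:xx:xx."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not an EUI-48 MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", mac))


def eui64_interface_id(mac: str) -> bytes:
    """Invert the universal/local bit and insert FFFE between the two 3-byte halves."""
    raw = parse_mac(mac)
    first = raw[0] ^ 0x02  # universal/local bit is bit 1 of the first byte
    return bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link-local or global) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None.

    An ff:fe marker in the middle of the interface ID is only a strong hint;
    a randomly generated identifier could contain it by coincidence.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in raw)


if __name__ == "__main__":
    sample_mac = "00-11-22-33-44-55"  # constructed sample value
    for prefix in ("fe80::/64", "2001:db8:2222:7272::/64"):
        addr = eui64_address(prefix, sample_mac)
        print(f"{prefix:<26} -> {addr} -> MAC {mac_from_address(str(addr))}")
    # A manually configured address carries no hardware information.
    print("2001:db8::1 ->", mac_from_address("2001:db8::1"))
```

Because the mapping is reversible, an address audit can flag management interfaces whose interface ID still encodes the hardware address and compare them with manually assigned ones.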
  • Page 464: Showing Ipv6 Addresses

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Showing IPv6 Addresses: Use the System > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. Parameters These parameters are displayed: ◆...
  • Page 465: Showing The Ipv6 Neighbor Cache

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Select a VLAN from the list. Figure 309: Showing Configured IPv6 Addresses. Showing the IPv6 Neighbor Cache: Use the System > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
  • Page 466: Showing Ipv6 Statistics

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 32: Show IPv6 Neighbors - display description Field Description The following states are used for static entries: ◆ Incomplete - The interface for this entry is down. ◆...
  • Page 467 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) feed back information about more suitable routes (that is, the next hop router) to use for a specific destination. ◆ UDP – User Datagram Protocol provides a datagram mode of packet switched communications.
  • Page 468 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 33: Show IPv6 Statistics - display description Field Description Reassembled Succeeded The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments.
  • Page 469 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 33: Show IPv6 Statistics - display description Field Description Parameter Problem Messages: The number of ICMP Parameter Problem messages received by the interface. Echo Request Messages: The number of ICMP Echo (request) messages received by the interface.
  • Page 470 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 33: Show IPv6 Statistics - display description Field Description Group Membership Reduction Messages: The number of ICMPv6 Group Membership Reduction messages sent. Multicast Listener Discovery Version 2 Reports: The number of MLDv2 reports sent by the interface. UDP Statistics Input...
  • Page 471 Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Figure 312: Showing IPv6 Statistics (ICMPv6) Figure 313: Showing IPv6 Statistics (UDP) – 471 –...
  • Page 472: Showing The Mtu For Responding Destinations

    Chapter 17 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Showing the MTU for Responding Destinations: Use the System > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 473: Appendices

    Section III Appendices This section provides additional information and includes these items: ◆ “Software Specifications” on page 475 ◆ “Troubleshooting” on page 479 ◆ “License Information” on page 481 – 473 –...
  • Page 475: A Software Specifications

    Software Specifications Software Features Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter. General Security Measures: Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard. Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/ZX: 1000 Mbps at full duplex (SFP). Flow Control...
  • Page 476: Management Features

    Appendix A | Software Specifications Management Features VLAN Support: Up to 4094 groups; port-based, protocol-based, tagged (802.1Q), voice VLANs, MAC-based. Class of Service: Supports four levels of priority; Strict, Weighted Round Robin (WRR), or a combination of strict and weighted queueing; Layer 3/4 priority mapping: IP DSCP. Quality of Service: DiffServ...
  • Page 477: Standards

    Appendix A | Software Specifications Standards Standards IEEE 802.1AB Link Layer Discovery Protocol IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802.1p Priority tags IEEE 802.1Q VLAN IEEE 802.1v Protocol-based VLANs IEEE 802.1X Port Authentication IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet...
  • Page 478 Appendix A | Software Specifications Management Information Bases Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP MIB (RFC 2011) IP Forwarding Table MIB (RFC 2096) IP Multicasting related MIBs IPV6-MIB (RFC 2065)
  • Page 479: B Troubleshooting

    Troubleshooting Problems Accessing the Management Interface Table 35: Troubleshooting Chart. Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: ◆ Be sure the switch is powered on. ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable.
  • Page 480: Using System Logs

    Appendix B | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 481: C License Information

    License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 482 Appendix C | License Information The GNU General Public License The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
  • Page 483 Appendix C | License Information The GNU General Public License You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for...
  • Page 484 Appendix C | License Information The GNU General Public License If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
  • Page 485: Glossary

    Glossary ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 486 Glossary DiffServ Differentiated Services provides quality of service on large networks by employing a well- defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
  • Page 487 Glossary ICMP Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
  • Page 488 Glossary IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
  • Page 489 Glossary MIB Management Information Base. An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
  • Page 490 Glossary RADIUS Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network. RMON Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
  • Page 491 Glossary TFTP Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads. UDP User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
  • Page 493: Index

    Index Numerics authentication MAC address authentication 243 802.1X MAC, configuring ports 246 authenticator, configuring 294 network access 243 global settings 293 public key 256 port authentication 291 port authentication accounting 231 BOOTP 452 BPDU 166 filter 179 accounting 802.1X port settings 231 flooding when STA disabled on VLAN 170 accounting exec command privileges 231 flooding when STA globally disabled 170...
  • Page 494 Index default IPv4 gateway, configuration 451 DSA encryption 258 default IPv6 gateway, configuration 456 DSCP 197 default priority, ingress port 193 enabling 198 default settings, system 35 ingress map, drop precedence 200 DHCP 443 mapping to internal values 199 class identifier 445 DSCP to PHB/drop precedence 200 client 452 dynamic addresses...
  • Page 495 Index IGMP learning mode, ACL table or MAC table 310 filter profiles, configuration 417 MAC table, learning mode 310 filter, parameters 417 setting filter criteria 309 filtering & throttling 416 setting maximum bindings 310 filtering & throttling, creating profile 417 IP statistics 466 filtering &...
  • Page 496 Index Link Layer Discovery Protocol See LLDP memory link type, STA 177 status 90 LLDP 321 utilization, showing 90 device statistics details, displaying 343 mirror port device statistics, displaying 341 configuring 129 display device information 333 configuring local traffic 129 displaying remote information 333 configuring remote traffic 130 interface attributes, configuring 323...
  • Page 497 Index MAC address filter 247 power savings port configuration 246 configuring 127 secure MAC information 249 enabling per port 127 priority, default port ingress 193 authentication keys, specifying 81 private key 254 client, enabling 77 problems, troubleshooting 479 setting the system clock 79 protocol migration 179 specifying servers 79 protocol VLANs 148...
  • Page 498 Index RSTP 165 BPDU shutdown 179 global settings, configuring 169 detecting loopbacks 167 global settings, displaying 174 edge port 178 interface settings, configuring 175 global settings, configuring 169 interface settings, displaying 180 global settings, displaying 174 interface settings, configuring 175 interface settings, displaying 180 link type 177 secure shell 254...
  • Page 499 Index time zone, setting 82 description 139 time, setting 75 displaying port members by interface 147 traffic segmentation 135 displaying port members by interface range 148 assigning ports 135 displaying port members by VLAN index 146 enabling 135 dynamic assignment 246 sessions, assigning ports 137 egress mode 144 sessions, creating 136...
  • Page 500 E052016/ST-R02 150200001416A...

This manual is also suitable for:

GEP-1061, GEL-2861
