Cisco 500 Series Administration Manual

ADMINISTRATION
GUIDE
Cisco 500 Series Stackable Managed Switch
Administration Guide
Summary of Contents for Cisco 500 Series

  • Page 1 ADMINISTRATION GUIDE Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    Chapter 3: Administration: System Log Setting System Log Settings Setting Remote Logging Settings Viewing Memory Logs Chapter 4: Administration: File Management System Files Upgrade/Backup Firmware/Language Active Image Download/Backup Configuration/Log Configuration Files Properties
  • Page 4 System Modes Chapter 6: Administration Device Models System Settings Console Settings (Autobaud Rate Support) Management Interface System Mode and Stack Management User Accounts Defining Idle Session Timeout Time Settings System Log File Management
  • Page 5 Configuring Port and VLAN Mirroring Viewing CPU Utilization and Secure Core Technology Chapter 9: Administration: Discovery Bonjour LLDP and CDP Configuring LLDP Configuring CDP CDP Statistics Chapter 10: Port Management Configuring Ports
  • Page 6 Macro Failure and the Reset Operation How the Smartport Feature Works Auto Smartport Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Configuring Smartport Using The Web-based Interface Built-in Smartport Macros
  • Page 7 Rapid Spanning Tree Settings Multiple Spanning Tree MSTP Properties VLANs to a MSTP Instance MSTP Instance Settings MSTP Interface Settings Chapter 16: Managing MAC Address Tables Static MAC Addresses Dynamic MAC Addresses Reserved MAC Addresses
  • Page 8 IPv6 Management and Interfaces Domain Name Chapter 19: IP Configuration: RIPv2 Overview How RIP Operates on the Device Configuring RIP Chapter 20: IP Configuration: VRRP Overview Configurable Elements of VRRP Configuring VRRP Chapter 21: Security
  • Page 9 Overview of 802.1X Authenticator Overview Common Tasks 802.1X Configuration Through the GUI Defining Time Ranges Authentication Method and Port Mode Support Chapter 23: Security: IPv6 First Hop Security IPv6 First Hop Security Overview
  • Page 10 Common Tasks SSH Client Configuration Through the GUI Chapter 25: Security: SSH Server Overview Common Tasks SSH Server Configuration Pages Chapter 26: Security: Secure Sensitive Data Management Introduction SSD Rules SSD Properties
  • Page 11 Chapter 29: SNMP SNMP Versions and Workflow Model OIDs SNMP Engine ID Configuring SNMP Views Creating SNMP Groups Managing SNMP Users Defining SNMP Communities Defining Trap Settings Notification Recipients SNMP Notification Filters
  • Page 12: Chapter 1: Getting Started

    If you are using a pop-up blocker, make sure it is disabled. Browser Restrictions If you are using IPv6 interfaces on your management station, use the IPv6 global address and not the IPv6 link local address to access the device from your browser.
  • Page 13: Launching The Configuration Utility

    IP address, the power LED is on solid. Logging In The default username is cisco and the default password is cisco. The first time that you log in with the default username and password, you are required to enter a new password.
  • Page 14 Getting Started Starting the Web-based Configuration Utility STEP 3 If this is the first time that you logged on with the default user ID (cisco) and the default password (cisco) or your password has expired, the Change Password Page appears. See Password Expiration for additional information.
  • Page 15 Getting Started page. If you did not select this option, the initial page is the Getting Started page. If you did select this option, the initial page is the System Summary page.
  • Page 16: Quick Start Device Configuration

    Configure Port Mirroring Port and VLAN Mirroring page There are two hot links on the Getting Started page that take you to Cisco web pages for more information. Clicking on the Support link takes you to the device product support page, and clicking on the Forums link takes you to the Support Community page.
  • Page 17: Interface Naming Conventions

    SG500X and Sx500 devices - see Administration: Stack Management for more details). • TCAM size, see TCAM Utilization • Stack ports are different on these devices. See Default Stack and Network Ports.
  • Page 18 Enabling IPv4 routing is done differently in the devices, as follows: SG500X/SG500XG/ESW2-550X—IPv4 routing must be enabled in the IPv4 Interface page. Sx500—When the device is switched from Layer 2 to Layer 3 system mode, IPv4 routing is automatically enabled.
  • Page 19: Window Navigation

    Configuration and sets the device parameters according to the data in the Running Configuration. Username Displays the name of the user logged on to the device. The default username is cisco. (The default password is cisco).
  • Page 20 SYSLOG Alert Status icon is no longer displayed. To display the page when there is not an active SYSLOG message, click Status and Statistics > View Log > RAM Memory.
  • Page 21 Clear Counters Click to clear the statistic counters for the selected interface. Clear Logs Clears log files. Clear Table Clears table entries. Close Returns to main page. If any changes were not applied to the Running Configuration, a message appears.
  • Page 22 2. Click Close to return to the main page. Enter the query filtering criteria and click Go. The results are displayed on the page. Refresh Click Refresh to refresh the counter values. Test Click Test to perform the related tests.
  • Page 23 Getting Started Window Navigation
  • Page 24: Chapter 2: Status And Statistics

    The Interface page displays traffic statistics per port. The refresh rate of the information can be selected. This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion (Unicast, Multicast, and Broadcast).
  • Page 25 To clear or view statistics counters: • Click Clear Interface Counters to clear counters for the interface displayed. • Click View All Interfaces Statistics to see all ports on a single page.
  • Page 26: Etherlike Statistics

    To clear statistics counters: • Click Clear Interface Counters to clear the selected interface's counters. • Click View All Interfaces Statistics to see all ports on a single page.
  • Page 27: GVRP Statistics

    • Invalid Protocol ID—Invalid protocol ID errors. • Invalid Attribute Type—Invalid attribute ID errors. • Invalid Attribute Value—Invalid attribute value errors. • Invalid Attribute Length—Invalid attribute length errors. • Invalid Event—Invalid events.
  • Page 28: 802.1X EAP Statistics

    EAP Response Frames Received—EAP Response frames received by the port (other than Resp/ID frames). • EAP Request/ID Frames Transmitted—EAP Req/ID frames transmitted by the port. • EAP Request Frames Transmitted—EAP Request frames transmitted by the port.
  • Page 29: ACL Statistics

    The interfaces on which packets were forwarded or rejected based on ACL rules are displayed. To manage statistics counters: • Click Refresh to reset the counters. • Click Clear Counters to clear the counters of all interfaces.
  • Page 30: TCAM Utilization

    • IPv6 Multicast Routing—Number of TCAM entries used for IPv6 routing. In Use—Number of TCAM entries used for IPv6 routing. Maximum—Number of available TCAM entries that can be used for IPv6 routing.
  • Page 31: Health

    Define interesting changes in counter values, such as “reached a certain number of late collisions” (defines the alarm), and then specify what action to perform when this event occurs (log, trap, or log and trap).
  • Page 32: RMON Statistics

    Undersize Packets—Undersized packets (less than 64 octets) received. • Oversize Packets—Oversized packets (over 2000 octets) received. • Fragments—Fragments (packets with less than 64 octets, excluding framing bits, but including FCS octets) received.
  • Page 33: RMON History

    After the data is sampled and stored, it appears in the History Table page that can be viewed by clicking History Table.
  • Page 34: RMON History Table

    The History Table page displays interface-specific statistical network samplings. The samples were configured in the History Control table described above. To view RMON history statistics: STEP 1 Click Status and Statistics > RMON > History. STEP 2 Click History Table.
  • Page 35 FCS (Frame Check Sequence) with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number. • Collisions—Collisions received. • Utilization—Percentage of current interface traffic compared to maximum traffic that the interface can handle.
  • Page 36: RMON Events Control

    Log (Event Log Table)—Add a log entry to the Event Log table when the alarm is triggered. Trap (SNMP Manager and SYSLOG Server)—Send a trap to the remote log server when the alarm goes off.
  • Page 37: RMON Alarms

    After a falling alarm is issued, the next alarm is issued when a rising threshold is crossed. One or more alarms are bound to an event, which indicates the action to be taken when the alarm occurs.
  • Page 38 Falling Event—Select an event to be performed when a falling event is triggered. • Startup Alarm—Select the first event from which to start generation of alarms. Rising is defined by crossing the threshold from a low-value threshold to a higher-value threshold.
  • Page 39: View Log

    Owner—Enter the name of the user or network management system that receives the alarm. STEP 4 Click Apply. The RMON alarm is saved to the Running Configuration file. View Log Viewing Memory Logs.
  • Page 40: Chapter 3: Administration: System Log

    (-) on each side (except for Emergency that is indicated by the letter F). For example, the log message "%INIT-I-InitCompleted: … " has a severity level of I, meaning Informational.
  • Page 41 Time and sent in a single message. The aggregated messages are sent in the order of their arrival. Each message states the number of times it was aggregated. • Max. Aggregation Time—Enter the interval of time that SYSLOG messages are aggregated.
  • Page 42: Setting Remote Logging Settings

    IPv4 address of SYSLOG messages sent to SYSLOG servers. • IPv6 Source Interface—Select the source interface whose IPv6 address will be used as the source IPv6 address of SYSLOG messages sent to SYSLOG servers.
  • Page 43 Minimum Severity—Select the minimum level of system log messages to be sent to the server. STEP 5 Click Apply. The Add Remote Log Server page closes, the SYSLOG server is added, and the Running Configuration file is updated.
  • Page 44: Viewing Memory Logs

    Log Settings page. Flash logs remain when the device is rebooted. You can clear the logs manually. To view the Flash logs, click Status and Statistics > View Log > Flash Memory.
  • Page 45 • Log Index—Log entry number. • Log Time—Time when message was generated. • Severity—Event severity. • Description—Message text describing the event. To clear the messages, click Clear Logs. The messages are cleared.
  • Page 46: Chapter 4: Administration: File Management

    The possible methods of file transfer are: • Internal copy • HTTP/HTTPS that uses the facilities that the browser provides • TFTP/SCP client, requiring a TFTP/SCP server
  • Page 47 The device has been operating continuously for 24 hours. No configuration changes have been made to the Running Configuration in the previous 24 hours. The Startup Configuration is identical to the Running Configuration.
  • Page 48 Copy one configuration file type to another configuration file type as described in the Copy/Save Configuration section. • Enable automatically uploading a configuration file from a DHCP server to the device, as described in the section.
  • Page 49: Upgrade/Backup Firmware/Language

    Image can be updated prior to connecting a unit to the stack. This is the recommended method. • Upgrade device or stack. If the stack is updated, the slave units are automatically updated. This is done as follows:
  • Page 50 Select one of the following Save Action: • Upgrade—Specifies that the file type on the device is to be replaced with a new version of that file type located on a TFTP server.
  • Page 51 STEP 5 If you selected via SCP (Over SSH), see SSH Client Authentication instructions. Then, enter the following fields: (only unique fields are described, for non-unique fields, see the descriptions above)
  • Page 52 SCP Server Definition—Select whether to specify the SCP server by IP address or by domain name. • IP Version—Select whether an IPv4 or an IPv6 address is used. • IPv6 Address Type—Select the IPv6 address type (if used). The options are:
  • Page 53: Active Image

    To select the active image: STEP 1 Click Administration > File Management > Active Image. The page displays the following: • Active Image—Displays the image file that is currently active on the device.
  • Page 54: Download/Backup Configuration/Log

    Management Interface section. Configuration File Backwards Compatibility When restoring configuration files from an external device to the device, the following compatibility issues might arise:
  • Page 55 To backup or restore the system configuration file: STEP 1 Click Administration > File Management > Download/Backup Configuration/Log. STEP 2 Select the Transfer Method. STEP 3 If you selected via TFTP, enter the parameters. Otherwise, skip to STEP
  • Page 56 TFTP Server Definition—Select whether to specify the TFTP server by IP address or by domain name. b. IP Version—Select whether an IPv4 or an IPv6 address is used. c. IPv6 Address Type—Select the IPv6 address type (if used). The options are:
  • Page 57 (\ or /), the leading letter of the file name must not be a period (.), and the file name must be between 1 and 160 characters. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”). Click Apply. The file is upgraded or backed up.
  • Page 58 SSH user authentication method (password or public/private key), set a username and password on the device, if the password method is selected, and generate an RSA or DSA key if required.
  • Page 59 Source File Name—Enter the name of the source file. • Destination File Type—Select the configuration file type. Only valid file types are displayed. (The file types are described in the Files and File Types section).
  • Page 60: Configuration Files Properties

    STEP 1 Click Administration > File Management > Configuration Files Properties. This page displays the following fields: • Configuration File Name—Type of system file. • Creation Time—Date and time that file was modified.
  • Page 61: Copy/Save Configuration

    STEP 2 Select the Source File Name to be copied. Only valid file types are displayed (described in the Files and File Types section). STEP 3 Select the Destination File Name to be overwritten by the source file.
  • Page 62: Auto Configuration/Image Update Via DHCP

    Auto Configuration/Image Update via DHCP The Auto Configuration/Image Update feature provides a convenient method to automatically configure Cisco 200, 300 and 500 switches in a network and upgrade their firmware. This process enables the administrator to remotely ensure that the configuration and firmware of these devices in the network are up-to-date.
  • Page 63 TFTP Only—The download is done through TFTP, regardless of the file extension of the configuration file name. • SCP Only—The download is done through SCP (over SSH), regardless of the file extension of the configuration file name.
  • Page 64 • If the DHCP server did not send the indirect file name of the firmware image file, the Backup Indirect Image File Name (from the DHCP Auto Configuration/Image Update page) is used.
  • Page 65 TFTP/SCP server address parameter has not been configured, then: SCP—The Auto Configuration process is halted. TFTP—The device sends TFTP Request messages to a limited Broadcast address (for IPv4) or ALL NODES address (for IPv6) on its IP
  • Page 66 • If Auto Configuration is enabled, the Auto Configuration process is triggered when the configuration file name is received from a DHCP server or a backup configuration file name has been configured.
  • Page 67 In IPv4, to ensure that a device downloads the configuration and image files as intended during the Auto Configuration/Image Update process, it is recommended that the device is always assigned the same IP address.
  • Page 68 Place a configuration file in the working directory. This file can be created by copying a configuration file from a device. When the device is booted, this becomes the Running Configuration file.
  • Page 69 STEP 2 Defining an IPv4 Interface in Layer 2 System Mode, Defining IPv4 Interface in Layer 3 System Mode pages, and/or define the device as a stateless DHCPv6 client in the IPv6 Interface page.
  • Page 70 —If Auto By File Extension is selected, you can indicate a file extension here. Any file with this extension is downloaded using SCP. If no extension is entered, the default file extension .scp is used.
  • Page 71 Backup Configuration File Name—Enter the backup configuration file name. • Backup Indirect Image File Name—Enter the indirect image file name to a file that holds the path to the image.
  • Page 72 An example of an indirect image file name is: indirect-cisco.scp. This file contains the path and name of the firmware image. The following fields are displayed: • Last Auto Configuration/Image Server IP Address—Address of the last backup server. • Last Auto Configuration File Name—Name of the last configuration file name.
  • Page 73: Chapter 5: Administration: Stack Management

    System Modes Overview Devices can either function on their own (Standalone mode), or they can be connected into a stack of up to eight devices in various stacking modes (see Stack Unit Mode).
  • Page 74 Until the stack recovers to the new chain topology, the stack port that is currently down loops back the packets that were supposed to be sent through it, so that the packets arrive at their
  • Page 75: Types Of Units In Stack

    Hybrid stack mode, its system mode reverts to the default system mode (SG500X/ESW2-550X: L3 and L2, Sx500: L2). If a stack’s unit IDs were manually configured, those units whose ID is greater than 4 are switched to auto numbering.
  • Page 76: Unit LEDs

    • Ring Topology—Each unit is connected to the neighboring unit. The last unit is connected to the first unit. The following shows a ring topology of an eight-unit stack:
  • Page 77: Topology Discovery

    During topology discovery, each unit in a stack exchanges packets, which contain topology information. After the topology discovery process is completed, each unit contains the stack mapping information of all units in the stack.
  • Page 78: Unit ID Assignment

    ID. Unit 1 does not join the stack and is shut down. It did not win the master selection process between the master-enabled units (1 or 2). Duplicate Unit Shut Down
  • Page 79 Duplication Between Two Units With Auto Number Unit ID NOTE If a new stack has more than the maximum number of units (8), all extra units are shut down.
  • Page 80: Master Selection Process

    Any of its stack ports has a link up or down. • The stack changes between ring and chain formation. When units are added to or removed from a stack, it triggers topology changes, master election process, and/or unit ID assignment.
  • Page 81 The best unit is the unit with the higher uptime in segments of 10 minutes. The other unit is made the backup. Auto-numbered Master-enabled Unit
  • Page 82: Unit Failure In Stack

    1. The newer Unit 1 does not join the stack and is shut down. User-assigned Master-enabled Unit Unit Failure in Stack Failure of Master Unit If the Master fails, the backup unit takes over the master role and continues to operate the stack normally.
  • Page 83 Clear and reset the configuration of the slave unit to default (to prevent an incorrect configuration from the new master unit). As a result, there is no traffic forwarding on the slave unit.
  • Page 84: Software Auto Synchronization In Stack

    All units in a native stack must be of the same type (either all Sx500s, all SG500Xs/ESW2-550Xs or all SG500XGs).
  • Page 85 Native Stacking mode. Disabled Stack consists of all ESW2-550Xs Enabled/ 1G/10G or 1G/5G in Native Stacking mode. Disabled Stack consists of all Sx500s in 1G/5G (default) or 1G Native Stacking mode. supported. Copper/SFP (Combo)
  • Page 86 LEDs (system, FAN, unit IDs, network ports and stack ports LEDs) are turned on. The information regarding the stack unit mode is displayed as a SYSLOG error in the master unit.
  • Page 87 It is retained after bootup in the following cases: • SG500X/ESW2-550X devices: Standalone to Native Stacking—Retained only when the unit is forced to become the master with unit ID = 1
  • Page 88: Stack Ports

    When two neighboring units are connected, the ports connecting them are automatically assigned to a stack LAG. This feature enables increasing the stack bandwidth of the stack port beyond that of a single port.
  • Page 89 (inactive). Recommended Stack Connections The following tables describe the optimal way to connect units in a stack according to the type of units in the stack.
  • Page 90 Case 2: XG1 to one neighbor and XG2 to another neighbor Case 3: S1 and S2 to same neighbor Case 4: XG1 and XG2 to same neighbor S1+S2 to same neighbor and XG1+XG2 to another neighbor
  • Page 91 SG500X/ESW2-550X Devices—S1-S2-10G are stack ports by default. You can manually reconfigure S1-S2-10G and S1-S2-5G as network ports or stack ports. • SG500XG Devices—Any ports can be stack or network. By default the device is standalone.
  • Page 92: Port Speeds

    Two units can only be connected in a stack if the ports on both ends of the link are of the same speed. This is done by configuring the stack ports speed to: • Auto Speed mode • Same speed on each side of the connection
  • Page 93 Passive Copper Cable Cisco SFP-H10GB-CU5M – Passive Copper Cable Cisco SFP-10G- supported supported supported supported Cisco SFP-10G- supported supported supported supported Cisco SFP-10G- supported supported supported supported 1G SFP Module MGBSX1
  • Page 94 Cisco SFP-H10GB-CU1M – Passive Copper Cable 1G - 10G Cisco SFP-H10GB-CU3M – Passive Copper Cable 1G - 10G Cisco SFP-H10GB-CU5M – Passive Copper Cable 1G - 10G Cisco SFP-10G-SR Cisco SFP-10G-LRM Cisco SFP-10G-LR 1G SFP Module MGBSX1
  • Page 95 1G SFP Module MGBT1 1G SFP Module MGBLX1 1G SFP Module MGBBX1 100Mbs SFP Module MFELX1 Not supported 100Mbs SFP Module MFEFX1 Not supported 100Mbs SFP Module MFEBX1 Not supported Other SFPs
  • Page 96: Default Configuration

    RIP and VRRP are not supported in Basic Hybrid stack mode. System Modes Use the System Mode and Stack Management page to perform the following: • Change the stack mode of a device to Standalone.
  • Page 97 Stacking mode). If you want to downgrade software from a device that was configured in a hybrid stacking mode to a software version that does not support hybrid stacking, configure the device to Native Stacking mode first.
  • Page 98 Stack Master—Select the master unit of the stack. The following options are available: Auto Select—System selects the master. See Master Selection Process. Unit 1—Select unit 1 as the master unit after reboot. Unit 2—Select unit 2 as the master unit after reboot.
  • Page 99 When you click on the arrows connecting the devices, a tooltip displays the unit number, the type of stack ports connecting the units and the numbers of the connected units. See an example of this below:
  • Page 100 Unit 1 Stack Connection Speed—Select the speed for the stack ports. Select Auto for the system to select the speed. STEP 3 Click Apply and Reboot. The parameters are copied to the Running Configuration file and the stack is rebooted.
  • Page 101 Administration: Stack Management System Modes
  • Page 102: Chapter 6: Administration

    System Log • File Management • Rebooting the Device • Routing Resources • Health • Diagnostics • Discovery - Bonjour • Discovery - LLDP • Discovery - CDP • Ping • Traceroute Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 103: Device Models

    SF500-48MP-K9 48-Port 10/100 Max-PoE Stackable 740W Managed Switch SF500-48P SF500-48P-K9 48-Port 10/100 PoE Stackable 375W Managed Switch SG500-28 SG5000-28-K9 28-Port Gigabit Stackable Managed Switch SG500-28MPP SG500-28MPP-K9 28-Port Gigabit PoE Managed 740W Switch Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 104 Switch ESW2-550X-48 ESW2-550X-48- 48-Port Gigabit with 4-Port 10- Gigabit Stackable Managed Switch ESW2-550X- ESW2-550X- 48-Port Gigabit with 4-Port 10- 48DC 48DC-K9 Gigabit Stackable Managed Switch SG500XG-8F8T SG500XG-8F8T- 16-Port 10-Gigabit Stackable Managed Switch Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 105: System Settings

    System Object ID—Unique vendor identification of the network management subsystem contained in the entity (used in SNMP). • System Uptime—Time that has elapsed since the last reboot. • Current Time—Current system time. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 106 Language MD5 Checksum—MD5 checksum of the language file. TCP/UDP Services Status: • HTTP Service—Whether HTTP is enabled/disabled. • HTTPS Service—Whether HTTPS is enabled/disabled. • SNMP Service—Whether SNMP is enabled/disabled. • Telnet Service—Whether Telnet is enabled/disabled. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 107 Host Name—Select the host name of this device. This is used in the prompt of CLI commands: Use Default—The default hostname (System Name) of these switches is: switch123456, where 123456 represents the last three bytes of the device MAC address in hex format. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 108: Console Settings (Autobaud Rate Support)

    To enable Auto Detection or to manually set the baud rate of the console: STEP 1 Click Administration > Console Settings. STEP 2 Select one of the following: • Auto Detection—The console baud rate is detected automatically.
  • Page 109: Management Interface

    To set the idle session timeout for various types of sessions: STEP 1 Click Administration > Idle Session Timeout. STEP 2 Select the timeout for each session type from the corresponding list. The default timeout value is 10 minutes.
  • Page 110: Time Settings

    You are performing actions on a remote device, and these actions might cause loss of connectivity to the remote device. Pre-scheduling a reboot restores the working configuration and enables restoring the connectivity to
  • Page 111 This process erases the Startup Configuration file and the backup configuration file. The stack unit ID is set to auto, and on Sx500 devices the system mode is set to Layer 2.
  • Page 112: Routing Resources

    If IPv4 routing is enabled on the device, the following table describes the number of TCAM entries used by the various features:
    Table 5
    Logical Entity                 IPv4
    IP Neighbor                    1 entry
    IP Address on an interface     2 entries
    IP Remote Route                1 entry
  • Page 113 • Routes (1 TCAM entry per route)—Count is the number of routes recorded on the device, and TCAM Entries is the number of TCAM entries being used for the routes. • Total—Displays the number of TCAM entries currently in use.
  • Page 114 Use Default—On Sx500 the number of TCAM entries is 25% of the TCAM size. On SG500X/SG500XG the number of Router TCAM entries is 50% of the Router TCAM size. User Defined—Enter a value.
  • Page 115 In Use—Number of TCAM entries used for IPv6 Multicast routing. Maximum—Maximum number of TCAM entries available for IPv6 Multicast routing. • Maximum TCAM Entries for Non-IP Rules—Number of TCAM entries available for non-IP rules.
  • Page 116: Health

    In this case, the following actions are performed by the device if it overheats and during the cool-down period after overheating:
    Event                                                          Action
    At least one temperature sensor exceeds the Warning threshold  The following are generated: • SYSLOG message • SNMP trap
  • Page 117 N/A—Fan ID is not applicable for the specific model. • Fan Direction—(On relevant devices) The direction in which the fans are working (for example, Front to Back). • Temperature—The options are: OK—The temperature is below the warning threshold.
  • Page 118: Diagnostics

    Critical—Temperature is above the critical threshold. If the device is in Native Stack mode, the Health page displays the above fields for each unit. Diagnostics—See Administration: Diagnostics. Discovery - Bonjour—See Bonjour.
  • Page 119: Discovery - Lldp

    IP addresses of the type specified in the IP Version field are displayed. NOTE If the Auto option is selected, the system computes the source address based on the destination address.
  • Page 120 STEP 3 (continued) added to the list of messages, indicating the result of the ping operation. STEP 4 View the results of the ping in the Ping Counters and Status section of the page.
  • Page 121: Traceroute

    A page appears showing the Round Trip Time (RTT) and status for each trip in the fields: • Index—Displays the number of the hop. • Host—Displays a stop along the route to the destination.
  • Page 122 • Round Trip Time (1-3)—Displays the round trip time (in ms) for the first through third frame and the status of the first through third operation.
  • Page 123 Administration: Traceroute
  • Page 124: Chapter 7: Administration: Time Settings

    This section describes the options for configuring the system time, time zone, and Daylight Saving Time (DST). It covers the following topics: • System Time Options • SNTP Modes • Configuring System Time
  • Page 125: System Time Options

    After the time has been set by any of the above sources, it is not set again by the browser. NOTE SNTP is the recommended method for time setting.
  • Page 126: Sntp Modes

    The device supports having all of the above modes active at the same time and selects the best system time received from an SNTP server, according to an algorithm based on the closest stratum (distance from the reference clock).
  • Page 127: Configuring System Time

    NOTE The Clock Source Setting needs to be set to one of the above for RIP MD5 authentication to work. This also helps features that depend on time, for example Time-Based ACLs and time-based port and 802.1X port authentication, which are supported on some devices.
  • Page 128 By Dates—DST is set manually, typically for a country other than the USA or a European country. Enter the parameters described below. Recurring—DST occurs on the same date every year. Selecting By Dates allows customization of the start and stop of DST:
  • Page 129: Adding A Unicast Sntp Server

    STEP 1 Click Administration > Time Settings > SNTP Unicast. STEP 2 Enter the following fields: • SNTP Client Unicast—Select to enable the device to use SNTP-predefined Unicast clients with Unicast SNTP servers.
  • Page 130 Delay—Estimated round-trip delay of the server's clock relative to the local clock over the network path between them, in milliseconds. The host determines the value of this delay using the algorithm described in RFC 2030.
  • Page 131 (distance from the reference clock) that is reachable. The server with the lowest stratum is considered to be the primary server. The server with the next lowest stratum
  • Page 132: Configuring The Sntp Mode

    The packets are transmitted to all SNTP servers on the subnet. STEP 3 If the system is in Layer 3 system mode, click Add to select the interface for SNTP reception/transmission.
  • Page 133: Defining Sntp Authentication

    STEP 3 Click Apply to update the device. STEP 4 Click Add. STEP 5 Enter the following parameters: • Authentication Key ID—Enter the number used to identify this SNTP authentication key internally. Because the clock feeds RIP MD5 authentication and the time-based features listed under Configuring System Time, configure a key here rather than accepting unauthenticated replies.
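The SNTP authentication configured on this page and the lowest-stratum server selection described under SNTP Modes, shown together as an added example in Python (not Cisco's code). It assumes the device follows the standard NTP symmetric-key scheme used alongside RFC 2030: a 32-bit key ID followed by the MD5 digest of the key concatenated with the 48-byte packet. The key, key ID, server names and timestamps are constructed for the example.

```python
"""SNTP helpers: build a client request, add and check the symmetric-key MD5
authenticator, decode the server header and pick the lowest reachable stratum
among the replies that authenticate. Added example; not the switch's code."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to the Unix epoch
MODE_CLIENT, MODE_SERVER = 3, 4
MAC_LEN = 4 + 16                       # 32-bit key ID + 16-byte MD5 digest


def build_sntp_request(version=4):
    """48-byte SNTP request: LI=0, VN=version, Mode=3 (client); all timestamps zero."""
    return bytes([(version << 3) | MODE_CLIENT]) + bytes(47)


def make_server_response(stratum, unix_time, li=0):
    """Constructed server reply (Mode 4) with the given stratum and Transmit Timestamp."""
    pkt = bytearray(48)
    pkt[0] = (li << 6) | (4 << 3) | MODE_SERVER
    pkt[1] = stratum
    struct.pack_into("!II", pkt, 40, int(unix_time) + NTP_EPOCH_OFFSET, 0)
    return bytes(pkt)


def authenticate(packet48, key_id, key):
    """Append the NTP symmetric-key MAC: key ID, then MD5(key || first 48 bytes)."""
    return packet48 + struct.pack("!I", key_id) + hashlib.md5(key + packet48).digest()


def verify(packet, keys):
    """Return (ok, key_id). Unauthenticated, unknown-key and bad-digest packets fail."""
    if len(packet) != 48 + MAC_LEN:
        return False, None
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = keys.get(key_id)
    if key is None:
        return False, key_id
    expected = hashlib.md5(key + packet[:48]).digest()
    return hmac.compare_digest(expected, packet[52:]), key_id


def parse_sntp(packet):
    """Decode leap indicator, version, mode, stratum and transmit time from the header."""
    li, vn, mode = packet[0] >> 6, (packet[0] >> 3) & 7, packet[0] & 7
    secs, frac = struct.unpack("!II", packet[40:48])
    return {"li": li, "version": vn, "mode": mode, "stratum": packet[1],
            "transmit_time": secs - NTP_EPOCH_OFFSET + frac / 2 ** 32}


def choose_server(responses, keys):
    """Lowest-stratum selection over authenticated, synchronised server replies.

    A reply is usable only if its MAC verifies, it is a server-mode packet, its leap
    indicator is not 3 (clock unsynchronised) and its stratum is 1..15 (0 is
    unspecified / kiss-o'-death, 16 is unsynchronised). Returns (name, stratum) or
    None; ties keep the first server seen.
    """
    best = None
    for name, pkt in responses.items():
        ok, _ = verify(pkt, keys)
        if not ok:
            continue
        hdr = parse_sntp(pkt)
        if hdr["mode"] != MODE_SERVER or hdr["li"] == 3 or not 1 <= hdr["stratum"] <= 15:
            continue
        if best is None or hdr["stratum"] < best[1]:
            best = (name, hdr["stratum"])
    return best


if __name__ == "__main__":
    keys = {1: b"example-shared-secret"}   # key ID 1, as entered on the SNTP Authentication page (constructed)
    replies = {
        "ntp-a": authenticate(make_server_response(2, 1700000000), 1, keys[1]),
        "ntp-b": authenticate(make_server_response(1, 1700000000), 1, b"wrong-key"),  # forged: lower stratum, bad MAC
        "ntp-c": authenticate(make_server_response(16, 1700000000), 1, keys[1]),      # authenticated but unsynchronised
    }
    print(choose_server(replies, keys))
```

verify() rejects replies with no MAC, an unknown key ID or a wrong digest, so a lower-stratum reply from a host without the shared key (ntp-b) cannot displace an authenticated stratum-2 server. The MD5 here is a keyed integrity check shared with the server, not a signature: anyone holding the key can produce valid replies, so the key must be protected on both ends.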
  • Page 134: Time Range

    The time-range feature can be used for the following: • Limit access of computers to the network during business hours (for example), after which the network ports are locked, and access to the rest
  • Page 135 STEP 1 Click Administration > Time Settings > Recurring Range. The existing recurring time ranges are displayed (filtered per a specific absolute time range). STEP 2 Select the absolute time range to which to add the recurring range.
  • Page 136 • Recurring Ending Time—Enter the date and time that the Time Range ends on a recurring basis. STEP 5 Click Apply. STEP 6 Click Time Range to access the Absolute Time Range
  • Page 137 Administration: Time Settings, Configuring System Time
  • Page 138: Chapter 8: Administration: Diagnostics

    Copper Test page. Preconditions to Running the Copper Port Test: Before running the test, do the following: • (Mandatory) Disable Short Reach mode (see the Port Management > Green Ethernet > Properties page)
  • Page 139 Unknown Test Result—An error has occurred. • Distance to Fault—Distance from the port to the location on the cable where the fault was discovered. • Operational Port Status—Displays whether the port is up or down.
  • Page 140: Displaying Optical Module Status

    MFELX1: 100BASE-LX SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 10 km. The following GE SFP (1000 Mbps) transceivers are supported: • MGBBX1: 1000BASE-BX-20U SFP transceiver, for single-mode fiber, 1310 nm wavelength, supports up to 40 km.
  • Page 141 Transmitter Fault—Remote SFP reports signal loss. Values are True, False, and No Signal (N/S). • Loss of Signal—Local SFP reports signal loss. Values are True and False. • Data Ready—SFP is operational. Values are True and False.
  • Page 142: Configuring Port And Vlan Mirroring

    Every mirrored frame is copied to the analyzer port, so connect that port only to a trusted capture host. • Source Interface—Interface, port, or VLAN from which traffic is sent to the analyzer port. • Type—Type of monitoring: incoming to the port (Rx), outgoing from the port (Tx), or both. • Status—Displays one of the following values:
  • Page 143: Viewing Cpu Utilization And Secure Core Technology

    The device uses the Secure Core Technology (SCT) feature to ensure that the device receives and processes management and protocol traffic, no matter how much total traffic is received. SCT is enabled by default on the device and cannot be disabled.
  • Page 144 STEP 2 (continued) STEP 3 Select the Refresh Rate (time period in seconds) that passes before the statistics are refreshed. A new sample is created for each time period. STEP 4 Click Apply.
  • Page 145 Administration: Diagnostics, Viewing CPU Utilization and Secure Core Technology
  • Page 146: Chapter 9: Administration: Discovery

    Services page. When Bonjour Discovery and IGMP are both enabled, the IP Multicast address of Bonjour appears on the Adding IP Multicast Group Address page.
  • Page 147: Bonjour In Layer 3 System Mode

    Bonjour Discovery advertisements sent by other devices. To configure Bonjour when the device is in Layer 3 system mode: STEP 1 Click Administration > Discovery - Bonjour. STEP 2 Select Enable to enable Bonjour Discovery globally.
  • Page 148: Lldp And Cdp

    Apply). LLDP and CDP: LLDP (Link Layer Discovery Protocol) and CDP (Cisco Discovery Protocol) are link layer protocols that let directly connected LLDP- and CDP-capable neighbors advertise themselves and their capabilities. By default, the device sends an LLDP/CDP advertisement periodically on all its interfaces and processes incoming LLDP and CDP packets as required by the protocols. These advertisements disclose the device's management address, model and software version to whatever is plugged into the port, so disable them on ports facing untrusted hosts (the LLDP Port Settings page offers a Disable option per port).
  • Page 149: Configuring Lldp

    This section describes how to configure LLDP. It covers the following topics: • LLDP Overview • LLDP Properties • LLDP Port Settings • LLDP MED Network Policy • LLDP MED Port Settings • LLDP Port Status • LLDP Local Information
  • Page 150: Lldp Overview

    3. Create LLDP MED network policies by using the LLDP MED Network Policy page. 4. Associate LLDP MED network policies and the optional LLDP-MED TLVs to the desired interfaces by using the LLDP MED Port Settings page.
  • Page 151: Lldp Properties

    LLDP frame transmissions, due to changes in the LLDP local systems MIB. • Chassis ID Advertisement—Select one of the following options for advertisement in the LLDP messages: MAC Address—Advertise the MAC address of the device.
  • Page 152: Lldp Port Settings

    Tx & Rx—Publishes and discovers. Disable—Indicates that LLDP is disabled on the port. • SNMP Notification—Select Enable to send notifications to SNMP notification recipients (for example, an SNMP managing system) when there is a topology change.
  • Page 153 Auto Advertise—Specifies that the software automatically chooses a management address to advertise from all the IP addresses of the device. In case of multiple IP addresses, the software chooses the lowest
  • Page 154: Lldp Med Network Policy

    Voice over Internet Protocol (VoIP), Emergency Call Service (E-911) by using IP Phone location information. • Troubleshooting information. LLDP MED sends alerts to network managers upon: Port speed and duplex mode conflicts
  • Page 155 STEP 3 Click Apply to add this setting to the Running Configuration file. STEP 4 To define a new policy, click Add. STEP 5 Enter the values: • Network Policy Number—Select the number of the policy to be created.
  • Page 156: Lldp Med Port Settings

    This page displays the following LLDP MED settings for all ports (only fields not described in the Edit page are listed): • Location—Whether the Location TLV is transmitted. • PoE—Whether the PoE-PSE TLV is transmitted. • Inventory—Whether the Inventory TLV is transmitted.
  • Page 157 LLDP. Location ECS ELIN—Enter the Emergency Call Service (ECS) ELIN location to be published by LLDP. STEP 5 Click Apply. The LLDP MED port settings are written to the Running Configuration file.
  • Page 158 • Remote PoE—PoE information advertised by the neighbor. • # of neighbors—Number of neighbors discovered. • Neighbor Capability of 1st Device—Displays the primary functions of the neighbor; for example, Bridge or Router.
  • Page 159: Lldp Local Information

    Address Subtype—Type of management IP address listed in the Management Address field; for example, IPv4. • Address—Returned address most appropriate for management use, typically a Layer 3 address. • Interface Subtype—Numbering method used for defining the interface number.
  • Page 160 • Remote Tx Echo—Indicates the local link partner's reflection of the remote link partner's Tx value. • Remote Rx Echo—Indicates the local link partner's reflection of the remote link partner's Rx value.
  • Page 161 • Model Name—Device model name. • Asset ID—Asset ID. Location Information • Civic—Street address. • Coordinates—Map coordinates: latitude, longitude, and altitude. • ECS ELIN—Emergency Call Service (ECS) Emergency Location Identification Number (ELIN).
  • Page 162: Lldp Neighbor Information

    Chassis ID Subtype—Type of chassis ID (for example, MAC address). • Chassis ID—Identifier of the 802 LAN neighboring device's chassis. • Port ID Subtype—Type of the port identifier that is shown. • Port ID—Identifier of the port.
  • Page 163 Bits 8 through 15 are reserved. • Enabled System Capabilities—Primary enabled function(s) of the device. Management Address Table • Address Subtype—Managed address subtype; for example, MAC or IPv4. • Address—Managed address. • Interface Subtype—Port subtype.
  • Page 164 802.3 Link Aggregation • Aggregation Capability—Indicates if the port can be aggregated. • Aggregation Status—Indicates if the port is currently aggregated. • Aggregation Port ID—Advertised aggregated port ID.
  • Page 165 PoE Power Source—Port's power source. • PoE Power Priority—Port's power priority. • PoE Power Value—Port's power value. • Hardware Revision—Hardware version. • Firmware Revision—Firmware version. • Software Revision—Software version. • Serial Number—Device serial number.
  • Page 166 10.2.4 of the ANSI-TIA-1057 standard: • Civic—Civic or street address. • Coordinates—Location map coordinates: latitude, longitude, and altitude. • ECS ELIN—Device's Emergency Call Service (ECS) Emergency Location Identification Number (ELIN). • Unknown—Unknown location information.
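An added example in Python (not the switch's software) that parses an LLDPDU into the Neighbor Information fields listed on Pages 162 to 166 and applies the checks a reviewer of that table would want: mandatory TLV order, TLV length bounds, the reserved System Capabilities bits 8 through 15 noted on Page 163, a TTL of 0, an advertised management address, and a system name that still matches the factory default switchXXXXXX pattern from Page 107. The sample frame, its MAC address, interface name and management IP are constructed.

```python
"""Minimal IEEE 802.1AB LLDPDU parser with neighbour-review findings. Added example."""
import ipaddress
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_CAPS, TLV_MGMT_ADDR = 5, 7, 8
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC = 4, 3

# System Capabilities bit map (802.1AB); bits 8-15 are reserved.
CAPABILITY_BITS = {
    0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN Access Point",
    0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS Cable Device", 0x80: "Station Only",
}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a big-endian 16-bit header."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def default_hostname(mac):
    """Factory system name: 'switch' + last three MAC bytes in hex (Page 107)."""
    digits = mac.replace(":", "").replace("-", "").lower()
    return "switch" + digits[-6:]


def decode_capabilities(word):
    names = [name for bit, name in CAPABILITY_BITS.items() if word & bit]
    if word & 0xFF00:
        names.append("reserved-bits-set")
    return names


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, stopping at the End of LLDPDU TLV.

    Each length is checked against the buffer so a neighbour cannot make the parser
    read past the frame; a PDU without an End TLV is rejected.
    """
    tlvs, off = [], 0
    while off + 2 <= len(data):
        hdr = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length exceeds frame")
        value = data[off:off + length]
        off += length
        if tlv_type == TLV_END:
            return tlvs
        tlvs.append((tlv_type, value))
    raise ValueError("missing End of LLDPDU TLV")


def summarize(tlvs):
    """Build the neighbour-information view the page lists and add review findings."""
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first, in that order")
    info = {"findings": []}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID:
            info["chassis_id_subtype"] = value[0]
            info["chassis_id"] = (fmt_mac(value[1:]) if value[0] == CHASSIS_SUBTYPE_MAC
                                  else value[1:].decode("ascii", "replace"))
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = (fmt_mac(value[1:]) if value[0] == PORT_SUBTYPE_MAC
                               else value[1:].decode("ascii", "replace"))
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SYSTEM_CAPS:
            caps, enabled = struct.unpack("!HH", value)
            info["capabilities"] = decode_capabilities(caps)
            info["enabled_capabilities"] = decode_capabilities(enabled)
        elif tlv_type == TLV_MGMT_ADDR:
            addr_len, subtype = value[0], value[1]      # address string length, address subtype
            raw = value[2:1 + addr_len]
            info["management_address"] = (str(ipaddress.ip_address(raw))
                                          if subtype in (1, 2) else raw.hex())   # 1 = IPv4, 2 = IPv6
    if info["ttl"] == 0:
        info["findings"].append("ttl 0: neighbour is withdrawing its LLDP information")
    if (info.get("chassis_id_subtype") == CHASSIS_SUBTYPE_MAC
            and info.get("system_name") == default_hostname(info["chassis_id"])):
        info["findings"].append("default hostname in use")
    if "management_address" in info:
        info["findings"].append("management address advertised")
    return info


# Constructed sample LLDPDU: an unconfigured switch advertising its management IP.
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122aabbcc"))
    + tlv(TLV_PORT_ID, b"\x05gi1/0/1")                           # subtype 5: interface name
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYSTEM_NAME, b"switchaabbcc")
    + tlv(TLV_SYSTEM_CAPS, struct.pack("!HH", 0x0014, 0x0004))   # Bridge+Router capable, Bridge enabled
    + tlv(TLV_MGMT_ADDR, b"\x05\x01" + bytes([192, 168, 1, 10]) + b"\x02" + struct.pack("!I", 1) + b"\x00")
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(summarize(parse_lldpdu(SAMPLE_LLDPDU)))
```

The findings list is the review output: a default hostname marks a device nobody has configured, and an advertised management address tells whoever is on the port where to aim at the management plane, which is why the page's per-port Disable option matters on user-facing ports.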
  • Page 167: Lldp Statistics

    Discarded—Total number of received frames that were discarded. Errors—Total number of received frames with errors. • Rx TLVs Discarded—Total number of received TLVs that were discarded. Unrecognized—Total number of received TLVs that were unrecognized.
  • Page 168: Lldp Overloading

    Size (Bytes)—Total mandatory TLV byte size. Status—Whether the mandatory TLV group is being transmitted, or whether the TLV group was overloaded. • LLDP MED Capabilities Size (Bytes)—Total LLDP MED capabilities packets byte size.
  • Page 169 Size (Bytes)—Total LLDP MED inventory TLVs packets byte size. Status—Whether the LLDP MED inventory packets were sent, or whether they were overloaded. • Total (Bytes)—Total number of bytes of LLDP information in each packet
  • Page 170: Configuring Cdp

    • CDP Statistics. CDP Properties: Similar to LLDP, the Cisco Discovery Protocol (CDP) is a link layer protocol for directly connected neighbors to advertise themselves and their capabilities to each other. Unlike LLDP, CDP is a Cisco proprietary protocol. CDP Configuration Workflow: The following is a sample workflow for configuring CDP on the device.
  • Page 171 • CDP Transmission Rate—The rate in seconds at which CDP advertisement updates are sent. The following options are possible: Use Default—Use the default rate (60 seconds). User Defined—Enter the rate in seconds.
  • Page 172 The conflict can be Voice VLAN data, Native VLAN, or Duplex. By setting these properties it is possible to select the types of information to be provided to devices that support the CDP protocol.
  • Page 173 Syslog Voice VLAN Mismatch—Select to enable sending a SYSLOG message when a voice VLAN mismatch is detected. This means that the voice VLAN information in the incoming frame does not match what the local device is advertising.
  • Page 174 • Address TLV Address1-3—IP addresses (advertised in the device address TLV). • Port TLV Port ID—Identifier of the port advertised in the port TLV. • Capabilities TLV Capabilities—Capabilities advertised in the capabilities TLV.
  • Page 175 Request ID—Last power request ID received; echoes the Request-ID field last received in a Power Requested TLV. It is 0 if no Power Requested TLV was received since the interface last transitioned to Up.
  • Page 176 The CDP Neighbor Information page contains the following fields for the link partner (neighbor): • Device ID—Neighbor's device ID. • System Name—Neighbor's system name. • Local Interface—Number of the local port to which the neighbor is connected. • Advertisement Version—CDP protocol version.
  • Page 177 Power Drawn—Amount of power consumed by the neighbor on the interface. • Version—Neighbor's software version. NOTE Clicking the Clear Table button disconnects all connected devices from CDP and, if Auto Smartport is enabled, changes all port types to default.
  • Page 178: Cdp Statistics

    To clear all counters on all interfaces, click Clear All Interface Counters. To clear all counters on an interface, select it and click Clear Interface Counters.
  • Page 179 Administration: Discovery, CDP Statistics
  • Page 180: Chapter 10: Port Management

    4. Configure the LACP parameters for the ports that are members or candidates of a dynamic LAG by using the LACP page. 5. Configure Green Ethernet and 802.3 Energy Efficient Ethernet by using the Properties page.
  • Page 181: Port Configuration

    Copper Ports—Regular (not Combo) ports support the following values: 10M, 100M, and 1000M (type: Copper). Combo Ports Copper—Combo port connected with a copper CAT5 cable, supports the following values: 10M, 100M, and 1000M (type: ComboC).
  • Page 182 10M or 100M. At a port speed of 1G, the mode is always full duplex. The possible options are: Half—The interface supports transmission between the device and the client in only one direction at a time.
  • Page 183 Flow Control—Enable or disable 802.3x Flow Control, or enable the auto-negotiation of Flow Control on the port (only when in Full Duplex mode). • MDI/MDIX—Media Dependent Interface (MDI)/Media Dependent Interface with Crossover (MDIX) status on the port. The options are:
  • Page 184 Automatic Recovery Interval has passed. To configure error recovery settings: STEP 1 Click Port Management > Error Recovery Settings. STEP 2 Enter the following fields:
  • Page 185 STEP 1 Click Port Management > Error Recovery Settings. The list of inactivated interfaces along with their Suspension Reason is displayed. STEP 2 Select the interface to be reactivated. STEP 3 Click Reactivate.
  • Page 186: Loopback Detection

    LAGs, the LBD is transmitted on every active port member in the LAG). When a loop is detected, the switch performs the following actions: • Sets the receiving ports or LAGs to Error Disable state. • Issues an appropriate SNMP trap.
  • Page 187: Configuring Loopback Detection

    STEP 4 Click Apply to save the configuration to the Running Configuration file. The following fields are displayed for each interface, regarding the Loopback Detection State: • Administrative—Loopback detection is enabled. • Operational—Loopback detection is enabled but not active on the interface.
  • Page 188: Link Aggregation

    Dynamic—A LAG is dynamic if LACP is enabled on it. The group of ports assigned to a dynamic LAG are candidate ports. LACP determines which candidate ports are active member ports. The non-active candidate ports are standby ports ready to replace any failing active member ports.
  • Page 189 When the port is removed from the LAG, its original configuration is reapplied. • Protocols, such as Spanning Tree, consider all the ports in the LAG to be one port.
  • Page 190 LAG on the Edit LAG Membership page. To select the load balancing algorithm of the LAG: STEP 1 Click Port Management > Link Aggregation > LAG Management. STEP 2 Select one of the following Load Balance Algorithms:
  • Page 191 Port List to the LAG Members list. Up to eight ports can be assigned to a static LAG, and 16 ports can be assigned to a dynamic LAG; these are candidate ports. STEP 3 Click Apply. LAG membership is saved to the Running Configuration file.
  • Page 192: Configuring Lag Settings

    (the Flow Control default is disabled). It is recommended to keep auto-negotiation enabled on both sides of an aggregate link, or disabled on both sides, while ensuring that link speeds are identical. • Operational Auto Negotiation—Displays the auto-negotiation setting.
  • Page 193: Configuring Lacp

    LAGs. STEP 4 Click Apply. The Running Configuration file is updated. Configuring LACP: A dynamic LAG is LACP-enabled, and LACP runs on every candidate port defined in the LAG.
  • Page 194 LACP With No Link Partner: In order for LACP to create a LAG, the ports on both link ends should be configured for LACP, meaning that the ports send LACP PDUs and handle received PDUs.
  • Page 195 LACP Timeout—Time interval between the sending and receiving of consecutive LACP PDUs. Select the periodic transmission rate of LACP PDUs, which occur at either a Long or Short interval, depending upon the expressed LACP timeout preference.
  • Page 196: Udld

    Energy-Detect Mode—(Not available on SG500XG) On an inactive link, the port moves into inactive mode, saving power while keeping the Administrative status of the port Up. Recovery from this mode to full
  • Page 197 Green Ethernet mode. The saved energy displayed is only related to Green Eth
  • Page 198: 802.3az Energy Efficient Ethernet Feature

    When using 802.3az EEE, systems on both sides of the link can disable portions of their functionality and save power during periods of no traffic. 802.3az EEE supports IEEE 802.3 MAC operation at 100 Mbps and 1000 Mbps:
  • Page 199 802.3az EEE operation after auto-negotiation is completed. The 802.3az EEE TLV is used to fine-tune system wake-up and refresh durations. Availability of 802.3az EEE: Please see the release notes for a complete listing of products that support EEE.
  • Page 200 Check the 802.3 Energy Efficient Ethernet (EEE) mode on the port (it is enabled by default). c. Select whether to enable or disable advertisement of 802.3az EEE capabilities through LLDP in 802.3 Energy Efficient Ethernet (EEE) LLDP (it is enabled by default).
  • Page 201 This value is updated each time there is an event that affects power saving. • 802.3 Energy Efficient Ethernet (EEE)—Globally enable or disable EEE mode (only available if there are GE ports on the device).
  • Page 202 Short Reach—State of the port regarding Short Reach mode: Administrative—Displays whether Short Reach mode was enabled. Operational—Displays whether Short Reach mode is currently operating. Reason—If Short Reach mode is not operational, displays the reason.
  • Page 203 (advertisement of EEE capabilities through LLDP) if there are GE ports on the device. STEP 7 Click Apply. The Green Ethernet port settings are written to the Running Configuration file.
  • Page 204: Chapter 11: Port Management: Unidirectional Link Detection

    The purpose of UDLD is to detect ports on which the neighbor does not receive traffic from the local device (unidirectional link) and to shut down those ports.
  • Page 205: Udld Operation

    If the link state of the port is determined to be bidirectional and the UDLD information times out while the link on the port is still up, UDLD tries to re-establish the state of the port.
  • Page 206 Device is in normal UDLD mode: A notification is issued. Device is in aggressive UDLD mode: The port is shut down.
  • Page 207: Usage Guidelines

    Recovery Settings page. Usage Guidelines: Cisco does not recommend enabling UDLD on ports that are connected to devices on which UDLD is not supported or is disabled. Sending UDLD packets on a port connected to a device that does not support UDLD causes more traffic on the port without providing benefits.
  • Page 208: Dependencies On Other Features

    UDLD is disabled by default on all ports of the device. • Default message time is 15 seconds. • Default expiration time is 45 seconds (3 times the message time). • Default port UDLD state:
  • Page 209: Before You Start

    STEP 1 a. Select a port. b. Select Default, Disabled, Normal, or Aggressive as the port's UDLD status. If you select Default, the port receives the global setting. STEP 2 Click Apply.
  • Page 210: Configuring Udld

    If the link is bidirectional, the device shuts down the port after the UDLD information times out. The port state is marked as undetermined. STEP 3 Click Apply to save the settings to the Running Configuration file.
  • Page 211 UDLD message was received or the UDLD message did not contain the local device ID in it. Disabled—UDLD has been disabled on this port.
  • Page 212 Undetermined—The state of the link between the port and its connected port cannot be determined, either because no UDLD message was received or because the UDLD message did not contain the local device ID.
  • Page 213 Neighbor Expiration Time (Sec.)—Displays the time that must pass before the device attempts to determine the port UDLD status. This is three times the Message Time. • Neighbor Message Time (Sec.)—Displays the time between UDLD messages.
  • Page 214: Chapter 12: Smartport

    • Auto Smartport • Error Handling • Default Configuration • Relationships with Other Features and Backwards Compatibility • Common Smartport Tasks • Configuring Smartport Using The Web-based Interface • Built-in Smartport Macros Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 215: Overview

    Voice VLAN and Smartport, described in the Voice VLAN section. • LLDP/CDP for Smartport, described in the Configuring LLDP Configuring CDP sections, respectively. Additionally, typical work flows are described in the Common Smartport Tasks section. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 216: What Is A Smartport

    "the anti-macro," serves to undo all configuration performed by "the macro" when that interface happens to become a different Smartport type. You can apply a Smartport macro by the following methods: • The associated Smartport type. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 217: Special Smartport Types

    Smartport. The following describe these special Smartport types: • Default An interface that does not (yet) have a Smartport type assigned to it has the Default Smartport status. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 218: Smartport Macros

    View Macro Source button on the Smartport Type Settings page. A macro and the corresponding anti-macro are paired together in association with each Smartport type. The macro applies the configuration and the anti-macro removes it. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 219: Applying A Smartport Type To An Interface

    Auto Smartport: If the Auto Smartport Global Operational state, the interface Auto Smartport state, and the Persistent Status are all Enable, the Smartport type is set to this dynamic type. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 220: Macro Failure And The Reset Operation

    Smartport Interface Settings page, selecting the radio button of the desired interface, and clicking Edit. Then, select the Smartport type you want to assign and adjust the parameters as necessary before clicking Apply. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 221: Auto Smartport

    Status. If the Persistent Status is enabled, the interface configuration is retained. If not, the Smartport Type reverts to Default. Enabling Auto Smartport Auto Smartport can be enabled globally in the Properties page in the following ways: Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 222: Identifying Smartport Type

    The device detects the type of device attached to the port, based on the CDP/ LLDP capabilities. This mapping is shown in the following tables: CDP Capabilities Mapping to Smartport Type Capability Name CDP Bit Smartport Type Router 0x01 Router TB Bridge 0x02 Wireless Access Point Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 223 Station Only IETF RFC 4293 Host C-VLAN Component of a VLAN Bridge Switch IEEE Std. 802.1Q S-VLAN Component of a VLAN Bridge Switch IEEE Std. 802.1Q Two-port MAC Relay (TPMR) IEEE Std. Ignore 802.1Q Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 224: Multiple Devices Attached To The Port

    (assuming the configuration was saved). The Smartport type and the configuration of the interface are not changed unless Auto Smartport detects an attaching device with a different Smartport type. If the Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 225: Error Handling

    Voice VLAN, relies on both CDP and LLDP to detect attaching device's Smartport type, and detects Smartport type IP phone, IP phone + Desktop, Switch, and Wireless Access Point. Voice VLAN for a description of the voice factory defaults. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 226: Relationships With Other Features And Backwards Compatibility

    Smartport > Interface Settings page. Select the interface, and click Edit. STEP 6 Select Auto Smartport in the Smartport Application field. STEP 7 Check or uncheck Persistent Status if desired. STEP 8 Click Apply. STEP 9 Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 227 5. In the Edit page, modify the fields. 6. Click Apply to rerun the macro if the parameters were changed, or Restore Defaults to restore default parameter values to built-in macros if required. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 228: Configuring Smartport Using The Web-Based Interface

    The Smartport feature is configured in the Smartport > Properties, Smartport Type Settings and Interface Settings pages. For Voice VLAN configuration, see Voice VLAN. For LLDP/CDP configuration, see the Configuring LLDP Configuring CDP sections, respectively. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 229: Smartport Properties

    Auto Smartport can assign Smartport types to interfaces. If unchecked, Auto Smartport does not assign that Smartport type to any interface. Click Apply. This sets the global Smartport parameters on the device. STEP 3 Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 230: Smartport Type Settings

    Smartport type. The macro must have already been paired with an anti-macro. Pairing of the two macros is done by name and is described in the Smartport Macro section. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 231: Smartport Interface Settings

    Smartport macro so that the configuration at an interface is up to date. For instance, reapplying a switch Smartport macro at a device interface makes the interface a member of the VLANs created Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 232 Resetting the interface of unknown type does not reset the configuration NOTE performed by the macro that failed. This clean up must be done manually. To assign a Smartport type to an interface or activate Auto Smartport on the interface: Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 233: Built-In Smartport Macros

    The following describes the pair of built-in macros for each Smartport type. For each Smartport type there is a macro to configure the interface and an anti macro to remove the configuration. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 234 $native_vlan port security max $max_hosts port security mode max-addresses port security discard trap 60 smartport storm-control broadcast level 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 235 $native_vlan #single host port security max 1 port security mode max-addresses port security discard trap 60 smartport storm-control broadcast level 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 236 $native_vlan #single host port security max 1 port security mode max-addresses port security discard trap 60 smartport storm-control broadcast level 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast no_guest]] Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 237 $native_vlan port security max $max_hosts port security mode max-addresses port security discard trap 60 smartport storm-control broadcast level 10 smartport storm-control broadcast enable spanning-tree portfast no_server [no_server] #macro description No server Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 238 $max_hosts port security mode max-addresses port security discard trap 60 smartport storm-control broadcast level 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast no_host [no_host] #macro description No host Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 239 60 smartport storm-control broadcast level 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast no_ip_camera [no_ip_camera] #macro description No ip_camera no switchport access vlan no switchport mode no port security Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 240 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast no_ip_phone [no_ip_phone] #macro description no ip_phone #macro keywords $voice_vlan #macro key description: $voice_vlan: The voice VLAN ID #Default Values are Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 241 $native_vlan port security max $max_hosts port security mode max-addresses port security discard trap 60 smartport storm-control broadcast level 10 smartport storm-control include-multicast smartport storm-control broadcast enable spanning-tree portfast no_ip_phone_desktop Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 242 #$voice_vlan = 1 #the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan $native_vlan spanning-tree link-type point-to-point no_switch [no_switch] #macro description No switch #macro keywords $voice_vlan Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 243 #macro key description: $voice_vlan: The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no smartport storm-control broadcast enable no smartport storm-control broadcast level no spanning-tree link-type Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 244 Smartport Built-in Smartport Macros [ap] #macro description ap #macro keywords $native_vlan $voice_vlan #macro key description: $native_vlan: The untag VLAN which will be configured on the port Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 246: Chapter 13: Port Management: Poe

    Eliminates the need to run 110/220 V AC power to all devices on a wired LAN. • Removes the necessity for placing all network devices next to power sources. • Eliminates the need to deploy double cabling systems in an enterprise, significantly decreasing installation costs.
  • Page 247: Poe Configuration Considerations

    There are two factors to consider in the PoE feature: • The amount of power that the PSE can supply • The amount of power that the PD is actually attempting to consume
  • Page 248 The PoE switches can detect and supply power to pre-standard legacy PoE PDs. Due to the support of legacy PoE, it is possible that a PoE device acting as a PSE may mistakenly detect and supply
  • Page 249: Poe Properties

    PoE ports, and enable them after changing the power configuration. • Traps—Enable or disable traps. If traps are enabled, you must also enable SNMP and configure at least one SNMP Notification Recipient.
  • Page 250: Poe Settings

    PoE Class Limit mode. That mode is configured in the PoE Properties page. When the power consumed on the port exceeds the class limit, the port power is turned off.
  • Page 251 PoE Properties page is Power Limit. Displays the maximum amount of power permitted on this port. • Power Consumption—Displays the amount of power in milliwatts assigned to the powered device connected to the selected interface.
  • Page 252 Signatures are the means by which the powered device identifies itself to the PSE. Signatures are generated during powered device detection, classification, or maintenance. STEP 4 Click Apply. The PoE settings for the port are written to the Running Configuration file.
  • Page 254: Chapter 14: Vlan Management

    A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer, regardless of the physical LAN segment of the bridged network to which they are connected.
  • Page 255: Vlan Description

    VLAN, and the original frame does not have a VLAN tag. • Removes the VLAN tag from the frame if the egress port is an untagged member of the target VLAN, and the original frame has a VLAN tag.
  • Page 256 With QinQ, the device adds an ID tag known as Service Tag (S-tag) to forward traffic over the network. The S-tag is used to segregate traffic between various customers, while preserving the customer VLAN tags.
  • Page 257: Private Vlan

    VLAN per private VLAN. • Community VLAN (also known as a Secondary VLAN)—To create a sub-group of ports (community) within a VLAN, the ports must be added a
  • Page 258 VLANs in the private VLAN. Inter-switch trunk ports send and receive tagged traffic of the private VLAN’s various VLANs (primary, isolated and the communities). The switch supports 16 primary VLANs and 256 secondary VLANs.
  • Page 259: Traffic Flow

    The following describes traffic flow from hosts to servers/routers or other hosts. Figure 1 Traffic from Hosts to Servers/Routers [figure: server on promiscuous ports; hosts on isolated VLAN ports (Isolated 1, Isolated 2) and community VLAN ports (Community 1)]
  • Page 260 The following describes server/router traffic (reply to host). Figure 2 Server/Router Traffic to Hosts [figure: server on promiscuous ports sending on the primary VLAN to isolated ports (Isolated 1, Isolated 2) and community ports (Community 1)]
  • Page 261 IP connectivity. IP connectivity requires traffic to pass on a primary VLAN. Features Not Supported on Private VLAN Port Modes: The following features are not supported on private VLAN port modes: • GVRP
  • Page 262 MSTP—All VLANs in a private VLAN must be assigned to the same MSTP instance. • IP Source Guard—Binding an ACL on IP source guard ports with private VLAN is not recommended due to the amount of TCAM resources needed.
  • Page 263: Regular Vlans

    6. If required, configure VLAN groups as described in the MAC-based Groups and Protocol-based VLANs sections. 7. If required, configure TV VLAN as described in the Access Port Multicast TV VLAN and Customer Port Multicast TV VLAN sections.
  • Page 264 To change the default VLAN: STEP 1 Click VLAN Management > Default VLAN Settings. STEP 2 Enter the value for the following field: • Current Default VLAN ID—Displays the current default VLAN ID.
  • Page 265 The page enables the creation of either a single VLAN or a range of VLANs. STEP 3 To create a single VLAN, select the VLAN radio button, enter the VLAN ID, and optionally the VLAN Name.
  • Page 266: Interface Settings

    Interface VLAN Mode—Select the interface mode for the VLAN. The options are: General—The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.
  • Page 267 VLAN is used to allow Layer 2 connectivity from promiscuous ports to isolated ports and to community ports. • Secondary VLAN - Host—Select an isolated or community VLAN for those hosts that only require a single secondary VLAN.
  • Page 268: Vlan Membership

    STEP 1 Click VLAN Management > Port to VLAN. STEP 2 Select a VLAN and the interface type (Port or LAG), and click Go to display or to change the port characteristic with respect to the VLAN.
  • Page 269 The Port VLAN Membership page displays all ports on the device along with a list of VLANs to which each port belongs. If the port-based authentication method for an interface is 802.1x and the Administrative Port Control is Auto, then:
  • Page 270 STEP 3 Select a port, and click the Join VLAN button. STEP 4 Enter the values for the following fields: • Interface—Select a Port or LAG. Select the Unit/Slot on a 500 Series device. • Mode—Displays the port VLAN mode that was selected in the Interface Settings page.
  • Page 271: Private Vlan Settings

    VLAN. The primary VLAN is used to allow Layer 2 connectivity from promiscuous ports to isolated ports and to community ports. • Isolated VLAN ID—An isolated VLAN is used to allow isolated ports to send traffic to the primary VLAN.
  • Page 272: Gvrp Settings

    To define GVRP settings for an interface: STEP 1 Click VLAN Management > GVRP Settings. STEP 2 Select GVRP Global Status to enable GVRP globally. STEP 3 Click Apply to set the global GVRP status.
  • Page 273: Vlan Groups

    MAC-to-VLAN mapping of the ingress interface. • Protocol-Based VLAN—If a protocol-based VLAN has been defined, the VLAN is taken from the (Ethernet type) protocol-to-VLAN mapping of the ingress interface.
  • Page 274 Basic Hybrid - Layer 3 / SG500XG: Same as Sx500. Workflow: To define a MAC-based VLAN group: 1. Assign a MAC address to a VLAN group ID (using the MAC-Based Groups page). 2. For each required interface:
  • Page 275 STEP 1 Click VLAN Management > VLAN Groups > MAC-Based Groups to VLAN. STEP 2 Click Add. STEP 3 Enter the values for the following fields: • Group Type—Displays that the group is MAC-Based.
  • Page 276 Protocol / DSAP-SSAP—Displays the protocol value in hex. • Group ID—Displays the protocol group ID to which the interface is added. STEP 2 Click the Add button. The Add Protocol-Based Group page appears. STEP 3 Enter the following fields:
  • Page 277 STEP 3 Enter the following fields: • Interface—Port or LAG number assigned to VLAN according to protocol-based group. • Group ID—Protocol group ID. • VLAN ID—Attaches the interface to a user-defined VLAN ID.
  • Page 278: Voice Vlan

    The following are typical voice deployment scenarios with appropriate configurations: • UC3xx/UC5xx hosted: All Cisco phones and VoIP endpoints support this deployment model. For this model, the UC3xx/UC5xx, Cisco phones and VoIP endpoints reside in the same voice VLAN. The voice VLAN of UC3xx/UC5xx defaults to VLAN 100.
  • Page 279 VoIP endpoints register with an on-premise IP PBX. • IP Centrex/ITSP hosted: Cisco CP-79xx, SPA5xx phones and SPA8800 endpoints support this deployment model. For this model, the VLAN used by the phones is determined by the network configuration. There may or may not be separate voice and data VLANs.
  • Page 280 CDP and/or LLDP-MED. Voice End-Points: To have a voice VLAN work properly, the voice devices, such as Cisco phones and VoIP endpoints, must be assigned to the voice VLAN where they send and receive their voice traffic.
  • Page 281 Communication (UC) devices, are advertising their voice VLAN, the voice VLAN from the device with the lowest MAC address is used. NOTE If connecting the device to a Cisco UC device, you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device advertises its voice VLAN in CDP at the port.
  • Page 282 You can disable the automatic update between Voice VLAN and LLDP-MED and use your own network policies. Working with the OUI mode, the device can additionally configure the mapping and remarking (CoS/802.1p) of the voice traffic based on the OUI.
  • Page 283 The device default configuration on Auto Voice VLAN, Auto Smartports, CDP, and LLDP covers most common voice deployment scenarios. This section describes how to deploy voice VLAN when the default configuration does not apply.
  • Page 284 Telephony OUI. STEP 2 Configure Telephony OUI in the Telephony OUI page. STEP 3 Configure Telephony OUI VLAN membership for ports in the Telephony OUI Interface page.
  • Page 285: Voice Vlan Configuration

    • CoS/802.1p—Select a CoS/802.1p value to be used by LLDP-MED as a voice network policy. Refer to Administration > Discovery > LLDP > LLDP MED Network Policy for additional details.
  • Page 286 LAN that are Auto Voice VLAN enabled. NOTE This only resets the voice VLAN to the default voice VLAN if the Source Type is in the Inactive state. To view Auto Voice VLAN parameters:
  • Page 287 Source MAC Address—MAC address of a UC from which the voice configuration was received. • Source Type—Type of UC from which voice configuration was received. The following options are available: Default—Default voice VLAN configuration on the device
  • Page 288 Voice VLAN. The OUI Global table can hold up to 128 OUIs. This section covers the following topics: • Telephony OUI Table • Telephony OUI Interface
  • Page 289 Delete. If you then click Restore, the system recovers the known OUIs. STEP 4 To add a new OUI, click Add. STEP 5 Enter the values for the following fields: • Telephony OUI—Enter a new OUI.
  • Page 290 Voice VLAN QoS Mode—Select one of the following options: All—QoS attributes are applied on all packets that are classified to the Voice VLAN. Telephony Source MAC Address—QoS attributes are applied only on packets from IP phones.
  • Page 291: Access Port Multicast Tv Vlan

    Any VLAN can be configured as a Multicast-TV VLAN. A port assigned to a Multicast-TV VLAN: • Joins the Multicast-TV VLAN. • Packets passing through egress ports in the Multicast TV VLAN are untagged.
  • Page 292: Igmp Snooping

    VLAN Membership: Regular VLAN—Source and all receiver ports must be static members in the same data VLAN. Multicast TV VLAN—Source and receiver ports cannot be members in the same data VLAN.
  • Page 293 Multicast TV VLAN—VLAN to which the Multicast packets are assigned. STEP 2 Click Add to associate a Multicast group to a VLAN. Any VLAN can be selected. When a VLAN is selected, it becomes a Multicast TV VLAN.
  • Page 294: Customer Port Multicast Tv Vlan

    The box forwards the packets from the network port to the subscriber's devices based on the VLAN tag of the packet. Each VLAN is mapped to one of the MUX access ports.
  • Page 295 To support the CPE MUX with subscriber VLANs, subscribers may require multiple video providers, and each provider is assigned a different external VLAN. CPE (internal) Multicast VLANs must be mapped to the Multicast provider (external) VLANs.
  • Page 296: Port Multicast Vlan Membership

    STEP 4 The Candidate Customer Ports list contains all access ports configured on the device. Move the required ports to the Member Customer Ports field. Click Apply. The new settings are modified and written to the Running Configuration file.
  • Page 298: Chapter 15: Spanning Tree

    STP provides a tree topology for any arrangement of switches and interconnecting links, by creating a unique path between end stations on a network, and thereby eliminating loops. Cisco 500 Series Managed Switch Administration Guide...
  • Page 299: Stp Status And Global Settings

    Click Spanning Tree > STP Status & Global Settings. STEP 1 Enter the parameters. STEP 2 Global Settings: • Spanning Tree State—Select to enable on the device. • STP Loopback Guard—Select to enable Loopback Guard on the device. Cisco 500 Series Managed Switch Administration Guide...
  • Page 300 Root Bridge ID—The Root Bridge priority concatenated with the MAC address of the Root Bridge. • Root Port—The port that offers the lowest cost path from this bridge to the Root Bridge. (This is significant when the bridge is not the root.) Cisco 500 Series Managed Switch Administration Guide...
  • Page 301: Spanning Tree Interface Settings

    Fast Link optimizes the STP protocol convergence. The options are: Enable—Enables Fast Link immediately. Auto—Enables Fast Link a few seconds after the interface becomes active. This allows STP to resolve loops before enabling Fast Link. Disable—Disables Fast Link. Cisco 500 Series Managed Switch Administration Guide...
  • Page 302 The priority is a value from 0 to 240, set in increments of 16. • Port State—Displays the current STP state of a port. Cisco 500 Series Managed Switch Administration Guide...
  • Page 303: Rapid Spanning Tree Settings

    The RSTP Interface Settings page enables you to configure RSTP per port. Any configuration that is done on this page is active when the global STP mode is set to RSTP or MSTP. Cisco 500 Series Managed Switch Administration Guide...
  • Page 304 Point to Point Administrative Status is set to Auto. • Role—Displays the role of the port that was assigned by STP to provide STP paths. The possible roles are: Root —Lowest cost path to forward packets to the Root Bridge. Cisco 500 Series Managed Switch Administration Guide...
  • Page 305 MAC addresses. Forwarding —The port is in Forwarding mode. The port can forward traffic and learn new MAC addresses. Click Apply. The Running Configuration file is updated. STEP 7 Cisco 500 Series Managed Switch Administration Guide...
  • Page 306: Multiple Spanning Tree

    MSTP bridges inside the region itself. For two or more switches to be in the same MST region, they must have the same VLANs to MST instance mapping, the same configuration revision number, and the same region name. Cisco 500 Series Managed Switch Administration Guide...
  • Page 307: Vlans To A Mstp Instance

    Configuration on this page (and all of the MSTP pages) applies if the system STP mode is MSTP. Up to 16 MST instances can be defined on the 500 Series switches in addition to instance zero. Cisco 500 Series Managed Switch Administration Guide...
  • Page 308: Mstp Instance Settings

    Status and Global Settings. To enter MSTP instance settings: Click Spanning Tree > MSTP Instance Settings. STEP 1 Enter the parameters. STEP 2 • Instance ID—Select an MST instance to be displayed and defined. Cisco 500 Series Managed Switch Administration Guide...
  • Page 309: Mstp Interface Settings

    Interface Type equals to—Select whether to display the list of ports or LAGs. Click Go. The MSTP parameters for the interfaces on the instance are displayed. STEP 3 Select an interface, and click Edit. STEP 4 Cisco 500 Series Managed Switch Administration Guide...
  • Page 310 LAN, which provides the lowest root path cost from the LAN to the Root Bridge for the MST instance. Alternate—The interface provides an alternate path to the root device from the root interface. Cisco 500 Series Managed Switch Administration Guide...
  • Page 311 Remain Hops—Displays the hops remaining to the next destination. • Forward Transitions—Displays the number of times the port has changed from the Forwarding state to the Blocking state. Click Apply. The Running Configuration file is updated. STEP 6 Cisco 500 Series Managed Switch Administration Guide...
  • Page 312: Chapter 16: Managing Mac Address Tables

    MAC address that is not found in the tables, they are transmitted/broadcasted to all the ports on the relevant VLAN. Such frames are referred to as unknown Unicast frames. The device supports a maximum of 8K static and dynamic MAC addresses. Cisco 500 Series Managed Switch Administration Guide...
  • Page 313: Static Mac Addresses

    Delete on timeout—The MAC address is deleted when aging occurs. Secure—The MAC address is secure when the interface is in classic locked mode (see Configuring Port Security). Click Apply. A new entry appears in the table. STEP 4 Cisco 500 Series Managed Switch Administration Guide...
  • Page 314: Dynamic Mac Addresses

    LAGs. Click Go. The Dynamic MAC Address Table is queried and the results are STEP 3 displayed. To delete all of the dynamic MAC addresses. click Clear Table. Cisco 500 Series Managed Switch Administration Guide...
  • Page 315: Reserved Mac Addresses

    Action—Select one of the following actions to be taken upon receiving a packet that matches the selected criteria: Bridge —Forward the packet to all VLAN members. Discard —Delete the packet. Click Apply. A new MAC address is reserved. STEP 4 Cisco 500 Series Managed Switch Administration Guide...
  • Page 316: Chapter 17: Multicast

    The data is sent only to relevant ports. Forwarding the data only to the relevant ports conserves bandwidth and host resources on links.
  • Page 317 (S,G) is supported by IGMPv3 and MLDv2, while IGMPv1/2 and MLDv1 support only (*,G), which is just the group ID. The device supports a maximum of 256 static and dynamic Multicast group addresses. Only one of the filtering options can be configured per VLAN.
  • Page 318: Typical Multicast Setup

    When a device learns that a host is using IGMP/MLD messages to register to receive a Multicast stream, optionally from a specific source, the device adds the registration to the MFDB.
  • Page 319 Queries must be sent at a rate that is aligned to the snooping table aging time. If queries are sent at a rate lower than the aging time, the subscriber cannot receive the Multicast packets. This is performed in the IGMP/MLD Snooping Edit page.
  • Page 320: Multicast Address Properties

    For IPv6, this is mapped by taking the 32 low-order bits of the Multicast address, and adding the prefix of 33:33. For example, the IPv6 Multicast address FF00:1122:3344 is mapped to Layer 2 Multicast 33:33:11:22:33:44. IGMP/MLD Proxy: IGMP/MLD Proxy is a simple IP Multicast protocol.
  • Page 321 • A Multicast packet received on a downstream interface on which the proxy device is the querier is forwarded on the upstream interface and on all
  • Page 322: Multicast Properties

    The MAC Group Address page has the following functions: • Query and view information from the Multicast Forwarding Data Base (MFDB), relating to a specific VLAN ID or a specific MAC address group. This
  • Page 323 The page displays: • VLAN ID—The VLAN ID of the Multicast group. • MAC Group Address—The MAC address of the group. STEP 7 Select either port or LAG from the Filter: Interface Type menu.
  • Page 324: Ip Multicast Group Addresses

    IP Version equals to—Select IPv6 or IPv4. • IP Multicast Group Address equals to—Define the IP address of the Multicast group to be displayed. This is only relevant when the Forwarding mode is (S,G).
  • Page 325 Forbidden—Specifies that this port is forbidden from joining this group on this VLAN. • None—Indicates that the port is not currently a member of this Multicast group on this VLAN. This is selected by default until Static or Forbidden is selected.
  • Page 326: Ipv4 Multicast Configuration

    IGMP Snooping Status—Select to enable IGMP Snooping on the VLAN. The device monitors network traffic to determine which hosts have asked to be sent Multicast traffic. The device performs IGMP snooping only when IGMP snooping and Bridge Multicast filtering are both enabled.
  • Page 327 NOTE If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface. STEP 4 Select a VLAN, and click Edit. STEP 5 Enter the parameters as described above.
  • Page 328: Igmp Interface Settings

    Multicast packets with a TTL value less than the threshold are not forwarded on the interface. The default value of 0 means all Multicast packets are forwarded on the interface. A value of 256 means that no Multicast packets are forwarded on the interface.
  • Page 329 A value of 256 means that no Multicast packets are forwarded on the interface. Configure the TTL threshold only on border routers. Conversely, routers on which you configure a TTL threshold value automatically become border routers.
  • Page 330: Igmp Proxy

    • Downstream Protection—Select one of the following options: Use Global—Use the status set in the global block. Disable—This disables forwarding of IPv4 Multicast traffic from downstream interfaces. Enable—This enables forwarding from downstream interfaces.
  • Page 331 Uptime—Length of time in hours, minutes, and seconds that the entry has been in the IP Multicast routing table. • Expiry Time—Length of time in hours, minutes, and seconds until the entry is removed from the IP Multicast routing table.
  • Page 332: Ipv6 Multicast Configuration

    Multicast traffic. The device performs MLD snooping only when MLD snooping and Bridge Multicast filtering are both enabled. • MRouter Ports Auto Learn—Select to enable Auto Learn of the Multicast router.
  • Page 333 Multicast routers in the VLAN that perform source-specific IP Multicast forwarding. Otherwise, select MLDv1. STEP 4 Select a VLAN, and click Edit. STEP 5 Enter the parameters as described above. STEP 6 Click Apply. The Running Configuration file is updated.
  • Page 334 A value of 256 means that no Multicast packets are forwarded on the interface. Configure the TTL threshold only on border routers. Conversely, routers on which you configure a TTL threshold value automatically become border routers.
  • Page 336: Mld Proxy

    • Downstream Protection—Select one of the following options: Use Global—Use the status set in the global block. Disable—This disables forwarding of IPv6 Multicast traffic from downstream interfaces. Enable—This enables forwarding from downstream interfaces.
  • Page 337 Uptime—Length of time in hours, minutes, and seconds that the entry has been in the IP Multicast routing table. • Expiry Time—Length of time in hours, minutes, and seconds until the entry is removed from the IP Multicast routing table.
  • Page 338: Igmp/Mld Snooping Ip Multicast Group

    Included Ports—The list of destination ports for the Multicast stream. • Excluded Ports—The list of ports not included in the group. • Compatibility Mode—The oldest IGMP/MLD version of registration from the hosts that the device receives on the IP group address.
  • Page 339: Multicast Router Ports

    Mrouter is not learned on this port (i.e. MRouter Ports Auto-Learn is not enabled on this port). • None—The port is not currently a Multicast router port. STEP 5 Click Apply to update the device.
  • Page 340: Forward All

    STEP 5 Click Apply. The Running Configuration file is updated. Unregistered Multicast: This feature can be used to ensure that the customer receives only the Multicast groups requested (registered) and not others that may be transmitted in the network (unregistered).
  • Page 341 Forwarding—Enables forwarding of unregistered Multicast frames to the selected interface. Filtering—Enables filtering (rejecting) of unregistered Multicast frames to the selected interface. STEP 5 Click Apply. The settings are saved, and the Running Configuration file is updated.
  • Page 342: Chapter 18: Ip Configuration

    Layer 2 system mode, this refers to all Sx500 devices and SG500X devices (in Hybrid mode) that have been manually set to Layer 2 mode. The MTU for layer 3 traffic on the SG500X, SG500XG and ESW2-550X is limited to 9000 bytes.
  • Page 343 If the ARP response shows that the IPv4 address is in use, the device sends a DHCPDECLINE message to the offering DHCP server, and sends another DHCPDISCOVER packet that restarts the process.
  • Page 344 With factory default settings, when no statically-defined or DHCP-acquired IP address is available, the default IP address is used. When the other IP addresses become available, the addresses are automatically used. The default IP address is always on the management VLAN.
  • Page 345: Loopback Interface

    VLAN, and no layer 2 protocol can be enabled on it. The IPv6 link-local interface identifier is 1. When the switch is in Layer 2 system mode, the following rules are supported: • Only one loopback interface is supported.
  • Page 346: Ipv4 Management And Interfaces

    IP Configuration > IPv6 Management and Interfaces > IPv6 Addresses page. IPv4 Management and Interfaces: IPv4 Interface. IPv4 interfaces can be defined on the device when it is in Layer 2 or Layer 3 system mode.
  • Page 347 Prefix Length—Select and enter the length of the IPv4 address prefix. • Loopback Interface—Select to enable the configuration of a loopback interface (see Loopback Interface). • Loopback IP Address—Enter the IPv4 address of the loopback interface.
  • Page 348 IP subnets configured on the device. The device continues to bridge traffic between devices in the same VLAN. Additional IPv4 routes for routing to non-directly attached subnets can be configured in the IPv4 Static Routes page.
  • Page 349 Duplicated—A duplicated IP address was detected for the default IP address. Delayed—The assignment of the IP address is delayed for 60 seconds if DHCP Client is enabled on startup, in order to give time to discover a DHCP address.
  • Page 350 CAUTION When the system is in one of the stacking modes with a Backup Master present, Cisco recommends configuring the IP address as a static address to prevent disconnecting from the network during a Stacking Master switchover. This is because when the backup master takes control of the stack, when using DHCP, it might receive a different IP address than the one that was received by the stack's...
  • Page 351: Ipv4 Routes

    STEP 3 Enter values for the following fields: • Destination IP Prefix—Enter the destination IP address prefix. • Mask—Select and enter information for one of the following: Network Mask—IP route prefix for the destination IP.
  • Page 352: Access List

    IP subnets directly connected to it. A directly-connected IP subnet is the subnet to which an IPv4 interface of the device is connected. When the device is required to send/route a packet to a local device, it searches
  • Page 353 IP Address—The IP address of the IP device. • MAC Address—The MAC address of the IP device. • Status—Whether the entry was manually entered or dynamically learned. STEP 4 Click Add. STEP 5 Enter the parameters:
  • Page 354: Arp Proxy

    STEP 2 Select ARP Proxy to enable the device to respond to ARP requests for remotely-located nodes with the device MAC address. STEP 3 Click Apply. The ARP proxy is enabled, and the Running Configuration file is updated.
  • Page 355 A trusted port is a port that is connected to a DHCP server and is allowed to assign DHCP addresses. DHCP messages received on trusted ports are allowed to pass through the device.
  • Page 356 The main goal of option 82 is to help the DHCP server select the best IP subnet (network pool) from which to obtain an IP address. The following Option 82 options are available on the device:
  • Page 357 Snooping is not enabled and DHCP Relay is enabled. (Table: DHCP Relay behavior for a packet that arrives with Option 82 or without Option 82, on a VLAN with an IP address and on a VLAN without an IP address.)
  • Page 358 (Table continued; recoverable cells: "Relay – Insertion Disabled", "discards the original packet", "Bridge – no Option 82", "Option 82 is inserted", "Bridge – Packet is sent with the original Option 82".)
  • Page 359 Snooping is disabled: (Table: DHCP Relay behavior for a packet that arrives with Option 82 or without Option 82, on a VLAN with an IP address and on a VLAN without an IP address.)
  • Page 360 (Table continued; recoverable cells: "Bridge – Packet is sent without Option 82", "Bridge – Packet is sent with the Option 82".)
  • Page 361: Dhcp Snooping Binding Database

    DHCP packets entering the device through trusted ports. The DHCP Snooping Binding database contains the following data: input port, input VLAN, MAC address of the client and IP address of the client if it exists.
  • Page 362 DHCPNAK to deny the address request. STEP 5 Device snoops packet. If an entry exists in the DHCP Snooping Binding table that matches the packet, the device replaces it with the IP-MAC binding on receipt of DHCPACK.
  • Page 363 Otherwise the packet is forwarded to trusted interfaces only, and the entry is removed from the database.
  • Page 364 Option 82 Insertion: Not enabled. Option 82 Passthrough: Not enabled. Verify MAC Address: Enabled. Backup DHCP Snooping Binding Database: Not enabled. DHCP Relay: Disabled. Configuring DHCP Work Flow. To configure DHCP Relay and DHCP Snooping:
  • Page 365 Backup Database—Select to back up the DHCP Snooping Binding database on the device's flash memory. Backup Database Update Interval—Enter how often the DHCP Snooping Binding database is to be backed up (if Backup Database is selected).
  • Page 366 Relay > DHCP Snooping Trusted Interfaces. STEP 2 Select the interface and click Edit. STEP 3 Select Trusted Interface (Yes or No). STEP 4 Click Apply to save the settings to the Running Configuration file.
  • Page 367 Active—IP Source Guard is active on the device. Inactive—IP Source Guard is not active on the device. • Reason—One of: No Problem, No Resource, No Snoop VLAN, Trust Port. STEP 2 To add an entry, click Add.
  • Page 368: Dhcp Server

    (that can be infinite). If the DHCP client does not renew the allocated IP Address, the IP address is revoked at the end of this period, and the client must request another IP address. This is done in the Network Pools page.
  • Page 369 IP address from the configured pool. Do this in the IP Configuration > IPv4 Interface page. STEP 7 View the allocated IP addresses using the Address Binding page. IP addresses can be deleted in this page.
  • Page 370 If the message arrived via DHCP relay, the address used belongs to the IP subnet specified by the minimum IP address and IP mask of the pool, and the pool is a remote pool. Up to eight network pools can be defined.
  • Page 371 Minutes—The number of minutes in the lease. A days value and an hours value must be added before a minutes value can be added. • Default Router IP Address (Option 3)—Enter the default router for the DHCP client.
  • Page 372 By default, the DHCP server assumes that all pool addresses in a pool may be assigned to clients. A single IP address or a range of IP addresses can be excluded. The excluded addresses are excluded from all DHCP pools.
  • Page 373 • Identifier Type—Set how to identify the specific static host. Client Identifier—Enter a unique identification of the client specified in hexadecimal notation, such as: 01b60819681172. MAC Address—Enter the MAC address of the client.
  • Page 374 File Server Host Name (sname/Option 66)—Enter the name of the TFTP/SCP server. • Configuration File Name (file/Option 67)—Enter the name of the file that is used as a configuration file. STEP 3 Click Apply. The Running Configuration file is updated.
  • Page 375 IP—Select if you want to enter an IP address when this is relevant for the DHCP option selected. IP List—Enter a list of IP addresses separated by commas. Integer—Select if you want to enter an integer value of the parameter for the DHCP option selected.
  • Page 376 The IP address is revoked at the end of this period, at which time the client must request another IP address. • State—The possible options are:
  • Page 377: Ipv6 Management And Interfaces

    Tunnel). Tunneling treats the IPv4 network as a virtual IPv6 local link, with mappings from each IPv4 address to a link local IPv6 address. The device detects IPv6 frames by the IPv6 Ethertype.
  • Page 378: Ipv6 Global Configuration

    STEP 1 In Layer 2 system mode, click Administration > Management Interface > IPv6 Global Configuration. In Layer 3 system mode, click IP Configuration > IPv6 Management and Interfaces > IPv6 Global Configuration. STEP 2 Enter values for the following fields:
  • Page 379: Ipv6 Interface

    An IPv6 interface can be configured on a port, LAG, VLAN, loopback interface or tunnel. As opposed to other types of interfaces, a tunnel interface is first created in the IPv6 Tunnel page and then the IPv6 interface is configured on the tunnel in this page.
  • Page 380 Infinite (no refresh unless the server sends this option) or User Defined to set a value. STEP 7 To configure additional IPv6 parameters, enter the following fields: • IPv6 Address Auto Configuration—Select to enable automatic address configuration from router advertisements sent by neighbors.
  • Page 381 DHCPv6 server. DHCPv6 Client Details: The Details button displays information received on the interface from a DHCPv6 server. It is active when the interface selected is defined as a DHCPv6 stateless client.
  • Page 382 POSIX Timezone String—Timezone received from the DHCPv6 server. • Configuration Server—Server containing the configuration file, received from the DHCPv6 server. • Configuration Path Name—Path to the configuration file on the configuration server, received from the DHCPv6 server.
  • Page 383: Ipv6 Tunnel

    6to4 is an automatic tunneling mechanism that uses the underlying IPv4 network as a non-Broadcast multiple-access link layer for IPv6. Only one 6to4 tunnel is supported on a device. The 6to4 tunnel is supported only when IPv6 Forwarding is supported.
  • Page 384 STEP 4 Click Apply to save the ISATAP parameters to the Running Configuration file. STEP 5 To add a tunnel, select an interface (which was defined as a tunnel in the IPv6 Interfaces page) in the IPv6 Tunnel Table and click Add.
  • Page 385 • Destination—(For manual tunnel only) Select one of the following options to specify the destination address of the tunnel: Host Name—DNS name of the remote host. IPv4 Address—IPv4 address of the remote host.
  • Page 386: Defining Ipv6 Addresses

    If a link local address exists on the interface, this entry replaces the address in the configuration. Global—An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks.
  • Page 387 The following sections describe how to configure IPv6 routers. Router Advertisement: IPv6 routers are able to advertise their prefixes to neighboring devices. This feature can be enabled or suppressed per interface, as follows:
  • Page 388 • Neighbor Solicitation Retransmissions Interval—Set the interval to determine the time between retransmissions of neighbor solicitation messages to a neighbor when resolving the address or when probing the reachability of a neighbor.
  • Page 389 STEP 5 Enter the following fields: • Prefix Address—The IPv6 network. This argument must be in the form documented in RFC 4293, where the address is specified in hexadecimal using 16-bit values between colons.
  • Page 390 (L-bit set). No-Onlink—Configures the specified prefix as not onlink. A no-onlink prefix is inserted into the routing table as a connected prefix but advertised with the L-bit clear.
  • Page 391: Ipv6 Default Router List

    Default Router IPv6 Address—Link local IP address of the default router. • Type—The default router configuration that includes the following options: Static—The default router was manually added to this table through the Add button. Dynamic—The default router was dynamically configured.
  • Page 392: Defining Ipv6 Neighbors Information

    IPv6 subnet as the device. This is the IPv6 equivalent of the IPv4 ARP Table. When the device needs to communicate with its neighbors, the device uses the IPv6 Neighbor Table to determine the MAC addresses based on their IPv6 addresses.
  • Page 393 Delay state for a predefined Delay Time. If no reachability confirmation is received, the state changes to Probe. Probe—Neighbor is no longer known to be reachable, and Unicast Neighbor Solicitation probes are being sent to verify the reachability.
  • Page 394 If only Lower Than is specified, the range is from the value entered for the network/length argument to the Lower Than. If both the Greater Than and Lower Than arguments are entered, the range is between the values used for Greater Than and Lower Than.
  • Page 395 • Greater Than—Minimum prefix length to be used for matching. Select one of the following options: No Limit—No minimum prefix length to be used for matching. User Defined—Minimum prefix length to be matched.
  • Page 396 User Defined—Only the specified IPv6 address can be the source. • Prefix length—Enter the prefix length of the source IPv6 address. • Action—Select one of the following options: Permit—Permit passage of the source IPv6 Address.
  • Page 397: Viewing Ipv6 Route Tables

    Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration. Global—An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks.
  • Page 398: Dhcpv6 Relay

    Interface List—This is a per-interface list of DHCPv6 servers. When a DHCPv6 packet is received on an interface, the packet is relayed both to the servers on the interface list (if it exists) and to the servers on the global destination list.
  • Page 399 STEP 2 To enable DHCPv6 on an interface and optionally add a DHCPv6 server for an interface, click Add. Enter the fields: • Source Interface—Select the interface (port, LAG, VLAN or tunnel) for which DHCPv6 Relay is enabled.
  • Page 400: Domain Name

    Polling Timeout—Enter the number of seconds that the device will wait for a response to a DNS query. • Polling Interval—Enter how often (in seconds) the device sends DNS query packets after the number of retries has been exhausted.
  • Page 401 If a link local address exists on the interface, this entry replaces the address in the configuration. Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
  • Page 402: Search List

    There can be up to 64 static entries. • Dynamic Entries—These are mapping pairs that were either added by the system as a result of being used by the user, or an entry for each IP
  • Page 403 Remaining TTL (Sec)—If this is a dynamic entry, how much longer it will remain in the cache. STEP 3 To add a host mapping, click Add. STEP 4 Enter the parameters. • IP Version—Select Version 6 for IPv6 or Version 4 for IPv4.
  • Page 404 0 through 9, the underscore and the hyphen. A period (.) is used to separate labels. • IP Address—Enter a single address or up to eight associated IP addresses (IPv4 or IPv6). STEP 5 Click Apply. The settings are saved to the Running Configuration file.
  • Page 405: Chapter 19: Ip Configuration: Ripv2

    NOTE The IP Routing control is available on the SG500X/ESW2-550X models only. To enable IP Routing, go to the Configuration > Management and IP Interface > IPv4 Interface page. The device supports RIP version 2, which is based on the following standards:
  • Page 406: How Rip Operates On The Device

    The offset is set per interface and, for example, can reflect the speed, delay, or some other quality of that particular interface. In this way, the relative cost of the interfaces can be adjusted as desired.
  • Page 407: Passive Mode

    Transmission of routing update messages over a specific IP interface can be disabled. In this case, the router is passive, and only receives the updated RIP information on this interface. By default, transmission of routing updates on an IP interface is enabled.
  • Page 408 You can determine whether static or connected routes are redistributed by RIP by configuring the Redistribute Static Route or Redistribute Connected Route feature, respectively. These features are disabled by default and can be enabled globally.
  • Page 409 If the metric value of a static route is greater than 15, the route is not advertised to other routers using RIP. • User Defined Metric—Causes RIP to use the metric value entered by the user.
  • Page 410 Plain text or password—Uses a key password (string) that is sent along with the route to another router. The receiving router compares this key to its own configured key. If they are the same, it accepts the route.
  • Page 411: Configuring Rip

    Optional actions (if these are not performed, default values are used by the system): Enable/disable RIP to advertise static or connected routes and their metric on the IP interface, using the RIPv2 Properties page.
  • Page 412 Default Route Advertisement—Select to enable sending the default route to the RIP domain. This route will serve as the default router. • Default Metric—Enter the value of the default metric (refer to Redistribution Feature).
  • Page 413 If the metric value of a static route is greater than 15, the static route is not advertised to other routers using RIP. • User Defined Metric—Enter the value of the metric. STEP 7 Click Apply. The settings are written to the Running Configuration file.
  • Page 414 IP interface. The following options are available: None—There is no authentication performed. Text—The key password entered below is used for authentication. MD5—The MD5 digest of the key chain selected below is used for authentication.
  • Page 415 For example, the IP destination is a Broadcast address, or the metric is 0 or greater than 16. • Update Sent—Specifies the number of packets sent by RIP on the IP interface.
  • Page 416: Access Lists

    To create access lists, do the following: 1. Create an access list with a single IP address, using the Access List Settings page. 2. Add additional IP addresses if required, using the Source IPv4 Address List page.
  • Page 417 STEP 2 To modify the parameters of an access list, click Add to open the Edit Access List page and modify any of the following fields: • Access List Name—Name of the access list.
  • Page 418 Action—Action for the access list. The following options are available: Permit—Permit entry of packets from the IP address(es) in the access list. Deny—Reject entry of packets from the IP address(es) in the access list.
  • Page 419: Chapter 20: IP Configuration: VRRP

    VRRP also enables load sharing of traffic. Traffic can be shared equitably among available routers by configuring VRRP so that traffic to and from LAN clients is shared by multiple routers.
  • Page 420 NOTE The VRRP router that is the IP address owner responds to and processes packets whose destination is the IP address. The VRRP router that is the virtual router master, but not the IP address owner, does not respond to or process those packets.
  • Page 421 The following shows a LAN topology in which VRRP is configured. Routers A and B share the traffic to and from clients 1 through 4, and Routers A and B act as virtual router backups to each other if either router fails.
  • Page 422 For virtual router 2, rB is the owner of IP address 192.168.2.2 and the virtual router master, and rA is the virtual router backup to rB. Clients 3 and 4 are configured with the default gateway IP address of 192.168.2.2.
  • Page 423: Configurable Elements of VRRP

    ...VRRP router to operate in VRRPv3. • All the existing VRRP routers of the virtual router operate in VRRPv2. In this case, configure your new VRRP router to operate in VRRPv2.
  • Page 424 The VRRP routers that are non-owners must be configured with an IP interface on the same IP subnet as the IP addresses of the virtual router. The corresponding IP subnets must be configured manually in the VRRP router, not assigned by DHCP.
  • Page 425: VRRP Router Priority and Preemption

    If both have the same priority, the one with the higher IP address value is selected to become the virtual router master. By default, the preemptive feature is enabled, which functions as follows:
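The election and preemption rules above, replayed on the guide's own topology (virtual router 2, where rB owns 192.168.2.2 and rA is its backup) and on a second virtual router that nobody owns. This is an added example, not code from the Cisco guide or the switch firmware: the owner priority 255, the default priority 100, and the rule that the address owner reclaims its address even with preemption disabled are taken from RFC 3768/5798 and are assumptions here, since the guide's summary does not restate them.

```python
"""VRRP master election with priority, IP tie-break and preemption.

Added example, not code from the Cisco guide. It models the election rules the
guide describes: the router that owns the virtual IP address is master, otherwise
the highest priority wins, and on equal priority the higher IP address value wins.
The owner priority 255, the default priority 100 and the rule that the owner always
reclaims its address even with preemption disabled come from RFC 3768/5798 and are
assumptions here (the guide's summary does not restate them).
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

OWNER_PRIORITY = 255    # reserved for the IP address owner (RFC 3768), assumption
DEFAULT_PRIORITY = 100  # RFC default, assumption


@dataclass
class VrrpRouter:
    name: str
    interface_ip: IPv4Address      # the router's own address on the shared subnet
    priority: int = DEFAULT_PRIORITY
    up: bool = True


@dataclass
class VirtualRouter:
    vrid: int
    virtual_ip: IPv4Address
    routers: List[VrrpRouter]
    preempt: bool = True           # the guide: preemption is enabled by default
    master: Optional[str] = None

    def effective_priority(self, r: VrrpRouter) -> int:
        return OWNER_PRIORITY if r.interface_ip == self.virtual_ip else r.priority

    def best_candidate(self) -> Optional[VrrpRouter]:
        alive = [r for r in self.routers if r.up]
        if not alive:
            return None
        # Highest priority wins; equal priority is broken by the higher IP address value.
        return max(alive, key=lambda r: (self.effective_priority(r), int(r.interface_ip)))

    def elect(self) -> Optional[str]:
        """Run one election round and return the name of the resulting master."""
        cand = self.best_candidate()
        if cand is None:
            self.master = None
            return None
        current = next((r for r in self.routers if r.name == self.master and r.up), None)
        if current is None:
            self.master = cand.name          # no master yet, or the master failed: backup takes over
        elif cand.name != current.name:
            # A better router is available again. It takes over only if preemption is
            # enabled, except the IP address owner, which always reclaims its own address.
            if self.preempt or self.effective_priority(cand) == OWNER_PRIORITY:
                self.master = cand.name
        return self.master


def run_scenario(preempt: bool = True) -> Dict[str, Optional[str]]:
    """Replay the guide's virtual router 2 (rB owns 192.168.2.2) and a non-owner tie."""
    out: Dict[str, Optional[str]] = {}
    rA = VrrpRouter("rA", IPv4Address("192.168.2.1"))
    rB = VrrpRouter("rB", IPv4Address("192.168.2.2"))
    vr2 = VirtualRouter(2, IPv4Address("192.168.2.2"), [rA, rB], preempt=preempt)
    out["initial"] = vr2.elect()        # rB: it owns the virtual address
    rB.up = False
    out["owner_down"] = vr2.elect()     # rA takes over as master
    rB.up = True
    out["owner_back"] = vr2.elect()     # rB reclaims, with or without preemption

    # Virtual router 3: nobody owns the virtual IP and both routers keep priority 100.
    a = VrrpRouter("rA", IPv4Address("192.168.3.1"))
    b = VrrpRouter("rB", IPv4Address("192.168.3.2"))
    vr3 = VirtualRouter(3, IPv4Address("192.168.3.254"), [a, b], preempt=preempt)
    out["tie"] = vr3.elect()               # rB: higher IP address value wins the tie
    b.up = False
    out["tie_master_down"] = vr3.elect()   # rA
    b.up = True
    out["tie_master_back"] = vr3.elect()   # rB if preempt is on, otherwise rA stays master
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print(f"preempt={mode}: {run_scenario(mode)}")
```

The practical point the second scenario makes: with preemption disabled, a returning router with the same priority but a higher address does not displace the current master, whereas the address owner always does.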
  • Page 426: VRRP Advertisements

    STEP 1 Click IP Configuration > IPv4 Management and Interfaces > VRRP > Virtual Routers. STEP 2 To add a virtual router, click Add. STEP 3 Enter the following fields: • Interface—Interface on which the virtual router is defined.
  • Page 427 Virtual Router Identifier—The virtual router identification number. • Virtual Router MAC Address—The virtual MAC address of the virtual router. • Virtual Router IP Address Table—IP addresses associated with this virtual router. • Description—The virtual router name.
  • Page 428: VRRP Statistics

    The following fields are displayed for every interface on which VRRP is enabled: • Interface—Displays the interface on which VRRP is enabled. • Invalid Checksum—Displays the number of packets with invalid checksums. • Invalid Packet Length—Displays the number of packets with invalid packet lengths.
  • Page 429 Invalid Authentication—Displays the number of packets that failed authentication. STEP 2 Select an interface. STEP 3 Click Clear Interface Counters to clear the counters for that interface. STEP 4 Click Clear All Interface Counters to clear all the counters.
  • Page 430: Chapter 21: Security

    Configuring TCP/UDP Services • Defining Storm Control • Access Control. Access control of end users to the network through the device is described in the following sections: • Management Access Method
  • Page 431: Defining Users

    First Hop Security. Defining Users: The default username/password is cisco/cisco. The first time that you log in with the default username and password, you are required to enter a new password. Password complexity is enabled by default. If the password that you choose is not complex enough (Password Complexity Settings are enabled in the Password Strength page), you are prompted to create another password.
  • Page 432 ...CLI commands that do not change the device configuration. Read/Limited Write CLI Access (7)—User cannot access the GUI, and can only access some CLI commands that change the device configuration. See the CLI Reference Guide for more information.
  • Page 433 • Contain no character that is repeated more than three times consecutively. • Do not repeat or reverse the user's name or any variant reached by changing the case of the characters.
  • Page 434: Configuring TACACS+

    The device can act as a TACACS+ client that uses the TACACS+ server for the following services: • Authentication—Provides authentication of users logging onto the device by using usernames and user-defined passwords.
  • Page 435 The user can enable accounting of login sessions using either a RADIUS or a TACACS+ server. The user-configurable TCP port used for TACACS+ server accounting is the same TCP port that is used for TACACS+ server authentication and authorization.
  • Page 436 To use a TACACS+ server, do the following: STEP 1 Open an account for a user on the TACACS+ server. STEP 2 Configure that server along with the other parameters in the TACACS+ and Add TACACS+ Server pages.
  • Page 437 ...TACACS+ server times out. If a value is not entered in the Add TACACS+ Server page for a specific server, the value is taken from this field.
  • Page 438 • Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list. • Server IP Address/Name—Enter the IP address or name of the TACACS+ server.
  • Page 439: Configuring RADIUS

    Remote Authentication Dial-In User Service (RADIUS) servers provide centralized 802.1X or MAC-based network access control. The device is a RADIUS client that can use a RADIUS server to provide centralized security.
  • Page 440: Accounting Using a RADIUS Server

    No RADIUS server is defined by default. • If you configure a RADIUS server, the accounting feature is disabled by default. Interactions With Other Features: You cannot enable accounting on both a RADIUS and a TACACS+ server.
  • Page 441: RADIUS Workflow

    ...RADIUS server before a failure is considered to have occurred. • Timeout for Reply—Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query or switching to the next server.
  • Page 442 If a link local address exists on the interface, this entry replaces the address in the configuration. Global—The IPv6 address is a global unicast IPv6 type that is visible and reachable from other networks.
  • Page 443 Login—RADIUS server is used for authenticating users that ask to administer the device. 802.1X—RADIUS server is used for 802.1X authentication. All—RADIUS server is used for authenticating users that ask to administer the device and for 802.1X authentication.
  • Page 444: Key Management

    Key Identifier—Integer identifier for the key chain. • Key String—Value of the key chain string. Enter one of the following options: User Defined (Encrypted)—Enter an encrypted version. User Defined (Plaintext)—Enter a plaintext version.
  • Page 445 STEP 3 Click Apply. The settings are written to the Running Configuration file. Creating Key Settings: Use the Key Chain Settings page to add a key to an already existing key chain.
  • Page 446 • Duration—Length of time that the key identifier is valid. Enter the following fields: Days—Number of days that the key identifier is valid. Hours—Number of hours that the key identifier is valid.
  • Page 447: Management Access Method

    Source IP Address—IP addresses or subnets. Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS...
  • Page 448: Active Access Profile

    STEP 3 Click OK to select the active access profile or click Cancel to discontinue the action.
  • Page 449 Applies to Interface—Select the interface attached to the rule. The options are: All—Applies to all ports, VLANs, and LAGs. User Defined—Applies to the selected interface. • Interface—Enter the interface number if User Defined was selected.
  • Page 450: Defining Profile Rules

    ...IT management center. In this way, the device can still be managed and has gained another layer of security. To add profile rules to an access profile:
  • Page 451 Or select Deny to deny access. • Applies to Interface—Select the interface attached to the rule. The options are: All—Applies to all ports, VLANs, and LAGs. User Defined—Applies only to the port, VLAN, or LAG selected.
  • Page 452: Management Access Authentication

    For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authenticated and authorized locally.
  • Page 453 These username and password pairs are defined in the User Accounts page. NOTE The Local or None authentication method must always be selected last. All authentication methods selected after Local or None are ignored.
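The method chain described above, modelled as an added example (not code from the Cisco guide or the switch). It shows the fallback the guide describes (RADIUS servers queried in priority order, Local used only when none replies), the note that anything after Local or None is ignored, and the consequence of placing None first: every login succeeds without the RADIUS server ever being asked. That an explicit reject from a server is final and Local is not consulted afterwards is the usual AAA behaviour and an assumption here; the servers and the local account are constructed stand-ins, not real RADIUS or TACACS+ clients.

```python
"""Management access authentication method chain.

Added example, not code from the Cisco guide. It models what the guide states:
methods are tried in the configured order, the servers of a RADIUS or TACACS+
method are queried in priority order, a method whose servers all fail to reply
falls through to the next method, and any method listed after Local or None is
ignored. That an explicit reject from a server is final (Local is not consulted)
is the usual AAA behaviour and an assumption here; the servers and users are
constructed stand-ins, not real RADIUS clients.
"""
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, NO_REPLY = "accept", "reject", None
Server = Callable[[str, str], Optional[str]]   # (username, password) -> ACCEPT / REJECT / NO_REPLY


def effective_methods(methods: List[str]) -> List[str]:
    """Truncate the chain after the first 'local' or 'none': later methods are ignored."""
    out: List[str] = []
    for m in methods:
        out.append(m)
        if m in ("local", "none"):
            break
    return out


def authenticate(methods: List[str], servers: Dict[str, List[Server]],
                 local_users: Dict[str, str], username: str, password: str) -> Tuple[bool, str]:
    """Return (allowed, method that made the decision)."""
    for method in effective_methods(methods):
        if method == "none":
            return True, "none"                       # no authentication at all
        if method == "local":
            return local_users.get(username) == password, "local"
        for srv in servers.get(method, []):           # radius / tacacs: priority order
            reply = srv(username, password)
            if reply is NO_REPLY:
                continue                              # timed out: try the next server
            return reply == ACCEPT, method            # first answer is final
        # every server of this method timed out: fall through to the next method
    return False, "no method answered"


def run_examples() -> Dict[str, Tuple[bool, str]]:
    def dead_server(user: str, pw: str) -> Optional[str]:
        return NO_REPLY                               # constructed: never replies

    def live_radius(user: str, pw: str) -> Optional[str]:
        return ACCEPT if (user, pw) == ("alice", "s3cret!") else REJECT

    local = {"admin": "Adm1n!pass"}                   # constructed local account
    return {
        # RADIUS then Local: both RADIUS servers silent, so Local decides
        "radius_dead_local_ok": authenticate(["radius", "local"], {"radius": [dead_server, dead_server]},
                                             local, "admin", "Adm1n!pass"),
        # second RADIUS server answers with a reject: final, Local is not consulted
        "radius_reject": authenticate(["radius", "local"], {"radius": [dead_server, live_radius]},
                                      local, "admin", "Adm1n!pass"),
        "radius_accept": authenticate(["radius", "local"], {"radius": [dead_server, live_radius]},
                                      local, "alice", "s3cret!"),
        # misordered chain: None first lets anyone in and RADIUS is never asked
        "none_first": authenticate(["none", "radius"], {"radius": [live_radius]}, local, "mallory", "x"),
        # only RADIUS configured and silent, no Local fallback: access denied
        "all_dead": authenticate(["radius"], {"radius": [dead_server]}, local, "admin", "Adm1n!pass"),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```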
  • Page 454: Secure Sensitive Data Management

    2. Request that the certificate be certified by a CA. 3. Import the signed certificate into the device. Default Settings and Configuration: By default, the device contains a certificate that can be modified. HTTPS is enabled by default.
  • Page 455: SSL Server Authentication Settings

    Certificate Request—Displays the certificate signing request created when the Generate Certificate Request button is pressed. STEP 5 Click Generate Certificate Request. This creates a request that must be submitted to the Certification Authority (CA). Copy it from the Certificate Request field.
  • Page 456: SSH Server

    The Details button displays the certificate and RSA key pair. This is used to copy the certificate and RSA key pair to another device (using copy/paste). When you click Display Sensitive Data as Encrypted, the private keys are displayed in encrypted form. SSH Server: Security > SSH Server.
  • Page 457: SSH Client

    Telnet Service—Indicates whether the Telnet service is enabled or disabled. • SSH Service—Indicates whether the SSH server service is enabled or disabled. STEP 3 Click Apply. The services are written to the Running Configuration file.
  • Page 458: Defining Storm Control

    When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than the user-defined threshold, frames received beyond the threshold are discarded.
  • Page 459: Configuring Port Security

    ...MAC addresses. The MAC addresses can be either dynamically learned or statically configured. Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.
  • Page 460 (see the 802.1X Host and Session Authentication page). To configure port security: STEP 1 Click Security > Port Security. STEP 2 Select an interface to be modified, and click Edit.
  • Page 461 Forward—Forwards packets from an unknown source without learning the MAC address. Shutdown—Discards packets from any unlearned source, and shuts down the port. The port remains shut down until reactivated, or until the device is rebooted.
  • Page 462

    One method of resisting DoS attacks employed by the device is the use of SCT (Secure Core Technology). SCT is enabled by default on the device and cannot be disabled. The device is an advanced device that handles management traffic, protocol traffic and snooping traffic, in addition to end-user (TCP) traffic.
  • Page 463: Types of DoS Attacks

    Invasor Trojan—A trojan enables the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections...
  • Page 464: Defense Against DoS Attacks

    ...DoS Prevention is enabled. A SYN attack cannot be blocked if there is an ACL active on an interface. Default Configuration: The DoS Prevention feature has the following defaults:
  • Page 465: Configuring DoS Prevention

    ...Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan. STEP 5 If System-Level Prevention or System-Level and Interface-Level Prevention is selected, enable one or more of the following DoS Prevention options:
  • Page 466 STEP 1 Click Security > Denial of Service Prevention > SYN Protection. STEP 2 Enter the parameters. • Block SYN-FIN Packets—Select to enable the feature. All TCP packets with both the SYN and FIN flags set are dropped on all ports.
  • Page 467 Addresses defined to be illegal in the Martian Addresses page. • Addresses that are illegal from the point of view of the protocol, such as loopback addresses, including addresses within the following ranges:
  • Page 468 ...—Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled. STEP 5 Click Apply. The Martian addresses are written to the Running Configuration file.
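Two of the filters described above (SYN-FIN blocking and Martian source addresses), applied to a raw IPv4/TCP packet, as an added example. This is not code from the Cisco guide or the switch's forwarding plane; it shows what each filter has to look at in the packet. The guide's summary names loopback but its list of protocol-illegal ranges is cut off, so the reserved ranges below are the usual bogon set and an assumption; the user-defined entry stands in for a row on the Martian Addresses page and the packets are constructed inline with zero checksums.

```python
"""Packet checks modelled on the DoS Prevention filters in the guide.

Added example, not code from the Cisco guide. It parses a raw IPv4+TCP packet and
applies two of the checks the guide names: drop TCP segments with both SYN and FIN
set, and drop packets whose source address is a Martian. The guide's summary cuts
off its list of protocol-illegal ranges (it names loopback); the list below is the
usual bogon set and is an assumption. The user-defined entries and the packets
built by build_ipv4_tcp are constructed test data.
"""
import struct
from ipaddress import IPv4Address, ip_network
from typing import Dict, Iterable, Optional, Tuple

TCP_FIN, TCP_SYN = 0x01, 0x02

# Protocol-illegal source ranges (assumption; the guide names loopback explicitly).
RESERVED_MARTIANS = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def parse_ipv4_tcp(pkt: bytes) -> Tuple[IPv4Address, IPv4Address, int, Optional[int]]:
    """Return (src, dst, protocol, tcp_flags or None). Raises ValueError on a bad header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IPv4 version or length fields")
    flags = None
    if proto == 6:
        if total_len - ihl < 20:
            raise ValueError("truncated TCP header")
        flags = pkt[ihl + 13]            # TCP flags byte (offset 13 of the TCP header)
    return IPv4Address(src), IPv4Address(dst), proto, flags


def check_packet(pkt: bytes, user_martians: Iterable[str] = (), block_syn_fin: bool = True) -> Optional[str]:
    """Return None to forward the packet, or the reason for dropping it."""
    try:
        src, _dst, proto, flags = parse_ipv4_tcp(pkt)
    except ValueError as e:
        return f"malformed: {e}"
    for net in RESERVED_MARTIANS + [ip_network(n) for n in user_martians]:
        if src in net:
            return f"martian source {src} in {net}"
    if block_syn_fin and proto == 6 and flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN):
        return "SYN and FIN both set"
    return None


def build_ipv4_tcp(src: str, dst: str, flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed minimal IPv4+TCP packet (checksums left zero; test input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def run_examples() -> Dict[str, Optional[str]]:
    user_defined = ["10.9.0.0/16"]       # constructed entry standing in for the Martian Addresses page
    return {
        "normal_syn": check_packet(build_ipv4_tcp("10.0.0.5", "192.168.1.1", TCP_SYN)),
        "syn_fin": check_packet(build_ipv4_tcp("10.0.0.5", "192.168.1.1", TCP_SYN | TCP_FIN)),
        "syn_fin_unblocked": check_packet(build_ipv4_tcp("10.0.0.5", "192.168.1.1", TCP_SYN | TCP_FIN), block_syn_fin=False),
        "loopback_source": check_packet(build_ipv4_tcp("127.0.0.1", "192.168.1.1", TCP_SYN)),
        "user_martian": check_packet(build_ipv4_tcp("10.9.9.9", "192.168.1.1", TCP_SYN), user_martians=user_defined),
        "truncated": check_packet(b"\x45\x00\x00"),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict or 'forward'}")
```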
  • Page 469 This feature is only available when the device is in Layer 2 system mode on Sx300 and SG500 devices, and on SG500X and SG500XG devices in Native mode.
  • Page 470 STEP 1 Click Security > Denial of Service Prevention > ICMP Filtering. STEP 2 Click Add. STEP 3 Enter the parameters. • Interface—Select the interface on which the ICMP filtering is being defined.
  • Page 471 Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format. Prefix Length—Select Prefix Length and enter the number of bits that comprise the source IP address prefix.
  • Page 472: DHCP Snooping

    If a port is DHCP trusted, filtering of static IP addresses can still be configured by enabling IP Source Guard on the port, even though IP Source Guard is not otherwise active in that condition.
  • Page 473: Configuring IP Source Guard Work Flow

    STEP 5 Enable IP Source Guard on the untrusted interfaces as required in the Security > IP Source Guard > Interface Settings page. STEP 6 View entries in the Binding database in the Security > IP Source Guard > Binding Database page.
  • Page 474: Enabling IP Source Guard

    STEP 3 Select the port/LAG and click Edit. Select Enable in the IP Source Guard field to enable IP Source Guard on the interface. STEP 4 Click Apply to copy the setting to the Running Configuration file.
  • Page 475: Binding Database

    Status—Displays whether the interface is active. • Type—Displays whether the entry is dynamic or static. • Reason—If the interface is not active, displays the reason. The following reasons are possible: No Problem—Interface is active.
  • Page 476: ARP Inspection

    After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host. The following shows an example of ARP cache poisoning. ARP Cache Poisoning
  • Page 477: How ARP Inspection Prevents Cache Poisoning

    If the packet's IP address is not found in the ARP access control rules or in the DHCP Snooping Binding database, the packet is invalid and is dropped. A SYSLOG message is generated.
  • Page 478: Interaction Between ARP Inspection and DHCP Snooping

    Default settings: Dynamic ARP Inspection—Not enabled. ARP Packet Validation—Not enabled. ARP Inspection Enabled on VLAN—Not enabled. Log Buffer Interval—SYSLOG message generation for dropped packets is enabled at a 5 second interval.
  • Page 479: ARP Inspection Work Flow

    ...Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses. • Log Buffer Interval—Select one of the following options: Retry Frequency—Enable sending SYSLOG messages for dropped packets. Enter the frequency with which the messages are sent.
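The inspection decision described on pages 477 to 479, as an added example (not code from the Cisco guide or the switch). An ARP packet from an untrusted port on an inspected VLAN is forwarded only if its sender IP/MAC pair matches an ARP access control rule for that VLAN or a DHCP Snooping binding (the same binding database that IP Source Guard consults); otherwise it is dropped and a SYSLOG message would be generated. With ARP packet validation enabled, the sender MAC must match the frame's source MAC and the sender IP must not be one of the addresses listed as invalid above. Matching a binding on its port as well as on IP, MAC and VLAN is an assumption; the bindings, rules and packets are constructed.

```python
"""Dynamic ARP Inspection decision logic.

Added example, not code from the Cisco guide. An ARP packet arriving on an
untrusted port of an inspected VLAN is forwarded only if its sender IP/MAC pair
matches an ARP access control rule for that VLAN or an entry in the DHCP Snooping
binding table (the same table IP Source Guard consults); otherwise it is dropped
and a SYSLOG message would be generated. With packet validation enabled, the
sender MAC must equal the frame's source MAC and the sender IP must not be one
of the addresses the guide calls invalid (0.0.0.0, 255.255.255.255, multicast).
Matching a binding on its port as well as IP/MAC/VLAN is an assumption; the
bindings, rules and packets are constructed test data.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple


@dataclass
class Binding:            # one DHCP Snooping binding table entry
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class DaiConfig:
    inspected_vlans: Set[int]
    trusted_ports: Set[str] = field(default_factory=set)
    packet_validation: bool = False
    acl_rules: Dict[int, Set[Tuple[str, str]]] = field(default_factory=dict)   # vlan -> {(ip, mac)}
    bindings: List[Binding] = field(default_factory=list)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(payload: bytes) -> Tuple[str, str]:
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP")
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return _mac(sha), str(IPv4Address(spa))


def _invalid_sender_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect(cfg: DaiConfig, port: str, vlan: int, frame_src_mac: str, payload: bytes) -> Tuple[bool, str]:
    """Return (forward, reason) for one ARP packet received on port/vlan."""
    if vlan not in cfg.inspected_vlans or port in cfg.trusted_ports:
        return True, "not inspected"
    try:
        sha, spa = parse_arp(payload)
    except ValueError as e:
        return False, f"malformed: {e}"
    if cfg.packet_validation:
        if sha != frame_src_mac.lower():
            return False, "sender MAC differs from frame source MAC"
        if _invalid_sender_ip(spa):
            return False, f"invalid sender IP {spa}"
    if (spa, sha) in cfg.acl_rules.get(vlan, set()):
        return True, "matched ARP access control rule"
    if any(b.vlan == vlan and b.ip == spa and b.mac == sha and b.port == port for b in cfg.bindings):
        return True, "matched DHCP snooping binding"
    return False, f"no rule or binding for {spa}/{sha} on VLAN {vlan}: dropped, SYSLOG generated"


def build_arp(sender_mac: str, sender_ip: str, target_ip: str, op: int = 2) -> bytes:
    """Constructed ARP payload (op 2 = reply, the form used for cache poisoning)."""
    sha = bytes(int(x, 16) for x in sender_mac.split(":"))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                       IPv4Address(sender_ip).packed, b"\xff" * 6, IPv4Address(target_ip).packed)


def run_examples() -> Dict[str, bool]:
    cfg = DaiConfig(
        inspected_vlans={10},
        trusted_ports={"gi1/1"},                                          # uplink towards the router
        packet_validation=True,
        acl_rules={10: {("192.168.10.5", "00:11:22:33:44:55")}},           # statically addressed printer
        bindings=[Binding("192.168.10.20", "aa:bb:cc:dd:ee:01", 10, "gi1/2")],  # DHCP client
    )
    victim_mac, attacker_mac, router_mac = "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", "00:00:5e:00:01:01"
    return {
        "dhcp_client_reply": inspect(cfg, "gi1/2", 10, victim_mac, build_arp(victim_mac, "192.168.10.20", "192.168.10.1"))[0],
        # attacker answers for the gateway's IP with its own MAC: no rule, no binding
        "gateway_spoof": inspect(cfg, "gi1/3", 10, attacker_mac, build_arp(attacker_mac, "192.168.10.1", "192.168.10.20"))[0],
        # attacker copies the victim's real IP/MAC pair into ARP, but the frame source MAC gives it away
        "forged_pair": inspect(cfg, "gi1/3", 10, attacker_mac, build_arp(victim_mac, "192.168.10.20", "192.168.10.1"))[0],
        "static_rule": inspect(cfg, "gi1/4", 10, "00:11:22:33:44:55", build_arp("00:11:22:33:44:55", "192.168.10.5", "192.168.10.1"))[0],
        "trusted_uplink": inspect(cfg, "gi1/1", 10, router_mac, build_arp(router_mac, "192.168.10.1", "192.168.10.20"))[0],
        "broadcast_sender": inspect(cfg, "gi1/3", 10, attacker_mac, build_arp(attacker_mac, "255.255.255.255", "192.168.10.20"))[0],
    }


if __name__ == "__main__":
    for name, forwarded in run_examples().items():
        print(f"{name}: {'forward' if forwarded else 'drop'}")
```

Note the "forged_pair" case: without packet validation, an attacker who knows a victim's real IP/MAC pair can put it in the ARP body and pass the binding check, which is why the guide lists ARP Packet Validation as a separate option.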
  • Page 480: Defining Dynamic ARP Inspection Interface Settings

    STEP 2 To add an entry, click Add. STEP 3 Enter the fields: • ARP Access Control Name—Enter a user-created name. • IP Address—IP address of the packet. • MAC Address—MAC address of the packet.
  • Page 481: Defining ARP Inspection Access Control Rules

    STEP 3 To associate an ARP Access Control group with a VLAN, click Add. Select the VLAN number and select a previously-defined ARP Access Control group. STEP 4 Click Apply. The settings are defined, and the Running Configuration file is updated.
  • Page 482: First Hop Security

    Security: IPv6 First Hop Security
  • Page 483: Chapter 22: Security: 802.1X Authentication

    802.1X authentication restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1X authentication is a client-server model. In this model, network devices have the following specific roles: • Client or supplicant • Authenticator • Authentication server
  • Page 484 (Security > 802.1X/MAC/Web Authentication > Host and Session Authentication): • Single-host—Supports port-based authentication with a single client per port. • Multi-host—Supports port-based authentication with multiple clients per port. • Multi-sessions—Supports client-based authentication with multiple clients per port.
  • Page 485: Authentication Server

    ...(802.1X-Based, MAC-Based, and/or Web-Based) is enabled. When RADIUS accounting is enabled, you can log authentication attempts and gain visibility of who and what is connecting to your network with an audit trail.
  • Page 486: Authenticator Overview

    Port Host Modes: Ports can be placed in the following port host modes (configured in the Security > 802.1X/MAC/Web Authentication > Host and Session Authentication page): • Single-Host Mode
  • Page 487 This status is assigned to each client connected to the port. This mode requires a TCAM lookup. Since Layer 3 mode switches do not have a TCAM lookup allocated for...
  • Page 488: Multiple Authentication Methods

    Multiple methods can run at the same time. When one method finishes successfully, the client becomes authorized, the methods with lower priority are stopped, and the methods with higher priority continue. When one of the authentication methods running simultaneously fails, the other methods continue.
  • Page 489 ...(such as printers and IP phones) that do not have 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access.
  • Page 490 ...Quiet Time. When the session times out, the username/password is discarded, and the guest must re-enter them to open a new session.
  • Page 491 Table of web-based authentication (WBA) support by device and system mode; the support column did not survive extraction. Rows: Sx300—Layer 2, Layer 3; Sx500 and ESW2-550X—Layer 2, Layer 3; SG500X—Native, Basic Hybrid - Layer 2, Basic Hybrid - Layer 3.
  • Page 492 • The guest VLAN cannot be used as the Voice VLAN or an unauthenticated VLAN. See Guest VLAN and RADIUS-VLAN Assignment for a summary of the modes in which the guest VLAN is supported.
  • Page 493 ...Layer 2 system mode. The SG500X and SG500XG devices act like Sx500 devices when they are in basic and advanced hybrid stacking mode. For a device to be authenticated and authorized at a port which is DVA-enabled:
  • Page 494 Table of guest VLAN and RADIUS-VLAN assignment support per port mode, with columns for devices in Layer 3 mode and devices in Layer 2 mode (the cell values did not survive extraction). Legend: †—The port mode supports the guest VLAN and RADIUS-VLAN assignment. N/S—The port mode does not support the authentication method.
  • Page 495 A value of 0 specifies an unlimited number of login attempts. The duration of the quiet period and the maximum number of login attempts can be set in the Port Authentication page.
  • Page 496: Common Tasks

    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication. STEP 2 Select the required port and click Edit. STEP 3 Enter the fields required for the port. The fields in this page are described in 802.1X Port Authentication.
  • Page 497: Configuration Through the GUI

    802.1X Configuration Through the GUI. NOTE Web-based authentication is only supported in Layer 2 mode on Sx300 and SG500 devices. On SG500XG and SG500X devices, it is supported in Native and Advanced Hybrid XG mode.
  • Page 498 If the port state changes from Authorized to Not Authorized, the port is added to the guest VLAN only after the Guest VLAN timeout has expired. • Trap Settings—To enable traps, select one or more of the following options:
  • Page 499: 802.1X Port Authentication

    ...Force Authorized before making changes. When the configuration is complete, return the port control to its previous state. NOTE A port with 802.1X defined on it cannot become a member of a LAG.
  • Page 500 Selected—Enables using a guest VLAN for unauthorized ports. If a guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the Guest VLAN ID field in the 802.1X Port Authentication...
  • Page 501 NOTE If the port is not in Force-Authorized or Force-Unauthorized, it is in Auto Mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.
  • Page 502: Defining Host and Session Authentication

    The Host and Session Authentication page enables defining the mode in which 802.1X operates on the port and the action to perform if a violation has been detected.
  • Page 503 Trap Frequency—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled. STEP 4 Click Apply. The settings are written to the Running Configuration file.
  • Page 504: Viewing Authenticated Hosts

    ...Administrative Port Control is Force Unauthorized. • Remaining Time (Sec)—The time remaining for the port to be locked. STEP 2 Select a port. STEP 3 Click Unlock.
  • Page 505 STEP 4 Select Set as Default Display Language if this language is the default language. The default language pages are displayed if the end user does not select a language. STEP 5 Click Apply and the settings are saved to the Running Configuration file.
  • Page 506 The selected color is shown in the Text field. Header and Footer Background Color—Enter the ASCII code of the header and footer background color. The selected color is shown in the Text field.
  • Page 507 If so, the username and password must be included in the login page. • Username Textbox—Select for a username textbox to be displayed. • Username Textbox Label—Select the label to be displayed before the username textbox.
  • Page 508 STEP 11 The following fields are displayed: • Copyright—Select to enable displaying copyright text. • Copyright Text—Enter the copyright text. STEP 12 Click Apply and the settings are saved to the Running Configuration file.
  • Page 509: Defining Time Ranges

    To set the default language of the GUI interface as the default language for Web-based authentication, click Set Default Display Language. Defining Time Ranges: See Time Range for an explanation of this feature.
  • Page 510: Authentication Method and Port Mode Support

    NOTE Web-based authentication requires TCAM support for input traffic classification and can be supported only by the full multi-sessions mode. You can simulate the single-host mode by setting the Max Hosts parameter to 1 in the Port Authentication page.
  • Page 511 Table of frame handling per port mode (columns spilled during extraction). Recoverable cell values: "Frames are dropped"; "Frames are bridged based on the static VLAN configuration"; "Frames are dropped unless they belong to the unauthenticated VLANs"; a "multi-sessions" column.
  • Page 512 Continuation of the same table. Recoverable cell values: "Frames are bridged based on the static VLAN configuration unless they belong to the unauthenticated VLANs"; "Frames are bridged based on the RADIUS VLAN configuration unless they belong to the unauthenticated VLANs".
  • Page 513: Chapter 23: Security: Ipv6 First Hop Security

    • Attack Protection • Policies, Global Parameters and System Defaults • Common Tasks • Default Settings and Configuration • Default Settings and Configuration • Configuring IPv6 First Hop Security through Web GUI Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 514: Ipv6 First Hop Security Overview

    Name Description CPA message Certification Path Advertisement message CPS message Certification Path Solicitation message DAD-NS message Duplicate Address Detection Neighbor Solicitation message FCFS-SAVI First Come First Served - Source Address Validation Improvement Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 515 Defaults. IPv6 First Hop Security Pipe If IPv6 First Hop Security is enabled on a VLAN, the switch traps the following messages: • Router Advertisement (RA) messages • Router Solicitation (RS) messages Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 516 Trapped RS,CPS NS and NA messages are also passed to the ND Inspection feature. ND Inspection validates these messages, drops illegal messages, and passes legal messages to the IPv6 Source Guard feature. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 517 Security, and hosts and routers inside this perimeter are trusted devices. For example, in Figure 9 Switch B and Switch C are inner links inside the protected area. Figure 9 IPv6 First Hop Security Perimeter Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 518: Router Advertisement Guard

    If a message does not pass verification, it is dropped. If the logging packet drop configuration on the FHS common component is enabled, a rate limited SYSLOG message is sent. Neighbor Discovery Inspection Neighbor Discovery (ND) Inspection supports the following functions: Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 519: Dhcpv6 Guard

    DHCPv6 Guard policy attached to the interface. If a message does not pass verification, it is dropped. If the logging packet drop configuration on the FHS common component is enabled, a rate limited SYSLOG message is sent. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 520: Neighbor Binding Integrity

    If a message does not pass this verification, it is dropped and a rate limited SYSLOG message is sent. Neighbor Binding Table Overflow When there is no free space to create a new entry, no entry is created and a SYSLOG message is sent. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 521 NDP message, the switch binds the address to the interface. Subsequent NDP messages containing this IPV6 address can be checked against the same binding anchor to confirm that the originator owns the source IP address. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 522 In the same way that other IPv6 First Hop Security features function, NB Integrity behavior on an interface is specified by an NB Integrity policy attached to an interface. These policies are configured in the Neighbor Binding Settings page. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 523: IPv6 Source Guard

    The Neighbor Binding table contains the IPv6 address, but it is bound to another interface. IPv6 Source Guard initiates the Neighbor Recovery process by sending DAD_NS messages for the unknown source IPv6 addresses.
  • Page 524: Attack Protection

    NS message (Duplicate Address Detection Neighbor Solicitation (DAD_NS) message). A malicious host could send a reply to a DAD_NS message advertising itself as an IPv6 host having the given IPv6 address.
  • Page 525: Policies, Global Parameters and System Defaults

    INCOMPLETE state in the Neighbor Discovery cache. This provides protection against the table being flooded by hackers.
    Policies, Global Parameters and System Defaults
    Each feature of FHS can be enabled or disabled individually. No feature is enabled by default.
  • Page 526 You can only attach 1 policy (for a specific feature) to a VLAN. You can attach multiple policies (for a specific feature) to an interface if they specify different VLANs.
  • Page 527: Common Tasks

    STEP 2 In this same page, set the global configuration values that are used if no values are set in a policy.
    STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
  • Page 528 STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature. STEP 4 Add any manual entries required in the Neighbor Binding Table page.
  • Page 529: Default Settings and Configuration

    ICMPv6 Redirect messages
    • Certification Path Advertisement (CPA) messages
    • Certification Path Solicitation (CPS) messages
    • DHCPv6 messages
    The FHS features are disabled by default.
    Before You Start
    No preliminary tasks are required.
  • Page 530: Configuring IPv6 First Hop Security Through Web GUI

    First Hop Security. To attach this policy to an interface:
    • Attach Policy to VLAN—Click to jump to the Policy Attachment (VLAN) page where you can attach this policy to a VLAN.
  • Page 531 Maximal Hop Limit—This field indicates whether the RA Guard policy will check the maximum hop limit of the packet received. No Verification—Disables verification of the high boundary of the hop-count limit.
  • Page 532 Preference value. The following values are acceptable: low, medium and high (see RFC 4191). • Maximal Router Preference—This field indicates whether the RA Guard policy will verify the maximum advertised Default Router Preference value in RA messages within an RA Guard policy.
  • Page 533 STEP 1 Click Security > IPv6 First Hop Security > DHCPv6 Guard Settings. STEP 2 Enter the following global configuration fields: • DHCPv6 Guard VLAN List—Enter one or more VLANs on which DHCPv6 Guard is enabled.
  • Page 534 Match Reply Prefixes—Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy. Inherited—Value is inherited from either the VLAN or system default (no verification).
  • Page 535 STEP 1 Click Security > IPv6 First Hop Security > ND Inspection Settings. STEP 2 Enter the following global configuration fields: • ND Inspection VLAN List—Enter one or more VLANs on which ND Inspection is enabled.
  • Page 536 Router—Role of device is router. • Drop Unsecure—See above. • Minimal Security Level—See above. • Validate Source MAC—See above. STEP 5 Click Apply to add the settings to the Running Configuration file.
  • Page 537 Global Address Binding Configuration: • Binding from NDP Messages—To change the global configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy, select one of the following options:
  • Page 538 Neighbor Binding Logging—Select one of the following options to specify logging: Inherited—Logging option is the same as the global value. Enable—Enable logging of Binding table main events. Disable—Disable logging of Binding table main events.
  • Page 539 STEP 5 Click Apply to add the settings to the Running Configuration file. To attach this policy to an interface: • Attach Policy to VLAN—Click to jump to the Policy Attachment (VLAN) page where you can attach this policy to a VLAN.
  • Page 540 Policy Attachment (VLAN) page where you can attach this policy to a VLAN. • Attach Policy to Interface—Click to jump to the Policy Attachment (Port) page where you can attach this policy to a port.
  • Page 541 VLAN List—Select the VLANs to which the policy is attached. Select All VLANs or enter a range of VLANs. STEP 3 Click Apply to add the settings to the Running Configuration file.
  • Page 542 Expiry Time (Sec.)—Remaining time in seconds until the entry is removed, if it is not confirmed. • TCAM Overflow—Entries marked as No have not been added to the TCAM because of TCAM overflow.
  • Page 543 STEP 1 Click Security > IPv6 First Hop Security > FHS Status. STEP 2 Select a port, LAG or VLAN for which the FHS state is reported. STEP 3 The following fields are displayed for the selected interface: • FHS Status
  • Page 544 Match Reply Prefixes—Whether verification of DHCP reply prefixes is enabled. Match Server Address—Whether verification of DHCP server addresses is enabled. Minimal Preference—Whether verification of the minimal preference is enabled. Maximal Preference—Whether verification of the maximum preference is enabled. • ND Inspection Status
  • Page 545 IPv6 Source Guard Status: IPv6 Source Guard State on Current VLAN—Whether IPv6 Source Guard is enabled on the current VLAN. Port Trust—Whether the port is trusted and how it received its trusted status.
  • Page 546 DHCPv6 Messages—The number of received and dropped messages is displayed for the following types of DHCPv6 messages: ADV—Advertise messages; REP—Reply messages; REC—Reconfigure messages; REL-REP—Relay reply messages; LEAS-REP—Lease query reply messages; RLS—Released messages
  • Page 547 The following fields are displayed in the FHS Dropped Message Table: • Feature—Type of message dropped (DHCPv6 Guard, RA Guard and so on). • Count—Number of messages dropped. • Reason—Reason that the messages were dropped.
  • Page 548: Chapter 24: Security: SSH Client

    SCP server to a device. With respect to SSH, the SCP running on the device is an SSH client application and the SCP server is an SSH server application.
  • Page 549: Protection Methods

    SSH server. This is not done through the device’s management system, although, after a username has been established on the server, the server password can be changed through the device’s management system.
  • Page 550 SSH server. To facilitate this process, an additional feature enables secure transfer of the encrypted private key to all switches in the system.
  • Page 551: SSH Server Authentication

    If no matching IP address/host name is found, the search is completed and authentication fails. • If the entry for the SSH server is not found in the list of trusted servers, the process fails.
  • Page 552: SSH Client Authentication

    The following algorithms are supported on the client side:
    • Key Exchange Algorithm: diffie-hellman
    • Encryption Algorithms: aes128-cbc, 3des-cbc, arcfour, aes192-cbc, aes256-cbc
    • Message Authentication Code Algorithms: hmac-sha1, hmac-md5
    NOTE Compression algorithms are not supported.
  • Page 553: Before You Begin

    SSH User Authentication page can be used. STEP 3 Set up a username/password on the SSH server or modify the password on the SSH server. This activity depends on the server and is not described here.
  • Page 554: SSH Client Configuration Through the GUI

    STEP 1 Identify the server in the Change User Password on SSH Server page. STEP 2 Enter the new password. STEP 3 Click Apply.
    SSH Client Configuration Through the GUI
    This section describes the pages used to configure the SSH Client feature.
  • Page 555 Key Source—Auto Generated or User Defined. • Fingerprint—Fingerprint generated from the key. STEP 6 To handle an RSA or DSA key, select either RSA or DSA and perform one of the following actions:
  • Page 556 IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address. • IP Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:
  • Page 557 Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
  • Page 558 Old Password—This must match the password on the server. • New Password—Enter the new password and confirm it in the Confirm Password field. STEP 3 Click Apply. The password on the SSH server is modified.
  • Page 559: Chapter 25: Security: SSH Server

    SSH server application, such as PuTTY. The public keys are entered in the device. The users can then open an SSH session on the device through the external SSH server application.
  • Page 560: Common Tasks

    STEP 3 Log on to device B and open the SSH Server Authentication page. Select either the RSA or DSA key, click Edit and paste in the key from device A.
  • Page 561: SSH Server Configuration Pages

    STEP 1
    STEP 2 Select the following fields: • SSH User Authentication by Password—Select to perform authentication of the SSH client user using the username/password configured in the local database (see Defining Users).
  • Page 562 Each key is also automatically created when the appropriate user-configured key is deleted by the user. To regenerate an RSA or DSA key or to copy in an RSA/DSA key generated on another device:
  • Page 563 If the key is already being displayed as plaintext, you can click Display Sensitive Data as Encrypted to display the text in encrypted form.
  • Page 564: Chapter 26: Security: Secure Sensitive Data Management

    SSD provides users with the flexibility to configure the desired level of protection on their sensitive data: no protection with sensitive data in plaintext, minimum protection with encryption based on the default passphrase, and better protection with encryption based on a user-defined passphrase.
  • Page 565: SSD Management

    A device comes with a set of default SSD rules. An administrator can add, delete, and change SSD rules as desired.
  • Page 566 User Type will be applied). Specific—The rule applies to a specific user. Default User (cisco)—The rule applies to the default user (cisco). Level 15—The rule applies to users with privilege level 15. All—The rule applies to all users.
  • Page 567 Plaintext Only: *Plaintext. Both: *Plaintext, Encrypted. * The Read mode of a session can be temporarily changed in the SSD Properties page if the new read mode does not violate the read permission.
  • Page 568 SSD rules. A device depends on its user authentication process to authenticate and authorize management access. To protect a device and its data including sensitive data and SSD configurations from unauthorized access, it
  • Page 569 SNMP: Secure: Encrypted Only, Encrypted; Insecure: Encrypted Only, Encrypted. The default rules can be modified, but they cannot be deleted. If the SSD default rules have been changed, they can be restored.
  • Page 570: SSD Properties

    A passphrase must comply with the following rules: • Length—Between 8 and 16 characters.
  • Page 571: Local Passphrase

    File passphrase control provides additional protection for a user-defined passphrase, and for the sensitive data that is encrypted with the key generated from the user-defined passphrase, in text-based configuration files. The following are the existing passphrase control modes:
  • Page 572: Configuration File Integrity Control

    Otherwise, the file is accepted for further processing. A device checks the integrity of a text-based configuration file when the file is downloaded or copied to the Startup Configuration file.
  • Page 573: Configuration Files

    • The SSD indicator is used to enforce SSD read permissions on text-based configuration files, but is ignored when copying the configuration files to the Running or Startup Configuration file.
  • Page 574: SSD Control Block

    SSD control block.
  • Page 575: Running Configuration File

    If the passphrase is encrypted, it is ignored. • When directly configuring the passphrase (not by file copy) in the Running Configuration, the passphrase in the command must be entered in plaintext. Otherwise, the command is rejected.
  • Page 576: Backup and Mirror Configuration File

    The user should not manually change the file SSD indicator so that it conflicts with the sensitive data, if any, in the file. Otherwise, plaintext sensitive data may be unexpectedly exposed.
  • Page 577 This is zero touch because the target devices learn the passphrase directly from the configuration file. NOTE Devices that are out-of-the-box or in factory default states use the default anonymous user to access the SCP server.
  • Page 578: SSD Management Channels

    The Menu CLI interface is only allowed to users if their read permissions are Both or Plaintext Only. Other users are rejected. Sensitive data in the Menu CLI is always displayed as plaintext.
  • Page 579: Configuring SSD

    STEP 4 Click Apply. The settings are saved to the Running Configuration file. To change the local passphrase: STEP 1 Click Change Local Passphrase, and enter a new Local Passphrase: • Default—Use the device’s default passphrase.
  • Page 580 Specific User—Select and enter the specific user name to which this rule applies (this user does not necessarily have to be defined). Default User (cisco)—Indicates that this rule applies to the default user. Level 15—Indicates that this rule applies to all users with privilege level 15. All—Indicates that this rule applies to all users.
  • Page 581 STEP 3 Click Apply. The settings are saved to the Running Configuration file. STEP 4 The following actions can be performed on selected rules: • Add, Edit or Delete rules • Restore to Default—Restore a user-modified default rule to the default rule.
  • Page 582: Chapter 27: Access Control

    Either a DENY or PERMIT action is applied to frames whose contents match the filter. The device supports a maximum of 512 ACLs, and a maximum of 512 ACEs.
  • Page 583 If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL. In advanced QoS, these frames can be referred to using this Flow name, and QoS can be applied to these frames.
  • Page 584: ACL Logging

    IGMP type. • For layer 4 packets the SYSLOG includes the information (if applicable): source port, destination port, and TCP flag. The following are examples of possible SYSLOGs: • For a non-IP packet:
  • Page 585: Configuring ACLs

    ACL Binding page. 2. If the ACL is part of the class map and not bound to an interface, then it can be modified.
  • Page 586: MAC-Based ACLs

    ACE, 2 TCAM rules are allocated and the second TCAM rule is allocated to the next ACE, and so forth. To add rules (ACEs) to an ACL:
  • Page 587 1's). You need to translate the 1's to a decimal integer and write 0 for each four zeros. In this example, since 1111 1111 = 255, the mask would be written as 0.0.0.255.
  • Page 588: IPv4-Based ACLs

    NOTE ACLs are also used as the building elements of flow definitions for per-flow QoS handling. The IPv4 Based ACL page enables adding ACLs to the system. The rules are defined in the IPv4 Based ACE page.
  • Page 589 • Action—Select the action assigned to the packet matching the ACE. The options are as follows: Permit—Forward packets that meet the ACE criteria. Deny—Drop packets that meet the ACE criteria.
  • Page 590 —Matches packets belonging to the IPv6 over IPv4 route through a gateway. IPV6:FRAG—Matches packets belonging to the IPv6 over IPv4 Fragment Header. IDRP—Inter-Domain Routing Protocol. RSVP—ReSerVation Protocol. —Authentication Header. IPV6:ICMP—Internet Control Message Protocol.
  • Page 591 Any—Match to all source ports. Single from list—Select a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down menu.
  • Page 592 ICMP Code—The ICMP messages can have a code field that indicates how to handle the message. Select one of the following options to configure whether to filter on this code: Any—Accept all codes. User Defined—Enter an ICMP code for filtering purposes.
  • Page 593: IPv6-Based ACLs

    STEP 3 case-sensitive. STEP 4 Click Apply. The IPv6-based ACL is saved to the Running Configuration file.
    Adding Rules (ACEs) for an IPv6-Based ACL
    NOTE Each IPv6-based rule consumes two TCAM rules.
  • Page 594 UDP—User Datagram Protocol. Transmits packets but does not guarantee their delivery. ICMP—Matches packets to the Internet Control Message Protocol (ICMP).
  • Page 595 Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security. Set—Match if the flag is SET. Unset—Match if the flag is Not SET. Don't care—Ignore the TCP flag.
  • Page 596: ACL Binding

    ACL. To bind an ACL to a VLAN: STEP 1 Click Access Control > ACL Binding (VLAN). STEP 2 Select a VLAN and click Edit.
  • Page 597 • Default Action—Action of the ACL’s rules (drop any/permit any). NOTE To unbind all ACLs from an interface, select the interface, and click Clear. STEP 4 Select an interface, and click Edit.
  • Page 598 STEP 6 Click Apply. The ACL binding is modified, and the Running Configuration file is updated. NOTE If no ACL is selected, the ACL(s) previously bound to the interface are unbound.
  • Page 599 Access Control ACL Binding
  • Page 600: Chapter 28: Quality of Service

    This section covers the following topics: • QoS Features and Components • Configuring QoS - General • QoS Basic Mode • QoS Advanced Mode • Managing QoS Statistics
  • Page 601: QoS Features and Components

    CoS/802.1p to Queue page or the DSCP to Queue page (depending on whether the trust mode is CoS/802.1p or DSCP, respectively).
  • Page 602: QoS Modes

    ACLs bound directly to interfaces remain bound. • When changing from QoS Basic mode to Advanced mode, the QoS Trust mode configuration in Basic mode is not retained.
  • Page 603: QoS Workflow

    STEP 8 Configure the selected mode by performing one of the following: a. Configure Basic mode, as described in Workflow to Configure Basic QoS Mode. b. Configure Advanced mode, as described in Workflow to Configure Advanced QoS Mode.
  • Page 604: Configuring QoS - General

    STEP 1 Enter the parameters. • Interface—Select the port or LAG. • Default CoS—Select the default CoS (Class-of-Service) value to be assigned to incoming packets (that do not have a VLAN tag).
  • Page 605: Configuring QoS Queues

    WRR queues. Only after the strict priority queues have been emptied is traffic from the WRR queues forwarded. (The relative portion from each WRR queue depends on its weight.)
  • Page 606 —Displays the amount of bandwidth assigned to the queue. These values represent the percent of the WRR weight. STEP 3 Click Apply. The queues are configured, and the Running Configuration file is updated.
  • Page 607 Queue priority table (columns: Queue, 8 queues 1-8 where 8 is the highest priority; Values, 0-7 where 7 is the highest; Notes, 8 is the highest priority and is used for stack control traffic; rows: Stack, Standalone, Background).
  • Page 608
    STEP 1
    STEP 2 Enter the parameters. • 802.1p—Displays the 802.1p priority tag values to be assigned to an egress queue, where 0 is the lowest and 7 is the highest priority.
  • Page 609: Mapping DSCP to Queue

    The device is in QoS Basic mode and DSCP is the trusted mode, or • The device is in QoS Advanced mode and the packets belong to flows that are DSCP trusted. Non-IP packets are always classified to the best-effort queue.
  • Page 610 The following tables describe the default DSCP to queue mapping for an 8-queue system where 7 is highest and 8 is used for stack control purposes. DSCP to Queue mapping table (columns: DSCP, Queue).
  • Page 611 Quality of Service, Configuring QoS - General: DSCP to Queue mapping table, continued (columns: DSCP, Queue).
  • Page 612 STEP 2 Select the Output Queue (traffic forwarding queue) to which the DSCP value is mapped. STEP 3 Select Restore Defaults to restore the factory CoS default setting for this interface.
  • Page 613: Configuring Bandwidth

    The % column is the ingress rate limit for the port divided by the total port bandwidth. STEP 2 Select an interface, and click Edit. STEP 3 Select the Port or LAG interface. 500 series switches also have an option to select Unit/Port. STEP 4 Enter the fields for the selected interface: •...
  • Page 614: Configuring Egress Shaping Per Queue

    The Egress Shaping Per Queue page displays the rate limit and burst size for each queue. STEP 2 Select an interface type (Port or LAG), and click Go. STEP 3 Select a Port/LAG, and click Edit.
  • Page 615 48 ports or more have two packet processors. Rate limiting is calculated separately for each packet processor in a unit and for each unit in a stack.
  • Page 616: TCP Congestion Avoidance

    To configure TCP congestion avoidance: STEP 1 Click Quality of Service > General > TCP Congestion Avoidance. STEP 2 Click Enable to enable TCP congestion avoidance, and click Apply.
  • Page 617: QoS Basic Mode

    STEP 2 Select the Trust Mode while the device is in Basic mode. If a packet’s CoS level and DSCP tag are mapped to separate queues, the Trust mode determines the queue to which the packet is assigned:
  • Page 618: Interface QoS Settings

    QoS State of the Port is Enabled—The port prioritizes traffic on ingress based on the system-wide configured trusted mode, which is either CoS/802.1p trusted mode or DSCP trusted mode.
  • Page 619: QoS Advanced Mode

    QoS specification. An aggregate policer applies the QoS to one or more class maps, and thus one or more flows. An aggregate policer can support class maps from different policies.
  • Page 620: Workflow to Configure Advanced QoS Mode

    Mapping page. This in turn opens the DSCP Remarking page. 2. Create ACLs, as described in Create ACL Workflow. 3. If ACLs were defined, create class maps and associate the ACLs with them by using the Class Mapping page.
  • Page 621 Default Mode Status field. This provides basic QoS functionality in Advanced QoS, so that you can trust CoS/DSCP in Advanced QoS by default (without having to create a policy).
  • Page 622 DSCP value used in the other domain to identify the same type of traffic. These settings are active when the system is in QoS basic mode, and once activated they are active globally.
  • Page 623: Defining Class Mapping

    (see Configuring a Policy). The Class Mapping page shows the list of defined class maps and the ACLs comprising each, and enables you to add/delete class maps.
  • Page 624: QoS Policers

    You can measure the rate of traffic that matches a pre-defined set of rules, and enforce limits, such as limiting the rate of file-transfer traffic that is allowed on a port.
  • Page 625 Assigning a policer to a class map is done when a class map is added to a policy. If the policer is an aggregate policer, you must create it using the Aggregate Policer page.
  • Page 626: Defining Aggregate Policers

    Out of Profile DSCP—The DSCP values of packets exceeding the defined CIR value are remapped to a value based on the Out Of Profile DSCP Mapping Table. STEP 4 Click Apply. The Running Configuration file is updated.
  • Page 627: Configuring a Policy

    STEP 1 Click Quality of Service > QoS Advanced Mode > Policy Class Maps. STEP 2 Select a policy in the Filter, and click Go. All class maps in that policy are displayed.
  • Page 628 Aggregate—The policer for the policy is an aggregate policer. • Aggregate Policer—Available in Layer 2 system mode only. If Police Type is Aggregate, select a previously-defined (in the Aggregate Policer page) aggregate policer.
  • Page 629: Policy Binding

    STEP 1 Click Quality of Service > QoS Advanced Mode > Policy Binding. STEP 2 Select a Policy Name and Interface Type if required. STEP 3 Click Go. The policy is selected. STEP 4 Select the following for the policy/interface:
  • Page 630: Managing QoS Statistics

    NOTE This page is not displayed when the device is in Layer 3 mode.
  • Page 631 In-Profile Bytes—Number of in-profile packets that were received. • Out-of-Profile Bytes—Number of out-of-profile packets that were received. STEP 2 Click Add. STEP 3 Select an Aggregate Policer Name, one of the previously-created Aggregate Policers for which statistics are displayed.
  • Page 632: Viewing Queues Statistics

    Drop Precedence—Lowest drop precedence has the lowest probability of being dropped. • Total Packets—Number of packets forwarded or tail dropped. • Tail Drop Packets—Percentage of packets that were tail dropped. STEP 2 Click Add.
  • Page 633 Queue—Select the queue for which statistics are displayed. • Drop Precedence—Enter the drop precedence that indicates the probability of being dropped. STEP 4 Click Apply. The Queue Statistics counter is added, and the Running Configuration file is updated.
  • Page 634: Chapter 29: SNMP

    SNMP Versions and Workflow
    The device functions as an SNMP agent and supports SNMPv1, v2, and v3. It also reports system events to trap receivers using the traps defined in the supported MIBs (Management Information Base).
  • Page 635: Snmpv1 And V2

    SNMP Workflow For security reasons, SNMP is disabled by default. Before you can NOTE manage the device via SNMP, you must turn on SNMP on the Security >TCP/ UDP Services page. Cisco 500 Series Stackable Managed Switch Administration Guide...
  • Page 636 STEP 4 Define users by using the SNMP Users page, where they can be associated with a group. If the SNMP Engine ID is not set, then users may not be created.
  • Page 637: Supported MIBs

    Model / Description / Object ID:
    (model cut off at page boundary) / 52-Port Gigabit Stackable Managed Switch / 9.6.1.81.52.1
    SG500-52P / 52-Port Gigabit PoE Stackable Managed Switch / 9.6.1.81.52.2
    SG500X-24 / 24-Port Gigabit with 4-Port 10-Gigabit Stackable Managed Switch / 9.6.1.85.24.1
    SG500X 24P / 24-Port Gigabit with 4-Port 10-Gigabit PoE Stackable Managed Switch / 9.6.1.85.24.2
  • Page 638: SNMP Engine ID

    ID. Local information is stored in four MIB variables that are read-only (snmpEngineId, snmpEngineBoots, snmpEngineTime, and snmpEngineMaxMessageSize). CAUTION When the engine ID is changed, all configured users and groups are erased.
  • Page 639 If a link local address exists on the interface, this entry replaces the address in the configuration. Global—The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
  • Page 640: Configuring SNMP Views

    Down arrow to descend to the level of the selected node's children. Click nodes in the view to pass from one node to its sibling. Use the scrollbar to bring siblings into view.
  • Page 641: Creating SNMP Groups

    This is done for each frame. • Privacy—SNMP frames can carry encrypted data. Thus, in SNMPv3, there are three levels of security: • No security (No authentication and no privacy)
  • Page 642 Privacy security levels are assigned to the group. • Authentication and No Privacy—Authenticates SNMP messages, and ensures the SNMP message origin is authenticated, but does not encrypt them. • Authentication and Privacy—Authenticates SNMP messages, and encrypts them.
  • Page 643: Managing SNMP Users

    • An engine ID must first be configured on the device. This is done in the Engine ID page. • An SNMPv3 group must be available. An SNMPv3 group is defined in the Groups page.
  • Page 644 None—No user authentication is used. MD5—A password that is used for generating a key by the MD5 authentication method. SHA—A password that is used for generating a key by the SHA (Secure Hash Algorithm) authentication method.
  • Page 645: Defining SNMP Communities

    Advanced Mode—The access rights of a community are defined by a group (defined in the Groups page). You can configure the group with a specific security model. The access rights of a group are Read, Write, and Notify.
  • Page 646 By default, it applies to the entire MIB. If this is selected, enter the following fields: Access Mode—Select the access rights of the community. The options are: Read Only—Management access is restricted to read-only. Changes cannot be made to the community.
  • Page 647: Defining Trap Settings

    STEP 2 Select Enable for SNMP Notifications to specify that the device can send SNMP notifications. STEP 3 Select Enable for Authentication Notifications to enable SNMP authentication failure notification. STEP 4 Click Apply. The SNMP Trap settings are written to the Running Configuration file.
  • Page 648: Notification Recipients

    STEP 2 Enter the following fields: • Informs IPv4 Source Interface—Select the source interface whose IPv4 address will be used as the source IPv4 address in inform messages for communication with IPv4 SNMP servers.
  • Page 649 • UDP Port—Enter the UDP port used for notifications on the recipient device. • Notification Type—Select whether to send Traps or Informs. If both are required, two recipients must be created. • Timeout—Enter the number of seconds the device waits before re-sending informs.
  • Page 650: Defining SNMPv3 Notification Recipients

    IPv4 SNMP servers. • Traps IPv6 Source Interface—Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers.
  • Page 651 In order to receive notifications, this user must be defined on the SNMP User page, and its engine ID must be remote. • Security Level—Select how much authentication is applied to the packet.
  • Page 652: SNMP Notification Filters

    Notification Recipients SNMPv3 page. The notification filter enables filtering the type of SNMP notifications that are sent to the management station, based on the OID of the notification to be sent.
  • Page 653 STEP 4 Select or deselect Include in filter. If this is selected, the selected MIBs are included in the filter; otherwise they are excluded. STEP 5 Click Apply. The SNMP views are defined and the running configuration is updated.