LevelOne GEL-5261 User Manual


GEL-5261
52-Port L2 Managed Gigabit Switch

User Manual

V1.0
Digital Data Communications Asia Co., Ltd.
http://www.level1.com

Summary of Contents for LevelOne GEL-5261

  • Page 1: User Manual

    GEL-5261 52-Port L2 Managed Gigabit Switch User Manual V1.0 Digital Data Communications Asia Co., Ltd. http://www.level1.com...
  • Page 2 User Manual GEL-5261 L2 Managed Gigabit Ethernet Switch with 48 10/100/1000BASE-T (RJ-45) Ports and 4 Gigabit SFP Ports E062017/ST-R01...
  • Page 3: How To Use This Guide

    How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
  • Page 4 How to Use This Guide For information on how to install the switch, see the following guide: Quick Start Guide For all safety information and regulatory statements, see the following documents: Quick Start Guide Safety and Regulatory Information Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions.
  • Page 5: Table Of Contents

    Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Introduction Key Features Description of Software Features Address Resolution Protocol System Defaults Section II Web Configuration 2 Using the Web Interface Connecting to the Web Interface Navigating the Web Browser Interface Dashboard Configuration Options...
  • Page 6 Contents Managing System Files Copying Files via FTP/SFTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting the Start-up File Showing System Files Automatic Operation Code Upgrade Setting the System Clock Setting the Time Manually Setting the SNTP Polling Interval Configuring NTP Configuring Time Servers Setting the Time Zone...
  • Page 7 Displaying LACP Settings and Status for the Remote Side Configuring Load Balancing Contents Saving Power Configuring Local Port Mirroring Configuring Remote Port Mirroring Sampling Traffic Flows Configuring sFlow Receiver Settings Configuring an sFlow Polling Instance Traffic Segmentation Enabling Traffic Segmentation Configuring Uplink and Downlink Ports 5 VLAN Configuration IEEE 802.1Q VLANs...
  • Page 8 Contents Configuring Global Settings for STA Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP 8 Congestion Control Rate Limiting Storm Control 9 Class of Service Layer 2 Queue Settings Setting the Default Priority for Interfaces Selecting the Queue Mode...
  • Page 9 Configuring AAA Authorization Configuring User Accounts Contents Web Authentication Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports Configuring a MAC Address Filter Displaying Secure MAC Address Information Configuring HTTPS Configuring Global Settings for HTTPS...
  • Page 10 Contents DHCP Snooping DHCP Snooping Global Configuration DHCP Snooping VLAN Configuration Configuring Ports for DHCP Snooping Displaying DHCP Snooping Binding Information IPv4 Source Guard Configuring Ports for IPv4 Source Guard Configuring Static Bindings for IPv4 Source Guard Displaying Information for Dynamic IPv4 Source Guard Bindings ARP Inspection Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection...
  • Page 11 Configuring Local SNMPv3 Users Configuring Remote SNMPv3 Users Contents Specifying Trap Managers Creating SNMP Notification Logs Showing SNMP Statistics Remote Monitoring Configuring RMON Alarms Configuring RMON Events Configuring RMON History Samples Configuring RMON Statistical Samples Switch Clustering Configuring General Settings for Clusters Cluster Member Configuration Managing Cluster Members Setting a Time Range...
  • Page 12 Contents Configuring IGMP Filter Profiles Configuring IGMP Filtering and Throttling for Interfaces MLD Snooping (Snooping and Query for IPv6) Configuring MLD Snooping and Query Parameters Setting Immediate Leave Status for MLD Snooping per Interface Specifying Static Interfaces for an IPv6 Multicast Router Assigning Interfaces to IPv6 Multicast Services Showing MLD Snooping Groups and Source List Displaying MLD Snooping Statistics...
  • Page 13 Contents 17 General IP Routing Overview Initial Configuration IP Routing and Switching Routing Path Management Routing Protocols Configuring Static Routes Displaying the Routing Table 18 IP Services Domain Name Service Configuring General DNS Service Parameters Configuring a List of Domain Names Configuring a List of Name Servers Configuring Static DNS Host to Address Entries Displaying the DNS Cache...
  • Page 14 Contents Glossary Index – 14 –...
  • Page 15: Figures

    Figures Figure 1: Dashboard Figure 2: System Information Figure 3: General Switch Information Figure 4: Configuring Support for Jumbo Frames Figure 5: Displaying Bridge Extension Configuration Figure 6: Copy Firmware Figure 7: Saving the Running Configuration Figure 8: Setting Start-Up Files Figure 9: Displaying System Files Figure 10: Configuring Automatic Code Upgrade Figure 11: Manually Setting the System Clock...
  • Page 16 Figures Figure 30: Configuring Connections by Port List Figure 31: Configuring Connections by Port Range Figure 32: Displaying Port Information Figure 33: Showing Port Statistics (Table) Figure 34: Showing Port Statistics (Chart) Figure 35: Configuring a History Sample Figure 36: Showing Entries for History Sampling Figure 37: Showing Status of Statistical History Sample Figure 38: Showing Current Statistics for a History Sample Figure 39: Showing Ingress Statistics for a History Sample...
  • Page 17 Figures Figure 65: Configuring Remote Port Mirroring (Intermediate) Figure 66: Configuring Remote Port Mirroring (Destination) Figure 67: Configuring an sFlow Receiver Figure 68: Showing sFlow Receivers Figure 69: Configuring an sFlow Instance Figure 70: Showing sFlow Instances Figure 71: Enabling Traffic Segmentation Figure 72: Configuring Members for Traffic Segmentation Figure 73: Showing Traffic Segmentation Members Figure 74: VLAN Compliant and VLAN Non-compliant Devices...
  • Page 18 Figures Figure 100: STP Root Ports and Designated Ports Figure 101: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree Figure 102: Spanning Tree – Common Internal, Common, Internal Figure 103: Configuring Port Loopback Detection Figure 104: Configuring Global Settings for STA (STP) Figure 105: Configuring Global Settings for STA (RSTP) Figure 106: Configuring Global Settings for STA (MSTP) Figure 107: Displaying Global Settings for STA...
  • Page 19 Figures Figure 135: Adding Rules to a Policy Map Figure 136: Showing the Rules for a Policy Map Figure 137: Attaching a Policy Map to a Port Figure 138: Configuring a Voice VLAN Figure 139: Configuring an OUI Telephony List Figure 140: Showing an OUI Telephony List Figure 141: Configuring Port Settings for a Voice VLAN Figure 142: Configuring the Authentication Sequence...
  • Page 20 Figures Figure 170: Downloading the Secure-Site Certificate Figure 171: Configuring the SSH Server Figure 172: Generating the SSH Host Key Pair Figure 173: Showing the SSH Host Key Pair Figure 174: Copying the SSH User’s Public Key Figure 175: Showing the SSH User’s Public Key Figure 176: Showing TCAM Utilization Figure 177: Creating an ACL Figure 178: Showing a List of ACLs...
  • Page 21 Figures Figure 205: Configuring Interface Settings for ARP Inspection Figure 206: Displaying Statistics for ARP Inspection Figure 207: Displaying the ARP Inspection Log Figure 208: Configuring Settings for System Memory Logs Figure 209: Showing Error Messages Logged to System Memory Figure 210: Configuring Settings for Remote Logging of Error Messages Figure 211: Configuring SMTP Alert Messages Figure 212: Configuring LLDP Timing Attributes...
  • Page 22 Figures Figure 240: Showing Remote SNMPv3 Users Figure 241: Configuring Trap Managers (SNMPv1) Figure 242: Configuring Trap Managers (SNMPv2c) Figure 243: Configuring Trap Managers (SNMPv3) Figure 244: Showing Trap Managers Figure 245: Creating SNMP Notification Logs Figure 246: Showing SNMP Notification Logs Figure 247: Showing SNMP Statistics Figure 248: Configuring an RMON Alarm Figure 249: Showing Configured RMON Alarms...
  • Page 23 Figures Figure 275: Showing Configured ERPS Rings Figure 276: Blocking an ERPS Ring Port Figure 277: Configuring Global Settings for LBD Figure 278: Configuring Interface Settings for LBD Figure 279: Multicast Filtering Concept Figure 280: Configuring General Settings for IGMP Snooping Figure 281: Configuring a Static Interface for a Multicast Router Figure 282: Showing Static Interfaces Attached a Multicast Router Figure 283: Showing Current Interfaces Attached a Multicast Router...
  • Page 24 Figures Figure 310: Displaying MLD Snooping Statistics – Query Figure 311: Displaying MLD Snooping Statistics – Summary (Port/Trunk) Figure 312: Displaying MLD Snooping Statistics – Summary (VLAN) Figure 313: Clearing MLD Snooping Statistics Figure 314: Enabling MLD Filtering and Throttling Figure 315: Creating an MLD Filtering Profile Figure 316: Showing the MLD Filtering Profiles Created Figure 317: Adding Multicast Groups to an MLD Filtering Profile...
  • Page 25 Figures Figure 345: Configuring General Settings for DNS Figure 346: Configuring a List of Domain Names for DNS Figure 347: Showing the List of Domain Names for DNS Figure 348: Configuring a List of Name Servers for DNS Figure 349: Showing the List of Name Servers for DNS Figure 350: Configuring Static Entries in the DNS Table Figure 351: Showing Static Entries in the DNS Table Figure 352: Showing Entries in the DNS Cache...
  • Page 26 Figures – 26 –...
  • Page 27: Tables

    Tables Table 1: Key Features Table 2: System Defaults Table 3: Web Page Configuration Buttons Table 4: Switch Main Menu Table 5: Predefined Summer-Time Parameters Table 6: Port Statistics Table 7: LACP Port Counters Table 8: LACP Internal Configuration Information Table 9: LACP Remote Device Configuration Information Table 10: Traffic Segmentation Forwarding Table 11: Recommended STA Path Cost Range...
  • Page 28 Tables Table 30: ARP Statistics Table 31: Show IPv6 Neighbors - display description Table 32: Show IPv6 Statistics - display description Table 33: Show MTU - display description Table 34: Options 60, 66 and 67 Statements Table 35: Options 55 and 124 Statements Table 36: Troubleshooting Chart –...
  • Page 29: Getting Started

    Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 31 –...
  • Page 30 Section I | Getting Started – 30 –...
  • Page 31: Introduction

    Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 32 Table 1: Key Features (Continued). Address Table: 16K MAC addresses in the forwarding table (shared with L2 unicast, L2 multicast, IPv4 multicast, IPv6 multicast); 1K static MAC addresses; 511 L2 IPv4 multicast groups (shared with MAC address table); 56 entries in host table (8 static ARP + 48 dynamic ARP);...
  • Page 33: Description Of Software Features

    Description of Software Features: The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network.
  • Page 34 Description of Software Features (continued): packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002). Rate Limiting: This feature controls the maximum rate for traffic transmitted or received on an interface.
  • Page 35 Description of Software Features (continued). IEEE 802.1D Bridge: The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses. Store-and-Forward: The switch copies each frame into its memory before forwarding it to another port.
  • Page 36 Description of Software Features (continued). ◆ Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection. ◆ Provide data security by restricting all traffic to the originating VLAN, except where a connection is explicitly defined via the switch's routing service.
  • Page 37: Address Resolution Protocol

    Address Resolution Protocol: The switch uses ARP and Proxy ARP to convert between IP addresses and MAC (hardware) addresses. This switch supports conventional ARP, which locates the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
  • Page 38: System Defaults

    System Defaults: The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults. Table 2: System Defaults Function Parameter...
  • Page 39 Table 2: System Defaults (Continued)

    Function | Parameter | Default
    SNMP | SNMP Agent | Enabled
    SNMP | Community Strings | “public” (read only); “private” (read/write)
    SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
    SNMP | SNMP V3 | View: defaultview; Group: public (read only); private (read/write)
    Port Configuration | Admin Status | ...
  • Page 40 Chapter 1 | Introduction System Defaults (Continued) Table 2: System Defaults Function Parameter Default Traffic Prioritization Ingress Port Priority Queue Mode Queue Weight Queue: 0 1 2 3 4 5 6 7 Weight: 1 2 4 6 8 10 12 14 Class of Service Enabled IP Precedence Priority...
  • Page 41: Web Configuration

    Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 43 ◆ "Basic Management Tasks" on page 63 ◆...
  • Page 42 Section II | Web Configuration ◆ "IP Services" on page 527 – 42 –...
  • Page 43: Using The Web Interface

    Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 9, Mozilla Firefox 39, or Google Chrome 44, or more recent versions).
  • Page 44: Navigating The Web Browser Interface

    Chapter 2 | Using the Web Interface Navigating the Web Browser Interface switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings for STA”...
  • Page 45: Figure 1: Dashboard

    Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Figure 1: Dashboard – 45 –...
  • Page 46: Configuration Options

    Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Front Panel Indicators GEL-5261 You can open a connection to the vendor’s web site by clicking on the Level One logo.
  • Page 47: Main Menu

    Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description...
  • Page 48 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Reset Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval Interface Port General Configure by Port List...
  • Page 49 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Information Counters Displays statistics for LACP protocol messages Internal Displays configuration settings and operational state for the local side of a link aggregation Neighbors Displays configuration settings and operational state for the remote...
  • Page 50 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Tunnel IEEE 802.1Q (QinQ) Tunneling Configure Global Sets tunnel mode for the switch Configure Interface Sets the tunnel mode for any participating interface Protocol Configure Protocol Creates a protocol group, specifying supported protocols...
  • Page 51 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page MSTP Multiple Spanning Tree Algorithm Configure Global Configures initial VLAN and priority for an MST instance Modify Configures the priority or an MST instance Show Configures global settings for an MST instance Add Member...
  • Page 52 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Rule Shows the rules used to enforce bandwidth policing for a policy map Configure Interface Applies a policy map to an ingress port VoIP Voice over IP Configure Global...
  • Page 53 Table 4: Switch Main Menu (Continued). Configure Service: Sets the authorization method used for the console port and for Telnet. Show Information: Shows the configured authorization methods, and the methods applied to specific interfaces. User Accounts: Configures user names, passwords, and access levels...
  • Page 54 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Adds an ACL based on IP or MAC address filtering Show Shows the name and type of configured ACLs Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes...
  • Page 55 Table 4: Switch Main Menu (Continued). ARP Inspection. Configure General: Enables inspection globally, configures validation of additional address components, and sets the log rate for packet inspection. Configure VLAN: Enables ARP inspection on specified VLANs. Configure Interface...
  • Page 56 Table 4: Switch Main Menu (Continued). Configure Engine. Set Engine ID: Sets the SNMP v3 engine ID on this switch. Add Remote Engine: Sets the SNMP v3 engine ID for a remote device. Show Remote Engine: Shows configured engine ID for remote devices. Configure View...
  • Page 57 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Show Alarm Shows all configured alarms Event Shows all configured events Configure Interface History Periodically samples statistics on a physical interface Statistics Enables collection of statistics on a physical interface Show...
  • Page 58 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Trace Route Shows the route packets take to the specified destination Shows entries in the Address Resolution Protocol cache General Routing Interface Add Address...
  • Page 59 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Static Host Table Configures static entries for domain name to address mapping Show Shows the list of static mapping entries Modify Modifies the static address mapped to the selected host name Cache...
  • Page 60 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface (Continued) Table 4: Switch Main Menu Menu Description Page Add Multicast Group Range Assigns multicast groups to selected profile Show Multicast Group Range Shows multicast groups assigned to a profile Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action Statistics...
  • Page 61 Table 4: Switch Main Menu (Continued). Summary: Shows summary statistics for querier and report/leave messages. Clear: Clears all MLD statistics or statistics for specified VLAN/port...
  • Page 62 Chapter 2 | Using the Web Interface Navigating the Web Browser Interface – 62 –...
  • Page 63: Basic Management Tasks

    Basic Management Tasks This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames –...
  • Page 64: Displaying System Information

    Displaying System Information: Use the System > General page to identify the system by displaying information such as the device name, location and contact information. Parameters These parameters are displayed: ◆ System Description –...
  • Page 65: Displaying Hardware/Software Versions

    Displaying Hardware/Software Versions: Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Parameters The following parameters are displayed: Main Board Information ◆...
  • Page 66: Configuring Support For Jumbo Frames

    Chapter 3 | Basic Management Tasks Configuring Support for Jumbo Frames Web Interface To view hardware and software version information. Click System, then Switch. Figure 3: General Switch Information Configuring Support for Jumbo Frames Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
  • Page 67: Displaying Bridge Extension Capabilities

    Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities Web Interface To configure support for jumbo frames: Click System, then Capability. Enable or disable support for jumbo frames. Click Apply. Figure 4: Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Use the System >...
  • Page 68: Figure 5: Displaying Bridge Extension Configuration

    Chapter 3 | Basic Management Tasks Displaying Bridge Extension Capabilities ◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration”...
  • Page 69: Managing System Files

    Managing System Files: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Copying Files via FTP/SFTP/TFTP or HTTP: Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, SFTP, TFTP or HTTP.
  • Page 70 Managing System Files (continued). ■ TFTP Download – Copies a file from the switch to a TFTP server. ◆ FTP/SFTP/TFTP Server IP Address – The IP address of an FTP/SFTP/TFTP server. ◆ User Name – The user name for SFTP/FTP server access. ◆...
  • Page 71: Saving The Running Configuration To A Local File

    Chapter 3 | Basic Management Tasks Managing System Files Figure 6: Copy Firmware If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu. Saving the Running Use the System >...
  • Page 72: Setting The Start-Up File

    Chapter 3 | Basic Management Tasks Managing System Files Select the current startup file on the switch to overwrite or specify a new file name. Then click Apply. Figure 7: Saving the Running Configuration If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System >...
  • Page 73: Showing System Files

    Chapter 3 | Basic Management Tasks Managing System Files Showing System Files Use the System > File (Show) page to show the files in the system directory, or to delete a file. Note: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
  • Page 74 Managing System Files (continued). ◆ The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/” to indicate this (e.g., ftp://192.168.0.1/).
  • Page 75 Chapter 3 | Basic Management Tasks Managing System Files ◆ The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image. Parameters The following parameters are displayed: ◆ Automatic Opcode Upgrade – Enables the switch to search for an upgraded operation code file during the switch bootup process.
  • Page 76 Managing System Files (continued). Examples: The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations: ■ tftp://192.168.0.1/ The image file is in the TFTP root directory. ■ tftp://192.168.0.1/switch-opcode/...
  • Page 77: Setting The System Clock

    Chapter 3 | Basic Management Tasks Setting the System Clock Figure 10: Configuring Automatic Code Upgrade If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1.2.1.3;...
  • Page 78: Setting The Time Manually

    Setting the Time Manually: Use the System > Time (Configure General - Manual) page to set the system time on the switch manually without using SNTP. Parameters The following parameters are displayed: ◆...
  • Page 79: Setting The Sntp Polling Interval

    Setting the SNTP Polling Interval: Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. Parameters The following parameters are displayed: ◆...
  • Page 80: Configuring Time Servers

    Setting the System Clock (continued). You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
  • Page 81: Figure 14: Specifying Sntp Time Servers

    Chapter 3 | Basic Management Tasks Setting the System Clock Parameters The following parameters are displayed: ◆ SNTP Server IP Address – Sets the IPv4 address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.
  • Page 82: Figure 15: Adding An Ntp Time Server

    Setting the System Clock (continued). ◆ Authentication Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. NTP authentication is optional. If enabled on the System > Time (Configure General) page, you must also configure at least one key on the System >...
  • Page 83: Figure 17: Adding An Ntp Authentication Key

    Specifying NTP Authentication Keys: Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list. Parameters The following parameters are displayed: ◆...
  • Page 84: Setting The Time Zone

    Chapter 3 | Basic Management Tasks Setting the System Clock Figure 18: Showing the NTP Authentication Key List Setting the Time Zone Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 85: Configuring Summer Time

    Figure 19: Setting the Time Zone. Configuring Summer Time: Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
  • Page 86: Table 5: Predefined Summer-Time Parameters

    Table 5: Predefined Summer-Time Parameters

    Australia | 00:00:00, Sunday, Week 5 of October | 23:59:59, Sunday, Week 5 of March | 60 min
    Europe | 00:00:00, Sunday, Week 5 of March | 23:59:59, Sunday, Week 5 of October | 60 min
    New Zealand | 00:00:00, Sunday, Week 1 of October | 23:59:59, Sunday, Week 3 of March | 60 min
    ...
  • Page 87: Configuring The Console Port

    Figure 20: Configuring Summer Time. Configuring the Console Port: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 88: Figure 21: Console Port Settings

    Chapter 3 | Basic Management Tasks Configuring the Console Port per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits) ◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2;...
  • Page 89: Configuring Telnet Settings

    Chapter 3 | Basic Management Tasks Configuring Telnet Settings Configuring Telnet Settings Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password.
  • Page 90: Displaying Cpu Utilization

    Chapter 3 | Basic Management Tasks Displaying CPU Utilization authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch. Web Interface To configure parameters for the console port: Click System, then Telnet.
  • Page 91: Configuring Cpu Guard

    Chapter 3 | Basic Management Tasks Configuring CPU Guard Figure 23: Displaying CPU Utilization Configuring CPU Guard Use the System > CPU Guard page to set the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second.
  • Page 92: Displaying Memory Utilization

    Chapter 3 | Basic Management Tasks Displaying Memory Utilization ◆ Trap Status – If enabled, an alarm message will be generated when utilization exceeds the high watermark or exceeds the maximum threshold. (Default: Disabled) Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered.
  • Page 93: Resetting The System

    Chapter 3 | Basic Management Tasks Resetting the System ◆ Total – The total amount of system memory. Web Interface To display memory utilization: Click System, then Memory Status. Figure 25: Displaying Memory Utilization Resetting the System Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
  • Page 94 Chapter 3 | Basic Management Tasks Resetting the System ■ Immediately – Restarts the system immediately. ■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.) hours –...
  • Page 95: Figure 26: Restarting The Switch (Immediately)

    Chapter 3 | Basic Management Tasks Resetting the System When prompted, confirm that you want to reset the switch. Figure 26: Restarting the Switch (Immediately) Figure 27: Restarting the Switch (In)...
  • Page 96: Figure 28: Restarting The Switch (At)

    Chapter 3 | Basic Management Tasks Resetting the System Figure 28: Restarting the Switch (At) Figure 29: Restarting the Switch (Regularly)...
  • Page 97: Interface Configuration

    Interface Configuration This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form.
  • Page 98: Port Configuration

    Chapter 4 | Interface Configuration Port Configuration Port Configuration This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. Configuring by Port List Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 99 Chapter 4 | Interface Configuration Port Configuration capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported. ■ 10h - Supports 10 Mbps half-duplex operation. ■ 10f - Supports 10 Mbps full-duplex operation. ...
  • Page 100: Configuring By Port Range

    Chapter 4 | Interface Configuration Port Configuration Figure 30: Configuring Connections by Port List Configuring by Port Range Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 101: Displaying Connection Status

    Chapter 4 | Interface Configuration Port Configuration Figure 31: Configuring Connections by Port Range Displaying Connection Status Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
  • Page 102: Showing Port Or Trunk Statistics

    Chapter 4 | Interface Configuration Port Configuration Web Interface To display port connection parameters: Click Interface, Port, General. Select Show Information from the Action List. Figure 32: Displaying Port Information Showing Port or Trunk Statistics Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 103 Chapter 4 | Interface Configuration Port Configuration Table 6: Port Statistics (Continued) Parameter – Description: Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. Transmitted Errors – The number of outbound packets that could not be transmitted because of errors.
  • Page 104 Chapter 4 | Interface Configuration Port Configuration Table 6: Port Statistics (Continued) Parameter – Description: SQE Test Errors – A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface. Carrier Sense Errors – The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame.
  • Page 105: Figure 33: Showing Port Statistics (Table)

    Chapter 4 | Interface Configuration Port Configuration Table 6: Port Statistics (Continued) Parameter – Description: Output Octets in kbits per second – Number of octets leaving this interface in kbits/second. Output Packets per second – Number of packets leaving this interface per second. Output Utilization – The output utilization rate for this interface.
  • Page 106: Displaying Statistical History

    Chapter 4 | Interface Configuration Port Configuration Figure 34: Showing Port Statistics (Chart) Displaying Statistical History Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces. Command Usage ◆ For a description of the statistics displayed on these pages, see...
  • Page 107 Chapter 4 | Interface Configuration Port Configuration ◆ History Name – Name of sample interval. (Range: 1-32 characters) ◆ Interval - The interval for sampling statistics. (Range: 1-86400 minutes) ◆ Requested Buckets - The number of samples to take. (Range: 1-96) Show ◆...
  • Page 108: Figure 35: Configuring A History Sample

    Chapter 4 | Interface Configuration Port Configuration Figure 35: Configuring a History Sample To show the configured entries for a history sample: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show from the Action menu. Select an interface from the Port or Trunk list. Figure 36: Showing Entries for History Sampling To show the configured parameters for a sampling entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
  • Page 109: Figure 37: Showing Status Of Statistical History Sample

    Chapter 4 | Interface Configuration Port Configuration Figure 37: Showing Status of Statistical History Sample To show statistics for the current interval of a sample entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show Details from the Action menu. Select Current Entry from the options for Mode.
  • Page 110: Displaying Transceiver Data

    Chapter 4 | Interface Configuration Port Configuration To show ingress or egress traffic statistics for a sample entry: Click Interface, Port, Statistics, or Interface, Trunk, Statistics. Select Show Details from the Action menu. Select Input Previous Entry or Output Previous Entry from the options for Mode.
  • Page 111: Configuring Transceiver Thresholds

    Chapter 4 | Interface Configuration Port Configuration problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters. Web Interface To display identifying information and functional parameters for optical transceivers: Click Interface, Port, Transceiver. Select a port from the scroll-down list.
  • Page 112 Chapter 4 | Interface Configuration Port Configuration The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
  • Page 113: Performing Cable Diagnostics

    Chapter 4 | Interface Configuration Port Configuration ■ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
  • Page 114 Chapter 4 | Interface Configuration Port Configuration ◆ Cable diagnostics can only be performed on twisted-pair media. ◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long. ◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length to a fault.
  • Page 115: Trunk Configuration

    Chapter 4 | Interface Configuration Trunk Configuration Web Interface To test the cable attached to a port: Click Interface, Port, Cable Test. Click Test for any port to start the cable test. Figure 42: Performing Cable Tests Trunk Configuration This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 116: Configuring A Static Trunk

    Chapter 4 | Interface Configuration Trunk Configuration Command Usage Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
  • Page 117: Figure 44: Creating Static Trunks

    Chapter 4 | Interface Configuration Trunk Configuration Command Usage ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible. ◆...
  • Page 118: Figure 45: Adding Static Trunks Members

    Chapter 4 | Interface Configuration Trunk Configuration To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member. Click Apply.
  • Page 119: Configuring A Dynamic Trunk

    Chapter 4 | Interface Configuration Trunk Configuration To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 47: Showing Information for Static Trunks Configuring a Dynamic Trunk Use the Interface > Trunk > Dynamic pages to set the administrative key for an aggregation group, enable LACP on a port, configure protocol parameters for local and partner ports, or to set Ethernet connection parameters.
  • Page 120 Chapter 4 | Interface Configuration Trunk Configuration ◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.
  • Page 121 Chapter 4 | Interface Configuration Trunk Configuration When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used. ◆ System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
  • Page 122: Figure 49: Configuring The Lacp Aggregator Admin Key

    Chapter 4 | Interface Configuration Trunk Configuration ■ If an LAG already exists with the maximum number of allowed port members, and LACP is subsequently enabled on another port using a higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.
  • Page 123: Figure 50: Enabling Lacp On A Port

    Chapter 4 | Interface Configuration Trunk Configuration Click Apply. Figure 50: Enabling LACP on a Port To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner.
  • Page 124: Figure 52: Showing Members Of A Dynamic Trunk

    Chapter 4 | Interface Configuration Trunk Configuration To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show Member from the Action list. Select a Trunk. Figure 52: Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 125: Displaying Lacp Port Counters

    Chapter 4 | Interface Configuration Trunk Configuration To show connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Show from the Action list. Figure 54: Showing Connection Parameters for Dynamic Trunks Displaying LACP Use the Interface >...
  • Page 126: Displaying Lacp Settings And Status For The Local Side

    Chapter 4 | Interface Configuration Trunk Configuration Select a group member from the Port list. Figure 55: Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
  • Page 127: Figure 56: Displaying Lacp Port Internal Information

    Chapter 4 | Interface Configuration Trunk Configuration Table 8: LACP Internal Configuration Information (Continued) Parameter – Description: Admin State, Oper State (continued): ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
  • Page 128: Displaying Lacp Settings And Status For The Remote Side

    Chapter 4 | Interface Configuration Trunk Configuration Displaying LACP Settings and Status for the Remote Side Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation. Parameters These parameters are displayed:...
  • Page 129: Configuring Load Balancing

    Chapter 4 | Interface Configuration Trunk Configuration Figure 57: Displaying LACP Port Remote Information Configuring Load Balancing Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
  • Page 130: Figure 58: Configuring Load Balancing

    Chapter 4 | Interface Configuration Trunk Configuration ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
  • Page 131: Saving Power

    Chapter 4 | Interface Configuration Saving Power Saving Power Use the Interface > Green Ethernet page to enable power savings mode on the selected port. Command Usage ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
  • Page 132: Configuring Local Port Mirroring

    Chapter 4 | Interface Configuration Configuring Local Port Mirroring ◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Enabled on Gigabit Ethernet RJ-45 ports) Web Interface To enable power savings:...
  • Page 133: Figure 61: Configuring Local Port Mirroring

    Chapter 4 | Interface Configuration Configuring Local Port Mirroring (remote port mirroring as described in “Configuring Remote Port Mirroring” on page 134). ◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port. ◆...
  • Page 134: Configuring Remote Port Mirroring

    Chapter 4 | Interface Configuration Configuring Remote Port Mirroring To display the configured mirror sessions: Click Interface, Port, Mirror. Select Show from the Action List. Figure 62: Displaying Local Port Mirror Sessions Configuring Remote Port Mirroring Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
  • Page 135 Chapter 4 | Interface Configuration Configuring Remote Port Mirroring Command Usage ◆ Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in “Configuring Local Port Mirroring” on page 132), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
  • Page 136 Chapter 4 | Interface Configuration Configuring Remote Port Mirroring ■ MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be restarted on the RSPAN uplink ports.
  • Page 137: Figure 64: Configuring Remote Port Mirroring (Source)

    Chapter 4 | Interface Configuration Configuring Remote Port Mirroring to an RSPAN VLAN. Also, note that the VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. ◆ Type –...
  • Page 138: Sampling Traffic Flows

    Chapter 4 | Interface Configuration Sampling Traffic Flows Figure 65: Configuring Remote Port Mirroring (Intermediate) Figure 66: Configuring Remote Port Mirroring (Destination) Sampling Traffic Flows The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
  • Page 139: Configuring Sflow Receiver Settings

    Chapter 4 | Interface Configuration Sampling Traffic Flows Note: The terms “collector”, “receiver” and “owner”, in the context of this chapter, all refer to a remote server capable of receiving the sFlow datagrams generated by the sFlow agent of the switch. As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created.
  • Page 140: Figure 67: Configuring An Sflow Receiver

    Chapter 4 | Interface Configuration Sampling Traffic Flows used to indicate the appropriate number of zeros required to fill the undefined fields. ◆ Receiver Socket Port – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 1-65534) ◆...
  • Page 141: Configuring An Sflow Polling Instance

    Chapter 4 | Interface Configuration Sampling Traffic Flows Figure 68: Showing sFlow Receivers Configuring an sFlow Polling Instance Use the Interface > sFlow (Configure Details – Add) page to enable an sFlow polling data source that polls periodically based on a specified time interval, or an sFlow data source instance that takes samples periodically based on the number of packets processed.
  • Page 142: Figure 69: Configuring An Sflow Instance

    Chapter 4 | Interface Configuration Sampling Traffic Flows Click Apply. Figure 69: Configuring an sFlow Instance Web Interface To show configured instances: Click Interface, sFlow. Select Configure Details from the Step list. Select Show from the Action list. Select the owner name from the scroll-down list. Select sFlow type as Sampling or Polling.
  • Page 143: Traffic Segmentation

    Chapter 4 | Interface Configuration Traffic Segmentation Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports.
  • Page 144: Configuring Uplink And Downlink Ports

    Chapter 4 | Interface Configuration Traffic Segmentation Figure 71: Enabling Traffic Segmentation Configuring Uplink and Downlink Ports Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 145: Figure 72: Configuring Members For Traffic Segmentation

    Chapter 4 | Interface Configuration Traffic Segmentation ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. Parameters These parameters are displayed: ◆ Session ID – Traffic segmentation session. (Range: 1-4) ◆...
  • Page 146: Figure 73: Showing Traffic Segmentation Members

    Chapter 4 | Interface Configuration Traffic Segmentation To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 73: Showing Traffic Segmentation Members...
  • Page 147: Vlan Configuration

    VLAN Configuration This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs. ◆...
  • Page 148: Figure 74: Vlan Compliant And Vlan Non-Compliant Devices

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs This switch supports the following VLAN features: ◆ Up to 4094 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit tagging. ◆ Port overlapping, allowing a port to participate in multiple VLANs ◆...
  • Page 149: Configuring Vlan Groups

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
  • Page 150 Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Modify ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. ◆ L3 Interface –...
  • Page 151: Figure 75: Creating Static Vlans

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Figure 75: Creating Static VLANs To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface.
  • Page 152: Adding Static Members To Vlans

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To show the configuration settings for VLAN groups: Click VLAN, Static. Select Show from the Action list. Figure 77: Showing Static VLANs Adding Static Members to VLANs Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
  • Page 153 Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. ◆ PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
  • Page 154: Figure 78: Configuring Static Members By Vlan Index

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Edit Member by Interface All parameters are the same as those described under the preceding section for Edit Member by VLAN. Edit Member by Interface Range All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.
  • Page 155: Figure 79: Configuring Static Vlan Members By Interface

    Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply.
  • Page 156: Ieee 802.1Q Tunneling

    Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Figure 80: Configuring Static VLAN Members by Interface Range IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 157: Figure 81: Qinq Operational Concept

    Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet.
  • Page 158 Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag). The switch sends the packet to the proper egress port. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped.
  • Page 159 Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet. The switch sends the packet to the proper egress port. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped.
  • Page 160: Enabling Qinq Tunneling On The Switch

    Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 152). Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to a QinQ Tunnel”...
  • Page 161: Creating Cvlan To Spvlan Mapping Entries

    Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames. Click Apply. Figure 82: Enabling QinQ Tunneling Creating Use the VLAN >...
  • Page 162: Figure 83: Configuring Cvlan To Spvlan Mapping Entries

    Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling ◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094) Web Interface To configure a mapping entry: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Add from the Action list. Select an interface from the Port list.
  • Page 163: Adding An Interface To A Qinq Tunnel

    Chapter 5 | VLAN Configuration IEEE 802.1Q Tunneling The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide. Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
  • Page 164: Protocol Vlans

    Chapter 5 | VLAN Configuration Protocol VLANs Figure 85: Adding an Interface to a QinQ Tunnel Protocol VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 165: Configuring Protocol Vlan Groups

    Chapter 5 | VLAN Configuration Protocol VLANs Configuring Protocol VLAN Groups Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. Parameters These parameters are displayed: ◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
  • Page 166: Mapping Protocol Groups To Interfaces

    Chapter 5 | VLAN Configuration Protocol VLANs Figure 86: Configuring Protocol VLANs To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Show from the Action list. Figure 87: Displaying Protocol VLANs Mapping Protocol Use the VLAN >...
  • Page 167 Chapter 5 | VLAN Configuration Protocol VLANs ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is...
  • Page 168: Configuring Mac-Based Vlans

    Chapter 5 | VLAN Configuration Configuring MAC-based VLANs Figure 88: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Show from the Action list. Select a port or trunk.
  • Page 169 Chapter 5 | VLAN Configuration Configuring MAC-based VLANs ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
  • Page 170: Figure 90: Configuring Mac-Based Vlans

    Chapter 5 | VLAN Configuration Configuring MAC-based VLANs Figure 90: Configuring MAC-Based VLANs To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 91: Showing MAC-Based VLANs...
  • Page 171: Address Table Settings

    Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 172: Clearing The Dynamic Address Table

    Chapter 6 | Address Table Settings Clearing the Dynamic Address Table ◆ Life Time – Shows the time to retain the specified address. Web Interface To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface).
  • Page 173: Changing The Aging Time

    Web Interface To clear the entries in the dynamic address table: Click MAC Address, Dynamic. Select Clear Dynamic MAC from the Action list. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
  • Page 174: Configuring Mac Address Learning

    Specify a new aging time. Click Apply. Figure 94: Setting the Address Aging Time Configuring MAC Address Learning Use the MAC Address > Learning Status page to enable or disable MAC address learning on an interface.
  • Page 175: Figure 95: Configuring Mac Address Learning

    Parameters These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-52) ◆ Trunk – Trunk Identifier. (Range: 1-8) ◆ Status –...
  • Page 176: Setting Static Addresses

    Setting Static Addresses Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved.
  • Page 177: Figure 96: Configuring Static Mac Addresses

    Web Interface To configure a static MAC address: Click MAC Address, Static. Select Add from the Action list. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
  • Page 178: Issuing Mac Address Traps

    Issuing MAC Address Traps Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Parameters These parameters are displayed: Configure Global ◆...
  • Page 179: Figure 99: Issuing Mac Address Traps (Interface Configuration)

    To enable MAC address traps at the interface level: Click MAC Address, MAC Notification. Select Configure Interface from the Step list. Enable MAC notification traps for the required ports. Click Apply. Figure 99: Issuing MAC Address Traps (Interface Configuration)
  • Page 181: Spanning Tree Algorithm

    Spanning Tree Algorithm This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA –...
  • Page 182: Figure 100: Stp Root Ports And Designated Ports

    Chapter 7 | Spanning Tree Algorithm Overview Figure 100: STP Root Ports and Designated Ports Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 183: Configuring Loopback Detection

    An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 199).
  • Page 184 Note: Loopback detection will not be active if Spanning Tree is disabled on the switch. Note: When configured for manual release mode, a link down/up event will not release the port from the discarding state. Parameters These parameters are displayed: ◆...
  • Page 185: Configuring Global Settings For Sta

    Figure 103: Configuring Port Loopback Detection Configuring Global Settings for STA Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. Command Usage ◆...
  • Page 186 preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance. ■ To allow multiple spanning trees to operate over the network, you must...
  • Page 187 ◆ Cisco Prestandard Status – Configures spanning tree operation to be compatible with Cisco prestandard versions. (Default: Disabled) Cisco prestandard versions prior to Cisco IOS Release 12.2(25)SEC do not fully follow the IEEE standard, causing some state machine procedures to function incorrectly.
  • Page 188 changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. ■ Default: 15...
  • Page 189: Figure 104: Configuring Global Settings For Sta (Stp)

    Click Apply. Figure 104: Configuring Global Settings for STA (STP) Figure 105: Configuring Global Settings for STA (RSTP)
  • Page 190: Displaying Global Settings For Sta

    Figure 106: Configuring Global Settings for STA (MSTP) Displaying Global Settings for STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch. Parameters The parameters displayed are described in the preceding section, except for the following items:...
  • Page 191: Configuring Interface Settings For Sta

    ◆ Root Path Cost – The path cost from the root port on this switch to the root device. ◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
  • Page 192: Table 11: Recommended Sta Path Cost Range

    ◆ BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 185) or when spanning tree is disabled on a specific port. When flooding is enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the Spanning Tree BPDU Flooding attribute (page...
  • Page 193: Figure 108: Determining The Root Port

    Table 12: Default STA Path Costs (Continued)

    Port Type         Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
    Gigabit Ethernet  10,000                               10,000
    10G Ethernet      1,000                                1,000

    Administrative path cost cannot be used to directly determine the root port on a switch.
  • Page 194 ◆ Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface...
  • Page 195 configurations because an administrator must manually enable the port. (Default: Disabled) BPDU guard can only be configured on an interface if the edge port attribute is not disabled (that is, if edge port is set to enabled or auto). ◆...
  • Page 196: Displaying Interface Settings For Sta

    Figure 109: Configuring Interface Settings for STA Displaying Interface Settings for STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. Parameters These parameters are displayed: ◆...
  • Page 197: Figure 110: Sta Port Roles

    ◆ Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state. ◆ Designated Cost – The cost for a packet to travel from this port to the root in the current Spanning Tree configuration.
  • Page 198: Figure 111: Displaying Interface Settings For Sta

    Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port. The criteria used for determining the port role is based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
  • Page 199: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. Command Usage MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 200: Figure 112: Creating An Mst Instance

    Web Interface To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 201: Figure 114: Modifying The Priority For An Mst Instance

    To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP Instance. Click Apply.
  • Page 202: Figure 116: Adding A Vlan To An Mst Instance

    To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 203: Configuring Interface Settings For Mstp

    Configuring Interface Settings for MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. Parameters These parameters are displayed: ◆...
  • Page 204: Figure 118: Configuring Mstp Interface Settings

    Web Interface To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Configure from the Action list. Enter the priority and path cost for an interface. Click Apply.
  • Page 205: Congestion Control

    Congestion Control The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 206: Storm Control

    Chapter 8 | Congestion Control Storm Control Web Interface To configure rate limits: Click Traffic, Rate Limit. Set the interface type to Port or Trunk. Enable the Rate Limit Status for the required interface. Set the rate limit for required interfaces. Click Apply.
  • Page 207 ◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these features on the same interface. Parameters These parameters are displayed: ◆...
  • Page 208: Figure 121: Configuring Storm Control

    Figure 121: Configuring Storm Control
  • Page 209: Class Of Service

    Class of Service Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 210: Selecting The Queue Mode

    Chapter 9 | Class of Service Layer 2 Queue Settings ◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters These parameters are displayed: ◆ Interface –...
  • Page 211 the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. ◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues.
  • Page 212: Figure 123: Setting The Queue Mode (Strict)

    Web Interface To configure the queue mode: Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling strict mode parameter in the table.
  • Page 213: Layer 3/4 Priority Settings

    Figure 125: Setting the Queue Mode (Strict and WRR) Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
  • Page 214: Setting Priority Processing To Dscp Or Cos

    Setting Priority Processing to DSCP or CoS The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method. Command Usage ◆...
  • Page 215: Mapping Cos Priorities To Per-Hop Behavior

    Figure 126: Setting the Trust Mode Mapping CoS Priorities to Per-hop Behavior Use the Traffic > Priority > CoS to Queue page to map CoS/CFI values in incoming packets to per-hop behavior for priority processing. Command Usage...
  • Page 216: Mapping Dscp Priorities To Per-Hop Behavior

    Web Interface To map CoS/CFI values to Queue precedence: Click Traffic, Priority, CoS to Queue. Set the Queue for any of the CoS/CFI combinations. Click Apply. Figure 127: Configuring CoS to Queue Mapping Mapping Use the Traffic >...
  • Page 217: Table 14: Default Mapping Of Dscp Values To Queue/Cfi

    Parameters These parameters are displayed: ◆ Port – Specifies a port. ◆ DSCP – DSCP value in ingress packets. (Range: 0-63) ◆ Queue – Per-hop behavior, or the priority used for this router hop. (Range: 0-7) Table 14: Default Mapping of DSCP Values to Queue/CFI ingress- dscp1...
  • Page 218: Figure 128: Configuring Dscp To Queue Mapping

    Figure 128: Configuring DSCP to Queue Mapping
  • Page 219 Quality of Service This chapter describes the following tasks required to apply QoS policies: ◆ Class Map – Creates a map which identifies a specific class of traffic. ◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
  • Page 220: Quality Of Service Overview

    Chapter 10 | Quality of Service Configuring a Class Map Command Usage To create a service policy for a specific category or ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
  • Page 221: Figure 129: Configuring A Class Map

    ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
  • Page 222: Figure 130: Showing Class Maps

    To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 130: Showing Class Maps To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 223: Creating Qos Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 132: Showing the Rules for a Class Map Creating QoS Policies Use the Traffic >...
  • Page 224 Add Rule ◆ Policy Name – Name of policy map. ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. A policy map can contain up to 32 class maps. ◆...
  • Page 225: Figure 133: Configuring A Policy Map

    Figure 133: Configuring a Policy Map To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 134: Showing Policy Maps To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 226: Attaching A Policy Map To A Port

    Figure 135: Adding Rules to a Policy Map To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 136: Showing the Rules for a Policy Map Attaching a Policy Map to a Port Use the Traffic >...
  • Page 227: Figure 137: Attaching A Policy Map To A Port

    ◆ Ingress – Applies the selected rule to ingress traffic. Web Interface To bind a policy map to a port: Click Traffic, DiffServ. Select Configure Interface from the Step list. Check the box under the Ingress field to enable a policy map for a port.
  • Page 229 VoIP Traffic Configuration This chapter covers the following topics: ◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
  • Page 230: Voip Traffic Configuration Overview

    Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Configuring VoIP Traffic Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
  • Page 231: Configuring Telephony Oui

    Figure 138: Configuring a Voice VLAN Configuring Telephony OUI VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets.
  • Page 232: Configuring Voip Traffic Ports

    Enter a description for the devices. Click Apply. Figure 139: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list.
  • Page 233 Parameters These parameters are displayed: ◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None) ■ None – The Voice VLAN feature is disabled on the port. The port will not...
  • Page 234: Figure 141: Configuring Port Settings For A Voice Vlan

    When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.” Web Interface To configure VoIP traffic settings for a port: Click Traffic, VoIP.
  • Page 235: Security Measures

    Security Measures You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: ◆...
  • Page 236: Aaa (Authentication, Authorization And Accounting)

    Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) with invalid MAC to IP Address bindings, which forms the basis for certain “man-in-the-middle” attacks. Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 237: Configuring Local/Remote Logon Authentication

    Define RADIUS and TACACS+ server groups to support the accounting and authorization of services. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces.
  • Page 238: Configuring Remote Logon Authentication Servers

    Web Interface To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply. Figure 142: Configuring the Authentication Sequence Configuring Use the Security >...
  • Page 239 Command Usage ◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
  • Page 240 ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. ◆...
  • Page 241: Figure 144: Configuring Remote Authentication Server (Radius)

    Web Interface To configure the parameters for RADIUS or TACACS+ authentication: Click Security, AAA, Server. Select Configure Server from the Step list. Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
  • Page 242: Figure 145: Configuring Remote Authentication Server (Tacacs+)

    Figure 145: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list.
  • Page 243: Configuring Aaa Accounting

    To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 147: Showing AAA Server Groups Configuring Use the Security >...
  • Page 244 ■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting. ◆ Method Name – Specifies an accounting method for service requests. The “default”...
  • Page 245: Figure 148: Configuring Global Settings For Aaa Accounting

    ■ VTY Method Name – Specifies a user defined method name to apply to Telnet and SSH connections. Show Information – Summary ◆ Accounting Type - Displays the accounting service. ◆...
  • Page 246: Figure 149: Configuring Aaa Accounting Methods

    To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list. Select the accounting type (802.1X, Command, Exec).
  • Page 247: Figure 150: Showing Aaa Accounting Methods

    Figure 150: Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list.
  • Page 248: Figure 152: Configuring Aaa Accounting Service For Command Service

    Figure 152: Configuring AAA Accounting Service for Command Service Figure 153: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting.
  • Page 249: Configuring Aaa Authorization

    Figure 154: Displaying a Summary of Applied AAA Accounting Methods To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Statistics.
  • Page 250 Parameters These parameters are displayed: Configure Method ◆ Authorization Type – Specifies the service as: ■ Command – Administrative authorization to apply to commands entered at specific CLI privilege levels. ■ Exec –...
  • Page 251: Figure 156: Configuring Aaa Authorization Methods

    Web Interface To configure the authorization method applied to the Exec service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Specify the name of the authorization method and server group name. Click Apply.
  • Page 252: Figure 158: Configuring Aaa Authorization Methods For Exec Service

    To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 158: Configuring AAA Authorization Methods for Exec Service To display the configured authorization method and assigned server groups for the Exec service type:...
  • Page 253: Configuring User Accounts

    Configuring User Accounts Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. Command Usage ◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin”...
  • Page 254: Figure 160: Configuring User Accounts

    ■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server.
  • Page 255: Web Authentication

    Figure 161: Showing User Accounts Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
  • Page 256: Configuring Interface Settings For Web Authentication

    ◆ Quiet Period – Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts. (Range: 1-180 seconds; Default: 60 seconds) ◆ Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period.
  • Page 257: Network Access (Mac Address Authentication)

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ Revert – Restores the previous configuration settings. ◆ Re-authenticate – Ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List, and forces the users to re-authenticate.
  • Page 258 Chapter 12 | Security Measures Network Access (MAC Address Authentication) Command Usage ◆ MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 259: Table 15: Dynamic Qos Profiles

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) Table 15: Dynamic QoS Profiles
    Profile      Attribute Syntax                      Example
    DiffServ     service-policy-in=policy-map-name     service-policy-in=p1
    Rate Limit   rate-limit-input=rate                 rate-limit-input=100 (kbps)
                 rate-limit-output=rate                rate-limit-output=200 (kbps)
    802.1p       switchport-priority-default=value     switchport-priority-default=2
    IP ACL       ip-access-group-in=ip-acl-name        ip-access-group-in=ipv4acl
    IPv6 ACL     ipv6-access-group-in=ipv6-acl-name    ipv6-access-group-in=ipv6acl
    MAC ACL      mac-access-group-in=mac-acl-name...
  • Page 260: Configuring Global Settings For Network Access

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
  • Page 261: Configuring Network Access For Ports

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) Figure 164: Configuring Global Settings for Network Access Configuring Network Access for Ports Use the Security > Network Access (Configure Interface) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.
  • Page 262 Chapter 12 | Security Measures Network Access (MAC Address Authentication) ◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch.
  • Page 263: Configuring A Mac Address Filter

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) Figure 165: Configuring Interface Settings for Network Access Configuring a MAC Address Filter Use the Security > Network Access (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication. MAC addresses present in MAC Filter tables activated on a port are treated as pre-authenticated on that port.
  • Page 264: Displaying Secure Mac Address Information

    Chapter 12 | Security Measures Network Access (MAC Address Authentication) Enter a filter ID, MAC address, and optional mask. Click Apply. Figure 166: Configuring a MAC Address Filter for Network Access To show the MAC address filter table for MAC authentication: Click Security, Network Access.
  • Page 265 Chapter 12 | Security Measures Network Access (MAC Address Authentication) ■ Interface – Specifies a port interface. ■ Attribute – Displays static or dynamic addresses. ◆ Authenticated MAC Address List ■ MAC Address – The authenticated MAC address. ■ Interface – The port interface associated with a secure MAC address...
  • Page 266: Configuring Https

    Chapter 12 | Security Measures Configuring HTTPS Figure 168: Showing Addresses Authenticated for Network Access Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
  • Page 267: Table 16: Https System Support

    Chapter 12 | Security Measures Configuring HTTPS ■ The client and server generate session keys for encrypting and decrypting data. ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 53, or Google Chrome 59, or more recent versions.
  • Page 268: Replacing The Default Secure-Site Certificate

    Chapter 12 | Security Measures Configuring HTTPS Figure 169: Configuring HTTPS Replacing the Default Secure-site Certificate Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 269: Figure 170: Downloading The Secure-Site Certificate

    Chapter 12 | Security Measures Configuring HTTPS ◆ Private Key Source File Name – Name of private key file stored on the TFTP server. ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 270: Configuring The Secure Shell

    Chapter 12 | Security Measures Configuring the Secure Shell Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 271 Chapter 12 | Security Measures Configuring the Secure Shell Import Client’s Public Key to the Switch – See “Importing User Public Keys” on page 275 to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 253.) The...
  • Page 272: Configuring The Ssh Server

    Chapter 12 | Security Measures Configuring the Secure Shell The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
  • Page 273: Generating The Host Key Pair

    Chapter 12 | Security Measures Configuring the Secure Shell ◆ Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) ■ The server key is a private key that is never shared outside the switch. ■ The host key is shared with the SSH client, and is fixed at 1024 bits...
  • Page 274: Figure 172: Generating The Ssh Host Key Pair

    Chapter 12 | Security Measures Configuring the Secure Shell Parameters These parameters are displayed: ◆ Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA (Version 1), DSA (Version 2), Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 275: Importing User Public Keys

    Chapter 12 | Security Measures Configuring the Secure Shell To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the option to save the host key from memory to flash by clicking Save, or select the host-key type to clear and click Clear.
  • Page 276: Figure 174: Copying The Ssh User's Public Key

    Chapter 12 | Security Measures Configuring the Secure Shell The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. ◆ TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import.
  • Page 277: Access Control Lists

    Chapter 12 | Security Measures Access Control Lists Figure 175: Showing the SSH User’s Public Key Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 278: Showing Tcam Utilization

    Chapter 12 | Security Measures Access Control Lists possible depends on too many factors to be precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose. Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently.
  • Page 279 Chapter 12 | Security Measures Access Control Lists rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, VLAN translation, or traps. For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
  • Page 280: Setting The Acl Name And Type

    Chapter 12 | Security Measures Access Control Lists Figure 176: Showing TCAM Utilization Setting the ACL Name and Type Use the Security > ACL (Configure ACL - Add) page to create an ACL. Parameters These parameters are displayed: ◆ ACL Name – Name of the ACL. (Maximum length: 32 characters) ◆...
  • Page 281: Figure 177: Creating An Acl

    Chapter 12 | Security Measures Access Control Lists ■ MAC – MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060). ■ ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP...
  • Page 282: Configuring A Standard Ipv4 Acl

    Chapter 12 | Security Measures Access Control Lists Figure 178: Showing a List of ACLs Configuring a Standard IPv4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. Parameters These parameters are displayed: ◆...
  • Page 283: Configuring An Extended Ipv4 Acl

    Chapter 12 | Security Measures Access Control Lists Web Interface To add rules to an IPv4 Standard ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Standard from the Type list. Select the name of an ACL from the Name list.
  • Page 284 Chapter 12 | Security Measures Access Control Lists ◆ Action – An ACL can contain any combination of permit or deny rules. ◆ Source/Destination Address Type – Specifies the source or destination IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 285 Chapter 12 | Security Measures Access Control Lists ◆ Service Type – Packet priority settings based on the following criteria: ■ Precedence – IP precedence level. (Range: 0-7) ■ DSCP – DSCP priority level. (Range: 0-63) ◆ Time Range – Name of a time range. Web Interface To add rules to an IPv4 Extended ACL: Click Security, ACL.
  • Page 286: Configuring A Standard Ipv6 Acl

    Chapter 12 | Security Measures Access Control Lists Figure 180: Configuring an Extended IPv4 ACL Configuring a Standard IPv6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. Parameters These parameters are displayed: ◆...
  • Page 287: Configuring An Extended Ipv6 Acl

    Chapter 12 | Security Measures Access Control Lists Web Interface To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list. Select the name of an ACL from the Name list.
  • Page 288 Chapter 12 | Security Measures Access Control Lists ◆ Action – An ACL can contain any combination of permit or deny rules. ◆ Source Address Type – Specifies the source IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix”...
  • Page 289: Figure 182: Configuring An Extended Ipv6 Acl

    Chapter 12 | Security Measures Access Control Lists 60 : Destination Options (RFC 2460) ◆ Time Range – Name of a time range. Web Interface To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list.
  • Page 290: Configuring A Mac Acl

    Chapter 12 | Security Measures Access Control Lists Configuring a MAC ACL Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. Parameters These parameters are displayed: ◆...
  • Page 291: Figure 183: Configuring A Mac Acl

    Chapter 12 | Security Measures Access Control Lists Web Interface To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list.
  • Page 292: Configuring An Arp Acl

    Chapter 12 | Security Measures Access Control Lists Configuring an ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection”...
  • Page 293: Binding A Port To An Access Control List

    Chapter 12 | Security Measures Access Control Lists Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny). Select the packet type (Request, Response, All). Select the address type (Any, Host, or IP). If you select “Host,”...
  • Page 294: Showing Acl Hardware Counters

    Chapter 12 | Security Measures Access Control Lists ◆ Counter – Enables counter for ACL statistics. Web Interface To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select Configure from the Action list. Select IP, MAC or IPv6 from the Type options.
  • Page 295: Figure 186: Showing Acl Statistics

    Chapter 12 | Security Measures Access Control Lists ◆ Direction – Displays statistics for ingress or egress traffic. ◆ Query – Displays statistics for selected criteria. ◆ ACL Name – The ACL bound to this port. ◆ Action – Shows if action is to permit or deny specified packets. ◆...
  • Page 296: Filtering Ip Addresses For Management Access

    Chapter 12 | Security Measures Filtering IP Addresses for Management Access Filtering IP Addresses for Management Access Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
  • Page 297: Figure 187: Creating An Ip Address Filter For Management Access

    Chapter 12 | Security Measures Filtering IP Addresses for Management Access Web Interface To create a list of IP addresses authorized for management access: Click Security, IP Filter. Select Add from the Action list. Select the management interface to filter (Web, SNMP, Telnet, All). Enter the IP addresses or range of addresses that are allowed management access to an interface.
  • Page 298: Configuring Port Security

    Chapter 12 | Security Measures Configuring Port Security Configuring Port Security Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
  • Page 299 Chapter 12 | Security Measures Configuring Port Security Parameters These parameters are displayed: ◆ Port – Port identifier. ◆ Security Status – Enables or disables port security on a port. (Default: Disabled) ◆ Port Status – The operational status: ■ Secure/Down – Port security is disabled...
  • Page 300: Configuring 802.1X Port Authentication

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Web Interface To configure port security: Click Security, Port Security. Mark the check box in the Security Status column to enable security, set the action to take when an invalid address is detected on a port, and set the maximum number of MAC addresses allowed on the port.
  • Page 301: Figure 190: Configuring Port Authentication

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
  • Page 302: Configuring 802.1X Global Settings

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Configuring 802.1X Global Settings Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Parameters These parameters are displayed: ◆...
  • Page 303 Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on this configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page.
  • Page 304 Chapter 12 | Security Measures Configuring 802.1X Port Authentication ◆ Max Count – The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected. (Range: 1-1024; Default: 5) ◆ Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  • Page 305 Chapter 12 | Security Measures Configuring 802.1X Port Authentication ■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (See “Configuring VLAN Groups” on page 149) and mapped on each port (See “Configuring Network Access for Ports”...
  • Page 306: Displaying 802.1X Statistics

    Chapter 12 | Security Measures Configuring 802.1X Port Authentication Figure 192: Configuring Interface Settings for 802.1X Port Authenticator Displaying 802.1X Statistics Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. Parameters These parameters are displayed: Table 17: 802.1X Statistics...
  • Page 307 Chapter 12 | Security Measures Configuring 802.1X Port Authentication (Continued) Table 17: 802.1X Statistics Parameter Description Rx EAP Resp/Id The number of EAP Resp/Id frames that have been received by this Authenticator. Rx EAP Resp/Oth The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
  • Page 308: Dos Protection

    Chapter 12 | Security Measures DoS Protection Web Interface To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Figure 193: Showing Statistics for 802.1X Port Authenticator DoS Protection Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks.
  • Page 309 Chapter 12 | Security Measures DoS Protection victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets. (Default: Enabled) ◆ TCP Flooding Attack – Attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed-Source IP) to a target and never returns ACK packets.
  • Page 310: Dhcp Snooping

    Chapter 12 | Security Measures DHCP Snooping ◆ WinNuke Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second) Web Interface To protect against DoS attacks: Click Security, DoS Protection. Enable protection for specific DoS attacks, and set the maximum allowed rate as required.
  • Page 311 Chapter 12 | Security Measures DHCP Snooping messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped. ◆ Table entries are only learned for trusted interfaces. An entry is added or removed dynamically to the DHCP snooping table when a client receives or releases an IP address from a DHCP server.
  • Page 312 Chapter 12 | Security Measures DHCP Snooping ■ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
  • Page 313: Dhcp Snooping Global Configuration

    Chapter 12 | Security Measures DHCP Snooping DHCP Snooping Global Configuration Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. Parameters These parameters are displayed: General ◆...
  • Page 314: Figure 195: Configuring Global Settings For Dhcp Snooping

    Chapter 12 | Security Measures DHCP Snooping ◆ DHCP Snooping Information Option TR101 Board ID – Sets the board identifier used in Option 82 information based on TR-101 syntax. (Range: 0-9; Default: undefined) ◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information.
  • Page 315: Dhcp Snooping Vlan Configuration

    Chapter 12 | Security Measures DHCP Snooping DHCP Snooping VLAN Configuration Use the Security > DHCP Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. Command Usage ◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 316: Configuring Ports For Dhcp Snooping

    Chapter 12 | Security Measures DHCP Snooping Configuring Ports for DHCP Snooping Use the Security > DHCP Snooping (Configure Interface) page to configure switch ports as trusted or untrusted. Command Usage ◆ A trusted interface is an interface that is configured to receive only messages from within the network.
  • Page 317: Displaying Dhcp Snooping Binding Information

    Chapter 12 | Security Measures DHCP Snooping Specify the mode used for sending circuit ID information, and an arbitrary string if required. Click Apply. Figure 197: Configuring the Port Mode for DHCP Snooping Displaying DHCP Snooping Binding Information Use the Security > DHCP Snooping (Show Information) page to display entries in the binding table.
  • Page 318: Ipv4 Source Guard

    Chapter 12 | Security Measures IPv4 Source Guard Web Interface To display the binding table for DHCP Snooping: Click IP Service, DHCP, Snooping. Select Show Information from the Step list. Use the Store or Clear function if required. Figure 198: Displaying the Binding Table for DHCP Snooping IPv4 Source Guard IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic...
  • Page 319 Chapter 12 | Security Measures IPv4 Source Guard VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address. If no matching entry is found, the packet is dropped. Note: Multicast addresses cannot be used by IP Source Guard.
  • Page 320: Configuring Static Bindings For Ipv4 Source Guard

    Chapter 12 | Security Measures IPv4 Source Guard ■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. ◆ Filter Table – Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table.
  • Page 321 Chapter 12 | Security Measures IPv4 Source Guard ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. ◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
  • Page 322: Figure 200: Configuring Static Bindings For Ipv4 Source Guard

    Chapter 12 | Security Measures IPv4 Source Guard ◆ VLAN – ID of a configured VLAN or a range of VLANs. (Range: 1-4094) ◆ IP Address – A valid unicast IP address, including classful types A, B or C. ◆ Port –...
  • Page 323: Displaying Information For Dynamic Ipv4 Source Guard Bindings

    Chapter 12 | Security Measures IPv4 Source Guard Select Show from the Action list. Figure 201: Displaying Static Bindings for IPv4 Source Guard Displaying Information for Dynamic IPv4 Source Guard Bindings Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
  • Page 324: Arp Inspection

    Chapter 12 | Security Measures ARP Inspection Figure 202: Showing the IPv4 Source Guard Binding Table ARP Inspection ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
  • Page 325: Configuring Global Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection ■ If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including those where inspection is enabled. ■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
  • Page 326 Chapter 12 | Security Measures ARP Inspection ARP Inspection Logging ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis.
  • Page 327: Configuring Vlan Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection Web Interface To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
  • Page 328: Figure 204: Configuring Vlan Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters These parameters are displayed: ◆...
  • Page 329: Configuring Interface Settings For Arp Inspection

    Chapter 12 | Security Measures ARP Inspection Configuring Interface Settings for ARP Inspection Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. Parameters These parameters are displayed: ◆...
  • Page 330: Displaying Arp Inspection Statistics

    Chapter 12 | Security Measures ARP Inspection Displaying ARP Inspection Statistics Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. Parameters These parameters are displayed: Table 18: ARP Inspection Statistics Parameter Description...
  • Page 331: Displaying The Arp Inspection Log

    Chapter 12 | Security Measures ARP Inspection Figure 206: Displaying Statistics for ARP Inspection Displaying the ARP Inspection Log Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
  • Page 332: Figure 207: Displaying The Arp Inspection Log

    Chapter 12 | Security Measures ARP Inspection Figure 207: Displaying the ARP Inspection Log
  • Page 333: Basic Administration Protocols

    Basic Administration Protocols This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 334: Configuring Event Logging

    Chapter 13 | Basic Administration Protocols Configuring Event Logging Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 335: Figure 208: Configuring Settings For System Memory Logs

    Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level.
  • Page 336: Remote Log Configuration

    Chapter 13 | Basic Administration Protocols Configuring Event Logging Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory. This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM;...
  • Page 337: Sending Simple Mail Transfer Protocol Alerts

    Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ Server IP Address – Specifies the IPv4 or IPv6 address of a remote server which will be sent syslog messages. ◆ Port - Specifies the UDP port number used by the remote server. (Range: 1-65535;...
  • Page 338: Figure 211: Configuring Smtp Alert Messages

    Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ Email Source Address – Sets the email address used for the “From” field in alert messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. (Range: 1-41 characters) ◆...
  • Page 339: Link Layer Discovery Protocol

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 340 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval ◆ Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down.
  • Page 341: Configuring Lldp Interface Attributes

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 212: Configuring LLDP Timing Attributes Configuring LLDP Interface Attributes Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
  • Page 342 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. ■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  • Page 343 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 147). (Default: Enabled) ■ VLAN Name –...
  • Page 344 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type. Country –...
  • Page 345: Configuring Lldp Interface Civic-Address

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 213: Configuring LLDP Interface Attributes Configuring LLDP Interface Civic-Address Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface. Command Usage ◆...
  • Page 346: Figure 214: Configuring The Civic Address For An Lldp Interface

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol (Continued) Table 21: LLDP MED Location CA Types CA Type Description CA Value Example Landmark or vanity address Tech Center Unit (apartment, suite) Apt 519 Floor Room 509B ◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
  • Page 347: Displaying Lldp Local Device Information

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol To show the physical location of the attached device: Click Administration, LLDP. Select Configure Interface from the Step list. Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list. Figure 215: Showing the Civic Address for an LLDP Interface Displaying LLDP Use the Administration >...
  • Page 348: Table 23: System Capabilities

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. ◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information”...
  • Page 349: Table 24: Port Id Subtype

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
  • Page 350: Figure 216: Displaying Local Device Information For Lldp (General)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 216: Displaying Local Device Information for LLDP (General) Figure 217: Displaying Local Device Information for LLDP (Port) Figure 218: Displaying Local Device Information for LLDP (Port Details)
  • Page 351: Displaying Lldp Remote Device Information

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Displaying LLDP Remote Device Information Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
  • Page 352: Table 25: Remote Port Auto-Negotiation Advertised Capability

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 23, "System Capabilities," on page 348.) ◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled.
  • Page 353 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol (Continued) Table 25: Remote Port Auto-Negotiation Advertised Capability Capability 100BASE-TX full duplex mode 100BASE-T2 half duplex mode 100BASE-T2 full duplex mode PAUSE for full-duplex links Asymmetric PAUSE for full-duplex links Symmetric PAUSE for full-duplex links Asymmetric and Symmetric PAUSE for full-duplex links 1000BASE-X, -LX, -SX, -CX half duplex mode...
  • Page 354 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Port Details – 802.3 Extension Trunk Information ◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation. ◆...
  • Page 355 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Port Details – Network Policy ◆ Application Type – The primary application(s) defined for this network policy: ■ Voice ■ Voice Signaling ■ Guest Signaling ■ Guest Voice Signaling ■ Softphone Voice...
  • Page 356 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America. ◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US) ◆...
  • Page 357: Figure 219: Displaying Remote Device Information For Lldp (Port)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Web Interface To display LLDP information for a remote port: Click Administration, LLDP. Select Show Remote Device Information from the Step list. Select Port, Port Details, Trunk, or Trunk Details. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
  • Page 358: Figure 220: Displaying Remote Device Information For Lldp (Port Details)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 220: Displaying Remote Device Information for LLDP (Port Details)
  • Page 359: Displaying Device Statistics

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 221: Displaying Remote Device Information for LLDP (End Node) Displaying Device Statistics Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 360 Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources. ◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
  • Page 361: Figure 222: Displaying Lldp Device Statistics (General)

    Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 222: Displaying LLDP Device Statistics (General) Figure 223: Displaying LLDP Device Statistics (Port)
  • Page 362: Simple Network Management Protocol

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 363: Table 26: Snmpv3 Security Models And Levels

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 26: SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only...
  • Page 364: Configuring Global Settings For Snmp

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters. Use the Administration >...
  • Page 365: Setting The Local Engine Id

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting the Local Engine ID Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch.
  • Page 366: Specifying A Remote Engine Id

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Specifying a Remote Engine ID Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 367: Setting Snmpv3 Views

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the remote SNMP engine IDs: Click Administration, SNMP. Select Configure Engine from the Step list. Select Show Remote Engine from the Action list. Figure 227: Showing Remote Engine IDs for SNMP Setting SNMPv3 Views Use the Administration >...
  • Page 368: Figure 228: Creating An Snmp View

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure an SNMP view of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Add View from the Action list. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view.
  • Page 369: Figure 230: Adding An Oid Subtree To An Snmp View

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To add an object identifier to an existing SNMP view of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Add OID Subtree from the Action list. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
  • Page 370: Configuring Snmpv3 Groups

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Configuring SNMPv3 Groups Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views.
  • Page 371: Table 27: Supported Notification Messages

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 27: Supported Notification Messages Model Level Group RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its...
  • Page 372 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol (Continued) Table 27: Supported Notification Messages Model Level Group Private Traps swPowerStatusChangeTrap 1.3.6.1.4.1.22426.44.2.1.0.1 This trap is sent when the power state changes. swPortSecurityTrap 1.3.6.1.4.1.22426.44.2.1.0.36 This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
  • Page 373 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol (Continued) Table 27: Supported Notification Messages Model Level Group swCpuUtiFallingNotification 1.3.6.1.4.1.22426.44.2.1.0.108 This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold. swMemoryUtiRisingThresholdNotification 1.3.6.1.4.1.22426.44.2.1.0.109 This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to...
  • Page 374: Figure 232: Creating An Snmp Group

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
  • Page 375: Setting Community Access Strings

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting Community Access Strings Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
  • Page 376: Configuring Local Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the community access strings: Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list. Figure 235: Showing Community Access Strings Configuring Use the Administration >...
  • Page 377 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required.
  • Page 378: Figure 236: Configuring Local Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 236: Configuring Local SNMPv3 Users To show local SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list. Figure 237: Showing Local SNMPv3 Users To change a local SNMPv3 user group: Click Administration, SNMP.
  • Page 379: Configuring Remote Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Click Apply Figure 238: Changing a Local SNMPv3 User Group Configuring Remote SNMPv3 Users Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 380 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required.
  • Page 381: Figure 239: Configuring Remote Snmpv3 Users

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 239: Configuring Remote SNMPv3 Users To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 240: Showing Remote SNMPv3 Users
  • Page 382: Specifying Trap Managers

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Specifying Trap Managers Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers.
  • Page 383 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive) Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User –...
  • Page 384 Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) ■ Timeout – The number of seconds to wait for an acknowledgment...
  • Page 385: Figure 241: Configuring Trap Managers (Snmpv1)

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Click Apply Figure 241: Configuring Trap Managers (SNMPv1) Figure 242: Configuring Trap Managers (SNMPv2c) Figure 243: Configuring Trap Managers (SNMPv3)
  • Page 386: Creating Snmp Notification Logs

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 244: Showing Trap Managers Creating SNMP Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
  • Page 387: Figure 245: Creating Snmp Notification Logs

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 382, a default notify filter will be created. Parameters These parameters are displayed: ◆...
  • Page 388: Showing Snmp Statistics

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 246: Showing SNMP Notification Logs Showing SNMP Statistics Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units. Parameters The following counters are displayed: ◆...
  • Page 389: Figure 247: Showing Snmp Statistics

    Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ SNMP packets output – The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service. ◆ Too big errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig.”...
  • Page 390: Remote Monitoring

    Chapter 13 | Basic Administration Protocols Remote Monitoring Remote Monitoring Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 391 Chapter 13 | Basic Administration Protocols Remote Monitoring ◆ Sample Type – Tests for absolute or relative changes in the specified variable. ■ Absolute – The variable is compared directly to the thresholds at the end of the sampling period. ■ Delta –...
  • Page 392: Figure 248: Configuring An Rmon Alarm

    Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 248: Configuring an RMON Alarm To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 249: Showing Configured RMON Alarms
  • Page 393: Configuring Rmon Events

    Chapter 13 | Basic Administration Protocols Remote Monitoring Configuring RMON Events Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
  • Page 394: Figure 250: Configuring An Rmon Event

    Chapter 13 | Basic Administration Protocols Remote Monitoring Web Interface To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 395: Configuring Rmon History Samples

    Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 251: Showing Configured RMON Events Configuring RMON History Samples Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.
  • Page 396: Figure 252: Configuring An Rmon History Sample

    Chapter 13 | Basic Administration Protocols Remote Monitoring ◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds) ◆ Buckets - The number of buckets requested for this entry. (Range: 1-65536; Default: 8) The number of buckets granted are displayed on the Show page. ◆...
  • Page 397: Figure 253: Showing Configured Rmon History Samples

    Chapter 13 | Basic Administration Protocols Remote Monitoring Select a port from the list. Click History. Figure 253: Showing Configured RMON History Samples To show collected RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list.
  • Page 398: Configuring Rmon Statistical Samples

    Chapter 13 | Basic Administration Protocols Remote Monitoring Configuring RMON Statistical Samples Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates. Command Usage ◆...
  • Page 399: Figure 255: Configuring An Rmon Statistical Sample

    Chapter 13 | Basic Administration Protocols Remote Monitoring Figure 255: Configuring an RMON Statistical Sample To show configured RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click Statistics.
  • Page 400: Switch Clustering

    Chapter 13 | Basic Administration Protocols Switch Clustering Figure 257: Showing Collected RMON Statistical Samples Switch Clustering Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 401: Configuring General Settings For Clusters

    Chapter 13 | Basic Administration Protocols Switch Clustering ◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN: Create VLAN 4093 (see “Configuring VLAN Groups” on page 149). Add the participating ports to this VLAN (see “Adding Static Members to VLANs”...
  • Page 402: Cluster Member Configuration

    Chapter 13 | Basic Administration Protocols Switch Clustering Web Interface To configure a switch cluster: Click Administration, Cluster. Select Configure Global from the Step list. Set the required attributes for a Commander or a managed candidate. Click Apply Figure 258: Configuring a Switch Cluster Cluster Member Use the Administration >...
  • Page 403: Figure 259: Configuring A Cluster Members

    Chapter 13 | Basic Administration Protocols Switch Clustering Web Interface To configure cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Add from the Action list. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
  • Page 404: Managing Cluster Members

    Chapter 13 | Basic Administration Protocols Switch Clustering To show cluster candidates: Click Administration, Cluster. Select Configure Member from the Step list. Select Show Candidate from the Action list. Figure 261: Showing Cluster Candidates Managing Cluster Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
  • Page 405: Setting A Time Range

    Chapter 13 | Basic Administration Protocols Setting a Time Range Web Interface To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate. Figure 262: Managing a Cluster Member Setting a Time Range Use the Administration >...
  • Page 406: Figure 263: Setting The Name Of A Time Range

    Chapter 13 | Basic Administration Protocols Setting a Time Range ◆ Mode ■ Absolute – Specifies a specific time or time range. ■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end. ■ Periodic – Specifies a periodic interval...
  • Page 407: Figure 265: Add A Rule To A Time Range

    Chapter 13 | Basic Administration Protocols Setting a Time Range To configure a rule for a time range: Click Administration, Time Range. Select Add Rule from the Action list. Select the name of time range from the drop-down list. Select a mode option of Absolute or Periodic. Fill in the required parameters for the selected mode.
  • Page 408: Ethernet Ring Protection Switching

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Ethernet Ring Protection Switching Note: Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links.
  • Page 409: Figure 267: Erps Ring Components

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching A link/node failure is detected by the nodes adjacent to the failure. These nodes block the failed link and report the failure to the ring using R-APS (SF) messages. This message triggers the RPL owner to unblock the RPL, and all nodes to flush their forwarding database.
  • Page 410: Figure 268: Ring Interconnection Architecture (Multi-Ring/Ladder Network)

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching formed by the ring links of ERP2 and the ring link between the interconnection nodes that is controlled by ERP1. ERP2 is a sub-ring. Ring node A is the RPL owner node for ERP1, and ring node E is the RPL owner node for ERP2.
  • Page 411 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching port connected to the next node in the ring to the east (or clockwise direction) and another port facing west in the ring. Configure the RPL owner (Configure Domain – Configure Details): Configure one node in the ring as the Ring Protection Link (RPL) owner.
  • Page 412: Erps Global Configuration

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ◆ The switch takes about 350 ms to detect link-up on 1000Base-T copper ports, so the convergence time on this port type is more than 50 ms. ◆ One VLAN must be added to an ERPS domain as the CVLAN. This can be designated as any VLAN, other than the management VLAN.
  • Page 413 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching the RPL owner node and non-owner node state machines will start, and the ring will enter the active state. Limitations When configuring a ring port, note that these ports cannot be part of a spanning tree, nor can they be members of a static or dynamic trunk.
  • Page 414 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ◆ Interface – The port or trunk which is configured as a ring port. ◆ Port State – The operational state: Blocking – The transmission and reception of traffic is blocked and the ■...
  • Page 415 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ◆ Version – Specifies compatibility with the following ERPS versions: ■ 1 - ERPS version 1 based on ITU-T G.8032/Y.1344. ■ 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2. (This is the...
  • Page 416 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ■ In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN. ■ Also, the ring ports of the Control VLAN must be tagged...
  • Page 417 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ◆ Revertive – Sets the method of recovery to Idle State through revertive or non-revertive mode. (Default: Enabled) ■ Revertive behavior allows the switch to automatically return the RPL from...
  • Page 418 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ■ Recovery with Non-revertive Mode – In non-revertive operation, the ring does not automatically revert when all ring links and ring nodes have recovered and no external requests are active. Non-revertive operation is handled in the following way: The RPL Owner Node does not generate a response on reception of an R-APS (NR) message.
  • Page 419 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
  • Page 420 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, starts the WTB timer and waits for it to expire. While the WTB timer is running, any latent R-APS (MS) message is ignored due to the higher priority of the WTB running signal.
  • Page 421 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching The ring node identifier is used to identify a node in R-APS messages for both automatic and manual switching recovery operations. For example, a node that has one ring port in SF condition and detects that the condition has been cleared, will continuously transmit R-APS (NR) messages with its own Node ID as priority information over both ring ports, informing its neighbors that no request is present at this node.
  • Page 422: Figure 270: Sub-Ring With Virtual Channel

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Figure 270: Sub-ring with Virtual Channel (figure labels: Interconnection Node, RPL Port, Ring Node, Major Ring, Sub-ring with Virtual Channel, Virtual Channel) ■ Sub-ring without R-APS Virtual Channel – Under certain circumstances it...
  • Page 423: Figure 272: Non-Erps Device Protection

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching If this command is disabled, the following strings are used as the node identifier: ■ ERPSv1: 01-19-A7-00-00-01 ■ ERPSv2: 01-19-A7-00-00-[Ring ID] ◆ Propagate TC – Enables propagation of topology change messages from a secondary ring to the primary ring.
  • Page 424 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ■ When non-ERPS device protection is enabled on an RPL owner node, it will send non-standard health-check packets to poll the ring health when it enters the protection state. It does not use the normal procedure of waiting to receive an R-APS (NR - no request) message from nodes adjacent to the recovered link.
  • Page 425 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching This is enough time to allow a reporting ring node to transmit two R-APS messages and allow the ring to identify the latent condition. This delay timer is activated on the RPL owner node. When the relevant delay timer expires, the RPL owner node initiates the reversion process by transmitting an R-APS (NR, RB) message.
  • Page 426: Figure 273: Creating An Erps Ring

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching ◆ Local FS – Shows if a forced switch command was issued on this interface. ◆ Local MS – Shows if a manual switch command was issued on this interface. ◆...
  • Page 427: Figure 274: Creating An Erps Ring

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching To configure the ERPS parameters for a ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Details from the Action list. Configure the ERPS parameters for this node. Note that spanning tree protocol cannot be configured on the ring ports, nor can these ports be members of a static or dynamic trunk.
  • Page 428: Erps Forced And Manual Mode Operations

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 275: Showing Configured ERPS Rings ERPS Forced and Manual Mode Operations Use the Administration >...
  • Page 429: Table 28: Erps Request/State Priority

    Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching A ring node accepting an R-APS (FS) message, without any local higher priority requests unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL. The ring node accepting an R-APS (FS) message, without any local higher priority requests stops transmission of R-APS messages.
  • Page 430 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching Table 28: ERPS Request/State Priority (Continued). Columns: Request / State and Status, Type, Priority. Rows: R-APS (NR, RB), remote; R-APS (NR), remote, lowest. If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored. ■ Recovery for forced switching under revertive and non-revertive...
  • Page 431 Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching not have an SF condition. This action subsequently unblocks the traffic channel over the RPL. A ring node accepting an R-APS (MS) message, without any local higher priority requests stops transmitting R-APS messages. A ring node receiving an R-APS (MS) message flushes its FDB.
  • Page 432: Lbd Configuration

    Chapter 13 | Basic Administration Protocols LBD Configuration Web Interface To block a ring port: Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Operation from the Action list. Select the domain name from the drop-down list. Specify a Forced Switch, Manual Switch, or Clear operation.
  • Page 433: Configuring Global Settings For Lbd

    Chapter 13 | Basic Administration Protocols LBD Configuration ◆ Loopback detection must be enabled both globally and on an interface for loopback detection to take effect. Configuring Global Settings for LBD Use the Administration > LBD (Configure Global) page to enable loopback detection globally, specify the interval at which to transmit control frames, the interval to wait before releasing an interface from shutdown state, the response to a detected loopback, and the traps to send.
  • Page 434: Figure 277: Configuring Global Settings For Lbd

    Chapter 13 | Basic Administration Protocols LBD Configuration When the loopback detection response is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time. ◆ Trap – Sends a trap when a loopback condition is detected, or when the switch recovers from a loopback condition.
  • Page 435: Configuring Interface Settings For Lbd

    Chapter 13 | Basic Administration Protocols LBD Configuration Configuring Interface Settings for LBD Use the Administration > LBD (Configure Interface) page to enable loopback detection on an interface, to display the loopback operational state, and the VLANs which are looped back. Parameters These parameters are displayed: ◆...
  • Page 436 Chapter 13 | Basic Administration Protocols LBD Configuration
  • Page 437: Multicast Filtering

    Multicast Filtering This chapter describes how to configure the following multicast services: ◆ IGMP Snooping – Configures snooping and query parameters. ◆ Filtering and Throttling – Filters specified multicast service, or throttles the maximum of multicast groups allowed on an interface. ◆...
  • Page 438: Layer 2 Igmp (Snooping And Query For Ipv4)

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router.
  • Page 439 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) forwarded from any source except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources. Note: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of...
  • Page 440: Configuring Igmp Snooping And Query Parameters

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Configuring IGMP Snooping and Query Parameters Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 441 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
  • Page 442 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) multicast router receives this solicitation, it immediately issues an IGMP general query. A query solicitation can be sent whenever the switch notices a topology change, even if it is not the root bridge in spanning tree. ◆...
  • Page 443: Figure 280: Configuring General Settings For Igmp Snooping

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Router Port Expire Time – The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535, Recommended Range: 300-500 seconds, Default: 300) ◆...
  • Page 444: Specifying Static Interfaces For A Multicast Router

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Specifying Static Interfaces for a Multicast Router Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
  • Page 445: Figure 281: Configuring A Static Interface For A Multicast Router

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Web Interface To specify a static interface attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Add Static Multicast Router from the Action list. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
  • Page 446: Assigning Interfaces To Multicast Services

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch. To show all the interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router.
  • Page 447: Figure 284: Assigning An Interface To A Multicast Service

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Multicast IP – The IP address for a specific multicast service. Web Interface To statically assign an interface to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Add Static Member from the Action list.
  • Page 448: Setting Igmp Snooping Status Per Interface

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 285: Showing Static Interfaces Assigned to a Multicast Service Setting IGMP Snooping Status per Interface Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters”...
  • Page 449 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the occurrence of these events: ■ Upon the expiration of a periodic (randomized) timer. ...
  • Page 450 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. ◆...
  • Page 451 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service. ◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting. (Options: Enabled, Disabled, Using Global Status;...
  • Page 452 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Query Response Interval – The maximum time the system waits for a response to general queries. (Range: 10-31740 tenths of a second in multiples of 10; Default: 10 seconds) This attribute applies when the switch is serving as the querier (page 440), or as...
  • Page 453: Figure 286: Configuring Igmp Snooping On A Vlan

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Select the VLAN to configure and update the required parameters. Click Apply. Figure 286: Configuring IGMP Snooping on a VLAN To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface.
  • Page 454: Filtering Igmp Query Packets And Multicast Data

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Filtering IGMP Query Packets and Multicast Data Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets. Parameters These parameters are displayed:...
  • Page 455: Displaying Multicast Groups Discovered By Igmp Snooping

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Displaying Multicast Groups Discovered by IGMP Snooping Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. Command Usage To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page...
  • Page 456: Displaying Igmp Snooping Statistics

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Displaying IGMP Snooping Statistics Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface. Parameters These parameters are displayed: ◆...
  • Page 457 Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ V3 Warning Count – The number of times the query version received (Version 3) does not match the version configured for this interface. VLAN, Port, and Trunk Statistics Input Statistics ◆...
  • Page 458: Figure 290: Displaying Igmp Snooping Statistics - Query

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 290: Displaying IGMP Snooping Statistics – Query To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics. Select Show VLAN Statistics from the Action list. Select a VLAN.
  • Page 459: Figure 291: Displaying Igmp Snooping Statistics - Vlan

    Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) Figure 291: Displaying IGMP Snooping Statistics – VLAN To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
  • Page 460: Filtering And Throttling Igmp Groups

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Filtering and Throttling IGMP Groups In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 461: Configuring Igmp Filter Profiles

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Figure 293: Enabling IGMP Filtering and Throttling Configuring IGMP Filter Profiles Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 462: Figure 294: Creating An Igmp Filtering Profile

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Web Interface To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode.
  • Page 463: Configuring Igmp Filtering And Throttling For Interfaces

    Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups Select the profile to configure, and add a multicast group address or range of addresses. Click Apply. Figure 296: Adding Multicast Groups to an IGMP Filtering Profile To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter.
  • Page 464 Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups set to replace, the switch randomly removes an existing group and replaces it with the new multicast group. Parameters These parameters are displayed: ◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk.
  • Page 465: Mld Snooping (Snooping And Query For Ipv6)

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 298: Configuring IGMP Filtering and Throttling Interface Settings MLD Snooping (Snooping and Query for IPv6) Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
  • Page 466 Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address.
  • Page 467: Setting Immediate Leave Status For Mld Snooping Per Interface

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Click Apply. Figure 299: Configuring General Settings for MLD Snooping Setting Immediate Leave Status for MLD Snooping per Interface Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.
  • Page 468: Specifying Static Interfaces For An Ipv6 Multicast Router

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 300: Configuring Immediate Leave for MLD Snooping Specifying Static Interfaces for an IPv6 Multicast Router Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able...
  • Page 469: Figure 301: Configuring A Static Interface For An Ipv6 Multicast Router

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 301: Configuring a Static Interface for an IPv6 Multicast Router To show the static interfaces attached to a multicast router: Click Multicast, MLD Snooping, Multicast Router. Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 470: Assigning Interfaces To Ipv6 Multicast Services

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Assigning Interfaces to IPv6 Multicast Services Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see...
  • Page 471: Figure 304: Assigning An Interface To An Ipv6 Multicast Service

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 304: Assigning an Interface to an IPv6 Multicast Service To show the static interfaces assigned to an IPv6 multicast service: Click Multicast, MLD Snooping, MLD Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 472: Showing Mld Snooping Groups And Source List

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 306: Showing Current Interfaces Assigned to an IPv6 Multicast Service Showing MLD Snooping Groups and Source List Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
  • Page 473: Displaying Mld Snooping Statistics

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Web Interface To display known MLD multicast groups: Click Multicast, MLD Snooping, Group Information. Select the port or trunk, and then select a multicast service assigned to that interface.
  • Page 474 Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) ◆ Join Success – The number of times a multicast group was successfully joined. ◆ Group – The number of MLD groups active on this interface. Output Same as input parameters listed above, except that the direction of transmission is outbound.
  • Page 475 Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Physical Interface (Port/Trunk) ◆ Querier Transmit ■ General – The number of general queries sent from this interface. ■ Group Specific – The number of group specific queries sent from this ■...
  • Page 476 Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) ■ Other Expire – Time after which remote querier is assumed to have expired. ■ Self Addr – IPv6 address of local querier on this interface. ■ Self Expire – Time after which local querier is assumed to have expired. ...
  • Page 477: Figure 308: Displaying Mld Snooping Statistics - Input

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Web Interface To display MLD snooping input-related message statistics: Click Multicast, MLD Snooping, Statistics. Select Input. Figure 308: Displaying MLD Snooping Statistics – Input To display MLD snooping output-related message statistics: Click Multicast, MLD Snooping, Statistics.
  • Page 478: Figure 310: Displaying Mld Snooping Statistics - Query

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) To display MLD query message statistics: Click Multicast, MLD Snooping, Statistics. Select Query. Figure 310: Displaying MLD Snooping Statistics – Query
  • Page 479: Figure 311: Displaying Mld Snooping Statistics - Summary (Port/Trunk)

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) To display MLD summary statistics for a port or trunk: Click Multicast, MLD Snooping, Statistics. Select Summary. Select a port or trunk. Figure 311: Displaying MLD Snooping Statistics – Summary (Port/Trunk)
  • Page 480: Figure 312: Displaying Mld Snooping Statistics - Summary (Vlan)

    Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) To display MLD summary statistics for a VLAN: Click Multicast, MLD Snooping, Statistics. Select Summary. Select a VLAN. Figure 312: Displaying MLD Snooping Statistics – Summary (VLAN)
  • Page 481: Filtering And Throttling Mld Groups

    Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups To clear MLD statistics: Click Multicast, MLD Snooping, Statistics. Select Clear. Select All or enter the required interface. Click Clear. Figure 313: Clearing MLD Snooping Statistics Filtering and Throttling MLD Groups In certain switch applications, the administrator may want to control the multicast services that are available to end users.
  • Page 482: Enabling Mld Filtering And Throttling

    Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups Enabling MLD Filtering and Throttling Use the Multicast > MLD Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch. Parameters These parameters are displayed: ◆...
  • Page 483: Figure 315: Creating An Mld Filtering Profile

    Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are only processed when the multicast group is not in the controlled range.
  • Page 484: Figure 316: Showing The Mld Filtering Profiles Created

    Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups Figure 316: Showing the MLD Filtering Profiles Created To add a range of multicast groups to an MLD filter profile: Click Multicast, MLD Snooping, Filter. Select Configure Profile from the Step list. Select Add Multicast Group Range from the Action list.
  • Page 485: Configuring Mld Filtering And Throttling For Interfaces

    Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups To show the multicast groups configured for an MLD filter profile: Click Multicast, MLD Snooping, Filter. Select Configure Profile from the Step list. Select Show Multicast Group Range from the Action list. Select the profile for which to display this information.
  • Page 486: Filtering Mld Query Packets On An Interface

    Chapter 14 | Multicast Filtering Filtering MLD Query Packets on an Interface ◆ Current Multicast Groups – Displays the current multicast groups the interface has joined. ◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded.
  • Page 487: Figure 320: Dropping Mld Query Packets

    Chapter 14 | Multicast Filtering Filtering MLD Query Packets on an Interface This feature can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.
  • Page 488 Chapter 14 | Multicast Filtering Filtering MLD Query Packets on an Interface
  • Page 489: Ip Tools

    IP Tools This chapter provides information on network functions including: ◆ Ping – Sends ping message to another node on the network. ◆ Trace Route – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol –...
  • Page 490: Figure 321: Pinging A Network Device

    Chapter 15 | IP Tools Using the Ping Function ■ Network or host unreachable - The gateway found no corresponding entry in the route table. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
  • Page 491: Using The Trace Route Function

    Chapter 15 | IP Tools Using the Trace Route Function Using the Trace Route Function Use the Tools > Trace Route page to show the route packets take to the specified destination. Parameters These parameters are displayed: ◆ Destination IP Address – Alias or IPv4/IPv6 address of the host. ◆...
  • Page 492: Address Resolution Protocol

    Chapter 15 | IP Tools Address Resolution Protocol Figure 322: Tracing the Route to a Network Device Address Resolution Protocol If IP routing is enabled (page 673), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next.
  • Page 493: Basic Arp Configuration

    Chapter 15 | IP Tools Address Resolution Protocol cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the router will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request.
  • Page 494: Configuring Static Arp Addresses

    Chapter 15 | IP Tools Address Resolution Protocol Web Interface To configure the timeout for the ARP cache or to enable Proxy ARP for a VLAN (i.e., IP subnetwork): Click Tools, ARP. Select Configure General from the Step List. Enable Proxy ARP for subnetworks that do not have routing or a default gateway.
  • Page 495: Figure 325: Configuring Static Arp Entries

    Chapter 15 | IP Tools Address Resolution Protocol Parameters These parameters are displayed: ◆ IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.) ◆ MAC Address –...
  • Page 496: Displaying Dynamic Or Local Arp Entries

    Chapter 15 | IP Tools Address Resolution Protocol Figure 326: Displaying Static ARP Entries Displaying Dynamic or Local ARP Entries Use the Tools > ARP page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses.
  • Page 497: Displaying Arp Statistics

    Chapter 15 | IP Tools Address Resolution Protocol Displaying ARP Statistics Use the Tools > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this switch. Parameters These parameters are displayed: Table 30: ARP Statistics Parameter Description Received Request...
  • Page 498 Chapter 15 | IP Tools Address Resolution Protocol
  • Page 499: Ip Configuration

    IP Configuration This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server.
  • Page 500 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4) Command Usage ◆ This section describes how to configure a single local interface for initial access to the switch. To configure multiple IP interfaces, set up an IP interface for each VLAN.
  • Page 501: Figure 329: Configuring A Static Ipv4 Address

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4) ◆ Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: None) ◆ Restart DHCP – Requests a new IP address from the DHCP server. Web Interface To set a static IPv4 address for the switch: Click IP, General, Routing Interface.
  • Page 502: Figure 330: Configuring A Dynamic Ipv4 Address

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4) IP will be enabled but will not function until a BOOTP or DHCP reply is received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
  • Page 503: Setting The Switch's Ip Address (Ip Version 6)

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Figure 331: Showing the Configured IPv4 Address for an Interface Setting the Switch’s IP Address (IP Version 6) This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
  • Page 504: Configuring Ipv6 Interface Settings

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) ■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. ■ An IPv6 address must be configured according to RFC 2373 “IPv6...
  • Page 505 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors. The key parameters used to facilitate this process are the number of attempts made to verify whether or not a duplicate address exists on the same network segment, and the interval between neighbor solicitations used to verify reachability information.
  • Page 506 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) ■ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device. This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known.
  • Page 507 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) neighbor. Therefore, avoid using very short intervals for normal IPv6 operations. When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself. ◆...
  • Page 508: Figure 333: Configuring General Settings For An Ipv6 Interface

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) This combination is known as DHCPv6 stateless autoconfiguration, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings. Web Interface To configure general IPv6 settings for the switch: Click IP, IPv6 Configuration.
  • Page 509: Configuring An Ipv6 Address

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Configuring an IPv6 Address Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
  • Page 510 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Parameters These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1.
  • Page 511: Showing Ipv6 Addresses

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) ■ Link Local – Configures an IPv6 link-local address. ■ The address prefix must be in the range of FE80~FEBF. ■ You can configure only one link-local address per interface. ...
  • Page 512: Figure 335: Showing Configured Ipv6 Addresses

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
  • Page 513: Showing The Ipv6 Neighbor Cache

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Showing the IPv6 Neighbor Cache Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices. Parameters These parameters are displayed: Table 31: Show IPv6 Neighbors - display description Field Description...
  • Page 514: Showing Ipv6 Statistics

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Web Interface To show neighboring IPv6 devices: Click IP, IPv6 Configuration. Select Show IPv6 Neighbors from the Action list. Figure 336: Showing IPv6 Neighbors Showing IPv6 Statistics Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
  • Page 515: Table 32: Show Ipv6 Statistics - Display Description

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Parameters These parameters are displayed: Table 32: Show IPv6 Statistics - display description Field Description IPv6 Statistics IPv6 Received Total The total number of input datagrams received by the interface, including those received in error.
  • Page 516 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 32: Show IPv6 Statistics - display description Field Description IPv6 Transmitted Forwards Datagrams The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
  • Page 517 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) interface. – 517 –...
  • Page 518 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 32: Show IPv6 Statistics - display description Field Description Neighbor Advertisement Messages The number of ICMP Neighbor Advertisement messages received by the interface.
  • Page 519 Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) No Port Errors The total number of received UDP datagrams for which there was no application at the destination port. – 519 –...
  • Page 520: Figure 337: Showing Ipv6 Statistics (Ipv6)

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) (Continued) Table 32: Show IPv6 Statistics - display description Field Description Other Errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port. Output The total number of UDP datagrams sent from this entity.
  • Page 521: Figure 338: Showing Ipv6 Statistics (Icmpv6)

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Figure 338: Showing IPv6 Statistics (ICMPv6) Figure 339: Showing IPv6 Statistics (UDP) – 521 –...
  • Page 522: Showing The Mtu For Responding Destinations

    Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) Showing the MTU for Responding Destinations Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 523: General Ip Routing

    General IP Routing This chapter provides information on network functions including: ◆ Static Routes – Configures static routes to other network segments. ◆ Routing Table – Displays routing entries learned through statically configured entries. Overview This switch supports IP routing and routing path management via static routing definitions.
  • Page 524: Ip Routing And Switching

    Chapter 17 | General IP Routing IP Routing and Switching Figure 341: Virtual Interfaces and Layer 3 Routing (inter-subnet traffic is Layer 3 switched between VLAN 1 and VLAN 2; intra-subnet traffic is Layer 2 switched) IP Routing and Switching IP Switching (or packet forwarding) encompasses tasks required to forward packets...
  • Page 525: Routing Protocols

    Chapter 17 | General IP Routing IP Routing and Switching If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
  • Page 526: Configuring Static Routes

    Chapter 17 | General IP Routing Configuring Static Routes Configuring Static Routes You can enter static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes may be required to force the use of a specific route to a subnet.
  • Page 527: Figure 342: Configuring Static Routes

    Chapter 17 | General IP Routing Displaying the Routing Table Figure 342: Configuring Static Routes To display static routes: Click IP, Routing, Static Routes. Select Show from the Action List. Figure 343: Displaying Static Routes Displaying the Routing Table Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces through static routes.
  • Page 528: Figure 344: Displaying The Routing Table

    Chapter 17 | General IP Routing Displaying the Routing Table forwarding decision on a particular packet. The typical components within a FIB entry are a network prefix, a router (i.e., VLAN) interface, and next hop information. ◆ The Routing Table (and the “show ip route” command described in the CLI Reference Guide) only display routes which are currently accessible for forwarding.
  • Page 529: Ip Services

    IP Services This chapter describes the following IP services: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ Multicast DNS – Configures multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
  • Page 530: Configuring A List Of Domain Names

    Chapter 18 | IP Services Domain Name Service Parameters These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 531: Figure 346: Configuring A List Of Domain Names For Dns

    Chapter 18 | IP Services Domain Name Service ◆ If all name servers are deleted, DNS will automatically be disabled. Parameters These parameters are displayed: Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name.
  • Page 532: Figure 348: Configuring A List Of Name Servers For Dns

    Chapter 18 | IP Services Domain Name Service Configuring a List of Name Servers Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. Command Usage ◆...
  • Page 533: Configuring Static Dns Host To Address Entries

    Chapter 18 | IP Services Domain Name Service To show the list of name servers: Click IP Service, DNS. Select Show Name Servers from the Action list. Figure 349: Showing the List of Name Servers for DNS Configuring Static DNS Host to Address Entries Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 534: Displaying The Dns Cache

    Chapter 18 | IP Services Domain Name Service Figure 350: Configuring Static Entries in the DNS Table To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 351: Showing Static Entries in the DNS Table Displaying the DNS Use the IP Service >...
  • Page 535: Figure 352: Showing Entries In The Dns Cache

    Chapter 18 | IP Services Multicast Domain Name Service ◆ TTL – The time to live reported by the name server. ◆ Host – The host name associated with this record. Web Interface To display entries in the DNS cache: Click IP Service, DNS, Cache.
  • Page 536: Dynamic Host Configuration Protocol

    Chapter 18 | IP Services Dynamic Host Configuration Protocol ■ Announcing – The responder sends an unsolicited mDNS Response containing all of its newly registered resource records (both shared records, and unique records that have completed the probing step). ■ Updating – The responder repeats the Announcing step to update...
  • Page 537: Specifying A Dhcp Client Identifier

    Chapter 18 | IP Services Dynamic Host Configuration Protocol Specifying a DHCP Client Identifier Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface. Command Usage ◆ The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
  • Page 538: Enabling Dhcp Dynamic Provision

    Chapter 18 | IP Services Dynamic Host Configuration Protocol ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: ■ Default – The default string is the model number. ■ Text – A text string. (Range: 1-32 characters)...
  • Page 539: Figure 356: Configuring Dhcp Relay Service

    Chapter 18 | IP Services Dynamic Host Configuration Protocol Command Usage ◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server.
  • Page 540: Figure 357: Enabling Dynamic Provisioning Via Dhcp

    Chapter 18 | IP Services Dynamic Host Configuration Protocol Enabling DHCP Dynamic Provision Use the IP Service > DHCP > Dynamic Provision to enable dynamic provisioning via DHCP. Command Usage DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.
  • Page 541: Appendices

    Appendices This section provides additional information and includes these items: ◆ “Software Specifications” on page 541 ◆ “Troubleshooting” on page 545 ◆ “License Information” on page 547 – 539 –...
  • Page 542 Section III | Appendices – 540 –...
  • Page 543: Software Features

    Software Specifications Software Features Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter. General Security Measures: Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard. Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LHX/ZX: 1000 Mbps at full duplex (SFP). Flow Control...
  • Page 544: Management Features

    Appendix A | Software Specifications Management Features VLAN Support Up to 4094 groups; port-based, protocol-based, tagged (802.1Q), voice VLANs, MAC-based, QinQ tunnel Class of Service Supports four levels of priority Strict, Weighted Round Robin (WRR), or a combination of strict and weighted queueing Layer 3/4 priority mapping: IP DSCP Quality of Service DiffServ...
  • Page 545: Standards

    Appendix A | Software Specifications Standards Standards IEEE 802.1AB Link Layer Discovery Protocol IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802.1p Priority tags IEEE 802.1Q VLAN IEEE 802.1v Protocol-based VLANs IEEE 802.1X Port Authentication IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet...
  • Page 546 Appendix A | Software Specifications Management Information Bases Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP MIB (RFC 2011) IP Forwarding Table MIB (RFC 2096)
  • Page 547: Troubleshooting

    Troubleshooting Problems Accessing the Management Interface Table 36: Troubleshooting Chart Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: ◆ Be sure the switch is powered on. ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable.
  • Page 548: Using System Logs

    Appendix B | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 549: License Information

    License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 550 Appendix C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 551 Appendix C | License Information The GNU General Public License Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
  • Page 552 Appendix C | License Information The GNU General Public License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 553 Glossary Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 554 Glossary DiffServ Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
  • Page 555 Glossary ICMP Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
  • Page 556: Ip Multicast Filtering

    Glossary IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
  • Page 557 Glossary Management Information Base. An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
  • Page 558 Glossary RADIUS Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network. RMON Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
  • Page 559 Glossary TFTP Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads. User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
  • Page 560 Glossary – 558 –...
