IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.
Table of Contents
Contents Overview
Table of Contents
Part I: User’s Guide
Chapter 1 Getting to Know Your Switch
1.1 Introduction
1.2 Data Center Bridging (DCB)
1.2.1 PFC, ETS, and DCBX Standards
1.2.2 DCB Configuration
1.3 Bridging Example
1.4 High Performance Switching Example...
Chapter 3 Switch Hardware Overview
3.1 Front Panel Connections
3.1.1 (Q)SFP+ Transceiver Slots
3.2 Rear Panel
3.2.1 Power Connection
3.3 Switch LEDs
Chapter 4 The Web Configurator
4.1 Introduction
4.2 System Login
4.3 The Web Configurator Layout
4.3.1 Change Your Password...
7.1 Introduction to IEEE 802.1Q Tagged VLANs
7.1.1 Forwarding Tagged and Untagged Frames
7.2 Automatic VLAN Registration
7.2.1 GARP
7.2.2 GVRP
7.3 Port VLAN Trunking
7.4 Select the VLAN Type
7.5 802.1Q Static VLAN
7.5.1 VLAN Status
7.5.2 VLAN Details...
11.5 Rapid Spanning Tree Protocol Status
11.6 Configure Multiple Rapid Spanning Tree Protocol
11.7 Multiple Rapid Spanning Tree Protocol Status
11.8 Configure Multiple Spanning Tree Protocol
11.8.1 Multiple Spanning Tree Protocol Port Configuration
11.9 Multiple Spanning Tree Protocol Status
Chapter 12...
17.1 About Port Security
17.2 Port Security Setup
17.3 VLAN MAC Address Limit
Chapter 18 Classifier
18.1 About the Classifier and QoS
18.2 Configuring the Classifier
18.3 Viewing and Editing Classifier Configuration
18.4 Classifier Example
Chapter 19 Policy Rule...
22.1.2 IGMP Filtering
22.1.3 IGMP Snooping
22.1.4 IGMP Snooping and VLANs
22.2 Multicast Status
22.3 Multicast Setting
22.4 IGMP Snooping VLAN
22.5 IGMP Filtering Profile
22.6 MVR Overview
22.6.1 Types of MVR Ports
22.6.2 MVR Modes
22.6.3 How MVR Works
22.7 General MVR Configuration...
Chapter 1 Getting to Know Your Switch
This chapter introduces the main features and applications of the Switch.
1.1 Introduction
This is a high-speed, layer-2, enhanced Ethernet switch with FCoE (Fiber Channel over Ethernet) and DCB (Data Center Bridging) features. The Switch comes with: •...
The following table explains the acronyms in the graphic.
Table 1 DCB Graphic Key
LABEL | DESCRIPTION
Enhanced Ethernet Switch
LLAN | Legacy Local Area Network (Ethernet)
ELAN | Enhanced LAN (Ethernet & FCoE)
Fiber Channel Forwarder
Storage Access Network
1.2.1 PFC, ETS, and DCBX Standards
DCB may use PFC, ETS, application priority and DCBX to adapt to the FCoE.
• PFC (Priority-based Flow Control, IEEE 802.1Qbb-2011) is a flow control mechanism that uses a PAUSE frame to suspend traffic of a certain priority rather than drop it when there is network congestion (lossless).
• 0, 1 and 2 to traffic class 2 (LAN)
• 3, 4, 5 and 6 to ID 1 (SAN)
• 7 to 0, the default traffic class.
If there is network congestion, bandwidth can be allocated based on the priority of the traffic received on that port.
• Set PFC to auto (Willing = True) if you want the Switch to accept PFC priority configuration from another switch.
In the following example, switch A sends its LLDP PDU with PFC TLV, local priorities 3, 4, 5 and auto (Willing field is set to true, meaning it is willing to accept PFC priorities from the peer).
1.4 High Performance Switching Example
The Switch is ideal for connecting two geographically dispersed networks that need high bandwidth. In the following example, a company uses the optional 10 Gigabit uplink modules to connect the headquarters to a branch office network.
Shared resources such as a server can be used by all ports in the same VLAN as the server. In the following figure only ports that need access to the server need to be part of VLAN 1. Ports can belong to other VLAN groups too.
• SNMP. The device can be monitored and/or managed by an SNMP manager. See Section 36.3 on page 276.
1.8 Good Habits for Managing the Switch
Do the following things regularly to make the Switch more secure and to manage the Switch more effectively.
Chapter 2 Tutorials
This chapter provides some examples of using the web configurator to set up and use the Switch. The tutorials include:
• How to Use DHCP Snooping on the Switch
• How to Use DHCP Relay on the Switch
•...
Access the Switch from the MGMT port through http://192.168.0.1 by default. Log into the Switch by entering the username (default: admin) and password (default: 1234). Go to Advanced Application > VLAN > Static VLAN, and create a VLAN with ID of 100. Add ports 5, 6 and 7 in the VLAN by selecting Fixed in the Control field as shown.
Go to Advanced Application > IP Source Guard > DHCP snooping > Configure, activate and specify VLAN 100 as the DHCP VLAN as shown. Click Apply. Click the Port link at the top right corner. The DHCP Snooping Port Configure screen appears. Select Trusted in the Server Trusted state field for port 5 because the DHCP server is connected to port 5.
Go to Advanced Application > IP Source Guard > DHCP snooping > Configure > VLAN, show VLAN 100 by entering 100 in the Start VID and End VID fields and click Apply. Then select Yes in the Enabled field of the VLAN 100 entry shown at the bottom section of the screen. If you want to add more information in the DHCP request packets such as source VLAN ID or system name, you can also select the Option82 and Information fields in the entry.
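The trusted/untrusted decision this tutorial configures (DHCP VLAN 100, DHCP server on trusted port 5), sketched as a small Python model. This is an added example, not the Switch's firmware or code from this guide; the second server on port 7, the addresses, the MAC address and the binding-table rules are assumptions based on how DHCP snooping generally works.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53, RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_TYPES = {OFFER, ACK, NAK}  # only a DHCP server should send these


@dataclass(frozen=True)
class DhcpFrame:
    port: int          # ingress switch port
    vlan: int
    msg_type: int
    client_mac: str    # chaddr field of the DHCP message
    yiaddr: str = ""   # address being handed out (OFFER/ACK)
    lease_s: int = 0


@dataclass
class Snooper:
    dhcp_vlans: set      # VLANs with snooping enabled (100 in the tutorial)
    trusted_ports: set   # ports where a DHCP server is expected (5)
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> client port
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> (ip, port, lease)
    drops: list = field(default_factory=list)     # (port, reason) audit trail

    def _drop(self, frame, reason):
        self.drops.append((frame.port, reason))
        return "drop"

    def process(self, frame):
        if frame.vlan not in self.dhcp_vlans:
            return "forward"  # snooping is per VLAN; other VLANs are unfiltered
        key = (frame.vlan, frame.client_mac)

        if frame.msg_type in SERVER_TYPES:
            if frame.port not in self.trusted_ports:
                return self._drop(frame, "server message on untrusted port")
            if frame.msg_type == ACK and key in self.pending:
                # A lease confirmed by the trusted server becomes a binding
                # tied to the port the client asked from.
                self.bindings[key] = (frame.yiaddr, self.pending.pop(key),
                                      frame.lease_s)
            elif frame.msg_type == NAK:
                self.pending.pop(key, None)
            return "forward"

        if frame.msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(key)
            if (bound and bound[1] != frame.port
                    and frame.port not in self.trusted_ports):
                return self._drop(frame, "release/decline from a port that "
                                         "does not hold the binding")
            self.bindings.pop(key, None)
            return "forward"

        # DISCOVER / REQUEST from a client: remember where it came from.
        if frame.port not in self.trusted_ports:
            self.pending[key] = frame.port
        return "forward"


def run_trace():
    """Constructed trace: client on port 6, server on 5, second server on 7."""
    sw = Snooper(dhcp_vlans={100}, trusted_ports={5})
    mac = "00:00:5e:00:53:0a"  # documentation MAC, constructed
    trace = [
        DhcpFrame(6, 100, DISCOVER, mac),
        DhcpFrame(7, 100, OFFER, mac, "192.0.2.66"),      # unauthorised offer
        DhcpFrame(5, 100, OFFER, mac, "192.0.2.10"),
        DhcpFrame(6, 100, REQUEST, mac),
        DhcpFrame(7, 100, ACK, mac, "192.0.2.66", 60),    # unauthorised ack
        DhcpFrame(5, 100, ACK, mac, "192.0.2.10", 3600),
        DhcpFrame(7, 100, RELEASE, mac),                  # wrong port for binding
        DhcpFrame(7, 1, OFFER, mac, "192.0.2.66"),        # VLAN 1 is not snooped
    ]
    verdicts = [sw.process(f) for f in trace]
    return verdicts, sw


if __name__ == "__main__":
    verdicts, sw = run_trace()
    for v in verdicts:
        print(v)
    print("bindings:", sw.bindings)
    print("drops:", sw.drops)
```

The last frame in the trace is forwarded because VLAN 1 is outside the DHCP VLAN range, which is why the tutorial's VLAN step matters as much as the port trust setting.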
2.2.1 DHCP Relay Tutorial Introduction
In this example, you have configured your DHCP server (192.168.2.3) and want to have it assign a specific IP address (say 172.16.1.18) and gateway information to DHCP client A based on the system name, VLAN ID and port number in the DHCP request.
Go to Basic Setting > Switch Setup and set the VLAN type to 802.1Q. Click Apply to save the settings to the run-time memory. Click Advanced Application > VLAN > Static VLAN. In the Static VLAN screen, select ACTIVE, enter a descriptive name (VLAN 102 for example) in the Name field and enter 102 in the VLAN Group ID field.
Click Add to save the settings to the run-time memory. Settings in the run-time memory are lost when the Switch’s power is turned off. Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen.
10 Click Apply to save your changes back to the run-time memory.
11 Click the Save link in the upper right corner of the web configurator to save your configuration permanently.
2.2.3 Configuring DHCP Relay
Follow the steps below to enable DHCP relay on the Switch and allow the Switch to add relay agent information (such as the VLAN ID) to DHCP requests.
Click the Save link in the upper right corner of the web configurator to save your configuration permanently. The DHCP server can then assign a specific IP address based on the DHCP request.
2.2.4 Troubleshooting
Check client A’s IP address. If it did not receive the IP address 172.16.1.18, make sure: Client A is connected to the Switch’s port 2 in VLAN 102.
2.3.1 Configuring Switch A
Click Advanced Application > PPPoE > Intermediate Agent. Select Active then click Apply. Click Port on the top of the screen. Select Untrusted for port 5 and enter userC as Circuit-id and 00134900000A as Remote-id. Select Trusted for port 12 and then leave the other fields empty.
The Intermediate Agent screen appears. Click VLAN on the top of the screen. Enter 1 for both Start VID and End VID since both the Switch and PPPoE server are in VLAN 1 in this example. Click Apply. Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit-id and Remote-id to allow the Switch to add these two strings to frames tagged with VLAN 1 and pass to the PPPoE server.
2.3.2 Configuring Switch B
The example uses an XGS4700-48F as switch B. Click Advanced Application > PPPoE > Intermediate Agent. Select Active then click Apply. Click Port on the top of the screen. Select Trusted for ports 11 and 12 and then click Apply. Then click Intermediate Agent on the top of the screen.
The Intermediate Agent screen appears. Click VLAN on the top of the screen. Enter 1 for both Start VID and End VID. Click Apply. Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit-id and Remote-id to allow the Switch to add these two strings to frames tagged with VLAN 1 and pass to the PPPoE server.
The settings are now complete. If you missed any of the settings above, subscriber C cannot receive an IP address from the PPPoE server. If this happens, check that you followed the steps in this tutorial exactly.
2.4 How to Use Error Disable and Recovery on the Switch
This tutorial shows you how to shut down a port when: •...
Click Advanced Application > Errdisable > CPU Protection, select ARP as the reason, enter 100 as the rate limit (packets per second) for the first entry (port *) to apply the setting to all ports. Then click Apply. Click Advanced Application >...
2.5 Creating a VLAN
VLANs confine broadcast frames to the VLAN group to which the port(s) belong. You can do this with port-based VLAN or tagged static VLAN with fixed port members. In this example, you want to configure port 1 as a member of VLAN 2.
Figure 7 Initial Setup Network Example: VLAN
Click Advanced Application >...
Note: The VLAN Group ID field in this screen and the VID field in the IP Setup screen refer to the same VLAN ID. Since the VLAN2 network is connected to port 1 on the Switch, select Fixed to configure port 1 to be a permanent member of the VLAN only.
2.7 How to Set Up a Guest VLAN
All ports on the Switch are in VLAN 1 by default. Say you enable IEEE 802.1x authentication on ports 1 to 8. Clients that connect to these ports should provide the correct user name and password in order to access the ports.
Go to Basic Setting > Switch Setup and set the VLAN type to 802.1Q. Click Apply to save the settings to the run-time memory. Click Advanced Application > VLAN > Static VLAN. In the Static VLAN screen, select ACTIVE, enter a descriptive name (VLAN 200 for example) in the Name field and enter 200 in the VLAN Group ID field.
Click Add to save the settings to the run-time memory. Settings in the run-time memory are lost when the Switch’s power is turned off. Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen.
10 Click Apply to save your changes back to the run-time memory.
11 Click the Save link in the upper right corner of the web configurator to save your configuration permanently.
2.7.2 Enabling IEEE 802.1x Port Authentication
Follow the steps below to enable port authentication to validate access to ports 1~8 to clients based on a RADIUS server.
Select the first Active checkbox to enable 802.1x authentication on the Switch. Select the Active checkboxes for ports 1 to 8 to turn on 802.1x authentication on the selected ports. Click Apply.
2.7.3 Enabling Guest VLAN
Click the Guest Vlan link in the 802.1x screen.
XS3900-48F User’s Guide...
Select Active and enter the guest VLAN ID (200 in this example) on ports 1, 2 and 3. The Switch puts unauthenticated clients in the specified guest VLAN. Set Host-mode to Multi-Secure to have the Switch authenticate each client that connects to one of these ports, and specify the maximum number of clients that the Switch will authenticate on each of these ports (5 in this example).
Chapter 3 Switch Hardware Overview
This chapter describes the front panel and rear panel of the Switch and shows you how to make the hardware connections.
• See the Module Hardware Installation Guide to see how to install the power and fan modules in the Switch.
Form-Factor Pluggable (SFP) Transceiver MultiSource Agreement (MSA). See the SFF committee’s INF-8074i specification Rev 1.0 for details. You can change transceivers while the Switch is operating. You can use different transceivers to connect to Ethernet switches with different types of fiber-optic connectors. •...
Open the transceiver’s latch (latch styles vary).
Figure 12 Opening the Transceiver’s Latch Example
Pull the transceiver out of the slot.
Figure 13 Transceiver Removal Example
3.2 Rear Panel
The following figures show the rear panel of the Switch. The rear panels contain: •...
Connect the female end of the power cord to the module power socket. Connect the other end of the cord to a power outlet. The power modules can be disconnected from the power source individually. Use the following procedure to disconnect the Switch from a power source.
Chapter 4 The Web Configurator
This section introduces the configuration and functions of the web configurator.
4.1 Introduction
The web configurator is an HTML-based management interface that allows easy Switch setup and management via Internet browser. Use Internet Explorer 6.0 and later or Firefox 2.0 and later versions.
The login screen appears. The default username is admin and the associated default password is 1234. The date and time display as shown if you have not configured a time server or manually entered a time and date in the General Setup screen.
Figure 15 Web Configurator: Login
Click OK to view the first web configurator screen.
The following figure shows the navigating components of a web configurator screen.
Figure 16 The Web Configurator Layout
A - Click the menu items to open submenu links, and then click on a submenu link to open the screen in the main window.
In the navigation panel, click a main link to reveal a list of submenu links.
Table 9 Navigation Panel Sub-links Overview
BASIC SETTING | ADVANCED APPLICATION | IP APPLICATION | MANAGEMENT
The following table describes the links in the navigation panel.
Table 10 Navigation Panel Links
LINK | DESCRIPTION...
Table 10 Navigation Panel Links (continued)
LINK | DESCRIPTION
Static Multicast Forwarding | This link takes you to a screen where you can configure static multicast MAC addresses for port(s). These static multicast MAC addresses do not age out.
Filtering | This link takes you to a screen to set up filtering rules.
Table 10 Navigation Panel Links (continued)
LINK | DESCRIPTION
DiffServ | This link takes you to screens where you can enable DiffServ, configure marking rules and set DSCP-to-IEEE802.1p mappings.
DHCP | This link takes you to screens where you can configure the DHCP settings.
Management
Maintenance | This link takes you to screens where you can perform firmware and configuration file...
4.4 Saving Your Configuration
When you are done modifying the settings in a screen, click Apply to save your changes back to the run-time memory. Settings in the run-time memory are lost when the Switch’s power is turned off.
bit and flow control set to none. The password will also be reset to “1234” and the IP address to 192.168.1.1. To upload the configuration file, do the following: Connect to the console port using a computer with terminal emulation software. See Section 3.2 on page 51 for details.
4.7 Logging Out of the Web Configurator
Click Logout in a screen to exit the web configurator. You have to log in with your password again after you log out. This is recommended after you finish a management session for security reasons.
Figure 19 Web Configurator: Logout Screen
4.8 Help
The web configurator’s online help has descriptions of individual screens and some supplementary...
Chapter 5 System Status and Port Statistics
This chapter describes the system status (web configurator home page) and port details screens.
5.1 Overview
The home screen of the web configurator displays a port statistical summary with links to each port showing statistical details.
Table 11 Port Status (continued)
LABEL | DESCRIPTION
Link | This field displays the speed (1000M for 1000 Mbps, 10G for 10 Gbps, and 40G for 40 Gbps) and the duplex (F for full duplex). This field displays Down if the port is not connected to any device.
Figure 21 Status: Port Details
The following table describes the labels in this screen.
Table 12 Status > Port Details
LABEL | DESCRIPTION
Port Info
Port NO. | This field displays the port number you are viewing.
Name | This field displays the name of the port.
Table 12 Status > Port Details (continued)
LABEL | DESCRIPTION
Rx KB/s | This field shows the transmission speed of data received on this port in kilobytes per second.
Up Time | This field shows the total amount of time the connection has been up.
Tx Packet | The following fields display detailed information about frames transmitted.
Table 12 Status > Port Details (continued)
LABEL | DESCRIPTION
This field shows the number of frames (including bad frames) received that were 64 octets in length.
65-127 | This field shows the number of frames (including bad frames) received that were between 65 and 127 octets in length.
Chapter 6 Basic Setting
This chapter describes how to configure the System Info, General Setup, Switch Setup, IP Setup and Port Setup screens.
6.1 Overview
The System Info screen displays general Switch information (such as firmware version number) and hardware polling information (such as fan speeds).
The following table describes the labels in this screen.
Table 13 Basic Setting > System Info
LABEL | DESCRIPTION
System Name | This field displays the descriptive name of the Switch for identification purposes.
Product Model | This field displays the model number of the Switch.
ZyNOS F/W Version | This field displays the version number of the Switch's current firmware including the date...
6.3 General Setup
Use this screen to configure general settings such as the system name and time. Click Basic Setting and General Setup in the navigation panel to display the screen as shown.
Figure 23 Basic Setting > General Setup
The following table describes the labels in this screen.
Table 14 Basic Setting > General Setup (continued)
LABEL | DESCRIPTION
Current Time | This field displays the time you open this menu (or refresh the menu).
New Time (hh:min:ss) | Enter the new time in hour, minute and second format. The new time then appears in the Current Time field after you click Apply.
VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. In traditional switched environments, all broadcast frames go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.
Table 15 Basic Setting > Switch Setup (continued)
LABEL | DESCRIPTION
GARP Timer: Switches join VLANs by making a declaration. A declaration is made by issuing a Join message using GARP. Declarations are withdrawn by issuing a Leave message. A Leave All message terminates all registrations.
6.6 IP Setup
Use the IP Setup screen to configure the default gateway device, the default domain name server and add IP domains.
Figure 25 Basic Setting > IP Setup
The following table describes the labels in this screen.
Table 16 Basic Setting >...
Table 16 Basic Setting > IP Setup (continued)
LABEL | DESCRIPTION
IP Address | Enter the in-band management port IP address of your Switch in dotted decimal notation. For example, 192.168.1.1.
IP Subnet Mask | Enter the in-band management port IP subnet mask of your Switch in dotted decimal notation, for example, 255.255.255.0.
6.7 Port Setup
Use this screen to configure Switch port settings.
6.7.1 Auto-negotiation
Auto-negotiation allows one port to negotiate with a peer port automatically to obtain the connection speed and duplex mode that both ends support. When auto-negotiation is turned on, a port on the Switch negotiates with the peer automatically to determine the connection speed and duplex mode.
The following table describes the labels in this screen.
Table 18 Basic Setting > Port Setup
LABEL | DESCRIPTION
Port | This is the port index number.
Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis.
Table 18 Basic Setting > Port Setup (continued)
LABEL | DESCRIPTION
Apply | Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Chapter 7 VLAN
The type of screen you see here depends on the VLAN Type you selected in the Switch Setup screen. This chapter shows you how to configure 802.1Q tagged and port-based VLANs.
7.1 Introduction to IEEE 802.1Q Tagged VLANs
A tagged VLAN uses an explicit tag (VLAN ID) in the MAC header to identify the VLAN membership of a frame across bridges - they are not confined to the switch on which they were created.
7.2 Automatic VLAN Registration
GARP and GVRP are the protocols used to automatically register VLAN membership across switches.
7.2.1 GARP
GARP (Generic Attribute Registration Protocol) allows network switches to register and de-register attribute values with other GARP participants within a bridged LAN. GARP is a protocol that provides a generic mechanism for protocols that serve a more specific application, for example, GVRP.
7.3 Port VLAN Trunking
Enable VLAN Trunking on a port to allow frames belonging to unknown VLAN groups to pass through that port. This is useful if you want to set up VLAN groups on end devices without having to configure the same VLAN groups on intermediary devices.
You also use the Static VLAN screen to create VLAN IDs for static (normal) or private (primary, isolated or community) VLANs.
7.5.1 VLAN Status
See Section 7.1 on page 81 for more information on 802.1Q VLAN. Click Advanced Application > VLAN from the navigation panel to display the VLAN Status screen as shown next.
7.5.2 VLAN Details
Use this screen to view detailed port settings and status of the VLAN group. See Section 7.1 on page 81 for more information on static 802.1Q VLAN. Click on an index number in the VLAN Status screen to display VLAN details.
7.5.3 Configure a Static VLAN or Private VLAN
Use this screen to create 802.1Q VLAN IDs and set VLAN members for Normal (static) or Private (Primary, Isolated or Community) VLANs. You must create VLAN IDs for Private (Primary, Isolated or Community) VLANs before configuring Advanced Application >...
Table 22 Advanced Application > VLAN > Static VLAN (continued)
LABEL | DESCRIPTION
VLAN Type | Select Normal (static) or Private. For Private VLANs, select Primary, Isolated or Community.
Association VLAN List | Primary private VLANs can associate with several (secondary) Community private VLANs and up to one (secondary) Isolated private VLAN.
7.5.4 Configure VLAN Port Settings
Use the VLAN Port Setting screen to configure the static VLAN (IEEE 802.1Q) settings on a port. See Section 7.1 on page 81 for more information on 802.1Q VLAN. Click the VLAN Port Setting link in the VLAN Status screen.
Table 23 Advanced Application > VLAN > VLAN Port Setting (continued)
LABEL | DESCRIPTION
PVID | A PVID (Port VLAN ID) is a tag that is added to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines. Enter a number between 1 and 4094 as the port VLAN ID.
services). All untagged incoming frames will be classified based on their source IP subnet and prioritized accordingly. That is, video services receive the highest priority and data the lowest.
Figure 33 Subnet Based VLAN Application Example
The following table describes the labels in this screen.
Table 24 Advanced Application > VLAN > VLAN Port Setting > Subnet Based VLAN Setup
LABEL | DESCRIPTION
Active | Select this check box to activate subnet based VLANs on the Switch.
DHCP-Vlan Override | When DHCP snooping is enabled DHCP clients can renew their IP address through the DHCP...
For example, ports 1, 2, 3 and 4 belong to static VLAN 100, and ports 4, 5, 6, 7 belong to static VLAN 120. You can configure a protocol based VLAN A with priority 2 for ARP traffic received on ports 1, 2 and 3.
Table 25 Advanced Application > VLAN > VLAN Port Setting > Protocol Based VLAN Setup
LABEL | DESCRIPTION
Ethernet-type | Use the drop down list box to select a predefined protocol to be included in this protocol based VLAN or select Others and type the protocol number in hexadecimal notation. For example, the IP protocol in hexadecimal notation is 0800, and Novell IPX protocol is 8137.
Leave the priority set to 0 and click Add.
Figure 37 Protocol Based VLAN Configuration Example
To add more ports to this protocol based VLAN. Click the index number of the protocol based VLAN entry. Click 1 Change the value in the Port field to the next port you want to add.
Table 26 Advanced Application > VLAN > Private VLAN Status
LABEL | DESCRIPTION
Private VLAN Status | These fields show information for all the private VLANs. See also Advanced Application > Private VLAN.
Primary VLAN | This field shows the primary VLAN ID in a private VLAN.
Secondary | This field shows the secondary VLAN ID in a private VLAN.
The following screen shows users on a port-based, all-connected VLAN configuration.
Figure 39 Advanced Application > VLAN > Port Based VLAN Setup (All Connected)
The following screen shows users on a port-based, port-isolated VLAN configuration.
Figure 40 Advanced Application > VLAN: Port Based VLAN Setup (Port Isolation)
The following table describes the labels in this screen.
Table 27 Advanced Application > VLAN: Port Based VLAN Setup
LABEL | DESCRIPTION
Setting Wizard | Choose All connected or Port isolation. All connected means all ports can communicate with each other, that is, there are no virtual LANs.
Chapter 8 Static MAC Forward Setup
Use these screens to configure static MAC address forwarding.
8.1 Overview
This chapter discusses how to configure forwarding rules based on MAC addresses of devices on your network.
8.2 Configuring Static MAC Forwarding
A static MAC address is an address that has been manually entered in the MAC address table.
The following table describes the labels in this screen.
Table 28 Advanced Application > Static MAC Forwarding
LABEL | DESCRIPTION
Active | Select this check box to activate your rule. You may temporarily deactivate a rule without deleting it by clearing this check box.
Chapter 9 Static Multicast Forward Setup
Use these screens to configure static multicast address forwarding.
9.1 Static Multicast Forwarding Overview
A multicast MAC address is the MAC address of a member of a multicast group. A static multicast address is a multicast MAC address that has been manually entered in the multicast table.
Figure 42 No Static Multicast Forwarding
Figure 43 Static Multicast Forwarding to A Single Port
Figure 44 Static Multicast Forwarding to Multiple Ports
9.2 Configuring Static Multicast Forwarding
Use this screen to configure rules to forward specific multicast frames, such as streaming or control frames, to specific port(s).
Click Advanced Application > Static Multicast Forwarding to display the configuration screen as shown.
Figure 45 Advanced Application > Static Multicast Forwarding
The following table describes the labels in this screen.
Table 29 Advanced Application > Static Multicast Forwarding
LABEL | DESCRIPTION
Active...
Table 29 Advanced Application > Static Multicast Forwarding (continued)
LABEL | DESCRIPTION
Port | This field displays the port(s) within an identified VLAN group to which frames containing the specified multicast MAC address will be forwarded.
Delete | Click Delete to remove the selected entry from the summary table.
Chapter 10 Filtering
This chapter discusses MAC address port filtering.
10.1 Configure a Filtering Rule
Configure the Switch to filter traffic based on the traffic’s source, destination MAC addresses and/or VLAN group (ID). Click Advanced Application > Filtering in the navigation panel to display the screen as shown next.
Table 30 Advanced Application > Filtering (continued)
LABEL | DESCRIPTION
Type a MAC address in a valid MAC address format, that is, six hexadecimal character pairs.
Type the VLAN group identification number.
Click Add to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Chapter 11 Spanning Tree Protocol
The Switch supports Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) as defined in the following standards.
• IEEE 802.1D Spanning Tree Protocol
• IEEE 802.1w Rapid Spanning Tree Protocol
•...
Chapter 11 Spanning Tree Protocol Table 31 STP Path Costs RECOMMENDED RECOMMENDED LINK SPEED ALLOWED RANGE VALUE RANGE Path Cost 1Gbps 3 to 10 1 to 65535 Path Cost 10Gbps 1 to 5 1 to 65535 On each bridge, the bridge communicates with the root through the root port. The root port is the port on this Switch with the lowest path cost to the root (the root path cost).
Chapter 11 Spanning Tree Protocol In the following example, there are two RSTP instances (MRSTP 1 and MRSTP2) on switch A. Figure 47 MRSTP Network Example To set up MRSTP, activate MRSTP on the Switch and specify which port(s) belong to which spanning tree.
Page 110
Chapter 11 Spanning Tree Protocol 11.1.5.1 MSTP Network Example The following figure shows a network example where two VLANs are configured on the two switches. If the switches are using STP or RSTP, the link for VLAN 2 will be blocked as STP and RSTP allow only one link in the network and block the redundant link.
Page 111
Chapter 11 Spanning Tree Protocol Devices that belong to the same MST region are configured to have the same MSTP configuration identification settings. These include the following parameters: • Name of the MST region • Revision level as the unique number for the MST region •...
Chapter 11 Spanning Tree Protocol 11.2 Spanning Tree Protocol Status Screen The Spanning Tree Protocol status screen changes depending on what standard you choose to implement on your network. Click Advanced Application > Spanning Tree Protocol to see the screen as shown. Figure 52 Advanced Application >...
Chapter 11 Spanning Tree Protocol 11.4 Configure Rapid Spanning Tree Protocol Use this screen to configure RSTP settings, see Section 11.1 on page 107 for more information on RSTP. Click RSTP in the Advanced Application > Spanning Tree Protocol screen. Figure 54 Advanced Application >...
Chapter 11 Spanning Tree Protocol Table 34 Advanced Application > Spanning Tree Protocol > RSTP (continued) LABEL DESCRIPTION Max Age This is the maximum time (in seconds) a switch can wait without receiving a BPDU before attempting to reconfigure. All switch ports (except for designated ports) should receive BPDUs at regular intervals.
Page 115
Chapter 11 Spanning Tree Protocol Note: This screen is only available after you activate RSTP on the Switch. Figure 55 Advanced Application > Spanning Tree Protocol > Status: RSTP The following table describes the labels in this screen. Table 35 Advanced Application > Spanning Tree Protocol > Status: RSTP LABEL DESCRIPTION Configuration...
Chapter 11 Spanning Tree Protocol 11.6 Configure Multiple Rapid Spanning Tree Protocol To configure MRSTP, click MRSTP in the Advanced Application > Spanning Tree Protocol screen. See Section 11.1 on page 107 for more information on MRSTP. Figure 56 Advanced Application > Spanning Tree Protocol > MRSTP The following table describes the labels in this screen.
Chapter 11 Spanning Tree Protocol Table 36 Advanced Application > Spanning Tree Protocol > MRSTP (continued) LABEL DESCRIPTION Hello Time This is the time interval in seconds between BPDU (Bridge Protocol Data Units) configuration message generations by the root switch. The allowed range is 1 to 10 seconds.
Page 118
Chapter 11 Spanning Tree Protocol Note: This screen is only available after you activate MRSTP on the Switch. Figure 57 Advanced Application > Spanning Tree Protocol > Status: MRSTP The following table describes the labels in this screen. Table 37 Advanced Application > Spanning Tree Protocol > Status: MRSTP LABEL DESCRIPTION Configuration...
Chapter 11 Spanning Tree Protocol 11.8 Configure Multiple Spanning Tree Protocol To configure MSTP, click MSTP in the Advanced Application > Spanning Tree Protocol screen. See Section 11.1.5 on page 109 for more information on MSTP. Figure 58 Advanced Application > Spanning Tree Protocol > MSTP
XS3900-48F User’s Guide...
Page 120
Chapter 11 Spanning Tree Protocol The following table describes the labels in this screen. Table 38 Advanced Application > Spanning Tree Protocol > MSTP LABEL DESCRIPTION Status Click Status to display the MSTP Status screen (see Figure 60 on page 123).
Page 121
Chapter 11 Spanning Tree Protocol Table 38 Advanced Application > Spanning Tree Protocol > MSTP (continued) LABEL DESCRIPTION Enabled VLAN(s) This field displays which VLAN(s) are mapped to this MST instance. Port This field displays the port number. Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports.
Chapter 11 Spanning Tree Protocol 11.8.1 Multiple Spanning Tree Protocol Port Configuration To configure MSTP ports, click Port in the Advanced Application > Spanning Tree Protocol > MSTP screen. Figure 59 Advanced Application > Spanning Tree Protocol > MSTP > Port The following table describes the labels in this screen.
Chapter 11 Spanning Tree Protocol 11.9 Multiple Spanning Tree Protocol Status Click Advanced Application > Spanning Tree Protocol in the navigation panel to display the status screen as shown next. See Section 11.1.5 on page 109 for more information on MSTP. Note: This screen is only available after you activate MSTP on the Switch.
Page 124
Chapter 11 Spanning Tree Protocol Table 40 Advanced Application > Spanning Tree Protocol > Status: MSTP (continued) LABEL DESCRIPTION Port ID This is the priority and number of the port on the Switch through which this Switch must communicate with the root of the Spanning Tree. Configuration This field displays the configuration name for this MST region.
Chapter 12 Bandwidth Control
This chapter shows you how you can cap the maximum bandwidth using the Bandwidth Control screen.
12.1 Bandwidth Control Overview
Bandwidth control means defining a maximum allowable bandwidth for incoming and/or outgoing traffic flows on a port.
12.1.1 CIR and PIR
The Committed Information Rate (CIR) is the guaranteed bandwidth for the incoming traffic flow on a port.
Chapter 12 Bandwidth Control 12.2 Bandwidth Control Setup Click Advanced Application > Bandwidth Control in the navigation panel to bring up the screen as shown next. Figure 61 Advanced Application > Bandwidth Control The following table describes the related labels in this screen. Table 41 Advanced Application >...
Page 127
Chapter 12 Bandwidth Control Table 41 Advanced Application > Bandwidth Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Chapter 13 Broadcast Storm Control
This chapter introduces and shows you how to configure the broadcast storm control feature.
13.1 Broadcast Storm Control Setup
Broadcast storm control limits the number of broadcast, multicast and destination lookup failure (DLF) packets the Switch receives per second on the ports. When the maximum number of allowable broadcast, multicast and/or DLF packets is reached per second, the subsequent packets are discarded.
Page 129
Chapter 13 Broadcast Storm Control Table 42 Advanced Application > Broadcast Storm Control (continued) LABEL DESCRIPTION Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis.
Chapter 14 Mirroring
This chapter discusses port mirroring setup screens.
14.1 Port Mirroring Setup
Port mirroring allows you to copy a traffic flow to a monitor port (the port you copy the traffic to) in order that you can examine the traffic from the monitor port without interference. Click Advanced Application >...
Page 131
Chapter 14 Mirroring Table 43 Advanced Application > Mirroring (continued) LABEL DESCRIPTION Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis.
Chapter 15 Link Aggregation
This chapter shows you how to logically aggregate physical links to form one logical, higher-bandwidth link.
15.1 Link Aggregation Overview
Link aggregation (trunking) is the grouping of physical ports into one logical higher-capacity link. You may want to trunk ports if, for example, it is cheaper to use multiple lower-speed links than to under-utilize a high-speed, but more costly, single-port link.
Chapter 15 Link Aggregation Configure trunk groups or LACP before you connect the Ethernet switch to avoid causing network topology loops. 15.2.1 Link Aggregation ID LACP aggregation ID consists of the following information: Table 44 Link Aggregation ID: Local Switch SYSTEM PRIORITY MAC ADDRESS PORT PRIORITY...
Page 134
Chapter 15 Link Aggregation Table 46 Advanced Application > Link Aggregation Status (continued)
LABEL DESCRIPTION
Synchronized Ports: These are the ports that are currently transmitting data as one logical link in this trunk group.
Aggregator ID: Link Aggregator ID consists of the following: system priority, MAC address, key, port priority and port number.
Chapter 15 Link Aggregation 15.4 Link Aggregation Setting Click Advanced Application > Link Aggregation > Link Aggregation Setting to display the screen shown next. See Section 15.1 on page 132 for more information on link aggregation. Figure 65 Advanced Application > Link Aggregation > Link Aggregation Setting The following table describes the labels in this screen.
Page 136
Chapter 15 Link Aggregation Table 47 Advanced Application > Link Aggregation > Link Aggregation Setting (continued) LABEL DESCRIPTION Criteria Select the outgoing traffic distribution type. Packets from the same source and/or to the same destination are sent over the same link within the trunk. By default, the Switch uses the src-dst-mac distribution type.
Chapter 15 Link Aggregation 15.5 Link Aggregation Control Protocol Click Advanced Application > Link Aggregation > Link Aggregation Setting > LACP to display the screen shown next. See Section 15.2 on page 132 for more information on dynamic link aggregation.
Chapter 15 Link Aggregation Table 48 Advanced Application > Link Aggregation > Link Aggregation Setting > LACP (continued)
LABEL DESCRIPTION
System Priority: LACP system priority is a number between 1 and 65,535. The switch with the lowest system priority (and lowest port number if system priority is the same) becomes the LACP “server”. The LACP “server”...
Page 139
Chapter 15 Link Aggregation Configure static trunking - Click Advanced Application > Link Aggregation > Link Aggregation Setting. In this screen activate trunk group T1, select the traffic distribution algorithm used by this group and select the ports that should belong to this group as shown in the figure below.
Chapter 16 Port Authentication
This chapter describes the IEEE 802.1x and MAC authentication methods.
16.1 Port Authentication Overview
Port authentication is a way to validate access to ports on the Switch to clients based on an external server (authentication server). The Switch supports the following methods for port authentication:
•...
Chapter 16 Port Authentication provides the login credentials, the Switch sends an authentication request to a RADIUS server. The RADIUS server validates whether this client is allowed access to the port. Figure 69 IEEE 802.1x Authentication Process New Connection Identity Request Login Credentials Authentication Request Access Challenge...
Chapter 16 Port Authentication on the source MAC address of the client connecting to a port on the Switch along with a password configured specifically for MAC authentication on the Switch. Figure 70 MAC Authentication Process New Connection Authentication Request Authentication Reply Session Granted/Denied 16.2 Port Authentication Configuration...
Chapter 16 Port Authentication 16.2.1 Activate IEEE 802.1x Security Use this screen to activate IEEE 802.1x security. In the Port Authentication screen click 802.1x to display the configuration screen as shown. Figure 72 Advanced Application > Port Authentication > 802.1x The following table describes the labels in this screen.
Chapter 16 Port Authentication Table 49 Advanced Application > Port Authentication > 802.1x (continued) LABEL DESCRIPTION Reauth Specify if a subscriber has to periodically re-enter his or her username and password to stay connected to the port. Reauth-period Specify the length of time required to pass before a client has to re-enter his or her username and password to stay connected to the port.
Page 145
Chapter 16 Port Authentication Use this screen to enable and assign a guest VLAN to a port. In the Port Authentication > 802.1x screen click Guest Vlan to display the configuration screen as shown. Figure 74 Advanced Application > Port Authentication > 802.1x > Guest VLAN The following table describes the labels in this screen.
Chapter 16 Port Authentication Table 50 Advanced Application > Port Authentication > 802.1x > Guest VLAN (continued) LABEL DESCRIPTION Host-mode Specify how the Switch authenticates users when more than one user connects to the port (using a hub). Select Multi-Host to authenticate only the first user that connects to this port. If the first user enters the correct credential, any other users are allowed to access the port without authentication.
Page 147
Chapter 16 Port Authentication The following table describes the labels in this screen. Table 51 Advanced Application > Port Authentication > MAC Authentication LABEL DESCRIPTION Active Select this check box to permit MAC authentication on the Switch. Note: You must first enable MAC authentication on the Switch before configuring it on each port.
Chapter 17 Port Security
This chapter shows you how to set up port security.
17.1 About Port Security
Port security allows only packets with dynamically learned MAC addresses and/or configured static MAC addresses to pass through a port on the Switch. The Switch can learn up to 32K MAC addresses in total with no limit on individual ports other than the sum cannot exceed 32K.
Page 149
Chapter 17 Port Security The following table describes the labels in this screen. Table 52 Advanced Application > Port Security LABEL DESCRIPTION Port List Enter the number of the port(s) (separated by a comma) on which you want to enable port security and disable MAC address learning.
Chapter 17 Port Security 17.3 VLAN MAC Address Limit Use this screen to set the MAC address learning limit on per-port and per-VLAN basis. Click VLAN MAC Address Limit in the Advanced Application > Port Security screen to display the screen as shown.
Chapter 18 Classifier
This chapter introduces and shows you how to configure the packet classifier on the Switch.
18.1 About the Classifier and QoS
Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth.
Page 152
Chapter 18 Classifier Click Advanced Application > Classifier in the navigation panel to display the configuration screen as shown. Figure 78 Advanced Application > Classifier The following table describes the labels in this screen. Table 54 Advanced Application > Classifier LABEL DESCRIPTION Active...
Page 153
Chapter 18 Classifier Table 54 Advanced Application > Classifier (continued) LABEL DESCRIPTION VLAN Select Any to classify traffic from any VLAN or select the second option and specify the source VLAN ID in the field provided. Priority Select Any to classify traffic from any priority level or select the second option and specify a priority level in the field provided.
Chapter 18 Classifier Table 54 Advanced Application > Classifier (continued) LABEL DESCRIPTION Click Add to insert the entry in the summary table below and save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Page 155
Chapter 18 Classifier Table 56 Common Ethernet Types and Protocol Number ETHERNET TYPE PROTOCOL NUMBER Banyan Systems 0BAD BBN Simnet 5208 IBM SNA 80D5 AppleTalk AARP 80F3 Some of the most common IP ports are: Table 57 Common IP Ports PORT NUMBER PORT NAME Telnet...
Chapter 18 Classifier 18.4 Classifier Example The following screen shows an example of configuring a classifier that identifies all traffic from MAC address 00:50:ba:ad:4f:81 on port 2. Figure 80 Classifier: Example After you have configured a classifier, you can configure a policy to define action(s) on the classified traffic flow.
Chapter 19 Policy Rule
This chapter shows you how to configure policy rules.
19.1 Policy Rules Overview
A classifier distinguishes traffic into flows based on the configured criteria (refer to Chapter 18 on page 151 for more information). A policy rule ensures that a traffic flow gets the requested treatment in the network.
Page 158
Chapter 19 Policy Rule Click Advanced Application > Policy Rule in the navigation panel to display the screen as shown. Figure 81 Advanced Application > Policy Rule The following table describes the labels in this screen. Table 58 Advanced Application > Policy Rule LABEL DESCRIPTION Active...
Page 159
Chapter 19 Policy Rule Table 58 Advanced Application > Policy Rule (continued) LABEL DESCRIPTION Classifier(s) This field displays the active classifier(s) you configure in the Classifier screen. Select the classifier(s) to which this policy rule applies. To select more than one classifier, press [SHIFT] and select the choices at the same time.
Chapter 19 Policy Rule Table 58 Advanced Application > Policy Rule (continued)
LABEL DESCRIPTION
Out-of-profile action: Select the action(s) to be performed for out-of-profile traffic. Select Drop the packet to discard the out-of-profile traffic. Select Change the DSCP value to replace the DSCP field with the value specified in the Out of profile DSCP field.
Chapter 19 Policy Rule 19.4 Policy Example The figure below shows an example Policy screen where you configure a policy to limit bandwidth and discard out-of-profile traffic on a traffic flow classified using the Example classifier (refer to Section 18.4 on page 156).
Chapter 20 Queuing Method
This chapter introduces the queuing methods supported.
20.1 Queuing Method Overview
Queuing is used to help solve performance degradation when there is network congestion. Use the Queuing Method screen to configure queuing algorithms for outgoing traffic. See also Priority Queue Assignment in Switch Setup and 802.1p Priority in Port Setup for related information.
Chapter 20 Queuing Method 20.1.3 Weighted Round Robin Scheduling (WRR) Round Robin Scheduling services queues on a rotating basis and is activated only when a port has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that port.
Page 164
Chapter 20 Queuing Method The following table describes the labels in this screen. Table 60 Advanced Application > Queuing Method LABEL DESCRIPTION Port This label shows the port you are configuring. Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis.
Chapter 21 VLAN Stacking
This chapter shows you how to configure VLAN stacking on your Switch. See the chapter on VLANs for more background information on Virtual LAN.
21.1 VLAN Stacking Overview
A service provider can use VLAN stacking to allow it to distinguish multiple customers' VLANs, even those with the same (customer-assigned) VLAN ID, within its network.
Chapter 21 VLAN Stacking adding tag 37 to distinguish customer A and tag 48 to distinguish customer B at edge device 1 and then stripping those tags at edge device 2 as the data frames leave the network. Figure 85 VLAN Stacking Example 21.2 VLAN Stacking Port Roles Each port can have three VLAN stacking “roles”, Normal, Access Port and Tunnel Port (the latter is for Gigabit ports only).
Chapter 21 VLAN Stacking 21.3 VLAN Tag Format A VLAN tag (service provider VLAN stacking or customer IEEE 802.1Q) consists of the following three fields. Table 61 VLAN Tag Format Type Priority Type is a standard Ethernet type code identifying the frame and indicates whether the frame carries IEEE 802.1Q tag information....
Chapter 21 VLAN Stacking Table 63 802.1Q Frame (SP)TPID (Service Provider) Tag Protocol IDentifier Data Frame data VLAN ID Frame Check Sequence 21.4 Configuring VLAN Stacking Click Advanced Application > VLAN Stacking to display the screen as shown. Figure 86 Advanced Application > VLAN Stacking The following table describes the labels in this screen.
Chapter 21 VLAN Stacking Table 64 Advanced Application > VLAN Stacking (continued)
LABEL DESCRIPTION
Tunnel TPID: TPID is a standard Ethernet type code identifying the frame and indicates whether the frame carries IEEE 802.1Q tag information. Enter a four-digit hexadecimal number from 0000 to FFFF that the Switch adds in the outer VLAN tag of the frames sent on the tunnel port(s).
Chapter 21 VLAN Stacking Table 65 Advanced Application > VLAN Stacking > Port-based QinQ (continued) LABEL DESCRIPTION Priority Select a priority level (from 0 to 7). This is the service provider’s priority level that is added to the frames received on this port. "0"...
Page 171
Chapter 21 VLAN Stacking Table 66 Advanced Application > VLAN Stacking > Selective QinQ (continued) LABEL DESCRIPTION SPVID SPVID is the service provider’s VLAN ID (the outer VLAN tag). Enter the service provider ID (from 1 to 4094) for frames received on this port. See Chapter 7 on page 81 for more background information on VLAN ID.
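The tag layout from Section 21.3 and the customer tags 37 and 48 from the Section 21.1 example can be checked on captured frames with a small parser. This is an added example, not code from the manual or the Switch firmware; the Tunnel TPID value 0x88A8, the customer VLAN ID 24, the MAC addresses and all function names are assumptions chosen for illustration.

```python
import struct
from dataclasses import dataclass

CUSTOMER_TPID = 0x8100   # standard IEEE 802.1Q tag type
TUNNEL_TPID = 0x88A8     # assumed value entered in the Tunnel TPID field (0000 to FFFF)


@dataclass(frozen=True)
class VlanTag:
    tpid: int      # Type: 16-bit Ethernet type code
    priority: int  # 3-bit priority, 0 to 7
    cfi: int       # 1-bit canonical format indicator
    vid: int       # 12-bit VLAN ID


def build_tag(tpid, priority, vid, cfi=0):
    """Encode one 4-byte VLAN tag, enforcing the ranges the screens accept."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be 0000 to FFFF")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0 to 7")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    return struct.pack("!HH", tpid, (priority << 13) | (cfi << 12) | vid)


def parse_frame(frame, tunnel_tpid=TUNNEL_TPID):
    """Return (tags, ethertype, payload); tags are listed outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []          # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before the type field")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (tunnel_tpid, CUSTOMER_TPID):
            return tags, etype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def identify_customer(frame, sp_vids, tunnel_tpid=TUNNEL_TPID):
    """Map the outer (service provider) tag to a customer name.

    Returns (customer, inner_vid). Both are None when the frame carries
    no service provider tag, i.e. it is not tunnel traffic.
    """
    tags, _, _ = parse_frame(frame, tunnel_tpid)
    if not tags or tags[0].tpid != tunnel_tpid:
        return None, None
    inner_vid = tags[1].vid if len(tags) > 1 else None
    return sp_vids.get(tags[0].vid), inner_vid


# Constructed sample data (locally administered MAC addresses).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
SP_VIDS = {37: "customer A", 48: "customer B"}   # tags from the Section 21.1 example


def stacked_frame(sp_vid, customer_vid, sp_priority=0, payload=b"data"):
    """Build a double-tagged frame as it would look inside the provider network."""
    return (DST + SRC
            + build_tag(TUNNEL_TPID, sp_priority, sp_vid)
            + build_tag(CUSTOMER_TPID, 0, customer_vid)
            + struct.pack("!H", 0x0800) + payload)


if __name__ == "__main__":
    for sp_vid in (37, 48):
        # Both customers use the same customer-assigned VLAN ID 24.
        print(sp_vid, identify_customer(stacked_frame(sp_vid, 24), SP_VIDS))
```

Both customers keep the same inner VLAN ID, and only the outer tag tells them apart, which is the property Section 21.1 describes.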
Chapter 22 Multicast
This chapter shows you how to configure various multicast features.
22.1 Multicast Overview
Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender to 1 recipient) or Broadcast (1 sender to everybody on the network). Multicast delivers IP packets to just a group of hosts on the network.
Chapter 22 Multicast 22.1.4 IGMP Snooping and VLANs The Switch can perform IGMP snooping on up to 16 VLANs. You can configure the Switch to automatically learn multicast group membership of any VLANs. The Switch then performs IGMP snooping on the first 16 VLANs that send IGMP packets. This is referred to as auto mode. Alternatively, you can specify the VLANs that IGMP snooping should be performed on.
Chapter 22 Multicast 22.3 Multicast Setting Click Advanced Application > Multicast > Multicast Setting link to display the screen as shown. See Section 22.1 on page 172 for more information on multicasting. Figure 90 Advanced Application > Multicast > Multicast Setting The following table describes the labels in this screen.
Page 175
Chapter 22 Multicast Table 68 Advanced Application > Multicast > Multicast Setting (continued)
LABEL DESCRIPTION
Unknown Multicast Frame: Specify the action to perform when the Switch receives an unknown multicast frame. Select Drop to discard the frame(s). Select Flooding to send the frame(s) to all ports.
Reserved Multicast Group: The IP address range of 224.0.0.0 to 224.0.0.255 is reserved for multicasting on the...
Page 176
Chapter 22 Multicast Table 68 Advanced Application > Multicast > Multicast Setting (continued) LABEL DESCRIPTION Throttling IGMP throttling controls how the Switch deals with the IGMP reports when the maximum number of the IGMP groups a port can join is reached. Select Deny to drop any new IGMP join report received on this port until an existing multicast forwarding table entry is aged out.
Chapter 22 Multicast 22.4 IGMP Snooping VLAN Click Advanced Application > Multicast in the navigation panel. Click the Multicast Setting link and then the IGMP Snooping VLAN link to display the screen as shown. See Section 22.1.4 on page 173 for more information on IGMP Snooping VLAN.
Chapter 22 Multicast Table 69 Advanced Application > Multicast > Multicast Setting > IGMP Snooping VLAN (continued) LABEL DESCRIPTION Click Add to insert the entry in the summary table below and save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non- volatile memory when you are done configuring.
Chapter 22 Multicast The following table describes the labels in this screen. Table 70 Advanced Application > Multicast > Multicast Setting > IGMP Filtering Profile LABEL DESCRIPTION Profile Name Enter a descriptive name for the profile for identification purposes. To configure additional rule(s) for a profile that you have already added, enter the profile name and specify a different IP multicast address range.
Chapter 22 Multicast The following figure shows a network example. The subscriber VLAN (1, 2 and 3) information is hidden from the streaming media server, S. In addition, the multicast VLAN information is only visible to the Switch and S. Figure 93 MVR Network Example VLAN 1 Multicast VLAN...
Chapter 22 Multicast port in the same subscriber VLAN, the receiving port will still be on the list of forwarding destination for the multicast traffic. Otherwise, the Switch removes the receiver port from the forwarding table. Figure 94 MVR Multicast Television Example VLAN 1 Multicast VLAN 22.7 General MVR Configuration...
Page 182
Chapter 22 Multicast Note: Your Switch automatically creates a static VLAN (with the same VID) when you create a multicast VLAN in this screen. Figure 95 Advanced Application > Multicast > Multicast Setting > MVR The following table describes the related labels in this screen. Table 71 Advanced Application >...
Chapter 22 Multicast Table 71 Advanced Application > Multicast > Multicast Setting > MVR (continued) LABEL DESCRIPTION Source Port Select this option to set this port as the MVR source port that sends and receives multicast traffic. All source ports must belong to a single multicast VLAN. Receiver Port Select this option to set this port as a receiver port that only receives multicast traffic.
Chapter 22 Multicast Note: A port can belong to more than one multicast VLAN. However, IP multicast group addresses in different multicast VLANs cannot overlap. Figure 96 Advanced Application > Multicast > Multicast Setting > MVR: Group Configuration The following table describes the labels in this screen. Table 72 Advanced Application >...
Page 185
Chapter 22 Multicast News and Movie channels) from the remote streaming media server, S. Computers A, B and C in VLAN 1 are able to receive the traffic. Figure 97 MVR Configuration Example News: 224.1.4.10 ~ 224.1.4.50 Movie: 230.1.2.50 ~230.1.2.60 VLAN 1 Multicast VID 200 To configure the MVR settings on the Switch, create a multicast group in the MVR screen and set...
Page 186
Chapter 22 Multicast To set the Switch to forward the multicast group traffic to the subscribers, configure multicast group settings in the Group Configuration screen. The following figure shows an example where two multicast groups (News and Movie) are configured for the multicast VLAN 200. Figure 99 MVR Group Configuration Example Figure 100 MVR Group Configuration Example...
Chapter 23 AAA
This chapter describes how to configure authentication, authorization and accounting settings on the Switch.
23.1 Authentication, Authorization and Accounting (AAA)
Authentication is the process of determining who a user is and validating access to the Switch. The Switch can authenticate users who try to log in based on user accounts configured on the Switch itself.
Chapter 23 AAA 23.1.2 RADIUS and TACACS+ RADIUS and TACACS+ are security protocols used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device.
Page 189
Chapter 23 AAA authentication and accounting features on the Switch. Click on the RADIUS Server Setup link in the AAA screen to view the screen as shown. Figure 103 Advanced Application > AAA > RADIUS Server Setup The following table describes the labels in this screen. Table 74 Advanced Application >...
Page 190
Chapter 23 AAA Table 74 Advanced Application > AAA > RADIUS Server Setup (continued) LABEL DESCRIPTION Delete Check this box if you want to remove an existing RADIUS server entry from the Switch. This entry is deleted when you click Apply. Apply Click Apply to save your changes to the Switch’s run-time memory.
Chapter 23 AAA 23.2.2 TACACS+ Server Setup Use this screen to configure your TACACS+ server settings. See Section 23.1.2 on page 188 for more information on TACACS+ servers. Click on the TACACS+ Server Setup link in the Authentication and Accounting screen to view the screen as shown. Figure 104 Advanced Application >...
Page 192
Chapter 23 AAA Table 75 Advanced Application > AAA > TACACS+ Server Setup (continued) LABEL DESCRIPTION Shared Secret Specify a password (up to 32 alphanumeric characters) as the key to be shared between the external TACACS+ server and the Switch. This key is not sent over the network. This key must be the same on the external TACACS+ server and the Switch.
Chapter 23 AAA 23.2.3 AAA Setup Use this screen to configure authentication, authorization and accounting settings on the Switch. Click on the AAA Setup link in the AAA screen to view the screen as shown. Figure 105 Advanced Application > AAA > AAA Setup The following table describes the labels in this screen.
Page 194
Chapter 23 AAA Table 76 Advanced Application > AAA > AAA Setup (continued) LABEL DESCRIPTION Login These fields specify which database the Switch should use (first, second and third) to authenticate administrator accounts (users for Switch management). Configure the local user accounts in the Access Control > Logins screen. The TACACS+ and RADIUS are external servers.
Chapter 23 AAA Table 76 Advanced Application > AAA > AAA Setup (continued) LABEL DESCRIPTION Mode The Switch supports two modes of recording login events. Select: • start-stop - to have the Switch send information to the accounting server when a user begins a session, during a user’s session (if it lasts past the Update Period), and when a user ends a session.
Chapter 23 AAA The following table describes the VSAs supported on the Switch. Note that these attributes only work when you enable authorization (see Section 23.2.3 on page 193). Table 77 Supported VSAs FUNCTION ATTRIBUTE Ingress Bandwidth Vendor-Id = 890 Assignment Vendor-Type = 1 Vendor-data =...
Chapter 23 AAA Refer to RFC 2865 for more information about RADIUS attributes used for authentication. Refer to RFC 2866 and RFC 2869 for RADIUS attributes used for accounting. This section lists the attributes used by authentication and accounting functions on the Switch. In cases where the attribute has a specific format associated with it, the format is specified.
Page 198
Chapter 23 AAA 23.3.2.1 Attributes Used for Accounting System Events NAS-IP-Address NAS-Identifier Acct-Status-Type Acct-Session-ID - The format of Acct-Session-Id is date+time+8-digit sequential number, for example, 2007041917210300000001. (date: 2007/04/19, time: 17:21:03, serial number: 00000001) Acct-Delay-Time 23.3.2.2 Attributes Used for Accounting Exec Events The attributes are listed in the following table along with the time that they are sent (the difference between Console and Telnet/SSH Exec events is that the Telnet/SSH events utilize the Calling- Station-Id attribute):...
Page 199
Chapter 23 AAA 23.3.2.3 Attributes Used for Accounting IEEE 802.1x Events The attributes are listed in the following table along with the time of the session they are sent: Table 81 RADIUS Attributes - Exec Events via Console ATTRIBUTE START INTERIM-UPDATE STOP User-Name...
Chapter 24 IP Source Guard
Use IP source guard to filter unauthorized DHCP and ARP packets in your network.
24.1 IP Source Guard Overview
IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and ARP packets in your network. A binding contains these key attributes: •...
Chapter 24 IP Source Guard 24.1.1 IP Source Guard Menu Overview Table 82 IP Source Guard Menu Overview MENU SUB-MENU 1 SUB-MENU 2 SUB-MENU 3 IP Source Guard Static Binding DHCP Snooping Configure Port VLAN ARP Inspection VLAN Status Log Status Configure Port VLAN...
Page 202
Chapter 24 IP Source Guard The DHCP snooping database maintains the dynamic bindings for DHCP snooping and ARP inspection in a file on an external TFTP server. If you set up the DHCP snooping database, the Switch can reload the dynamic bindings from the DHCP snooping database after the Switch restarts.
Configure trusted and untrusted ports, and specify the maximum number of DHCP packets that each port can receive per second.
Configure static bindings.
24.1.3 ARP Inspection Overview
Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example....
The Switch discards ARP packets on untrusted ports in the following situations:
• The sender’s information in the ARP packet does not match any of the current bindings.
• The rate at which ARP packets arrive is too high.
24.1.3.3 Syslog
The Switch can send syslog messages to the specified syslog server (Chapter 38 on page...
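The two discard conditions above can be modelled as a small decision function run over sample ARP traffic. This is an added example, not ZyXEL firmware code: it assumes bindings are looked up by sender MAC address and VLAN ID and then compared on IP address and port, that a static binding overrides a snooped one, and that the rate limit is counted per port in one-second windows. The "dhcp deny" and "static deny" labels follow the Reason values in Table 91 of this guide; the other verdict strings, class names and sample packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    port: int
    kind: str           # "static" or "dhcp-snooping" (Type values in Table 83)


@dataclass(frozen=True)
class ArpPacket:
    ts: float           # arrival time in seconds
    port: int           # ingress port
    vlan: int
    sender_mac: str
    sender_ip: str


class ArpInspector:
    def __init__(self, bindings, trusted_ports, rate_limit_pps):
        self.table = {}
        # Assumption: insert snooped bindings first so static ones override them.
        for b in sorted(bindings, key=lambda b: b.kind == "static"):
            self.table[(b.mac.lower(), b.vlan)] = b
        self.trusted = set(trusted_ports)
        self.limit = rate_limit_pps
        self.seen = defaultdict(int)    # (port, whole second) -> packets seen

    def inspect(self, pkt: ArpPacket) -> str:
        # Inspection applies to untrusted ports only.
        if pkt.port in self.trusted:
            return "forward (trusted port)"
        # Condition 2: ARP packets arriving too fast on this port.
        bucket = (pkt.port, int(pkt.ts))
        self.seen[bucket] += 1
        if self.seen[bucket] > self.limit:
            return "discard: rate limit"
        # Condition 1: sender information must match a current binding.
        b = self.table.get((pkt.sender_mac.lower(), pkt.vlan))
        if b is None:
            return "discard: no binding"
        if b.ip != pkt.sender_ip or b.port != pkt.port:
            return ("discard: static deny" if b.kind == "static"
                    else "discard: dhcp deny")
        return "forward"


# Constructed sample data (documentation MAC and IP ranges).
HOST_A, HOST_X, GATEWAY = ("00:00:5e:00:53:0a", "00:00:5e:00:53:1e",
                           "00:00:5e:00:53:fe")
SAMPLE_BINDINGS = [
    Binding(HOST_A, 10, "192.0.2.10", 1, "dhcp-snooping"),
    Binding(HOST_X, 10, "192.0.2.30", 3, "dhcp-snooping"),
    Binding(GATEWAY, 10, "192.0.2.1", 48, "static"),
]
SAMPLE_PACKETS = [
    ArpPacket(0.10, 1, 10, HOST_A, "192.0.2.10"),    # matches its binding
    ArpPacket(0.20, 3, 10, HOST_X, "192.0.2.1"),     # claims the gateway's IP
    ArpPacket(0.30, 3, 10, "00:00:5e:00:53:99", "192.0.2.10"),  # unknown MAC
    ArpPacket(0.40, 1, 10, GATEWAY, "192.0.2.1"),    # gateway MAC, wrong port
    ArpPacket(0.50, 48, 10, GATEWAY, "192.0.2.1"),   # arrives on trusted uplink
    ArpPacket(1.00, 3, 10, HOST_X, "192.0.2.30"),    # burst of four valid
    ArpPacket(1.10, 3, 10, HOST_X, "192.0.2.30"),    # packets within one
    ArpPacket(1.20, 3, 10, HOST_X, "192.0.2.30"),    # second on port 3
    ArpPacket(1.30, 3, 10, HOST_X, "192.0.2.30"),
]


def run_demo():
    """Inspect the sample packets with port 48 trusted and a 3 pps limit."""
    inspector = ArpInspector(SAMPLE_BINDINGS, trusted_ports=[48],
                             rate_limit_pps=3)
    return [inspector.inspect(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(f"port {pkt.port:>2} {pkt.sender_mac} {pkt.sender_ip:<11} {verdict}")
```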
Table 83 IP Source Guard (continued)
LABEL | DESCRIPTION
Type | This field displays how the Switch learned the binding.
static: This binding was learned from information provided manually by an administrator.
dhcp-snooping: This binding was learned by snooping DHCP packets.
This field displays the source VLAN ID in the binding....
Page 206
Table 84 IP Source Guard Static Binding (continued)
LABEL | DESCRIPTION
Clear | Click Clear to reset the fields to the factory defaults.
Index | This field displays a sequential number for each binding.
MAC Address | This field displays the source MAC address in the binding.
IP Address | This field displays the IP address assigned to the MAC address in the binding....
Chapter 24 IP Source Guard 24.4 DHCP Snooping Use this screen to look at various statistics about the DHCP snooping database. To open this screen, click Advanced Application > IP Source Guard > DHCP Snooping. Figure 110 DHCP Snooping The following table describes the labels in this screen. Table 85 DHCP Snooping LABEL DESCRIPTION...
Page 208
Table 85 DHCP Snooping (continued)
LABEL | DESCRIPTION
Write delay timer | This field displays how long (in seconds) the Switch tries to complete a specific update in the DHCP snooping database before it gives up.
Abort timer | This field displays how long (in seconds) the Switch waits to update the DHCP snooping database after the current bindings change....
Table 85 DHCP Snooping (continued)
LABEL | DESCRIPTION
Last ignored bindings counters | This section displays the number of times and the reasons the Switch ignored bindings the last time it read bindings from the DHCP binding database. You can clear these counters by restarting the Switch or using CLI commands....
Page 210
Chapter 24 IP Source Guard still available after a restart. To open this screen, click Advanced Application > IP Source Guard > DHCP Snooping > Configure. Figure 111 DHCP Snooping Configure The following table describes the labels in this screen. Table 86 DHCP Snooping Configure LABEL DESCRIPTION...
Table 86 DHCP Snooping Configure (continued)
LABEL | DESCRIPTION
Renew DHCP Snooping URL | Enter the location of a DHCP snooping database, and click Renew if you want the Switch to load it. You can use this to load dynamic bindings from a different DHCP snooping database than the one specified in Agent URL....
The following table describes the labels in this screen.
Table 87 DHCP Snooping Port Configure
LABEL | DESCRIPTION
Port | This field displays the port number. If you configure the * port, the settings are applied to all of the ports.
Server Trusted state | Select whether this port is a trusted port (Trusted) or an untrusted port (Untrusted)....
Chapter 24 IP Source Guard Table 88 DHCP Snooping VLAN Configure (continued) LABEL DESCRIPTION End VID Enter the highest VLAN ID you want to manage in the section below. Apply Click this to display the specified range of VLANs in the section below. This field displays the VLAN ID of each VLAN in the range specified above.
Table 89 ARP Inspection Status (continued)
LABEL | DESCRIPTION
Port | This field displays the source port of the discarded ARP packet.
Expiry (sec) | This field displays how long (in seconds) the MAC address filter remains in the Switch. You can also delete the record manually (Delete)....
Table 90 ARP Inspection VLAN Status
LABEL | DESCRIPTION
Request | This field displays the total number of ARP Request packets received from the VLAN since the Switch last restarted.
Reply | This field displays the total number of ARP Reply packets received from the VLAN since the Switch last restarted....
Table 91 ARP Inspection Log Status (continued)
LABEL | DESCRIPTION
Reason | This field displays the reason the log message was generated.
dhcp deny: An ARP packet was discarded because it violated a dynamic binding with the same MAC address and VLAN ID.
static deny: An ARP packet was discarded because it violated a static binding with the same MAC address and VLAN ID....
The following table describes the labels in this screen.
Table 92 ARP Inspection Configure
LABEL | DESCRIPTION
Active | Select this to enable ARP inspection on the Switch. You still have to enable ARP inspection on specific VLANs and specify trusted ports.
Filter Aging Time
Filter aging time | This setting has no effect on existing MAC address filters....
Page 218
Chapter 24 IP Source Guard open this screen, click Advanced Application > IP Source Guard > ARP Inspection > Configure > Port. Figure 118 ARP Inspection Port Configure The following table describes the labels in this screen. Table 93 ARP Inspection Port Configure LABEL DESCRIPTION Port...
Chapter 24 IP Source Guard 24.7.2 ARP Inspection VLAN Configure Use this screen to enable ARP inspection on each VLAN and to specify when the Switch generates log messages for receiving ARP packets from each VLAN. To open this screen, click Advanced Application >...
Chapter 25 Loop Guard
This chapter shows you how to configure the Switch to guard against loops on the edge of your network.
25.1 Loop Guard Overview
Loop guard allows you to configure the Switch to shut down a port if it detects that packets sent out on that port loop back to the Switch....
Page 221
Chapter 25 Loop Guard The following figure shows port N on switch A connected to switch B. Switch B is in loop state. When broadcast or multicast packets leave port N and reach switch B, they are sent back to port N on A as they are rebroadcast from B.
Chapter 25 Loop Guard Note: After resolving the loop problem on your network you can re-activate the disabled port via the web configurator (see Section 6.7 on page 78) or via commands (see the Ethernet Switch CLI Reference Guide). 25.2 Loop Guard Setup Click Advanced Application >...
Page 223
Chapter 25 Loop Guard Table 95 Advanced Application > Loop Guard (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Chapter 26 VLAN Mapping
This chapter shows you how to configure VLAN mapping on the Switch.
26.1 VLAN Mapping Overview
With VLAN mapping enabled, the Switch can map the VLAN ID and priority level of packets received from a private network to those used in the service provider’s network. The Switch checks incoming traffic from the switch ports (non-management ports) first against the VLAN mapping table, then the MAC learning table and then the VLAN table before forwarding it through the Gigabit uplink port....
Chapter 26 VLAN Mapping 26.2 Enabling VLAN Mapping Click Advanced Application and then VLAN Mapping in the navigation panel to display the screen as shown. Figure 126 VLAN Mapping The following table describes the labels in this screen. Table 96 VLAN Mapping LABEL DESCRIPTION Active...
Chapter 26 VLAN Mapping 26.3 Configuring VLAN Mapping Click the VLAN Mapping Configure link in the VLAN Mapping screen to display the screen as shown. Use this screen to enable and edit the VLAN mapping rule(s). Figure 127 VLAN Mapping Configuration The following table describes the labels in this screen.
Chapter 27 Layer 2 Protocol Tunneling
This chapter shows you how to configure layer-2 protocol tunneling on the Switch.
27.1 Layer 2 Protocol Tunneling Overview
Layer-2 protocol tunneling (L2PT) is used on the service provider's edge devices. L2PT allows edge switches (1 and 2 in the following figure) to tunnel layer-2 STP (Spanning Tree Protocol), CDP (Cisco Discovery Protocol) and VTP (VLAN Trunking Protocol) packets between customer switches (A, B and C in the following figure) connected through the service provider’s network....
Chapter 27 Layer 2 Protocol Tunneling To emulate a point-to-point topology between two customer switches at different sites, such as A and B, you can enable protocol tunneling on edge switches 1 and 2 for PAgP (Port Aggregation Protocol), LACP or UDLD (UniDirectional Link Detection). Figure 129 L2PT Network Example Service Provider's Network...
Chapter 27 Layer 2 Protocol Tunneling 27.2 Configuring Layer 2 Protocol Tunneling Click Advanced Application > Layer 2 Protocol Tunneling in the navigation panel to display the screen as shown. Figure 130 Advanced Application > Layer 2 Protocol Tunneling The following table describes the labels in this screen. Table 98 Advanced Application >...
Page 231
Chapter 27 Layer 2 Protocol Tunneling Table 98 Advanced Application > Layer 2 Protocol Tunneling (continued) LABEL DESCRIPTION Select this option to have the Switch tunnel STP (Spanning Tree Protocol) packets so that STP can run properly across the service provider’s network and spanning trees can be set up based on bridge information from all (local and remote) networks.
Chapter 28 sFlow
This chapter shows you how to configure sFlow to have the Switch monitor traffic in a network and send information to an sFlow collector for analysis.
28.1 sFlow Overview
sFlow (RFC 3176) is a standard technology for monitoring switched networks. An sFlow agent embedded on a switch or router gets sample data and packet statistics from traffic forwarded through its ports....
Chapter 28 sFlow 28.2 sFlow Port Configuration Click Advanced Application > sFlow in the navigation panel to display the screen as shown. Figure 132 Advanced Application > sFlow The following table describes the labels in this screen. Table 99 Advanced Application > sFlow LABEL DESCRIPTION Active...
Chapter 28 sFlow Table 99 Advanced Application > sFlow (continued) LABEL DESCRIPTION Collector Enter the IP address of the sFlow collector. Address Note: You must have the sFlow collector already configured in the sFlow > Collector screen. The sFlow collector does not need to be in the same subnet as the Switch, but it must be accessible from the Switch.
Page 235
Chapter 28 sFlow Table 100 Advanced Application > sFlow > Collector (continued) LABEL DESCRIPTION Clear Click Clear to reset the fields to the factory defaults. Index This field displays the index number of this entry. Collector This field displays IP address of the sFlow collector. Address UDP Port This field displays port number the Switch uses to send sFlow datagram to the collector.
Chapter 29 PPPoE
This chapter describes how the Switch gives a PPPoE termination server additional information that the server can use to identify and authenticate a PPPoE client.
29.1 PPPoE Intermediate Agent Overview
A PPPoE Intermediate Agent (PPPoE IA) is deployed between a PPPoE server and PPPoE clients. It helps the PPPoE server identify and authenticate clients by adding subscriber line specific information to PPPoE discovery packets from clients on a per-port or per-port-per-VLAN basis before forwarding them to the PPPoE server....
Table 103 PPPoE IA Remote ID Sub-option Format
SubOpt | Length | Value
0x02 (1 byte) | (1 byte) | MAC Address or String (63 bytes)
The 1 in the first field identifies this as an Agent Circuit ID sub-option and 2 identifies this as an Agent Remote ID sub-option....
Chapter 29 PPPoE Trusted ports are connected to PPPoE servers. • If a PADO (PPPoE Active Discovery Offer), PADS (PPPoE Active Discovery Session-confirmation), or PADT (PPPoE Active Discovery Terminate) packet is sent from a PPPoE server and received on a trusted port, the Switch forwards it to all other ports. •...
Page 239
Chapter 29 PPPoE Click Advanced Application > PPPoE > Intermediate Agent in the navigation panel to display the screen as shown. Figure 135 Advanced Application > PPPoE > Intermediate Agent The following table describes the labels in this screen. Table 106 Advanced Application > PPPoE > Intermediate Agent LABEL DESCRIPTION Active...
Chapter 29 PPPoE Table 106 Advanced Application > PPPoE > Intermediate Agent (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Chapter 29 PPPoE Table 107 Advanced Application > PPPoE > Intermediate Agent > Port (continued) LABEL DESCRIPTION Server Trusted Select whether this port is a trusted port (Trusted) or an untrusted port (Untrusted). State Trusted ports are uplink ports connected to PPPoE servers. •...
Page 242
Chapter 29 PPPoE Click the VLAN link in the Intermediate Agent > Port screen to display the screen as shown. Figure 137 Advanced Application > PPPoE > Intermediate Agent > Port > VLAN The following table describes the labels in this screen. Table 108 Advanced Application >...
Chapter 29 PPPoE 29.3.3 PPPoE IA for VLAN Use this screen to set whether the PPPoE Intermediate Agent is enabled on a VLAN and whether the Switch appends the Circuit ID and/or Remote ID to PPPoE discovery packets from a specific VLAN. Click the VLAN link in the Intermediate Agent screen to display the screen as shown.
Chapter 30 Error Disable
This chapter shows you how to configure the rate limit for control packets on a port, and set the Switch to take an action (such as to shut down a port or stop sending packets) on a port when the Switch detects a pre-configured error....
Chapter 30 Error Disable 30.3 The Error Disable Screen Use this screen to configure error disable related settings. Click Advanced Application > Errdisable in the navigation panel to open the following screen. Advanced Application > Errdisable Figure 139 30.4 CPU Protection Configuration Use this screen to limit the maximum number of control packets (ARP, BPDU and/or IGMP) that the Switch can receive or transmit on a port.
Chapter 30 Error Disable The following table describes the labels in this screen. Table 110 Advanced Application > Errdisable > CPU protection LABEL DESCRIPTION Reason Select the type of control packet you want to configure here. Port This field displays the port number. Use this row to make the setting the same for all ports.
Chapter 30 Error Disable Table 111 Advanced Application > Errdisable > Errdisable Detect (continued) LABEL DESCRIPTION Mode Select the action that the Switch takes when the number of control packets exceed the rate limit on a port, set in the Advanced Application > Errdisable > CPU protection screen. •...
Page 248
Chapter 30 Error Disable Table 112 Advanced Application > Errdisable > Errdisable Recovery (continued) LABEL DESCRIPTION Timer Status Select this option to allow the Switch to wait for the specified time interval to activate a port or allow specific packets on a port, after the error was gone. Deselect this option to turn off this rule.
Chapter 31 Private VLAN
31.1 Private VLAN Overview
Use private VLAN if you want to block traffic between ports in the same VLAN. Community and Isolated VLANs are secondary private VLANs that must be associated with a Primary private VLAN. •...
Page 250
Chapter 31 Private VLAN Table 113 PVLAN Graphic Key (continued) LABEL DESCRIPTION C-VLAN 101 Community private VLAN I-VLAN 102 Isolated private VLAN Tagged Private VLANs can span switches but trunking ports must be VLAN-trunking ports - see Advanced > VLAN Status > VLAN Port Setting. Table 114 Spanning PVLAN Graphic Key LABEL DESCRIPTION...
Chapter 31 Private VLAN Note: Isolation in VLAN > VLAN Port Setting (see Section 7.5.4 on page 88) has a higher priority than private VLAN settings, so promiscuous ports with Isolation in VLAN > VLAN Port Setting enabled will not be able to communicate with each other.
Page 252
Chapter 31 Private VLAN Table 115 Advanced Application > Private VLAN (continued) LABEL DESCRIPTION Associated VLAN Enter the VLAN ID of a previously created VLAN here. Note: The VLAN ID and Mode selected here must be the same as the VLAN ID and created in Advanced Application >...
Chapter 32 Static Route
This chapter shows you how to configure static routes.
32.1 Static Routing Overview
The Switch uses IP for communication with management computers, for example using HTTP, Telnet, SSH, or SNMP. Use IP static routes to have the Switch respond to remote management stations that are not reachable through the default gateway....
Chapter 32 Static Route 32.2 Configuring Static Routing Click IP Application > Static Routing in the navigation panel to display the screen as shown. Figure 145 IP Application > Static Routing The following table describes the related labels you use to create a static route. Table 116 IP Application >...
Page 255
Chapter 32 Static Route Table 116 IP Application > Static Routing (continued) LABEL DESCRIPTION Name This field displays the descriptive name for this route. This is for identification purposes only. Destination This field displays the IP network address of the final destination. Address Subnet Mask This field displays the subnet mask for this destination.
Chapter 33 Differentiated Services
This chapter shows you how to configure Differentiated Services (DiffServ) on the Switch.
33.1 DiffServ Overview
Quality of Service (QoS) is used to prioritize source-to-destination traffic flows. All packets in the flow are given the same priority. You can use CoS (class of service) to give different priorities to different packet types....
Chapter 33 Differentiated Services various traffic policies to the traffic flows. For example, one traffic policy would be to give higher drop precedence to one traffic flow over others. In our example packets in the Bronze traffic flow are more likely to be dropped when congestion occurs than the packets in the Platinum traffic flow as they move across the DiffServ network.
Chapter 33 Differentiated Services 33.2.1 TRTCM - Color-blind Mode All packets are evaluated against the PIR. If a packet exceeds the PIR it is marked red. Otherwise it is evaluated against the CIR. If it exceeds the CIR then it is marked yellow. Finally, if it is below the CIR then it is marked green.
Chapter 33 Differentiated Services Click IP Application > DiffServ in the navigation panel to display the screen as shown. Figure 150 IP Application > DiffServ The following table describes the labels in this screen. Table 117 IP Application > DiffServ LABEL DESCRIPTION Active...
Page 260
Chapter 33 Differentiated Services Note: You cannot enable both TRTCM and Bandwidth Control at the same time. Figure 151 IP Application > DiffServ > 2-rate 3 Color Marker The following table describes the labels in this screen. Table 118 IP Application > DiffServ > 2-rate 3 Color Marker LABEL DESCRIPTION Active...
Chapter 33 Differentiated Services Table 118 IP Application > DiffServ > 2-rate 3 Color Marker (continued) LABEL DESCRIPTION DSCP Use this section to specify the DSCP values that you want to assign to packets based on the color they are marked via TRTCM. green Specify the DSCP value to use for packets with low packet loss priority.
Page 262
Chapter 33 Differentiated Services The following table describes the labels in this screen. Table 120 IP Application > DiffServ > DSCP Setting LABEL DESCRIPTION 0 … 63 This is the DSCP classification identification number. To set the IEEE 802.1p priority mapping, select the priority level from the drop-down list box. Apply Click Apply to save your changes to the Switch’s run-time memory.
Chapter 34 DHCP
This chapter shows you how to configure the DHCP feature.
34.1 DHCP Overview
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual computers to obtain TCP/IP configuration at start-up from a server. When you configure the Switch as a relay agent, the Switch forwards DHCP requests to a DHCP server on your network....
Chapter 34 DHCP 34.3 DHCP Relay Configure DHCP relay on the Switch if the DHCP clients and the DHCP server are not in the same broadcast domain. During the initial IP address leasing, the Switch helps to relay network information (such as the IP address and subnet mask) between a DHCP client and a DHCP server. Once the DHCP client obtains an IP address and can connect to the network, network information renewal is done between the DHCP client and the DHCP server without the help of the Switch.
Chapter 34 DHCP 34.3.2 Configuring DHCP Global Relay Configure global DHCP relay in the DHCP Relay screen. Click IP Application > DHCP in the navigation panel and click the Global link to display the screen as shown. Figure 154 IP Application > DHCP > Global The following table describes the labels in this screen.
34.3.3 Global DHCP Relay Configuration Example
The following figure shows a network example where the Switch is used to relay DHCP requests for the VLAN1 and VLAN2 domains. There is only one DHCP server that services the DHCP clients in both domains....
Note: You must set up a management IP address for each VLAN that you want to configure DHCP settings for on the Switch. See Section 6.6 on page 76 for information on how to do this.
Figure 157 IP Application > DHCP > VLAN
The following table describes the labels in this screen....
Page 268
the academic buildings (VLAN 2) are sent to the other DHCP server with an IP address of 172.23.10.100.
Figure 158 DHCP Relay for Two VLANs (figure labels: DHCP:192.168.1.100, VLAN 1, VLAN 2, DHCP:172.23.10.100)
For the example network, configure the VLAN Setting screen as shown.
Figure 159 DHCP Relay for Two VLANs Configuration Example
XS3900-48F User’s Guide...
Chapter 35 Maintenance
This chapter explains how to configure the maintenance screens that let you maintain the firmware and configuration files.
35.1 The Maintenance Screen
Use this screen to manage firmware and your configuration files. Click Management > Maintenance in the navigation panel to open the following screen. Management >...
Chapter 35 Maintenance 35.2 Load Factory Default Follow the steps below to reset the Switch back to the factory defaults. In the Maintenance screen, click the Click Here button next to Load Factory Default to clear all Switch configuration information you configured and return to the factory defaults. Click OK to reset all Switch configurations to the factory defaults.
Chapter 35 Maintenance In the Maintenance screen, click the Config 1 button next to Reboot System to reboot and load configuration one. The following screen displays. Figure 162 Reboot System: Confirmation Click OK again and then wait for the Switch to restart. This takes up to two minutes. This does not affect the Switch’s configuration.
Chapter 35 Maintenance 35.6 Restore a Configuration File Restore a previously saved configuration from your computer to the Switch using the Restore Configuration screen. Figure 164 Management > Maintenance > Restore Configuration Type the path and file name of the configuration file you wish to restore in the File Path text box or click Browse to display the Choose File screen from which you can locate it.
Chapter 35 Maintenance 35.8 FTP Command Line This section shows some examples of uploading to or downloading files from the Switch using FTP commands. First, understand the filename conventions. 35.8.1 Filename Conventions The configuration file (also known as the romfile or ROM) contains the factory default settings in the screens such as password, Switch setup, IP Setup, and so on.
Be sure to upload the correct model firmware as uploading the wrong model firmware may damage your device.
35.8.2 FTP Command Line Procedure
Launch the FTP client on your computer.
Enter open, followed by a space and the IP address of your Switch.
Press [ENTER] when prompted for a username (the default is “admin”)....
Page 275
• The IP address(es) in the Remote Management screen does not match the client IP address. If it does not match, the Switch will disconnect the FTP session immediately.
Chapter 36 Access Control
This chapter describes how to control access to the Switch.
36.1 Access Control Overview
A console port and FTP are allowed one session each, Telnet and SSH share nine sessions, up to five Web sessions (five different usernames and passwords) and/or limitless SNMP access control sessions are allowed....
Chapter 36 Access Control SNMP version 3. The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured. Figure 167 SNMP Management Model An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed Switch (the Switch).
36.3.2 Supported MIBs
MIBs let administrators collect statistics and monitor status and performance. The Switch supports the following MIBs:
• SNMP MIB II (RFC 1213)
• RFC 1157 SNMP v1
• RFC 1493 Bridge MIBs
• RFC 1643 Ethernet MIBs
•...
Page 279
Table 130 SNMP System Traps (continued)
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
fanairflow | FanAirFlowEventOn | 1.3.6.1.4.1.890.1.5.8.74.31.2.1 | Fan module and power module fan airflow must be in the same direction (front-to-back or back-to-front) on the same Switch. This trap is sent when the airflows are not in the same direction....
Page 280
Table 131 SNMP Interface Traps (continued)
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
autonegotiation | AutonegotiationFailedEventOn | 1.3.6.1.4.1.890.1.5.8.74.31.2.1 | This trap is sent when an Ethernet interface fails to auto-negotiate with the peer Ethernet interface.
autonegotiation | AutonegotiationFailedEventClear | 1.3.6.1.4.1.890.1.5.8.74.31.2.2 | This trap is sent when an Ethernet interface auto-negotiates with the peer Ethernet interface....
Page 281
Table 132 AAA Traps (continued)
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
accounting | RADIUSAcctNotReachableEventOn | 1.3.6.1.4.1.890.1.5.8.74.31.2.1 | This trap is sent when there is no response message from the RADIUS accounting server.
accounting | RADIUSAcctNotReachableEventClear | 1.3.6.1.4.1.890.1.5.8.74.31.2.2 | This trap is sent when the RADIUS accounting server can be reached....
Chapter 36 Access Control 36.3.4 Configuring SNMP From the Access Control screen, display the SNMP screen. You can click Access Control to go back to the Access Control screen. Figure 168 Management > Access Control > SNMP The following table describes the labels in this screen. Table 135 Management >...
Chapter 36 Access Control Table 135 Management > Access Control > SNMP (continued) LABEL DESCRIPTION Username Enter the username to be sent to the SNMP manager along with the SNMP v3 trap. Note: This username must match an existing account on the Switch (configured in the Management >...
Chapter 36 Access Control Table 136 Management > Access Control > SNMP > Trap Group (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Chapter 36 Access Control Table 137 Management > Access Control > SNMP > User (continued) LABEL DESCRIPTION Authentication Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower.
Page 286
Note: It is highly recommended that you change the default administrator password (1234).
• A non-administrator (username is something other than admin) is someone who can view but not configure Switch settings.
Click Management > Access Control > Logins to view the screen as shown.
Figure 171 Management >...
Chapter 36 Access Control 36.5 Service Access Control Overview This section introduces some of the services you can use to access and manage the Switch. 36.5.1 SSH Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
Chapter 36 Access Control Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server.
Page 289
Chapter 36 Access Control HTTP connection requests from a web browser go to port 80 (by default) on the Switch’s WS (web server). Figure 174 HTTPS Implementation Note: If you disable HTTP in the Service Access Control screen, then the Switch blocks all HTTP connection attempts.
Page 290
After you log in, you will see the red address bar with the message Certificate Error. Click on Certificate Error next to the address bar and click View certificates.
Figure 176 Certificate Error (Internet Explorer 7 or 8)
Click Install Certificate...
Page 291
36.5.2.4 Mozilla Firefox Warning Messages
When you attempt to access the Switch HTTPS server, a This Connection is Untrusted screen may display. If that is the case, click I Understand the Risks and then the Add Exception... button....
Page 292
Confirm the HTTPS server URL matches. Click Confirm Security Exception to proceed to the web configurator login screen.
Figure 179 Security Alert (Mozilla Firefox)
36.5.2.5 The Main Screen
After you accept the certificate and enter the login username and password, the Switch main screen appears....
Mozilla Firefox) or next to the address bar (in Internet Explorer 7 or 8) denotes a secure connection.
Figure 180 Example: Lock Denoting a Secure Connection
36.5.3 Configuring Service Port Access Control
Service Access Control allows you to decide what services you may use to access the Switch. You may also change the default service port and configure “trusted computer(s)”...
Chapter 36 Access Control The following table describes the fields in this screen. Table 139 Management > Access Control > Service Access Control LABEL DESCRIPTION Services Services you may use to access the Switch are listed here. Active Select this option for the corresponding services that you want to allow to access the Switch. Service Port For Telnet, SSH, FTP, HTTP or HTTPS services, you may change the default service port by typing the new port number in the Server Port field.
Chapter 36 Access Control The following table describes the labels in this screen. Table 140 Management > Access Control > Remote Management LABEL DESCRIPTION Entry This is the client set index number. A “client set” is a group of one or more “trusted computers”...
Chapter 37 Diagnostic This chapter explains the Diagnostic screen. 37.1 Diagnostic Click Management > Diagnostic in the navigation panel to open this screen. Use this screen to check system logs, ping IP addresses or perform port tests. Figure 183 Management > Diagnostic The following table describes the labels in this screen.
Chapter 38 Syslog This chapter explains the syslog screens. 38.1 Syslog Overview The syslog protocol allows devices to send event notification messages across an IP network to syslog servers that collect the event messages. A syslog-enabled device can generate a syslog message and send it to a syslog server.
Chapter 38 Syslog 38.2 Syslog Setup Click Management > Syslog in the navigation panel to display this screen. The syslog feature sends logs to an external syslog server. Use this screen to configure the device’s system logging settings. Figure 184 Management > Syslog The following table describes the labels in this screen.
Chapter 38 Syslog 38.3 Syslog Server Setup Click Management > Syslog > Syslog Server Setup to open the following screen. Use this screen to configure a list of external syslog servers. Figure 185 Management > Syslog > Server Setup The following table describes the labels in this screen. Table 144 Management >...
Chapter 39 Cluster Management This chapter introduces cluster management. 39.1 Clustering Management Status Overview Cluster Management allows you to manage switches through one Switch, called the cluster manager. The switches must be directly connected and be in the same VLAN group so as to be able to communicate with one another.
Chapter 39 Cluster Management In the following example, switch A in the basement is the cluster manager and the other switches on the upper floors of the building are cluster members. Figure 186 Clustering Application Example 39.2 Cluster Management Status Click Management >...
Chapter 39 Cluster Management The following table describes the labels in this screen. Table 146 Management > Cluster Management LABEL DESCRIPTION Status This field displays the role of this Switch within the cluster: Manager, Member (you see this if you access this screen in the cluster member switch directly and not via the cluster manager), or None (neither a manager nor a member of a cluster). Manager...
Chapter 39 Cluster Management configurator home page. This cluster member web configurator home page and the home page that you'd see if you accessed it directly are different. Figure 188 Cluster Management: Cluster Member Web Configurator Screen 39.2.1.1 Uploading Firmware to a Cluster Member Switch You can use FTP to upload firmware to a cluster member switch through the cluster manager switch as shown in the following example.
Chapter 39 Cluster Management The following table explains some of the FTP parameters. Table 147 FTP Upload to Cluster Member Example FTP PARAMETER DESCRIPTION User: Enter “admin”. Password: The web configurator password default is 1234. Enter this command to list the name of cluster member switch’s firmware and configuration file.
Chapter 39 Cluster Management The following table describes the labels in this screen. Table 148 Management > Clustering Management > Configuration LABEL DESCRIPTION Clustering Manager Active Select Active to have this Switch become the cluster manager switch. A cluster can only have one manager.
Chapter 40 MAC Table This chapter introduces the MAC Table screen. 40.1 MAC Table Overview The MAC Table screen (a MAC table is also known as a filtering database) shows how frames are forwarded or filtered across the Switch’s ports. When a device (which may belong to a VLAN group) sends a packet which is forwarded to a port on the Switch, the MAC address of the device is shown on the Switch’s MAC Table.
Chapter 40 MAC Table 40.2 Viewing the MAC Table Click Management > MAC Table in the navigation panel to display the following screen. Use this screen to search specific MAC addresses. You can also directly add dynamic MAC address(es) into the static MAC forwarding table or MAC filtering table from the MAC table using this screen.
Chapter 40 MAC Table Table 149 Management > MAC Table (continued) LABEL DESCRIPTION Transfer Click this to perform the MAC address transferring you selected in the Transfer Type field. Cancel Click this to begin configuring the search criteria afresh. The Total Number of This field displays the total number of MAC addresses learned on the Switch.
Chapter 41 ARP Table This chapter introduces ARP Table. 41.1 ARP Table Overview Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network.
Chapter 41 ARP Table 41.2 The ARP Table Screen Click Management > ARP Table in the navigation panel to open the following screen. Use the ARP table to view IP-to-MAC address mapping(s) and remove specific dynamic ARP entries. Figure 193 Management > ARP Table The following table describes the labels in this screen.
Chapter 42 Configure Clone This chapter shows you how you can copy the settings of one port onto other ports. 42.1 Configure Clone Cloning allows you to copy the basic and advanced settings from a source port to a destination port or ports.
Chapter 42 Configure Clone The following table describes the labels in this screen. Table 151 Management > Configure Clone LABEL DESCRIPTION Source/Destination Port: Enter the source port under the Source label. This port’s attributes are copied. Enter the destination port or ports under the Destination label. These are the ports which are going to have the same attributes as the source port.
Chapter 43 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • Switch Access and Login • Switch Configuration 43.1 Power, Hardware Connections, and LEDs The Switch does not turn on.
Chapter 43 Troubleshooting Disconnect and re-connect the power adaptor or cord to the Switch (in AC models or if the AC power supply is connected in AC/DC models). If the problem continues, contact the vendor. 43.2 Switch Access and Login I forgot the IP address for the Switch.
Chapter 43 Troubleshooting Reset the device to its factory defaults, and try to access the Switch with the default IP address. Section 4.6 on page If the problem continues, contact the vendor, or try one of the advanced suggestions. Advanced Suggestions •...
Chapter 43 Troubleshooting Click the Display button in the System Log field in the Management > Diagnostic screen to check for unauthorized access to your Switch. To avoid unauthorized access, configure the secured client setting in the Management > Access Control > Remote Management screen for telnet, HTTP and SSH (see Section 36.6 on page 294).
Appendix A Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. •...
Appendix A Common Services Table 152 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION HTTPS HTTPS is a secured http session often used in e-commerce. ICMP User-Defined Internet Control Message Protocol is often used for diagnostic or routing purposes. 4000 This is a popular Internet chat program.
Appendix A Common Services Table 152 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION SQL-NET 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. TCP/UDP Secure Shell Remote Login Program.
Appendix A Common Services XS3900-48F User’s Guide...
This publication is subject to change without notice. Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Appendix B Legal Information • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. • Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning. •...