ADMINISTRATION GUIDE Cisco Small Business Pro ESW 500 Series Switches
Contents

Chapter: Getting Started
  Introduction
  Typical Installation Methods
  Default Configuration settings on the ESW 500 Series Switches
  Physical Connectivity
  Connecting to the Switch
  Using the Default Static IP Address
  Using a Dynamic IP Address Allocated to the Switch By DHCP
  Using the Cisco Configuration Assistant (CCA)
  Navigating The Cisco Switch Configuration Utility
  Using the Management Buttons
  Performing Common Configuration Tasks
  Checking th

  Help
  Defining System Information
  Viewing Device Health
  Resetting the Device
  Managing Cisco Discovery Protocol
  Defining the Bonjour Discovery Protocol
  TCAM Utilization
Chapter: Managing Smart Ports
  Configuring Smart Ports for Desktops
  Configuring Smart Ports for IP Phones and Desktops
  Configuring Smart Ports for Access Points
  Configuring Smart Ports for Switches
  Configuring Smart Ports for Routers
  Configuring Smart ports for Guests

  Mapping Authentication Profiles
  Defining TACACS+
  Modifying TACACS+ Settings
  Defining RADIUS
  Modifying RADIUS Server Settings
  Defining Access Methods
  Defining Access Profiles
  Defining Profile Rules
  Modifying Profile Rules
  Defining Traffic Control
  Defining Storm Control
  Modifying Storm Control
  Defining Port Security
  Modifying Port Security
  Defining 802.1x
  Defining 802.

  Defining Martian Addresses
  Defining DHCP Snooping
  Defining DHCP Snooping Properties
  Defining DHCP Snooping on VLANs
  Defining Trusted Interfaces
  Binding Addresses to the DHCP Snooping Database
  Query By
  Query Results
  Defining IP Source Guard
  Configuring IP Source Guard Properties
  Defining IP Source Guard Interface Settings
  Querying the IP Source Binding Database
  TCAM Resources
  Query By
  Query Results
  Defining Dy

  Assigning Ports to Multiple VLANs
  Defining Interface Settings
  Modifying VLAN Interface Settings
  Defining GVRP Settings
  Modifying GVRP Settings
  Defining Protocol Groups
  Modifying Protocol Groups
  Defining a Protocol Port
Chapter: Configuring IP Information
  IP Addressing
  Defining DHCP Relay
  Defining DHCP Relay Interfaces
  Managing ARP
  ARP Table
  Modifying ARP Settings
  Domain Name System
  Defining DNS Servers

  Modifying a Multicast Group
  Defining Multicast Forwarding
  Modifying Multicast Forwarding
  Defining Unregistered Multicast Settings
Chapter: Configuring Spanning Tree
  Defining STP Properties
  Global Settings
  Defining Spanning Tree Interface Settings
  Modifying Interface Settings
  Defining Rapid Spanning Tree
  Modifying RTSP
  Defining Multiple Spanning Tree
  Defining MSTP Properties
  Defining MSTP Instance to VLAN
  Defining

  Configuring Bandwidth
  Modifying Bandwidth Settings
  Configuring VLAN Rate Limit
  Modifying the VLAN Rate Limit
  Defining Advanced QoS Mode
  Configuring DSCP Mapping
  Defining Class Mapping
  Defining Aggregate Policer
  Modifying QoS Aggregate Policer
  Configuring Policy Table
  Modifying the QoS Policy Profile
  Defining Policy Binding
  Modifying QoS Policy Binding Settings
  Defining QoS Basic Mode
  Rewriting DSCP Values
Chapter: Configuring SNMP

  Modifying SNMP Notifications
  Defining SNMP Filter Settings
  Managing Cisco Discovery Protocol
Chapter: Managing System Files
  Software Upgrade
  Save Configuration
  Copy Configuration
  Via TFTP
  Via HTTP
  Active Image
  DHCP Auto Configuration
Chapter: Managing Power-over-Ethernet Devices
  Defining PoE Settings
Chapter: Managing System Logs
  Enabling System Logs
  Viewing the Device Memory Logs
  Clearing Message Logs

  Resetting GVRP Statistics Counters
  Viewing EAP Statistics
  Managing RMON Statistics
  Viewing RMON Statistics
  Resetting RMON Statistics Counters
  Configuring RMON History
  Defining RMON History Control
  Viewing the RMON History Table
  Defining RMON Events Control
  Modifying RMON Event Log Settings
  Viewing the RMON Events Logs
  Defining RMON Alarms
  Modifying RMON Alarm Settings
Chapter: Aggregating Ports
  Defining EtherChann
Getting Started

Introduction

Thank you for choosing the Cisco Small Business Pro ESW 500 Series Switch. The ESW 500 series is a family of Ethernet switches that addresses the network infrastructure and access needs of small business customers for voice, data, PCs, servers, and video applications. They are simple to deploy and manage for use with IP phones, access points, IP cameras, and Network Attached Storage servers, as well as almost any Ethernet device.
• Performing Common Configuration Tasks
• Using The Switch Console Port

Typical Installation Methods

The first step in any installation scenario is to connect to the switch and configure basic connectivity to ensure it communicates with the rest of the network.

In the third scenario, called Heterogeneous Network, you are adding an ESW 500 switch to a network which does not have any Cisco Small Business products.

Default Configuration settings on the ESW 500 Series Switches

The ESW 500 series switches ship with a default configuration that enables simplified installation and plug and play when connected into a Cisco Small Business network such as SBCS.

The ESW 540-24/24P and ESW 540-48 use shared ports. When connecting to uplink ports, the GE ports take precedence over the Copper ports. For example, on an ESW 540-24, if you plug a device into GE1, you cannot use port 11.

[Figure: ESW-520-24/24P, ESW-520-48/48P, ESW-540-24/24P, ESW-540-48]
Connecting to the Switch

This section contains information for starting the Switch Configuration Utility to provision the switch features. There are four different options to connect to the switch, three of which launch the Switch Configuration Utility.

STEP 3 If your PC is using a static IP address, make note of your current IP address settings, and record them for future use.
STEP 4 Place the PC on the same subnet as the switch by configuring the PC with the following parameters:
• Static IP address — 192.168.10.11
• Subnet mask — 255.255.255.0
• Default gateway — 192.168.10.

[Figure: Log In page]

STEP 6 Enter a user name and password. The default user name is cisco and the default password is cisco. Passwords are both case sensitive and alpha-numeric. Click Log In.
STEP 7 While the system is verifying the login attempt, the Log In Progress Indicator appears. The indicator dots rotate clockwise to indicate that the system is still working. If the login attempt is successful, the Change Username/Password Page opens.

[Figure: Switch Configuration Utility - System Dashboard]

STEP 9 Click Monitor & Device Properties > System Management > IP Addressing > IPv4 Interface. The IPv4 Interface page opens.

[Figure: IPv4 Interface Page]

NOTE It is expected that the IP address to be assigned to the switch is known prior to installation, based on the network topology.
STEP 10 Select the Static IP address radio button and enter the IP Address, Network Mask and User Defined Default Gateway. These must match the IP addressing subnet in the network in which the ESW 500 switch will be deployed. Click Apply.
NOTE The PC loses the connection to the switch at this point.

NOTE If you will be using this PC for further switch configuration, it will need to be on the same subnet as the switch.

Using a Dynamic IP Address Allocated to the Switch By DHCP

If this method of obtaining an IP address is used, you will need to have access to a configuration device that would allow you to see what IP addresses the DHCP server allocates.

[Figure: Log In page]

STEP 2 Enter a user name and password. The default user name is cisco and the default password is cisco. Passwords are both case sensitive and alpha-numeric.
STEP 3 Click Log In. The Switch Configuration Utility - System Dashboard Page opens.
STEP 4 A window opens that prompts you to change your username and password from the default. Choose a new username and password, then click Apply.

[Figure: Switch Configuration Utility - System Dashboard]

STEP 5 You are now ready to proceed with additional switch configuration.

Using the Cisco Configuration Assistant (CCA)

NOTE To perform an installation using CCA, you must have a PC with Windows Vista Ultimate or Windows XP, Service Pack 1 or later installed and CCA version 2.2 or higher installed.

STEP 1 Power on the ESW 500 series switch.
STEP 2 Connect one of the designated uplink ports on the ESW 500 series switch to the expansion port on the UC520 or one of the switch ports on the SR520.
STEP 3 Connect the PC with CCA installed to any access switch port on the ESW 500 or, alternatively, the UC500 or Small Business Pro router.
STEP 4 Launch CCA. To verify you have CCA version 2.2 or higher, click Help > About. The version page opens.

[Figure: Connect page]

STEP 6 Once you have connected to the community, the Topology View opens and displays the ESW 500 Series Switch. Right-click on the switch and it displays three options:
• Device Manager
• Properties
• Annotation
You can now continue configuring the switch in one of two ways: use CCA to do all of the configuration, or use the Device Manager to go to the Switch Configuration Utility.

[Figure: CCA Topology View page]

STEP 7 Click on Device Manager. The Log In page will launch in a new browser window.

[Figure: Log In page]

STEP 8 Enter a user name and password. The default user name is cisco and the default password is cisco. Passwords are both case sensitive and alpha-numeric.
STEP 9 Click Log In. The Switch Configuration Utility - System Dashboard Page opens.
STEP 10 A window opens that prompts you to change your username and password from the default. Choose a new username and password, then click Apply.

[Figure: Switch Configuration Utility - System Dashboard]

STEP 11 You are now ready to proceed with additional switch configuration.
Navigating The Cisco Switch Configuration Utility

The Cisco Switch Configuration Utility is a web-based device manager that is used to provision the switch. You must have IP connectivity between the PC and the switch to configure the switch. The following section describes how to navigate within the interface.
Performing Common Configuration Tasks

Once the Switch Configuration Utility has been launched and you have logged into the switch, these are some examples of the common configuration tasks you can perform. Use the menus in the left navigation panel to choose a specific area of configuration.

Checking the Software Version

To check the version of the software on the switch, click About at the top of the page.

[Figure: System Information Page]

From this page you can configure the hostname of the switch, its location, and contact information for support. You can also view important information such as the system uptime, software version, MAC Address and Serial Number (SN).

Viewing what Devices are Attached to the Switch

To view the devices attached to the switch, click Monitor & Device Properties > CDP. The CDP page opens.

[Figure: CDP Page]

Review the ports for connecting IP Phones, PCs, Access Points and the uplink to the Cisco UC520 or SR520. You can change the Voice VLAN from the default of 100 if required.

Configuring the VLAN Settings for the Switch

To add or edit the default VLAN settings, click on VLAN & Port Settings > VLAN Management > Properties. The Properties page opens.

[Figure: Properties Page]

Configuring individual ports using Cisco Smartport Roles

Smartport Roles make it easy to provision switch ports by automatically applying the appropriate configuration for attached IP phones, access points, or other devices to optimize network performance.
Role: Router, Switch, Guest, Server, Printer, VS Camera, Other, Access Point
Description:
• Configured for optimal connection to a router or firewall for WAN connectivity
• Configured as an uplink port to another switch or router
• Layer 2 port for fast convergence
• Enables 802.
NOTE The G in the port tables denotes 10/100/1000 (Gigabit) copper or GBIC ports on the ESW520 series switches, and denotes the single G1 interface on the 8 port versions of the switch.

The following steps show one example of using the Smart Ports Setting Wizard to configure access points. It is not necessary to configure your switch in this manner.

STEP 1 Click on the System Dashboard, and then on the Smartports Wizard. The Smart Ports Wizard opens.

[Figure: Smart Ports Setting Wizard]

STEP 3 Click Next. The Access Point window opens. To ensure all VLANs in the network are trunked to the Wireless Access Points, select the drop-down list beside Trunk Allowed VLANs. Select VLAN 100 from the drop-down list to allow voice over wireless.

[Figure: Smart Ports Settings Wizard - Access Point]

STEP 4 Click Allow to ensure that VLAN 100 shows up in the allowed list, and then click Apply.

[Figure: Smart Ports Settings Wizard - Access Point]

STEP 5 A confirmation page opens. Review your changes and click OK.

[Figure: Smart Ports Settings Wizard - Access Point Setting Status]

STEP 6 Return to the System Dashboard and click on the Smart Ports Wizard.

[Figure: Smart Ports Setting]

Checking the Device Power Consumption

Check the overview of the power consumption on the switch. Click System Dashboard > PoE Settings. The PoE Settings page opens.
[Figure: PoE Settings Page]

Click Edit to change a PoE setting.

The number of PoE devices supported on a switch depends on the power requirements for each device and the switch model in question. To help illustrate this, the PoE Device Support table shows the recommended number of PoE devices for 3 different scenarios:

Scenario 1 — Assumes the PoE devices connected to the switch are all IEEE 802.3af Class 2 devices which draw less than 7.

PoE Device Support

ESW 500 Series Switch | Total Power | Scenario 1: PoE devices drawing < 7 W | Scenario 2: PoE devices drawing < 11 W | Scenario 3: PoE devices drawing < 15.4 W
ESW 520-8P | 60 Watts | Up to 15.4 Watts to each port up to the total budget
ESW 540-8P | 120 Watts | Up to 15.
[Figure: Save Configuration Page]

The Save Configuration Page contains the following fields:
• Source File Name — Indicates the device configuration file to copy and the intended usage of the copied file (Running, Startup, or Backup).
• Destination File Name — Indicates the device configuration file to copy to and the intended usage of the file (Running, Startup, or Backup).
Define the relevant fields and then click Apply. The Configuration Files are updated.

STEP 1 Ensure the PC has IP connectivity to the ESW 500 series switch.
STEP 2 The switch can be upgraded through the TFTP or HTTP protocol. If you choose to use TFTP, the PC needs to have a TFTP server running on it. A free TFTP server can be downloaded from: http://www.solarwinds.com/downloads/index.aspx
STEP 3 Download the latest ESW 500 series software file from: www.cisco.

For HTTP: Click Browse and navigate to the file name of the image.
STEP 6 Once the download is complete, click on Maintenance > File Management > Active Image. The Active Image page opens.

[Figure: Active Image Page]

STEP 7 Choose the new image from the drop-down list under After Reset and click Apply.
STEP 8 Save the switch configuration. Click Maintenance > File Management > Save Configuration. The Save Configuration page opens.

[Figure: Save Configuration Page]

STEP 9 Keep the defaults for Source File Name and Destination File Name and click Apply.
STEP 10 Reset the switch by clicking on Monitor & Device Properties > System Management > Restart / Reset.

[Figure: Restart / Reset Page]

STEP 11 Click on Reset / Reboot and the switch should reboot with the new image.
STEP 12 After the switch has completed rebooting and is up and running, log back in.
STEP 13 Ensure the software has been upgraded by clicking on About at the top of the Dashboard page.
Resetting the Device

The Restart / Reset Page enables the device to be reset from a remote location. Save all changes to the Running Configuration file before resetting the device by clicking on Maintenance > File Management > Save Configuration. Define the relevant fields and then click Apply. This prevents losing the current device configuration. To reset the device:

STEP 1 Click Monitor & Device Properties > System Management > Restart / Reset.

NOTE If using CCA to launch the Switch Configuration Utility, right-click on switch > Device Manager. Refresh the topology screen to get the latest IP address for the switch.

Manual Reset

The switch can be reset by inserting a pin or paper clip into the RESET opening. Pressing the manual reset for 0 to 10 seconds reboots the switch. Pressing the manual reset for longer than 10 seconds results in the switch being reset to factory defaults.
Using The Switch Console Port

The switch features a menu-based console interface for basic configuration of the switch and management of your network. The switch can be configured using the menu-based interface through the console port or through a telnet connection. This section describes console interface configuration.

TIP Configuration of the switch through the Console Port requires advanced skills. This should only be attempted by trained personnel.

STEP 4 On the PC, launch a terminal emulation program such as HyperTerminal (bundled with Windows) or Putty (freeware) and configure a new connection with the following settings:
• Speed or Bits Per Second — 115200
• Data Bits — 8
• Stop Bit — 1
• Parity — None
• Flow Control — None
• Serial Port — Choose the appropriate serial or COM port on the PC that the console cable is connected to
STEP 5 Save these settings and open a connection using the

STEP 8 Scroll down to option 6, IP Configuration, and press Enter. The IP Configuration Menu opens.
STEP 9 Highlight option 1, IPv4 Address Configuration, and press Enter. The IPv4 Address Configuration Menu opens.
STEP 10 Highlight option 1, IPv4 Address Settings, and press Enter. The IPv4 Address Settings page opens.

The current IP address setting for the ESW 500 series switch is shown. If the switch is already connected to the network and obtained an IP address via DHCP, this is the IP address which is used to launch the ESW 500 Switch Configuration Utility. If you need to change the IP address to a static IP address, perform the following steps:

STEP 1 Use the Right arrow key to highlight Edit, then press Enter. The IPv4 Address field should be highlighted.
Managing Device Information

This section provides information for defining both basic and advanced system information.

Understanding the Dashboards

[Figure: System Dashboard (ESW-520-24) Page]
[Figure: System Dashboard (ESW-520-24P) Page]
[Figure: System Dashboard (ESW-520-48) Page]
[Figure: System Dashboard (ESW-520-48P) Page]
[Figure: System Dashboard (ESW-540-24) Page]
[Figure: System Dashboard (ESW-540-24P) Page]
[Figure: System Dashboard (ESW-540-48) Page]

You can edit a specific port on the switch by clicking on that port from the device view. The System Dashboard page contains the following port indicators in the device graphical representation:
• Green — Indicates the port is currently operating.

The System Dashboard page contains links to the following:

Ports
• Smart Ports Wizard — Opens the Smart Ports Wizard page.
Common Tasks
• PoE Settings — Opens the PoE Settings Page (PoE switches only).
• Restart / Reset — Opens the Restart/Reset Page.
• Save Configuration — Opens the Save Configuration Page.

Help
• Device Help — Opens the online help.
• More help at Cisco.com — Provides a link to online Technical Support.

Defining System Information

The System Information Page contains parameters for configuring general device information.

STEP 1 Click Monitor & Device Properties > System Management > System Information. The System Information Page opens:

[Figure: System Information Page]

The System Information Page contains the following fields:
• System Name — Displays the user configured name of the system.
• System Location — Defines the location where the system is currently running. The field range is from 0-160 characters.
• System Contact — Defines the name of the contact person.

Minutes and Seconds. For example: 41 days, 2 hours, 22 minutes and 15 seconds.
• Base MAC Address — Displays the device MAC address.
• Software Version — Displays the software version number.
• Boot Version — Indicates the system boot version currently running on the device.
• Jumbo Frame — Indicates if Jumbo Frames are enabled. Jumbo Frames become active after resetting the device. (Jumbo Frames are not available on ESW-520 devices.)

Viewing Device Health

STEP 1 Click Monitor & Device Properties > System Management > Health. The Health Page opens:

[Figure: Health Page]

The Health Page contains the following fields:
• Power Supply Status — Displays the power supply status. Power supply 1 is displayed as PS in the interface, while the redundant power supply is displayed as RPS. The possible field values are:
  - OK — Indicates the power supply is operating normally.

  - Not Present — Indicates the fan is not present.

Resetting the Device

The Restart / Reset page enables the device to be reset from a remote location. Save all changes to the Running Configuration file before resetting the device. This prevents the current device configuration from being lost. To open the Restart / Reset Page:

STEP 1 Click Monitor & Device Properties > System Management > Restart / Reset.
Managing Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol that enables devices to advertise their existence to other devices by sending out periodic updates to a multicast address. In addition, CDP allows devices to receive information about other devices on the same LAN or on the remote WAN side. The system supports CDP versions 1 and 2.

• Voice VLAN — The Voice VLAN field displays the current Voice VLAN used by the switch. The default is VLAN #100. This VLAN carries the voice traffic, and is also advertised through CDP to the other elements in the network. The user can change the Voice VLAN via this screen.

The following fields display Neighbors Information and are read-only.
• Device ID — Indicates the device ID that is advertised by neighboring devices.
• Port ID — Indicates the neighboring device's port from which the CDP packet was sent.

STEP 2 Select Enable in the CDP Status field to enable the Cisco Discovery Protocol on the device.
STEP 3 Define a VLAN ID to be advertised by the device in the Voice VLAN field.
STEP 4 Click Apply. CDP is enabled, and the device is updated.

To view additional neighboring device CDP information:

STEP 1 Click Monitor & Device Properties > CDP.

• Advertisement Version — Indicates the CDP version advertised by the neighboring device.
• Native VLAN — Defines the ID number of the VLAN on the neighbor device.
• Duplex — Displays the duplex state of connection between the current device and the neighbor device. The possible field values are:
  - Full — Indicates that the interface supports transmission between the device and the client in both directions simultaneously.
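The neighbor fields listed above travel in each CDP advertisement as unauthenticated type-length-value records, so any station on the same LAN segment can read them. The following is an added example, not part of the Cisco guide: it decodes those fields from a constructed payload, using the publicly documented CDP TLV type codes; the device name, port name and values are made up, and the checksum is not verified.

```python
import struct

# CDP TLV type codes for the neighbor fields described in this section.
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_NATIVE_VLAN = 0x000A
TLV_DUPLEX = 0x000B


def build_tlv(tlv_type, value):
    """Encode one TLV; the length field counts its own 4-byte header."""
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


def parse_cdp(payload):
    """Decode a CDP payload (starting at the version byte) into a dict.

    The data comes from an untrusted neighbor, so every length is checked
    and malformed input raises ValueError instead of being read blindly.
    """
    if len(payload) < 4:
        raise ValueError("CDP header truncated")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):  # the guide states versions 1 and 2 are supported
        raise ValueError("unsupported CDP version %d" % version)
    info = {"advertisement_version": version, "ttl": ttl}
    offset = 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise ValueError("TLV header truncated at offset %d" % offset)
        tlv_type, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, offset))
        value = payload[offset + 4:offset + length]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN:
            if len(value) != 2:
                raise ValueError("Native VLAN TLV must carry 2 bytes")
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_DUPLEX:
            if len(value) != 1:
                raise ValueError("Duplex TLV must carry 1 byte")
            info["duplex"] = "Full" if value[0] == 1 else "Half"
        # Any other TLV type is skipped using its declared length.
        offset += length
    return info


# Constructed sample advertisement: version 2, TTL 180 s, checksum left as 0.
SAMPLE_CDP = (
    struct.pack("!BBH", 2, 180, 0)
    + build_tlv(TLV_DEVICE_ID, b"esw-lab-01")      # made-up device name
    + build_tlv(0x0005, b"constructed-version")    # a TLV this parser skips
    + build_tlv(TLV_PORT_ID, b"g1")
    + build_tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1))
    + build_tlv(TLV_DUPLEX, b"\x01")
)

if __name__ == "__main__":
    for field, value in parse_cdp(SAMPLE_CDP).items():
        print("%-22s %s" % (field, value))
```
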
Defining the Bonjour Discovery Protocol

The Bonjour screen contains information for enabling/disabling Bonjour on the device, specifying a Service Type and the related port used for publishing devices over the network. A Service Type is the type of service registration performed as part of the device system start up. It is intended to assure the uniqueness of the published service and proclaims the related information.

  - HTTP — Specifies the Service Type selected is HTTP. This service is enabled by default, and can be user-disabled but not deleted. The service uses the default port 80. The port can be changed using the menu CLI.
  - HTTPS — Specifies the Service Type selected is secured HTTP. This service is enabled by default, and can be user-disabled, but not deleted. The service uses the default port 443. The port can be changed using the menu CLI.

TCAM Utilization

STEP 1 Click Monitor & Device Properties > System Management > TCAM Utilization. The TCAM Utilization Page opens:

[Figure: TCAM Utilization Page]

The TCAM Utilization Page contains the following field:
• TCAM Utilization — Indicates the percentage of the available TCAM resources which are used. For example, if more ACLs and policy maps are defined, the system uses more TCAM resources.
Managing Smart Ports

The Smart Ports wizards provide network managers with a quick and simple way to configure devices by automatically applying the appropriate port settings for various network devices, including:
• Desktop — Allows network administrators to define settings for personal desktop users.
• IP Phone and Desktop — Allows network administrators to define settings between the switch and the IP Phone.

NOTE By default, the user ports are configured as IP Phone + Desktop for PoE switches and Desktop for non-PoE switches. For devices other than IP Phone and Desktop, users need to configure the smartport role per device (e.g., switch, access point etc.). Connecting a switch or an access point to a port with the IP Phone + Desktop smartport role results in the port being deactivated or in degraded service, respectively, because of the mismatched port role.

Configuring Smart Ports for Desktops

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

[Figure: System Dashboard Page]

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.

[Figure: Smart Ports Setting Page]

STEP 3 Select a port or range of ports.
STEP 4 Select Desktop in the Assign Profile drop-down list. Click Next. The Smart Ports Desktop Settings Page opens:

[Figure: Smart Ports Desktops Settings Page]

The Smart Ports Desktops Settings Page contains the following fields:
• Port — Indicates the port to which Smart Port wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port.
  - Access — Indicates a port belongs to a single untagged VLAN. This is the default setting for ports that are connected to desktops.
• VLAN ID — Indicates the VLAN to which the port belongs.
• Port Security Mode — Defines the locked port type. The possible field value is:
  - Dynamic Lock — Locks the port with current learned addresses.
STEP 6 Click Apply. The Desktop port settings are saved, and the device is updated.

Configuring Smart Ports for IP Phones and Desktops

The Smart Ports for IP Phones and Desktops Page allows network administrators to define settings between the switch and the IP Phone. This helps ensure proper network management for voice traffic. The Smart Port IP Phone and Desktop wizard allows network managers to connect a phone and a PC.

[Figure: Smart Ports IP Phones and Desktop Settings Page]

The Smart Ports IP Phones and Desktop Settings Page contains the following fields:
• Ports — Indicates the port to which Smart Port wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:
  - Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged.
• Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. A maximum of 3 MAC addresses can be learned on the port.
• Port Security Action — Indicates the action applied to packets arriving on a locked port. The possible field value is:
  - Discard — Discards packets from any unlearned source. This is the default value.
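How the Max MAC Addresses limit and the Discard action described above interact on an IP Phone + Desktop port, as an added example that is not part of the Cisco guide and is not switch firmware. It is a simplified model that assumes learned addresses never age out; the port name and all MAC addresses are constructed.

```python
import re

_MAC_RE = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac):
    """Canonicalise a MAC written with ':', '-' or '.' separators.

    Without this, one station written in two notations would be counted
    as two learned addresses.
    """
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not _MAC_RE.fullmatch(digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class DynamicLockPort:
    """Model of a port in Dynamic Lock mode with the Discard action."""

    def __init__(self, name, max_macs):
        if max_macs < 1:
            raise ValueError("max_macs must be at least 1")
        self.name = name
        self.max_macs = max_macs
        self.learned = []     # source MACs learned, in arrival order
        self.discarded = {}   # unlearned source MAC -> discarded frame count

    def receive(self, src_mac):
        """Return 'forward' or 'discard' for one frame from src_mac."""
        mac = normalize_mac(src_mac)
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned.append(mac)   # still room: learn the new source
            return "forward"
        # Table is full: frames from unlearned sources are dropped.
        self.discarded[mac] = self.discarded.get(mac, 0) + 1
        return "discard"

    def violations(self):
        """Unlearned sources seen on the port, most frequent first."""
        return sorted(self.discarded.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed frame sequence on a hypothetical port "e5": a phone, a PC,
# the phone again in dotted notation, a third device, then a fourth device
# that exceeds the limit of 3 and keeps transmitting.
SAMPLE_FRAMES = [
    "00:1A:2B:00:00:01",
    "00-1a-2b-00-00-02",
    "001a.2b00.0001",
    "00:1a:2b:00:00:03",
    "00:1a:2b:00:00:04",
    "00:1a:2b:00:00:04",
    "00:1a:2b:00:00:02",
]


def run_sample(max_macs=3):
    """Replay SAMPLE_FRAMES through a fresh port; return decisions and port."""
    port = DynamicLockPort("e5", max_macs)
    decisions = [port.receive(mac) for mac in SAMPLE_FRAMES]
    return decisions, port


if __name__ == "__main__":
    decisions, port = run_sample()
    for mac, decision in zip(SAMPLE_FRAMES, decisions):
        print("%-20s %s" % (mac, decision))
    print("learned:", port.learned)
    print("violations:", port.violations())
```
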
Managing Smart Ports Configuring Smart Ports for Access Points Configuring Smart Ports for Access Points The Smart Ports for Access Points Page allows network administrators to manage the connection between the switch and wireless access points. To configure smart ports for access points: STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page. STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.
Smart Ports for Access Points Settings Page

The Smart Ports for Access Points Settings Page contains the following fields:
• Ports — Indicates the port to which Smart Port wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:
  - Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged.
STEP 7 Select which trunks are permitted in the VLAN using the Allow and Exclude buttons.
STEP 8 Click Apply. The Access Point port settings are saved, and the device is updated.
STEP 9 Click OK. The Smart ports Setting page opens.

Configuring Smart Ports for Switches

The Smart Ports Switch Settings Page allows network administrators to manage network settings between switches.
STEP 4 Select Switch in the Assign Profile drop-down list. Click Next. The Smart Ports Switch Setting Page opens:

Smart Ports Switch Settings Page

The Smart Ports Switch Settings Page contains the following fields:
• Ports — Indicates the port to which Smart Port wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port.
• Macro Description — Indicates the type of device connected to the port. For switches, this field is always Switch.
STEP 5 Select a VLAN in the Trunk Native VLAN ID drop-down list.
STEP 6 Select which trunks are permitted in the VLAN using the Add and Delete buttons.
STEP 7 Click Apply. The switching port settings are saved, and the device is updated.
STEP 8 Click OK. The Smart ports Setting page opens.
Configuring Smart Ports for Routers

Smart Ports Setting Page

STEP 3 Select a port or range of ports.
STEP 4 Select Router in the Assign Profile drop-down list.
STEP 5 Click Next.
Smart Port Router Settings Page

The Edit Smart Port Router Page contains the following fields:
• Ports — Indicates the port to which Smart Port wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:
  - Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to routers.
STEP 7 Select which trunks are permitted in the VLAN using the Add and Delete buttons.
STEP 8 Click Apply. The routing port settings are saved, and the device is updated.
STEP 9 Click OK. The Smart ports Setting page opens.

Configuring Smart ports for Guests

The Smart Ports Setting Page allows network administrators to manage network settings between the switch and a guest in the company.
Smartports Guest Settings Page

The Smartports Guest Settings Page contains the following fields:
• Ports — Indicates the port to which Smart ports Wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:
  - Access — Indicates the value is Access.
• Trunk Native VLAN ID — Defines the VLAN receiving untagged packets at ingress. The default value is VLAN 1.
Configuring Smart ports for Servers

The Smart ports Setting Page allows network administrators to define settings between the device and a server. To configure ports using the Server:
STEP 1 Open the Small Business Pro web application. The web application automatically opens to the Ports are enabled for the Smart Port wizards by default.
Smart ports Server Settings Page

The Smart ports Server Settings Page contains the following fields:
• Ports — Indicates the port to which Smart ports Wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:
  - Access — Indicates the value is Access.
• Trunk Native VLAN ID — Indicates the VLAN to which the port belongs.
Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks.
• Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface.
• QoS Policy — Indicates that the default QoS policy settings are applied to the port. The Default policy is voice-map.
• Macro Description — Indicates the type of device connected to the port.
Configuring Smart ports for Printers

Smart ports Setting Page

STEP 5 Click Next. The Smartports Printer Settings Page opens:

Smartports Printer Settings Page

The Smartports Printer Settings Page contains the following fields:
• Ports — Indicates the port to which Smart ports Wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:
  - Access — Indicates the value is Access.
• Trunk Native VLAN ID — Indicates the VLAN to which the port belongs. The default is VLAN 1 – the user can change this VLAN by selecting one of the created VLANs via the drop down list.
• Port Security Mode — Defines the locked port type. The field value is: Dynamic Lock.
• Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. A maximum of three MAC addresses can be learned on the port.
Configuring Smart ports for VS Camera

The Smart ports Setting Page allows network administrators to define settings between the device and a video surveillance camera. To configure ports using a VS camera:
STEP 1 Open the Small Business Pro web application. The web application automatically opens to the Ports are enabled for the Smart Port wizards by default.
Smart ports VS Camera Settings Page

The Smart ports Server Settings Page contains the following fields:
• Ports — Indicates the port to which Smart ports Wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:
  - Access — Indicates the value is Access.
• Trunk Native VLAN ID — Indicates the VLAN to which the port belongs.
• Spanning Tree Port Fast — Indicates Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks.
• Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface.
Configuring Smart Ports for Other

For more information on configuring SPAN (Port Mirroring), see Chapter 19, Managing Device Diagnostics. To remove any previous Smart Ports configuration from a port, configure smart ports for other:
STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.
STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.
Smart Ports Other Page

The Edit Smart Port Other Page contains the following fields:
• Ports — Indicates the port to which Smart Port wizard settings are applied.
• VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:
  - Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to routers.
Configuring System Time

The device supports the Simple Network Time Protocol (SNTP). SNTP assures accurate network device clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. The device operates only as an SNTP client, and cannot provide time services to other systems.
Defining System Time

STEP 1 Click Monitor & Device Properties > System Management > Time > System Time. The System Time Page opens:

System Time Page

The System Time Page contains the following fields:
• Clock Source — Indicates the source used to set the system clock. The possible field values:
  - Use Local Settings — The system time is set on the local device. This is the default value.
  - Use SNTP Server — Sets the system time via an SNTP server.
while the local time in New York is GMT –5. There are two types of daylight settings, either by a specific date in a particular year or a recurring setting irrespective of the year. For a specific setting in a particular year, complete the Daylight Savings area, and for a recurring setting, complete the Recurring area.
• Daylight Savings — Enables the Daylight Savings Time (DST) on the device based on the device's location.
  - Month — The month of the year in which DST ends. The possible field range is Jan-Dec.
  - Year — The year in which the configured DST ends.
  - Time — The time at which DST starts. The field format is Hour:Minute, for example, 05:30.
• Recurring — Select if the DST period in countries other than the USA or Europe is constant from year to year. The possible field values are:
• From — Indicates the day and time that DST begins each year.
Defining SNTP Settings

The SNTP Settings Page contains information for enabling SNTP servers, as well as adding new SNTP servers. In addition, the SNTP Settings Page enables the device to request and accept SNTP traffic from a server. To define SNTP global settings:
STEP 1 Click Monitor & Device Properties > System Management > Time > SNTP Settings.
• Encryption Key ID — Indicates the Key Identification used to communicate between the SNTP server and device. The range is 1 - 4294967295.
• Preference — The SNTP server providing SNTP system time information. The possible field values are:
  - Primary — The primary server provides SNTP information.
  - Secondary — The backup server provides SNTP information.
  - In progress — The SNTP server is currently sending or receiving SNTP information.
Add SNTP Server Page

The Add SNTP Server Page contains the following fields:
• SNTP Server — The SNTP server’s IP address.
• Enable Poll Interval — Select whether or not the device polls the selected SNTP server for system time information.
• Encryption Key ID — Select if Key Identification is used to communicate between the SNTP server and device. The range is 1 - 4294967295.
STEP 3 Define the relevant fields.
STEP 4 Click Apply.
Defining SNTP Authentication

STEP 1 Click Monitor & Device Properties > System Management > Time > SNTP Authentication. The SNTP Authentication Page opens:

SNTP Authentication Page

The SNTP Authentication Page contains the following fields:
• Enable SNTP Authentication — Indicates if authenticating an SNTP session between the device and an SNTP server is enabled on the device.
Add SNTP Authentication Page

The Add SNTP Authentication Page contains the following fields:
• Encryption Key ID — Defines the Key Identification used to authenticate the SNTP server and device. The range is 1 - 4294967295.
• Authentication Key — Defines the key used for authentication.
• Trusted Key — Indicates if an encryption key is used (Unicast/Anycast) or elected (Broadcast) to authenticate the SNTP server.
Configuring Device Security

The Security Suite contains the following topics:
• Passwords Management
• Defining Authentication
• Defining Access Methods
• Defining Traffic Control
• Defining 802.1x
• Defining Access Control
• Defining DoS Prevention
• Defining DHCP Snooping
• Defining Dynamic ARP Inspection

Passwords Management

This section contains information for defining passwords.
STEP 1 Click Security > Users and Passwords > User Authentication. The User Authentication Page opens:

User Authentication Page

The User Authentication Page contains the following fields:
• User Name — Displays the user name.
STEP 2 Click the Add button.
• User Name — Specifies the user name.
• Password — Specifies the new password. The password is not displayed. As it is entered, an * corresponding to each character is displayed in the field. (Range: 1-159 characters)
• Confirm Password — Confirms the new password. The password entered into this field must be exactly the same as the password entered in the Password field.
STEP 3 Define the relevant fields.
STEP 4 Click Apply.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The local user settings are modified, and the device is updated.

Defining Authentication

The Authentication section contains the following pages:
• Defining Profiles
• Mapping Authentication Profiles
• Defining TACACS+
• Defining RADIUS

Defining Profiles

Authentication profiles allow network administrators to assign authentication methods for user authentication.
STEP 1 Click Security > Authentication > Profiles. The Profiles Page opens:

Profiles Page

The Profiles Page contains the following fields:
• Profile Name — Displays the Profile name defined for the Login Table.
• Methods — Defines the user authentication methods. The order of the authentication methods defines the order in which authentication is attempted.
Add Authentication Profile Page

The Add Authentication Profile Page contains the following fields:
• Profile Name — Defines the Authentication profile name.
• Authentication Method — Defines the user authentication methods. The order of the authentication methods defines the order in which authentication is attempted.
Modifying an Authentication Profile

STEP 1 Click Security > Authentication > Profiles. The Profiles Page opens:
STEP 2 Click the Edit Button. The Edit Authentication Profile Page opens:

Edit Authentication Profile Page

The Edit Authentication Profile Page contains the following fields:
• Profile Name — Displays the Authentication profile name.
• Authentication Methods — Defines the user authentication methods.
Mapping Authentication Profiles

After authentication profiles are defined, authentication profiles can be applied to management access methods. For example, console users can be authenticated by one authentication profile, while Telnet users are authenticated by another authentication profile. Authentication methods are selected using arrows. The order in which the methods are selected is the order by which the authentication methods are used.
• Secure Telnet (SSH) — Indicates that Authentication profiles are used to authenticate Secure Shell (SSH) users. SSH provides clients secure and encrypted remote connections to a device.
• Secure HTTP — Configures the device Secure HTTP settings.
• Optional Methods — Lists available authentication methods.
  - Local — Authenticates the user at the device level. The device checks the user name and password for authentication.
Defining TACACS+

The devices provide Terminal Access Controller Access Control System (TACACS+) client support. TACACS+ provides centralized security for validation of users accessing the device. TACACS+ provides a centralized user management system, while still retaining consistency with RADIUS and other authentication processes.
STEP 1 Click Security > Authentication > TACACS+. The TACACS+ Page opens:

TACACS+ Page

The TACACS+ Page contains the following fields:
• Source IP Address — Displays the device source IP address used for the TACACS+ session between the device and the TACACS+ server.
• Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server.
• Timeout for Reply — Displays the amount of time in seconds that passes before the connection between the device and the TACACS+ times out. The field range is 1-1000 seconds.
• Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected.
• Status — Displays the connection status between the device and the TACACS+ server.
  - Use Default — Uses the default value for the parameter. If the Use Default check box is selected, the global value of 0.0.0.0 is used and interpreted as a request to use the IP address of the outgoing IP interface.
• Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server. The possible values are:
  - User Defined — Allows the user to define the Key String value.
Edit TACACS+ Server Page

The Edit TACACS+ Server Page contains the following fields:
• Host IP Address — Defines the TACACS+ Server IP address.
• Priority — Defines the order in which the TACACS+ servers are used. The default is 0.
• Source IP Address — Defines the device source address used for the TACACS+ session between the device and the TACACS+ server.
• Key String — Defines the authentication and encryption key for TACACS+ server.
• Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected.
• Use Default — Indicates that the factory default value is used.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The TACACS+ settings are modified, and the device is updated.

Defining RADIUS

Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks.
• Radius Accounting — Defines the authentication method used for RADIUS session accounting. Possible field values are:
  - 802.1x — 802.1x authentication is used to initiate accounting.
  - Login — Login authentication is used to initiate accounting.
  - Both — Both 802.1x and login authentication are used to initiate accounting.
  - None — No authentication is used to initiate accounting.
• Default Retries — Provides the default retries.
• Dead Time — Defines the amount of time (minutes) that a RADIUS server is bypassed for service requests. The range is 0-2000. The Dead Time default is 0 minutes.
• Key String — Defines the default key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This key must match the RADIUS encryption.
• Usage Type — Specifies the RADIUS server authentication type. The default value is Login.
• Priority — Displays the server priority. The possible values are 0-65535, where 1 is the highest value. The RADIUS Server priority is used to configure the server query order.
• Source IP Address — Defines the source IP address that is used for communication with RADIUS servers.
• Authentication Port — Identifies the authentication port. The authentication port is used to verify the RADIUS server authentication.
STEP 4 Click Apply. The RADIUS Server is added, and the device is updated.

Modifying RADIUS Server Settings

STEP 1 Click Security > Authentication > RADIUS. The RADIUS Page opens:
STEP 2 Click the Edit button. The Edit RADIUS Server Page opens:

Edit RADIUS Server Page

The Edit RADIUS Server Page contains the following fields:
• IP Address — Defines the RADIUS Server IP address.
• Priority — Displays the server priority.
• Accounting Port — Indicates the port used to send login and logout messages to the RADIUS server. The accounting port default is 1813.
• Number of Retries — Defines the number of transmitted requests sent to RADIUS server before a failure occurs. The possible field values are 1 - 10. Three is the default value.
Defining Access Methods

• Defining Profile Rules

Defining Access Profiles

Access profiles are profiles and rules for accessing the device. Access to management functions can be limited to user groups. User groups are defined for interfaces according to IP addresses or IP subnets. Access profiles contain management methods for accessing and managing the device.
STEP 1 Click Security > Access Method > Access Profiles. The Access Profiles Page opens:

Access Profiles Page

The Access Profiles Page contains the following fields:
• Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.
• Current Active Access Profile — Defines the access profile currently active.
STEP 2 Click the Add button.
Add Access Profile Page

The Add Access Profile Page contains the following fields:
• Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.
• Rule Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access.
  - HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.
  - Secure HTTP (HTTPS) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.
  - SNMP — Assigns SNMP access to the rule.
• Rule Priority
• Interface
• Management Method
• IP Address
• Prefix Length
• Forwarding Action

To define profile rules:
STEP 1 Click Security > Access Method > Profile Rules. The Profile Rules Page opens:

Profile Rules Page

The Profile Rules Page contains the following fields:
• Access Profile Name — Displays the access profile to which the rule is attached.
• Priority — Defines the rule priority.
• Interface — Indicates the interface type to which the rule applies. The possible field values are:
  - Port — Attaches the rule to the selected port.
  - EtherChannel — Attaches the rule to the selected EtherChannel.
  - VLAN — Attaches the rule to the selected VLAN.
• Management Method — Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected.
Add Profile Rule Page

The Add Profile Rule Page contains the following fields:
• Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.
• Rule Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access.
  - HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.
  - Secure HTTP (SSL) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.
  - Secure Telnet (SSH) — Assigns SSH access to the rule.
Edit Profile Rule Page

The Edit Profile Rule Page contains the following fields:
• Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.
• Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis.
  - HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.
  - Secure HTTP (SSL) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.
  - Secure Telnet (SSH) — Assigns SSH access to the rule.
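The first-fit matching described for profile rules can be checked offline before a profile is made active. The following Python model is an added example, not part of the Cisco guide or the switch software. It assumes that the lowest Rule Priority number is tried first, that an unset field matches anything, and that a session matching no rule is denied; the addresses and VLAN names are constructed.

```python
"""First-fit evaluation of access profile rules (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int                     # Rule Priority
    action: str                       # Forwarding Action: "permit" or "deny"
    method: Optional[str] = None      # Management Method; None = any (assumption)
    source: Optional[str] = None      # IP Address/Prefix Length; None = any source
    interface: Optional[str] = None   # Port, EtherChannel or VLAN; None = any

    def matches(self, method, src_ip, interface):
        """True if a management session with these attributes fits the rule."""
        if self.method is not None and self.method != method:
            return False
        if self.interface is not None and self.interface != interface:
            return False
        if self.source is not None:
            return ip_address(src_ip) in ip_network(self.source)
        return True

    def covers(self, other):
        """True if every session that matches `other` also matches this rule."""
        if self.method is not None and self.method != other.method:
            return False
        if self.interface is not None and self.interface != other.interface:
            return False
        if self.source is None:
            return True
        if other.source is None:
            return False
        mine, theirs = ip_network(self.source), ip_network(other.source)
        return mine.version == theirs.version and theirs.subnet_of(mine)


def ordered(rules):
    # Assumption: the lowest Rule Priority number is tried first.
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules, method, src_ip, interface):
    """Return (action, priority of the deciding rule or None)."""
    for rule in ordered(rules):
        if rule.matches(method, src_ip, interface):
            return rule.action, rule.priority  # first fit wins, later rules are ignored
    return "deny", None  # Assumption: no matching rule means no management access


def shadowed(rules):
    """Return (later priority, earlier priority) pairs where the later rule can never fire."""
    seq = ordered(rules)
    found = []
    for i, later in enumerate(seq):
        for earlier in seq[:i]:
            if earlier.covers(later):
                found.append((later.priority, earlier.priority))
                break
    return found


# Constructed profile for illustration; addresses and VLAN names are invented.
PROFILE = [
    Rule(1, "permit", "Secure Telnet (SSH)", "192.168.10.0/24", "VLAN 10"),
    Rule(2, "permit", "Secure HTTP (SSL)", "192.168.10.0/24"),
    Rule(3, "deny", "HTTP"),
    Rule(4, "permit", None, "192.168.0.0/16"),   # broad rule placed too early
    Rule(5, "deny", "Secure Telnet (SSH)", "192.168.20.0/24"),
]

if __name__ == "__main__":
    sessions = [
        ("Secure Telnet (SSH)", "192.168.10.5", "VLAN 10"),
        ("HTTP", "192.168.10.5", "VLAN 10"),
        ("Secure Telnet (SSH)", "192.168.20.7", "VLAN 20"),
        ("SNMP", "10.0.0.1", "VLAN 1"),
    ]
    for method, src, iface in sessions:
        print(method, src, iface, "->", evaluate(PROFILE, method, src, iface))
    print("shadowed rules:", shadowed(PROFILE))
```

Rule 5 in the constructed profile never fires because rule 4 already permits its whole subnet, which is the kind of ordering mistake first-fit matching hides.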
Defining Traffic Control

• Defining Storm Control
• Defining Port Security

Defining Storm Control

Storm Control enables limiting the amount of Multicast and Broadcast frames accepted and forwarded by the device. When Layer 2 frames are forwarded, Broadcast and Multicast frames are flooded to all ports on the relevant VLAN. This occupies bandwidth, and loads all nodes connected on all ports.
STEP 1 Click Security > Traffic Control > Storm Control. The Storm Control Page opens:

Storm Control Page

The Storm Control Page contains the following fields:
• Unknown Unicast Group Control — On ESW 520 devices, sets the Unknown Unicast Control as the Broadcast Mode globally defined on the device.
• Rate Threshold — On FE devices, sets the maximum rate (packets per second) at which unknown packets are forwarded.
  - Disable — Disables Broadcast packet types to be forwarded.
• Broadcast Rate Threshold — Indicates the maximum rate (kilobits per second) at which unknown packets are forwarded.
  - For FE ports, the rate is 70 - 100,000 Kbps.
  - For GE ports, the rate is 3,500 - 100,000 Kbps.
• Broadcast Mode — Specifies the Broadcast mode currently enabled on the device.
• Port — Indicates the port from which storm control is enabled.
• Enable Broadcast Control — Indicates if Broadcast packet types are forwarded on the specific interface. The possible field values are:
  - Checked — Enables Broadcast packet types to be forwarded.
  - Unchecked — Disables Broadcast packet types to be forwarded.
• Broadcast Mode — Specifies the Broadcast mode currently enabled on the interface.
locked. When a packet is received on a locked port, and the packet source MAC address is not tied to that port (either it was learned on a different port, or it is unknown to the system), the protection mechanism is invoked, and can provide various options. Unauthorized packets arriving at a locked port are either:
• Forwarded
• Discarded with no trap
• Discarded with a trap
• Cause the port to be shut down.
STEP 1 Click Security > Traffic Control > Port Security. The Port Security Page opens:

Port Security Page

The Port Security Page contains the following fields:
• Ports Radio Button — Indicates the Port on which port security is configured.
• EtherChannels Radio Button — Indicates the EtherChannel on which port security is configured.
• Interface — Displays the port or EtherChannel name.
• Interface Status — Indicates the port security status.
  - Classic Lock — Locks the port using the classic lock mechanism. The port is immediately locked, regardless of the number of addresses that have already been learned.
  - Limited Dynamic Lock — Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled.
Modifying Port Security

STEP 1 Click Security > Traffic Control > Port Security. The Port Security Page opens:
STEP 2 Click the Edit Button. The Edit Port Security Page opens:

Edit Port Security Page

The Edit Port Security Page contains the following fields:
• Interface — Select the port or EtherChannel name.
• Lock Interface — Indicates the port security status.
maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled. Previously learned MAC addresses are not deleted but are converted to a static MAC address.
• Max Entries — Specifies the number of MAC addresses that can be learned on the port. The Max Entries field is enabled only if Locked is selected in the Interface Status field. In addition, the Limited Dynamic Lock mode is selected. The possible range is 1-128. The default is 1.
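How the lock modes and the four violation outcomes described for port security interact is easier to see when frames are run through a model. The following Python code is an added example, not Cisco firmware logic. It assumes a classic lock keeps the addresses learned before locking, leaves address aging out, and uses constructed MAC addresses from the documentation range.

```python
"""Model of a locked port (added example, not Cisco firmware logic)."""
from dataclasses import dataclass

MODES = ("classic", "limited-dynamic")
ACTIONS = ("forward", "discard", "discard-trap", "shutdown")


@dataclass
class Port:
    name: str
    locked: bool = False
    mode: str = "classic"
    action: str = "discard"
    max_entries: int = 1
    shut_down: bool = False


class Switch:
    def __init__(self, port_names):
        self.ports = {n: Port(n) for n in port_names}
        self.mac_table = {}  # source MAC -> port the address is tied to
        self.traps = []      # (port, MAC) pairs reported by "discard-trap"

    def lock(self, name, mode, action, max_entries=1):
        if mode not in MODES or action not in ACTIONS:
            raise ValueError("unknown lock mode or action")
        if not 1 <= max_entries <= 128:  # Max Entries range given in the guide
            raise ValueError("Max Entries must be 1-128")
        port = self.ports[name]
        port.locked, port.mode = True, mode
        port.action, port.max_entries = action, max_entries
        if mode == "limited-dynamic":
            # Limited Dynamic Lock starts by deleting the port's dynamic addresses.
            self.mac_table = {m: p for m, p in self.mac_table.items() if p != name}

    def learned_on(self, name):
        return sorted(m for m, p in self.mac_table.items() if p == name)

    def receive(self, name, src_mac):
        """Return 'forward', 'discard' or 'shutdown' for one received frame."""
        port = self.ports[name]
        if port.shut_down:
            return "discard"             # a shut-down port passes nothing
        owner = self.mac_table.get(src_mac)
        if owner == name:
            return "forward"             # address is tied to this port
        if not port.locked:
            self.mac_table[src_mac] = name  # ordinary learning on an unlocked port
            return "forward"
        room = len(self.learned_on(name)) < port.max_entries
        if port.mode == "limited-dynamic" and owner is None and room:
            self.mac_table[src_mac] = name  # still below Max Entries
            return "forward"
        # Violation: unknown address, or address learned on a different port.
        if port.action == "forward":
            return "forward"             # forwarded, but the address is not learned
        if port.action == "discard-trap":
            self.traps.append((name, src_mac))
        if port.action == "shutdown":
            port.shut_down = True
            return "shutdown"
        return "discard"


def demo():
    """Run constructed frames through two locked ports and collect the verdicts."""
    sw = Switch(["e1", "e2"])
    sw.receive("e1", "00:00:5e:00:53:99")  # learned before the lock, then deleted
    sw.lock("e1", "limited-dynamic", "discard-trap", max_entries=3)
    e1 = [sw.receive("e1", f"00:00:5e:00:53:0{i}") for i in range(1, 5)]
    sw.receive("e2", "00:00:5e:00:53:aa")  # learned before the classic lock
    sw.lock("e2", "classic", "shutdown")
    e2 = [sw.receive("e2", m) for m in
          ("00:00:5e:00:53:aa", "00:00:5e:00:53:bb", "00:00:5e:00:53:aa")]
    return {"e1": e1, "e2": e2, "traps": sw.traps, "e1_learned": sw.learned_on("e1")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On e2 a single frame from an unknown address shuts the port down, after which the legitimate host is cut off as well; that availability cost is the trade-off of the shut-down action compared with discarding with a trap.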
Defining 802.1x

• Authenticators — Specifies the port, which is authenticated before permitting system access.
• Supplicants — Specifies host connected to the authenticated port requesting to access the system services.
• Authentication Server — Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the supplicant is authorized to access system services.
STEP 1 Click Security > 802.1X > Properties. The 802.1X Properties Page opens:

802.1X Properties Page

The 802.1X Properties Page contains the following fields:
• Port Based Authentication State — Enables Port-based Authentication on the device. The possible field values are:
  - Enable — Enables port-based authentication on the device.
  - Disable — Disables port-based authentication on the device.
  - Checked — Enables using a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the VLAN List field.
  - Unchecked — Disables use of a Guest VLAN for unauthorized ports. This is the default.
• Guest VLAN ID — Contains a list of VLANs. The Guest VLAN is selected from the VLAN list.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The 802.
STEP 1 Click Security > 802.1X > Port Authentication. The 802.1X Port Authentication Page opens:

802.1X Port Authentication Page

The 802.1X Port Authentication Page contains the following fields:
• Copy From Entry Number — Copies the port authentication configuration from the specified table entry.
• To Entry Number(s) — Assigns the copied port authentication configuration to the specified table entry.
• Port — Displays the list of interfaces.
  - 802.1x & MAC — Enables 802.1x + MAC Authentication on the device. In the case of 802.1x + MAC, 802.1x takes precedence.
• Periodic Reauthentication — Enables port reauthentication. The default value is disabled.
• Reauthentication Period — Specifies the number of seconds in which the selected port is reauthenticated (Range: 300-4294967295). The field default is 3600 seconds.
• Authenticator State — Specifies the port authorization state.
STEP 3 Click Apply. The 802.1X port authentication settings are defined, and the device is updated.

Modifying 802.1X Security

STEP 1 Click Security > 802.1X > Port Authentication. The 802.1X Properties Page opens:
STEP 2 Click the Edit button.
- auto — Enables port-based authentication on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.
- forceAuthorized — Indicates the interface is in an authorized state without being authenticated. The interface re-sends and receives normal traffic without client port-based authentication.
- Unchecked — Port authentication according to the Reauthentication settings above.
• Authenticator State — Specifies the port authorization state. The possible field values are as follows:
- Initialize — Enables port-based authentication on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.
Defining Authentication
The 802.1X Authentication Page allows network managers to configure advanced port-based authentication settings for specific ports and VLANs.
STEP 1 Click Security > 802.1X > Authentication. The 802.1X Authentication Page opens:
802.1X Authentication Page
The 802.1X Authentication Page contains the following fields:
• Port — Displays the port number for which the Multiple Hosts configuration is displayed.
• Action on Violation — Defines the action to be applied to packets arriving in single-host mode, from a host whose MAC address is not the supplicant MAC address. The possible field values are:
- Forward — Forwards the packet.
- Discard — Discards the packets. This is the default value.
- Shut Down — Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is reset.
Modifying Authentication Settings
STEP 1 Click Security > 802.1X > Authentication. The 802.1X Port Authentication Page opens:
STEP 2 Click the Edit button. The Edit Authentication Page opens:
Edit Authentication Page
The Edit Authentication Page contains the following fields:
• Port — Displays the port number for which advanced port-based authentication is enabled.
• Host Authentication — Defines the Host Authentication mode.
- Discard — Discards the packets. This is the default value.
- Shut Down — Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is reset.
• Enable Traps — Indicates if traps are enabled for Multiple Hosts. The possible field values are:
- Checked — Indicates that traps are enabled for Multiple Hosts.
- Unchecked — Indicates that traps are disabled for Multiple Hosts.
STEP 1 Click Security > 802.1X > Authenticated Hosts. The Authenticated Hosts Page opens:
Authenticated Hosts Page
The Authenticated Hosts Page contains the following fields:
• User Name — Lists the supplicants that were authenticated, and are permitted on each port.
• Port — Displays the port number.
• Session time — Displays the amount of time (in seconds) the supplicant was logged on the port.
- RADIUS — Indicates the supplicant was authenticated by a RADIUS server.
• MAC Address — Displays the supplicant MAC address.
Defining Access Control
Access Control Lists (ACL) allow network managers to define classification actions and rules for specific ingress ports. Your switch supports up to 256 ACLs. Packets entering an ingress port, with an active ACL, are either admitted or denied entry. If they are denied entry, the user can disable the port.
MAC Based ACL Page
The MAC Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined MAC based ACLs.
• Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.
• Source MAC Address — Defines the source MAC address to match the ACE.
• Source MAC Mask — Defines the source MAC mask to match the ACE.
• 802.1p Mask — Displays the wildcard bits to be applied to the CoS.
• Ethertype — Displays the Ethernet type of the packet.
• Action — Indicates the ACL forwarding action. For example, the port can be shut down, a trap can be sent to the network administrator, or the packet is assigned rate limiting restrictions for forwarding. Possible field values are:
- Permit — Forwards packets which meet the ACL criteria.
- MAC Address — Matches the source MAC address from which packets are addressed to the ACE.
- Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The MAC Based ACL is defined, and the device is updated.
Adding Rule to MAC Based ACL
STEP 1 Click Security > Access Control Lists (ACL) > MAC Based ACL. The MAC Based ACL Page opens.
STEP 2 Select an existing ACL from the ACL Name drop-down list.
STEP 3 Click the Add Rule button.
- MAC Address — Matches the source MAC address from which packets are addressed to the ACE.
- Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important.
STEP 4 Define the relevant fields.
STEP 5 Click Apply. The ACL Rule is defined, and the device is updated.
Modifying MAC Based ACL
STEP 1 Click Security > Access Control Lists (ACL) > MAC Based ACL. The MAC Based ACL Page opens.
STEP 2 Click the Edit button. The Rule Settings Page opens:
Rule Settings Page
The Rule Settings Page contains the following fields:
• ACL Name — Displays the user-defined MAC based ACLs.
- Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important.
STEP 4 Click Apply. The MAC Based ACL is modified, and the device is updated.
Defining IP Based ACL
The IP Based ACL Page contains information for defining IP Based ACLs, including the ACEs defined for IP Based ACLs. To define an IP based ACL:
STEP 1 Click Security > Access Control Lists (ACL) > IP Based ACL.
• Protocol — Creates an ACE based on a specific protocol. The possible field values are:
- ICMP — Internet Control Message Protocol (ICMP). The ICMP allows the gateway or destination host to communicate with the source host. For example, to report a processing error.
- IGMP — Internet Group Management Protocol (IGMP). Allows hosts to notify their local switch or router that they want to receive transmissions assigned to a specific multicast group.
- AH — Authentication Header (AH). Provides source host authentication and data integrity.
- EIGRP — Enhanced Interior Gateway Routing Protocol (EIGRP). Provides fast convergence, support for variable-length subnet masks, and support for multiple network layer protocols.
•
- IP Address — Displays the source port IP address to which packets are addressed to the ACE.
- Wildcard Mask — Displays the source IP address wildcard mask. Wildcard masks specify which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important. For example, if the source IP address is 149.36.184.198 and the wildcard mask is 255.36.
Add IP Based ACL Page
The Add IP Based ACL Page contains the following fields:
• ACL Name — Defines the user-defined IP based ACLs.
• New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.
- Psh — Push
- Rst — Reset
- Syn — Synchronize
- Fin — Final
• ICMP — Indicates if ICMP packets are permitted on the network. The possible field values are as follows:
• ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.
• Traffic Class — Indicates the traffic class to which the packets are matched. The possible field values are:
- Checked — Matches packets to traffic classes.
- Unchecked — Does not match packets to traffic classes.
• Action — Indicates the action assigned to the packet matching the ACL. Packets are forwarded or dropped.
Edit IP Based ACL Page
The Edit IP Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
• New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the ACL Page above.
• ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.
• IGMP — Filters packets by IGMP message or message types.
• Source
- IP Address — Matches the source port IP address from which packets are addressed to the ACE.
- Wildcard Mask — Defines the source IP address wildcard mask.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The IP Based ACL is modified, and the device is updated.
Adding an IP Based Rule
STEP 1 Click Security > Access Control Lists (ACL) > IP Based ACL. The IP Based ACL Page opens:
STEP 2 Select an ACL from the ACL Name drop-down list.
STEP 3 Click the Add Rule button.
• Source Port — Defines the TCP/UDP source port to which the ACE is matched. This field is active only if 800/6-TCP or 800/17-UDP are selected in the Select from List drop-down list. The possible field range is 0 - 65535.
• Destination Port — Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17-UDP are selected in the Select from List drop-down list. The possible field range is 0 - 65535.
STEP 4 Define the relevant fields.
STEP 5 Click Apply. The IP Based ACL is modified, and the device is updated.
Defining ACL Binding
When an ACL is bound to an interface, all the ACE rules that have been defined are applied to the selected interface. Whenever an ACL is assigned on a port or an EtherChannel, flows from that ingress interface that do not match the ACL are matched to the default rule, which is Drop unmatched packets.
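The matching behaviour described in this section (wildcard masks in which a set bit means "ignore", first-match evaluation by priority, and the default Drop rule once an ACL is bound) is modeled below in Python. This is an added example, not Cisco code: the class and function names and the sample rules are constructed for illustration, lower priority values are assumed to be evaluated first, and the `shadowed` check goes beyond the page to flag ACEs that can never match.

```python
"""ACL matching model: wildcard masks, first-match order, default drop.
Added illustration only; class names and sample rules are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IP_ALL = 0xFFFFFFFF
MAC_ALL = 0xFFFFFFFFFFFF


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def mac_int(text: str) -> int:
    octets = text.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(octets), 16)


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means 'must match'."""
    care = ~ip_int(wildcard) & IP_ALL
    return (ip_int(addr) & care) == (ip_int(rule_addr) & care)


def mac_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    care = ~mac_int(wildcard) & MAC_ALL
    return (mac_int(addr) & care) == (mac_int(rule_addr) & care)


@dataclass(frozen=True)
class Ace:
    priority: int                    # assumption: lower value is evaluated first
    action: str                      # "permit" or "deny"
    src_ip: str
    src_wildcard: str
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    dst_port: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol is not None and ace.protocol != pkt.protocol:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return ip_matches(pkt.src_ip, ace.src_ip, ace.src_wildcard)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; unmatched traffic hits the default drop rule."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def covers(earlier: Ace, later: Ace) -> bool:
    """True if every packet that matches `later` also matches `earlier`."""
    if earlier.protocol is not None and earlier.protocol != later.protocol:
        return False
    if earlier.dst_port is not None and earlier.dst_port != later.dst_port:
        return False
    care_e = ~ip_int(earlier.src_wildcard) & IP_ALL
    care_l = ~ip_int(later.src_wildcard) & IP_ALL
    if care_e & ~care_l & IP_ALL:
        return False                 # earlier ACE tests a bit the later one ignores
    return (ip_int(earlier.src_ip) & care_e) == (ip_int(later.src_ip) & care_e)


def shadowed(acl: List[Ace]) -> List[int]:
    """Priorities of ACEs that can never fire because an earlier ACE covers them."""
    ordered = sorted(acl, key=lambda a: a.priority)
    return [later.priority for i, later in enumerate(ordered)
            if any(covers(e, later) for e in ordered[:i])]


# Constructed sample ACL using documentation address ranges.
SAMPLE_ACL = [
    Ace(10, "deny", "192.0.2.0", "0.0.0.255"),
    Ace(20, "permit", "192.0.2.10", "0.0.0.0", "tcp", 22),
    Ace(30, "permit", "198.51.100.0", "0.0.0.255", "tcp", 443),
]

if __name__ == "__main__":
    for p in (Packet("192.0.2.10", "tcp", 22), Packet("198.51.100.7", "tcp", 443),
              Packet("203.0.113.1", "tcp", 443)):
        print(p, "->", evaluate(SAMPLE_ACL, p))
    print("unreachable ACE priorities:", shadowed(SAMPLE_ACL))
```

In the sample, the host-specific permit at priority 20 never takes effect because the broader deny at priority 10 matches first, which is the kind of ordering mistake worth checking for before binding an ACL to a port.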
• To Entry Number(s) — Assigns the copied ACL binding configuration to the specified table entry.
• Ports/EtherChannels — Indicates the interface to which the ACL is bound. For each entry, an interface has a bound ACL.
• Interface — Indicates the interface to which the associated ACL is bound.
• ACL Name — Indicates the ACL which is bound to the associated interface.
• Type — Indicates the ACL type which is bound to the interface.
STEP 4 Click Apply. The ACL binding is defined, and the device is updated.
Defining DoS Prevention
Denial of Service (DoS) prevention increases network security by preventing packets with invalid IP addresses from entering the network. DoS prevention eliminates packets from malicious networks which can compromise a network’s stability. The device provides a Security Suite that allows administrators to match, discard, and redirect packets based on packet header values.
STEP 1 Click Security > DoS Prevention > Global Settings. The Global Settings Page opens:
Global Settings Page
The Global Settings Page contains the following fields:
• Security Suite Status — Indicates if DoS security is enabled on the device. The possible field values are:
- Enable — Enables DoS security.
- Disable — Disables DoS security on the device. This is the default value.
• Back Orifice Trojan — Discards UDP packets with destination UDP port equal to 31337 and source UDP port equal to 1024.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The DoS prevention global settings are defined, and the device is updated.
Defining Martian Addresses
Martian Address Filtering enables discarding IP packets from invalid IP addresses.
STEP 1 Click Security > DoS Prevention > Martian Addresses. The Martian Addresses Page opens:
Martian Addresses Page
The Martian Addresses Page contains the following fields:
• Include Reserved Martian Addresses — Indicates that packets arriving from Martian addresses are dropped. Enabled is the default value. When enabled, the following IP addresses are included:
- 0.0.0.0/8 (except 0.0.0.0/32), 127.0.0.0/8
- 192.0.2.0/24, 224.0.0.0/4
- 240.0.
Add Martian Addresses Page
The Add Martian Addresses Page contains the following fields:
• IP Address — Enter the Martian IP addresses for which DoS attack prevention is enabled. The possible values are:
- One of the addresses in the Martian IP address list.
- New IP Address — Enter an IP Address that is not on the list.
• Mask — Enter the Mask for which DoS attack prevention is enabled.
• Prefix Length — Defines the IP route prefix for the destination IP.
Defining DHCP Snooping
The DHCP Snooping Table contains the untrusted interfaces' MAC address, IP address, Lease Time, VLAN ID, and interface information.
STEP 1 Click Security > DHCP Snooping > Properties. The DHCP Snooping Properties Page opens:
DHCP Snooping Properties Page
The DHCP Snooping Properties Page contains the following fields:
• Enable DHCP Snooping — Indicates if DHCP Snooping is enabled on the device. The possible field values are:
- Checked — Enables DHCP Snooping on the device.
- Unchecked — Disables DHCP Snooping on the device. This is the default value.
- Checked — Verifies (on an untrusted port) that the source MAC address of the Layer 2 header matches the client hardware address as it appears in the DHCP Header (part of the payload).
- Unchecked — Disables verifying that the source MAC address of the Layer 2 header matches the client hardware address as it appears in the DHCP Header. This is the default value.
• Backup Database — Indicates if the DHCP Snooping Database learning and update is enabled.
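The MAC address verification option described above compares two fields of the same frame: the Ethernet source address and the client hardware address (chaddr) inside the DHCP header. The following Python sketch is an added example, not the switch's implementation; the function names, the constructed sample frames and the choice to drop truncated DHCP messages are assumptions of the example.

```python
"""DHCP snooping MAC verification model (added example; names are hypothetical)."""
import struct
from typing import Optional, Tuple

ETH_IPV4, ETH_VLAN, IPPROTO_UDP = 0x0800, 0x8100, 17
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
CHADDR_OFFSET = 28          # offset of chaddr inside the BOOTP/DHCP header


def extract_macs(frame: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (layer-2 source MAC, DHCP chaddr) for a client DHCP message.

    Returns None for frames that are not client-to-server DHCP and raises
    ValueError for a DHCP message too short to contain chaddr.
    """
    if len(frame) < 14:
        return None
    l2_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:                     # skip one 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    if ihl < 20 or frame[offset + 9] != IPPROTO_UDP:
        return None
    udp = offset + ihl
    if len(frame) < udp + 8:
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if (sport, dport) != (DHCP_CLIENT_PORT, DHCP_SERVER_PORT):
        return None
    bootp = udp + 8
    if len(frame) < bootp + CHADDR_OFFSET + 16:
        raise ValueError("DHCP message truncated before end of chaddr")
    htype, hlen = frame[bootp + 1], frame[bootp + 2]
    if htype != 1 or hlen != 6:
        raise ValueError("chaddr is not a 6-byte Ethernet address")
    chaddr = frame[bootp + CHADDR_OFFSET:bootp + CHADDR_OFFSET + 6]
    return l2_src, chaddr


def check_frame(frame: bytes, trusted: bool) -> str:
    """Verdict for one ingress frame: 'forward', 'drop' or 'not-dhcp'."""
    if trusted:
        return "forward"                 # the check applies to untrusted ports only
    try:
        macs = extract_macs(frame)
    except ValueError:
        return "drop"                    # assumption of this example: fail closed
    if macs is None:
        return "not-dhcp"
    l2_src, chaddr = macs
    return "forward" if l2_src == chaddr else "drop"


def build_discover(l2_src: bytes, chaddr: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER frame (checksums left at zero)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += bytes(16)                            # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr + bytes(10)                   # chaddr padded to 16 bytes
    bootp += bytes(192)                           # sname and file
    bootp += b"\x63\x82\x53\x63\x35\x01\x01\xff"  # magic cookie, type=DISCOVER, end
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0,
                     64, IPPROTO_UDP, 0, bytes(4), b"\xff" * 4)
    eth = b"\xff" * 6 + l2_src + struct.pack("!H", ETH_IPV4)
    return eth + ip + udp + bootp


# Constructed sample MACs (locally administered addresses).
CLIENT = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("0200000000aa")
HONEST = build_discover(CLIENT, CLIENT)
MISMATCH = build_discover(CLIENT, OTHER)   # L2 source differs from chaddr

if __name__ == "__main__":
    print("honest, untrusted port:  ", check_frame(HONEST, trusted=False))
    print("mismatch, untrusted port:", check_frame(MISMATCH, trusted=False))
    print("mismatch, trusted port:  ", check_frame(MISMATCH, trusted=True))
```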
STEP 1 Click Security > DHCP Snooping > VLAN Settings. The DHCP Snooping VLAN Settings Page opens:
DHCP Snooping VLAN Settings Page
The DHCP Snooping VLAN Settings Page contains the following fields:
• VLAN ID — Indicates the VLAN to be added to the Enabled VLAN list.
• Enabled VLANs — Contains a list of VLANs for which DHCP Snooping is enabled.
STEP 2 Enter the VLAN name from the VLAN ID list and click Add.
STEP 1 Click Security > DHCP Snooping > Trusted Interfaces. The Trusted Interfaces Page opens:
Trusted Interfaces Page
The Trusted Interfaces Page contains the following fields:
• Ports — Displays the ports which can be defined as trusted.
• EtherChannels — Displays the EtherChannels which can be defined as trusted.
Trusted Interface Table
• Interface — Contains a list of existing interfaces.
Edit Trusted Interface Page
The Edit Trusted Interface Page contains the following fields:
• Interface — Contains a list of existing interfaces.
• Trust Status — Indicates whether the interface is a Trusted Interface.
- Enable — Interface is in trusted mode.
- Disable — Interface is in untrusted mode.
STEP 4 Define the fields.
STEP 5 Click Apply. The Trusted Interfaces configuration is defined and the device is updated.
STEP 1 Click Security > DHCP Snooping > Binding Database. The Binding Database Page opens:
Binding Database Page
STEP 2 Define any of the following fields as a query filter:
Query By
• MAC Address — Indicates the MAC addresses recorded in the DHCP Database. The Database can be queried by MAC address.
• IP Address — Indicates the IP addresses recorded in the DHCP Database. The Database can be queried by IP address.
- EtherChannel — Queries the VLAN database by EtherChannel number.
STEP 3 Click Query. The results appear in the Query Results table.
Query Results
The Query Results table contains the following fields:
• MAC Address — Indicates the MAC address found during the query.
• VLAN ID — Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database.
• IP Address — Indicates the IP address found during the query.
Add DHCP Snooping Entry Page
The window displays the following fields:
• Type — Displays the IP address binding type. The possible field values are:
- Static — Indicates the IP address is static.
- Dynamic — Indicates the IP address is defined as a dynamic address in the DHCP database.
• VLAN ID — Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database.
• IP Address — Indicates the IP address found during the query.
Defining IP Source Guard
IP Source Guard is a security feature that restricts the client IP traffic to those source IP addresses configured in the DHCP Snooping Binding Database and in manually configured IP source bindings. For example, IP Source Guard can help prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
STEP 1 Click Security > DHCP Snooping > IP Source Guard > Properties. The IP Source Guard Properties Page opens:
IP Source Guard Properties Page
The IP Source Guard Properties Page contains the following fields:
• IP Source Guard Status — Enables the use of IP Source Guard status on the device.
- Enable — Indicates that IP Source Guard is enabled for the device.
- Disable — Indicates that IP Source Guard is disabled for the device.
Defining IP Source Guard Interface Settings
In the IP Source Guard Interface Settings Page, IP Source Guard can be enabled on DHCP Snooping untrusted interfaces, permitting the transmission of DHCP packets allowed by DHCP Snooping. If source IP address filtering is enabled, packet transmission is permitted as follows:
• IPv4 traffic — Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.
STEP 1 Click Security > DHCP Snooping > IP Source Guard > Interface Settings. The IP Source Guard Interface Settings Page opens:
IP Source Guard Interface Settings Page
The IP Source Guard Interface Settings Page contains the following radio buttons and fields:
• Ports — Displays the port on which the IP source guard is enabled.
• EtherChannels — Displays the EtherChannels on which the IP source guard is enabled.
Edit Interface Settings Page
STEP 3 Define the fields.
STEP 4 Click Apply. The new IP Source Guard Interface configuration is added, and the device is updated.
Querying the IP Source Binding Database
The IP Source Guard Binding Database Page enables network managers to query and view information about inactive addresses recorded in the DHCP Database.
STEP 1 Click Security > DHCP Snooping > IP Source Guard > Binding Database. The IP Source Guard Binding Database Page opens:
IP Source Guard Binding Database Page
The IP Source Guard Binding Database Page contains the following fields:
TCAM Resources
• Insert Inactive — The IP Source Guard Database uses the TCAM resources for managing the database. If TCAM resources are not available, IP source guard addresses may become inactive.
Query By
STEP 2 In the Query By section, select and define the preferred filter for searching the IP Source Guard Database:
• MAC Address — Queries the database by MAC address.
• IP Address — Queries the database by IP address.
• VLAN — Queries the database by VLAN ID.
• Interface — Queries the database by interface number. The possible field values are:
- Port — Queries the database by a specific port number.
- VLAN — Indicates that DHCP Snooping is not enabled on the VLAN.
- Trusted Port — Indicates the port is a trusted port.
- Resource Problem — Indicates that the TCAM is full.
STEP 4 Define the relevant fields. Click Apply and the device is updated.
Defining Dynamic ARP Inspection
Dynamic Address Resolution Protocol (ARP) is a TCP/IP protocol for translating IP addresses into MAC addresses.
If the packet’s IP address was not found in the ARP Inspection List, and DHCP snooping is enabled for a VLAN, a search of the DHCP Snooping Database is performed. If the IP address is found, the packet is valid and is forwarded.
NOTE ARP inspection is performed only on untrusted interfaces.
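The lookup order described above (static ARP Inspection List first, then the DHCP Snooping Database when snooping is enabled for the VLAN, with trusted interfaces skipped) can be modeled as follows. This is an added Python example, not the switch's code: the `ArpInspector` class, port names and bindings are constructed, and comparing the sender MAC against the stored binding and dropping packets with no binding are assumptions of the example that this excerpt does not spell out.

```python
"""ARP inspection lookup order (added example; all names are hypothetical)."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


def parse_arp(payload: bytes) -> Tuple[str, str]:
    """Return (sender IP, sender MAC) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = ":".join(f"{b:02x}" for b in payload[8:14])
    return str(ipaddress.IPv4Address(payload[14:18])), mac


def build_arp(sender_ip: str, sender_mac: str, target_ip: str, oper: int = 2) -> bytes:
    """Construct an ARP payload for the samples below (oper 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + bytes.fromhex(sender_mac.replace(":", ""))
            + ipaddress.IPv4Address(sender_ip).packed
            + bytes(6)
            + ipaddress.IPv4Address(target_ip).packed)


@dataclass
class ArpInspector:
    inspected_vlans: Set[int]                  # VLANs with ARP Inspection enabled
    trusted_ports: Set[str]
    static_lists: Dict[int, Dict[str, str]]    # VLAN -> {IP: MAC} from its ARP Inspection List
    snooping_vlans: Set[int] = field(default_factory=set)
    snooping_db: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (VLAN, IP) -> MAC

    def inspect(self, port: str, vlan: int, payload: bytes) -> Tuple[str, str]:
        """Return (verdict, reason) for one ARP packet received on `port`."""
        if port in self.trusted_ports:
            return "forward", "trusted interface, not inspected"
        if vlan not in self.inspected_vlans:
            return "forward", "ARP inspection not enabled on VLAN"
        try:
            ip, mac = parse_arp(payload)
        except ValueError as exc:
            return "drop", f"malformed: {exc}"
        static = self.static_lists.get(vlan, {})
        if ip in static:                       # 1. static ARP Inspection List
            ok = static[ip].lower() == mac
            return ("forward" if ok else "drop",
                    "static list " + ("match" if ok else "MAC mismatch"))
        if vlan in self.snooping_vlans:        # 2. DHCP Snooping Database
            bound = self.snooping_db.get((vlan, ip))
            if bound is not None:
                ok = bound.lower() == mac
                return ("forward" if ok else "drop",
                        "DHCP snooping " + ("match" if ok else "MAC mismatch"))
        return "drop", "no binding for sender IP"


# Constructed sample state: one inspected VLAN, one trusted uplink port.
SWITCH = ArpInspector(
    inspected_vlans={10},
    trusted_ports={"g1"},
    static_lists={10: {"192.0.2.1": "02:00:00:00:00:01"}},    # gateway, static entry
    snooping_vlans={10},
    snooping_db={(10, "192.0.2.50"): "02:00:00:00:00:50"},     # learned DHCP lease
)
GATEWAY_OK = build_arp("192.0.2.1", "02:00:00:00:00:01", "192.0.2.50")
GATEWAY_SPOOF = build_arp("192.0.2.1", "02:00:00:00:00:66", "192.0.2.50")
LEASE_OK = build_arp("192.0.2.50", "02:00:00:00:00:50", "192.0.2.1")
UNKNOWN = build_arp("192.0.2.99", "02:00:00:00:00:99", "192.0.2.1")

if __name__ == "__main__":
    for name, pkt in (("gateway", GATEWAY_OK), ("spoofed gateway", GATEWAY_SPOOF),
                      ("lease holder", LEASE_OK), ("unknown host", UNKNOWN)):
        print(f"{name:16s}", SWITCH.inspect("e5", 10, pkt))
    print(f"{'spoof on uplink':16s}", SWITCH.inspect("g1", 10, GATEWAY_SPOOF))
```

The last case shows why the trusted-interface setting matters: a packet that would be dropped on an access port is forwarded unchecked when it arrives on a port marked trusted.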
STEP 1 Click Security > ARP Inspection > Properties. The ARP Inspection Properties Page opens:
ARP Inspection Properties Page
The ARP Inspection Properties Page contains the following fields:
• Enable ARP Inspection — Enables ARP Inspection on the device. The possible field values are:
- Checked — Enables ARP Inspection on the device.
- Unchecked — Disables ARP Inspection on the device. This is the default value.
• Log Buffer Interval — Defines the minimal interval between successive Syslog messages. The possible field values are:
- Retry Frequency — Frequency at which the log is updated. The possible range is 0-86400 seconds. 0 seconds specifies immediate transmissions of Syslog messages. The default value is 5 seconds.
- Never — Log is never updated.
STEP 2 Define the fields.
STEP 3 Click Apply.
STEP 1 Click Security > ARP Inspection > Trusted Interfaces. The ARP Inspection Trusted Interfaces Page opens:
ARP Inspection Trusted Interfaces Page
The ARP Inspection Trusted Interfaces Page contains the following fields:
• Ports — Specifies the Port on which ARP Inspection Trust mode can be enabled.
• EtherChannels — Specifies the EtherChannel for which the Trusted Interface settings are displayed.
STEP 2 Click Edit. The Edit Interface Settings Page opens:
Edit Interface Settings Page
STEP 3 Define the fields.
STEP 4 Click Apply. The Trusted Interface’s configuration is modified, and the device is updated.
Defining ARP Inspection List
The ARP Inspection List Page provides information for creating static ARP Binding Lists.
STEP 1 Click Security > ARP Inspection > ARP Inspection List. The ARP Inspection List Page opens:
ARP Inspection List Page
The ARP Inspection List Page contains the following fields:
• ARP Inspection List Name — Pull-down list of the Inspection List names.
• Delete and Add Buttons — Delete or Add user-defined ARP Inspection Lists.
Add ARP List Page
STEP 3 Define the fields and click Apply. The new ARP Inspection List is added and the device is updated.
Adding a Binding List entry
STEP 1 Select an ARP Inspection List Name from the drop-down list.
STEP 2 Click Add under Static ARP Table. The Add ARP Binding Page opens:
Add ARP Binding Page
STEP 3 Define the fields.
STEP 4 Click Apply. The ARP Binding entry is added, and the device is updated.
Assigning ARP Inspection VLAN Settings
The ARP Inspection VLAN Settings Page contains fields for enabling ARP Inspection on VLANs. In the Enabled VLAN table, users assign static ARP Inspection Lists to enabled VLANs.
STEP 1 Click Security > ARP Inspection > VLAN Settings. The ARP Inspection VLAN Settings Page opens:
ARP Inspection VLAN Settings Page
The ARP Inspection VLAN Settings Page contains the following fields:
• VLAN ID — A user-defined VLAN ID to add to the Enabled VLANs list.
• List Name — Contains a list of VLANs in which ARP Inspection is enabled.
Add ARP VLAN Settings Page
The Add ARP VLAN Settings Page contains the following fields:
• VLAN ID — Select the VLAN which includes the specified ARP Inspection List.
• List Name — Select a static ARP Inspection List to assign to the VLAN. These lists are defined in the ARP Inspection List Page.
STEP 3 Define the fields.
STEP 4 Click Apply. The new ARP VLAN configuration is defined, and the device is updated.
Configuring Ports
Port Settings
The Port Settings Page contains fields for defining port parameters. To define port settings:
STEP 1 Click VLAN & Port Settings > Port Management > Port Settings. The Port Settings Page opens:
Port Settings Page
The Port Settings Page contains the following fields:
• Copy From Entry Number — Copies the port configuration from the specified table entry.
• Port Type — Displays the port type. The possible field values are:
- 100M — Copper
- 1000M — Copper (copper cable).
- 1000M — ComboC (combo port with copper cable 3).
- 1000M — ComboF (combo port with optic fiber cable).
- 1000M FiberOptics — Indicates the port has a fiber optic port connection.
• Port Status — Displays the port connection status. The possible field values are:
- Up — Port is connected.
- Down — Port is disconnected.
Modifying Port Settings
STEP 1 Click VLAN & Port Settings > Port Management > Port Settings. The Port Settings Page opens:
STEP 2 Click a specific entry’s Edit button. The Edit Port Page opens:
Edit Port Page
The Edit Port Page contains the following fields:
• Port — Displays the port number.
• Description — Use this field to optionally define a name for the port.
• Port Type — Displays the port type.
- 100M — Copper
- 1000M — Copper (copper cable).
- 1000M — ComboC (combo port with copper cable 3).
- 1000M — ComboF (combo port with optic fiber cable).
- 1000M FiberOptics — Indicates the port has a fiber optic port connection.
• Admin Status — Indicates whether the port is currently operational or nonoperational. The possible field values are:
- Up — Indicates the port is currently operating.
- Down — Indicates the port is currently not operating.
• Admin Advertisement — Specifies the capabilities to be advertised by the Port. The possible field values are:
- Max Capability — Indicates that all port speeds and Duplex mode settings can be accepted.
- 10 Half — Indicates that the port is advertising a 10 Mbps speed and half Duplex mode setting.
- 10 Full — Indicates that the port is advertising a 10 Mbps speed and full Duplex mode setting.
Ethernet cable can be used, and the pairs are matched up properly. When two hubs or switches are connected to each other, or two end stations are connected to each other, a crossover cable is used to ensure that the correct pairs are connected. The possible field values are:
- MDIX — Use for hubs and switches.
- Auto — Use to automatically detect the cable type.
- MDI — Use for end stations.
STEP 3
• Current MDI/MDIX — Displays the current MDI/MDIX setting.
Configuring VLANs
VLANs are logical subgroups within a Local Area Network (LAN) which combine user stations and network devices into a single unit, regardless of the physical LAN segment to which they are attached. VLANs allow network traffic to flow more efficiently within subgroups. VLANs use software to reduce the amount of time it takes for network changes, additions, and moves to be implemented.
Defining VLAN Properties
The VLAN Properties Page provides information and global parameters for configuring and working with VLANs. To define VLAN properties:
STEP 1 Click VLAN & Port Settings > VLAN Management > Properties. The VLAN Properties Page opens.
VLAN Properties Page
The VLAN Properties Page contains the following fields:
• VLAN ID — Displays the VLAN ID.
• VLAN Name — Displays the user-defined VLAN name.
• Type — Displays the VLAN type.
• Authentication — Indicates whether unauthorized users can access a Guest VLAN. The possible field values are:
- Enable — Enables unauthorized users to use the Guest VLAN.
- Disable — Disables unauthorized users from using the Guest VLAN.
STEP 2 Click the Add button.
Modifying VLANs
STEP 1 Click VLAN & Port Settings > VLAN Management > Properties. The VLAN Properties Page opens.
STEP 2 Click Edit. The Edit VLAN Page opens:
Edit VLAN Page
The Edit VLAN Page contains information for enabling VLAN guest authentication, and includes the following fields:
• VLAN ID — Displays the VLAN ID.
• VLAN Name — Defines the VLAN name.
• Disable Authentication — Indicates whether unauthorized users can access a Guest VLAN.
STEP 3 Define the relevant fields.
STEP 4 In the Port List, select the ports to include in the VLAN and click the adjacent right arrow. The selected ports then appear in the VLAN Members list.
STEP 5 Click Apply. The VLAN Settings are defined, and the device is updated.
Defining VLAN Membership
The Port to VLAN Page contains a table that maps VLAN parameters to ports. Ports are assigned VLAN membership by toggling through the Port Control settings.
• VLAN Name — Displays the VLAN name.
• VLAN Type — Indicates the VLAN type. The possible field values are:
- Dynamic — Indicates the VLAN was dynamically created through GVRP.
- Static — Indicates the VLAN is user-defined.
- Default — Indicates the VLAN is the default VLAN.
• Ports — Indicates that ports are described in the page.
• EtherChannels — Indicates that EtherChannels are described in the page.
[Figure: Edit Interface Status Page]

The Edit Interface Status Page contains the following fields:

• VLAN ID — Displays the VLAN ID.
• VLAN Name — Displays the VLAN name.
• Interface — Defines the port or EtherChannel attached to the VLAN.
• Interface Status — Defines the current interface’s membership status in the VLAN. The possible field values are:
  - Untagged — Indicates the interface is an untagged VLAN member. Packets forwarded by the interface are untagged.
Assigning Ports to Multiple VLANs

Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection support VLANs.
STEP 1 Click VLAN & Port Settings > VLAN Management > VLAN to Port. The VLAN To Port Page opens:

[Figure: VLAN To Port Page]

The VLAN To Port Page contains the following fields:

• Ports — Indicates that ports are described in the page.
• EtherChannels — Indicates that EtherChannels are described in the page.
• Port — Displays the port number.
• Mode — Indicates the port mode.
• Join VLAN — Defines the VLANs to which the interface is joined. Pressing the Join VLAN button displays the Join VLAN to Port Page. Select the VLAN to which to add the port, select the VLANs to be tagged or untagged and click >>. To remove the VLAN allocation to the port, select the VLAN already assigned to the port and click <<.

STEP 2

• VLANs — Specifies the VLAN in which the port is a member.
Defining Interface Settings

The VLAN Interface Setting Page provides parameters for managing ports that are part of a VLAN. The port default VLAN ID (PVID) is configured on the VLAN Port Settings page. All untagged packets arriving at the device are tagged with the port’s PVID.

STEP 1 Click VLAN & Port Settings > VLAN Management > Interface Settings.
• Interface — The port number included in the VLAN.
• Interface VLAN Mode — Indicates the port mode. Possible values are:
  - General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
  - Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port (packet type) cannot be designated.
[Figure: Edit VLAN Port Page]

The Edit VLAN Port Page contains the following fields:

• Interface — The port or EtherChannel associated with this VLAN interface configuration.
• VLAN Mode — Indicates the port mode. Possible values are:
  - General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
  - Access — The port belongs to a single untagged VLAN.
• Ingress Filtering — Ingress filtering discards packets that are classified to a VLAN of which the ingress port is not a member. The possible values are:
  - Enable — Ingress filtering is activated on the port.
  - Disable — Ingress filtering is not activated on the port.

STEP 4 Define the relevant fields.

STEP 5 Click Apply. The VLAN Interface settings are modified, and the device is updated.
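How PVID assignment, tagged/untagged membership and ingress filtering combine on a port, as an added Python model (not part of this guide and not the switch's firmware). Port names and VLAN IDs are constructed, and treating every frame as flooded to all member ports is a simplifying assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    """One switch port, using the settings named on the VLAN Interface Settings page."""
    name: str
    mode: str = "access"              # "access" or "general"
    pvid: int = 1                     # default: every port is untagged in VLAN 1
    ingress_filtering: bool = True
    # VLAN ID -> "tagged" or "untagged" (the membership's Interface Status)
    membership: Dict[int, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.mode == "access" or not self.membership:
            # Access: the port belongs to a single untagged VLAN (its PVID).
            self.membership = {self.pvid: "untagged"}


def classify_ingress(port: Port, frame_vid: Optional[int]) -> Tuple[int, str]:
    """Return (vlan, verdict) for a frame arriving on `port`.

    frame_vid is the 802.1Q VLAN ID carried by the frame, or None if untagged.
    """
    # Untagged frames are assigned to the port's PVID.
    vlan = port.pvid if frame_vid is None else frame_vid
    # Ingress filtering: drop frames for VLANs this port is not a member of.
    if port.ingress_filtering and vlan not in port.membership:
        return vlan, "discard"
    return vlan, "accept"


def forward(ports: List[Port], in_name: str, frame_vid: Optional[int]) -> Dict[str, str]:
    """Return {egress port: 'tagged' | 'untagged'} for a frame flooded in its VLAN."""
    in_port = next(p for p in ports if p.name == in_name)
    vlan, verdict = classify_ingress(in_port, frame_vid)
    if verdict == "discard":
        return {}
    return {
        p.name: p.membership[vlan]
        for p in ports
        if p.name != in_name and vlan in p.membership
    }


def build_ports(filtering_on_e2: bool) -> List[Port]:
    """Constructed four-port layout: desktops in VLAN 10, voice in 20, servers in 30."""
    return [
        Port("e1", mode="access", pvid=10),
        Port("e2", mode="general", pvid=10, ingress_filtering=filtering_on_e2,
             membership={10: "untagged", 20: "tagged"}),
        Port("e3", mode="access", pvid=30),
        Port("g1", mode="general", pvid=1,
             membership={10: "tagged", 20: "tagged", 30: "tagged"}),
    ]


def demo(filtering_on_e2: bool) -> Dict[str, str]:
    """A frame tagged for VLAN 30 arrives on e2, which is not a member of VLAN 30."""
    return forward(build_ports(filtering_on_e2), "e2", 30)


if __name__ == "__main__":
    print("filtering enabled :", demo(True))
    print("filtering disabled:", demo(False))
    print("untagged on e2    :", forward(build_ports(True), "e2", None))
```

With filtering disabled on the General-mode port, the VLAN 30 frame reaches the server port even though e2 was never made a member of VLAN 30, which is the case the Ingress Filtering setting exists to prevent.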
STEP 1 Click VLAN & Port Settings > VLAN Management > GVRP Settings. The GVRP Settings Page opens:

[Figure: GVRP Settings Page]

The GVRP Settings Page contains the following fields:

• GVRP Global Status — Indicates if GVRP is enabled on the device. The possible field values are:
  - Enable — Enables GVRP on the device.
  - Disable — Disables GVRP on the device.
• Copy From Entry Number — Copies GVRP parameters from the specified table entry.
• GVRP State — Indicates if GVRP is enabled on the interface. The possible field values are:
  - Enabled — Enables GVRP on the selected interface.
  - Disabled — Disables GVRP on the selected interface.
• Dynamic VLAN Creation — Indicates if Dynamic VLAN creation is enabled on the interface. The possible field values are:
  - Enabled — Enables Dynamic VLAN creation on the interface.
  - Disabled — Disables Dynamic VLAN creation on the interface.
[Figure: Edit GVRP Page]

The Edit GVRP Page contains the following fields:

• Interface — Port or EtherChannel described by the GVRP settings entry.
• GVRP State — Indicates if GVRP is enabled on the interface. The possible field values are:
  - Enable — Enables GVRP on the selected interface.
  - Disable — Disables GVRP on the selected interface.
• Dynamic VLAN Creation — Indicates if Dynamic VLAN creation is enabled on the interface.
Defining Protocol Groups

The Protocol Group Page contains information which describes the protocol names and the VLAN Ethernet type. Interfaces can be classified as a specific protocol-based interface.

STEP 1 Click VLAN & Port Settings > VLAN Management > Protocol Group. The Protocol Group Page opens:

[Figure: Protocol Group Page]

The Protocol Group Page contains the following fields:

STEP 2

• Frame Type — Displays the packet type.
[Figure: Add Protocol Group Page]

The Add Protocol Group Page provides information for configuring new VLAN protocol groups. The Add Protocol Group Page contains the following fields.

• Frame Type — Displays the packet type.
• Protocol Value — Defines the User-defined protocol value. The options are as follows:
  - Protocol Value — The possible values are IP, IPX, or ARP.
  - Ethernet-Based Protocol Value — Specify the value in hexadecimal format.
[Figure: Edit Protocol Group Page]

The Edit Protocol Group Page contains the following fields.

• Frame Type — Displays the packet type.
• Protocol Value — Displays the User-defined protocol value.
• Group ID (Hex) — Defines the Protocol group ID to which the interface is added. The possible value range is 1-2147483647 in hexadecimal format.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The Protocol group is modified, and the device is updated.
STEP 1 Click VLAN & Port Settings > VLAN Management > Protocol Port. The Protocol Port Page opens:

[Figure: Protocol Port Page]

The Protocol Port Page contains the following fields.

STEP 2

• Interface — Port or EtherChannel number added to a protocol group.
• Protocol Group ID — Protocol group ID to which the interface is added. Protocol group IDs are defined in the Protocol Group Table.
• VLAN ID — Attaches the interface to a user-defined VLAN ID.
[Figure: Add Protocol Port to VLAN Page]

The Add Protocol Port to VLAN Page contains the following fields.

• Interface — Port or EtherChannel number added to a protocol group.
• Group ID — Protocol group ID to which the interface is added. Protocol group IDs are defined in the Protocol Group Table.
• VLAN ID — Attaches the interface to a user-defined VLAN ID.
• VLAN Name — Attaches the interface to a user-defined VLAN Name.

STEP 3 Define the relevant fields.
Configuring IP Information

The IP address and default gateway can be either dynamically or statically configured. In Layer 2, a static IP address is configured on the IPv4 Interface Page. The Management VLAN is set to VLAN 1 by default, but can be modified.
STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > IPv4 Interface. The IPv4 Interface Page opens:

[Figure: IPv4 Interface Page]

The IPv4 Interface Page contains the following fields:

• Get Dynamic IP from DHCP Server — Retrieves the IP addresses using DHCP.
• Static IP Address — Permanent IP addresses are defined by the administrator. IP addresses are either configured on the Default VLAN or are user-defined.
• Active Default Gateway — Active default gateway’s IP Address.
• Remove User Defined — Removes the selected IP address from the interface. The possible field values are:
  - Checked — Removes the IP address from the interface.
  - Unchecked — Maintains the IP address assigned to the Interface.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The IP information is defined, and the device is updated.
STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > DHCP Relay > DHCP Server. The DHCP Server Page opens:

[Figure: DHCP Server Page]

The DHCP Server Page contains the following fields:

• DHCP Relay — Enables or disables DHCP Relay on the device. The possible values are:
  - Enable — Enables DHCP Relay on the device.
  - Disable — Disables DHCP Relay on the device.
• Option 82 — Indicates if Option 82 is enabled for DHCP.
[Figure: Add DHCP Server Page]

The Add DHCP Server Page contains the following field:

• DHCP Server IP Address — Defines the IP address assigned to the DHCP server.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The DHCP Server is defined, and the device is updated.
STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > DHCP Relay > DHCP Interfaces. The DHCP Interfaces Page opens:

[Figure: DHCP Interfaces Page]

The DHCP Interfaces Page contains the following fields:

• Check Box — Removes DHCP relay from an interface. The possible field values are:
  - Checked — Check this box and press Delete to remove the selected DHCP Relay interface.
[Figure: Add DHCP Interface Page]

The Add DHCP Interface Page contains the following field:

• Interface — Selects the interface to define DHCP Relay. The possible field value is:
  - VLAN — Defines the DHCP Relay on the selected VLAN.

STEP 3 Select the Interface on which to define a DHCP Relay.

STEP 4 Click Apply. A DHCP Relay Interface is defined, and the device is updated.
STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > ARP. The ARP Page opens:

[Figure: ARP Page]

The ARP Page contains the following fields.

• ARP Entry Age Out — Defines the amount of time (seconds) that passes between ARP requests about an ARP table entry. After this period, the entry is deleted from the table. The range is 1 - 40000000, where zero indicates that entries are never cleared from the cache. The default value is 60,000 seconds.
ARP Table

• Interface — Indicates the interface for which the ARP parameters are defined.
• IP Address — Indicates the station IP address, which is associated with the MAC address.
• MAC Address — Indicates the station MAC address, which is associated in the ARP table with the IP address.
• Status — Indicates the ARP Table entry status. Possible field values are:
  - Dynamic — Indicates the ARP entry was learned dynamically.
Modifying ARP Settings

STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > ARP. The ARP Page opens:

STEP 2 Click the Edit button. The Edit ARP Page opens:

[Figure: Edit ARP Page]

The Edit ARP Page contains the following fields:

• VLAN — Indicates the ARP-enabled interface.
• IP Address — Indicates the station IP address, which is associated with the MAC address filled in below.
Domain Name System

Domain Name System (DNS) converts user-defined domain names into IP addresses. Each time a domain name is assigned, the DNS service translates the name into a numeric IP address. For example, www.ipexample.com is translated into 192.87.56.2. DNS servers maintain databases of domain names and their corresponding IP addresses.
STEP 1 Click Monitor & Device Properties > System Management > Domain Name System (DNS) > DNS Servers. The DNS Servers Page opens:

[Figure: DNS Servers Page]

The DNS Servers Page contains the following fields.

• Enable DNS — Enables translating the DNS names into IP addresses. The possible field values are:
  - Checked — Translates the domains into IP addresses.
  - Unchecked — Disables translating domains into IP addresses.
  - Checked — Removes the selected DNS server.
  - Unchecked — Maintains the current DNS server list.

DNS Server Details

• DNS Server — Displays the DNS server’s IP address. Up to four DNS servers can be defined.
• Active Server — Specifies the DNS server that is currently active.

STEP 2 Click the Add button. The Add DNS Server Page opens:

[Figure: Add DNS Server Page]

The Add DNS Server Page allows system administrators to define new DNS servers.
STEP 1 Click Monitor & Device Properties > System Management > Domain Name System (DNS) > Host Mapping. The Host Mapping Page opens:

[Figure: Host Mapping Page]

The Host Mapping Page contains the following fields:

STEP 2

• Host Names — Displays a user-defined default domain name. When defined, the default domain name is applied to all unqualified host names. The Host Name field can contain up to 158 characters.
• IP Address — Displays the DNS host IP address.
[Figure: Add Host Name Page]

The Add Host Name Page contains the following fields:

• Host Name — Displays a user-defined default domain name. When defined, the default domain name is applied to all unqualified host names. The Host Name field can contain up to 158 characters.
• IP Address — Displays the DNS host IP address.
• IP Address 2 (optional) — Indicates the second network assigned to the interface.
Defining Address Tables

MAC addresses are stored in either the Static Address or the Dynamic Address databases. A packet addressed to a destination stored in one of the databases is forwarded immediately to the port. The Dynamic Address Table can be sorted by interface, VLAN, and MAC Address. MAC addresses are dynamically learned as packets from sources arrive at the device.
STEP 1 Click VLAN & Port Settings > Address Tables > Static. The Static Page opens:

[Figure: Static Page]

The Static Page contains the following fields:

• VLAN ID — Displays the VLAN ID number to which the entry refers.
• MAC Address — Displays the MAC address to which the entry refers.
• Interface — Displays the interface to which the entry refers:
  - Port — The specific port number to which the forwarding database parameters refer.
  - Delete on Timeout — The MAC address is deleted when a timeout occurs.
  - Secure — The MAC Address is defined for locked ports.

STEP 2 Click the Add button. The Add Static MAC Address Page opens:

[Figure: Add Static MAC Address Page]

The Add Static MAC Address Page contains the following fields:

• Interface — Defines the interface to which the entry refers:
  - Port — The specific port number to which the forwarding database parameters refer.
STEP 3 Define the relevant fields.

STEP 4 Click Apply. The Static MAC Address is added, and the device is updated.

Defining Dynamic Addresses

The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
STEP 1 Click VLAN & Port Settings > Address Tables > Dynamic. The Dynamic Page opens:

[Figure: Dynamic Page]

The Dynamic Page contains the following fields:

• Aging Interval — Specifies the amount of time in seconds the MAC address remains in the Dynamic MAC Address table before it is timed out, if no traffic from the source is detected. The default value is 300 seconds.
• Clear Table — If checked, clears the MAC address table.
Query By Section

In the Query By section, select the preferred option for sorting the addresses table:

• Interface — Specifies the interface for which the table is queried. The query can search for a specific port or EtherChannel.
• MAC Address — Specifies the MAC address for which the table is queried.
• VLAN ID — Specifies the VLAN ID for which the table is queried.
Configuring Multicast Forwarding

The Multicast section contains the following pages:

• IGMP Snooping
• Defining Multicast Group
• Defining Multicast Forwarding
• Defining Unregistered Multicast Settings

IGMP Snooping

When IGMP Snooping is enabled globally, all IGMP packets are forwarded to the CPU. The CPU analyzes the incoming packets and determines:

• Which ports want to join which Multicast groups.
NOTE In addition to the ESW 500 switch configuration, a PIM router (for example, the UC500) is configured as the upstream router.

To enable IGMP Snooping:

STEP 1 Click VLAN & Port Settings > Multicast > IGMP Snooping. The IGMP Snooping Page opens:

[Figure: IGMP Snooping Page]

The IGMP Snooping Page contains the following fields:

• Enable IGMP Snooping Status — Indicates that the device monitors network traffic to determine which hosts want to receive multicast traffic.
• IGMP Snooping Status — Indicates if IGMP snooping is enabled on the specific VLAN. The possible field values are:
  - Enabled — IGMP Snooping is enabled on the VLAN.
  - Disabled — IGMP Snooping is not enabled on the VLAN.
• Host Timeout — Indicates the amount of time the Host waits to receive a message before it times out. The default value is 260 seconds.
[Figure: Edit IGMP Snooping Page]

The Edit IGMP Snooping Page contains the following fields:

• VLAN ID — Specifies the VLAN ID.
• IGMP Status Enable — Indicates if IGMP snooping is enabled on the VLAN. The possible field values are:
  - Enable — Enables IGMP Snooping on the VLAN.
  - Disable — Disables IGMP Snooping on the VLAN.
• Auto Learn — Indicates if Auto Learn is enabled on the device.
STEP 4 Click Apply. The IGMP Snooping Parameters are modified, and the device is updated.

Defining Multicast Group

The Multicast Group Page displays the ports and EtherChannels that are members of Multicast service groups. The Port and EtherChannel tables also reflect the manner in which the port or EtherChannels joined the Multicast group. Ports can be added either to existing groups or to new Multicast service groups.
• Enable Bridge Multicast Filtering — Indicates if Bridge Multicast Filtering is enabled on the device. Bridge Multicast Filtering can be enabled only if IGMP Snooping is enabled. The possible field values are:
  - Checked — Enables Multicast Filtering on the device.
  - Unchecked — Disables Multicast Filtering on the device.
• VLAN ID — Specifies the VLAN ID.
• Bridge Multicast Address — Identifies the Multicast group MAC address.
• Bridge Multicast IP Address — Displays the IP address attached to the Multicast Group.
• Bridge Multicast MAC Address — Displays the MAC address attached to the Multicast Group.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The Multicast Group is added, and the device is updated.

Modifying a Multicast Group

STEP 1 Click VLAN & Port Settings > Multicast > Multicast Group.
  - Static — Attaches the interface to the Multicast group as a static member in the Static Row. The interface has joined the Multicast group statically in the Current Row.
  - Forbidden — Forbidden interfaces are not included in the Multicast group, even if IGMP Snooping designated the interface to join a Multicast group.
  - Excluded — The port is not part of a Multicast group.
STEP 1 Click VLAN & Port Settings > Multicast > Forward. The Multicast Forward Page opens:

[Figure: Multicast Forward Page]

The Multicast Forward Page contains the following fields:

• VLAN ID — Displays the VLAN ID.
• Ports — Displays the Multicast Forwarding ports’ status.
• EtherChannels — Displays the Multicast Forwarding status of all of the device’s EtherChannels.
  - Dynamic — Attaches the port to the Multicast group as a dynamic member.

Modifying Multicast Forwarding

STEP 2 Click VLAN & Port Settings > Multicast > Forward. The Multicast Forward Page opens:

STEP 3 Click the Edit button. The Edit Multicast Forward All Page opens:

[Figure: Edit Multicast Forward All Page]

The Edit Multicast Forward All Page contains the following fields:

• VLAN ID — Displays the VLAN ID.
STEP 5 Click Apply. The Multicast Forward All settings are modified, and the device is updated.

Defining Unregistered Multicast Settings

Multicast frames are generally forwarded to all ports in the VLAN. If IGMP Snooping is enabled, the device learns about the existence of Multicast groups and monitors which ports have joined which Multicast group. Multicast groups can also be statically enabled.
STEP 1 Click VLAN & Port Settings > Multicast > Unregistered Multicast. The Unregistered Multicast Page opens:

[Figure: Unregistered Multicast Page]

The Unregistered Multicast Page contains the following fields:

• Ports — Indicates the port for which the unregistered Multicast parameters are displayed.
• EtherChannels — Specifies the EtherChannel for which the Unregistered Multicast settings are displayed.
[Figure: Edit Unregistered Multicast Page]

STEP 3 Define the Unregistered Multicast field.

STEP 4 Click Apply. The Multicast Forward All settings are saved and the device is updated.
Configuring Spanning Tree

The Spanning Tree Protocol (STP) provides a tree topology for any arrangement of bridges. STP also provides one path between end stations on a network, eliminating loops. Loops occur when alternate routes exist between hosts. Loops in an extended network can cause bridges to forward traffic indefinitely, resulting in increased traffic and reducing network efficiency.
STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > Properties. The STP Properties Page opens:

[Figure: STP Properties Page]

The STP Properties Page contains the following fields:

Global Settings

The Global Settings area contains device-level parameters.

• Spanning Tree State — Indicates if STP is enabled on the device. The possible field values are:
  - Enable — Enables STP on the device. This is the default value.
  - Disable — Disables STP on the device.
  - Rapid STP — Enables Rapid STP on the device.
  - Multiple STP — Enables Multiple STP on the device.
• BPDU Handling — Determines how BPDU packets are managed when STP is disabled on the port or device. BPDUs are used to transmit spanning tree information. The possible field values are:
  - Filtering — Filters BPDU packets when spanning tree is disabled on an interface.
  - Flooding — Floods BPDU packets when spanning tree is disabled on an interface.
• Bridge ID — Identifies the Bridge Priority and MAC address.
• Root Bridge ID — Identifies the Root Bridge priority and MAC address.
• Root Port — Indicates the port number that offers the lowest cost path from this bridge to the Root Bridge. It is significant when the Bridge is not the Root.
• Root Path Cost — The cost of the path from this bridge to the root.
STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > Interface Settings. The STP Interface Settings Page opens:

[Figure: Interface Settings Page]

The STP Interface Settings Page contains the following fields:

• Copy From Entry Number — Indicates the port from which the STP interface settings are copied.
• To Entry Number(s) — Indicates the port to which the STP interface settings are copied.
convergence. STP convergence can take 30-60 seconds in large networks. The possible values are:
  - Enabled — Port Fast is enabled.
  - Disable — Port Fast is disabled.
  - Auto — Port Fast mode is enabled a few seconds after the interface becomes active.
• Root Guard — Prevents devices outside the network core from being assigned the spanning tree root. Root Guard may be enabled or disabled.
  - Designated — The port or EtherChannel through which the designated switch is attached to the LAN.
  - Alternate — Provides an alternate path to the root switch from the root interface.
  - Backup — Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link, or when a LAN has two or more connections connected to a shared segment.
Modifying Interface Settings

STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > Interface Settings. The Interface Settings Page opens:

STEP 2 Click the Edit button. The Edit Interface Settings Page opens:

[Figure: Edit Interface Settings Page]

The Edit Interface Settings Page contains the following fields:

• Interface — Selects the port number on which Spanning Tree is configured.
• STP — Enables or disables STP on the port.
  - Enabled — Enables Port Fast on the port.
  - Disabled — Disables Port Fast on the port.
  - Auto — Enables Port Fast mode a few seconds after the interface becomes active.
• Enable Root Guard — Prevents devices outside the network core from being assigned the spanning tree root. The possible field values are:
  - Checked — Enables Root Guard on the selected port or EtherChannel.
  - Checked — Path Cost is the default value.
  - Unchecked — Path Cost is user-defined.
• Priority — Priority value of the port. The priority value influences the port choice when a bridge has two ports connected in a loop. The priority value is between 0-240. The priority value is provided in increments of 16.
• Designated Bridge ID — Indicates the bridge priority and the MAC Address of the designated bridge.
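The Bridge ID comparison and the effect of Root Guard described above, as an added Python model (not code from this guide and not the switch's firmware). It assumes the usual Root Guard behaviour of blocking a port that receives a superior BPDU and ignores path cost; the MAC addresses, port names and bridge priorities are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BridgeId = Tuple[int, bytes]


def bridge_id(priority: int, mac: str) -> BridgeId:
    """Bridge ID = bridge priority, then MAC address. The lowest value wins root."""
    return priority, bytes.fromhex(mac.replace(":", ""))


def valid_port_priority(value: int) -> bool:
    """Port priority as the guide states it: 0-240, in increments of 16."""
    return 0 <= value <= 240 and value % 16 == 0


@dataclass
class StpPort:
    name: str
    root_guard: bool = False
    priority: int = 128
    state: str = "forwarding"

    def __post_init__(self) -> None:
        if not valid_port_priority(self.priority):
            raise ValueError(f"{self.name}: priority must be 0-240 in steps of 16")


class Bridge:
    """Tracks only which bridge this switch currently believes is the root."""

    def __init__(self, priority: int, mac: str, ports: List[StpPort]) -> None:
        self.bridge_id = bridge_id(priority, mac)
        self.root_id = self.bridge_id          # a bridge starts out as its own root
        self.root_port: Optional[str] = None
        self.ports: Dict[str, StpPort] = {p.name: p for p in ports}

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId) -> str:
        port = self.ports[port_name]
        if advertised_root >= self.root_id:
            return "no-change"                 # not superior to the known root
        if port.root_guard:
            # Assumed behaviour: the guarded port is blocked, the root is kept.
            port.state = "blocked"
            return "blocked-by-root-guard"
        self.root_id = advertised_root
        self.root_port = port_name
        return "root-changed"


# Constructed values: a core switch and an unexpected device on a desktop port.
CORE = bridge_id(4096, "00:00:5e:00:53:01")
UNEXPECTED = bridge_id(0, "00:00:5e:00:53:ff")


def run_scenario(root_guard_on_edge: bool):
    """Uplink g1 hears the core; desktop port e5 then hears a lower Bridge ID."""
    sw = Bridge(32768, "00:00:5e:00:53:10",
                [StpPort("g1"), StpPort("e5", root_guard=root_guard_on_edge)])
    events = [sw.receive_bpdu("g1", CORE), sw.receive_bpdu("e5", UNEXPECTED)]
    return events, sw.root_id, sw.ports["e5"].state


if __name__ == "__main__":
    for guard in (True, False):
        print("root guard on e5 =", guard, "->", run_scenario(guard))
```

Without Root Guard on the desktop port, the switch accepts the lower Bridge ID and moves its root port to e5; with it, the root learned from the uplink is kept.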
STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > RSTP. The RSTP Page opens:

[Figure: RSTP Page]

The RSTP Page contains the following fields:

• Copy From Entry Number — Indicates the port from which the STP interface settings are copied.
• To Entry Number(s) — Indicates the port to which the STP interface settings are copied.
• Ports or EtherChannels Radio Buttons — Indicates the port for which the STP settings are displayed.
  - Designated — Indicates the port or EtherChannel via which the designated switch is attached to the LAN.
  - Alternate — Provides an alternate path to the root switch from the root interface.
  - Backup — Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link.
• Point-to-Point Operational Status — Indicates the Point-to-Point operating state. The possible values are:
  - Enable — Enables Point-to-Point on the interface.
  - Disable — Disables Point-to-Point on the interface.
• Activate Protocol Migration — Click the Activate button to run a Protocol Migration Test. The test identifies the STP mode of the interface connected to the selected interface.

STEP 2 Define the relevant fields.
• Role — Indicates the port role assigned by the STP algorithm in order to provide STP paths. The possible field values are:
  - Root — Provides the lowest cost path to forward packets to the root switch.
  - Designated — Indicates the port or EtherChannel via which the designated switch is attached to the LAN.
  - Alternate — Provides an alternate path to the root switch from the root interface.
  - Forwarding — Indicates that the port is in Forwarding mode. The port can forward traffic and learn new MAC addresses.
• Point-to-Point Admin Status — Indicates whether a point-to-point link is established on the port. Ports defined as Full Duplex are considered Point-to-Point port links. The possible field values are:
  - Enable — Device establishes point-to-point, full duplex links.
  - Disable — Device establishes shared, half duplex links.
• Defining MSTP Interface Settings

Defining MSTP Properties

The MSTP Properties Page contains information for defining global MSTP settings, including region names, MSTP revisions, and maximum hops. To define MSTP:

STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > MSTP > Properties.
information is aged out. The possible field range is 1-40. The field default is 20 hops.
• IST Master — Identifies the region’s master.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The MSTP properties are defined, and the device is updated.

Defining MSTP Instance to VLAN

MSTP maps VLANs into STP instances. Packets assigned to various VLANs are transmitted along different paths within Multiple Spanning Tree Regions (MST Regions).
STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > MSTP > Instance to VLAN. The Instance to VLAN Page opens:

[Figure: Instance to VLAN Page]

The Instance to VLAN Page contains the following fields:

• VLAN — Indicates the VLAN for which the MSTP instance ID is defined.
• Instance ID (0-15) — Indicates the MSTP instance ID assigned to the VLAN. The possible field range is 0-15.

STEP 2 Map the VLANs to Instance IDs.

STEP 3 Click Apply.
Defining MSTP Instance Settings

MSTP maps VLANs into STP instances. Packets assigned to various VLANs are transmitted along different paths within Multiple Spanning Tree Regions (MST Regions). Regions are one or more Multiple Spanning Tree bridges by which frames can be transmitted. In configuring MSTP, the MST region to which the device belongs is defined. A configuration consists of the name, revision, and region to which the device belongs.
• Designated Root Bridge ID — Indicates the priority and MAC address of the bridge with the lowest path cost to the instance ID.
• Root Port — Indicates the selected instance’s root port.
• Root Path Cost — Indicates the selected instance’s path cost.
• Bridge ID — Indicates the priority and MAC address of the selected instance.
• Remaining Hops — Indicates the number of hops remaining to the next destination.
STEP 1 Click VLAN & Port Settings > Spanning Tree (STP) > MSTP > Interface Settings. The MSTP Interface Settings Page opens:

[Figure: MSTP Interface Settings Page]

The MSTP Interface Settings Page contains the following fields:

• Instance ID — Lists the MSTP instances configured on the device. Possible field range is 1-15.
• Interface — Displays the interface for which the MSTP settings are displayed.
- Listening — Indicates that the port is in Listening mode. The port can neither forward traffic nor learn MAC addresses.
- Learning — Indicates that the port is in Learning mode. The port cannot forward traffic; however, it can learn new MAC addresses.
- Forwarding — Indicates that the port is in Forwarding mode. The port can forward traffic and learn new MAC addresses.
• Interface Priority — Defines the interface priority for the specified instance. The priority value is between 0-240. The priority value is provided in increments of 16. The default value is 128.
• Path Cost — Indicates the port contribution to the Spanning Tree instance. The range is 1-200,000,000.
• Designated Bridge ID — Indicates the bridge ID number that connects the link or shared LAN to the root.
MSTP Interface Table Page
The MSTP Interface Table Page contains the following fields:
• Instance — Defines the VLAN group to which the interface is assigned.
• Interface — Indicates the port or EtherChannel for which the MSTP settings are displayed.
• Role — Indicates the port role assigned by the STP algorithm in order to provide STP paths.
when a LAN has two or more connections connected to a shared segment.
- Disabled — Indicates the port is not participating in the Spanning Tree.
• Mode — Indicates the current Spanning Tree mode. The possible field values are:
- STP — Indicates that Classic STP is enabled on the device.
- RSTP — Indicates that Rapid STP is enabled on the device.
- MSTP — Indicates that MSTP is enabled on the port.
- Forwarding — Indicates that the port is in Forwarding mode. The port can forward traffic and learn new MAC addresses.
• Designated Cost — Indicates that the default path cost is assigned according to the method selected on the Spanning Tree Global Settings page.
• Designated Bridge ID — Indicates the bridge ID number that connects the link or shared LAN to the root.
Configuring Quality of Service
Network traffic is usually unpredictable, and the only basic assurance that can be offered is best effort traffic delivery. To overcome this challenge, Quality of Service (QoS) is applied throughout the network. This ensures that network traffic is prioritized according to specified criteria, and that specific traffic receives preferential treatment.
Managing QoS Statistics
• Traffic Classification — Classifies each incoming packet as belonging to a given traffic class, based on the packet contents and/or the context.
• Assignment to Hardware Queues — Assigns incoming packets to forwarding queues. Packets are sent to a particular queue for handling as a function of the traffic class to which they belong, as defined by the classification mechanism.
STEP 1 Click Quality of Service > QoS Statistics > Policer Statistics. The Policer Statistics Page opens:
Policer Statistics Page
The Policer Statistics Page contains the following fields:
• Interface — Displays the interface (port or EtherChannel) for which Policer statistics are displayed.
• Policy — Displays the policy for which the statistics are displayed.
• Class Map — Displays the class map for which the statistics are displayed.
The Add Policer Statistics Page contains the following fields:
• Interface — Select either the Port or EtherChannel radio button to select the interface.
• Policy Name — Select the Policy Name from the pull-down list.
• Class Map Name — Select the Class Map Name from the pull-down list.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The Policer Statistics are defined, and the device is updated.
STEP 1 Click Quality of Service > QoS Statistics > Aggregate Policer. The Aggregate Policer Page opens:
Aggregate Policer Page
The Aggregate Policer Page contains the following fields:
• Aggregate Policer Name — Indicates the port or EtherChannel on which the packets were received.
• In-profile Bytes — Displays the total number of in-profile packets that were received.
STEP 2 Click the Add button. The Add Aggregate Policer Page opens. The Add Aggregate Policer Page includes one field: the Aggregate Policer Name.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The Aggregate Policer is defined, and the device is updated.
Resetting Aggregate Policer Statistics Counters
STEP 1 Click Quality of Service > QoS Statistics > Aggregate Policer. The Aggregate Policer Statistics Page opens:
STEP 2 Click Clear Counters. The Aggregate Policer statistics counters are cleared.

Queues Statistics
The Queues Statistics Page contains parameters for viewing queue statistics, including statistics for forwarded and dropped packets based on interface, queue, and drop precedence.
STEP 1 Click Quality of Service > QoS Statistics > Queues Statistics. The Queues Statistics Page opens:
Queues Statistics Page
The Queues Statistics Page contains the following fields:
• Set — Displays the counter set. The possible field values are:
- 1 — Displays the statistics for Set 1. Set 1 contains all interfaces and all queues with a high DP.
- 2 — Displays the statistics for Set 2.
STEP 2 Click the Add button. The Add Queues Statistics Page opens.

Adding Queues Statistics
The Add Queues Statistics Page contains the following fields:
• Select Counter Set — Selects the counter set.
• Interface — Defines the ports for which statistics are displayed. The possible field values are:
- Port — Selects the port for which statistics are displayed.
- All Ports — Specifies that statistics are displayed for all ports.
Defining General Settings
The QoS General Settings section contains the following pages:
• Defining CoS
• Defining QoS Queue
• Mapping CoS to Queue
• Mapping DSCP to Queue
• Configuring Bandwidth
• VLAN Rate Limit

Defining CoS
The CoS Page contains fields for enabling or disabling CoS (Basic or Advanced mode). In addition, the default CoS for each port or EtherChannel is definable.
STEP 1 Click Quality of Service > General > CoS. The CoS Page opens:
CoS Page
The CoS Page contains the following fields:
• QoS Mode — Indicates if QoS is enabled on the device. The possible values are:
- Advanced — Enables Advanced mode QoS on the device.
- Basic — Enables QoS on the device.
- Disable — Disables QoS on the device.
• Ports — Indicates that the CoS configuration of the ports is described in the page.
• Restore Defaults — Restores the factory CoS default settings to the selected port.
- Checked — Restores the factory QoS default settings to ports after clicking the Apply button.
- Unchecked — Maintains the current QoS settings.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The QoS Mode is defined, and the device is updated.

Modifying Interface Priorities
STEP 1 Click Quality of Service > General > CoS.
Defining QoS Queue
The Queue Page contains fields for defining the QoS queue forwarding types.
STEP 1 Click Quality of Service > General > Queue.
Queue Page (Gigabit devices)
The Queue Page contains the following fields:
• Fast Ethernet — Select whether traffic scheduling on Fast Ethernet interfaces is based on either Strict Priority or WRR. This field is applicable to FE devices only (not applicable to ESW 520-8P devices). The possible field values are:
- Strict Priority — Indicates that traffic scheduling for the selected queue is based strictly on the queue priority.
• Giga Ethernet — Enables configuring traffic scheduling on GE interfaces. This field heading is applicable to FE devices only. The fields below are applicable to both FE and GE devices.
• Queue — Displays the queue for which the queue settings are displayed for GE interfaces. The possible field range is 1 - 4.
• Strict Priority — Indicates that traffic scheduling for the selected queue is based strictly on the queue priority.
STEP 1 Click Quality of Service > General > CoS to Queue. The CoS to Queue Page opens:
CoS to Queue Page
The CoS to Queue Page contains the following fields:
• Restore Defaults — Restores all queues to the default CoS settings. The possible field values are:
- Checked — Restores all queues to the default CoS settings.
- Unchecked — Maintains the CoS settings currently defined.
Mapping DSCP to Queue
The DSCP to Queue Page enables mapping DSCP values to specific queues. To map DSCP to Queues:
STEP 1 Click Quality of Service > General > DSCP to Queue. The DSCP to Queue Page opens:
DSCP to Queue Page
The DSCP to Queue Page contains the following fields:
• DSCP In — Indicates the Differentiated Services Code Point (DSCP) value in the incoming packet.
Configuring Bandwidth
The Bandwidth Page allows network managers to define the bandwidth settings for specified egress and ingress interfaces. Rate Limits and Shaping are defined per interface:
• Rate Limit sets the maximum bandwidth allowed on ingress interfaces.
• Shaping Rate sets the maximum bandwidth allowed on egress interfaces. On GE ports, traffic shape for burst traffic (CbS) can also be defined.
• Ingress Rate Limit — Indicates the traffic limit for ingress interfaces. The possible field values are:
- Status — Enables or disables rate limiting for ingress interfaces. Disable is the default value.
- Rate Limit — Defines the rate limit for ingress ports. Defines the amount of bandwidth assigned to the interface. For FE ports, the rate is 62 - 100,000 Kbps. For GE ports, the rate is 62 - 1,000,000 Kbps.
Edit Bandwidth Page
The Edit Bandwidth Page contains the following fields:
• Interface — Indicates whether the interface, for which bandwidth settings are edited, is a port or an EtherChannel.
• Enable Egress Shaping Rate — Indicates if shaping is enabled on the interface. The possible field values are:
- Checked — Enables egress shaping on the interface.
- Unchecked — Disables egress shaping on the interface.
For FE ports, the rate is 62 - 100,000 Kbps. For GE ports, the rate is 62 - 1,000,000 Kbps.
STEP 4 Modify the relevant fields.
STEP 5 Click Apply. The bandwidth settings are modified, and the device is updated.

Configuring VLAN Rate Limit
Rate limiting per VLAN allows network administrators to limit traffic on VLANs. Rate limiting is calculated separately for each packet processor in a unit. QoS rate limiting has priority over VLAN rate limiting.
• VLAN – Indicates the VLAN on which the Rate Limit is applied.
• Rate Limit – Defines the maximum rate (CIR) in kbits per second (bps) that forwarding traffic is permitted in the VLAN.
• Burst Size – Defines the maximum burst size (CbS) in bytes that forwarding traffic is permitted through the VLAN.
STEP 2 Click the Add button.
Defining Advanced QoS Mode
Modifying the VLAN Rate Limit
STEP 1 Click Quality of Service > General > VLAN Rate Limit. The VLAN Rate Limit Page opens:
STEP 2 Click the Edit button. The VLAN Rate Limit Page opens:
Edit VLAN Rate Limit Page
The VLAN Rate Limit Page contains the following fields:
• VLAN ID – Defines the VLAN on which to apply the Rate Limit.
CCLs are set according to the classification defined in the ACL, and they cannot be defined until a valid ACL is defined. When CCLs are defined, ACLs and CCLs can be grouped together in a more complex structure, called policies. Policies can be applied to an interface. Policy ACLs/CCLs are applied in the sequence they appear within the policy. Only a single policy can be attached to a port.
STEP 1 Click Quality of Service > Advanced Mode > DSCP Mapping. The DSCP Mapping Page opens:
DSCP Mapping Page
The DSCP Mapping Page contains the following fields:
• DSCP In — Indicates the DSCP value in the incoming packet which will be mapped to an outgoing packet.
• DSCP Out — Sets a mapped DSCP value in the outgoing packet for the corresponding incoming packet.
STEP 2 Define the relevant mapping.
STEP 3 Click Apply.
Defining Class Mapping
The Class Mapping Page contains parameters for defining class maps. One IP ACL and/or one MAC ACL comprise a class map. Class maps are configured to match packet criteria, and are matched to packets on a first-fit basis. For example, Class Map A is assigned to packets based only on an IP-based ACL or a MAC-based ACL. Class Map B is assigned to packets based on both an IP-based and a MAC-based ACL.
- AND — Both the ACL 1 and the IP-based ACL 2 must match a packet.
- OR — Either the ACL 1 or the ACL 2 must match a packet.
• ACL 2 — Contains a list of the user-defined ACLs.
STEP 2 Click the Add button. The Add QoS Class Map Page opens:
Add QoS Class Map Page
The Add QoS Class Map Page contains the following fields.
- MAC Based ACLs — Matches packets to MAC based ACLs first, then matches packets to IP based ACLs.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. QoS mapping is added, and the device is updated.

Defining Aggregate Policer
A policy is a collection of classes, each of which is a combination of a class map and a QoS action to apply to matching traffic. Classes are applied in a first-fit manner within a policy.
STEP 1 Click Quality of Service > Advanced Mode > Aggregate Policer. The Aggregate Policer Page opens:
Aggregate Policer Page
The Aggregate Policer Page contains the following fields.
• Aggregate Policer Name — Specifies the Aggregate Policer Name.
• Ingress CIR — Defines the Committed Information Rate (CIR) in Kbits per second.
• Ingress CbS — Defines the Committed Burst Size (CbS) in bytes per second.
Add QoS Aggregate Policer Page
The Add QoS Aggregate Policer Page contains the following fields.
• Aggregate Policer Name — Specifies the Aggregate Policer Name.
• Ingress Committed Information Rate (CIR) — Defines the CIR in Kbits per second.
• Ingress Committed Burst Size (CbS) — Defines the CbS in bytes per second.
• Exceed Action — Action assigned to incoming packets exceeding the CIR.
Edit QoS Aggregate Policer Page
The Edit QoS Aggregate Policer Page contains the following fields.
• Aggregate Policer Name — Specifies the Aggregate Policer Name.
• Ingress Committed Information Rate (CIR) — Defines the CIR in Kbits per second.
• Ingress Committed Burst Size (CbS) — Defines the CbS in bytes per second.
• Exceed Action — Action assigned to incoming packets exceeding the CIR.
STEP 1 Click Quality of Service > Advanced Mode > Policy Table. The Policy Table Page opens:
Policy Table Page
The Policy Table Page contains the following field:
• Policy Name — Displays the user-defined policy name.
STEP 2 Click the Add button.
Add QoS Policy Profile Page
The Add QoS Policy Profile Page contains the following fields.
• New Policy Name — Specifies the user-defined policy name.
• Class Map — Selects the user-defined class maps which can be associated with the policy.
• Action — Defines the action attached to the rule. The possible field value is:
• Trust CoS-DSCP — Determines the queue to which the packet is assigned dependent on the CoS tag and DSCP tag.
different ports can be configured for policing purposes. An aggregate policer can be applied to multiple classes in the same policy map, but cannot be used across different policy maps.
- Single — Configures the class to use manually configured information rates and exceed actions.
• Aggregate Policer — Specifies the Aggregate Policer Name.
• Ingress Committed Information Rate (CIR) — Defines the CIR in Kbps.
Edit QoS Policy Profile Page
The Edit QoS Policy Profile Page contains the following fields.
• Policy Name — Displays the user-defined policy name.
• Class Map — Displays the user-defined name of the class map.
• Action — Defines the action attached to the rule. The possible field value is:
• Trust CoS-DSCP — Determines the queue to which the packet is assigned dependent on the CoS tag and DSCP tag.
• Type — Policer type for the policy. Possible values are:
- Aggregate — Configures the class to use a configured aggregate policer selected from the drop-down list. An aggregate policer is defined if the policer is shared with multiple classes. Traffic from two different ports can be configured for policing purposes. An aggregate policer can be applied to multiple classes in the same policy map, but cannot be used across different policy maps.
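The difference between the Aggregate and Single policer types can be seen with a small token-bucket model. This is an added example, not code from the guide or the switch: the token-bucket behaviour, a "drop" exceed action, the class names and the constructed traffic are assumptions, and CbS is treated as a bucket size in bytes.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket: CIR in Kbps, CbS in bytes (assumed model)."""
    cir_kbps: int
    cbs_bytes: int
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = float(self.cbs_bytes)      # bucket starts full

    def conforms(self, now_ms: int, size: int) -> bool:
        # Kbit/s divided by 8 gives bytes per millisecond.
        refill = (now_ms - self.last_ms) * (self.cir_kbps / 8.0)
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True                          # in-profile
        return False                             # exceeds CIR: assumed action is drop


def constructed_traffic():
    """Constructed sample: one second of traffic as (time_ms, class, bytes)."""
    bulk = [(t, "bulk", 200) for t in range(1000)]          # 200,000 bytes/s
    voice = [(t, "voice", 200) for t in range(0, 1000, 20)]  # 10,000 bytes/s
    # Stable sort keeps bulk ahead of voice when both arrive in the same ms.
    return sorted(bulk + voice, key=lambda e: e[0])


def simulate(events, policer_for):
    """Return per-class in-profile and out-of-profile byte counters."""
    stats = {}
    for now_ms, cls, size in events:
        counters = stats.setdefault(cls, {"in_profile": 0, "out_of_profile": 0})
        ok = policer_for[cls].conforms(now_ms, size)
        counters["in_profile" if ok else "out_of_profile"] += size
    return stats


def compare(cir_kbps=800, cbs_bytes=10000):
    events = constructed_traffic()
    # Type "Single": each class is policed against its own rate and burst.
    single = simulate(events, {"bulk": Policer(cir_kbps, cbs_bytes),
                               "voice": Policer(cir_kbps, cbs_bytes)})
    # Type "Aggregate": both classes draw from one shared bucket.
    shared = Policer(cir_kbps, cbs_bytes)
    aggregate = simulate(events, {"bulk": shared, "voice": shared})
    return single, aggregate


if __name__ == "__main__":
    single, aggregate = compare()
    print("single   :", single)
    print("aggregate:", aggregate)
```

With the shared bucket, the class that sends at twice the CIR consumes the burst allowance and the well-behaved class loses most of its packets, which matters when choosing which classes share an aggregate policer.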
STEP 1 Click Quality of Service > Advanced Mode > Policy Binding. The Policy Binding Page opens:
Policy Binding Page
The Policy Binding Page contains the following fields:
• Interface — Displays the interface to which the entry refers.
• Policy Name — Displays a Policy name associated with the interface.
STEP 2 Click the Add button.
Add QoS Policy Binding Page
The Add QoS Policy Binding Page contains the following fields.
• Interface — Select either the Port or EtherChannel radio button to select the interface.
• Policy Name — Select a Policy to associate with the interface.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The QoS Policy Binding is defined, and the device is updated.
• Interface — Displays the interface to which the entry refers.
• Policy Name — Displays the Policy name associated with the interface.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The QoS policy binding is modified, and the device is updated.

Defining QoS Basic Mode
The Basic Mode Page contains information for enabling Trust on the device. Packets entering a QoS domain are classified at the edge of the QoS domain.
• Trust Mode — Displays the trust mode. If a packet’s CoS tag and DSCP tag are mapped to different queues, the Trust Mode determines the queue to which the packet is assigned. Possible values are:
- CoS — Sets trust mode to CoS on the device. The CoS mapping determines the packet queue.
- DSCP — Sets trust mode to DSCP on the device. The DSCP mapping determines the packet queue.
DSCP Mapping Page
The DSCP Mapping Page contains the following fields:
• DSCP In — Indicates the DSCP value in the incoming packet.
• DSCP Out — Indicates the DSCP value in the outgoing packet.
STEP 3 Define the DSCP mappings.
STEP 4 Click Apply. The DSCP mappings are defined, and the device is updated.
Configuring SNMP
The Simple Network Management Protocol (SNMP) provides a method for managing network devices.

SNMP Versions
The device supports the following SNMP versions:

SNMP v1 and v2
SNMP agents maintain a list of variables that are used to manage the device. The variables are defined in the Management Information Base (MIB). The MIB presents the variables controlled by the agent.
• Security
• Feature Access Control
• Traps
The device generates the following trap:
• Copy trap
The SNMP section contains the following topics:
• Configuring SNMP Security
• Defining Trap Management

Configuring SNMP Security
The Security section contains the following topics:
• Defining the SNMP Engine ID
• Defining SNMP Views
• Defining SNMP Users
• Define SNMP Groups
• Defining SNMP Communities

Defining the SNMP Engine ID
The Engine ID
STEP 1 Click Monitor & Device Properties > SNMP > Security > Engine ID. The Engine ID Page opens:
Engine ID Page
The Engine ID Page contains the following fields.
• Local Engine ID (10-64 Hex characters) — Indicates the local device engine ID. The field value is a hexadecimal string. Each byte in hexadecimal character strings consists of two hexadecimal digits.
• Use Default — Uses the device generated Engine ID.
STEP 3 Click Apply. The SNMP Engine ID is defined, and the device is updated.

Defining SNMP Views
SNMP Views provide access or block access to device features or feature aspects. For example, a view displays that the SNMP Group A has Read Only (R/O) access to Multicast groups, while SNMP Group B has Read-Write (R/W) access to Multicast groups. Feature access is granted via the MIB name, or MIB Object ID.
• Object ID Subtree — Indicates the device feature OID that is included or excluded in the selected SNMP view.
• View Type — Indicates whether the defined OID branch is included or excluded in the selected SNMP view.
STEP 2 Click the Add button. The Add SNMP View Page opens:
Add SNMP View Page
The Add SNMP View Page contains parameters for defining and configuring a new SNMP view.
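How included and excluded Object ID subtrees combine into one view can be checked offline before a view is attached to a group or community. This is an added example, not code from the guide: it assumes the standard view-based access control rule that the longest matching subtree decides (subtree masks are not modelled), and the view contents are constructed samples.

```python
def parse_oid(text):
    """Turn '1.3.6.1.2.1' (leading dot allowed) into a tuple of integers."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(view, oid):
    """Return True when `oid` is visible through `view`.

    `view` is a list of (object_id_subtree, view_type) pairs with view_type
    "included" or "excluded". The longest matching subtree wins; an OID that
    matches no subtree is not in the view.
    """
    target = parse_oid(oid)
    best_len, best_type = -1, "excluded"
    for subtree, view_type in view:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_type = len(prefix), view_type
    return best_type == "included"


# Standard subtrees that hold SNMP's own security configuration.
SENSITIVE = {
    "snmpUsmMIB": "1.3.6.1.6.3.15",        # SNMPv3 user table
    "snmpVacmMIB": "1.3.6.1.6.3.16",       # groups, access and view tables
    "snmpCommunityMIB": "1.3.6.1.6.3.18",  # community strings
}


def exposed_sensitive(view):
    """List sensitive subtrees that the view exposes in whole or in part."""
    exposed = []
    for name, root in SENSITIVE.items():
        root_oid = parse_oid(root)
        # An "included" entry at or below the root re-opens part of it even
        # when a shorter "excluded" entry covers the root itself.
        reopened = any(
            view_type == "included"
            and parse_oid(subtree)[:len(root_oid)] == root_oid
            for subtree, view_type in view
        )
        if in_view(view, root) or reopened:
            exposed.append(name)
    return exposed


# Constructed sample views.
OPEN_VIEW = [("1.3.6.1", "included")]
HARDENED_VIEW = [("1.3.6.1", "included"), ("1.3.6.1.6.3", "excluded")]
REOPENED_VIEW = HARDENED_VIEW + [("1.3.6.1.6.3.18.1", "included")]

if __name__ == "__main__":
    for label, view in (("open", OPEN_VIEW), ("hardened", HARDENED_VIEW),
                        ("reopened", REOPENED_VIEW)):
        print(label, exposed_sensitive(view))
```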
Defining SNMP Users
The SNMP Users Page provides information for creating SNMP users, and assigning SNMP access control privileges to SNMP users. Groups allow network managers to assign access rights to specific device features, or feature aspects.
STEP 1 Click Monitor & Device Properties > SNMP > Security > Users. The SNMP Users Page opens:
SNMP Users Page
The SNMP Users Page contains the following fields.
• Authentication — Indicates the Authentication method used.
STEP 2 Click the Add button. The Add SNMP Group Membership Page opens:
Add SNMP Group Membership Page
The Add SNMP Group Membership Page provides information for assigning SNMP access control privileges to SNMP groups. The Add SNMP Group Membership Page contains the following fields.
• User Name — Provides a user-defined local user list.
- SHA Password — Users should enter a password that is encrypted using the HMAC-SHA-96 authentication method.
- None — No user authentication is used.
• Password — Define the local user password. Local user passwords can contain up to 159 characters. This field is available if the Authentication Method is a password.
• Authentication Key — Defines the HMAC-MD5-96 or HMAC-SHA-96 authentication level.
• Group Name — SNMP group, which can be chosen from the list, to which the SNMP user belongs. SNMP groups are defined in the SNMP Group Profile page.
• Authentication Method — Indicates the Authentication method used. The possible field values are:
- MD5 Key — Users are authenticated using a valid HMAC-MD5 key.
- SHA Key — Users are authenticated using a valid HMAC-SHA-96 key.
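The relationship between a user password, the Local Engine ID and the MD5 or SHA authentication key can be reproduced with the standard SNMPv3 User-based Security Model derivation (RFC 3414). This is an added example, not code from the guide or the switch firmware: it assumes the device follows that standard, and the password, engine IDs and message bytes are constructed samples.

```python
import hashlib
import hmac
import string

DIGESTS = {"MD5": "md5", "SHA": "sha1"}   # HMAC-MD5-96 and HMAC-SHA-96


def parse_engine_id(hex_text):
    """Apply the Engine ID Page limits: 10-64 hex characters, two per byte."""
    if not 10 <= len(hex_text) <= 64:
        raise ValueError("engine ID must be 10-64 hex characters")
    if len(hex_text) % 2 or any(c not in string.hexdigits for c in hex_text):
        raise ValueError("engine ID must be whole bytes of hex digits")
    return bytes.fromhex(hex_text)


def password_to_key(password, method):
    """Hash the password repeated to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    data = password.encode()
    if not data:
        raise ValueError("password must not be empty")
    repeats, rest = divmod(1048576, len(data))
    return hashlib.new(DIGESTS[method], data * repeats + data[:rest]).digest()


def localized_key(password, engine_hex, method):
    """Bind the password-derived key to one engine ID: H(Ku + engineID + Ku)."""
    ku = password_to_key(password, method)
    engine_id = parse_engine_id(engine_hex)
    return hashlib.new(DIGESTS[method], ku + engine_id + ku).digest()


def auth_tag(key, message, method):
    """The '-96' in the method names: the HMAC is truncated to 96 bits."""
    return hmac.new(key, message, DIGESTS[method]).digest()[:12]


def verify(key, message, tag, method):
    return hmac.compare_digest(auth_tag(key, message, method), tag)


def engine_id_change_demo():
    """Show that a key localized to one engine ID fails against another."""
    password = "maplesyrup"                   # sample password from RFC 3414
    old_engine = "000000000000000000000002"   # sample engine ID from RFC 3414
    new_engine = "800000090300aabbccddeeff"   # constructed engine ID
    message = b"constructed SNMPv3 message bytes"
    old_key = localized_key(password, old_engine, "SHA")
    new_key = localized_key(password, new_engine, "SHA")
    tag = auth_tag(old_key, message, "SHA")
    return verify(old_key, message, tag, "SHA"), verify(new_key, message, tag, "SHA")


if __name__ == "__main__":
    print(localized_key("maplesyrup", "000000000000000000000002", "MD5").hex())
    print(engine_id_change_demo())
```

Because the key is derived from the engine ID, keys configured for one Local Engine ID stop authenticating once that ID is changed.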
STEP 1 Click Monitor & Device Properties > SNMP > Security > Groups. The SNMP Groups Page opens:
SNMP Groups Page
The SNMP Groups Page contains the following fields:
• Group Name — Displays the user-defined group to which privileges are applied.
• Security Model — Defines the SNMP version attached to the group. The possible field values are:
- SNMPv1 — SNMPv1 is defined for the group.
- SNMPv2 — SNMPv2 is defined for the group.
- Privacy — Encrypts SNMP messages.
• Operation — Defines the group access rights, which are per view. The possible field values are:
- Read — The management access is restricted to read-only, and changes cannot be made to the assigned SNMP view.
- Write — The management access is read-write and changes can be made to the assigned SNMP view.
- Notify — Sends traps for the assigned SNMP view.
STEP 2 Click the Add button.
- No Authentication — Neither the Authentication nor the Privacy security levels are assigned to the group.
- Authentication — Authenticates SNMP messages, and ensures the SNMP messages origin is authenticated.
- Privacy — Encrypts SNMP messages.
• Operation — Defines the group access rights, which are per view. The possible field values are:
- Default — Defines the default group access rights.
• Group Name — Displays the user-defined group to which access control rules are applied. The field range is up to 30 characters.
• Security Model — Defines the SNMP version attached to the group. The possible field values are:
- SNMPv1 — SNMPv1 is defined for the group.
- SNMPv2 — SNMPv2 is defined for the group.
- SNMPv3 — SNMPv3 is defined for the group.
• Security Level — Defines the security level attached to the group.
To define SNMP Communities:
STEP 1 Click Monitor & Device Properties > SNMP > Security > Communities. The SNMP Communities Page opens:
SNMP Communities Page
The SNMP Communities Page is divided into the following tables:
• Basic Table
• Advanced Table
The SNMP Communities Basic Table area contains the following fields:
• Management Station — Displays the management station IP address for which the basic SNMP community is defined.
• Management Station — Displays the management station IP address for which the Advanced SNMP community is defined.
• Community String — Displays the password used to authenticate the management station to the device.
• Group Name — Displays advanced SNMP communities group name.
STEP 2 Click the Add button. The Add SNMP Community Page opens.
• Access Mode — Defines the access rights of the community. The possible field values are:
- Read Only — Management access is restricted to read-only, and changes cannot be made to the community.
- Read Write — Management access is read-write and changes can be made to the device configuration, but not to the community.
- SNMP Admin — User has access to all device configuration options, as well as permissions to modify the community.
Defining Trap Management
• Community String — Defines the password used to authenticate the management station to the device. Configure either the Basic Mode or the Advanced Mode.
• Basic — Enables SNMP Basic mode for a selected community and contains the following fields:
• Access Mode — Defines the access rights of the community. The possible field values are:
- Read Only — Management access is restricted to read-only, and changes cannot be made to the community.
STEP 1 Click Monitor & Device Properties > SNMP > Trap Management > Trap Settings. The Trap Settings Page opens:
Trap Settings Page
The Trap Settings Page contains the following fields:
• Enable SNMP Notification — Specifies whether the device can send SNMP notifications. The possible field values are:
- Checked — Enables SNMP notifications.
- Unchecked — Disables SNMP notifications.
Configuring Station Management
The Station Management Page contains information for defining filters that determine whether traps are sent to specific users, and the trap type sent. SNMP notification filters provide the following services:
• Identifying Management Trap Targets
• Trap Filtering
• Selecting Trap Generation Parameters
• Providing Access Control Checks
Traps indicating status changes are issued by the switch to specified trap managers.
The SNMPv1,2 Notification Recipient table area contains the following fields:
• Recipients IP — Indicates the IP address to which the traps are sent.
• Notification Type — Defines the notification sent. The possible field values are:
- Trap — Indicates traps are sent.
- Inform — Indicates informs are sent.
• Community String — Identifies the community string of the trap manager.
• Notification Version — Determines the trap type.
• UDP Port — Displays the UDP port used to send notifications. The default is 162.
• Filter Name — Defines if the SNMP filter for which the SNMP Notification filter is defined.
• Timeout — Indicates the amount of time (seconds) the device waits before resending informs. The default is 15 seconds.
• Retries — Indicates the number of times the device re-sends an inform request. The default is 3 attempts.
STEP 2 Click the Add button.
• Providing Access Control Checks
The Add SNMP Notification Recipient Page contains the following fields:
• Recipient IP Address — Indicates the IP address to which the traps are sent.
• Notification Type — Defines the notification sent. The possible field values are:
- Trap — Indicates traps are sent.
- Inform — Indicates informs are sent.
Either SNMPv1,2 or SNMPv3 may be used as the version of traps, with only one version enabled at a single time.
• Filter Name — Defines if the SNMP filter for which the SNMP Notification filter is defined.
• Timeout — Indicates the amount of time (seconds) the device waits before resending informs. The default is 15 seconds.
• Retries — Indicates the number of times the device re-sends an inform request. The default is 3 attempts.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The SNMP Notification Recipient settings are defined, and the device is updated.
Edit SNMP Notification Recipient Page
The Edit SNMP Notification Recipient Page contains the following fields:
• Recipient IP Address — Indicates the IP address to which the traps are sent.
• Notification Type — Defines the notification sent. The possible field values are:
- Trap — Indicates traps are sent.
- Inform — Indicates informs are sent.
Either SNMPv1,2 or SNMPv3 may be used as the version of traps, with only one version enabled at a single time.
- SNMP V1 — Indicates SNMP Version 1 traps are sent.
- SNMP V2 — Indicates SNMP Version 2 traps are sent.
The SNMPv3 Notification Recipient area contains the following fields:
• SNMPv3 — Enables SNMPv3 as the Notification version. If SNMPv3 is enabled, the User Name and Security Level fields are enabled for configuration:
• User Name — Defines the user to whom SNMP notifications are sent.
STEP 1 Click Monitor & Device Properties > SNMP > Trap Management > Filter Settings. The Filter Settings Page opens:
Filter Settings Page
The Filter Settings Page contains the following fields:
• Filter Name — Contains a list of user-defined notification filters.
• Object ID Subtree — Displays the OID for which notifications are sent or blocked. If a filter is attached to an OID, traps or informs are generated and sent to the trap recipients.
Add SNMP Notification Filter Page
The Add SNMP Notification Filter Page contains the following fields:
• Filter Name — Defines notification filters.
• New Object Identifier Tree — Displays the OID for which notifications are sent or blocked. If a filter is attached to an OID, traps or informs are generated and sent to the trap recipients. Object IDs are selected from either the Select from List or the Object ID List.
Managing Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol that enables devices to advertise their existence to other devices by sending out periodic updates to a Multicast address. In addition, CDP allows devices to receive information about other devices on the same LAN or on the remote WAN side. The system supports CDP versions 1 and 2.
• Device ID — Indicates the device ID TLV which is advertised by neighboring devices.
• Local Interface — Indicates the receiving port number.
• Advertise Version — Indicates the CDP version advertised by the neighboring device.
• Time to Live — Indicates the amount of time in seconds before the neighboring device CDP information is aged out. The field default is 180 seconds.
STEP 1 Click Monitor & Device Properties > CDP. The CDP Page opens:
STEP 2 Click Details. The CDP Neighbor Details Page opens:

CDP Neighbor Details Page
In addition to the fields in the CDP Page, the CDP Neighbor Details Page contains the following additional fields:
• IP Address — Indicates the address TLV advertised by the neighboring port.
• Interface — Indicates the interface type advertised by the neighboring port.
Managing System Files

This section contains information for defining file maintenance and includes both configuration file management as well as device access.
• Image Files — Software upgrades are used when a new version file is downloaded.

Software Upgrade

Firmware files are downloaded as required for upgrading the firmware version or for backing up the system configuration. File names cannot contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
• BACKUP — Specifies that firmware is uploaded for a firmware backup.
• via TFTP — Indicates that the upgrade file is found on a TFTP server.
• via HTTP — Indicates that the upgrade file is found on an HTTP server.
• File Type — Specifies the file type of the downloaded file (for TFTP download only). The possible field values are:
  - Software Image — Downloads the Image file.
  - Boot Code — Downloads the Boot file.
Save Configuration

STEP 1 Click Maintenance > File Management > Save Configuration. The Save Configuration Page opens:

Save Configuration Page
The Save Configuration Page contains the following fields:
• Source File Name — Indicates the device configuration file to copy and the intended usage of the copied file (Running, Startup, or Backup).
• Destination File Name — Indicates the device configuration file to copy to and the intended usage of the file (Running, Startup, or Backup).
Copy Configuration

The configuration files control the operation of the switch, and contain the functional settings at the device and the port level. Configuration files are one of the following types:
• Factory Default — Contains preset default parameter definitions which are downloaded with a new or upgraded version.
• Running Configuration — Contains the parameter definitions currently defined on the device.
STEP 1 Click Maintenance > File Management > Copy Configuration File. The Copy Configuration File Page opens:

Copy Configuration File Page
The Copy Configuration File Page contains the following fields:
• via TFTP — Download and upload files using TFTP.
• via HTTP — Download and upload files using HTTP.

Via TFTP
• UPGRADE — Specifies that the configuration file is associated with an upgrade.
• Destination File Type — Specifies the type of configuration file to be created. The possible values are:
  - Running Config — Contains the configuration currently valid on the device.
  - Starting Config — Contains the configuration which will be valid following system startup or reboot. The Startup configuration is only active after the device is reset.
  - Backup Config — Contains a copy of the system configuration for restoration following a shutdown or a fault.
Active Image

STEP 1 Click Maintenance > File Management > Active Image. The Active Image Page opens:

Active Image Page
The Active Image Page contains the following fields:
• Active Image — Indicates the Image file which is currently active on the device.
• Version Number — Indicates the image version number currently active on the device.
• After Reset — The Image file which is active after the device is reset.
DHCP Auto Configuration

Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network. The DHCP Auto Configuration Page allows network managers to change the configuration file and store it on the TFTP server in their network. This configuration file is downloaded automatically to all the switches in the network on which DHCP Auto Configuration is enabled.
Managing Power-over-Ethernet Devices

Power-over-Ethernet (PoE) provides power to devices over existing LAN cabling, without updating or modifying the network infrastructure. Power-over-Ethernet removes the necessity of placing network devices next to power sources.
Defining PoE Settings

STEP 1 Click VLAN & Port Settings > Port Management > PoE Settings. The PoE Settings Page opens:

PoE Settings Page
The PoE Settings Page displays the currently configured PoE ports and contains the following information:
• Total PoE Power Consumption (W) — Displays the total amount of power consumed by PoE ports.
• Total PoE Power Available (W) — Displays the total amount of power available to PoE ports.
STEP 2
• Priority — Indicates the PoE port priority. The possible values are: Critical, High and Low. The default is Low.
• Power Allocation (mW) — Indicates the power in milliwatts allocated to the port. The range is 0 - 15,400.
• Power Consumption (mW) — Indicates the amount of power in milliwatts assigned to the powered device connected to the selected interface.
  - Low — Defines the PoE priority level as low.
  - High — Defines the PoE priority level as high.
  - Critical — Defines the PoE priority level as Critical. This is the highest PoE priority level.
• Power Allocation — Indicates the power in milliwatts allocated to the port. The range is 0 - 15,400.
• Power Consumption — Indicates the amount of power in milliwatts assigned to the powered device connected to the selected interface.
Managing System Logs

The System Logs enable viewing device events in real time, and recording the events for later usage. System Logs record and manage events and report errors or informational messages. Event messages have a unique format, as per the SYSLOG protocol's recommended message format for all error reporting.
Enabling System Logs

STEP 1 Click Maintenance > System Logging > System Messages Settings. The System Messages Settings Page opens.

System Messages Settings Page
The System Messages Settings Page contains the following fields:
• Enable Logging — Indicates if message logging is enabled globally in the device.
• Severity — The following are the available severity levels:
  - Emergency — The system is not functioning.
  - Alert — The system needs immediate attention.
  - Debug — Provides detailed information about the log. If a Debug error occurs, contact Customer Tech Support.
• Memory Logs — The selected Severity types will appear in chronological order in all system logs that are saved in RAM (Cache). After restart, these logs are deleted.
• Flash Logs — The selected Severity types will be sent to the Logging file kept in FLASH memory. After restart, this log is not deleted.
STEP 2 Define the relevant fields.
Viewing the Device Memory Logs

STEP 1 Click Maintenance > System Logging > System Messages (Memory). The System Messages (Memory) Page opens.

System Messages (Memory) Page
The System Messages (Memory) Page contains the following fields:
• Log Index — Displays the log entry number.
• Log Time — Displays the time at which the log entry was generated.
• Severity — Displays the event severity.
• Description — Displays the log message text.
Viewing the System Flash Logs

The System Messages (Flash) Page contains information about log entries saved to the Log File in FLASH, including the time the log was generated, the event severity, and a description of the log message. The Message Log is available after reboot. To view the Flash Logs:
STEP 1 Click Maintenance > System Logging > System Messages (Flash).
Clearing Flash Logs

Flash Logs can be cleared from the System Messages (Flash) Page. To clear the System Messages (Flash) Page:
STEP 1 Click Maintenance > System Logging > System Messages (Flash). The System Messages (Flash) Page opens.
STEP 2 Click Clear Logs. The message logs are cleared.

Remote Log Servers

The Syslog Servers Page contains information for configuring the Remote Log Servers.
• Server — Specifies the server IP address to which logs can be sent.
• UDP Port — Defines the UDP port to which the server logs are sent. The possible range is 1 to 65535. The default value is 514.
• Facility — Defines a user-defined application from which system logs are sent to the remote server. Only one facility can be assigned to a single server. If a second facility level is assigned, the first facility is overridden.
Add Syslog Server Page
The Add Syslog Server Page contains fields for defining new Remote Log Servers. The Add Syslog Server Page contains the following fields:
• Log Server IP Address — Specifies the server to which logs can be sent.
• UDP Port — Defines the UDP port to which the server logs are sent. The possible range is 1 to 65535. The default value is 514.
  - Critical — The third highest warning level. A critical log is saved if a critical device malfunction occurs; for example, two device ports are not functioning, while the rest of the device ports remain functional.
  - Error — A device error has occurred, for example, if a single port is offline.
  - Warning — The lowest level of a device warning. The device is functioning, but an operational problem has occurred.
The Edit Syslog Server Page contains the following fields:
• Server — Specifies the name of the Remote Log Server to which logs can be sent.
• UDP Port — Defines the UDP port to which the server logs are sent. The possible range is 1 to 65535. The default value is 514.
• Facility — Defines a user-defined application from which system logs are sent to the remote server. Only one facility can be assigned to a single server.
STEP 4 Click Apply. The Syslog Server settings are modified, and the device is updated.
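A collector-side check for the Remote Log Server settings above, as an added example that is not part of the Cisco guide: it decodes the standard syslog `<PRI>` header into facility and severity, keeps only messages at or above a chosen severity, and counts malformed datagrams. The sample messages are constructed, the `serve` helper and its `allowed_sources` parameter are illustrative names, and the Notice and Informational level names are taken from standard syslog.

```python
import re
import socket
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Severity names in standard syslog order (code 0 is the most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


class Record(NamedTuple):
    facility: int   # 16..23 are the local0..local7 facilities
    severity: str
    text: str


def decode(datagram: bytes) -> Optional[Record]:
    """Decode '<PRI>text', where PRI = facility * 8 + severity."""
    match = PRI_RE.match(datagram)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:               # highest valid PRI is 23 * 8 + 7
        return None
    facility, code = divmod(pri, 8)
    text = datagram[match.end():].decode("utf-8", errors="replace").strip()
    return Record(facility, SEVERITIES[code], text)


def triage(datagrams: Iterable[bytes],
           min_severity: str = "Warning") -> Tuple[List[Record], int]:
    """Return (records at or above min_severity, count of malformed datagrams)."""
    limit = SEVERITIES.index(min_severity)
    kept: List[Record] = []
    malformed = 0
    for datagram in datagrams:
        record = decode(datagram)
        if record is None:
            malformed += 1
        elif SEVERITIES.index(record.severity) <= limit:
            kept.append(record)
    return kept, malformed


def serve(allowed_sources: set, host: str = "0.0.0.0", port: int = 514,
          min_severity: str = "Warning") -> None:
    """Listen on the UDP port configured on the switch (default 514).

    UDP syslog carries no authentication, so datagrams from addresses that
    are not known switches are dropped before they are parsed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (source, _port) = sock.recvfrom(4096)
            if source not in allowed_sources:
                continue
            kept, _malformed = triage([data], min_severity)
            for record in kept:
                print(source, record.facility, record.severity, record.text)


# Constructed sample datagrams (not captured from a real switch).
SAMPLE = [
    b"<188>constructed: port 5 link down",      # local7, Warning
    b"<190>constructed: configuration saved",   # local7, Informational
    b"<185>constructed: fan failure",           # local7, Alert
    b"no priority header",                      # malformed
    b"<999>constructed: PRI out of range",      # malformed
]

if __name__ == "__main__":
    records, bad = triage(SAMPLE)
    for record in records:
        print(record)
    print("malformed:", bad)
```

Binding to port 514 normally requires elevated privileges; pass a higher port to `serve` and set the same value in the UDP Port field when testing.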
Viewing Statistics

This section describes device statistics for RMON, interfaces, GVRP, EAP, and Etherlike statistics.
Viewing Ethernet Statistics

STEP 1 Click Statistics > Ethernet > Interface. The Interface Statistics Page opens:

Interface Statistics Page
The Interface Statistics Page contains the following fields:
• Interface — Indicates the interface for which statistics are displayed. The possible field values are:
  - Port — Defines the specific port for which Ethernet statistics are displayed.
  - EtherChannel — Defines the specific EtherChannel for which Ethernet statistics are displayed.
  - 60 Sec — Indicates that the Ethernet statistics are refreshed every 60 seconds.
  - No Refresh — Indicates that the Ethernet statistics are not refreshed.
The Receive Statistics area contains the following fields:
• Total Bytes (octets) — Displays the number of octets received on the interface since the page was last refreshed. This number includes bad packets and FCS octets, but excludes framing bits.
To view Etherlike Statistics:
STEP 1 Click Statistics > Ethernet > Etherlike. The Etherlike Page opens:

Etherlike Page
The Etherlike Page contains Ethernet-like interface statistics. The Etherlike Page contains the following fields:
• Interface — Indicates the interface for which statistics are displayed. The possible field values are:
  - Port — Defines the specific port for which Etherlike statistics are displayed.
  - 60 Sec — Indicates that the Etherlike statistics are refreshed every 60 seconds.
  - No Refresh — Indicates that the Etherlike statistics are not refreshed.
• Frame Check Sequence (FCS) Errors — Displays the number of FCS errors received on the selected interface.
• Single Collision Frames — Displays the number of single collision frames received on the selected interface.
STEP 1 Click Statistics > Ethernet > GVRP. The GVRP Page opens:

GVRP Page
The GVRP Page is divided into two areas, GVRP Statistics Table and GVRP Error Statistics Table. The following fields are relevant for both tables:
• Interface — Indicates the interface for which statistics are displayed. The possible field values are:
  - Port — Defines the specific port for which GVRP statistics are displayed.
  - 30 Sec — Indicates that the GVRP statistics are refreshed every 30 seconds.
  - 60 Sec — Indicates that the GVRP statistics are refreshed every 60 seconds.
  - No Refresh — Indicates that the GVRP statistics are not refreshed.
The GVRP Received Transmitted Table contains the following fields:
• Join Empty — Displays the device GVRP Join Empty statistics.
• Empty — Displays the device GVRP Empty statistics.
To view the EAP Statistics:
STEP 1 Click Statistics > Ethernet > EAP. The EAP Page opens:

EAP Page
The EAP Page contains the following fields:
• Port — Indicates the port which is polled for statistics.
• Refresh Rate — Defines the amount of time that passes before the EAP statistics are refreshed. The possible field values are:
  - 15 Sec — Indicates that the EAP statistics are refreshed every 15 seconds.
• Frames Transmitted — Indicates the number of EAPOL frames transmitted via the port.
• Start Frames Received — Indicates the number of EAPOL Start frames received on the port.
• Log off Frames Received — Indicates the number of EAPOL Logoff frames that have been received on the port.
• Respond ID Frames Received — Indicates the number of EAP Resp/Id frames that have been received on the port.
Managing RMON Statistics

Viewing RMON Statistics

The RMON Statistics Page contains fields for viewing information about device utilization and errors that occurred on the device. To view the RMON statistics:
STEP 1 Click Statistics > RMON (Remote Management) > Statistics. The RMON Statistics Page opens:

RMON Statistics Page
The RMON Statistics Page contains the following fields:
• Port — Defines the specific port for which RMON statistics are displayed.
  - 15 Sec — Indicates that the RMON statistics are refreshed every 15 seconds.
  - 30 Sec — Indicates that the RMON statistics are refreshed every 30 seconds.
  - 60 Sec — Indicates that the RMON statistics are refreshed every 60 seconds.
  - No Refresh — Indicates that the RMON statistics are not refreshed.
• Received Bytes (Octets) — Displays the number of octets received on the interface since the page was last refreshed.
• Collisions — Displays the number of collisions received on the interface since the page was last refreshed.
• Frames of xx Bytes — Number of frames containing the specified number of bytes that were received on the interface since the page was last refreshed.
STEP 2 Select either Port or EtherChannel. The RMON statistics are displayed.

Resetting RMON Statistics Counters

STEP 1 Click Statistics > RMON (Remote Management) > Statistics.
Configuring RMON History

RMON History Control Page
The RMON History Control Page contains the following fields:
• History Entry No. — Number automatically assigned to the table entry number.
• Source Interface — Displays the interface (port or EtherChannel) from which the history samples were taken. The possible field values are:
  - Port — Specifies the port from which the RMON information was taken.
Add RMON History Page
The Add RMON History Page contains the following fields:
• New History Entry — Number automatically assigned to the table entry number.
• Source Interface — Select the interface (port or EtherChannel) from which the history samples will be taken. The possible field values are:
  - Ports — Specifies the port from which the RMON information is taken.
  - EtherChannel — Specifies the EtherChannel from which the RMON information is taken.
Edit RMON History Page
The Edit RMON History Page contains the following fields:
• History Entry No. — Displays the entry number for the History Control Table page.
• Source Interface — Displays the interface (port or EtherChannel) from which the history samples are taken. The possible field values are:
  - Port — Specifies the port from which the RMON information is taken.
  - EtherChannel — Specifies the EtherChannel from which the RMON information is taken.
STEP 1 Click Statistics > RMON (Remote Management) > History. The RMON History Control Page opens:
STEP 2 Click the History Table button. The RMON History Table Page opens:

RMON History Table Page
The RMON History Table Page contains the following fields:
• History Entry No. — Displays the entry number for the History Control Table page.
• Owner — Displays the RMON station or user that requested the RMON information. The field range is 0-20 characters.
• Received Packets — Displays the number of packets received on the interface since the page was last refreshed, including bad packets, Multicast and Broadcast packets.
• Broadcast Packets — Displays the number of good Broadcast packets received on the interface since the page was last refreshed. This number does not include Multicast packets.
STEP 1 Click Statistics > RMON (Remote Management) > Events. The RMON Events Page opens:

RMON Events Page
The RMON Events Page contains the following fields:
• Event Entry — Displays the event index number.
• Community — Displays the SNMP community string.
• Description — Displays the event description.
• Type — Describes the event type. Possible values are:
  - None — No action occurs.
  - Log — The device adds a log entry.
The Delete button deletes the selected RMON event.
STEP 2 Click the Add button. The Add RMON Events Page opens:

Add RMON Events Page
The Add RMON Events Page contains the following fields:
• Event Entry — Indicates the event entry index number.
• Community — Displays the SNMP community string.
• Description — Displays a user-defined event description.
• Type — Describes the event type. Possible values are:
  - None — No action occurs.
Edit RMON Events Page
The Edit RMON Events Page contains the following fields:
• Entry Event No. — Displays the event entry index number.
• Community — Displays the SNMP community string.
• Description — Displays the user-defined event description.
• Type — Describes the event type. Possible values are:
  - None — No action occurs.
  - Log — The device adds a log entry.
  - Trap — The device sends a trap.
RMON Events Log Page
The RMON Events Log Page contains the following fields:
• Event — Displays the RMON Events Log entry number.
• Log No. — Displays the log number.
• Log Time — Displays the time when the log entry was entered.
• Description — Displays the log entry description.
To return to the RMON Events Page, click the RMON Events Control button.

Defining RMON Alarms

The RMON Alarms Page contains fields for setting network alarms.
STEP 1 Click Statistics > RMON (Remote Management) > Alarms. The RMON Alarms Page opens:

RMON Alarms Page
The RMON Alarms Page contains the following fields:
• Alarm Entry — Indicates the alarm entry number.
• Counter Name — Displays the selected MIB variable.
• Interface — Displays the interface (port or EtherChannel) for which RMON statistics are displayed. The possible field values are:
  - Port — Displays the RMON statistics for the selected port.
  - Absolute — Compares the values directly with the thresholds at the end of the sampling interval.
• Rising Threshold — Displays the rising counter value that triggers the rising threshold alarm. The rising threshold is presented on top of the graph bars. Each monitored variable is designated a color.
• Rising Event — Selects an event which is defined in the Events table that triggers the rising threshold alarm.
Add RMON Alarm Page
The Add RMON Alarm Page contains the following fields:
• Alarm Entry — Indicates the alarm entry number.
• Interface — Displays the interface (port or EtherChannel) for which RMON statistics are displayed. The possible field values are:
  - Ports — Displays the RMON statistics for the selected port.
  - EtherChannels — Displays the RMON statistics for the selected EtherChannel.
• Counter Name — Displays the selected MIB variable.
• Rising Event — Selects an event which is defined in the Events table that triggers the rising threshold alarm. The Events Table is displayed in the RMON Events Page.
• Falling Threshold — Displays the falling counter value that triggers the falling threshold alarm. The falling threshold is graphically presented on top of the graph bars. Each monitored variable is designated a color.
Edit RMON Alarm Page
The Edit RMON Alarm Page contains the following fields:
• Alarm Entry — Indicates the alarm entry number.
• Interface — Displays the interface (port or EtherChannel) for which RMON statistics are displayed. The possible field values are:
  - Port — Displays the RMON statistics for the selected port.
  - EtherChannel — Displays the RMON statistics for the selected EtherChannel.
• Counter Name — Displays the selected MIB variable.
• Rising Event — Selects an event which is defined in the Events table that triggers the rising threshold alarm. The Events Table is displayed in the RMON Events Page.
• Falling Threshold — Displays the falling counter value that triggers the falling threshold alarm. The falling threshold is graphically presented on top of the graph bars. Each monitored variable is designated a color.
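How the Rising Threshold and Falling Threshold fields on the RMON alarm pages interact, as an added example that is not part of the Cisco guide: under the RMON MIB (RFC 2819) the two thresholds form a hysteresis pair, so a rising alarm fires once and is re-armed only after the falling threshold is reached. The `RmonAlarm` class, the delta sample type, the Counter32 wrap handling and the sample readings are assumptions of this sketch, not switch output.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32  # assumption: the monitored MIB variable is a Counter32


@dataclass
class RmonAlarm:
    """One alarm entry: a monitored counter with a rising/falling threshold pair."""
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute"      # "absolute" or "delta" (RFC 2819 alarmSampleType)
    _previous: Optional[int] = field(default=None, init=False)
    _rising_armed: bool = field(default=True, init=False)
    _falling_armed: bool = field(default=True, init=False)

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")

    def sample(self, reading: int) -> Optional[Tuple[str, int]]:
        """Evaluate one reading taken at the end of a sampling interval.

        Returns ("rising", value) or ("falling", value) when an event fires,
        otherwise None.
        """
        if self.sample_type == "delta":
            previous, self._previous = self._previous, reading
            if previous is None:
                return None                       # need two readings for a delta
            # Modular subtraction keeps the delta correct across a counter wrap.
            value = (reading - previous) % COUNTER32_MODULUS
        else:
            value = reading                       # compared directly with the thresholds

        if value >= self.rising_threshold and self._rising_armed:
            self._rising_armed = False            # no repeat until a falling event
            self._falling_armed = True
            return ("rising", value)
        if value <= self.falling_threshold and self._falling_armed:
            self._falling_armed = False           # no repeat until a rising event
            self._rising_armed = True
            return ("falling", value)
        return None


def evaluate(alarm: RmonAlarm, readings: Iterable[int]) -> List[Tuple[int, str, int]]:
    """Feed readings in order; return (sample index, event, value) per event."""
    events = []
    for index, reading in enumerate(readings):
        fired = alarm.sample(reading)
        if fired is not None:
            events.append((index, fired[0], fired[1]))
    return events


# Constructed readings of a broadcast-packet counter, one per sampling interval.
BROADCAST_COUNTER = [0, 50, 250, 400, 420, 430, 700]

if __name__ == "__main__":
    storm_alarm = RmonAlarm(rising_threshold=100, falling_threshold=20,
                            sample_type="delta")
    for index, event, value in evaluate(storm_alarm, BROADCAST_COUNTER):
        print(f"sample {index}: {event} event, delta={value}")
```

The interval with a delta of 150 raises no second rising event because the alarm has not yet seen a value at or below the falling threshold; setting the two thresholds too close together removes that damping and produces one event per oscillation.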
Aggregating Ports

EtherChannels optimize port usage by linking a group of ports together to form a single aggregated group. EtherChannels multiply the bandwidth between the devices, increase port flexibility, and provide link redundancy. The device supports both static EtherChannels and Link Aggregation Control Protocol (LACP) EtherChannels. LACP EtherChannels negotiate aggregating port links with other LACP ports located on a different device.
• Defining EtherChannel Management
• Configuring LACP
• Defining EtherChannel Settings

Defining EtherChannel Management

Ports added to an EtherChannel lose their individual port configuration. When ports are removed from the EtherChannel, the original port configuration is applied to the ports. To define EtherChannel management:
STEP 1 Click VLAN & Port Settings > Port Management > EtherChannel Management.
• Link State — Displays the link operational status.
• Member — Displays the ports configured to the EtherChannel.

Modifying LAG Membership

STEP 1 Click VLAN & Port Settings > Port Management > EtherChannel Management. The EtherChannel Management Page opens:
STEP 2 Click the Edit button. The Edit EtherChannel Management Page opens:

Edit EtherChannel Management Page
The Edit EtherChannel Management Page contains the following fields.
• Port List — Contains a list of ports that can be added to an EtherChannel by using the >> button to add or the << button to remove items.
• EtherChannel Members — Displays the ports which are members of the selected EtherChannel.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The EtherChannel membership is defined, and the device is updated.
Defining EtherChannel Settings

STEP 1 Click VLAN & Port Settings > Port Management > EtherChannel Settings. The EtherChannel Settings Page opens:

EtherChannel Settings Page
The EtherChannel Settings Page contains the following fields:
• Copy From Entry Number — Copies the EtherChannel configuration from the specified table entry.
• To Entry Number(s) — Assigns the copied EtherChannel configuration to the specified table entry.
• EtherChannel — Displays the EtherChannel ID number.
• Flow Control — Displays the current Flow Control setting. Flow control may be enabled, disabled, or be in auto negotiation mode. Flow control operates when the ports are in full duplex mode.
• PVE — Indicates that this EtherChannel’s ports are protected by an uplink, so that the forwarding decisions are overwritten by those of the ports that protect them.
STEP 2 Define the relevant fields.
STEP 3 Click Apply.
• EtherChannel — Displays the EtherChannel ID number.
• Description — Displays the user-defined port name.
• EtherChannel Type — Indicates the port types that comprise the EtherChannel.
• Admin Status — Enables or disables traffic forwarding through the selected EtherChannel.
• Current EtherChannel Status — Indicates if the EtherChannel is currently operating.
the negotiation process. The possible field values are those specified in the Admin Advertisement field.
• Neighbor Advertisement — The neighbor EtherChannel (the EtherChannel to which the selected interface is connected) advertises its capabilities to the EtherChannel to start the negotiation process. The possible values are those specified in the Admin Advertisement field.
• Admin Speed — The configured speed at which the EtherChannel is operating.
Configuring LACP

STEP 1 Click VLAN & Port Settings > Port Management > LACP. The LACP Page opens:

LACP Page
The LACP Page contains fields for configuring LACP EtherChannels.
• LACP System Priority — Indicates the global LACP priority value. The possible range is 1-65535. The default value is 1.
• Port — Defines the port number to which timeout and priority values are assigned.
• Port Priority — Defines the LACP priority value for the port. The field range is 1-65535.
Modify LACP Parameter Settings

STEP 1 Click VLAN & Port Settings > Port Management > LACP. The LACP Page opens:
STEP 2 Click the Edit button. The Edit LACP Page opens:

Edit LACP Page
The Edit LACP Page contains the following fields:
• Port — Defines the port number to which timeout and priority values are assigned.
• LACP Port Priority — Defines the LACP priority value for the port. The field range is 1-65535.
• LACP Timeout — Administrative LACP timeout.
Managing Device Diagnostics

This section contains information for running diagnostic procedures on the switch, and includes the following topics:
• Ethernet Ports
• GBIC Uplink Ports
• SPAN (Port Mirroring)
• CPU Utilization

Ethernet Port Testing

The Ethernet Ports Page contains fields for performing tests on copper cables.
STEP 1 Click Maintenance > Diagnostics > Ethernet Ports. The Ethernet Ports Page opens:

The Ethernet Ports Page contains the following fields:
• Port — Displays the port list.
• Test Result — Displays the cable test results. Possible values are:
  - No Cable — Indicates that a cable is not connected to the port.
  - Open Cable — Indicates that a cable is connected on only one side.
  - Short Cable — Indicates that a short has occurred in the cable.
STEP 2 Click the Test button to run the cable test. A popup message appears that states "The operation will shut down the tested port for a short period, continue?". Click OK to continue or Cancel to stop the test. The results of the test appear on the line associated with the port you tested.

Click on the Advanced button to open up the Copper Cable Extended Feature Screen. The Copper Cable Extended Feature page contains the following fields.
STEP 3 Click Done to close the window.

Performing GBIC Uplink Testing

The GBIC Uplink Page allows network managers to perform tests on Fiber Optic cables. Optical transceiver diagnostics can be performed only when the link is present. During the port test, the port moves to a down state.
STEP 1 Click Maintenance > Diagnostics > GBIC Uplink Ports.
Configure Span (Port Mirroring)

Port Mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from one port to a monitoring port. Port mirroring can be used as a diagnostic tool and/or a debugging feature. Port mirroring also enables switch performance monitoring.
NOTE The destination port must be configured with a Smart Port role of "Other" using the Smart Port Wizard before configuring for port mirroring.
• Source Port — Defines the port from which traffic is to be analyzed.
• Type — Indicates the port mode configuration for port mirroring. The possible field values are:
  - Rx Only — Defines the port mirroring for receive traffic only on the selected port.
  - Tx Only — Defines the port mirroring on transmitting ports.
  - Tx and Rx — Defines the port mirroring on both receiving and transmitting ports.
STEP 2 Define the relevant fields. Click Apply. Port mirroring is added, and the device is updated.
To delete an entry, click the selected entry in the table and then press Delete.

Monitoring CPU Utilization

The CPU Utilization page contains information about the system’s CPU utilization.
STEP 1 Click Maintenance > Diagnostics > CPU Utilization. The CPU Utilization Page opens:

The CPU Utilization page contains the following fields:
• CPU Utilization — Displays CPU resource utilization information. The possible field values are:
  - Enabled — Enables viewing CPU utilization information. This is the default value.
  - Disabled — Disables viewing the CPU utilization information.
  - 30 Sec — Indicates that the CPU utilization statistics are refreshed every 30 seconds.
  - 60 Sec — Indicates that the CPU utilization statistics are refreshed every 60 seconds.
• Usage Percentages — Graph’s y-axis indicates the percentage of the CPU’s resources consumed by the device.
• Time — Graph’s x-axis indicates the time, in 15, 30, and 60 second intervals, that usage samples are taken.