ADMINISTRATION GUIDE Cisco Small Business SFE/SGE Managed Switches
Contents

Chapter 1: Getting Started
  Starting the Application
  Understanding the Interface
  Using the Cisco Management Buttons
  Using Screen and Table Options
  Adding Device Information
  Modifying Device Information
  Deleting Device Information
  Logging Off of the Device
  The About Page
Chapter 2: Managing Device Information
  Defining System Information
  Managing Stacking
  Understanding Switch Operating Modes
  Configuring a Stack
  Stack Membership
  Defining SNTP Authentication
Chapter 4: Configuring Device Security
  Passwords Management
  Modifying the Local User Settings
  Defining Authentication
  Defining Profiles
  Modifying an Authentication Profile
  Mapping Authentication Profiles
  Defining TACACS+
  Defining RADIUS
  Defining Access Methods
  Defining Access Profiles
  Defining Profile Rules
  Defining Traffic Control
  Defining Storm Control
  Defining Port Security
  Defining 802.
  Defining DHCP Snooping Properties
  Defining DHCP Snooping on VLANs
  Defining Trusted Interfaces
  Binding Addresses to the DHCP Snooping Database
  Defining IP Source Guard
  Defining Dynamic ARP Inspection
  Defining ARP Inspection Properties
  Defining ARP Inspection Trusted Interfaces
  Defining ARP Inspection List
  Assigning ARP Inspection VLAN Settings
Chapter 5: Configuring Ports
  Configuring Ports Settings for Layer 2 Enabled Devices
  C
Chapter 7: Configuring IP Information
  IP Addressing
  Managing IPv6
  Viewing IPv6 Routes Table
  Layer 2 IP Addressing
  Layer 3 IP Addressing
  Defining IPv4 Interface (Layer 2)
  Defining IPv4 Interface (Layer 3)
  Enabling ARP Proxy (Layer 3)
  Defining UDP Relay (Layer 3)
  Defining DHCP Relay (Layer 2)
  Defining DHCP Relay Interfaces
  Defining DHCP Relay (Layer 3)
  ARP
  Defining IP Routing
  Domain Name System
  Defining DNS
  Modifying Multicast Forwarding
  Defining Unregistered Multicast Settings
Chapter 10: Configuring Spanning Tree
  Defining Spanning Tree
  Defining STP Properties
  Defining Spanning Tree Interface Settings
  Modifying Interface Settings
  Defining Rapid Spanning Tree
  Modifying RTSP
  Defining Multiple Spanning Tree
  Defining MSTP Properties
  Defining MSTP Instance to VLAN
  Defining MSTP Instance Settings
  Defining MSTP Interface Settings
Chapter 12: Configuring SNMP
  Configuring SNMP Security
  Defining the SNMP Engine ID
  Defining SNMP Views
  Defining SNMP Users
  Defining SNMP Groups
  Defining SNMP Communities
  Defining Trap Management
  Defining Trap Settings
  Configuring Station Management
  Defining SNMP Filter Settings
Chapter 13: Managing System Files
  Firmware Upgrade
  Save Configuration
  Copy Files
  Active Image
Chapter 14: Managing Power-over-Eth
  Clearing Message Logs
  Viewing the Flash Logs
  Clearing Flash Logs
  Viewing Remote Logs
  Modifying Syslog Server Settings
Chapter 17: Viewing Statistics
  Viewing Ethernet Statistics
  Defining Ethernet Interface
  Viewing Etherlike Statistics
  Viewing GVRP Statistics
  Viewing EAP Statistics
  Managing RMON Statistics
  Viewing RMON Statistics
  Resetting RMON Statistics Counters
  Configuring RMON History
  Defining RMON History Contro
1 Getting Started

This section provides an introduction to the user interface, and includes the following topics:
• Starting the Application
• Understanding the Interface
• Using the Cisco Management Buttons
• Using Screen and Table Options
• Logging Off of the Device
• The About Page

Starting the Application

To open the User Interface:
STEP 1 Open a web browser.
STEP 2 Enter the device’s IP address in the address bar and press Enter.
Figure: Enter Network Password Page
STEP 3 When the Enter Network Password Page initially loads, both fields are empty. Enter a Username and Password and click Log In. The default user name is admin. The default password is admin. Passwords are alpha-numeric and case-sensitive. While the system is verifying the login attempt, the Login Progress Indicator appears. The indicator dots rotate clockwise to indicate that the system is still working.
Figure: System Information Page
If the login attempt fails because the user typed an incorrect username or password, the following message appears: “Invalid Username or Password. Please try again.” If the login attempt fails due to another problem, one of the following error messages appears:
“Login failed since too many users are logged in.”
“Login failed due to PC configuration problems.”
“There is no response from the server.
Understanding the Interface

Figure: Interface Components Page
The following table lists the interface components with their corresponding numbers:

Interface Components
No. | Component | Description
1 | Tree View | The Tree View provides easy navigation through the configurable device features. The main branches expand to provide the subfeatures.
2 | Device View | The device view provides information about device ports, current configuration and status, table information, and feature components.
Using the Cisco Management Buttons

Device Management buttons provide an easy method of configuring device information, and include the following:

Device Management Buttons
Button Name | Description
Apply | Applies changes to the device
Clear Counters | Clears statistic counters
Clear Logs | Clears log files
Add | Opens an Add page
Delete | Removes entries from tables
Test | Performs cable tests

Using Screen and Table Options

The User Interface contains
Figure: Add SNTP Server Page
STEP 3 Define the fields.
STEP 4 Click Apply. The configuration information is saved, and the device is updated.

Modifying Device Information

STEP 1 Open the interface page.
STEP 2 Select a table entry.
STEP 3 Click the Edit Button. A Modify page opens, for example, the Edit RMON Events Page opens:
Figure: Edit RMON Events Page
STEP 4 Define the fields.
STEP 5 Click Apply.
Deleting Device Information

STEP 1 Open the interface page.
STEP 2 Select a table row.
STEP 3 Check the Remove checkbox.
STEP 4 Click the Delete button. The information is deleted, and the device is updated.

Logging Off of the Device

The application may automatically log out after ten minutes. When this occurs, the following message is displayed: “You have been logged out as a result of being inactive for 10 minutes. Use the fields to login.
The About Page
2 Managing Device Information

This section provides information for defining both basic and advanced system information. This section contains the following topics:
• Defining System Information
• Managing Stacks
• Viewing Device Health
• Resetting the Device
• Defining Bonjour
• TCAM Utilization

Defining System Information

The System Information Page contains parameters for configuring general device information.
STEP 1 Click System > System Management > System Information. The System Information Page opens:
Figure: System Information Page
The System Information Page contains the following fields:
• Model Name — Displays the model name and number of ports supported by the system.
• System Name — Displays the user configured name of the system.
• System Location — Defines the location where the system is currently running.
• Hardware Version — Displays the hardware version number.
• Software Version — Displays the software version number. If the system is in stack mode, the version of the master unit is displayed.
• Boot Version — Indicates the system boot version currently running on the device. If the system is in stack mode, the version of the master unit is displayed.
Managing Stacking

Stand-alone Mode

Devices operating in stand-alone mode run as an independent, single unit. All ports of a stand-alone switch operate as normal Ethernet links. A stand-alone switch does not participate in a stack even if the device is physically connected to a stack. However, a unit whose mode is changed from Stack to Stand-alone retains its stacking configuration information. That information is restored if the unit is returned to Stack mode.
• Master Election. Master Election takes place automatically to select the Master unit. If there are two or more units in the stack, then a Backup unit is also automatically selected.
• Topology Discovery. The stack Master unit carries out a process called topology discovery to learn which units are present in the stack, the order in which they are connected and the Unit ID that each unit reports itself as owning.
configured through the web management system. By default, Unit IDs are assigned automatically. However, you can use the browser to assign a specific Unit ID; for example, the same unit ID as the unit which was recently removed.

Stack Membership

The system supports up to eight switching units per stack.
• The stacking members operate under the control of the Master unit. Device software is downloaded separately for each stack member. All stacking members must run the same software version. A stack may contain from zero to six stacking members (not including the Backup unit).

Defining Stacking Unit ID

Each member unit of a stack is assigned a Unit ID.
Factory Default Units

A unit in factory default mode has the following attributes:
• Unit ID = 0. This setting indicates that the unit is in autonumbering mode.
• Switch Operation Mode = Stack.
The combination of these two settings directs the system to automatically configure the unit as a new stack member.
NOTE: A unit in stand-alone mode also displays Unit ID = 0.
Unit ID as the switch being replaced. The newly inserted switch is identified by the Master unit by its Unit ID. Since the configuration of the original switch is also stored in the Master and Backup units by Unit ID, the new switch automatically receives the configuration of the old switch. This eliminates the need to configure the new switch and reduces the system downtime. The advantage of manual vs.
STEP 1 STEP 2 When inserting a unit into a running stack, units that are members of the existing stack retain their Unit IDs. Therefore:
• If an automatically numbered unit was inserted into a running stack, the existing unit retains its Unit ID and the newer unit is reset to Unit ID=0.
Master Election

The Master and Backup unit selection is known as Master Election. Master Election takes place if there are one or more eligible candidates contending to be the Master unit.

Master Election Candidate Eligibility

In general, not all stack member units are eligible to be candidates for Master Election. Eligibility for Master Election is determined in the following order.
For example:
• If there are two or more Master-enabled units and only one of them has been assigned as Force Master, the Force Master unit is the winner of step 1 and therefore the winner of the Master Election.
• If there are two or more Master-enabled units that have been assigned as Force Master, then the Master Election proceeds to step 2, where the running times of the Force Master units are compared.
each one to any existing stack member unit and then powering the new unit on. Each new unit is assigned the next available Unit ID.
• After the stack is initialized and configured, the system administrator may reset the Unit IDs manually to the same values assigned by automatic numbering.
• A stack is initially configured in chain topology and the units are connected as follows:
Unit 2—Unit 5—Unit 1—Unit 4—Unit 6—Unit 8
The system administrator resets Unit 4 but does not realize that the Switch Operation Mode After Reset field on the System Information page was mistakenly checked as stand-alone. No physical connections are changed. Unit 4 reboots in stand-alone mode, effectively cutting off Units 6 and 8 from the stack.
connection to the stack via the new Unit 4. The old Unit 4 and the new Unit 4 appear to the Master unit as two new, manually numbered units trying to simultaneously join the stack. Therefore, both units are shut down, and thus Units 6, 7 and 8 remain shut down.
Managing Stacks

STEP 1 Click System > System Management > Stack Management. The Stack Management Page opens:
Figure: Stack Management Page
The Stack Management Page contains the following fields:
• Master Election — Indicates the method of electing the master device. The possible values are:
  - Automatically — The master is selected automatically by software.
  - Force Master — The unit is forced to be master of the stack. Note that only Unit 1 or Unit 2 can be the stack master.
STEP 3 Click Apply. Stack management is defined, and the device is updated.

Viewing Device Health

The Health Page displays physical device information, including information about the device’s power and ventilation sources.
STEP 1 Click System > System Management > Health. The Health Page opens:
Figure: Health Page
The Health Page contains the following fields:
• Unit No. — Indicates the number of the stack member for which the device information is displayed.
  - OK — Indicates the fan is operating normally.
  - Fail — Indicates the fan is not operating normally.
NOTE: The GE device has up to five fans (the FE device has one fan).

Resetting the Device

The Reset Page enables the device to be reset from a remote location. Save all changes to the Start up Configuration file before resetting the device. This prevents the current device configuration from being lost.
STEP 1 Click System > System Management > Reset. The Reset Page opens:
Figure: Reset Page
STEP 2 Click one of the available Reset commands. The device resets.
STEP 3 Enter the user name and password to reconnect to the Web Interface.

Defining Bonjour

Bonjour is a service discovery protocol that enables automatic discovery of computers, devices and services on IP networks.
• Model Number
• Device Type
• Firmware Version
• MAC Address
• Serial Number
• Hostname
The Service Types that are provided for Bonjour are: _csbdp (a Cisco specific Service Type), HTTP, HTTPS and Other. Other allows for additional Service Types to be added manually.
To define Bonjour:
STEP 1 Click System > Admin > Bonjour.
  - Disable — Disables Bonjour on the device.
• Service Type Selection — Defines the DNS Service Discovery (DNS-SD) Service Type used to publish devices on the network. The possible field values are:
  - _csbdp (default) — Specifies the Service Type selected is _csbdp. This is a Cisco generic Service Type. The port number is chosen randomly from the port range of 4000-5000 at the initialization stage and is used afterwards. This is the default value.
TCAM Utilization

The maximum number of rules that may be allocated by all applications on the device is 1024. Some applications allocate rules upon their initiation. Additionally, applications that initialize during system boot use some of their rules during the startup process. The following table lists all applications that can allocate TCAM rules. Each allocation has its specific allocation policy.
TCAM Allocation
Application | Per Port/Per Device | Allocation on Activation | Application Upper Limit | TCAM rules per User ACL | Comments
QoS Advanced Mode rules | Port | 6/device | No limit | 1 or 2 TCAM entries per each rule. | Feature is activated by default.
Access Control Rules | Port | 6/device | No limit | 1 or 2 TCAM entries per each rule. | Feature is activated by default.
PVE | Port | 2/port or LAG | --- | --- | Feature is activated by default.
Figure: TCAM Utilization Page
The TCAM Utilization Page contains the following fields:
• TCAM Utilization — Indicates the percentage of the available TCAM resources which are used. For example, if more ACLs and policy maps are defined, the system uses more TCAM resources.
3 Configuring System Time

The device supports the Simple Network Time Protocol (SNTP). SNTP assures accurate network device clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. The device operates only as an SNTP client, and cannot provide time services to other systems.
Defining System Time

STEP 1 Click System > System Management > Time > System Time. The System Time Page opens:
Figure: System Time Page
The System Time Page contains the following fields:
• Clock Source — Indicates the source used to set the system clock. The possible field values:
  - Use Local Settings — The system time is set on the local device. This is the default value.
  - Use SNTP Server — Sets the system time via an SNTP server.
• Date — Indicates the system date.
  - European — The device switches to DST at 1:00 am on the last Sunday in March and reverts to standard time at 1:00 am on the last Sunday in October. The European option applies to EU members, and other European countries using the EU standard.
  - Other — The DST definitions are user-defined based on the device locality. If Other is selected, the From and To fields must be defined.
  - Week — The week within the month at which DST ends every year. The possible field range is 1-5.
  - Month — The month of the year in which DST ends every year. The possible field range is Jan.-Dec.
  - Time — The time at which DST ends every year. The field format is Hour:Minute, for example, 05:30.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The Time Settings are defined, and the device is updated.
Defining SNTP Settings

STEP 1 Click System > System Management > Time > SNTP Settings. The SNTP Settings Page opens:
Figure: SNTP Settings Page
The SNTP Settings Page contains the following fields:
• Enable SNTP Broadcast — Enables polling the selected SNTP Server for system time information.
• SNTP Server — Indicates the SNTP server IP address. Up to eight SNTP servers can be defined.
  - Unknown — The progress of the SNTP information currently being sent is unknown. For example, the device is currently trying to locate an interface.
• Status — The operating SNTP server status. The possible field values are:
  - Up — The SNTP server is currently operating normally.
  - Down — Indicates that an SNTP server is currently not available. For example, the SNTP server is currently not connected or is currently down.
• Encryption Key ID — Select if Key Identification is used to communicate between the SNTP server and device. The range is 1 - 4294967295.
STEP 3 Define the relevant fields.
STEP 4 Click Add. The SNTP Server is added, and the device is updated.

Defining SNTP Authentication

The SNTP Authentication Page provides parameters for performing authentication of the SNTP server.
STEP 1 Click System > System Management > Time > SNTP Authentication.
  - Checked — Authenticates SNTP sessions between the device and SNTP server.
  - Unchecked — Disables authenticating SNTP sessions between the device and SNTP server.
• Encryption Key ID — Indicates the Key Identification used to authenticate the SNTP server and device. The field value is up to 4294967295 characters.
• Authentication Key — Displays the key used for authentication.
STEP 2
4 Configuring Device Security

The Security Suite contains the following topics:
• Passwords Management
• Defining Authentication
• Defining Access Methods
• Defining Traffic Control
• Defining 802.1X
• Defining Access Control
• Defining DoS Prevention
• Defining DHCP Snooping
• Defining Dynamic ARP Inspection

Passwords Management

This section contains information for defining passwords.
STEP 1 Click Security Suite > Passwords Management > User Authentication. The User Authentication Page opens:
Figure: User Authentication Page
The User Authentication Page contains the following fields:
• User Name — Displays the user name.
STEP 2 Click the Add button. The Add Local User Page opens:
Figure: Add Local User Page
The Add Local User Page contains the following fields:
• User Name — Displays the user name.
• Password — Specifies the new password. The password is not displayed. As it is entered, an * corresponding to each character is displayed in the field. (Range: 1-159 characters)
• Confirm Password — Confirms the new password. The password entered into this field must be exactly the same as the password entered in the Password field.
STEP 3 Click the Delete button to cancel the selected Profile Name.
Click Apply. The local user settings are modified, and the device is updated.

Defining Authentication

The Authentication section contains the following pages:
• Defining Profiles
• Mapping Authentication Profiles
• Defining TACACS+
• Defining RADIUS

Defining Profiles

Authentication profiles allow network administrators to assign authentication methods for user authentication.
STEP 1 Click Security Suite > Authentication > Profiles. The Profiles Page opens:
Figure: Profiles Page
The Profiles Page contains the following fields:
• Profile Name — Displays the Profile name defined for the Login Table.
• Methods — Defines the user authentication methods. The order of the authentication methods defines the order in which authentication is attempted.
Figure: Add Authentication Profile Page
The Add Authentication Profile Page contains the following fields:
• Profile Name — Displays the Authentication profile name.
• Authentication Method — Defines the user authentication methods. The order of the authentication methods defines the order in which authentication is attempted.
Modifying an Authentication Profile

STEP 1 Click Security Suite > Authentication > Profiles. The Profiles Page opens:
STEP 2 Click the Edit Button. The Edit Authentication Profile Page opens:
Figure: Edit Authentication Profile Page
The Edit Authentication Profile Page contains the following fields:
• Profile Name — Displays the Authentication profile name.
• Authentication Methods — Defines the user authentication methods.
Mapping Authentication Profiles

After authentication profiles are defined, authentication profiles can be applied to management access methods. For example, console users can be authenticated by one authentication profile, while Telnet users are authenticated by another authentication profile. Authentication methods are selected using arrows. The order in which the methods are selected is the order by which the authentication methods are used.
• Secure HTTP — Configures the device Secure HTTP settings.
• Optional Methods — Lists available authentication methods.
  - Local — Authenticates the user at the device level. The device checks the user name and password for authentication. No authentication method can be added under Local.
  - RADIUS — Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks.
Defining TACACS+

The devices provide Terminal Access Controller Access Control System (TACACS+) client support. TACACS+ provides centralized security for validation of users accessing the device. TACACS+ provides a centralized user management system, while still retaining consistency with RADIUS and other authentication processes.
STEP 1 Click Security Suite > Authentication > TACACS+. The TACACS+ Page opens:
Figure: TACACS+ Page
The TACACS+ Page contains the following fields:
• Supported IP Format — TACACS+ is supported only on IPv4.
• Source IPv4 Address — Displays the device source IPv4 address used for the TACACS+ session between the device and the TACACS+ server.
• Key String — Defines the authentication and encryption key for TACACS+ server.
• Timeout for Reply — Displays the amount of time in seconds that passes before the connection between the device and the TACACS+ times out. The field range is 1-1000 seconds.
• Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected.
• Status — Displays the connection status between the device and the TACACS+ server.
  - Use Default — Uses the default value for the parameter. If the Use Default check box is selected, the global value of 0.0.0.0 is used and interpreted as a request to use the IP address of the outgoing IP interface.
• Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server. The possible values are:
  - User Defined — Allows the user to define the Key String value.
Figure: Edit TACACS+ Server Page
The Edit TACACS+ Server Page contains the following fields:
• Host IP Address — Defines the TACACS+ Server IP address.
• Priority — Defines the order in which the TACACS+ servers are used. The default is 0.
• Source IP Address — Defines the device source IPv4 address used for the TACACS+ session between the device and the TACACS+ server.
• Key String — Defines the authentication and encryption key for TACACS+ server.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The authentication profile is defined, and the device is updated.

Defining RADIUS

Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks. RADIUS servers provide a centralized authentication method for web access. The default parameters are user-defined, and are applied to newly defined RADIUS servers.
  - Both — Both 802.1X and login authentication are used to initiate accounting.
  - None — No authentication is used to initiate accounting.
• Supported IP Format — Indicates whether IPv4 or IPv6 are supported.
• Default Retries — Provides the default retries.
• Default Timeout for Reply — Provides the device default Timeout for Reply.
• Default Dead Time — Provides the device default Dead Time.
• Key String — Defines the default key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This key must match the RADIUS encryption.
• Usage Type — Specifies the RADIUS server authentication type. The default value is Login. The possible field values are:
  - Login — Indicates that the RADIUS server is used for authenticating user name and passwords.
  - 802.
  - Global — Indicates the IPv6 address is a global Unicast IPv6 type which is visible and reachable from different subnets.
• Host IP Address — Displays the RADIUS Server IP address.
• Priority — Displays the server priority. The possible values are 0-65535, where 1 is the highest value. The RADIUS Server priority is used to configure the server query order.
• Use Default — Uses the default value for the parameter.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The RADIUS Server is added, and the device is updated.

Modifying RADIUS Server Settings

STEP 1 Click Security Suite > Authentication > RADIUS. The RADIUS Page opens:
STEP 2 Click the Edit button.
• Number of Retries — Defines the number of transmitted requests sent to RADIUS server before a failure occurs. The possible field values are 1 - 10. Three is the default value.
• Timeout for Reply — Defines the amount of time in seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server. The possible field values are 1 - 30. Three is the default value.
Defining Access Methods

Defining Access Profiles

Access profiles are profiles and rules for accessing the device. Access to management functions can be limited to user groups. User groups are defined for interfaces according to IP addresses or IP subnets. Access profiles contain management methods for accessing and managing the device.
STEP 1 Click Security Suite > Access Method > Access Profiles. The Access Profiles Page opens:
Figure: Access Profiles Page
The Access Profiles Page contains the following fields:
• Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.
• Current Active Access Profile — Defines the access profile currently active.
STEP 2 Click the Add button.
Figure: Add Access Profile Page
The Add Access Profile Page contains the following fields:
• Supported IP Format — Indicates the supported IP version. The possible values are:
  - Version 6 — Indicates the device supports IPv6.
  - Version 4 — Indicates the device supports IPv4.
• IPv6 Address Type — Displays the IPv6 Type.
  - All — Assigns all management methods to the rule.
  - Telnet — Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.
  - SNMP — Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.
  - Secure Telnet (SSH) — Assigns SSH access to the rule.
STEP 4 Click Apply. The access profile is added, and the device is updated.

Defining Profile Rules

Access profiles can contain up to 128 rules that determine which users can manage the switch module, and by which methods. Users can also be blocked from accessing the device.
STEP 1 Click Security Suite > Access Method > Profile Rules. The Profile Rules Page opens:
Profile Rules Page
The Profile Rules Page contains the following fields:
• Access Profile Name — Displays the access profile to which the rule is attached.
• Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access.
  - Telnet — Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.
  - SNMP — Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.
  - HTTP — Assigns HTTP access to the rule.
Add Profile Rule Page
The Add Profile Rule Page contains the following fields:
• Supported IP Format — Indicates the supported IP version. The possible values are:
  - Version 6 — Indicates the device supports IPv6.
  - Version 4 — Indicates the device supports IPv4.
• IPv6 Address type — Displays the IPv6 Type.
• Rule Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis. The rule priorities are assigned in the Profile Rules Page.
• Management Method — Defines the management method for which the rule is defined.
• Prefix Length — Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.
• Action — Defines the action attached to the rule. The possible field values are:
  - Permit — Permits access to the device.
  - Deny — Denies access to the device. This is the default.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The profile rule is added, and the device is updated.
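Because profile rules are matched first-fit, a broad rule placed ahead of a narrower one decides the outcome and the narrower rule never takes effect. The following is an added example, not code from this guide or from the device: it models rules with the fields described above (priority, management method, source address with prefix length, action), evaluates a management connection, and reports rules that can never match. It assumes that the lowest priority number is evaluated first and that a connection matching no rule is denied; the sample profile and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

METHODS = {"all", "telnet", "ssh", "http", "snmp"}


@dataclass(frozen=True)
class ProfileRule:
    priority: int   # assumption: lowest number is evaluated first
    method: str     # management method, or "all"
    source: str     # source IP address / prefix length
    action: str     # "permit" or "deny"

    def __post_init__(self):
        if self.method not in METHODS or self.action not in ("permit", "deny"):
            raise ValueError(f"invalid rule: {self}")

    @property
    def network(self):
        return ipaddress.ip_network(self.source, strict=True)

    def matches(self, method, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return (self.method in ("all", method)
                and addr.version == self.network.version
                and addr in self.network)


def ordered(rules):
    return sorted(rules, key=lambda r: r.priority)


def decide(rules, method, src_ip):
    """First-fit evaluation. Returns (action, priority of the deciding rule)."""
    for rule in ordered(rules):
        if rule.matches(method, src_ip):
            return rule.action, rule.priority
    return "deny", None   # assumption: no matching rule means no access


def covers(earlier, later):
    """True when every connection matching `later` already matches `earlier`."""
    if earlier.method != "all" and earlier.method != later.method:
        return False
    a, b = earlier.network, later.network
    return a.version == b.version and b.subnet_of(a)


def shadowed(rules):
    """List (rule priority, shadowing priority, actions_conflict) per dead rule."""
    findings = []
    seq = ordered(rules)
    for i, later in enumerate(seq):
        for earlier in seq[:i]:
            if covers(earlier, later):
                findings.append((later.priority, earlier.priority,
                                 earlier.action != later.action))
                break
    return findings


# Constructed profile: rule 20 was meant to let the admin subnet in over SSH,
# but rule 10 already denies every method from 10.0.0.0/8.
PROFILE = [
    ProfileRule(10, "all", "10.0.0.0/8", "deny"),
    ProfileRule(20, "ssh", "10.1.2.0/24", "permit"),
    ProfileRule(30, "snmp", "172.16.5.10/32", "permit"),
    ProfileRule(40, "snmp", "172.16.5.0/24", "deny"),
]

if __name__ == "__main__":
    print(decide(PROFILE, "ssh", "10.1.2.7"))
    for dead, by, conflict in shadowed(PROFILE):
        note = "conflicting action" if conflict else "redundant"
        print(f"rule {dead} never matches: covered by rule {by} ({note})")
```

Running the audit before a profile is made active shows whether the rule that is supposed to admit the management station can ever be reached.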
  - Version 6 — Indicates the device supports IPv6.
  - Version 4 — Indicates the device supports IPv4.
• IPv6 Address type — Displays the IPv6 Type. The possible field values are:
  - Link Local — Indicates the IPv6 address is a link-local address that uniquely identifies hosts on a single network link. A link-local address has a prefix of ‘FE80’. Link-local addresses are not routable and can be used for communication on the same network only.
Configuring Device Security: Defining Traffic Control
  - Secure Telnet (SSH) — Assigns SSH access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.
• Interface — Defines the interface on which the access profile is defined. The possible field values are:
  - Port — Specifies the port on which the access profile is defined.
  - LAG — Specifies the LAG on which the access profile is defined.
Defining Storm Control
Storm Control enables limiting the amount of Multicast and Broadcast frames accepted and forwarded by the device. When Layer 2 frames are forwarded, Broadcast and Multicast frames are flooded to all ports on the relevant VLAN. This occupies bandwidth, and loads all nodes connected on all ports. A Broadcast Storm is a result of an excessive amount of broadcast messages simultaneously transmitted across a network by a single port.
• Copy From Entry Number — Copies the storm control configuration from the specified table entry.
• To Entry Number(s) — Assigns the copied storm control configuration to the specified table entry.
• Unit Number — Displays the stacking member for which the storm control parameters are displayed.
• Port — Indicates the port from which storm control is enabled.
Edit Storm Control Page
The Edit Storm Control Page contains the following fields:
• Port — Indicates the port from which storm control is enabled.
• Enable Broadcast Control — The possible field values are:
  - Checked — Enables Storm Control.
  - Unchecked — Disables Storm Control.
• Broadcast Mode — Specifies the Broadcast mode currently enabled on the interface.
Defining Port Security
Network security can be increased by limiting access on a specific port only to users with specific MAC addresses. The MAC addresses can be dynamically learned or statically configured. Locked port security monitors both received and learned packets that are received on specific ports. Access to the locked port is limited to users with specific MAC addresses.
STEP 1 Click Security Suite > Traffic Control > Port Security. The Port Security Page opens:
Port Security Page
The Port Security Page contains the following fields:
• Ports of Unit — Indicates the port number and stacking member on which port security is configured.
• LAGs — Indicates the LAG number on which port security is configured.
• Interface — Displays the port or LAG name.
• Interface Status — Indicates the port security status.
  - Classic Lock — Locks the port using the classic lock mechanism. The port is immediately locked, regardless of the number of addresses that have already been learned.
  - Limited Dynamic Lock — Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled.
Modifying Port Security
STEP 1 Click Security Suite > Traffic Control > Port Security. The Port Security Page opens:
STEP 2 Click the Edit Button. The Edit Port Security Page opens:
Edit Port Security Page
The Edit Port Security Page contains the following fields:
• Interface — Select the port or LAG name.
• Lock Interface — Indicates the port security status.
Configuring Device Security: Defining 802.1X
Interface Status field. In addition, the Limited Dynamic Lock mode is selected. The possible range is 1-128. The default is 1.
• Action on Violation — Indicates the action to be applied to packets arriving on a locked port. The possible field values are:
  - Discard — Discards packets from any unlearned source. This is the default value.
  - Forward — Forwards packets from an unknown source without learning the MAC address.
• Authentication Server — Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the supplicant is authorized to access system services.
The 802.1X section contains the following topics:
• Defining 802.1X Properties
• Defining Port Authentication
• Defining Authentication
• Defining Authenticated Hosts
Defining 802.1X Properties
The 802.
  - Enable — Enables port-based authentication on the device.
  - Disable — Disables port-based authentication on the device.
• Authentication Method — Defines the user authentication methods. The possible field values are:
  - RADIUS, None — Indicates port authentication is performed first via the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then the None option is used, and the session is permitted.
STEP 1 Click Security Suite > 802.1X > Port Authentication. The 802.1X Port Authentication Page opens:
802.1X Port Authentication Page
The 802.1X Port Authentication Page contains the following fields:
• Copy from Entry Number — Copies the port authentication configuration from the specified table entry.
• To Entry Number(s) — Assigns the copied port authentication configuration to the specified table entry.
• Reauthentication Period — Specifies the number of seconds in which the selected port is reauthenticated (Range: 300-4294967295). The field default is 3600 seconds.
• Authenticator State — Specifies the port authorization state. The possible field values are as follows:
  - ForceAuthorized — Indicates the controlled port state is set to ForceAuthorized (forward traffic).
Modifying 802.1X Security
STEP 1 Click Security Suite > 802.1X > Port Authentication. The 802.1X Properties Page opens:
STEP 2 Click the Edit button. The Port Authentication Settings Page opens:
Port Authentication Settings Page
The Port Authentication Settings Page contains the following fields:
• Port — Indicates the port on which port-based authentication is enabled.
• User Name — Displays the user name.
  - ForceUnauthorized — Denies the selected interface system access by moving the interface into unauthorized state. The device cannot provide authentication services to the client through the interface.
• Enable Guest VLAN — Specifies whether the Guest VLAN is enabled on the device. The possible field values are:
  - Checked — Enables using a Guest VLAN for unauthorized ports.
  - Force-Authorized — Indicates the controlled port state is set to ForceAuthorized (forward traffic).
  - Force-Unauthorized — Indicates the controlled port state is set to ForceUnauthorized (discard traffic).
• Quiet Period — Specifies the number of seconds that the switch remains in the quiet state following a failed authentication exchange (Range: 0-65535).
STEP 1 Click Security Suite > 802.1X > Authentication. The 802.1X Authentication Page opens:
802.1X Authentication Page
The 802.1X Authentication Page contains the following fields:
• Unit Number — Displays the stacking member for which the Multiple Hosts configuration is displayed.
• Port — Displays the port number for which the Multiple Hosts configuration is displayed.
• Host Authentication — Defines the Host Authentication mode.
  - Forward — Forwards the packet.
  - Discard — Discards the packets. This is the default value.
  - Shutdown — Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is reset.
• Traps — Indicates if traps are enabled for Multiple Hosts. The possible field values are:
  - Enable — Indicates that traps are enabled for Multiple hosts.
  - Disable — Indicates that traps are disabled for Multiple hosts.
Edit Authentication Page
The Edit Authentication Page contains the following fields:
• Port — Displays the port number for which advanced port-based authentication is enabled.
• Host Authentication — Defines the Host Authentication mode. The possible field values are:
  - Single — Only the authorized host can access the port.
  - Multiple Host — Multiple hosts can be attached to a single 802.1x-enabled port.
• Trap Frequency — Defines the time period by which traps are sent to the host. The Trap Frequency (1-1000000) field can be defined only if multiple hosts are disabled. The default is 10 seconds.
STEP 3 Modify the relevant fields.
STEP 4 Click Apply. The settings are defined, and the device is updated.
Defining Authenticated Hosts
The Authenticated Hosts Page contains a list of authenticated users.
STEP 1 Click Security Suite > 802.
Configuring Device Security: Defining Access Control
• Authentication Method — Displays the method by which the last session was authenticated. The possible field values are:
  - Remote — Indicates the 802.1x authentication is not used on this port (port is forced-authorized).
  - None — Indicates the supplicant was not authenticated.
  - RADIUS — Indicates the supplicant was authenticated by a RADIUS server.
• MAC Address — Displays the supplicant MAC address.
STEP 2 Modify the relevant fields.
To define the MAC Based ACL:
STEP 1 Click Security Suite > Access Control > MAC Based ACL. The MAC Based ACL Page opens:
MAC Based ACL Page
The MAC Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined MAC based ACLs.
• Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.
• 802.1p — Displays the packet tag value.
• 802.1p Mask — Displays the wildcard bits to be applied to the CoS.
• EtherType — Displays the Ethernet type of the packet.
• Action — Indicates the ACL forwarding action. For example, the port can be shut down, a trap can be sent to the network administrator, or the packet is assigned rate limiting restrictions for forwarding.
• New Rule Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.
• Source MAC Address:
  - MAC Address — Matches the source MAC address from which packets are addressed to the ACE.
  - Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address.
  - Permit — Forwards packets which meet the ACL criteria.
  - Deny — Drops packets which meet the ACL criteria.
  - Shutdown — Drops packets that meet the ACL criteria, and disables the port to which the packet was addressed.
STEP 5 Define the relevant fields.
STEP 6 Click Apply. The MAC Based ACL is defined, and the device is updated.
Adding Rule to MAC Based ACL
STEP 1 Select an existing ACL.
STEP 2 Click the Add Rule button.
  - MAC Address — Matches the source MAC address from which packets are addressed to the ACE.
  - Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The ACL Rule is defined, and the device is updated.
Modifying MAC Based ACL
STEP 1 Click Security Suite > Access Control > MAC Based ACL. The MAC Based ACL Page opens.
STEP 2 Click the Edit button. The Rule Settings Page opens:
Rule Settings Page
The Rule Settings Page contains the following fields:
• ACL Name — Displays the user-defined MAC based ACLs.
are important. For example, if the source MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
• Destination MAC Address:
  - MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.
  - Wildcard Mask — Indicates the destination MAC Address wildcard mask.
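The wildcard-mask semantics above (an ff octet is ignored, a 00 octet is checked) combined with first-match ACE priority can be written out as follows. This is an added example, not code from this guide or from the device: it uses the guide's own address and mask, treats unmatched packets as dropped as stated in the ACL Binding section of this chapter, and assumes the lowest priority number is evaluated first; the other addresses and the ACL itself are constructed.

```python
from dataclasses import dataclass

ANY = "ff:ff:ff:ff:ff:ff"     # wildcard mask: no octet is important
EXACT = "00:00:00:00:00:00"   # wildcard mask: all octets are important


def mac_to_int(mac):
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int.from_bytes(bytes(int(o, 16) for o in octets), "big")


def masked_equal(rule_addr, wildcard, pkt_addr):
    """Compare only the bits that the wildcard mask leaves as 0."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return ((mac_to_int(rule_addr) ^ mac_to_int(pkt_addr)) & care) == 0


@dataclass(frozen=True)
class Ace:
    priority: int             # assumption: lowest number is evaluated first
    src: str
    src_wildcard: str
    action: str               # "permit", "deny" or "shutdown"
    dst: str = "00:00:00:00:00:00"
    dst_wildcard: str = ANY   # by default the destination is not checked

    def matches(self, pkt_src, pkt_dst):
        return (masked_equal(self.src, self.src_wildcard, pkt_src)
                and masked_equal(self.dst, self.dst_wildcard, pkt_dst))


def evaluate(acl, pkt_src, pkt_dst):
    """Return (action, priority of the matching ACE); priority is None when
    the packet fell through to the default rule (drop unmatched packets)."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.matches(pkt_src, pkt_dst):
            return ace.action, ace.priority
    return "deny", None


# Constructed ACL. ACE 10 uses the address and mask from the guide's example:
# only the 1st, 3rd and 5th octets (09, 07, B2) are compared.
ACL = [
    Ace(5, "09:00:07:00:b2:01", EXACT, "deny"),
    Ace(10, "09:00:07:A9:B2:EB", "00:ff:00:ff:00:ff", "permit"),
    Ace(20, "00:00:00:00:00:00", ANY, "shutdown",
        dst="02:00:00:00:00:99", dst_wildcard=EXACT),
]

if __name__ == "__main__":
    for src in ("09:11:07:22:b2:33", "09:00:07:00:b2:01", "09:00:08:a9:b2:eb"):
        print(src, evaluate(ACL, src, "02:00:00:00:00:01"))
```

The second sample source also satisfies ACE 10, but ACE 5 is reached first, which is why a specific deny has to carry a lower priority number than the broad permit it is meant to override.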
Defining IP Based ACL
The IP Based ACL Page contains information for defining IP Based ACLs, including defining the ACEs defined for IP Based ACLs.
To define an IP based ACL:
STEP 1 Click Security Suite > Access Control > IP Based ACL. The IP Based ACL Page opens:
IP Based ACL Page
The IP Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
  - IP — Internet Protocol (IP). Specifies the format of packets and their addressing method. IP addresses packets and forwards the packets to the correct port.
  - TCP — Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees packets are transmitted and received in the order they are sent.
  - EGP — Exterior Gateway Protocol (EGP).
  - IPV6:ICMP — Matches packets to the IPv6 and Internet Control Message Protocol.
  - EIGRP — Enhanced Interior Gateway Routing Protocol (EIGRP). Provides fast convergence, support for variable-length subnet mask, and supports multiple network layer protocols.
  - IP Address — Displays the source port IP address to which packets are addressed to the ACE.
  - Wildcard Mask — Displays the source IP address wildcard mask. Wildcard masks specify which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important. For example, if the source IP address is 149.36.184.198 and the wildcard mask is 255.36.
Add IP Based ACL Page
The Add IP Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
• New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.
• ICMP — Filters packets by ICMP message type. The possible field values are 0-255.
• ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.
• IGMP Type — Filters packets by IGMP message or message types.
• Source IP Address — Matches the source port IP address from which packets are addressed to the ACE.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The IP Based ACL is defined, and the device is updated.
Modifying IP Based ACL
STEP 1 Click Security Suite > Access Control > IP Based ACL. The IP Based ACL Page opens.
STEP 2 Click the Edit button. The Edit IP Based ACL Page opens:
Edit IP Based ACL Page
The Edit IP Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IPv6 based ACLs.
• Destination Port — Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17-UDP are selected in the Select from List dropdown menu. The possible field range is 0 - 65535.
• TCP Flags — Filters packets by TCP flag. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security.
• Action — Indicates the action assigned to the packet matching the ACL. Packets are forwarded or dropped. In addition, the port can be shut down, a trap can be sent to the network administrator, or the packet is assigned rate limiting restrictions for forwarding. The options are as follows:
  - Permit — Forwards packets which meet the ACL criteria.
  - Deny — Drops packets which meet the ACL criteria.
Rules Associated with IP-ACL Page
The Rules Associated with IP-ACL Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
• New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol.
• Source Port — Defines the TCP/UDP source port to which the ACE is matched.
• Source IP Address — Matches the source port IP address to which packets are addressed to the ACE.
• Dest. IP Address — Matches the destination port IP address to which packets are addressed to the ACE.
• Traffic Class — Indicates the traffic class to which the packet is matched. Select either Match DSCP or Match IP Precedence.
  - Match DSCP — Matches the packet to the DSCP tag value.
Add IP Based Rule Page
The Add IP Based Rule Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
• New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.
• IGMP — Filters packets by IGMP message or message types.
• Source IP Address — Matches the source port IP address to which packets are addressed to the ACE.
• Dest. IP Address — Matches the destination port IP address to which packets are addressed to the ACE.
• Traffic Class — Indicates the traffic class to which the packet is matched. Select either Match DSCP or Match IP:
  - Match DSCP — Matches the packet to the DSCP tag value.
STEP 1 Click Security Suite > Access Control > IPv6 Based ACL. The IPv6 Based ACL Page opens:
IPv6 Based ACL Page
The IPv6 Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
• Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol.
  - TCP — Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees packets are transmitted and received in the order they are sent.
  - EGP — Exterior Gateway Protocol (EGP). Permits exchanging routing information between two neighboring gateway hosts in an autonomous systems network.
  - IGP — Interior Gateway Protocol (IGP).
  - EIGRP — Enhanced Interior Gateway Routing Protocol (EIGRP). Provides fast convergence, support for variable-length subnet mask, and supports multiple network layer protocols.
  - OSPF — The Open Shortest Path First (OSPF) protocol is a link-state, hierarchical Interior Gateway Protocol (IGP) for network routing. Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).
• Destination
  - IP Address — Matches the destination port IP address to which packets are addressed to the ACE.
  - Prefix Length — Defines the IP route prefix for the destination IP. The prefix length must be preceded by a forward slash /.
• DSCP — Matches the packet DSCP value.
• IP-Prec. — Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs.
Add IPv6 Based ACL Page
The Add IPv6 Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IP based ACLs.
• New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.
• Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.
• ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.
• Source
  - IP Address — Matches the source port IP address from which packets are addressed to the ACE.
  - Prefix Length — Matches the IP route prefix for the destination IP. The prefix length must be preceded by a forward slash /.
Modifying IPv6 Based ACL
STEP 1 Click Security Suite > Access Control > IPv6 Based ACL. The Edit IPv6 Based ACL Page opens.
STEP 2 Click the Edit button. The Edit IP Based ACL Page opens:
Edit IPv6 Based ACL Page
The Edit IPv6 Based ACL Page contains the following fields:
• ACL Name — Displays the user-defined IPv6 based ACLs.
• TCP Flags — Filters packets by TCP flag. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security. The possible field values are:
• ICMP — Indicates if ICMP packets are permitted on the network. The possible field values are as follows:
• ICMP Code — Indicates an ICMP message code for filtering ICMP packets.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The IP Based ACL is modified, and the device is updated.
Defining ACL Binding
When an ACL is bound to an interface, all the ACE rules that have been defined are applied to the selected interface. Whenever an ACL is assigned on a port or a LAG, flows from that ingress interface that do not match the ACL are matched to the default rule, which is Drop unmatched packets.
For each entry, an interface has a bound ACL.
• Interface — Indicates the interface to which the associated ACL is bound.
• ACL Name — Indicates the ACL which is bound to the associated interface.
• Type — Indicates the ACL type which is bound to the interface.
STEP 2 Modify the relevant fields.
STEP 3 Click Apply. The settings are defined, and the device is updated.
STEP 4 Click Apply. The ACL binding is defined, and the device is updated.
Defining DoS Prevention
Denial of Service (DoS) prevention increases network security by preventing packets with invalid IP addresses from entering the network. DoS prevention eliminates packets from malicious networks which can compromise a network’s stability. The device provides a Security Suite that allows administrators to match, discard, and redirect packets based on packet header values.
STEP 1 Click Security Suite > DoS Prevention > Global Settings. The Global Settings Page opens:
Global Settings Page
The Global Settings Page contains the following fields:
• Security Suite Status — Indicates if DoS security is enabled on the device. The possible field values are:
  - Enabled — Enables DoS security.
  - Disabled — Disables DoS security on the device. This is the default value.
STEP 3 Click Apply. The DoS prevention global settings are defined, and the device is updated.
Defining Martian Addresses
Martian Address Filtering enables discarding IP packets from invalid IP addresses. Martian addresses include source IP addresses that are outside, or not used within, the configured network. Martian addresses include any address within the following ranges:
• 0.0.0.0/8 (Except 0.0.0.
STEP 1 Click Security Suite > DoS Prevention > Martian Addresses. The Martian Addresses Page opens:
Martian Addresses Page
The Martian Addresses Page contains the following fields:
• Include Reserved Martian Addresses — Indicates that packets arriving from Martian addresses are dropped. Enabled is the default value. When enabled, the following IP addresses are included:
  - 0.0.0.0/8 (except 0.0.0.0/32), 127.0.0.0/8
  - 192.0.2.0/24, 224.0.0.
Configuring Device Security: Defining DHCP Snooping
Add Martian Addresses Page
The Add Martian Addresses Page contains the following fields:
• Supported IP Format — Indicates only IPv4 is supported.
• IP Address — Enter the Martian IP addresses for which DoS attack is enabled. The possible values are:
  - One of the addresses in the Martian IP address list.
  - New IP Address — Enter an IP Address that is not on the list.
• Mask — Enter the Mask for which DoS attack is enabled.
• Defining DHCP Snooping Properties
• Defining DHCP Snooping on VLANs
• Defining Trusted Interfaces
• Binding Addresses to the DHCP Snooping Database
• Defining IP Source Guard
Defining DHCP Snooping Properties
The DHCP Snooping Properties Page contains parameters for enabling DHCP Snooping on the device.
To define the DHCP Snooping general properties:
STEP 1 Click Security Suite > DHCP Snooping > Properties.
  - Unchecked — Disables DHCP Snooping on the device. This is the default value.
• Option 82 Passthrough — Indicates if the device forwards or rejects packets that include Option 82 information, while DHCP Snooping is enabled.
  - Checked — Device forwards packets containing Option 82 information.
  - Unchecked — Device rejects packets containing Option 82 information.
• Verify MAC Address — Indicates if the MAC address is verified.
To define DHCP Snooping on VLANs:
STEP 1 Click Security Suite > DHCP Snooping > VLAN Settings. The DHCP Snooping VLAN Settings Page opens:
DHCP Snooping VLAN Settings Page
The DHCP Snooping VLAN Settings Page contains the following fields:
• VLAN ID — Indicates the VLAN to be added to the Enabled VLAN list.
• Enabled VLANs — Contains a list of VLANs for which DHCP Snooping is enabled.
STEP 2 Modify the relevant fields.
STEP 3 Click Apply.
STEP 1 Click Security Suite > DHCP Snooping > Trusted Interfaces. The Trusted Interfaces Page opens:
Trusted Interfaces Page
The Trusted Interfaces Page contains the following fields:
• Ports of Unit — Displays the ports which can be defined as trusted.
• LAGs — Displays the LAGs which can be defined as trusted.
Trusted Interface Table
• Interface — Contains a list of existing interfaces.
Edit Trusted Interface Page
In addition to the Trusted Interfaces Page, the Edit Trusted Interface Page contains the following field:
• Interface — Contains a list of existing interfaces.
• Trust Status — Indicates whether the interface is a Trusted Interface.
  - Enable — Interface is in trusted mode.
  - Disable — Interface is in untrusted mode.
STEP 4 Define the fields.
STEP 5 Click Apply.
STEP 1 Click Security Suite > DHCP Snooping > Binding Database. The Binding Database Page opens:
Binding Database Page
The Binding Database Page contains the following fields:
• Supported IP Format — Indicates only IPv4 is supported.
STEP 2 Define any of the following fields as a query filter:
Query By
• MAC Address — Indicates the MAC addresses recorded in the DHCP Database. The Database can be queried by MAC address.
  - LAG — Queries the VLAN database by LAG number.
STEP 3 Click Query. The results appear in the Query Results table.
Query Results
The Query Results table contains the following fields:
• MAC Address — Indicates the MAC address found during the query.
• VLAN ID — Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database.
• IP Address — Indicates the IP address found during the query.
Defining IP Source Guard
IP Source Guard is a security feature that restricts the client IP traffic to those source IP addresses configured in the DHCP Snooping Binding Database and in manually configured IP source bindings. For example, IP Source Guard can help prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
STEP 1 Click Security Suite > DHCP Snooping > IP Source Guard > Properties. The IP Source Guard Properties Page opens:
IP Source Guard Properties Page
The IP Source Guard Properties Page contains the following fields:
• IP Source Guard Status — Enables the use of IP Source Guard status on the device.
  - Enable — Indicates that IP Source Guard is enabled for the device.
  - Disable — Indicates that IP Source Guard is disabled for the device.
• IPv4 traffic — Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.
• Non IPv4 traffic — All non-IPv4 traffic is permitted.
NOTE: IP Source Guard must be enabled globally in the IP Source Guard Properties Page before it can be enabled on the device interfaces. If a port is trusted, filtering of static IP addresses can be configured, although IP Source Guard is not active in that condition.
• Status — Indicates if IP Source Guard is enabled or disabled.
  - Enabled — Indicates that IP Source Guard is enabled on the interface.
  - Disabled — Indicates that IP Source Guard is disabled on the interface. This is the default value.
STEP 2 Click Edit. The Edit Interface Settings Page opens:
Edit Interface Settings Page
STEP 3 Modify the fields.
STEP 4 Click Apply.
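The filter rules described above (global status, per-interface status, trusted ports, IPv4 versus non-IPv4 traffic), modelled as an added example that is not part of the Cisco guide or the switch software. The interface names, addresses and the `SourceGuardModel` class are constructed for illustration, and matching on interface plus source IP only is an assumption based on the wording above.

```python
"""Model of the IP Source Guard filter decision (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


@dataclass(frozen=True)
class Binding:
    """One binding row: learned by DHCP Snooping or configured manually."""
    mac: str
    vlan: int
    ip: IPv4Address
    interface: str


@dataclass
class Port:
    trusted: bool = False        # DHCP Snooping trust status of the interface
    source_guard: bool = False   # per-interface status; Disabled is the default


class SourceGuardModel:
    def __init__(self, global_enabled, ports, bindings):
        self.global_enabled = global_enabled
        self.ports = ports
        # Source IPs permitted per interface, built from the binding rows.
        self.allowed = {}
        for row in bindings:
            self.allowed.setdefault(row.interface, set()).add(row.ip)

    def active_on(self, interface):
        """Filtering needs the global status, the port status and an untrusted port."""
        port = self.ports[interface]
        return self.global_enabled and port.source_guard and not port.trusted

    def check(self, interface, ethertype, src_ip=None):
        """Return (permitted, reason) for one ingress frame."""
        if not self.active_on(interface):
            return True, "IP Source Guard not active on this port"
        if ethertype != ETHERTYPE_IPV4:
            return True, "non-IPv4 traffic is permitted"
        bound = self.allowed.get(interface, set())
        if src_ip is not None and IPv4Address(src_ip) in bound:
            return True, "source IP is bound to this port"
        return False, "source IP is not bound to this port"

    def ineffective_ports(self):
        """Ports whose per-interface status is Enabled although nothing is filtered."""
        findings = {}
        for name in sorted(self.ports):
            port = self.ports[name]
            if not port.source_guard:
                continue
            if not self.global_enabled:
                findings[name] = "global IP Source Guard status is Disable"
            elif port.trusted:
                findings[name] = "port is trusted"
        return findings


def build_demo(global_enabled=True):
    """Constructed switch state: two access ports and one trusted uplink."""
    ports = {
        "e1": Port(trusted=False, source_guard=True),
        "e2": Port(trusted=False, source_guard=True),
        "e24": Port(trusted=True, source_guard=True),   # uplink, trusted
    }
    bindings = [
        Binding("00:00:5e:00:53:01", 10, IPv4Address("192.0.2.10"), "e1"),
        Binding("00:00:5e:00:53:02", 10, IPv4Address("192.0.2.20"), "e2"),
    ]
    return SourceGuardModel(global_enabled, ports, bindings)


if __name__ == "__main__":
    model = build_demo()
    frames = [
        ("e1", ETHERTYPE_IPV4, "192.0.2.10"),     # host uses its own address
        ("e1", ETHERTYPE_IPV4, "192.0.2.20"),     # host uses its neighbor's address
        ("e1", ETHERTYPE_IPV6, None),             # not IPv4, so not filtered
        ("e24", ETHERTYPE_IPV4, "198.51.100.7"),  # trusted port, not filtered
    ]
    for frame in frames:
        print(frame, "->", model.check(*frame))
    print("enabled but ineffective:", model.ineffective_ports())
```

The `ineffective_ports` check is the part worth running against a real configuration export: a port can show Enabled in the interface table while the global status or the trust setting leaves it unfiltered.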
STEP 1 Click Security Suite > DHCP Snooping > IP Source Guard > Binding Database. The IP Source Guard Binding Database Page opens:
IP Source Guard Binding Database Page
The IP Source Guard Binding Database Page contains the following fields:
TCAM Resources
• Supported IP Format — Indicates the IP Address format. The possible values are Version 6 or Version 4.
• MAC Address — Queries the database by MAC address.
• IP Address — Queries the database by IP address.
• VLAN — Queries the database by VLAN ID.
• Interface — Queries the database by interface number. The possible field values are:
  - Unit No. and Port — Queries the database by a specific stacking member and port number.
  - LAG — Queries the VLAN database by LAG number.
STEP 3 Click Query. The results appear in the Query Results table.
Resource Problem — Indicates that the TCAM is full.
STEP 4 Click Apply. The device is updated.
Defining Dynamic ARP Inspection
Dynamic Address Resolution Protocol (ARP) is a TCP/IP protocol for translating IP addresses into MAC addresses. Classic ARP does the following:
• Permits two hosts on the same network to communicate and send packets.
• Permits two hosts on different networks to communicate via a gateway.
NOTE: ARP inspection is performed only on untrusted interfaces.
STEP 1 Click Security Suite > ARP Inspection > Properties. The ARP Inspection Properties Page opens:
ARP Inspection Properties Page
The ARP Inspection Properties Page contains the following fields:
• Enable ARP Inspection — Enables ARP Inspection on the device. The possible field values are:
  - Checked — Enables ARP Inspection on the device.
  - Unchecked — Disables ARP Inspection on the device. This is the default value.
  - Unchecked — Disables ARP Inspection Validation on the device. This is the default value.
• Log Buffer Interval — Defines the minimal interval between successive Syslog messages. The possible field values are:
  - Retry Frequency — Frequency at which the log is updated. The possible range is 0-86400 seconds. 0 seconds specifies immediate transmission of Syslog messages. The default value is 5 seconds.
  - Never — Log is never updated.
STEP 1 Click Security Suite > ARP Inspection > Trusted Interfaces. The ARP Inspection Trusted Interfaces Page opens:
ARP Inspection Trusted Interfaces Page
The ARP Inspection Trusted Interfaces Page contains the following fields:
• Ports of Unit — Specifies the port and stacking member for which the Trusted Interface settings are displayed.
• LAGs — Specifies the LAG for which the Trusted Interface settings are displayed.
Edit Interface Settings Page
STEP 3 Define the fields.
STEP 4 Click Apply. The Trusted Interface’s configuration is modified, and the device is updated.
Defining ARP Inspection List
The ARP Inspection List Page provides information for creating static ARP Binding Lists. ARP Binding Lists contain the List Name, IP address and MAC address which are validated against ARP requests and replies.
STEP 1 Click Security Suite > ARP Inspection > ARP Inspection List. The ARP Inspection List Page opens:
ARP Inspection List Page
The ARP Inspection List Page contains the following fields:
• ARP Inspection List Name — Name of the Inspection List.
  - Select List — Contains a list of existing user-defined ARP Inspection Lists.
  - Add — Defines a new ARP Inspection List. The list’s name can contain up to 32 characters.
Add ARP List Page
In addition to the fields in the ARP Inspection List Page, the Add ARP List Page contains the following additional field:
• List Name — Specifies a name for the new ARP list.
STEP 3 Define the fields.
STEP 4 Click Apply. The new ARP Inspection List is added, and the device is updated.
Assigning ARP Inspection VLAN Settings
The ARP Inspection VLAN Settings Page contains fields for enabling ARP Inspection on VLANs.
STEP 1 Click Security Suite > ARP Inspection > VLAN Settings. The ARP Inspection VLAN Settings Page opens:
ARP Inspection VLAN Settings Page
The ARP Inspection VLAN Settings Page contains the following fields:
• VLAN ID — A user-defined VLAN ID to add to the Enabled VLANs list.
• Enabled VLANs — Contains a list of VLANs in which ARP Inspection is enabled.
Add VLAN Settings Page
The Add VLAN Settings Page contains the following fields:
• Bind List Name — Select a static ARP Inspection List to assign to the VLAN. These lists are defined in the ARP Inspection List Page.
• To VLAN — Select the VLAN which includes the specified ARP Inspection List.
STEP 3 Define the fields.
STEP 4 Click Apply. The VLAN Settings are modified, and the device is updated.
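How the ARP Inspection settings above interact (global enable, enabled VLANs, the list bound to a VLAN, trusted interfaces and the Log Buffer Interval), as an added example that is not taken from the Cisco guide or the switch software. Only the static ARP Inspection List is modelled; dropping a packet whose IP and MAC pair is not in the bound list, and all names and addresses used, are assumptions made for illustration.

```python
"""Model of static-list ARP inspection with Syslog rate limiting (added example)."""
from dataclasses import dataclass, field


@dataclass
class ArpInspector:
    enabled: bool            # Enable ARP Inspection (unchecked by default)
    enabled_vlans: set       # VLANs in which ARP Inspection is enabled
    vlan_list: dict          # VLAN ID -> name of the bound ARP Inspection List
    lists: dict              # list name -> set of (ip, mac) pairs
    trusted: set             # trusted interfaces; these are not inspected
    log_interval: object = 5  # seconds; 0 = immediate; None models "Never"
    _last_log: object = field(default=None, init=False)
    suppressed: int = field(default=0, init=False)  # drops with no Syslog message

    def inspect(self, now, interface, vlan, sender_ip, sender_mac):
        """Return (verdict, syslog_sent) for one ARP request or reply."""
        if not self.enabled or vlan not in self.enabled_vlans:
            return "forward-uninspected", False
        if interface in self.trusted:
            return "forward-uninspected", False
        pairs = self.lists.get(self.vlan_list.get(vlan), set())
        if (sender_ip, sender_mac.lower()) in pairs:
            return "forward", False
        # Assumption: a pair missing from the bound list is dropped and logged.
        return "drop", self._log(now)

    def _log(self, now):
        """Apply the minimal interval between successive Syslog messages."""
        if self.log_interval is None:
            self.suppressed += 1
            return False
        if self._last_log is not None and now - self._last_log < self.log_interval:
            self.suppressed += 1
            return False
        self._last_log = now
        return True


# Constructed ARP traffic: (time in seconds, interface, VLAN, sender IP, sender MAC).
PACKETS = [
    (0, "e1", 10, "192.0.2.1", "00:00:5E:00:53:FE"),   # matches the bound list
    (1, "e2", 10, "192.0.2.1", "00:00:5e:00:53:66"),   # listed IP, different MAC
    (2, "e2", 10, "192.0.2.1", "00:00:5e:00:53:66"),   # repeat inside the interval
    (7, "e2", 10, "192.0.2.1", "00:00:5e:00:53:66"),   # repeat after the interval
    (8, "e24", 10, "192.0.2.1", "00:00:5e:00:53:66"),  # arrives on a trusted port
    (9, "e2", 20, "192.0.2.1", "00:00:5e:00:53:66"),   # VLAN 20 is not enabled
]


def build_demo(log_interval=5):
    """Constructed state: VLAN 10 inspected against the list named 'servers'."""
    lists = {"servers": {("192.0.2.1", "00:00:5e:00:53:fe")}}
    return ArpInspector(True, {10}, {10: "servers"}, lists, {"e24"}, log_interval)


def replay(inspector, packets=PACKETS):
    """Run the packets through the inspector and collect each result."""
    return [inspector.inspect(*packet) for packet in packets]


if __name__ == "__main__":
    for interval in (5, 0, None):
        inspector = build_demo(interval)
        print("interval", interval, replay(inspector), "suppressed", inspector.suppressed)
```

With the default interval of 5 seconds, one of the three drops produces no Syslog message, and with Never none of them do, so Syslog counts are a lower bound on dropped ARP packets.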
Chapter 5: Configuring Ports
This section contains information for configuring ports and contains the following topics:
• Configuring Ports Settings for Layer 2 Enabled Devices
• Configuring Ports Settings for Layer 3 Enabled Devices
Configuring Ports Settings for Layer 2 Enabled Devices
The Port Settings Page varies, depending on whether the device is in Layer 2 or Layer 3 mode (definable on the device through the CLI interface).
STEP 1 Click Bridging > Port Management > Port Settings. The Port Settings Page opens:
Port Settings Page
The Port Settings Page contains the following fields:
• Copy From Entry Number — Copies the port configuration from the specified table entry.
• To Entry Number(s) — Assigns the copied port configuration to the specified table entry.
• Unit Number — Indicates the stacking member for which the ports are defined.
  - Down — Port is disconnected.
• Port Speed — Displays the current port speed.
• Duplex Mode — Displays the port duplex mode. This field is configurable only when auto negotiation is disabled, and the port speed is set to 10M or 100M. This field cannot be configured on LAGs.
Edit Port Page
The Edit Port Page contains the following fields:
• Port — Displays the port number.
• Description — Specifies the port’s user-defined name.
• Port Type — Displays the port type. The possible field values are:
  - 1000M — Copper (copper cable).
  - 1000M — ComboC (combo port with copper cable 3).
  - 1000M — ComboF (combo port with optic fiber cable).
  - Fiber — Indicates the port has a fiber optic port connection.
  - Down — Indicates the port is currently not operating.
• Current Port Status — Displays the port connection status.
• Suspended Port — Reactivates a port if the port has been disabled through the locked port security option or through Access Control List configurations.
• Operational Status — Indicates whether the port is currently active or inactive.
• Admin Speed — Displays the configured rate for the port.
  - 1000 Full — Indicates that the port is advertising a 1000 Mbps speed and full Duplex mode setting.
• Current Advertisement — The port advertises its capabilities to its neighbor port to start the negotiation process. The possible field values are those specified in the Admin Advertisement field.
STEP 4 Define the relevant fields.
STEP 5 Click Apply. The Port Settings are modified, and the device is updated.
Configuring Ports Settings for Layer 3 Enabled Devices
To define port settings (Layer 3):
STEP 1 Click Bridging > Port Management > Port Settings.
• To Entry Number(s) — Assigns the copied port configuration to the specified table entry.
• Unit Number — Indicates the stacking member for which the ports are defined.
• Interface — Displays the port number.
• Port Type — Displays the port type. The possible field values are:
  - 1000M — Copper (copper cable).
  - 1000M — ComboC (combo port with copper cable 3).
  - 1000M — ComboF (combo port with optic fiber cable).
  - Fiber — Indicates the port has a fiber optic port connection.
Modifying Port Settings
STEP 1 Click Bridging > Port Management > Port Settings. The Port Settings Page opens:
STEP 2 Define the Unit number.
STEP 3 Click a specific entry’s Edit button. The Edit Port Page opens:
Edit Port Page
The Edit Port Page contains the following fields:
• Port — Displays the port number.
• Description — Specifies the port’s user-defined name.
• Port Type — Displays the port type. The possible field values are:
  - 1000M — Copper (copper cable).
  - 1000M — ComboC (combo port with copper cable 3).
  - 1000M — ComboF (combo port with optic fiber cable).
  - Fiber — Indicates the port has a fiber optic port connection.
• Admin Status — Enables or disables traffic forwarding through the port.
• Current Port Status — Displays the port connection status.
• Reactivate Suspended Port — Reactivates a port if the port has been disabled through the locked port security option or through Access Control List configurations.
  - 10 Full — Indicates that the port is advertising a 10 Mbps speed and full Duplex mode setting.
  - 100 Half — Indicates that the port is advertising a 100 Mbps speed and half Duplex mode setting.
  - 100 Full — Indicates that the port is advertising a 100 Mbps speed and full Duplex mode setting.
  - 1000 Full — Indicates that the port is advertising a 1000 Mbps speed and full Duplex mode setting.
• Current Advertisement — Displays the current advertisement status.
  - MDI — Use for end stations.
• Current MDI/MDIX — Displays the current MDI/MDIX setting.
• LAG — Defines if the port is part of a Link Aggregation (LAG).
STEP 4 Define the relevant fields.
STEP 5 Click Apply. The Port Settings are modified, and the device is updated.
Chapter 6: Configuring VLANs
A VLAN is a logical group that allows devices connected to the VLAN to communicate with each other at the Ethernet MAC layer, regardless of the physical LAN segment of the bridged network to which they are attached. A physical bridged network can support a maximum of 4094 VLANs. Each VLAN is configured with a unique VID (VLAN ID) of value 1 to 4094. VLAN packets are distinguished with a 4 byte VLAN tag.
• Defining GVRP Settings
• Defining Multicast TV VLAN
• Defining CPE VLAN Mapping
• Defining Protocol Groups
• Defining a Protocol Port
Defining VLAN Properties
The VLAN Properties Page provides information and global parameters for configuring and working with VLANs. To define VLAN properties:
STEP 1 Click Bridging > VLAN Management > Properties.
• Type — Displays the VLAN type. The possible field values are:
  - Dynamic — Indicates the VLAN was dynamically created through GVRP.
  - Static — Indicates the VLAN is user-defined.
  - Default — Indicates the VLAN is the default VLAN.
• Authentication — Indicates whether unauthorized users can access a VLAN. The possible field values are:
  - Enabled — Prevents unauthorized users from using the VLAN.
  - Disabled — Allows unauthorized users to use the VLAN.
STEP 4 Click Apply. The VLAN settings are defined, and the device is updated.
Modifying VLANs
STEP 1 Click Bridging > VLAN Management > Properties. The VLAN Properties Page opens.
STEP 2 Click Edit. The Edit VLAN Page opens:
Edit VLAN Page
The Edit VLAN Page contains information for enabling VLAN guest authentication, and includes the following fields:
• VLAN ID — Displays the VLAN ID.
• VLAN Name — Defines the VLAN name.
• Unit Number — Displays the stacking member for which the VLAN parameters are displayed.
• Port List — Available ports on the device. Select ports from this list to include in the VLAN.
• VLAN Members — Ports included in the VLAN.
STEP 3 Define the relevant fields.
STEP 4 In the Port List, select the ports to include in the VLAN and click the adjacent right arrow. The selected ports then appear in the VLAN Members list.
STEP 5 Click Apply.
STEP 1 Click Bridging > VLAN Management > Port to VLAN. The Port to VLAN Page opens:
Port to VLAN Page
The Port to VLAN Page contains the following fields:
• VLAN ID — Selects the VLAN ID.
• VLAN Name — Displays the VLAN name.
• VLAN Type — Indicates the VLAN type. The possible field values are:
  - Dynamic — Indicates the VLAN was dynamically created through GVRP.
  - Static — Indicates the VLAN is user-defined.
• Interface Status — Indicates the interface’s membership status in the VLAN. The possible field values are:
  - Untagged — Indicates the interface is an untagged VLAN member. Packets forwarded by the interface are untagged.
  - Tagged — Indicates the interface is a tagged member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information.
  - Exclude — Excludes the interface from the VLAN.
  - Tagged — Indicates the interface is a tagged member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information.
  - Exclude — Excludes the interface from the VLAN. However, the interface can be added to the VLAN through GARP.
  - Forbidden — Denies the interface VLAN membership, even if GARP indicates the port is to be added.
STEP 3 Define the relevant fields.
STEP 4 Click Apply.
STEP 1 Click VLAN Management > VLAN to Port. The VLAN To Port Page opens:
VLAN To Port Page
The VLAN To Port Page contains the following fields:
• Unit No. — Indicates that ports on the specified stacking member
• Port — Displays the port number.
• Mode — Indicates the port mode. The possible values are:
  - General — The port can be tagged and untagged with members of one or more VLANs (full 802.1Q mode).
6 Configuring VLANs Assigning Ports to Multiple VLANs - Customer — The port can be a member of one or more double tagged Multicast TV VLAN. Refer to "Define Customer VLAN using Q-in-Q" for details. • STEP 2 STEP 3 Join VLAN — Defines the VLANs to which the interface is joined. Pressing the Join VLAN button displays the Join VLAN to Port Screen. Select the VLAN to which to add the port, select the VLANs to be tagged or untagged and click Add.
Defining GVRP Settings
GARP VLAN Registration Protocol (GVRP) is specifically provided for automatic distribution of VLAN membership information among VLAN-aware bridges. GVRP allows VLAN-aware bridges to automatically learn the mapping of VLANs to bridge ports, without having to individually configure each bridge and register VLAN membership. The Global System LAG information displays the same field information as the ports, but represents the LAG GVRP information.
• Copy From Entry Number — Copies GVRP parameters from the specified table entry.
• To Entry Number(s) — Assigns the copied GVRP parameters to the specified table entry.
• Ports of Unit — Indicates the port number and stacking member for which GVRP parameters are displayed.
• LAGs — Indicates the LAG number for which GVRP parameters are displayed.
• Interface — Interface described by the GVRP settings entry.
Edit GVRP Page
The Edit GVRP Page contains the following fields:
• Interface — Port or LAG described by the GVRP settings entry.
• GVRP State — Indicates if GVRP is enabled on the interface. The possible field values are:
  - Enable — Enables GVRP on the selected interface.
  - Disable — Disables GVRP on the selected interface.
• Dynamic VLAN Creation — Indicates if Dynamic VLAN creation is enabled on the interface.
Defining VLAN Interface Settings
The VLAN Interface Setting Page provides parameters for managing ports that are part of a VLAN. The port default VLAN ID (PVID) is configured on the VLAN Port Settings page. All untagged packets arriving at the device are tagged with the port’s PVID. The page varies, depending on whether the device is in Layer 2 or Layer 3 mode (definable on the device through the CLI interface).
• To Entry Number(s) — Assigns the copied VLAN configuration to the specified table entry.
• Ports of Unit — Indicates that ports on the specified stacking member are described in the page.
• LAGs — Indicates that LAGs are described in the page.
• Interface — The port number included in the VLAN.
• Interface VLAN Mode — Indicates the port mode.
  - Disable — Ingress filtering is not activated on the port.
• Multicast TV VLAN — Indicates if a Multicast TV VLAN is enabled on the device. Multicast TV VLANs enable VLANs to receive Multicast TV transmissions from ports that are not Access ports. The possible values are:
  - Enable — Multicast TV VLAN is activated on the port.
  - Disable — Multicast TV VLAN is not activated on the port.
Modifying VLAN Interface Settings
STEP 2 Click the Edit button.
  - Customer — The port can be a member of one or more double tagged Multicast TV VLAN. Refer to "Define Customer VLAN using Q-in-Q" for details.
• PVID — Assigns a VLAN ID to untagged packets. The possible values for General, Access, and Trunk Interface VLAN Mode are:
  - SGE devices — 1-4094 and 4095
  - SFE devices — 1-4093 and 4095
  Packets classified to the Discard VLAN are dropped.
• Frame Type — Packet type accepted on the port.
Defining Customer VLANs Using QinQ
QinQ, also known as Double Tagging, allows network managers to add an additional tag to previously tagged packets received from ports that are in Customer Interface VLAN mode, therefore creating more VLAN space and expanding service to VLAN users. The additional tag is inserted into packets received from the customer ports before the packets are transmitted into Multicast TV VLAN through the service provider network.
Defining Multicast TV VLAN
An access port can be configured as a member of a Multicast TV VLAN. See Defining VLAN Interface Setting. This is required to supply multicast transmissions to Level 2-isolated subscribers, without replicating the multicast transmissions for each subscriber VLAN. IGMP snooping is supported for those transmissions. Any VLAN can be a Multicast-TV VLAN. A port assigned to a Multicast-TV VLAN:
• Joins the Multicast-TV VLAN.
STEP 1 Click Bridging > VLAN Management > Multicast TV VLAN. The Multicast TV VLAN Page opens:
Multicast TV VLAN Page
The Multicast TV VLAN Page contains the following fields:
• Interface — Defines the VLAN to which the ports are assigned.
• Customer Port Members — Defines the ports already assigned to the Multicast TV VLAN.
• Customer Ports — Lists the ports available for assigning to the Multicast TV VLAN.
Defining CPE VLAN Mapping
Network managers can map CPE VLANs to Multicast TV VLANs in the CPE VLAN Mapping Page. Once the CPE VLAN is mapped to the Multicast VLAN, the VLAN can participate in IGMP snooping. To map CPE VLANs:
STEP 1 Click Bridging > VLAN Management > CPE VLAN Mapping.
Add CPE VLAN Mapping Page
The Add CPE VLAN Mapping Page contains the following fields:
• CPE VLAN — Defines the CPE VLAN which is mapped to the Multicast TV VLAN.
• Multicast TV VLAN — Defines the Multicast TV VLAN which is mapped to the CPE VLAN.
STEP 3 Define the mapping.
STEP 4 Click Apply. CPE VLAN Mapping is modified, and the device is updated.
STEP 1 Click Bridging > VLAN Management > Protocol Group (Layer 2). The Protocol Group Page (Layer 2) opens:
Protocol Group Page
The Protocol Group Page contains the following fields:
• Frame Type — Displays the packet type.
• Protocol Value — Displays the User-defined protocol name.
• Group ID (Hex) — Defines the Protocol group ID to which the interface is added. Range is 1-2147483647.
STEP 2 Click the Add button.
Add Protocol Group Page
The Add Protocol Group Page provides information for configuring new VLAN protocol groups. The Add Protocol Group Page contains the following fields.
• Frame Type — Displays the packet type.
• Protocol Value — Defines the User-defined protocol value. The options are as follows:
  - Protocol Value — The possible values are IP, IPX, IPv6, or ARP.
  - Ethernet-Based Protocol Value — Specify the value in hexadecimal format.
Edit Protocol Group Page
The Edit Protocol Group Page contains the following fields.
• Frame Type — Displays the packet type.
• Protocol Value — Displays the User-defined protocol value.
• Group ID (Hex) — Defines the Protocol group ID to which the interface is added. The possible value range is 1-2147483647 in hexadecimal format.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The Protocol group is modified, and the device is updated.
6 Configuring VLANs Defining a Protocol Port STEP 1 Click Bridging > VLAN Management > Protocol Port. The Protocol Port Page opens: Protocol Port Page The Protocol Port Page contains the following fields. STEP 2 • Interface — Port or LAG number added to a protocol group. • Protocol Group ID — Protocol group ID to which the interface is added. Protocol group IDs are defined in the Protocol Group Table. • VLAN ID — Attaches the interface to a user-defined VLAN ID.
Add Protocol Port to VLAN Page
The Add Protocol Port to VLAN Page contains the following fields.
• Interface — Port or LAG number added to a protocol group.
• Group ID — Protocol group ID to which the interface is added. Protocol group IDs are defined in the Protocol Group Table.
• VLAN ID — Attaches the interface to a user-defined VLAN ID.
• VLAN Name — Attaches the interface to a user-defined VLAN Name.
STEP 3 Define the relevant fields.
Chapter 7: Configuring IP Information
This section provides information for defining device IP addresses, and includes the following topics:
• IP Addressing
• Layer 3 IP Addressing
• Domain Name System
IP Addressing
The IP Addressing section contains the topics:
• Managing IPv6
• Defining IPv4 Interface (Layer 2)
• Defining IPv4 Interface (Layer 3)
• Enabling ARP Proxy (Layer 3)
• Defining UDP Relay (Layer 3)
• Defining DHCP Relay (Layer 2)
• Defining
7 Configuring IP Information IP Addressing The main improvement IPv6 presents is address size, increasing from 32-bit to 128-bit addresses. The larger address size introduces greater flexibility in assigning IP addresses. IPv6 addresses are normally written as eight groups of four hexadecimal digits, for example FE80:0000:9C00:876A:130B. The abbreviated form is also acceptable, where a group of zeroes can be left out: FE80:9C0:876A:130B.
STEP 1 Click System > System Management > IP Addressing > IPv6 Configuration > IPv6 Interface. The IPv6 Interface Page opens:
IPv6 Interface Page
The IPv6 Interface Page contains the following fields:
• Interface — Indicates the Link Local Interface. The possible field values are:
  - VLAN — Indicates VLAN is the Link Local interface.
  - ISATAP Tunnel — Indicates an ISATAP tunnel is a Link Local interface.
• IPv6 Type — Displays the IPv6 Type.
  - Duplicate — Indicates the IPv6 address is being used by another host on the network.
  - Preferred — Indicates the DAD Status is set to active.
  - Tentative — Indicates the system is in the process of IPv6 address duplication verification.
STEP 2 Click the Add button. The Add IPv6 Address Interface Page opens:
The Add IPv6 Address Interface Page provides information for adding an IPv6 address to an interface.
STEP 3 Click the Add button. The Add IPv6 Interface Page opens:
Add IPv6 Interface Page
STEP 4 Select an IPv6 Interface and define the number of DAD Attempts.
STEP 5 Click Apply. The IPv6 Interface is added, and the device is updated.
Defining Default Gateway
The Default Gateway Page provides information for configuring default gateways for IPv6 enabled interfaces.
STEP 1 Click System > System Management > IP Addressing > IPv6 Configuration > Default Gateway. The Default Gateway Page opens:
Default Gateway Page
The Default Gateway Page contains the following fields:
• Default Gateway IP Address — Defines the Link Local IP Address of the Default Gateway.
• Interface — Specifies the outgoing interface through which the Default Gateway can be reached, which is the VLAN ID on which the IPv6 interface is defined.
7 Configuring IP Information IP Addressing STEP 2 - Reachable — Indicates that a positive confirmation was received within the last Reachable Time. - Stale — Indicates that the previously known neighbor is no longer reachable. No action is taken to verify its reachability, until traffic needs to be sent. - Delay — Indicates previously known neighbor is no longer reachable.
• Default Gateway IP Address — Defines the Static Default Gateway IP Address.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The Default Gateway is defined, and the device is updated.
Configuring ISATAP Tunnels
The Intra-Site Automatic Tunnel Access Protocol (ISATAP) enables encapsulating IPv6 packets within IPv4 packets for transmission over IPv4 networks. ISATAP is considered a single IPv6 interface.
To define an IPv6 ISATAP tunnel:
STEP 1 Click System > System Management > IP Addressing > IPv6 Configuration > ISATAP Tunnel. The ISATAP Tunnel Page opens:
ISATAP Tunnel Page
The ISATAP Tunnel Page contains the following fields:
• ISATAP Status — Enables IPv6 over IPv4 ISATAP tunneling. Once ISATAP is enabled, an ISATAP interface is created. The possible field values are:
  - Enable — Enables ISATAP tunnel on the device.
• ISATAP Solicitation Interval (10-3600) — Specifies the interval between ISATAP router solicitation messages when there is no active ISATAP router. The range is 10 - 3600 seconds. The default is 10.
  - Use Default — Selecting the check box returns settings to default.
• ISATAP Robustness (10-20) — Specifies the number of DNS Query/Router Solicitation refresh messages that the device sends. The range is 1 - 20 seconds. The default is 3.
STEP 1 Click System > System Management > IP Addressing > IPv6 Configuration > IPv6 Neighbors. The IPv6 Neighbors Page opens:
IPv6 Neighbors Page
The IPv6 Neighbors Page contains the following fields:
• Clear Table — Deletes the entries in the IPv6 Neighbor Table. The possible field values are:
  - Static Only — Deletes the static IPv6 address entries from the IPv6 Neighbor Table.
• Type — Displays the type of the neighbor discovery cache information entry. The possible field values are:
  - Static — Shows static neighbor discovery cache entries.
  - Dynamic — Shows dynamic neighbor discovery cache entries.
• State — Specifies the IPv6 Neighbor status. The possible values are:
  - Incomplete — Indicates Address Resolution is in process. The neighbor has not yet responded.
  - Reachable — Indicates the neighbor is known to be reachable.
• IPv6 Address — Defines the currently configured IPv6 network assigned to the interface. The address must be a valid IPv6 address, specified in hexadecimal using 16-bit values between colons.
• MAC Address — Indicates the MAC address mapped to the specified IPv6 address.
• Type — Select the type of the neighbor discovery cache information entry. The possible field values are:
  - Static — Shows static neighbor discovery cache entries.
Viewing IPv6 Routes Table
The IPv6 Routes Table Page allows network managers to view IPv6 network routes. To view IPv6 routing entries:
STEP 1 Click System > System Management > IP Addressing > IPv6 Configuration > IPv6 Routes Table. The IPv6 Routes Table Page opens:
IPv6 Routes Table Page
The IPv6 Routes Table Page contains the following fields:
• Clear Table — Deletes the entries in the IPv6 Routes Table.
• Next Hop — Displays the address to which the packet is forwarded (typically the address of a neighboring router). This can be either a Link Local or Global address.
• Metric — Indicates the value used for comparing this route to other routes with the same destination in the IPv6 route table.
• Route Type — Defines whether the destination is directly attached and the means by which the entry was learned.
• Defining DHCP Relay (Layer 3)
• ARP
Defining IPv4 Interface (Layer 2)
The IPv4 Interface Page contains fields for assigning IPv4 addresses. Packets are forwarded to the default IP when frames are sent to a remote network. The configured IP address must belong to the same IP address subnet of one of the IP interfaces.
STEP 1 Click System > System Management > IP Addressing > IPv4 Interface.
• IP Address — The currently configured IP address.
• Network Mask — Displays the currently configured IP address mask.
• Prefix Length — Specifies the length of the IPv6 prefix. The range is 5 -128 (64 in the case EUI-64 parameter is used). The Prefix field is applicable only when the IPv6 Static IP Address is defined as a Global IPv6 Address.
• User Defined Default Gateway — Manually defined default gateway IP address.
STEP 1 Click System > System Management > IP Addressing > IPv4 Interface. The IPv4 Interface Page opens:
IPv4 Interface Page
The IPv4 Interface Page contains the following fields:
• IP Address — Displays the currently configured IP address.
• Mask — Displays the currently configured IP address mask.
• Interface — Displays the interface used to manage the device.
STEP 2 Click the Add button.
• Interface — Specifies the interface to be associated with this IP configuration.
• IP Address — Defines the currently configured IP address.
• Network Mask — Defines the currently configured IP address mask.
• Prefix Length — Specifies the length of the IPv6 prefix. The range is 5-128 (64 when the EUI-64 parameter is used). The Prefix field is applicable only when the IPv6 Static IP Address is defined as a Global IPv6 Address.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The IP interface configuration is defined, and the device is updated.
Enabling ARP Proxy (Layer 3)
The Address Resolution Protocol (ARP) is a TCP/IP protocol that converts IP addresses into physical addresses. The ARP Proxy Page allows network managers to enable ARP Proxy on the switch. This section is applicable to Layer 3 devices only.
STEP 3 Click Apply. ARP Proxy is enabled, and the device is updated.
Defining UDP Relay (Layer 3)
The UDP Relay allows UDP packets to reach other networks. This feature enables browsing from workstations to servers on different networks. This section is applicable to Layer 3 devices only. To define UDP Relay:
STEP 1 Click System > System Management > IP Addressing > UDP Relay.
• UDP Destination Port — Indicates the destination UDP port ID number of the relayed UDP packets. The following table lists UDP Port allocations.
STEP 2
Add UDP Relay Page
The Add UDP Relay Page contains the following fields:
• Source IP Interface — Indicates the input IP interface that relays UDP packets. If this field is 255.255.255.255, UDP packets from all interfaces are relayed. The following address ranges are
  - 0.0.0.0 to 0.255.255.255.
  - 127.0.0.0 to 127.255.255.255.
• UDP Destination Port — Indicates the destination UDP port ID number of the relayed UDP packets.
STEP 1 Click System > System Management > IP Addressing > DHCP Relay > DHCP Server. The DHCP Server Page opens:
DHCP Server Page
The DHCP Server Page contains the following fields:
• DHCP Relay — Enable or disable DHCP Relay on the device. The possible values are:
  - Enable — Enable DHCP Relay on the device.
  - Disable — Disable DHCP Relay on the device.
• Option 82 — Indicates if DHCP Option 82 with data insertion is enabled on the device.
  - Disable — Disables DHCP Option 82 with data insertion on the device. This is the default value.
• DHCP Server — Port or LAG on which DHCP Relay has been enabled.
STEP 2 Click the Add button. The Add DHCP Server Page opens:
Add DHCP Server Page
The Add DHCP Server Page contains the following field:
• Support IP Format — Provides the supported IP format: Version 6 or Version 4.
• DHCP Server IP Address — Defines the IP address assigned to the DHCP server.
STEP 1 Click System > System Management > IP Addressing > DHCP Relay > DHCP Interfaces. The DHCP Interfaces Page opens:
DHCP Interfaces Page
The DHCP Interfaces Page contains the following fields:
• Interface — Displays the interface selected for relay functionality.
• Check Box — Removes DHCP relay from an interface. The possible field values are:
  - Checked — Removes the selected DHCP Relay interface.
Add DHCP Interface Page
The Add DHCP Interface Page contains the following field:
• Interface — Selects the interface to define DHCP Relay. The possible field values are:
  - Ports — Defines the DHCP Relay on the selected port.
  - LAGs — Defines the DHCP Relay on the selected LAG.
  - VLAN — Defines the DHCP Relay on the selected VLAN.
STEP 3 Select the Interface on which to define a DHCP Relay.
STEP 4 Click Apply.
STEP 1 Click System > System Management > IP Addressing > DHCP Relay > DHCP Server. The DHCP Server Page opens:
DHCP Server Page
The DHCP Server Page contains the following fields:
• DHCP Relay — Enable or disable DHCP Relay on the device. The possible values are:
  - Enable — Enable DHCP Relay on the device.
  - Disable — Disable DHCP Relay on the device.
• Option 82 — Indicates if DHCP Option 82 with data insertion is enabled on the device.
  - Disable — Disables DHCP Option 82 with data insertion on the device. This is the default value.
• DHCP Server — Defines the address of the remote DHCP server to track across the VLANs.
STEP 2 Click the Add button. The Add DHCP Server Page opens:
Add DHCP Server Page
The Add DHCP Server Page contains the following field:
• Support IP Format — Provides the supported IP format: Version 6 or Version 4.
STEP 1 Click System > System Management > IP Addressing > ARP. The ARP Page opens:
ARP Page
The ARP Page contains the following fields.
• ARP Entry Age Out — Defines the amount of time (seconds) that passes between ARP requests about an ARP table entry. After this period, the entry is deleted from the table. The range is 1 - 40000000, where zero indicates that entries are never cleared from the cache. The default value is 60,000 seconds.
• MAC Address — Indicates the station MAC address, which is associated in the ARP table with the IP address.
• Status — Indicates the ARP Table entry status. Possible field values are:
  - Dynamic — Indicates the ARP entry was learned dynamically.
  - Static — Indicates the ARP entry is a static entry.
STEP 2 Click Add.
Edit ARP Page
The Edit ARP Page contains the following fields:
• VLAN — Indicates the ARP-enabled interface.
• IP Address — Indicates the station IP address, which is associated with the MAC address filled in below.
• MAC Address — Indicates the station MAC address, which is associated in the ARP table with the IP address.
• Status — Defines the ARP Table entry status.
STEP 1 Click Routing > IP Static Routing. The IP Static Routing Page opens:
IP Static Routing Page
The IP Static Routing Page contains the following fields:
• Dest. IP Address — Defines the destination IP address.
• Prefix Length — Specifies the IP route prefix length for the destination IP address, preceded by a forward slash.
• Next Hop — Indicates the next hop’s IP address or IP alias on the route.
Add IP Static Route Page
In addition to the fields in the IP Static Routing Page, the Add IP Static Route Page contains the following additional fields:
• Destination IP Address — Defines the destination IP address.
• Network Mask — Defines the currently configured IP address mask.
• Prefix Length — Defines the IP route prefix for the destination IP. The prefix length must be preceded by a forward slash (/).
7 Configuring IP Information Domain Name System
Domain Name System
Domain Name System (DNS) converts user-defined domain names into IP addresses. Each time a domain name is assigned, the DNS service translates the name into a numeric IP address. For example, www.ipexample.com is translated into 192.87.56.2. DNS servers maintain databases of domain names and their corresponding IP addresses.
• Enable DNS — Enables translating the DNS names into IP addresses. The possible field values are:
  - Checked — Translates the domains into IP addresses.
  - Unchecked — Disables translating domains into IP addresses.
Default Parameters
• Default Domain Name — Specifies the user-defined DNS server name (1-158 characters).
• Type — Displays the IP address type. The possible field values are:
  - Dynamic — The IP address is dynamically created.
• IPv6 Address Type — Indicates the IPv6 Type. The possible field values are:
  - Link-Local — Indicates the IPv6 address is link-local.
  - Global Unicast — Indicates the IPv6 address is global Unicast.
• Link Local Interface — Indicates the IPv6 link-local interface. The possible field values are:
  - VLAN — Indicates that the IPv6 link-local interface is defined as a VLAN used.
STEP 1 Click System > System Management > IP Addressing > Domain Name System > Host Mapping. The Host Mapping Page opens:
Host Mapping Page
The Host Mapping Page contains the following fields:
• Host Names — Displays a user-defined default domain name. When defined, the default domain name is applied to all unqualified host names. The Host Name field can contain up to 158 characters.
• IP Address — Displays the DNS host IP address.
STEP 2
Add Host Name Page
The Add Host Name Page contains the following fields:
• Supported IP Format — Indicates the IP address format supported by the host. The possible field values are:
  - Version 6 — Indicates that the host supports IPv6 addresses.
  - Version 4 — Indicates that the host supports IPv4 addresses only.
• IPv6 Address Type — Indicates the IPv6 Type. The possible field values are:
  - Link-Local — Indicates the IPv6 address is link-local.
• IP Address 3 (optional) — Indicates the third IPv6 network assigned to the interface. The address must be a valid IPv6 address, specified in hexadecimal using 16-bit values between colons.
• IP Address 4 (optional) — Indicates the fourth IPv6 network assigned to the interface. The address must be a valid IPv6 address, specified in hexadecimal using 16-bit values between colons.
STEP 3 Define the relevant fields.
STEP 4 Click Apply.
8 Defining Address Tables Defining Static Addresses
Defining Address Tables
MAC addresses are stored in either the Static Address or the Dynamic Address databases. A packet addressed to a destination stored in one of the databases is forwarded immediately to the port. The Dynamic Address Table can be sorted by interface, VLAN, and MAC Address. MAC addresses are dynamically learned as packets from sources arrive at the device.
STEP 1 Click Bridging > Address Tables > Static. The Static Page opens:
Static Page
The Static Page contains the following fields:
• VLAN ID — Displays the VLAN ID number to which the entry refers.
• MAC Address — Displays the MAC address to which the entry refers.
• Interface — Displays the interface to which the entry refers:
  - Port — The specific port number to which the forwarding database parameters refer.
STEP 2 Click the Add button. The Add Static MAC Address Page opens:
Add Static MAC Address Page
The Add Static MAC Address Page contains the following fields:
• Interface — Displays the interface to which the entry refers:
  - Ports — The specific port number to which the forwarding database parameters refer.
  - LAGs — The specific LAG number to which the forwarding database parameters refer.
Defining Address Tables Defining Dynamic Addresses 8
Defining Dynamic Addresses
The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
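The learn, forward and flood behaviour described above can be traced with a small model. This is an added example, not Cisco code: the port names, MAC addresses and the single-VLAN topology are constructed for illustration, and 300 seconds is the default Aging Interval this guide gives.

```python
"""Model of a dynamic MAC address table: learn on source, forward or flood on destination."""


class DynamicAddressTable:
    def __init__(self, ports, aging_interval=300):
        self.ports = set(ports)               # hypothetical port names
        self.aging_interval = aging_interval  # seconds without traffic from the source
        self.entries = {}                     # (vlan, mac) -> (port, last_seen)

    def age_out(self, now):
        """Remove entries whose source has been silent for the aging interval."""
        expired = [key for key, (_, seen) in self.entries.items()
                   if now - seen >= self.aging_interval]
        for key in expired:
            del self.entries[key]
        return expired

    def handle_frame(self, now, vlan, src, dst, in_port):
        """Learn the source address, then return the egress ports for the frame."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        self.age_out(now)
        # Learning: a new source is added, a known one is refreshed or moved.
        self.entries[(vlan, src.lower())] = (in_port, now)
        hit = self.entries.get((vlan, dst.lower()))
        if hit is None:
            # Unknown destination: flood to every port except the ingress port.
            return sorted(self.ports - {in_port})
        out_port = hit[0]
        # A destination on the ingress port needs no forwarding at all.
        return [] if out_port == in_port else [out_port]


def demo():
    """Constructed traffic between two stations, A and B, on VLAN 1."""
    table = DynamicAddressTable(["e1", "e2", "e3"])
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # documentation-range MACs
    return [
        table.handle_frame(0, 1, a, b, "e1"),    # B not learned yet: flooded
        table.handle_frame(1, 1, b, a, "e2"),    # A was learned on e1
        table.handle_frame(2, 1, a, b, "e1"),    # B was learned on e2
        table.handle_frame(10, 1, b, a, "e3"),   # B moved to e3, entry is updated
        table.handle_frame(11, 1, a, b, "e1"),   # B is now reached through e3
        table.handle_frame(400, 1, a, b, "e1"),  # B silent for 390 s: aged out, flooded
    ]


if __name__ == "__main__":
    for egress in demo():
        print(egress)
```

A short aging interval means more flooding after quiet periods; a long one keeps stale entries for stations that have moved or left.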
• Aging Interval — Specifies the amount of time the MAC address remains in the Dynamic MAC Address table before it is timed out, if no traffic from the source is detected. The default value is 300 seconds.
• Clear Table — If checked, clears the MAC address table.
Query By
In the Query By section, select the preferred option for sorting the addresses table:
• Interface — Specifies the interface for which the table is queried.
Configuring Multicast Forwarding IGMP Snooping 9
Configuring Multicast Forwarding
The Multicast section contains the following topics:
• IGMP Snooping
• Defining Multicast Group
• Configuring IGMP Snooping Mapping
• Defining Multicast TV Membership
• Defining Multicast Forwarding
• Defining Unregistered Multicast Settings
IGMP Snooping
When IGMP Snooping is enabled globally, all IGMP packets are forwarded to the CPU.
STEP 1 Click Bridging > Multicast > IGMP Snooping. The IGMP Snooping Page opens:
IGMP Snooping Page
The IGMP Snooping Page contains the following fields:
• Enable IGMP Snooping Status — Indicates that the device monitors network traffic to determine which hosts want to receive multicast traffic. IGMP Snooping can be enabled only if Bridge Multicast Filtering is enabled. The possible field values are:
  - Checked — Enables IGMP Snooping on the device.
• Leave Timeout — Indicates the amount of time the host waits, after requesting to leave the IGMP group and not receiving a Join message from another station, before timing out. If a Leave Timeout occurs, the switch notifies the Multicast device to stop sending traffic. The Leave Timeout value is either user-defined, or an Immediate Leave value. The default timeout is 10 seconds.
STEP 2 Define the relevant fields.
STEP 3 Click Apply.
Configuring Multicast Forwarding Defining Multicast Group 9
• AutoLearn — Indicates if Auto Learn is enabled on the device. If Auto Learn is enabled, the device automatically learns where other Multicast groups are located. The possible field values are:
  - Enable — Enables auto learn.
  - Disable — Disables auto learn.
• Host Timeout — Indicates the amount of time the host waits to receive a message before timing out. The default time is 260 seconds.
STEP 1 Click Bridging > Multicast > Multicast Group. The Multicast Group Page opens:
Multicast Group Page
The Multicast Group Page contains the following fields:
• Enable Bridge Multicast Filtering — Indicates if Bridge Multicast Filtering is enabled on the device. Bridge Multicast Filtering can be enabled only if IGMP Snooping is enabled. The possible field values are:
  - Checked — Enables Multicast Filtering on the device.
  - Forbidden — Forbidden interfaces are not included in the Multicast group, even if IGMP Snooping designated the interface to join a Multicast group.
  - None — The interface is not part of a Multicast group.
STEP 2 Click the Add button. The Add Multicast Group Page opens:
Add Multicast Group Page
The Add Multicast Group Page contains the following fields:
• VLAN ID — Displays the VLAN ID.
Edit Multicast Group Page
The Edit Multicast Group Page contains the following fields:
• VLAN ID — Displays the VLAN ID.
• Bridge IP Multicast — Displays the IP address attached to the Multicast Group.
• Bridge MAC Multicast — Displays the MAC address attached to the Multicast Group.
• Interface — Displays the interface attached to the Multicast Group.
• Interface Status — Defines the interface status.
Configuring Multicast Forwarding Configuring IGMP Snooping Mapping 9
Configuring IGMP Snooping Mapping
Multicast TV allows subscribers to join the same Multicast stream, even if the subscribers are not members of the same VLAN, eliminating television traffic duplication. IGMP snooping is supported for those transmissions. Ports which receive Multicast Transmissions, or Receiver Ports, can be defined in any VLAN, and not just in the Multicast VLAN.
Configuring Multicast Forwarding Defining Multicast TV Membership 9
• Multicast Group — Indicates the Multicast group IP address for which the IGMP Snooping is enabled.
STEP 2 Click the Add button. The Add IGMP Snooping Mapping Page opens:
Add IGMP Snooping Mapping Page
The Add IGMP Snooping Mapping Page contains the following fields:
• VLAN — Defines the Multicast TV VLAN on which to enable IGMP Snooping.
• Multicast Group — Defines the Multicast group IP address on which to enable IGMP Snooping.
Configuring Multicast Forwarding Defining Multicast Forwarding 9
STEP 1 Click Bridging > Multicast > Multicast TV Membership. The Multicast TV Membership Page opens:
Multicast TV Membership Page
The Multicast TV Membership Page contains the following fields:
• Multicast TV VLAN ID — Indicates the Multicast VLAN ID in which the source ports and receiver ports are members.
• Receiver Ports — Indicates the port on which Multicast TV transmissions are received.
STEP 1 Click Bridging > Multicast > Forward. The Multicast Forward Page opens:
Multicast Forward Page
The Multicast Forward Page contains the following fields:
• VLAN ID — Displays the VLAN ID.
• Ports — Displays the Multicast Forwarding status of all of the specified stacking member’s ports.
• LAGs — Displays the Multicast Forwarding status of all of the device’s LAGs.
Configuring Multicast Forwarding Defining Unregistered Multicast Settings 9
Edit Multicast Forward All Page
The Edit Multicast Forward All Page contains the following fields:
• VLAN ID — Displays the VLAN ID.
• Interface — Displays the port or LAG attached to the Multicast Group.
• Interface Status — Displays the interface status of the port or LAG. The options are as follows:
  - Static — Attaches the interface to the Multicast group as a static member.
The Unregistered Multicast Page contains fields to handle Multicast frames that belong to Unregistered Multicast groups. Unregistered Multicast groups are the groups that are not known to the device. All Unregistered Multicast frames are still forwarded to all ports on the VLAN. After a port has been set to Forwarding/Filtering, then this port's configuration is valid for any VLAN it is a member of (or will be a member of).
  - Filtering — Enables filtering of Unregistered Multicast frames to the selected VLAN interface.
STEP 2 Click Edit. The Edit Unregistered Multicast Page opens:
STEP 3 Define the Unregistered Multicast field.
STEP 4 Click Apply. The settings are saved and the device is updated.
Configuring Spanning Tree Defining Spanning Tree 10
Configuring Spanning Tree
The Spanning Tree Protocol (STP) provides a tree topology for any arrangement of bridges. STP also provides one path between end stations on a network, eliminating loops. Loops occur when alternate routes exist between hosts. Loops in an extended network can cause bridges to forward traffic indefinitely, resulting in increased traffic and reducing network efficiency.
STEP 1 Click Bridging > Spanning Tree > Properties. The STP Properties Page opens:
STP Properties Page
The STP Properties Page contains the following fields:
Global Settings
The Global Settings area contains device-level parameters.
• Spanning Tree State — Indicates if STP is enabled on the device. The possible field values are:
  - Enable — Enables STP on the device. This is the default value.
  - Disable — Disables STP on the device.
• BPDU Handling — Determines how BPDU packets are managed when STP is disabled on the port or device. BPDUs are used to transmit spanning tree information. The possible field values are:
  - Filtering — Filters BPDU packets when spanning tree is disabled on an interface.
  - Flooding — Floods BPDU packets when spanning tree is disabled on an interface. This is the default value.
• Root Port — Indicates the port number that offers the lowest cost path from this bridge to the Root Bridge. It is significant when the Bridge is not the Root.
• Root Path Cost — The cost of the path from this bridge to the root.
• Topology Changes Counts — Indicates the total number of STP state changes that have occurred.
STEP 1 Click Bridging > Spanning Tree > Interface Settings. The STP Interface Settings Page opens:
Interface Settings Page
The STP Interface Settings Page contains the following fields:
• Copy From Entry Number — Indicates the port from which the STP interface settings are copied.
• To Entry Numbers — Indicates the port to which the STP interface settings are copied.
convergence. STP convergence can take 30-60 seconds in large networks. The possible values are:
  - Enabled — Port Fast is enabled.
  - Disabled — Port Fast is disabled.
  - Auto — Port Fast mode is enabled a few seconds after the interface becomes active.
• Root Guard — Prevents devices outside the network core from being assigned the spanning tree root. Root Guard may be enabled or disabled.
  - Designated — The port or LAG through which the designated switch is attached to the LAN.
  - Alternate — Provides an alternate path to the root switch from the root interface.
  - Backup — Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link, or when a LAN has two or more connections connected to a shared segment.
Modifying Interface Settings
STEP 1 Click Bridging > Spanning Tree > Interface Settings. The Interface Settings Page opens:
STEP 2 Click the Edit button. The Edit Interface Settings Page opens:
Edit Interface Settings Page
The Edit Interface Settings Page contains the following fields:
• Port — Selects the port number on which Spanning Tree is configured.
• STP — Enables or disables STP on the port.
  - Auto — Enables Port Fast mode a few seconds after the interface becomes active.
• Enable Root Guard — Enables the prevention of devices outside the network core from being assigned the spanning tree root. The possible field values are:
  - Checked — Enables Root Guard on the selected port or LAG.
  - Unchecked — Disables Root Guard on the selected port or LAG. This is the default value.
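Why Root Guard is worth enabling on ports that face outside the network core, as an added example (not Cisco code): a simplified model of how one switch picks its root, run with the setting unchecked (the default) and checked. The bridge priorities, MAC addresses and port names are constructed, and blocking the guarded port when it hears a better root is the usual Root Guard behaviour, assumed here rather than taken from this guide.

```python
"""Simplified root selection on one switch, with and without Root Guard on an edge port."""
from dataclasses import dataclass, field


def bridge_id(priority, mac):
    """Comparable bridge ID: the numerically lowest (priority, MAC) pair becomes root."""
    return (priority, int(mac.replace(":", ""), 16))


@dataclass
class Port:
    name: str
    root_guard: bool = False
    state: str = "forwarding"  # simplified: "forwarding" or "blocked"


@dataclass
class Switch:
    own_id: tuple
    ports: dict
    root_id: tuple = None
    root_port: str = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Until it hears a better bridge ID, a switch considers itself the root.
        if self.root_id is None:
            self.root_id = self.own_id

    def receive_bpdu(self, port_name, advertised_root):
        """Process the root bridge ID advertised in a BPDU received on port_name."""
        port = self.ports[port_name]
        if advertised_root >= self.root_id:
            return "no-change"  # not better than the root already known
        if port.root_guard:
            # Assumed behaviour: a better root heard on a guarded port is not
            # accepted, and the port stops forwarding.
            port.state = "blocked"
            self.log.append(f"root guard: better root rejected on {port_name}")
            return "rejected"
        self.root_id, self.root_port = advertised_root, port_name
        self.log.append(f"new root accepted via {port_name}")
        return "accepted"


# Constructed bridge IDs (documentation-range MAC addresses).
CORE = bridge_id(4096, "00:00:5e:00:53:01")        # intended root in the network core
ACCESS = bridge_id(32768, "00:00:5e:00:53:10")     # the switch being modelled
UNEXPECTED = bridge_id(0, "00:00:5e:00:53:99")     # device attached to an edge port


def run(root_guard_on_edge):
    """Feed the same two BPDUs to the access switch and report what it decided."""
    switch = Switch(ACCESS, {
        "uplink": Port("uplink"),
        "edge1": Port("edge1", root_guard=root_guard_on_edge),
    })
    results = [
        switch.receive_bpdu("uplink", CORE),
        switch.receive_bpdu("edge1", UNEXPECTED),
    ]
    return switch, results


if __name__ == "__main__":
    for enabled in (False, True):
        sw, results = run(enabled)
        print(f"root guard on edge1={enabled}: {results}, "
              f"root port={sw.root_port}, edge1={sw.ports['edge1'].state}")
```

With the box unchecked, the root moves to the edge port and traffic for the whole tree is drawn toward it; with it checked, the uplink stays the root port and the log entry gives operations something to alert on.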
• Priority — Priority value of the port. The priority value influences the port choice when a bridge has two ports connected in a loop. The priority value is between 0-240. The priority value is provided in increments of 16.
• Designated Bridge ID — Indicates the bridge priority and the MAC Address of the designated bridge.
• Designated Port ID — Indicates the selected port’s priority and interface.
STEP 1 Click Bridging > Spanning Tree > RSTP. The RSTP Page opens:
RSTP Page
The RSTP Page contains the following fields:
• Copy From Entry Number — Indicates the port from which the STP interface settings are copied.
• To Entry Numbers — Indicates the port to which the STP interface settings are copied.
• Ports — Displays the RSTP configurations of the specified stacking member’s ports.
• LAGs — Displays the RSTP configurations of device LAGs.
  - Backup — Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more connections connected to a shared segment.
  - Disable — Indicates the port is not participating in the Spanning Tree.
• Mode — Indicates the current Spanning Tree mode.
• Activate Protocol Migration — Click the Activate button to run a Protocol Migration Test. The test identifies the STP mode of the interface connected to the selected interface.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The Rapid Spanning Tree Settings are defined, and the device is updated.
Modifying RSTP
STEP 1 Click Bridging > Spanning Tree > RSTP. The RSTP Page opens:
STEP 2 Click the Edit button.
  - Backup — Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more connections connected to a shared segment.
  - Disable — Indicates the port is not participating in the Spanning Tree.
• Mode — Indicates the current Spanning Tree mode.
10 Configuring Spanning Tree Defining Multiple Spanning Tree
  - Auto — Device automatically determines the state.
• Point-to-Point Operational Status — Indicates the Point-to-Point operating state.
• Activate Protocol Migration Test — Enables a Protocol Migration Test. The test identifies the STP mode of the interface connected to the selected interface. The possible field values are:
  - Checked — Enable Protocol Migration.
  - Unchecked — Disable Protocol Migration.
STEP 3 Define the relevant fields.
STEP 1 Click Bridging > Spanning Tree > MSTP > Properties. The MSTP Properties Page opens:
MSTP Properties Page
The MSTP Properties Page contains the following fields:
• Region Name — Provides a user-defined STP region name.
• Revision — Defines an unsigned 16-bit number that identifies the revision of the current MST configuration. The revision number is required as part of the MST configuration. The possible field range is 0-65535.
Defining MSTP Instance to VLAN
MSTP maps VLANs into STP instances. Packets assigned to various VLANs are transmitted along different paths within Multiple Spanning Tree Regions (MST Regions). Regions are one or more Multiple Spanning Tree bridges by which frames can be transmitted. In configuring MSTP, the MST region to which the device belongs is defined. A configuration consists of the name, revision, and region to which the device belongs.
Defining MSTP Instance Settings
MSTP maps VLANs into STP instances. Packets assigned to various VLANs are transmitted along different paths within Multiple Spanning Tree Regions (MST Regions). Regions are one or more Multiple Spanning Tree bridges by which frames can be transmitted. In configuring MSTP, the MST region to which the device belongs is defined. A configuration consists of the name, revision, and region to which the device belongs.
• Designated Root Bridge ID — Indicates the priority and MAC address of the bridge with the lowest path cost to the instance ID.
• Root Port — Indicates the selected instance’s root port.
• Root Path Cost — Indicates the selected instance’s path cost.
• Bridge ID — Indicates the priority and MAC address of the selected instance.
• Remaining Hops — Indicates the number of hops remaining to the next destination.
STEP 1 Click Bridging > Spanning Tree > MSTP > Interface Settings. The MSTP Interface Settings Page opens:
MSTP Interface Settings Page
The MSTP Interface Settings Page contains the following fields:
• Instance ID — Lists the MSTP instances configured on the device. Possible field range is 0-15.
• Interface — Displays the interface for which the MSTP settings are displayed.
  - Forwarding — Indicates that the port is in Forwarding mode. The port can forward traffic and learn new MAC addresses.
• Type — Indicates if the port is a point-to-point port, or a port connected to a hub. The possible field values are:
  - Boundary Port — Indicates the port is a boundary port. A Boundary port attaches MST bridges to a LAN in an outlying region.
• Designated Bridge ID — Indicates the bridge ID number that connects the link or shared LAN to the root.
• Designated Port ID — Indicates the Port ID number on the designated bridge that connects the link or the shared LAN to the root.
• Designated Cost — Indicates that the default path cost is assigned according to the method selected on the Spanning Tree Global Settings page.
STEP 2
  - Designated — Indicates the port or LAG via which the designated device is attached to the LAN.
  - Alternate — Provides an alternate path to the root device from the root interface.
  - Backup — Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link.
  - Listening — Indicates that the port is in Listening mode. The port cannot forward traffic nor can it learn MAC addresses.
  - Learning — Indicates that the port is in Learning mode. The port cannot forward traffic, however it can learn new MAC addresses.
  - Forwarding — Indicates that the port is in Forwarding mode. The port can forward traffic and learn new MAC addresses.
11 Configuring Quality of Service
Configuring Quality of Service
Network traffic is usually unpredictable, and the only basic assurance that can be offered is best effort traffic delivery. To overcome this challenge, Quality of Service (QoS) is applied throughout the network. This ensures that network traffic is prioritized according to specified criteria, and that specific traffic receives preferential treatment.
Configuring Quality of Service Defining General Settings 11
• Traffic Classification — Classifies each incoming packet as belonging to a given traffic class, based on the packet contents and/or the context.
• Assignment to Hardware Queues — Assigns incoming packets to forwarding queues. Packets are sent to a particular queue for handling as a function of the traffic class to which they belong, as defined by the classification mechanism.
STEP 1 Click Quality of Service > General > CoS. The CoS Page opens:
CoS Page
The CoS Page contains the following fields:
• QoS Mode — Indicates if QoS is enabled on the device. The possible values are:
  - Advanced — Enables Advanced mode QoS on the device.
• Ports — Indicates that the CoS configuration of the ports on the specified stacking member are described in the page.
Modifying Interface Priorities
STEP 2 Click the Edit button. The Edit Interface Priority Page opens:
Edit Interface Priority Page
The Edit Interface Priority Page contains the following fields:
• Interface — Indicates whether the interface is a port or LAG.
• Set Default User Priority — Defines the default CoS value for incoming packets for which a VLAN tag is not defined. The possible field values are 0-7. The default CoS is 0.
STEP 1 Click Quality of Service > General > Queue. The Queue Page opens:
Queue Page
The Queue Page contains the following fields:
• Queue — Displays the queue for which the queue settings are displayed. The possible field range is 1 - 4.
• WRR Weight — Displays the WRR weight assigned to the queue by the user.
• % of WRR Bandwidth — Indicates the amount of bandwidth assigned to the queue.
Mapping CoS to Queue

The CoS to Queue Page contains fields for classifying CoS settings to traffic queues.
STEP 1 Click Quality of Service > General > CoS to Queue. The CoS to Queue Page opens:
CoS to Queue Page
The CoS to Queue Page contains the following fields:
• Restore Defaults — Restores all queues to the default CoS settings.
Mapping DSCP to Queue

The DSCP to Queue Page enables mapping DSCP values to specific queues. To map DSCP to queues:
STEP 1 Click Quality of Service > General > DSCP to Queue. The DSCP to Queue Page opens:
DSCP to Queue Page
The DSCP to Queue Page contains the following fields:
• DSCP In — Indicates the Differentiated Services Code Point (DSCP) value in the incoming packet.
Configuring Bandwidth

The Bandwidth Page allows network managers to define the bandwidth settings for specified egress and ingress interfaces. Rate Limits and Shaping are defined per interface:
• Rate Limit sets the maximum bandwidth allowed on ingress interfaces.
• Shaping Rate sets the maximum bandwidth allowed on egress interfaces. On GE ports, traffic shape for burst traffic (CbS) can also be defined.
  - Rate Limit — Defines the rate limit for ingress ports. Defines the amount of bandwidth assigned to the interface. For FE ports, the rate is 62 - 100,000 Kbps. For GE ports, the rate is 62 - 1,000,000 Kbps.
• Egress Shaping Rates — Indicates the traffic shaping type, if enabled, for egress ports. The possible field values are:
  - CIR — Defines Committed Information Rate (CIR) as the queue shaping type.
• Committed Information Rate (CIR) — Defines CIR as the queue shaping type. The possible field values are:
  - For FE ports, the rate is 64 - 62,500 Kbps.
  - For GE ports, the rate is 64 - 1,000,000 Kbps.
• Committed Burst Size (CS) — Defines CbS as the queue shaping type. CS is supported only on GE interfaces. The possible field value is 4096 - 16,769,020 bytes.
• Ingress Rate Limit — Indicates if rate limiting is defined on the interface.
STEP 1 Click Quality of Service > General > VLAN Rate Limit. The VLAN Rate Limit Page opens:
VLAN Rate Limit Page
The VLAN Rate Limit Page contains the following fields:
• VLAN – Indicates the VLAN on which the Rate Limit is applied.
• Rate Limit – Defines the maximum rate (CIR) in kbits per second (bps) that forwarding traffic is permitted in the VLAN.
Add VLAN Rate Limit Page
The Add VLAN Rate Limit Page contains the following fields.
• VLAN ID – Defines the VLAN on which to apply the Rate Limit.
• Rate Limit (CIR) – Defines the maximum rate (CIR) in kbits per second (bps) that forwarding traffic is permitted in the VLAN.
• Burst Size (CbS) – Defines the maximum burst size (CbS) in bytes that forwarding traffic is permitted through the VLAN.
STEP 3 Define the relevant fields.
Edit VLAN Rate Limit Page
The VLAN Rate Limit Page contains the following fields:
• VLAN ID – Defines the VLAN on which to apply the Rate Limit.
• Rate Limit (CIR) – Defines the maximum rate (CIR) in kbits per second (bps) that forwarding traffic is permitted in the VLAN.
• Burst Size (CbS) – Defines the maximum burst size (CbS) in bytes that forwarding traffic is permitted through the VLAN.
STEP 3 Define the relevant fields.
After assigning packets to a specific queue, services such as configuring output queues for the scheduling scheme, or configuring output shaping for burst size, CIR, or CbS per interface or per queue, can be applied.
STEP 1 Click Quality of Service > Advanced Mode > DSCP Mapping. The DSCP Mapping Page opens:
DSCP Mapping Page
The DSCP Mapping Page contains the following fields:
• DSCP In — Indicates the DSCP value in the incoming packet which will be mapped to an outgoing packet.
• DSCP Out — Sets a mapped DSCP value in the outgoing packet for the corresponding incoming packet.
STEP 2 Define the relevant mapping.
STEP 3 Click Apply.
Defining Class Mapping

The Class Mapping Page contains parameters for defining class maps. One IP ACL and/or one MAC ACL comprise a class map. Class maps are configured to match packet criteria, and are matched to packets on a first-fit basis. For example, Class Map A is assigned to packets based only on an IP-based ACL or a MAC-based ACL. Class Map B is assigned to packets based on both an IP-based and a MAC-based ACL.
STEP 2 Click the Add button. The Add QoS Class Map Page opens:
Add QoS Class Map Page
The Add QoS Class Map Page contains the following fields.
• Class Map Name — Defines a new Class Map name.
• IP ACL — Matches packets to IP based ACLs first, then matches packets to MAC based ACLs. Select either an IPv4 ACL or an IPv6 ACL.
• Match — Criteria used to match IP addresses and/or MAC addresses with an ACL’s address.
Defining Aggregate Policer

A policy is a collection of classes, each of which is a combination of a class map and a QoS action to apply to matching traffic. Classes are applied in a first-fit manner within a policy. Before configuring policies for classes whose match criteria are defined in a class map, a class map must first be defined, or the name of the policy map to be created, added to, or modified must first be specified.
• Ingress CIR — Defines the Committed Information Rate (CIR) in bits per second.
• Ingress CS — Defines the Committed Burst Size (CS) in bytes per second.
• Exceed Action — Action assigned to incoming packets exceeding the CIR. Possible values are:
  - Drop — Drops packets exceeding the defined CIR value.
  - Remark DSCP — Remarks packet’s DSCP values exceeding the defined CIR value.
  - None — Forwards packets exceeding the defined CIR value.
STEP 4 Click Apply. The Aggregate policer is added, and the device is updated.

Modifying QoS Aggregate Policer

STEP 1 Click Quality of Service > Advanced Mode > Aggregate Policer. The Aggregate Policer Page opens:
STEP 2 Click the Edit Button. The Edit QoS Aggregate Policer Page opens:
Edit QoS Aggregate Policer Page
The Edit QoS Aggregate Policer Page contains the following fields.
Configuring Policy Table

In the Policy Table Page, QoS policies are set up and assigned to interfaces. To set up QoS policies:
STEP 1 Click Quality of Service > Advanced Mode > Policy Table. The Policy Table Page opens:
Policy Table Page
The Policy Table Page contains the following field:
• Policy Name — Displays the user-defined policy name.
STEP 2 Click the Add button.
Add QoS Policy Profile Page
The Add QoS Policy Profile Page contains the following fields.
• New Policy Name — Displays the user-defined policy name.
• Class Map — Selects the user-defined class maps which can be associated with the policy.
• Action — Defines the action attached to the rule. The possible field value is:
• Set — Defines the Trust configuration manually.
defined if the policer is shared with multiple classes. Traffic from two different ports can be configured for policing purposes. An aggregate policer can be applied to multiple classes in the same policy map, but cannot be used across different policy maps.
  - Single — Configures the class to use manually configured information rates and exceed actions.
Edit QoS Policy Profile Page
The Edit QoS Policy Profile Page contains the following fields.
• Policy Name — Displays the user-defined policy name.
• Class Map — Displays the user-defined name of the class map.
• Action — Defines the action attached to the rule. The possible field value is:
• Set — Defines the Trust configuration manually. The possible field values are:
  - DSCP — In the New Value box, the possible values are 0-63.
• Ingress Committed Information Rate (CIR) — Defines the CIR in Kbps. This field is only relevant when the Police value is Single.
• Ingress Committed Burst Size (CS) — Defines the CS in bytes. This field is only relevant when the Police value is Single.
• Exceed Action — Action assigned to incoming packets exceeding the CIR. This field is only relevant when the Police value is Single.
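How the Ingress CIR, Ingress CS and Exceed Action fields (on both the Aggregate Policer and the Single policer pages) interact, as an added Python example that is not the switch's own implementation. The token-bucket model, 1 Kbps = 1000 bits per second, the remark target value and the packet trace are assumptions constructed for illustration.

```python
EXCEED_ACTIONS = ("drop", "remark-dscp", "none")


class SingleRatePolicer:
    """Token bucket: refills at CIR, holds at most CS bytes (assumed model)."""

    def __init__(self, cir_kbps, cbs_bytes, exceed_action, remark_dscp=0):
        if exceed_action not in EXCEED_ACTIONS:
            raise ValueError("unknown exceed action: %r" % exceed_action)
        if not 0 <= remark_dscp <= 63:
            raise ValueError("DSCP must be 0-63")
        self.cir_kbps = cir_kbps            # Ingress CIR, Kbps
        self.cbs_bytes = cbs_bytes          # Ingress CS, bytes (bucket depth)
        self.exceed_action = exceed_action
        self.remark_dscp = remark_dscp      # hypothetical remark target
        self.tokens = float(cbs_bytes)      # bucket starts full
        self.last_time = 0.0

    def police(self, now, size_bytes, dscp):
        """Return (verdict, dscp_out) for a packet arriving at `now` seconds."""
        refill = (now - self.last_time) * self.cir_kbps * 1000 / 8
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_time = now
        if size_bytes <= self.tokens:       # conforming: spend tokens
            self.tokens -= size_bytes
            return ("forward", dscp)
        # Exceeding traffic: apply the configured Exceed Action.
        if self.exceed_action == "drop":
            return ("drop", None)
        if self.exceed_action == "remark-dscp":
            return ("forward", self.remark_dscp)
        return ("forward", dscp)            # "none": policer enforces nothing


# Constructed trace: (arrival time in s, packet size in bytes, incoming DSCP).
# Three back-to-back 1500-byte packets, then two more 100 ms later.
TRACE = [(0.0, 1500, 46), (0.0, 1500, 46), (0.0, 1500, 46),
         (0.1, 1500, 46), (0.1, 1500, 46)]


def run_trace(exceed_action, cir_kbps=64, cbs_bytes=4096, remark_dscp=8):
    policer = SingleRatePolicer(cir_kbps, cbs_bytes, exceed_action, remark_dscp)
    return [policer.police(t, size, dscp) for t, size, dscp in TRACE]


if __name__ == "__main__":
    for action in EXCEED_ACTIONS:
        print(action, run_trace(action))
```

With a 4096-byte burst size only two full-size frames fit in a burst; the third is handled by the Exceed Action, and with None the configured rate is never enforced.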
STEP 1 Click Quality of Service > Advanced Mode > Policy Binding. The Policy Binding Page opens:
Policy Binding Page
The Policy Binding Page contains the following fields:
• Interface — Displays the interface to which the entry refers.
• Policy Name — Displays a Policy name associated with the interface.
STEP 2 Click the Add button.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The QoS Policy Binding is defined, and the device is updated.

Modifying QoS Policy Binding Settings

STEP 1 Click Quality of Service > Advanced Mode > Policy Binding. The Policy Binding Page opens:
STEP 2 Click the Edit button. The Edit QoS Policy Binding Page opens:
Edit QoS Policy Binding Page
The Edit QoS Policy Binding Page contains the following fields.
STEP 1 Click Quality of Service > Basic Mode. The Basic Mode Page opens:
Basic Mode Page
The Basic Mode Page contains the following fields:
• Trust Mode — Displays the trust mode. If a packet’s CoS tag and DSCP tag are mapped to different queues, the Trust Mode determines the queue to which the packet is assigned. Possible values are:
  - CoS — Sets trust mode to CoS on the device.
STEP 1 Click Quality of Service > Advanced Mode > DSCP Mapping. The DSCP Mapping Page opens:
DSCP Mapping Page
The DSCP Mapping Page contains the following fields:
• DSCP In — Indicates the DSCP value in the incoming packet.
• DSCP Out — Indicates the DSCP value in the outgoing packet.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The device is updated.
Chapter 12: Configuring SNMP

The Simple Network Management Protocol (SNMP) provides a method for managing network devices. The device supports the following SNMP versions:
SNMP v1 and v2
SNMP agents maintain a list of variables that are used to manage the device. The variables are defined in the Management Information Base (MIB). The MIB presents the variables controlled by the agent.
• Copy trap
• Stacking traps
The SNMP section contains the following topics:
• Configuring SNMP Security
• Defining Trap Management
NOTE All private MIBs for the switches in this manual are anchored under the MIB root: enterprises(1).cisco(9).otherEnterprises(6).
STEP 1 Click System > SNMP > Security > Engine ID. The Engine ID Page opens:
Engine ID Page
The Engine ID Page contains the following fields.
• Local Engine ID (10-64 Hex characters) — Indicates the local device engine ID. The field value is a hexadecimal string. Each byte in hexadecimal character strings consists of two hexadecimal digits. Each byte can be separated by a period or a colon.
• Use Default — Uses the device generated Engine ID.
STEP 3 Click Apply. The device is updated.

Defining SNMP Views

SNMP Views provide access or block access to device features or feature aspects. For example, a view displays that the SNMP Group A has Read Only (R/O) access to Multicast groups, while SNMP Group B has Read-Write (R/W) access to Multicast groups. Feature access is granted via the MIB name, or MIB Object ID. To define SNMP views:
STEP 1 Click System > SNMP > Security > Views.
• Object ID Subtree — Indicates the device feature OID that is included or excluded in the selected SNMP view.
• View Type — Indicates whether the defined OID branch is included or excluded in the selected SNMP view.
STEP 2 Click the Add button. The Add SNMP View Page opens:
Add SNMP View Page
The Add SNMP View Page contains parameters for defining and configuring a new SNMP view.
Defining SNMP Users

The SNMP Users Page provides information for creating SNMP users, and assigning SNMP access control privileges to SNMP users. Groups allow network managers to assign access rights to specific device features, or feature aspects.
STEP 1 Click System > SNMP > Security > Users. The SNMP Users Page opens:
SNMP Users Page
The SNMP Users Page contains the following fields.
Add SNMP Group Membership Page
The Add SNMP Group Membership Page provides information for assigning SNMP access control privileges to SNMP groups. The Add SNMP Group Membership Page contains the following fields.
• User Name — Provides a user-defined local user list.
• Engine ID — Indicates either the local or remote SNMP entity to which the user is connected. Changing or removing the local SNMP Engine ID deletes the SNMPv3 User Database.
• Password — Defines the local user password. Local user passwords can contain up to 159 characters. This field is available if the Authentication Method is a password.
• Authentication Key — Defines the HMAC-MD5-96 or HMAC-SHA-96 authentication level. The authentication and privacy keys are entered to define the authentication key. If HMAC-MD5-96 is selected then 16 bytes are required and if HMAC-SHA-96 then 20 bits are required.
• Authentication Method — Indicates the Authentication method used. The possible field values are:
  - MD5 Key — Users are authenticated using a valid HMAC-MD5 key.
  - SHA Key — Users are authenticated using a valid HMAC-SHA-96 key.
  - MD5 Password — Users should enter a password that is encrypted using the HMAC-MD5-96 authentication method.
  - SHA Password — Users should enter a password that is encrypted using the HMAC-SHA-96 authentication method.
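How the MD5 Password and SHA Password methods turn a password into a 16- or 20-byte authentication key bound to the Engine ID, as an added Python example (not Cisco's code). It assumes the standard SNMPv3 user-based security model derivation from RFC 3414 and that the 10-64 hex characters of the Engine ID are counted without separators; the password and engine ID used in the demo are the RFC's published sample values.

```python
import hashlib
import re

# Key length in bytes equals the digest size of the underlying hash.
KEY_BYTES = {"md5": 16, "sha1": 20}
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_engine_id(text):
    """Parse an Engine ID: 10-64 hex characters, bytes optionally
    separated by a period or a colon. Returns the raw bytes."""
    parts = re.split(r"[.:]", text.strip())
    if len(parts) > 1:
        # Delimited form: every group must be exactly one byte.
        if not all(_HEX_BYTE.fullmatch(p) for p in parts):
            raise ValueError("each separated group must be two hex digits")
        hex_text = "".join(parts)
    else:
        hex_text = parts[0]
        if len(hex_text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hex_text):
            raise ValueError("engine ID must be whole bytes of hex digits")
    if not 10 <= len(hex_text) <= 64:
        raise ValueError("engine ID must be 10-64 hex characters")
    return bytes.fromhex(hex_text)


def validate_auth_key(hex_text, algo):
    """True if a manually entered key has the length the algorithm needs."""
    return len(bytes.fromhex(hex_text)) == KEY_BYTES[algo]


def password_to_key(password, algo):
    """RFC 3414 A.2: hash 1,048,576 bytes of the repeated password."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(user_key, engine_id, algo):
    """RFC 3414 2.6: bind the user key to one SNMP engine."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def localized_key_from_password(password, engine_id, algo):
    return localize_key(password_to_key(password, algo), engine_id, algo)


if __name__ == "__main__":
    engine = parse_engine_id("00:00:00:00:00:00:00:00:00:00:00:02")
    for algo in ("md5", "sha1"):
        key = localized_key_from_password("maplesyrup", engine, algo)
        print(algo, len(key), key.hex())
```

Because the stored key is bound to the engine ID, the same password under a different Engine ID no longer verifies, which fits the guide's note that changing the local Engine ID deletes the SNMPv3 User Database.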
STEP 1 Click System > SNMP > Security > Groups. The SNMP Groups Page opens:
SNMP Groups Page
The SNMP Groups Page contains the following fields:
• Group Name — Displays the user-defined group to which privileges are applied.
• Security Model — Defines the SNMP version attached to the group. The possible field values are:
  - SNMPv1 — SNMPv1 is defined for the group.
  - SNMPv2 — SNMPv2 is defined for the group.
  - SNMPv3 — SNMPv3 is defined for the group.
• Operation — Defines the group access rights, which are per view. The possible field values are:
  - Read — The management access is restricted to read-only, and changes cannot be made to the assigned SNMP view.
  - Write — The management access is read-write and changes can be made to the assigned SNMP view.
  - Notify — Sends traps for the assigned SNMP view.
STEP 2 Click the Add button.
  - Authentication — Authenticates SNMP messages, and ensures the SNMP messages origin is authenticated.
  - Privacy — Encrypts SNMP message.
• Operation — Defines the group access rights, which are per view. The possible field values are:
  - Default — Defines the default group access rights.
  - DefaultSuper — Defines the default group access rights for administrator.
STEP 3 Define the relevant fields.
STEP 4 Click Apply.
  - SNMPv3 — SNMPv3 is defined for the group.
• Security Level — Defines the security level attached to the group. Security levels apply to SNMPv3 only.
  - No Authentication — Neither the Authentication nor the Privacy security levels are assigned to the group.
  - Authentication — Authenticates SNMP messages, and ensures the SNMP messages origin is authenticated.
  - Privacy — Encrypts SNMP message.
• Operation — Defines the group access rights.
STEP 1 Click System > SNMP > Security > Communities. The SNMP Communities Page opens:
SNMP Communities Page
The SNMP Communities Page is divided into the following tables:
• Basic Table
• Advanced Table
The SNMP Communities Basic Table area contains the following fields:
• Management Station — Displays the management station IP address for which the basic SNMP community is defined.
• Group Name — Displays advanced SNMP communities group name.
STEP 2 Click the Add button. The Add SNMP Community Page opens.
Add SNMP Community Page
The Add SNMP Community Page allows network managers to define and configure new SNMP communities. The Add SNMP Community Page contains the following fields:
• Supported IP Format — Indicates the supported IP version. The possible values are:
  - — Indicates the device supports IPv6.
• Basic — Enables SNMP Basic mode for a selected community and contains the following fields:
• Access Mode — Defines the access rights of the community. The possible field values are:
  - Read Only — Management access is restricted to read-only, and changes cannot be made to the community.
  - Read Write — Management access is read-write and changes can be made to the device configuration, but not to the community.
Edit SNMP Community Page
The Edit SNMP Community Page contains the following fields:
• SNMP Management — Defines the management station IP address for which the SNMP community is defined.
• Community String — Defines the password used to authenticate the management station to the device.
Configure either the Basic Mode or the Advanced Mode.
STEP 4 Click Apply. The device is updated.

Defining Trap Management

This section contains the following topics:
• Defining Trap Settings
• Configuring Station Management
• Defining SNMP Filter Settings

Defining Trap Settings

The Trap Settings Page contains parameters for defining SNMP notification parameters.
STEP 1 Click System > SNMP > Trap Management > Trap Settings.
• Enable SNMP Notification — Specifies whether the device can send SNMP notifications. The possible field values are:
  - Checked — Enables SNMP notifications.
  - Unchecked — Disables SNMP notifications.
• Enable Authentication Notification — Specifies whether SNMP authentication failure notification is enabled on the device. The possible field values are:
  - Checked — Enables the device to send authentication failure notifications.
STEP 1 Click System > SNMP > Trap Management > Station Management. The Station Management Page opens:
Station Management Page
The Station Management Page contains two areas, the SNMPv1,2 Notification Recipient and the SNMPv3 Notification Recipient table. The SNMPv1,2 Notification Recipient table area contains the following fields:
• Recipients IP — Indicates the IP address to which the traps are sent.
• Notification Type — Defines the notification sent.
• Filter Name — Indicates the SNMP filter for which the SNMP Notification filter is defined.
• Timeout — Indicates the amount of time (seconds) the device waits before resending informs. The default is 15 seconds.
• Retries — Indicates the number of times the device re-sends an inform request. The default is 3 seconds.
Add SNMP Notification Recipient Page
The Add SNMP Notification Recipient Page contains information for defining filters that determine whether traps are sent to specific users, and the trap type sent.
  - Trap — Indicates traps are sent.
  - Inform — Indicates informs are sent.
Either SNMPv1,2 or SNMPv3 may be used as the version of traps, with only one version enabled at a single time. The SNMPv1,2 Notification Recipient area contains the following fields:
• SNMPv1,2 — Enables SNMPv1,2 as the Notification version.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The SNMP Notification Recipient settings are defined, and the device is updated.

Modifying SNMP Notifications

The Edit SNMP Notification Recipient Page allows system administrators to define notification settings.
  - Inform — Indicates informs are sent.
Either SNMPv1,2 or SNMPv3 may be used as the version of traps, with only one version enabled at a single time. The SNMPv1,2 Notification Recipient area contains the following fields:
• SNMPv1,2 — Enables SNMPv1,2 as the Notification version.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The SNMP Notification Receivers are defined, and the device is configured.

Defining SNMP Filter Settings

The Filter Settings Page permits filtering traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Filter Settings Page also allows network managers to filter notifications.
STEP 1 Click System > SNMP > Trap Management > Filter Settings.
  - Excluded — Restricts sending OID traps or informs.
  - Included — Sends OID traps or informs.
STEP 2 Click the Add button. The Add SNMP Notification Filter Page opens:
Add SNMP Notification Filter Page
The Add SNMP Notification Filter Page contains the following fields:
• Filter Name — Contains a list of user-defined notification filters.
• New Object Identifier Tree — Displays the OID for which notifications are sent or blocked.
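How a list of included and excluded OID subtrees decides whether one OID is visible, for both SNMP views (Object ID Subtree and View Type) and notification filters, as an added Python example that is not the device's code. It assumes the longest-matching-subtree rule of the SNMP view-based access control model (RFC 3415) without subtree masks, and that an OID matching no entry is not in the view; the guide does not state the evaluation order. Arcs below the private MIB root 1.3.6.1.4.1.9.6 are constructed.

```python
VIEW_TYPES = ("included", "excluded")


def parse_oid(text):
    """Turn '1.3.6.1.2.1' (leading dot allowed) into a tuple of ints."""
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a numeric OID: %r" % text)
    return tuple(int(p) for p in parts)


def _check(view):
    for subtree, view_type in view:
        if view_type not in VIEW_TYPES:
            raise ValueError("unknown view type: %r" % view_type)
        parse_oid(subtree)


def in_view(view, oid):
    """True if `oid` is visible through `view`.

    `view` is a list of (subtree, "included" | "excluded") pairs. The most
    specific (longest) subtree that is a prefix of the OID decides. Arcs are
    compared as integers, so 1.3.6.1.4.1.96 is not under 1.3.6.1.4.1.9.
    """
    _check(view)
    target = parse_oid(oid)
    best_len, best_type = -1, "excluded"    # assumed default: not in view
    for subtree, view_type in view:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_type = len(prefix), view_type
    return best_type == "included"


def ineffective_exclusions(view):
    """Excluded subtrees with no included ancestor: they hide nothing,
    because everything outside an included subtree is already hidden."""
    _check(view)
    included = [parse_oid(s) for s, t in view if t == "included"]
    result = []
    for subtree, view_type in view:
        if view_type != "excluded":
            continue
        prefix = parse_oid(subtree)
        if not any(prefix[:len(inc)] == inc for inc in included):
            result.append(subtree)
    return result


# Constructed read-only view: standard mib-2 plus the private MIB root,
# minus one constructed private branch.
SAMPLE_VIEW = [
    ("1.3.6.1.2.1", "included"),
    ("1.3.6.1.4.1.9.6", "included"),
    ("1.3.6.1.4.1.9.6.1.101.89", "excluded"),
    ("1.3.6.1.6.3", "excluded"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.4.1.9.6.1.101.89.2",
                "1.3.6.1.4.1.96.1"):
        print(oid, in_view(SAMPLE_VIEW, oid))
    print("ineffective:", ineffective_exclusions(SAMPLE_VIEW))
```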
Chapter 13: Managing System Files

The configuration file structure consists of the following configuration files:
• Startup Configuration File — Contains the commands required to reconfigure the device to the same settings as when the device is powered down or rebooted. The Startup file is created by copying the configuration commands from the Running Configuration file or the Backup Configuration file.
Firmware Upgrade

Firmware files are downloaded as required for upgrading the firmware version or for backing up the system configuration. File names cannot contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”).
• Supported IP Format — Indicates the supported IP version. The possible values are:
  - — Indicates the device supports IPv6.
  - — Indicates the device supports IPv4.
• IPv6 Address Type — Displays the IPv6 Type. The possible field values are:
  - Link local — Indicates the IPv6 address is link-local, that uniquely identifies hosts on a single network link. A Link-local address has a prefix of ‘FE80’.
was started or rebooted. When the device shuts down or reboots the next time, this configuration becomes the Starting Configuration.
• Starting configuration — Contains the parameter definitions which were valid in the Running Configuration when the system last rebooted or shut down.
• Backup configuration — Contains a copy of the system configuration for protection against system shutdown, or for maintenance of a specific operating state.
Via TFTP
• — Specifies that the configuration file is associated with a upgrade.
• — Specifies that the configuration file contains the system backup configuration.
Via HTTP
• Source File — Name of the configuration file.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. The device is updated.

Copy Files

All software images on the stack must be identical to ensure proper operation of the stack.
STEP 1 Click Admin > File Management > Copy Files. The Copy Files Page opens:
Copy Files Page
The Copy Files Page contains the following fields:
• Copy Master Firmware — Indicates the Stacking Master image or boot file to copy. The possible field values are:
  - Source — Copies the current Stacking Master’s firmware.
  - Destination Unit — Defines the stacking member to which the firmware is downloaded.
Active Image

The Active Image Page allows network managers to select the Image files. For a stackable device, the active image is indicated/selected per stack unit. Images are activated only after the device is reset.
STEP 1 Click Admin > File Management > Active Image. The Active Image Page opens:
Active Image Page
The Active Image Page contains the following fields:
• Unit No. — Indicates the unit number for which the Image file is selected.
Chapter 14: Managing Power-over-Ethernet Devices

Power-over-Ethernet (PoE) provides power to devices over existing LAN cabling, without updating or modifying the network infrastructure. Power-over-Ethernet removes the necessity of placing network devices next to power sources.
STEP 1 Click Bridging > Port Management > PoE Settings. The PoE Settings Page opens:
PoE Settings Page
The PoE Settings Page displays the currently configured PoE ports and contains the following information:
• Port — Displays the selected port number.
• Admin Status — Indicates whether PoE is enabled or disabled on the port. The possible values are:
  - Enable — Enables PoE on the port. This is the default setting.
Edit PoE Settings Page
The Edit PoE Settings Page contains the following fields:
• Port — Indicates the specific interface for which PoE parameters are defined, and assigned to the powered interface connected to the selected port.
• Enable PoE — Enables or disables PoE on the port. The possible values are:
  - Checked — Enables PoE on the port. This is the default setting.
  - Unchecked — Disables PoE on the port.
• Power Consumption — Indicates the amount of power in milliwatts assigned to the powered device connected to the selected interface.
• Overload Counter — Indicates the total power overload occurrences.
• Short Counter — Indicates the total power shortage occurrences.
• Denied Counter — Indicates times the powered device was denied power.
Chapter 15: Managing Device Diagnostics

This section contains information for configuring port mirroring, running cable tests, and viewing device operational information, and includes the following topics:
• Viewing Integrated Cable Tests
• Performing Optical Tests
• Configuring Port Mirroring
• Viewing CPU Utilization

Viewing Integrated Cable Tests

The Copper Ports Page contains fields for performing tests on copper cables.
STEP 1 Click Admin > Diagnostics > Copper Ports. The Copper Ports Page opens:
Copper Ports Page
The Copper Ports Page contains the following fields:
• Unit Number — Indicates the unit number on which the tests are performed.
• Port — Displays the port list.
• Test Result — Displays the cable test results. Possible values are:
  - No Cable — Indicates that a cable is not connected to the port.
STEP 3 The following message appears:
STEP 4 Click OK. The Copper Ports Page opens:
Copper Ports Results Page
The Copper Ports Results Page contains the following fields:
• Port — Specifies port to which the cable is connected.
• Test Result — Displays the cable test results. Possible values are:
  - OK — Indicates that a cable passed the test.
  - No Cable — Indicates that a cable is not connected to the port.
• Approximate Cable Length — Indicates the estimated cable length. This test can only be performed when the port is up and operating at 1 Gbps.
For testing on GE ports, an Advanced button opens the Copper Cable Extended Feature Screen.
Advanced Cable Test Screen - GE Ports
The Copper Cable Extended Feature Screen contains the following fields.
• Cable Status — Displays the cable status.
STEP 5 Click Done to close the window.

Performing Optical Tests

The Optical Test Page allows network managers to perform tests on Fiber Optic cables. Optical transceiver diagnostics can be performed only when the link is present.
Optical Test Page
The Optical Test Page contains the following fields:
• Port — Displays the port number on which the cable is tested.
• Temperature — Displays the temperature (C) at which the cable is operating.
• Loss of Signal — Indicates if a signal loss occurred in the cable.
• Data Ready — Indicates the data status.

Configuring Port Mirroring

Port Mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from one port to a monitoring port. Port mirroring can be used as a diagnostic tool and/or a debugging feature. Port mirroring also enables switch performance monitoring.
• Type — Indicates the port mode configuration for port mirroring. The possible field values are:
  - RxOnly — Defines the port mirroring for receive traffic only on the selected port.
  - TxOnly — Defines the port mirroring on transmitting ports. This is the default value.
  - Tx and Rx — Defines the port mirroring on both receiving and transmitting ports.
• Status — Indicates if the port is currently monitored.
STEP 3 Define the relevant fields.
STEP 4 Click Apply. Port mirroring is added, and the device is updated.

Modifying Port Mirroring

STEP 1 Click Admin > Diagnostics > Port Mirroring. The Port Mirroring Page opens:
STEP 2 Click the Edit Button. The Edit Port Mirroring Page opens:
Edit Port Mirroring Page
The Edit Port Mirroring Page contains the following fields:
• Source Port — Indicates the port from which traffic is to be analyzed.
Viewing CPU Utilization

The CPU Utilization Page contains information about the system’s CPU utilization.
CPU Utilization Page
The CPU Utilization Page contains the following fields:
• CPU Utilization — Displays CPU resource utilization information. The possible field values are:
  - Enabled — Enables viewing CPU utilization information. This is the default value.
  - Disabled — Disables viewing the CPU utilization information.
  - 60 Sec — Indicates that the CPU utilization statistics are refreshed every 60 seconds.
• Usage Percentages — Graph’s y-axis indicates the percentage of the CPU’s resources consumed by the device.
• Time — Graph’s x-axis indicates the time, in 15, 30, or 60 second intervals, that usage samples are taken.
Chapter 16: Managing System Logs

The System Logs enable viewing device events in real time, and recording the events for later usage. System Logs record and manage events and report errors or informational messages. Event messages have a unique format, as per the SYSLOG protocol’s recommended message format for all error reporting.
STEP 1 Click Admin > Logs > Logs Settings. The Log Settings Page opens.

Log Settings Page

The Log Settings Page contains the following fields:
• Enable Logging — Indicates if message logging is enabled globally in the device.
• Severity — The following are the available severity levels:
  - Emergency — The system is not functioning.
  - Alert — The system needs immediate attention.
  - Critical — The system is in a critical state.
• Memory Logs — The selected Severity types will appear in chronological order in all system logs that are saved in RAM (Cache). After restart, these logs are deleted.
• Log Flash — The selected Severity types will be sent to the Logging file kept in FLASH memory. After restart, this log is not deleted.

STEP 2 Define the relevant fields.
STEP 3 Click Apply. The device is updated.
• Log Time — Displays the time at which the log entry was generated.
• Severity — Displays the event severity.
• Description — Displays the log message text.

Clearing Message Logs

Message Logs can be cleared from the Memory Page. To clear the Memory Page:

STEP 1 Click Admin > Logs > Memory. The Memory Page opens.
STEP 2 Click the Clear Logs button. The message logs are cleared.
STEP 1 Click Admin > Logs > Flash. The Flash Page opens:

Flash Page

The Flash Page contains the following fields:
• Log Index — Displays the log entry number.
• Log Time — Displays the time at which the log entry was generated.
• Severity — Displays the event severity.
• Description — Displays the log message text.

Clearing Flash Logs

Flash Logs can be cleared from the Flash Page. To clear the Flash Page:

STEP 2 Click Clear Logs.
Viewing Remote Logs

The Remote Log Servers Page contains information for viewing and configuring the Remote Log Servers. New log servers and the minimum severity level of events sent to them may be added.

STEP 1 Click Admin > Logs > Remote Log Servers. The Remote Log Servers Page opens:

Remote Log Servers Page

The Remote Log Servers Page contains the following fields:
• Server — Specifies the server IP address to which logs can be sent.
The following are the available log severity levels:
  - Emergency — The highest warning level. If the device is down or not functioning properly, an emergency log message is saved to the specified logging location.
  - Alert — The second highest warning level. An alert log is saved, if there is a serious device malfunction; for example, all device features are down.
  - Critical — The third highest warning level.
Add Syslog Server Page

The Add Syslog Server Page contains fields for defining new Remote Log Servers. The Add Syslog Server Page contains the following fields:
• Supported IP Format — Provides the supported IP format: Version 6 or Version 4.
• IPv6 Address type — Indicates the IPv6 Type. The possible field values are:
  - Link Local — Indicates the IPv6 address is link-local.
  - Global — Indicates the IPv6 address is global Unicast.
• Description — Provides a user-defined server description.
• Minimum Severity — Indicates the minimum severity level of logs that are sent to the server. For example, if Notice is selected, all logs from a Notice severity and higher are sent to the remote server. The following are the available log severity levels:
  - Emergency — The highest warning level.
Edit Syslog Server Page

The Edit Syslog Server Page contains fields for modifying Remote Log Server settings. The Edit Syslog Server Page contains the following fields:
• Server — Specifies the name of the Remote Log Server to which logs can be sent.
• UDP Port — Defines the UDP port to which the server logs are sent. The possible range is 1 to 65535. The default value is 514.
  - Critical — The third highest warning level. A critical log is saved if a critical device malfunction occurs; for example, two device ports are not functioning, while the rest of the device ports remain functional.
  - Error — A device error has occurred, for example, if a single port is offline.
  - Warning — The lowest level of a device warning. The device is functioning, but an operational problem has occurred.
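The Minimum Severity setting described above can be checked from the collector side. The following is an added example, not part of the Cisco guide: it decodes the standard syslog PRI header of each received datagram and flags messages that are less severe than the configured minimum, which points to a switch whose setting differs from what was intended. It assumes the standard numeric severity coding (0 = Emergency to 7 = Debug) and the standard names Informational and Debug for the two levels the guide's list does not reach; the host name and sample datagrams are constructed.

```python
import re

# Severity names in descending urgency. The list index is the numeric
# severity carried in the low three bits of the syslog PRI value
# (assumption: standard syslog coding, not stated in the guide).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split a raw syslog datagram into (facility, severity name, rest).

    Returns None when the PRI header is missing or outside 0-191.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri >> 3, SEVERITIES[pri & 7], m.group(2)


def is_forwarded(severity, minimum):
    """True if `severity` is at least as severe as the Minimum Severity."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def audit(lines, minimum):
    """Classify received datagrams against the configured Minimum Severity."""
    report = {"expected": [], "below_minimum": [], "malformed": []}
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            report["malformed"].append(line)
            continue
        _facility, severity, _rest = parsed
        bucket = "expected" if is_forwarded(severity, minimum) else "below_minimum"
        report[bucket].append((severity, line))
    return report


# Constructed sample datagrams (not captured from a real device).
SAMPLE = [
    "<187>Jan  1 00:01:10 switch1 example: port e5 link down",   # Error
    "<189>Jan  1 00:01:12 switch1 example: user logged in",      # Notice
    "<190>Jan  1 00:01:15 switch1 example: configuration saved", # Informational
    "Jan  1 00:01:20 switch1 example: no PRI header",
    "<999>example: PRI out of range",
]

if __name__ == "__main__":
    result = audit(SAMPLE, "Notice")
    for bucket, items in result.items():
        print(bucket, len(items))
```

With Minimum Severity set to Notice, any entry in `below_minimum` means the collector is receiving Informational or Debug traffic the server entry should have filtered out.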
17 Viewing Statistics Viewing Ethernet Statistics

Viewing Statistics

This section describes device statistics for RMON, interfaces, GVRP, EAP, and Etherlike statistics.
STEP 1 Click Statistics > Ethernet > Interface. The Ethernet Interface Page opens:

Ethernet Interface Page

The Ethernet Interface Page contains the following fields:
• Interface — Indicates the interface for which statistics are displayed. The possible field values are:
  - Port — Defines the specific port for which Ethernet statistics are displayed.
  - LAG — Defines the specific LAG for which Ethernet statistics are displayed.
• Total Bytes (octets) — Displays the number of octets received on the interface since the page was last refreshed. This number includes bad packets and FCS octets, but excludes framing bits.
• Unicast Packets — Displays the number of good Unicast packets received on the interface since the page was last refreshed.
• Multicast Packets — Displays the number of good Multicast packets received on the interface since the page was last refreshed.
STEP 1 Click Statistics > Ethernet > Etherlike. The Etherlike Page opens:

Etherlike Page

The Etherlike Page contains Ethernet-like interface statistics. The Etherlike Page contains the following fields:
• Interface — Indicates the interface for which statistics are displayed. The possible field values are:
  - Port — Defines the specific port for which Etherlike statistics are displayed.
• Frame Check Sequence (FCS) Errors — Displays the number of FCS errors received on the selected interface.
• Single Collision Frames — Displays the number of single collision frames received on the selected interface.
• Late Collisions — Displays the number of late collision frames received on the selected interface.
STEP 1 Click Statistics > Ethernet > GVRP. The GVRP Page opens:

GVRP Page

The GVRP Page is divided into two areas, GVRP Statistics Table and GVRP Error Statistics Table. The following fields are relevant for both tables:
• Interface — Specifies the interface type for which the statistics are displayed.
  - Port — Indicates if port statistics are displayed.
  - LAG — Indicates if LAG statistics are displayed.
• Empty — Displays the device GVRP Empty statistics.
• Leave Empty — Displays the device GVRP Leave Empty statistics.
• Join In — Displays the device GVRP Join In statistics.
• Leave In — Displays the device GVRP Leave In statistics.
• Leave All — Displays the device GVRP Leave All statistics.

The GVRP Error Statistics Table contains the following fields:
• Invalid Protocol ID — Displays the device GVRP Invalid Protocol ID statistics.
STEP 1 Click Statistics > Ethernet > EAP. The EAP Page opens:

EAP Page

The EAP Page contains the following fields:
• Unit Number — Indicates the stacking member for which the EAP statistics are displayed.
• Port — Indicates the port which is polled for statistics.
• Refresh Rate — Defines the amount of time that passes before the EAP statistics are refreshed.
• Start Frames Receive — Indicates the number of EAPOL Start frames received on the port.
• Log off Frames Receive — Indicates the number of EAPOL Logoff frames that have been received on the port.
• Respond ID Frames Receive — Indicates the number of EAP Resp/Id frames that have been received on the port.
• Respond Frames Receive — Indicates the number of EAP Resp/Id frames that have been received on the port.
Viewing RMON Statistics

The RMON Statistics Page contains fields for viewing information about device utilization and errors that occurred on the device. To view the RMON statistics:

STEP 1 Click Statistics > RMON > Statistics. The RMON Statistics Page opens:

RMON Statistics Page

The RMON Statistics Page contains the following fields:
• Interface — Indicates the interface for which statistics are displayed.
  - 30 Sec — Indicates that the RMON statistics are refreshed every 30 seconds.
  - 60 Sec — Indicates that the RMON statistics are refreshed every 60 seconds.
• Received Bytes (Octets) — Displays the number of octets received on the interface since the page was last refreshed. This number includes bad packets and FCS octets, but excludes framing bits.
• Dropped Events — Displays the number of packets that were dropped.
STEP 2 Select an interface in the Interface field. The RMON statistics are displayed.

Resetting RMON Statistics Counters

STEP 3 Click the Reset Counters button. The RMON statistics counters are cleared.
STEP 1 Click Statistics > RMON > History. The RMON History Control Page opens.

RMON History Control Page

The RMON History Control Page contains the following fields:
• History Entry No. — Number automatically assigned to the table entry number.
• Source Interface — Displays the interface (port or LAG) from which the history samples were taken. The possible field values are:
  - Ports — Specifies the port from which the RMON information was taken.
Add RMON History Page

The Add RMON History Page contains the following fields:
• New History Entry — Number automatically assigned to the table entry number.
• Source Interface — Select the interface (port or LAG) from which the history samples will be taken. The possible field values are:
  - Port — Specifies the port from which the RMON information is taken.
  - LAG — Specifies the LAG from which the RMON information is taken.
Edit RMON History Page

The Edit RMON History Page contains the following fields:
• History Entry No. — Displays the entry number for the History Control Table page.
• Source Interface — Displays the interface (port or LAG) from which the history samples are taken. The possible field values are:
  - Port — Specifies the port from which the RMON information is taken.
  - LAG — Specifies the LAG from which the RMON information is taken.
To view the RMON History Table:

STEP 1 Click Statistics > RMON > History. The RMON History Control Page opens:
STEP 2 Click the History Table button. The RMON History Table Page opens:

RMON History Table Page

The RMON History Table Page contains the following fields:
• History Entry No. — Displays the entry number for the History Control Table page.
• Owner — Displays the RMON station or user that requested the RMON information.
STEP 3
• Received Packets — Displays the number of packets received on the interface since the page was last refreshed, including bad packets, Multicast and Broadcast packets.
• Broadcast Packets — Displays the number of good Broadcast packets received on the interface since the page was last refreshed. This number does not include Multicast packets.
STEP 1 Click Statistics > RMON > Events. The RMON Events Page opens:

RMON Events Page

The RMON Events Page contains the following fields:
• Event Entry — Displays the event index number.
• Community — Displays the SNMP community string.
• Description — Displays the event description.
• Type — Describes the event type. Possible values are:
  - None — No action occurs.
  - Log — The device adds a log entry.
  - Trap — The device sends a trap.
Add RMON Events Page

The Add RMON Events Page contains the following fields:
• Event Entry — Indicates the event entry index number.
• Community — Displays the SNMP community string.
• Description — Displays a user-defined event description.
• Type — Describes the event type. Possible values are:
  - None — No action occurs.
  - Log — The device adds a log entry.
  - Trap — The device sends a trap.
Edit RMON Events Page

The Edit RMON Events Page contains the following fields:
• Entry Event No. — Displays the event entry index number.
• Community — Displays the SNMP community string.
• Description — Displays the user-defined event description.
• Type — Describes the event type. Possible values are:
  - None — No action occurs.
  - Log — The device adds a log entry.
  - Trap — The device sends a trap.
RMON Events Log Page

The RMON Events Log Page contains the following fields:
• Event — Displays the RMON Events Log entry number.
• Log No. — Displays the log number.
• Log Time — Displays the time when the log entry was entered.
• Description — Displays the log entry description.

To return to the RMON Events Page, click the RMON Events Control button.

Defining RMON Alarms

The RMON Alarms Page contains fields for setting network alarms.
STEP 1 Click Statistics > RMON > Alarms. The RMON Alarms Page opens:

RMON Alarms Page

The RMON Alarms Page contains the following fields:
• Alarm Entry — Indicates the alarm entry number.
• Counter Name — Displays the selected MIB variable.
• Interface — Displays the interface (port or LAG) for which RMON statistics are displayed. The possible field values are:
  - Port — Displays the RMON statistics for the selected port.
• Rising Threshold — Displays the rising counter value that triggers the rising threshold alarm. The rising threshold is presented on top of the graph bars. Each monitored variable is designated a color.
• Rising Event — Selects an event which is defined in the Events table that triggers the rising threshold alarm. The Events Table is displayed in the RMON Events page.
Add RMON Alarm Page

The Add RMON Alarm Page contains the following fields:
• Alarm Entry — Indicates the alarm entry number.
• Interface — Displays the interface (port or LAG) for which RMON statistics are displayed. The possible field values are:
  - Port — Displays the RMON statistics for the selected port.
  - LAG — Displays the RMON statistics for the selected LAG.
• Counter Name — Displays the selected MIB variable.
• Falling Threshold — Displays the falling counter value that triggers the falling threshold alarm. The falling threshold is graphically presented on top of the graph bars. Each monitored variable is designated a color.
• Falling Event — Selects an event which is defined in the Events table that triggers the falling threshold alarm. The Events Table is displayed in the RMON Events Page.
Edit RMON Alarm Page

The Edit RMON Alarm Page contains the following fields:
• Alarm Entry — Indicates the alarm entry number.
• Interface — Displays the interface (port or LAG) for which RMON statistics are displayed. The possible field values are:
  - Port — Displays the RMON statistics for the selected port.
  - LAG — Displays the RMON statistics for the selected LAG.
• Counter Name — Displays the selected MIB variable.
• Falling Threshold — Displays the falling counter value that triggers the falling threshold alarm. The falling threshold is graphically presented on top of the graph bars. Each monitored variable is designated a color.
• Falling Event — Selects an event which is defined in the Events table that triggers the falling threshold alarm. The Events Table is displayed in the RMON Events Page.
To view policer statistics:

STEP 1 Click Quality of Service > QoS Statistics > Aggregated Policer Statistics. The Policer Statistics Page opens:

Policer Statistics Page

The Policer Statistics Page contains the following fields:
• Interface — Displays the interface (port or LAG) for which Policer statistics are displayed. The possible field values are:
  - Ports — Displays the Policer statistics for the selected port.
STEP 3 Click Apply. The Policer Statistics accumulation configuration is modified, and the device is updated.

Viewing Aggregated Policer Statistics

To view Aggregated Policer Statistics:

STEP 1 Click Quality of Service > QoS Statistics > Aggregate Policer. The Aggregate Policer Page opens:

The window contains the following fields:
• Aggregate Policer — Indicates the port or LAG on which the packets were received.
STEP 1 Click Quality of Service > QoS Statistics > Queues Statistics. The Queues Statistics Page opens:

Queues Statistics Page

The Queues Statistics Page contains the following fields:
STEP 2
• Set — Displays the counter set. The possible field values are:
  - Set 1 — Displays the statistics for Set 1. Set 1 contains all interfaces and all queues with a high DP.
  - Set 2 — Displays the statistics for Set 2.
Add Queues Statistics Page

The Add Queues Statistics Page contains the following fields:
• Select Counter Set — Selects the counter set.
• Interface — Defines the ports for which statistics are displayed. The possible field values are:
  - Unit No. — Selects the unit number.
  - Port — Selects the port on the selected unit number for which statistics are displayed.
  - All Ports — Specifies that statistics are displayed for all ports.
Resetting Queues Statistics Counters

STEP 1 Click Quality of Service > QoS Statistics > Queues Statistics. The Queues Statistics Page opens:

Click Clear Counters. The Queues statistics counters are cleared.
18 Aggregating Ports

Aggregating Ports

Link Aggregated Groups (LAGs) optimize port usage by linking a group of ports together to form a single aggregated group. Link aggregated groups multiply the bandwidth between the devices, increase port flexibility, and provide link redundancy. The device supports both static LAGs and Link Aggregation Control Protocol (LACP) LAGs. LACP LAGs negotiate aggregating port links with other LACP ports located on a different device.
• Configuring LACP

Defining LAG Management

Ports added to a LAG lose their individual port configuration. When ports are removed from the LAG, the original port configuration is applied to the ports. To define LAG management:

STEP 1 Click Bridging > Port Management > LAG Management. The LAG Management Page opens:

LAG Management Page

The LAG Management Page contains the following fields.
• LAG — Displays the LAG number.
• Name — Displays the LAG name.
STEP 2 Define the relevant fields.
STEP 3 Click Apply. LAG Management is defined, and the device is updated.

Modifying LAG Membership

STEP 1 Click Bridging > Port Management > LAG Management. The LAG Management Page opens:
STEP 2 Click the Edit button. The Edit LAG Membership Page opens:

Edit LAG Membership Page

The Edit LAG Membership Page contains the following fields.
STEP 3
• LAG — Displays the LAG number.
• LAG Name — Displays the LAG name.
STEP 4 Click Apply. The LAG membership is defined, and the device is updated.

Defining LAG Settings

Link Aggregated Groups optimize port usage by linking a group of ports together to form a single aggregated group. Link aggregated groups multiply the bandwidth between the devices, increase port flexibility, and provide link redundancy. The LAG Settings Page contains fields for configuring parameters for configured LAGs.
STEP 2
• Copy From Entry Number — Copies the LAG configuration from the specified table entry.
• To Entry Number(s) — Assigns the copied LAG configuration to the specified table entry.
• LAG — Displays the LAG ID number.
• Description — Displays the user-defined port name.
• Type — Displays the port types that comprise the LAG.
• Status — Indicates if the LAG is currently operating.
Edit LAG Page

The Edit LAG Page contains the following fields:
• LAG — Displays the LAG ID number.
• Description — Displays the user-defined port name.
• LAG Type — Indicates the port types that comprise the LAG.
• Admin Status — Enables or disables traffic forwarding through the selected LAG.
• Current LAG Status — Indicates if the LAG is currently operating.
advertise its transmission rate, and flow control (the flow control default is disabled) abilities to its partner.
• Current Auto Negotiation — Displays the current Auto Negotiation setting.
• Admin Advertisement — Specifies the capabilities to be advertised by the LAG. The possible field values are:
  - Max Capability — Indicates that all LAG speeds and Duplex mode settings can be accepted.
Configuring LACP

Aggregate ports can be linked into link-aggregation port-groups. Each group is comprised of ports with the same speed, set to full-duplex operations. Aggregated Links can be manually set up or automatically established by enabling Link Aggregation Control Protocol (LACP) on the relevant links.
• Port Priority — Defines the LACP priority value for the port. The field range is 1-65535.
• LACP Timeout — Administrative LACP timeout. The possible field values are:
  - Short — Defines a short timeout value.
  - Long — Defines a long timeout value. This is the default value.

Modify LACP Parameter Settings

STEP 2 Click the Edit button.