ECS2100-10T/PE/P ECS2100-28T/P/PP 10/28-Port Web-Smart Pro Gigabit Ethernet Switch Web Management Guide Software Release v1.2.2.31 www.edge-core.
Web Management Guide ECS2100-10T Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) Ports and 2 Gigabit SFP Ports ECS2100-10PE Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) 802.3 af/at PoE Ports with 2 Gigabit SFP Ports (PoE Power Budget: 65W) ECS2100-10P Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) 802.
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read this Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
How to Use This Guide For information on how to install the switch, see the following guide: Installation Guide For all safety information and regulatory statements, see the following documents: Quick Start Guide Safety and Regulatory Information Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions.
How to Use This Guide Revision Date v1.2.2.
Contents Section I How to Use This Guide 3 Contents 7 Figures 19 Tables 31 Getting Started 33 1 Introduction 35 Key Features 35 Description of Software Features 36 Configuration Backup and Restore 36 Authentication 36 Access Control Lists 37 Port Configuration 37 Rate Limiting 37 Port Mirroring 37 Port Trunking 37 Storm Control 37 Static MAC Addresses 38 IP Address Filtering 38 IEEE 802.
Contents Address Resolution Protocol 40 Multicast Filtering 40 Link Layer Discovery Protocol 41 System Defaults Section II 41 Web Configuration 45 2 Using the Web Interface 47 Connecting to the Web Interface 47 Navigating the Web Browser Interface 48 Dashboard 48 Configuration Options 50 Panel Display 51 Main Menu 52 3 Basic Management Tasks 69 Displaying System Information 70 Displaying Hardware/Software Versions 71 Configuring Support for Jumbo Frames 72 Displaying Bridge
Contents Displaying CPU Utilization 96 Configuring CPU Guard 97 Displaying Memory Utilization 98 Resetting the System 99 Using Cloud Management 103 4 Interface Configuration 105 Port Configuration 106 Configuring by Port List 106 Configuring by Port Range 108 Displaying Connection Status 109 Showing Port or Trunk Statistics 110 Displaying Statistical History 114 Displaying Transceiver Data 118 Configuring Transceiver Thresholds 119 Performing Cable Diagnostics 122 Trunk Config
Contents Adding an Interface to a QinQ Tunnel Protocol VLANs 165 166 Configuring Protocol VLAN Groups Configuring MAC-based VLANs 6 Address Table Settings 167 168 171 Displaying the Dynamic Address Table 171 Clearing the Dynamic Address Table 172 Changing the Aging Time 173 Configuring MAC Address Learning 174 Setting Static Addresses 176 Issuing MAC Address Traps 178 7 Spanning Tree Algorithm 181 Overview 181 Configuring Loopback Detection 183 Configuring Global Settings for STA 1
Contents Overview 219 Configuring a Class Map 220 Creating QoS Policies 223 Attaching a Policy Map to a Port 226 11 VoIP Traffic Configuration 229 Overview 229 Configuring VoIP Traffic 230 Configuring Telephony OUI 231 Configuring VoIP Traffic Ports 232 12 Security Measures 235 AAA (Authentication, Authorization and Accounting) 236 Configuring Local/Remote Logon Authentication 237 Configuring Remote Logon Authentication Servers 238 Configuring AAA Accounting 243 Configuring AAA
Contents Configuring a Standard IPv4 ACL 280 Configuring an Extended IPv4 ACL 282 Configuring a Standard IPv6 ACL 284 Configuring an Extended IPv6 ACL 285 Configuring a MAC ACL 287 Configuring an ARP ACL 289 Binding a Port to an Access Control List 291 Showing ACL Hardware Counters 292 Filtering IP Addresses for Management Access 295 Configuring Port Security 297 Configuring 802.1X Port Authentication 299 Configuring 802.
Contents Sending Simple Mail Transfer Protocol Alerts Link Layer Discovery Protocol 337 339 Setting LLDP Timing Attributes 339 Configuring LLDP Interface Attributes 341 Configuring LLDP Interface Civic-Address 345 Displaying LLDP Local Device Information 347 Displaying LLDP Remote Device Information 351 Displaying Device Statistics 357 Power over Ethernet 359 Setting the Switch’s Overall PoE Power Budget 359 Setting the Port PoE Power Budget 361 Simple Network Management Protocol 364
Contents Configuring Interface Settings for LBD Smart Pair Configuration 412 413 Configuring the Smart Pair Global Settings 414 Configuring Smart Pair Interface Settings 414 Show the Configured Smart Pair IDs 415 Display the Configured Smart Pair Port Members and Restore the Traffic 416 14 Multicast Filtering 417 Overview 417 Layer 2 IGMP (Snooping and Query for IPv4) 418 Configuring IGMP Snooping and Query Parameters 420 Specifying Static Interfaces for a Multicast Router 424 Assigning
Contents Using the Trace Route Function 470 Address Resolution Protocol 472 Basic ARP Configuration 473 Displaying Dynamic or Local ARP Entries 474 Displaying ARP Statistics 475 16 IP Configuration 477 Setting the Switch’s IP Address (IP Version 4) Configuring IPv4 Interface Settings 477 477 Setting the Switch’s IP Address (IP Version 6) 481 Configuring the IPv6 Default Gateway 482 Configuring IPv6 Interface Settings 482 Configuring an IPv6 Address 487 Showing IPv6 Addresses 489 Sho
Contents Specifying an Administrative Distance 517 Configuring Network Interfaces for RIP 518 Displaying RIP Interface Settings 522 Displaying Peer Router Information 522 Resetting RIP Statistics 523 19 IP Services 525 Domain Name Service Section III 525 Configuring General DNS Service Parameters 525 Configuring a List of Domain Names 526 Configuring a List of Name Servers 528 Configuring Static DNS Host to Address Entries 529 Displaying the DNS Cache 530 Multicast Domain Name Serv
Glossary 559
Figures Figure 1: Dashboard 49 Figure 2: Front Panel Indicators 51 Figure 3: System Information 70 Figure 4: General Switch Information 71 Figure 5: Configuring Support for Jumbo Frames 72 Figure 6: Displaying Bridge Extension Configuration 74 Figure 7: Copy Firmware 76 Figure 8: Saving the Running Configuration 77 Figure 9: Setting Start-Up Files 78 Figure 10: Displaying System Files 79 Figure 11: Configuring Automatic Code Upgrade 82 Figure 12: Manually Setting the System Clock 84
Figures Figure 30: Restarting the Switch (Regularly) 102 Figure 31: Configuring the Switch for Cloud Management 103 Figure 32: Configuring Connections by Port List 108 Figure 33: Configuring Connections by Port Range 109 Figure 34: Displaying Port Information 110 Figure 35: Showing Port Statistics (Table) 113 Figure 36: Showing Port Statistics (Chart) 114 Figure 37: Configuring a History Sample 116 Figure 38: Showing Entries for History Sampling 116 Figure 39: Showing Status of Statistica
Figures Figure 65: Configuring an sFlow Receiver 145 Figure 66: Showing sFlow Receivers 145 Figure 67: Configuring an sFlow Instance 146 Figure 68: Showing sFlow Instances 147 Figure 69: Enabling Traffic Segmentation 148 Figure 70: Configuring Members for Traffic Segmentation 150 Figure 71: Showing Traffic Segmentation Members 150 Figure 72: VLAN Compliant and VLAN Non-compliant Devices 152 Figure 73: Creating Static VLANs 155 Figure 74: Modifying Settings for Static VLANs 155 Figure 75
Figures Figure 100: Configuring Global Settings for STA (MSTP) 190 Figure 101: Displaying Global Settings for STA 191 Figure 102: Determining the Root Port 193 Figure 103: Configuring Interface Settings for STA 196 Figure 104: STA Port Roles 197 Figure 105: Displaying Interface Settings for STA 198 Figure 106: Creating an MST Instance 200 Figure 107: Displaying MST Instances 200 Figure 108: Modifying the Priority for an MST Instance 201 Figure 109: Displaying Global Settings for an MST In
Figures Figure 135: Configuring Port Settings for a Voice VLAN 234 Figure 136: Configuring the Authentication Sequence 238 Figure 137: Authentication Server Operation 238 Figure 138: Configuring Remote Authentication Server (RADIUS) 241 Figure 139: Configuring Remote Authentication Server (TACACS+) 242 Figure 140: Configuring AAA Server Groups 242 Figure 141: Showing AAA Server Groups 243 Figure 142: Configuring Global Settings for AAA Accounting 245 Figure 143: Configuring AAA Accounting M
Figures Figure 170: Creating an ACL 279 Figure 171: Showing a List of ACLs 280 Figure 172: Configuring a Standard IPv4 ACL 281 Figure 173: Configuring an Extended IPv4 ACL 284 Figure 174: Configuring a Standard IPv6 ACL 285 Figure 175: Configuring an Extended IPv6 ACL 287 Figure 176: Configuring a MAC ACL 289 Figure 177: Configuring a ARP ACL 291 Figure 178: Binding a Port to an ACL 292 Figure 179: Showing ACL Statistics 295 Figure 180: Creating an IP Address Filter for Management Acces
Figures Figure 205: Configuring LLDP Timing Attributes 341 Figure 206: Configuring LLDP Interface Attributes 345 Figure 207: Configuring the Civic Address for an LLDP Interface 346 Figure 208: Showing the Civic Address for an LLDP Interface 347 Figure 209: Displaying Local Device Information for LLDP (General) 350 Figure 210: Displaying Local Device Information for LLDP (Port) 350 Figure 211: Displaying Local Device Information for LLDP (Port Details) 350 Figure 212: Displaying Remote Device
Figures Figure 240: Showing SNMP Notification Logs 390 Figure 241: Showing SNMP Statistics 391 Figure 242: Configuring an RMON Alarm 394 Figure 243: Showing Configured RMON Alarms 395 Figure 244: Configuring an RMON Event 396 Figure 245: Showing Configured RMON Events 397 Figure 246: Configuring an RMON History Sample 398 Figure 247: Showing Configured RMON History Samples 399 Figure 248: Showing Collected RMON History Samples 399 Figure 249: Configuring an RMON Statistical Sample 401 F
Figures Figure 275: Showing Interface Settings for IGMP Snooping 434 Figure 276: Dropping IGMP Query or Multicast Data Packets 435 Figure 277: Showing Multicast Groups Learned by IGMP Snooping 436 Figure 278: Displaying IGMP Snooping Statistics – Query 438 Figure 279: Displaying IGMP Snooping Statistics – VLAN 439 Figure 280: Displaying IGMP Snooping Statistics – Port 439 Figure 281: Displaying IGMP Snooping Statistics – Port 440 Figure 282: Enabling IGMP Filtering and Throttling 441 Figure
Figures Figure 310: Pinging a Network Device 470 Figure 311: Tracing the Route to a Network Device 472 Figure 312: Proxy ARP 473 Figure 313: Configuring General Settings for ARP 474 Figure 314: Displaying ARP Entries 475 Figure 315: Displaying ARP Statistics 475 Figure 316: Configuring a Static IPv4 Address 479 Figure 317: Configuring a Dynamic IPv4 Address 480 Figure 318: Showing the Configured IPv4 Address for an Interface 481 Figure 319: Configuring the IPv6 Default Gateway 482 Figur
Figures Figure 345: Configuring a Network Interface for RIP 521 Figure 346: Showing RIP Network Interface Settings 521 Figure 347: Showing RIP Interface Settings 522 Figure 348: Showing RIP Peer Information 523 Figure 349: Resetting RIP Statistics 523 Figure 350: Configuring General Settings for DNS 526 Figure 351: Configuring a List of Domain Names for DNS 527 Figure 352: Showing the List of Domain Names for DNS 527 Figure 353: Configuring a List of Name Servers for DNS 528 Figure 354: S
Tables Table 1: Key Features 35 Table 2: System Defaults 41 Table 3: Web Page Configuration Buttons 50 Table 4: Switch Main Menu 52 Table 5: Predefined Summer-Time Parameters 92 Table 6: Port Statistics 110 Table 7: Traffic Segmentation Forwarding 148 Table 8: Recommended STA Path Cost Range 192 Table 9: Default STA Path Costs 193 Table 10: Default Mapping of CoS/CFI Values to Queue/CFI 215 Table 11: Default Mapping of DSCP Values to Queue/CFI 217 Table 12: Dynamic QoS Profiles 258
Table 30: Show IPv6 Statistics - display description 493 Table 31: Show MTU - display description 498 Table 32: Options 60, 66 and 67 Statements 533 Table 33: Options 55 and 124 Statements 533 Table 34: Troubleshooting Chart 553
Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1: Key Features (Continued)
◆ IEEE 802.1D Bridge – Supports dynamic data switching and address learning
◆ Store-and-Forward Switching – Supported to ensure wire-speed switching while eliminating bad frames
◆ Spanning Tree Algorithm – Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
◆ Virtual LANs – Up to 4094 using IEEE 802.
authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server). Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, and IP address filtering for SNMP/Telnet/web management access. MAC address filtering and IP source guard also restrict which hosts may send traffic through a port.
Static MAC Addresses
A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port. Note that a MAC address is chosen by the sending host and can be copied by any other host, so a static address ties a port to an identifier, not to a verified device; use 802.1X or MAC authentication where the identity of the host matters.
members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
Virtual LANs
The switch supports up to 4094 VLANs. A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Ports can be manually assigned to a specific set of VLANs.
based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
IP Routing
The switch provides Layer 3 IP routing.
Link Layer Discovery Protocol
LLDP is used to discover basic information about neighboring devices within the local broadcast domain. LLDP is a Layer 2 protocol that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers. LLDP is enabled by default on this switch (see Table 2), so every directly connected device receives this advertisement unless LLDP is disabled globally or adjusted per interface (see “Configuring LLDP Interface Attributes” on page 341). Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
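The TLV format described above is what any device on the same link receives from this switch. As an added example, not code from this guide or from Edgecore, the following Python parses a constructed LLDPDU the way a neighbouring host would and lists the identifying fields it obtains without authenticating to anything. The frame bytes, the MAC address, the port name and the system description are made up for the example; the TLV layout (2-byte header with a 7-bit type and 9-bit length, followed by the value) is the IEEE 802.1AB encoding.

```python
"""
Minimal IEEE 802.1AB (LLDP) TLV parser. Example code written for this page,
not part of the switch firmware or of Edgecore's documentation.
"""
import struct

# TLV type codes; types 1-3 are mandatory in every LLDPDU and type 0 terminates it.
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address", 127: "Organizationally Specific",
}
CHASSIS_SUBTYPES = {4: "MAC address", 5: "Network address", 7: "Locally assigned"}
PORT_SUBTYPES = {3: "MAC address", 5: "Interface name", 7: "Locally assigned"}


def decode_tlv(tlv_type: int, value: bytes) -> dict:
    """Decode the value field of the common TLV types into something readable."""
    tlv = {"type": tlv_type, "name": TLV_NAMES.get(tlv_type, f"Reserved ({tlv_type})")}
    if tlv_type in (1, 2) and value:
        subtypes = CHASSIS_SUBTYPES if tlv_type == 1 else PORT_SUBTYPES
        mac_subtype = 4 if tlv_type == 1 else 3
        tlv["subtype"] = subtypes.get(value[0], f"subtype {value[0]}")
        tlv["value"] = value[1:].hex(":") if value[0] == mac_subtype else value[1:].decode("ascii", "replace")
    elif tlv_type == 3:
        if len(value) != 2:
            raise ValueError("Time To Live TLV must carry a 2-byte value")
        tlv["value"] = struct.unpack("!H", value)[0]  # seconds the neighbour keeps this entry
    elif tlv_type in (4, 5, 6):
        tlv["value"] = value.decode("utf-8", "replace")
    else:
        tlv["value"] = value.hex()
    return tlv


def parse_lldpdu(data: bytes) -> list:
    """Walk the TLV chain: 2-byte header (7-bit type, 9-bit length), then the value.
    Raises ValueError on a truncated TLV or a missing End of LLDPDU."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        value = data[offset:offset + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} at offset {offset - 2} is truncated")
        offset += length
        tlvs.append(decode_tlv(tlv_type, value))
        if tlv_type == 0:
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def disclosed_identity(tlvs: list) -> dict:
    """The fields a neighbour can use to identify the device and the port it is on."""
    return {t["name"]: t["value"] for t in tlvs if t["type"] in (1, 2, 5, 6, 8)}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (used here only to construct the sample frame)."""
    if not 0 <= tlv_type < 128 or len(value) >= 512:
        raise ValueError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU, not a capture from a real switch: the kind of
# advertisement a switch with LLDP left at its default (enabled) sends on every port.
SAMPLE_LLDPDU = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("00e0abcd0101")),             # chassis ID, MAC subtype (made up)
    build_tlv(2, b"\x05" + b"Eth 1/8"),                                 # port ID, interface-name subtype
    build_tlv(3, struct.pack("!H", 120)),                               # TTL: 120 seconds
    build_tlv(5, b"switch-lab-01"),                                     # system name (made up)
    build_tlv(6, b"Hypothetical Gigabit Switch, firmware 1.2.2.31"),    # system description (made up)
    build_tlv(0, b""),                                                  # end of LLDPDU
])

if __name__ == "__main__":
    for name, val in disclosed_identity(parse_lldpdu(SAMPLE_LLDPDU)).items():
        print(f"{name}: {val}")
```

Running the module prints the chassis MAC, the port name, the system name and the firmware string: exactly the inventory an attacker wants before looking up advisories for a platform, which is why LLDP belongs only on ports that face other infrastructure you manage.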
Table 2: System Defaults (Continued)
Authentication and Security Measures
◆ Privileged Exec Level – Username “admin”, Password “admin”
◆ Normal Exec Level – Username “guest”, Password “guest”
◆ Enable Privileged Exec from Normal Exec Level – Password “super”
◆ RADIUS Authentication – Disabled
◆ TACACS+ Authentication – Disabled
◆ 802.
Note: These user names and passwords are printed in this guide, so anyone who can reach the management interface can try them. Change all three passwords before the switch is connected to a production network, and consider enabling RADIUS or TACACS+ so that administrator logons are checked centrally rather than only against the local accounts.
Spanning Tree Algorithm
◆ Status – Disabled
◆ Edge Ports – Auto
LLDP
◆ Status – Enabled
Virtual LANs
◆ Default VLAN – 1
◆ PVID – 1
◆ Acceptable Frame Type – All
◆ Ingress Filtering – Enabled
◆ Switchport Mode (Egress Mode) – Hybrid
◆ QinQ Tunneling – Disabled
◆ Ingress Port Priority – 0
◆ Queue Mode – WRR
◆ Queue Weight – Queue 0, 1, 2, 3, 4, 5, 6, 7: Weight 1, 2, 4, 6, 8, 10, 12, 14
◆ Class of Service – Enabled
◆ IP Precedence Priority
SNTP
◆ Clock Synchronization – Disabled
Switch Clustering
◆ Status – Disabled
◆ Commander – Disabled
Section II Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
◆ "Unicast Routing" on page 505
◆ "IP Services" on page 525
2 Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 9, Mozilla Firefox 39, Google Chrome 44, or more recent versions).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. Telnet and plain HTTP carry the logon credentials and every configuration change in cleartext. The switch also supports SSH and HTTPS for management, and an IP address filter for SNMP/Telnet/web management access (see “Authentication” on page 36); use the encrypted protocols on any network you do not fully control, and limit management access to the stations that need it.
switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings for STA” on page 191.
Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
Figure 1: Dashboard
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3: Web Page Configuration Buttons
◆ Apply – Sets specified values to the system.
Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 4: Switch Main Menu
◆ Dashboard – Displays system information, CPU utilization, temperature, and top 5 most active interfaces.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Reset Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval 99 Cloud Manage Configures the switch for management through ecCLOUD 103 Interface 105 Port 106 General 106 Configure by Port List Configures connection settings per port 106 Configure by Port Range Configures connection settings for a range of por
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Trunk 128 Configure Configures connection settings 128 Show Displays port connection status 128 Statistics Shows Interface, Etherlike, and RMON port statistics 110 Chart Shows Interface, Etherlike, and RMON port statistics 110 Load Balance Sets the load-distribution method among ports in aggregated links 133 History Shows statistical history for
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Show Description Page Shows configured protocol groups 167 MAC-Based 168 Add Maps traffic with specified source MAC address to a VLAN 168 Show Shows source MAC address to VLAN mapping 168 MAC Address 171 Dynamic Configure Aging Sets timeout for dynamically learned entries 173 Show Dynamic MAC Displays dynamic entries in the address table 171 Clear Dynamic MAC Removes any
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Displays interface settings for an MST instance 203 Rate Limit Sets the input and output rate limits for a port 205 Storm Control Sets the broadcast storm threshold for each interface 206 Default Priority Sets the default priority for each port or trunk 209 Queue Sets queue mode for the switch; sets the service weight for each queue 210 that will use a weighted
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Security 235 AAA System Authentication Authentication, Authorization and Accounting 236 Configures authentication sequence – local, RADIUS, and TACACS 237 Server Configure Server 238 Configures RADIUS and TACACS server message exchange settings Configure Group 238 238 Add Specifies a group of authentication servers and sets the priority sequence 238 Show Sho
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Network Access Configure Global Description Page MAC address-based network access authentication 257 Enables aging for authenticated MAC addresses, and sets the time 259 period after which a connected MAC address must be reauthenticated Configure Interface General 260 Enables MAC authentication on a port; sets the maximum number of 260 address that can be authenticated, the guest VLAN,
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Port Security Configures per port security, including status, response for security breach, and maximum allowed MAC addresses 297 Port Authentication IEEE 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Administration 333 Log 334 System 334 Configure Global Stores error messages in local memory 334 Show System Logs Shows logged error messages 334 Remote Configures the logging of messages to a remote logging process 336 SMTP Sends an SMTP client message to a participating server 337 LLDP Configure Global 339 Configures global LLDP timing parameters Conf
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure View 369 Add View Adds an SNMP v3 view of the OID MIB 369 Show View Shows configured SNMP v3 views 369 Add OID Subtree Specifies a part of the subtree for the selected view 369 Show OID Subtree Shows the subtrees assigned to each view 369 Configure Group 372 Add Adds a group with access policies for assigned users 372 Show Shows configured gro
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page History Periodically samples statistics on a physical interface 397 Statistics Enables collection of statistics on a physical interface 400 History Shows sampling parameters for each entry in the history group 397 Statistics Shows sampling parameters for each entry in the statistics group 400 History Shows sampled data for each entry in the history group 397
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Ping Sends ICMP echo request packets to another node on the network 463 Trace Route Shows the route packets take to the specified destination 464 ARP Shows entries in the Address Resolution Protocol cache 466 Tools IP 477 General Routing Interface Add Address Configures an IP interface for a VLAN 477 Show Address Shows the IP interfaces assigned to a VLAN 4
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Name Server Specifies IP address of name servers for dynamic lookup 528 Show Name Servers Shows the name server address list 528 Static Host Table 529 Add Configures static entries for domain name to address mapping 529 Show Shows the list of static mapping entries 529 Modify Modifies the static address mapped to the selected host name 529 Displays cac
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Forwarding Entry Page Displays the current multicast groups learned through IGMP Snooping 435 Filter Configure General 440 Enables IGMP filtering for the switch Configure Profile 441 441 Add Adds IGMP filter profile; and sets access mode 441 Show Shows configured IGMP filter profiles 441 Add Multicast Group Range Assigns multicast groups to selected profile 441 S
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Query Drop Configures the interface to drop MLD query packets 468 Group Information Displays known multicast groups, member ports, the means by which each group was learned, and the corresponding source list 453 Statistics 454 Input Shows statistics for MLD ingress traffic 451 Output Shows statistics for MLD egress traffic 451 Query Shows statistics for quer
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Configures RIP parameters for each interface, including send and receive versions, authentication, and method of loopback prevention 518 Show Shows the RIP parameters set for each interface 518 Modify Modifies RIP parameters for an interface 518 Statistics * 522 Show Interface Information Shows RIP settings, and statistics on RIP protocol messages 522 Sh
3 Basic Management Tasks This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions ◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames. ◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Displaying System Information
Use the System > General page to identify the system by displaying information such as the device name, location and contact information.
Parameters
These parameters are displayed:
◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
◆ System Up Time – Length of time the management agent has been up.
Displaying Hardware/Software Versions
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Parameters
The following parameters are displayed:
Main Board Information
◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
◆ Hardware Version – Hardware version of the main board.
Configuring Support for Jumbo Frames
Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks. Compared to standard Ethernet frames that run only up to 1.
Displaying Bridge Extension Capabilities
Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Web Interface
To view Bridge Extension information:
1. Click System, then Capability.
Figure 6: Displaying Bridge Extension Configuration
Managing System Files
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
Copying Files via FTP/SFTP/TFTP or HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, SFTP, TFTP or HTTP.
◆ Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similar to Secure Copy (SCP), using SSH for user authentication and data encryption. Although the underlying premises of SFTP are similar to SCP, it requires some additional steps to verify the protocol versions and perform security checks.
Note: Of these methods, only SFTP authenticates the file server and encrypts the transfer. FTP and TFTP send the firmware image, the configuration file and the FTP logon in cleartext, so an attacker on the path can read a configuration being backed up or substitute a firmware image being restored. Use SFTP wherever the file server supports it, and confine FTP/TFTP transfers to an isolated management network.
Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
Note: The maximum number of user-defined configuration files is 8.
Note: The file “Factory_Default_Config.cfg” can be copied to a file server or management station, but cannot be used as the destination file name on the switch.
Web Interface
To copy firmware files:
1. Click System, then File.
2.
Saving the Running Configuration to a Local File
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can subsequently be set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
Setting the Start-up File
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
Web Interface
To set a file to use for system initialization:
1. Click System, then File.
2. Select Set Start-Up from the Action list.
3.
Chapter 3 | Basic Management Tasks Managing System Files Figure 10: Displaying System Files Automatic Operation Use the System > File (Automatic Operation Code Upgrade) page to automatically Code Upgrade download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
Chapter 3 | Basic Management Tasks Managing System Files series.bix and ECS2100-Series.bix are considered to be unique files. Thus, if the upgrade file is stored as ECS2100-Series.bix (or even EcS2100-Series.bix) on a case-sensitive server, then the switch (requesting ecs2100-series.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options:
■ ftp://192.168.0.1/ – The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory.
■ ftp://switches:upgrade@192.168.0.1/ – The user name is “switches” and the password is “upgrade”.
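The URL rules above (anonymous FTP when the user name is empty, a dotted IPv4 host, a directory relative to the server root) and the case-sensitivity pitfall described earlier can be checked before the feature is enabled. The following Python is an added illustration, not code from the switch or from Edgecore; the only page-specific value it uses is the lower-case image name ecs2100-series.bix that the guide says the switch requests.

```python
from urllib.parse import urlsplit, unquote

# File name the switch requests during automatic upgrade (always lower case,
# per the guide's example for the ECS2100 series).
REQUESTED_IMAGE = "ecs2100-series.bix"


def parse_upgrade_url(url):
    """Split an auto-upgrade URL into the fields the guide describes.

    ftp://[user[:password]@]host/[dir/]  or  tftp://host/[dir/]
    An FTP URL without a user name is treated as "anonymous" with a blank
    password, as the guide states. Returns a dict of the parsed fields.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ftp", "tftp"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    # The guide requires a dotted IPv4 address; DNS names are not recognized.
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("host must be a dotted IPv4 address: %r" % host)
    user = unquote(parts.username) if parts.username else ""
    password = unquote(parts.password) if parts.password else ""
    if parts.scheme == "ftp" and not user:
        user, password = "anonymous", ""
    return {
        "scheme": parts.scheme,
        "host": host,
        "user": user,
        "password": password,
        # Directory relative to the server root; nested paths are allowed.
        "filedir": parts.path.strip("/"),
    }


def image_visible_to_switch(listing, case_sensitive=True):
    """Return the stored file name the server would serve for the switch's
    request, or None when a case-sensitive server would not match it."""
    for name in listing:
        if name == REQUESTED_IMAGE:
            return name
        if not case_sensitive and name.lower() == REQUESTED_IMAGE:
            return name
    return None


def audit_upgrade_source(url, listing, case_sensitive=True):
    """Pre-flight checks an administrator can run before enabling the feature.
    Returns a list of findings; an empty list means no problem was found."""
    findings = []
    fields = parse_upgrade_url(url)
    if fields["scheme"] == "ftp" and fields["user"] != "anonymous":
        # The credentials become part of the switch configuration, so they
        # are exposed to anyone who can read or back up that configuration.
        findings.append("FTP credentials are embedded in the upgrade URL")
    if image_visible_to_switch(listing, case_sensitive) is None:
        findings.append("no file named %s is visible to the switch (check case)"
                        % REQUESTED_IMAGE)
    return findings
```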
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.2.1.3; new version 1.2.1.6
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
Setting the System Clock
◆ Year – Sets the year. (Range: 1970-2037)
Web Interface
To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5.
5. Click Apply.
Figure 13: Setting the Polling Interval for SNTP
Configuring NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
Parameters
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 14: Configuring NTP
Configuring Time Servers
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
Specifying SNTP Time Servers
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 15: Specifying SNTP Time Servers
Specifying NTP Time Servers
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to three NTP time servers.
Parameters
The following parameters are displayed:
◆ NTP Server IP Address – Sets the IPv4 address for up to three time servers.
Figure 16: Adding an NTP Time Server
To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.
Figure 17: Showing the NTP Time Server List
Specifying NTP Authentication Keys
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Web Interface
To add an entry to the NTP authentication key list:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.
Figure 18: Adding an NTP Authentication Key
To show the list of configured NTP authentication keys:
1. Click System, then Time.
2.
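The key index and MD5 key string entered on this page are the two halves of NTP symmetric-key authentication: the sender appends the key ID and an MD5 digest of the key concatenated with the packet, and the receiver recomputes the digest with the key it has stored under that ID. The Python below is an added illustration, not the switch's own code; it assumes the key string is used as raw bytes (as with an ASCII key) and that the packet has no extension fields.

```python
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48            # bytes, without the optional authenticator
AUTHENTICATOR_LEN = 4 + 16     # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_ntp_client_request(unix_time=None):
    """Build a minimal NTPv4 client (mode 3) header with a transmit timestamp."""
    if unix_time is None:
        unix_time = time.time()
    header = bytearray(NTP_HEADER_LEN)
    header[0] = 0x23  # LI=0, VN=4, Mode=3 (client)
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", header, 40, secs, frac)  # transmit timestamp field
    return bytes(header)


def append_md5_authenticator(packet, key_id, key):
    """Append the NTP symmetric-key authenticator: the 32-bit key ID followed
    by MD5(key || packet). `key` is the raw key configured on both ends."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_md5_authenticator(packet, keys):
    """Check a received packet against a table {key_id: key}.
    Returns the key ID that authenticated the packet, or None if the packet is
    unauthenticated, names an unknown key ID, or carries a wrong digest."""
    if len(packet) != NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return None
    body = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received = packet[NTP_HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + body).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return key_id if hmac.compare_digest(expected, received) else None
```

The digest proves only that the sender held the shared key; the time packet itself still travels in the clear, so the key index and string have to be distributed to the servers out of band.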
Setting the Time Zone
Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Figure 20: Setting the Time Zone
Configuring Summer Time
Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Table 5: Predefined Summer-Time Parameters
Region      | Start Time, Day, Week, & Month      | End Time, Day, Week, & Month        | Rel.
Australia   | 00:00:00, Sunday, Week 5 of October | 23:59:59, Sunday, Week 5 of March   | 60 min
Europe      | 00:00:00, Sunday, Week 5 of March   | 23:59:59, Sunday, Week 5 of October | 60 min
New Zealand | 00:00:00, Sunday, Week 1 of October | 23:59:59, Sunday, Week 3 of March   |
USA         | 02:00:00, Sunday, Week 2 of March   |                                     |
Figure 21: Configuring Summer Time
Configuring the Console Port
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
◆ Stop Bits – Sets the number of stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
◆ Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None.
Configuring Telnet Settings
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.
Web Interface
To configure Telnet parameters:
1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.
Figure 24: Displaying CPU Utilization
Configuring CPU Guard
Use the System > CPU Guard page to set the CPU utilization high and low watermarks (as a percentage of CPU time utilized) and the CPU high and low thresholds (as the number of packets being processed per second).
Parameters
The following parameters are displayed:
◆ CPU Guard Status – Enables CPU Guard.
◆ Trap Status – If enabled, an alarm message will be generated when utilization exceeds the high watermark or exceeds the maximum threshold. (Default: Disabled)
Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered.
Web Interface
To display memory utilization:
1. Click System, then Memory Status.
Figure 26: Displaying Memory Utilization
Resetting the System
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
Command Usage
◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test.
◆ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.)
■ hours – The number of hours, combined with the minutes, before the switch resets. (Range: 0-576)
■ minutes – The number of minutes, combined with the hours, before the switch resets. (Range: 0-59)
◆ At – Specifies a time at which to reload the switch.
■ DD - The day of the month at which to reload.
Figure 27: Restarting the Switch (Immediately)
Figure 28: Restarting the Switch (In)
– 101 –
Figure 29: Restarting the Switch (At)
Figure 30: Restarting the Switch (Regularly)
Using Cloud Management
Use the System > Cloud Manage page to enable the cloud management agent on the switch. The Edgecore ecCLOUD Controller is a cloud-based network service available from anywhere through a web-browser interface. The switch can be managed by the ecCLOUD controller once you have set up an account and registered the device on the system. By default, the cloud management agent is disabled on the switch.
4 Interface Configuration
This chapter describes the following topics:
◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control.
◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form.
◆ Displaying Statistical History – Displays statistical history for the specified interfaces.
Port Configuration
This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.
Configuring by Port List
Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
■ 10h - Supports 10 Mbps half-duplex operation.
■ 10f - Supports 10 Mbps full-duplex operation.
■ 100h - Supports 100 Mbps half-duplex operation.
■ 100f - Supports 100 Mbps full-duplex operation.
■ 1000f - Supports 1000 Mbps full-duplex operation.
■ Sym - Symmetric exchange of transmit and receive pause frames.
Figure 32: Configuring Connections by Port List
Configuring by Port Range
Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Figure 33: Configuring Connections by Port Range
Displaying Connection Status
Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Type – Indicates the port type. (1000BASE-T, 1000BASE SFP)
◆ Name – Interface label.
Web Interface
To display port connection parameters:
1. Click Interface, Port, General.
2. Select Show Information from the Action List.
Figure 34: Displaying Port Information
Showing Port or Trunk Statistics
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 6: Port Statistics (Continued)
Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Table 6: Port Statistics (Continued)
Symbol Errors – Symbol errors occur when port interface hardware cannot decode the bits received electrically from the cable connection. A large number of symbol errors indicates a possible hardware issue.
RMON Statistics
Drop Events – The total number of events in which packets were dropped due to lack of resources.
Table 6: Port Statistics (Continued)
Output Packets per second – Number of packets leaving this interface per second.
Output Utilization – The output utilization rate for this interface.
Web Interface
To show a list of port statistics:
1. Click Interface, Port, Statistics.
2. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization).
3. Select a port from the drop-down list.
4.
Figure 36: Showing Port Statistics (Chart)
Displaying Statistical History
Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces.
Command Usage
◆ For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 110.
◆ To configure statistical history sampling, see “Displaying Statistical History” on page 114.
◆ History Name – Name of sample interval. (Range: 1-32 characters)
◆ Interval – The interval for sampling statistics. (Range: 1-86400 minutes)
◆ Requested Buckets – The number of samples to take. (Range: 1-96)
Show
◆ Port – Port number. (Range: 1-10/28)
◆ History Name – Name of sample interval. (Default settings: 15min, 1day)
◆ Interval – The interval for sampling statistics.
◆ Requested Buckets – The number of samples to take.
Figure 37: Configuring a History Sample
To show the configured entries for a history sample:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show from the Action menu.
3. Select an interface from the Port or Trunk list.
Figure 38: Showing Entries for History Sampling
To show the configured parameters for a sampling entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2.
Figure 39: Showing Status of Statistical History Sample
To show statistics for the current interval of a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
To show ingress or egress traffic statistics for a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
◆ Port – Port number. (Range: 9-10/25-28)
◆ General – Information on connector type and vendor-related parameters.
◆ DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power.
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers.
■ A low-threshold alarm or warning message is sent if the current value is less than or equal to the threshold, and the last sample value was greater than the threshold. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the low threshold and reaches the high threshold.
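Both the CPU Guard trap rule (alarm above the high watermark, re-armed only after utilization drops beneath the low watermark) and the DDM falling-event rule above are hysteresis logic, which is what keeps a value hovering around a threshold from flooding the log with traps. The Python below is an added illustration of both rules as the guide states them, not code from the switch; the sample values are constructed.

```python
def cpu_guard_alarms(samples, high_watermark, low_watermark):
    """CPU Guard trap logic from the guide: an alarm fires when utilization
    exceeds the high watermark; utilization must then drop beneath the low
    watermark before the alarm clears, and exceed the high watermark again
    before a new alarm is raised. Returns a list of (index, event, value)."""
    if not 0 <= low_watermark < high_watermark <= 100:
        raise ValueError("need 0 <= low watermark < high watermark <= 100")
    events, alarm_active = [], False
    for i, util in enumerate(samples):
        if not alarm_active and util > high_watermark:
            events.append((i, "alarm", util))
            alarm_active = True
        elif alarm_active and util < low_watermark:
            events.append((i, "cleared", util))
            alarm_active = False
    return events


def ddm_low_threshold_events(samples, low_threshold, high_threshold):
    """DDM falling-event logic from the guide: a low-threshold event is sent
    when the current value is <= low and the previous sample was > low; no
    further falling event is sent until the value has risen above low and
    reached the high threshold. Returns a list of (index, value)."""
    if low_threshold >= high_threshold:
        raise ValueError("low threshold must be below high threshold")
    events, armed, previous = [], True, None
    for i, value in enumerate(samples):
        if armed and previous is not None and value <= low_threshold < previous:
            events.append((i, value))
            armed = False
        elif not armed and value >= high_threshold:
            armed = True  # re-arm only once the value has recovered to high
        previous = value
    return events


# Constructed samples: CPU utilization in percent, then a DDM reading
# (for example received optical power) that dips below a low threshold twice.
CPU_SAMPLES = [10, 95, 96, 40, 50, 92]
DDM_SAMPLES = [5, 5, 1, 5, 1, 9, 1]
```

With high/low watermarks of 90/45, the CPU samples raise two alarms (indices 1 and 5) with a clear at index 3; with DDM thresholds low 2 and high 8, the dip at index 4 produces no second event because the value never reached the high threshold after the first dip at index 2.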
Performing Cable Diagnostics
Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault. Otherwise, it reports the cable length. It can be used to determine the quality of the cable, connectors, and terminations.
◆ Test Result – The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found. To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics. For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters.
Trunk Configuration
The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP). Static trunks have to be manually configured at both ends of the link, and the switches must comply with the Cisco EtherChannel standard. On the other hand, LACP-configured ports can automatically negotiate a trunked link with LACP-configured ports on another device.
Configuring a Static Trunk
Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
Figure 45: Configuring Static Trunks (diagram: statically configured active links)
Command Usage
◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation.
Figure 46: Creating Static Trunks
To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.
Figure 47: Adding Static Trunk Members
To configure connection parameters for a static trunk:
1. Click Interface, Trunk, Static.
2.
3. Select Configure from the Action list.
4. Modify the required interface settings. (Refer to “Configuring by Port List” on page 106 for a description of the parameters.)
5. Click Apply.
Figure 48: Configuring Connection Parameters for a Static Trunk
To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
Configuring a Dynamic Trunk
Use the Interface > Trunk > Dynamic pages to set the administrative key for an aggregation group, enable LACP on a port, configure protocol parameters for local and partner ports, or to set Ethernet connection parameters.
Parameters
These parameters are displayed:
Configure Aggregator
◆ Admin Key – The LACP administration key is used to identify a specific link aggregation group (LAG) during local LACP setup on the switch. (Range: 0-65535) If the port channel admin key is not set when a channel group is formed (i.e.
Configure Aggregation Port - General
◆ Port – Port identifier. (Range: 1-10/28)
◆ LACP Status – Enables or disables LACP on a port.
Configure Aggregation Port - Actor/Partner
◆ Port – Port number. (Range: 1-10/28)
◆ Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
Note: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
Web Interface
To configure the admin key for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregator from the Step list.
3. Set the Admin Key and timeout mode for the required LACP group.
4. Click Apply.
Figure 52: Enabling LACP on a Port
To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
Figure 53: Configuring LACP Parameters on a Port
To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2.
4. Modify the required interface settings. (See “Configuring by Port List” on page 106 for a description of the interface settings.)
5. Click Apply.
Figure 54: Configuring Connection Settings for a Dynamic Trunk
To show connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.
■ Destination MAC Address: All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-router trunk links where the destination MAC address is the same for all traffic.
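The warning above follows directly from how a destination-MAC hash selects a member link: every frame for the router's single MAC address lands on one link while the others idle. The Python below is an added illustration, not the switch's code; the hash it uses (XOR of the address bytes, modulo the link count) is a stand-in, since the guide does not describe the real algorithm, and the MAC addresses are constructed.

```python
def dst_mac_link(dst_mac, link_count):
    """Pick the trunk member link for a destination MAC address.
    Assumed hash for illustration: XOR of the six address bytes, modulo the
    number of links. The switch's real hash is not described in the guide."""
    raw = bytes.fromhex(dst_mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % dst_mac)
    if link_count < 1:
        raise ValueError("a trunk needs at least one member link")
    digest = 0
    for byte in raw:
        digest ^= byte
    return digest % link_count


def link_distribution(dst_macs, link_count):
    """Count how many destinations each member link would carry."""
    counts = [0] * link_count
    for mac in dst_macs:
        counts[dst_mac_link(mac, link_count)] += 1
    return counts


def links_in_use(dst_macs, link_count):
    """Number of member links that carry any traffic at all."""
    return sum(1 for c in link_distribution(dst_macs, link_count) if c)


# Constructed samples: 64 hosts behind a switch-to-switch trunk versus the
# same 64 flows all addressed to one next-hop router behind a switch-to-router trunk.
MANY_HOSTS = ["00:11:22:33:44:%02x" % i for i in range(64)]
ROUTER_ONLY = ["00:11:22:33:44:55"] * 64
```

On a four-link trunk the host sample spreads across all four links, while the router sample uses exactly one.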
3. Click Apply.
Figure 56: Configuring Load Balancing
Saving Power
Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
Command Usage
◆ The power-saving methods provided by this switch include:
■ Power saving when there is no link partner: Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists.
Parameters
These parameters are displayed:
◆ Port – Power saving mode only applies to the Gigabit Ethernet ports using copper media.
◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Enabled on Gigabit Ethernet RJ-45 ports)
Web Interface
To enable power savings:
1. Click Interface, Green Ethernet.
2.
Configuring Local Port Mirroring
Use the Interface > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
5. Specify the traffic type to be mirrored.
6. Click Apply.
Figure 59: Configuring Local Port Mirroring
To display the configured mirror sessions:
1. Click Interface, Mirror.
2. Select Show from the Action List.
Figure 60: Displaying Local Port Mirror Sessions
Configuring Remote Port Mirroring
Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
Figure 61: Configuring Remote Port Mirroring (diagram: a Source Switch with a Source Port and an Uplink Port, an Intermediate Switch with two Uplink Ports, and a Destination Switch with an Uplink Port and a Destination Port, all joined by the RSPAN VLAN. Ingress or egress traffic is mirrored onto the RSPAN VLAN from the source port; tagged or untagged traffic from the RSPAN VLAN is analyzed at the destination port.)
◆ RSPAN Limitations
The following limitations apply to the use of RSPAN on this switch:
■ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface – source, destination, or uplink. Also, note that the source port and destination port cannot be configured on the same switch.
■ Destination - Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session.
◆ Remote VLAN – The VLAN to which traffic mirrored from the source port will be flooded. The VLAN specified in this field must first be reserved for the RSPAN application using the VLAN > Static page (see page 153).
Figure 62: Configuring Remote Port Mirroring (Source)
Figure 63: Configuring Remote Port Mirroring (Intermediate)
Figure 64: Configuring Remote Port Mirroring (Destination)
Sampling Traffic Flows
The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
◆ Receiver Timeout – The time that the sFlow process will continuously send samples to the Collector before resetting all sFlow port parameters. (Range: 30-10000000 seconds, where 0 indicates no time out) The sFlow parameters affected by this command include the sampling interval, the receiver’s name, address and UDP port, the time out, maximum header size, and maximum datagram size.
◆ Receiver Destination – IP address of the sFlow Collector.
Figure 65: Configuring an sFlow Receiver
Web Interface
To show configured receivers:
1. Click Interface, sFlow.
2. Select Configure Receiver from the Step list.
3. Select Show from the Action list.
data source instance for a specific interface that takes samples periodically based on the number of packets processed.
◆ Data Source – The source from which the samples will be taken and sent to a collector.
◆ Instance ID – An instance ID used to identify the sampling source. (Range: 1)
◆ Sampling Rate – The number of packets out of which one sample will be taken.
3. Select Show from the Action list.
4. Select the owner name from the scroll-down list.
5. Select sFlow type as Sampling or Polling.
Figure 68: Showing sFlow Instances
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
Web Interface
To enable traffic segmentation:
1. Click Interface, Traffic Segmentation.
2. Select Configure Global from the Step list.
3. Mark the Status check box, and set the required uplink-to-uplink mode.
4. Click Apply.
Figure 69: Enabling Traffic Segmentation
Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group.
◆ When traffic segmentation is disabled, all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol.
◆ A port cannot be configured in both an uplink and downlink list.
◆ A port can only be assigned to one traffic-segmentation session.
◆ A downlink port can only communicate with an uplink port in the same session.
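The four rules above define both the configuration constraints and the forwarding decision for a segmented group. The Python below is an added model of those rules, not code from the switch; it assumes that ports outside any session forward normally and that the global uplink-to-uplink mode is either "blocking" or "forwarding", neither of which this page states.

```python
class TrafficSegmentation:
    """Model of the port-based traffic segmentation rules in the guide.

    Assumptions not stated on this page: ports that belong to no session
    forward normally, and the uplink-to-uplink mode is either "blocking" or
    "forwarding" (the guide only says the mode is set globally).
    """

    def __init__(self, enabled=True, uplink_to_uplink="blocking"):
        if uplink_to_uplink not in ("blocking", "forwarding"):
            raise ValueError("uplink_to_uplink must be blocking or forwarding")
        self.enabled = enabled
        self.uplink_to_uplink = uplink_to_uplink
        self.sessions = {}  # session id -> {"uplink": set(), "downlink": set()}

    def assign(self, session, port, role):
        """Add a port to a session as uplink or downlink, enforcing that a port
        is never in both lists and belongs to at most one session."""
        if role not in ("uplink", "downlink"):
            raise ValueError("role must be uplink or downlink")
        owner = self.role_of(port)
        if owner is not None:
            raise ValueError("port %s is already %s in session %s"
                             % (port, owner[1], owner[0]))
        members = self.sessions.setdefault(session, {"uplink": set(), "downlink": set()})
        members[role].add(port)

    def role_of(self, port):
        """Return (session, role) for a port, or None if it is unassigned."""
        for session, members in self.sessions.items():
            for role in ("uplink", "downlink"):
                if port in members[role]:
                    return session, role
        return None

    def may_forward(self, src_port, dst_port):
        """Decide whether a frame may pass from src_port to dst_port."""
        if not self.enabled:
            return True  # normal forwarding; VLANs and spanning tree decide
        src, dst = self.role_of(src_port), self.role_of(dst_port)
        if src is None or dst is None:
            return True  # assumption: unassigned ports are unrestricted
        (src_session, src_role), (dst_session, dst_role) = src, dst
        if "downlink" in (src_role, dst_role):
            # A downlink port only talks to an uplink port in the same session.
            return src_session == dst_session and {src_role, dst_role} == {"uplink", "downlink"}
        # Both ports are uplinks: the global uplink-to-uplink mode decides.
        return self.uplink_to_uplink == "forwarding"
```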
Figure 70: Configuring Members for Traffic Segmentation
To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Show from the Action list.
5 VLAN Configuration
This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
IEEE 802.1Q VLANs
This switch supports the following VLAN features:
◆ Up to 4094 VLANs based on the IEEE 802.1Q standard
◆ Distributed VLAN learning across multiple switches using explicit tagging.
Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
Untagged VLANs – Untagged VLANs are typically used to reduce broadcast traffic and to increase security.
Modify
◆ VLAN ID – ID of configured VLAN (1-4094).
◆ VLAN Name – Name of the VLAN (1 to 32 characters).
◆ Status – Enables or disables the specified VLAN.
◆ L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type.
Figure 73: Creating Static VLANs
To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3. Select the identifier of a configured VLAN.
4. Modify the VLAN name or operational status as required.
5. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface.
6. Click Apply.
To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.
Figure 75: Showing Static VLANs
Adding Static Members to VLANs
Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
◆ PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs Edit Member by Interface All parameters are the same as those described under the preceding section for Edit Member by VLAN. Edit Member by Interface Range All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below. ◆ Port Range – Displays a list of ports. (Range: 1-10/28) ◆ Trunk Range – Displays a list of ports.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs To configure static members by interface: 1. Click VLAN, Static. 2. Select Edit Member by Interface from the Action list. 3. Select a port or trunk configure. 4. Modify the settings for any interface as required. 5. Click Apply. Figure 77: Configuring Static VLAN Members by Interface To configure static members by interface range: 1. Click VLAN, Static. 2. Select Edit Member by Interface Range from the Action list. 3.
IEEE 802.1Q Tunneling
Figure 78: Configuring Static VLAN Members by Interface Range
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.

3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.

6. After packet classification, the packet is written to memory for processing as a single-tagged or double-tagged packet.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.

Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN.

5. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Adding Static Members to VLANs” on page 156).
6. Configure the QinQ tunnel uplink port to Uplink mode (see “Adding an Interface to a QinQ Tunnel” on page 165).
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 156).
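The tag handling in steps 3-8 and the two uplink rules above (native VLAN must not be the SPVLAN; uplink joins the SPVLAN tagged), as an added Python model that is not the guide's or the switch's own code. Port names, the SPVLAN number 100 and the customer frame tagged with VLAN 10 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

STANDARD_TPID = 0x8100          # ethertype of a standard IEEE 802.1Q tag
Tag = Tuple[int, int]           # (TPID, VID), listed outermost first


@dataclass
class Frame:
    tags: List[Tag] = field(default_factory=list)
    payload: bytes = b""


@dataclass
class TunnelPort:
    name: str
    mode: str                                        # "access" (customer side) or "uplink"
    pvid: int                                        # native VID; on an access port this is the SPVLAN
    tagged: Set[int] = field(default_factory=set)    # VLANs carried tagged on egress
    untagged: Set[int] = field(default_factory=set)  # VLANs carried untagged on egress
    tpid: int = STANDARD_TPID                        # TPID of the outer tag on the uplink


def classify_ingress(port: TunnelPort, frame: Frame) -> Tuple[Frame, int]:
    """Return the frame as written to memory and the SPVLAN it was classified into."""
    if port.mode == "access":
        # Customer frame arrives untagged or with one customer tag. The switch pushes
        # an outer tag carrying the access port's native VID (the SPVLAN); the
        # customer's own tag, if present, is kept underneath it.
        outer = (STANDARD_TPID, port.pvid)
        return Frame([outer] + frame.tags, frame.payload), port.pvid
    if port.mode == "uplink":
        # Provider-side frame: an outer tag with the tunnel TPID is the SPVLAN tag.
        if frame.tags and frame.tags[0][0] == port.tpid:
            return frame, frame.tags[0][1]
        # No recognisable outer tag: the frame falls into the uplink's native VLAN.
        return Frame([(STANDARD_TPID, port.pvid)] + frame.tags, frame.payload), port.pvid
    raise ValueError(f"unknown tunnel mode {port.mode!r}")


def egress(port: TunnelPort, frame: Frame, spvlan: int) -> Optional[Frame]:
    """Untagged SPVLAN member: strip the outer tag. Tagged member: send both tags.
    A port that is not a member of the SPVLAN does not forward the frame."""
    if spvlan in port.untagged:
        return Frame(frame.tags[1:], frame.payload)
    if spvlan in port.tagged:
        return Frame([(port.tpid, spvlan)] + frame.tags[1:], frame.payload)
    return None


def forward(ingress_port: TunnelPort, egress_port: TunnelPort, frame: Frame) -> Optional[Frame]:
    stored, spvlan = classify_ingress(ingress_port, frame)
    return egress(egress_port, stored, spvlan)


def check_uplink_config(uplink: TunnelPort, spvlan: int) -> List[str]:
    """Flag the two uplink configuration rules stated in the guide."""
    problems = []
    if uplink.pvid == spvlan:
        problems.append(f"{uplink.name}: native VLAN {spvlan} must not be used as the SPVLAN")
    if spvlan not in uplink.tagged:
        problems.append(f"{uplink.name}: must join SPVLAN {spvlan} as a tagged member")
    return problems


# Constructed scenario (not from the guide): SPVLAN 100 carries customer VLAN 10.
SPVLAN = 100
ACCESS = TunnelPort("port 1", "access", pvid=SPVLAN, untagged={SPVLAN})
UPLINK = TunnelPort("port 2", "uplink", pvid=1, tagged={SPVLAN})
# Misconfigured uplink: SPVLAN reused as native VLAN and carried untagged.
BAD_UPLINK = TunnelPort("port 3", "uplink", pvid=SPVLAN, untagged={SPVLAN})
CUSTOMER_FRAME = Frame([(STANDARD_TPID, 10)], b"customer data")

if __name__ == "__main__":
    toward_core = forward(ACCESS, UPLINK, CUSTOMER_FRAME)
    print("on uplink:", toward_core.tags)              # [(0x8100, 100), (0x8100, 10)]
    back = forward(UPLINK, ACCESS, toward_core)
    print("back to customer:", back.tags)              # [(0x8100, 10)]
    print("config problems:", check_uplink_config(BAD_UPLINK, SPVLAN))
```

Running the same customer frame through BAD_UPLINK shows why the limitation exists: the outer tag is stripped on the untagged uplink, so only the customer's VLAN 10 tag leaves the switch and the provider network can no longer tell customers apart.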
3. Enable Tunnel Status, and specify the TPID if a client attached to a tunnel port is using a non-standard ethertype to identify 802.1Q tagged frames.
4. Click Apply.
Figure 80: Enabling QinQ Tunneling

Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.

Web Interface
To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink.
4. Click Apply.
Figure 81: Adding an Interface to a QinQ Tunnel

Protocol VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Configure Protocol (Add) page.
3. Then map the protocol for each interface to the appropriate VLAN using the Configure Interface (Add) page.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.

6. Enter an identifier for the protocol group.
7. Click Apply.
Figure 82: Configuring Protocol VLANs
To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.
Figure 83: Displaying Protocol VLANs

Configuring MAC-based VLANs
Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses.

Command Usage
◆ The MAC-to-VLAN mapping applies to all ports on the switch.
◆ Source MAC addresses can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.

6. Click Apply.
Figure 84: Configuring MAC-Based VLANs
To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Show from the Action list.
6 Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics:
◆ Dynamic Address Cache – Shows dynamic entries in the address table.

◆ Life Time – Shows the time to retain the specified address.
Web Interface
To show the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Show Dynamic MAC from the Action list.
3. Select the Sort Key (MAC Address, VLAN, or Interface).
4. Enter the search parameters (MAC Address, VLAN, or Interface).
5. Click Query.

Clearing the Dynamic Address Table
Web Interface
To clear the entries in the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Clear Dynamic MAC from the Action list.
3. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
4. Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface.
5. Click Clear.

Changing the Aging Time
4. Specify a new aging time.
5. Click Apply.
Figure 88: Setting the Address Aging Time

Configuring MAC Address Learning
Use the MAC Address > Learning Status page to enable or disable MAC address learning on an interface.
Command Usage
◆ When MAC address learning is disabled, the switch immediately stops learning new MAC addresses on the specified interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-10/28)
◆ Trunk – Trunk Identifier. (Range: 1-8)
◆ Status – The status of MAC address learning. (Default: Enabled)
Web Interface
To enable or disable MAC address learning:
1. Click MAC Address, Learning Status.
2. Set the learning status for any interface.
3. Click Apply.

Setting Static Addresses
Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.

Web Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
4. Click Apply.
Figure 90: Configuring Static MAC Addresses
To show the static addresses in the MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.

Issuing MAC Address Traps
Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed.
Parameters
These parameters are displayed:
Configure Global
◆ MAC Notification Traps – Issues a trap when a dynamic MAC address is added or removed. (Default: Disabled)
◆ MAC Notification Trap Interval – Specifies the interval between issuing two consecutive traps.

To enable MAC address traps at the interface level:
1. Click MAC Address, MAC Notification.
2. Select Configure Interface from the Step list.
3. Enable MAC notification traps for the required ports.
4. Click Apply.
7 Spanning Tree Algorithm
This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.

Overview
Figure 94: STP Root Ports and Designated Ports
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.

Spanning Tree (CST) interconnects all adjacent MST Regions, and acts as a virtual bridge node for communications with STP or RSTP nodes in the global network.
Figure 96: Spanning Tree – Common Internal, Common, Internal
MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST).

Configuring Loopback Detection
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Status – Enables loopback detection on this interface. (Default: Disabled)
◆ Trap – Enables SNMP trap notification for loopback events on this interface. (Default: Disabled)
◆ Release Mode – Configures the interface for automatic or manual loopback release.

Figure 97: Configuring Port Loopback Detection

Configuring Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.
Command Usage
◆ Spanning Tree Protocol – This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.

■ A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

Advanced Configuration Settings
The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard:
◆ Path Cost Method – The path cost is used to determine the best path between devices.

RSTP does not depend on the forward delay timer in most cases. It is able to confirm that a port can transition to the forwarding state without having to rely on any timer configuration. To achieve fast convergence, RSTP relies on the use of edge ports, and automatic detection of point-to-point link types, both of which allow a port to directly transition to the forwarding state.

Figure 98: Configuring Global Settings for STA (STP)
Figure 99: Configuring Global Settings for STA (RSTP)
Figure 100: Configuring Global Settings for STA (MSTP)

Displaying Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.

◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Topology Changes – The number of times the Spanning Tree has been reconfigured.
Note: When showing the Global Settings for MSTP in the web interface, “Topology Changes” is shown as parameter “Configuration Changes”.
◆ Last Topology Change – Time since the Spanning Tree was last reconfigured.

Configuring Interface Settings for STA
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 185) or when spanning tree is disabled on a specific port.

Table 9: Default STA Path Costs
Port Type            Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
Ethernet             65,535                               1,000,000
Fast Ethernet        65,535                               100,000
Gigabit Ethernet     10,000                               10,000
10G Ethernet         1,000                                1,000

Administrative path cost cannot be used to directly determine the root port on a switch. Connections to other devices use IEEE 802.1Q-2005 to determine the root port as in the following example.
by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed. (Default: Disabled)
◆ Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.

configured edge ports should not receive BPDUs. If an edge port receives a BPDU, an invalid configuration exists, such as a connection to an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations because an administrator must manually enable the port.

Figure 103: Configuring Interface Settings for STA

Displaying Interface Settings for STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
Parameters
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.

◆ Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state.
◆ Designated Cost – The cost for a packet to travel from this port to the root in the current Spanning Tree configuration. The slower the media, the higher the cost.

(Figure callout: Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.)
The criteria used for determining the port role are based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
Web Interface
To display interface settings for STA:
1. Click Spanning Tree, STA.
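A worked example of that ordering, added here and not part of the guide or the switch firmware: the BPDU received on each port is turned into the priority vector listed above (root bridge ID, root path cost including this port's long path cost from Table 9, designated bridge, designated port, port priority, port number), the best vector picks the root port, and the remaining ports are labelled alternate, backup or designated. Bridge IDs are plain integers and all BPDU values and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default long path costs from Table 9 (IEEE 802.1D-2004 method).
LONG_PATH_COST = {
    "Ethernet": 1_000_000,
    "Fast Ethernet": 100_000,
    "Gigabit Ethernet": 10_000,
    "10G Ethernet": 1_000,
}

PortId = Tuple[int, int]  # (port priority, port number); lower wins


@dataclass(frozen=True)
class Bpdu:
    root_id: int             # bridge ID the sender believes is the root
    root_path_cost: int      # sender's own cost to that root
    designated_bridge: int   # bridge ID of the sender
    designated_port: PortId  # port ID the sender transmitted on


@dataclass
class Port:
    number: int
    media: str
    received: Optional[Bpdu] = None   # best BPDU heard on this port, if any
    priority: int = 128

    @property
    def port_id(self) -> PortId:
        return (self.priority, self.number)


def root_path_vector(port: Port) -> Tuple[int, int, int, PortId, PortId]:
    """Priority vector in the order the guide lists. Root path cost is the
    received cost plus this port's own path cost; tuple comparison gives
    'lower is better' with the correct tie-break order."""
    b = port.received
    return (b.root_id, b.root_path_cost + LONG_PATH_COST[port.media],
            b.designated_bridge, b.designated_port, port.port_id)


def assign_roles(bridge_id: int, ports: List[Port]) -> Dict[int, str]:
    """Return the STA role of each port: root, alternate, backup or designated."""
    vectors = {p.number: root_path_vector(p) for p in ports if p.received is not None}
    if not vectors:
        # Nothing received: this bridge is the root and every port is designated.
        return {p.number: "designated" for p in ports}
    root_port = min(vectors, key=vectors.get)
    root_id, root_cost = vectors[root_port][:2]
    roles: Dict[int, str] = {}
    for p in ports:
        if p.number == root_port:
            roles[p.number] = "root"
            continue
        rcv = p.received
        if rcv is None or rcv.root_id > root_id:
            # Nothing better heard here; this bridge advertises the root itself.
            roles[p.number] = "designated"
            continue
        # Compare what this bridge would send on the port with what it hears there.
        own = (root_id, root_cost, bridge_id, p.port_id)
        heard = (rcv.root_id, rcv.root_path_cost, rcv.designated_bridge, rcv.designated_port)
        if own < heard:
            roles[p.number] = "designated"
        elif rcv.designated_bridge == bridge_id:
            # A more useful BPDU from this same bridge: the backup port case above.
            roles[p.number] = "backup"
        else:
            roles[p.number] = "alternate"
    return roles


def root_path_cost(ports: List[Port]) -> int:
    """The Root Path Cost value shown under Displaying Global Settings for STA."""
    vectors = [root_path_vector(p) for p in ports if p.received is not None]
    return min(vectors)[1] if vectors else 0


# Constructed scenario (not from the guide). A real bridge ID is priority plus
# MAC address; plain integers are enough here because only ordering matters.
ROOT, NEIGHBOR_A, THIS_BRIDGE, NEIGHBOR_B = 1, 2, 3, 4
PORTS = [
    Port(1, "Gigabit Ethernet", Bpdu(ROOT, 0, ROOT, (128, 1))),              # direct link to root
    Port(2, "Fast Ethernet", Bpdu(ROOT, 10_000, NEIGHBOR_A, (128, 3))),      # root via a neighbor
    Port(3, "Gigabit Ethernet", Bpdu(ROOT, 10_000, THIS_BRIDGE, (128, 1))),  # own BPDU looped back
    Port(4, "Gigabit Ethernet", Bpdu(ROOT, 20_000, NEIGHBOR_B, (128, 1))),   # downstream bridge
    Port(5, "Gigabit Ethernet"),                                             # end station, no BPDU
]

if __name__ == "__main__":
    print("root path cost:", root_path_cost(PORTS))     # 10000
    for number, role in sorted(assign_roles(THIS_BRIDGE, PORTS).items()):
        print(f"port {number}: {role}")
```

Port 2 becomes alternate only because NEIGHBOR_A's bridge ID is lower than this bridge's at equal root path cost, which is the designated-bridge tie-break from the list above.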
Configuring Multiple Spanning Trees
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.
Command Usage
MSTP generates a unique spanning tree for each instance.

Web Interface
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.

To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
Figure 108: Modifying the Priority for an MST Instance
To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3.

To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.

Configuring Interface Settings for MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
Parameters
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Default: 0)
◆ Interface – Displays a list of ports or trunks.
◆ STA Status – Displays the current state of this interface within the Spanning Tree.

Web Interface
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.
Figure 112: Configuring MSTP Interface Settings
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
8 Congestion Control
The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.

Web Interface
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required interface.
4. Set the rate limit for required interfaces.
5. Click Apply.
Figure 114: Configuring Rate Limits

Storm Control
Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds.

◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these features on the same interface.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Type – Indicates the port type. (1000BASE-T, 1000BASE SFP)
◆ Unknown Unicast – Specifies storm control for unknown unicast traffic.

Figure 115: Configuring Storm Control
9 Class of Service
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.

Layer 2 Queue Settings
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2.

the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.

Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.

Figure 119: Setting the Queue Mode (Strict and WRR)

Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.

Setting Priority Processing to DSCP or CoS
The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method.
Command Usage
◆ If the QoS mapping mode is set to DSCP, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.

Figure 120: Setting the Trust Mode

Mapping CoS Priorities to Per-hop Behavior
Use the Traffic > Priority > CoS to Queue page to map CoS/CFI values in incoming packets to per-hop behavior for priority processing.
Command Usage
◆ The default mapping of CoS/CFI to Queue/CFI values is shown below.

Web Interface
To map CoS/CFI values to Queue precedence:
1. Click Traffic, Priority, CoS to Queue.
2. Set the Queue for any of the CoS/CFI combinations.
3. Click Apply.
Figure 121: Configuring CoS to Queue Mapping

Mapping DSCP Priorities to Per-hop Behavior
Use the Traffic > Priority > DSCP to Queue page to map DSCP values in incoming packets to per-hop behavior for priority processing.

Parameters
These parameters are displayed:
◆ Port – Specifies a port.
◆ DSCP – DSCP value in ingress packets. (Range: 0-63)
◆ Queue – Per-hop behavior, or the priority used for this router hop.

Figure 122: Configuring DSCP to Queue Mapping
10 Quality of Service
This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.

Configuring a Class Map
Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value.
3.

◆ Description – A brief description of a class map. (Range: 1-64 characters)
Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value.

To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.
Figure 124: Showing Class Maps
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.

To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Figure 126: Showing the Rules for a Class Map

Creating QoS Policies
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 220).

Add Rule
◆ Policy Name – Name of policy map.
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. A policy map can contain up to 32 class maps.
◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets.

Figure 127: Configuring a Policy Map
To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
Figure 128: Showing Policy Maps
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5.

Figure 129: Adding Rules to a Policy Map
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
Figure 130: Showing the Rules for a Policy Map

Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.

◆ Ingress – Applies the selected rule to ingress traffic.
Web Interface
To bind a policy map to a port:
1. Click Traffic, DiffServ.
2. Select Configure Interface from the Step list.
3. Check the box under the Ingress field to enable a policy map for a port.
4. Select a policy map from the scroll-down box.
5. Click Apply.
11 VoIP Traffic Configuration
This chapter covers the following topics:
◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organization Unit Identifier (OUI).

Configuring VoIP Traffic
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
Command Usage
All ports are set to VLAN hybrid mode by default.

Figure 132: Configuring a Voice VLAN

Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.

7. Click Apply.
Figure 133: Configuring an OUI Telephony List
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.

Configuring VoIP Traffic Ports
Parameters
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.

When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.”
Web Interface
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
12 Security Measures You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting) with invalid MAC to IP Address bindings, which forms the basis for certain “man-in-the-middle” attacks. Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use.
4. Apply the method names to port or line interfaces.
Note: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
Web Interface
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
Figure 136: Configuring the Authentication Sequence
Configuring Remote Logon
Use the Security > AAA > Server page to configure the message exchange parameters for RADIUS or TACACS+ remote access authentication servers.
Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
◆ RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair.
■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
TACACS+
■ Global – Provides globally applicable TACACS+ settings.
■ Server Index – Specifies the index number of the server to be configured. The switch currently supports only one TACACS+ server.
Web Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3. Select RADIUS or TACACS+ server type.
4. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
5.
Figure 139: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
■ Exec – Administrative accounting for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined. (Range: 1-64 characters)
Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers.
■ VTY Method Name – Specifies a user-defined method name to apply to Telnet and SSH connections. This method must be defined in the Configure Method page. (Range: 1-64 characters)
Show Information – Summary
◆ Accounting Type – Displays the accounting service.
◆ Method Name – Displays the user-defined or default accounting method.
◆ Server Group Name – Displays the accounting server group.
To configure the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.
Figure 144: Showing AAA Accounting Methods
To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Exec).
4. Enter the required accounting method.
5. Click Apply.
Figure 146: Configuring AAA Accounting Service for Exec Service
To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
Figure 148: Displaying Statistics for AAA Accounting Sessions
Configuring AAA Authorization
Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.
Command Usage
◆ This feature performs authorization to determine if a user is allowed to run an Exec shell.
◆ Console Method Name – Specifies a user-defined method name to apply to console connections.
◆ VTY Method Name – Specifies a user-defined method name to apply to Telnet and SSH connections.
Show Information
◆ Authorization Type – Displays the authorization service.
◆ Method Name – Displays the user-defined or default accounting method.
◆ Server Group Name – Displays the authorization server group.
3. Select Show from the Action list.
Figure 150: Showing AAA Authorization Methods
To configure the authorization method applied to local console, Telnet, or SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
3. Enter the required authorization method.
4. Click Apply.
Chapter 12 | Security Measures Configuring User Accounts
To display the configured authorization method and assigned server groups for the Exec service type:
1. Click Security, AAA, Authorization.
2. Select Show Information from the Step list.
Figure 152: Displaying the Applied AAA Authorization Method
Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
Levels 8-14 provide the same default access privileges, including additional commands beyond those provided for Levels 0-7 (equivalent to CLI Normal Exec command mode), and a subset of the configuration commands provided for Level 15 (equivalent to CLI Privileged Exec command mode). Level 15 provides full access to all commands.
Chapter 12 | Security Measures Web Authentication
Figure 153: Configuring User Accounts
To show user accounts:
1. Click Security, User Accounts.
2. Select Show from the Action list.
Figure 154: Showing User Accounts
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
Logon Authentication” on page 237.)
Note: Web authentication cannot be configured on trunk ports.
Configuring Global Settings for Web Authentication
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Parameters
These parameters are displayed:
◆ Web Authentication Status – Enables web authentication for the switch.
Figure 155: Configuring Global Settings for Web Authentication
Configuring Interface Settings for Web Authentication
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.
Parameters
These parameters are displayed:
◆ Port – Indicates the port being configured.
◆ Status – Configures the web authentication status for the port.
Chapter 12 | Security Measures Network Access (MAC Address Authentication)
Figure 156: Configuring Interface Settings for Web Authentication
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ When port status changes to down, all MAC addresses mapped to that port are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores the “map-ip-dscp” profile.
The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Reauthentication Time – Sets the time period after which the switch removes an authenticated MAC address from the secure table.
■ Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication; that is, the Network Access process described in this section. (Range: 1-1024; Default: 1024)
◆ Network Access Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication (including Network Access and IEEE 802.1X).
Web Interface
To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the General button.
4. Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.
◆ MAC Address – The filter rule will check ingress packets against the entered MAC address or range of MAC addresses (as defined by the MAC Address Mask).
◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match.
Figure 160: Showing the MAC Address Filter Table for Network Access
Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Web Interface
To display the authenticated MAC addresses stored in the secure MAC address table:
1. Click Security, Network Access.
2. Select Show Information from the Step list.
3. Use the sort key to display addresses based on MAC address, interface, or attribute.
4.
Chapter 12 | Security Measures Configuring HTTPS
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
Parameters
These parameters are displayed:
◆ HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
◆ HTTPS Port – Specifies the TCP port number used for HTTPS connection to the switch’s web interface. (Range: 1-65535; Default: Port 443)
Web Interface
To configure HTTPS:
1. Click Security, HTTPS.
2. Select Configure Global from the Step list.
3. Enable HTTPS and specify the port number if required.
4.
When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one.
Note: The switch must be reset for the new certificate to be activated.
Chapter 12 | Security Measures Configuring the Secure Shell
Figure 163: Downloading the Secure-Site Certificate
Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v2 Clients
a.
◆ Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)
Web Interface
To configure the SSH server:
1. Click Security, SSH.
2. Select Configure Global from the Step list.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.
Note: The switch uses only RSA keys for SSHv2 clients.
Web Interface
To generate the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Generate from the Action list.
4. Click Apply.
Figure 165: Generating the SSH Host Key Pair
To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4.
Importing User Public Keys
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Figure 167: Copying the SSH User’s Public Key
To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the key to clear.
6. Click Clear.
Chapter 12 | Security Measures Access Control Lists
Access Control Lists
Access Control Lists (ACL) provide ingress packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address or DSCP traffic class), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
are compressed into one ACE classifying the IP address as 192.168.1.0/24, which requires only “n” entries in TCAM. The above example is an ideal case for compression. The worst case would be if no ACE can be compressed, in which case the number of TCAM entries used would be the same as without compression. It would also require more time to process the ACEs.
◆ If no matches are found down to the end of the list, the traffic will be permitted.
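The ideal and worst cases for ACE compression described above, as an added example that is not part of the original guide: host ACEs with the same action are collapsed into the smallest set of prefixes, and the number of resulting prefixes stands in for the TCAM entries consumed (the function names are assumptions for this illustration).

```python
"""Illustrate ACE compression into prefixes (added example; not the switch's own code)."""
import ipaddress
from typing import Iterable, List


def compress_host_aces(hosts: Iterable[str]) -> List[str]:
    """Merge IPv4 host ACEs that share one action into the fewest prefixes.

    Each host becomes a /32; collapse_addresses joins aligned, adjacent blocks
    into supernets, so 256 consecutive hosts in 192.168.1.x become one /24,
    which is the compression the guide describes.
    """
    nets = [ipaddress.IPv4Network(h) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def tcam_entries(hosts: Iterable[str], compress: bool = True) -> int:
    """Entries consumed by the host ACEs, with or without compression (hypothetical model)."""
    host_list = list(hosts)
    return len(compress_host_aces(host_list)) if compress else len(host_list)


def demo() -> dict:
    """Ideal case (every host in one /24) versus worst case (no two ACEs adjacent)."""
    ideal = [f"192.168.1.{i}" for i in range(256)]          # constructed sample input
    worst = [f"192.168.1.{i}" for i in range(1, 256, 2)]    # odd hosts only: nothing merges
    return {
        "ideal_uncompressed": tcam_entries(ideal, compress=False),  # 256
        "ideal_compressed": tcam_entries(ideal),                    # 1 (192.168.1.0/24)
        "worst_uncompressed": tcam_entries(worst, compress=False),  # 128
        "worst_compressed": tcam_entries(worst),                    # 128, same as without
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```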
◆ Total – The maximum number of policy control entries allocated to each pool.
◆ Used – The number of policy control entries used by the operating system.
◆ Free – The number of policy control entries available for use.
◆ Capability – The processes assigned to each pool.
Web Interface
To show information on TCAM utilization:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show TCAM from the Action list.
◆ Type – The following filter modes are supported:
■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
■ IP Extended: IPv4 ACL mode filters packets based on the source or destination IPv4 address, as well as the protocol type and protocol port number. If the “TCP” protocol is specified, then you can also filter packets based on the TCP control code.
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Figure 171: Showing a List of ACLs
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
◆ Time Range – Name of a time range.
Web Interface
To add rules to an IPv4 Standard ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7.
Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
■ 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
■ SYN flag valid, use control-code 2, control bit mask 2
■ Both SYN and ACK valid, use control-code 18, control bit mask 18
■ SYN valid and ACK invalid, use control-code 2, control bit mask 18
◆ Service Type – Packet priority settings based on the following criteria:
■ Precedence – IP precedence level.
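The control-code and control-bit-mask match from the three examples above, worked through as an added illustration (not code from the guide): the mask selects which TCP flag bits the rule cares about, the code gives the required value of those bits, and the rule list is searched first-match-first with the permit-on-no-match behaviour the guide states for ACLs. The function and rule-tuple names are assumptions.

```python
"""Evaluate IP Extended ACL TCP control-code rules (added example, not the switch's code)."""
from typing import List, Tuple

# Control-code bit values as listed in the guide
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def control_code_matches(packet_flags: int, code: int, mask: int) -> bool:
    """A rule matches when every flag selected by the mask has the value given in code.

    Bits outside the mask are ignored, so code 2 / mask 2 means "SYN set, other
    flags don't care", while code 2 / mask 18 means "SYN set AND ACK clear".
    """
    return (packet_flags & mask) == (code & mask)


# (action, control-code, control-bit-mask): hypothetical shape for one TCP rule
Rule = Tuple[str, int, int]


def evaluate_tcp_rules(packet_flags: int, rules: List[Rule]) -> str:
    """First matching rule wins; with no match the guide says the traffic is permitted."""
    for action, code, mask in rules:
        if control_code_matches(packet_flags, code, mask):
            return action
    return "permit"


def flag_names(packet_flags: int) -> str:
    """Human-readable flag list for a flags byte, e.g. 18 -> 'SYN ACK'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return " ".join(n for n, bit in names if packet_flags & bit) or "none"


if __name__ == "__main__":
    # Constructed rule set: drop new connection attempts (SYN set, ACK clear), let the rest through.
    rules: List[Rule] = [("deny", 2, 18)]
    for flags in (SYN, SYN | ACK, ACK, ACK | PSH):
        print(f"{flag_names(flags):8s} -> {evaluate_tcp_rules(flags, rules)}")
```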
Figure 173: Configuring an Extended IPv4 ACL
Configuring a Standard IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
Web Interface
To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the source address type (Any, Host, or IPv6-prefix).
8. If you select “Host,” enter a specific address.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source Address Type – Specifies the source IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix” to specify a range of addresses. (Options: Any, Host, IPv6-Prefix; Default: Any)
◆ Destination Address Type – Specifies the destination IP address type.
4. Select IPv6 Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any or IPv6-prefix).
8. If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and prefix length.
9. Set any other required criteria, such as DSCP.
10. Click Apply.
address range with the Address and Bit Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.
◆ Source/Destination Bit Mask – Hexadecimal mask for source or destination MAC address.
◆ Packet Format – This attribute includes the following packet types:
■ Any – Any Ethernet packet type.
■ Untagged-eth2 – Untagged Ethernet II packets.
■ Untagged-802.3 – Untagged Ethernet 802.
7. Select the address type (Any, Host, or MAC).
8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bit mask for an address range.
9. Set any other required criteria, such as VID, Ethernet type, or packet format.
10. Click Apply.
◆ Source/Destination IP Address Type – Specifies the source or destination IPv4 address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Mask fields. (Options: Any, Host, IP; Default: Any)
◆ Source/Destination IP Address – Source or destination IP address.
Figure 177: Configuring an ARP ACL
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter ingress traffic to the appropriate ACLs.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to bind to a port.
◆ Port – Port identifier.
◆ ACL – ACL used for ingress packets.
◆ Time Range – Name of a time range.
6. Select the name of an ACL from the ACL list.
7. Click Apply.
Figure 178: Binding a Port to an ACL
Showing ACL Hardware Counters
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
Selection Criteria
Select the setting criteria for the data you wish to view:
◆ Port – Port identifier. (Range: 1-10/28)
◆ Type – Selects the type of ACL.
◆ Hit – Shows the number of packets matching this ACL.
◆ Clear Counter – Clears the hit counter for the specified ACL.
IP Extended
Parameters
These parameters are displayed:
◆ ACL Name – The ACL bound to this port.
◆ Action – Shows if action is to permit or deny specified packets.
◆ Source IP Address – The source IP address or source IP address range the ACL matches.
◆ Hit – Shows the number of packets matching this ACL.
◆ Clear Counter – Clears the hit counter for the specified ACL.
IPv6 Standard
Parameters
These parameters are displayed:
◆ ACL Name – The ACL bound to this port.
◆ Action – Shows if action is to permit or deny specified packets.
◆ Source IPv6 Address – The source IPv6 address or IPv6 address range the ACL matches.
◆ Hit – Shows the number of packets matching this ACL.
Chapter 12 | Security Measures Filtering IP Addresses for Management Access
Figure 179: Showing ACL Statistics
Filtering IP Addresses for Management Access
Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
◆ The management interfaces are open to all IP addresses by default.
■ SNMP – Configures IP address(es) for the SNMP group.
■ Telnet – Configures IP address(es) for the Telnet group.
■ All – Configures IP address(es) for all groups.
◆ Start IP Address – A single IP address, or the starting address of a range.
◆ End IP Address – The end address of a range.
Web Interface
To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2.
Chapter 12 | Security Measures Configuring Port Security
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.
Figure 181: Showing IP Addresses Authorized for Management Access
Configuring Port Security
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
Chapter 12 | Security Measures Configuring 802.1X Port Authentication
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 262.
◆ MAC Filter ID – The identifier for a MAC address filter.
◆ Last Intrusion MAC – The last unauthorized MAC address detected.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request.
◆ Each client that needs to be authenticated must have dot1X client software installed and properly configured.
◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS.
Configuring Port Authenticator Settings for 802.1X
Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
■ Multi-Host – Allows multiple hosts to connect to this port. In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails reauthentication or sends an EAPOL logoff message.
■ MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
◆ Re-authentication Status – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
◆ Re-authentication Period – Sets the time period after which a connected client must be re-authenticated.
◆ State – Current state (including initialize, reauthenticate).
Web Interface
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Modify the authentication settings for each port as required.
4. Click Apply.
Figure 185: Configuring Interface Settings for 802.
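The difference between the Multi-Host and MAC-Based operation modes described above, as an added model that is not part of the guide: in Multi-Host mode one successful authentication opens the port for every attached host and one failed re-authentication or EAPOL logoff closes it for all of them, while in MAC-Based mode each host's access depends only on its own authentication result. The class and method names are assumptions for this illustration; the switch's real state machine has more states than this.

```python
"""Model 802.1X Multi-Host versus MAC-Based port authorization (added example, not switch code)."""
from enum import Enum
from typing import Set


class HostMode(Enum):
    MULTI_HOST = "multi-host"   # one authenticated host authorizes the whole port
    MAC_BASED = "mac-based"     # every host authenticates on its own


class Dot1xPort:
    """Hypothetical authenticator-side view of one switch port."""

    def __init__(self, mode: HostMode) -> None:
        self.mode = mode
        self.authorized_hosts: Set[str] = set()   # MACs that passed authentication
        self.port_authorized = False               # port-wide state used by Multi-Host

    def auth_success(self, mac: str) -> None:
        """Supplicant passed (re)authentication against the RADIUS server."""
        self.authorized_hosts.add(mac)
        if self.mode is HostMode.MULTI_HOST:
            self.port_authorized = True

    def auth_failure(self, mac: str) -> None:
        """Supplicant failed reauthentication; Multi-Host closes the port for everyone."""
        self.authorized_hosts.discard(mac)
        if self.mode is HostMode.MULTI_HOST:
            self.port_authorized = False
            self.authorized_hosts.clear()

    def logoff(self, mac: str) -> None:
        """EAPOL logoff has the same port-wide effect as a failure in Multi-Host mode
        (assumption: any attached host's logoff counts, as the guide states)."""
        self.auth_failure(mac)

    def allows(self, mac: str) -> bool:
        """Would a frame from this MAC be forwarded?"""
        if self.mode is HostMode.MULTI_HOST:
            return self.port_authorized
        return mac in self.authorized_hosts


def demo() -> dict:
    """Constructed scenario: host A authenticates, host B never does, then B logs off."""
    results = {}
    for mode in HostMode:
        port = Dot1xPort(mode)
        port.auth_success("00-11-22-33-44-AA")
        after_a = port.allows("00-11-22-33-44-BB")        # does B ride on A's authentication?
        port.logoff("00-11-22-33-44-BB")
        after_logoff = port.allows("00-11-22-33-44-AA")   # does B's logoff affect A?
        results[mode.value] = (after_a, after_logoff)
    return results   # {'multi-host': (True, False), 'mac-based': (False, True)}


if __name__ == "__main__":
    for mode, (b_allowed, a_after) in demo().items():
        print(f"{mode}: B allowed after A auth={b_allowed}, A allowed after B logoff={a_after}")
```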
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
Parameters
These parameters are displayed:
Table 14: 802.1X Statistics
Parameter – Description
Authenticator
Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
Chapter 12 | Security Measures DoS Protection
Web Interface
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
Figure 186: Showing Statistics for 802.1X Port Authenticator
DoS Protection
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets. (Default: Disabled)
◆ TCP Flooding Attack – Attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service.
Chapter 12 | Security Measures DHCP Snooping
◆ WinNuke Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second)
Web Interface
To protect against DoS attacks:
1. Click Security, DoS Protection.
2. Enable protection for specific DoS attacks, and set the maximum allowed rate as required.
3.
Chapter 12 | Security Measures DHCP Snooping messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped. ◆ Table entries are only learned for trusted interfaces. An entry is added to or removed from the DHCP snooping table dynamically when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
Chapter 12 | Security Measures DHCP Snooping ■ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
Chapter 12 | Security Measures DHCP Snooping DHCP Snooping Global Configuration: Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. Parameters These parameters are displayed: General ◆ DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled) ◆ DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification. When enabled, a DHCP client packet received on an untrusted port is dropped if the client hardware address carried in the DHCP payload does not match the source MAC address of the Ethernet frame.
Chapter 12 | Security Measures DHCP Snooping ◆ DHCP Snooping Information Option TR101 Board ID – Sets the board identifier used in Option 82 information based on TR-101 syntax. (Range: 0-9; Default: undefined) ◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information. ■ Drop – Drops the client’s request packet instead of relaying it.
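The Option 82 policy above decides what happens to a client request that arrives on an untrusted port already carrying relay-agent information. The following is an added example, not code from this guide or from the switch firmware: it applies the Drop policy the page describes, together with Keep (relay the request unchanged) and Replace (overwrite the client's Option 82 with the switch's own circuit ID and remote ID), which are assumed here to be the other two choices. The circuit ID "eth1/3", the remote ID "sw1" and the client request bytes are constructed for the example.

```python
"""Apply a DHCP snooping Option 82 policy to a client request from an untrusted port.

Added example for this guide; not firmware code. Option codes and the sub-option
layout follow RFC 2132 and RFC 3046; the packet and identifiers are constructed.
"""

OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(buf):
    """Split a DHCP options field (the bytes after the magic cookie) into (code, data) pairs."""
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        opts.append((code, bytes(data)))
        i += 2 + length
    raise ValueError("options field lacks End option")


def build_options(opts):
    out = bytearray()
    for code, data in opts:
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def option82(circuit_id, remote_id):
    """Relay Agent Information: sub-option 1 (circuit ID) and sub-option 2 (remote ID)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def apply_policy(options, policy, circuit_id, remote_id):
    """Return the options field to relay, or None when the request must be dropped.

    policy: 'drop' | 'keep' | 'replace'; it only matters when the client's request
    already carries Option 82. A request without Option 82 always gets the switch's own.
    """
    if policy not in ("drop", "keep", "replace"):
        raise ValueError("unknown policy %r" % policy)
    opts = parse_options(options)
    has_82 = any(code == OPT_RELAY_AGENT for code, _ in opts)
    if has_82 and policy == "drop":
        return None
    if has_82 and policy == "keep":
        return build_options(opts)
    # 'replace', or no Option 82 present: strip any client-supplied relay information
    # and insert the identifiers the switch itself is configured with.
    opts = [(c, d) for c, d in opts if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, option82(circuit_id, remote_id)))
    return build_options(opts)


# Constructed client DISCOVER options: message type 1 plus a forged Option 82
# whose circuit ID claims to be "bogus".
CLIENT_OPTS = bytes([OPT_MSG_TYPE, 1, 1, OPT_RELAY_AGENT, 7, SUB_CIRCUIT_ID, 5]) + b"bogus" + bytes([OPT_END])
```

The security point is the difference between Keep and Replace: Keep forwards whatever circuit ID the client chose, so a host on an untrusted port can misrepresent its location to the DHCP server; Replace makes the switch the sole source of that information.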
Chapter 12 | Security Measures DHCP Snooping DHCP Snooping VLAN Configuration: Use the Security > DHCP Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. Command Usage ◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Chapter 12 | Security Measures DHCP Snooping Configuring Ports for DHCP Snooping: Use the Security > DHCP Snooping (Configure Interface) page to configure switch ports as trusted or untrusted. Command Usage ◆ A trusted interface is one that faces the legitimate DHCP server, such as an uplink or another port inside the network, so DHCP server messages (offers and acknowledgements) received on it are accepted. An untrusted interface is one that faces clients, or the outside of the network or firewall, so DHCP server messages received on it are dropped and client messages are subject to filtering.
Chapter 12 | Security Measures DHCP Snooping 4. Specify the mode used for sending circuit ID information, and an arbitrary string if required. 5. Click Apply. Figure 190: Configuring the Port Mode for DHCP Snooping Displaying DHCP Snooping Binding Information: Use the Security > DHCP Snooping (Show Information) page to display entries in the binding table. Parameters These parameters are displayed: ◆ MAC Address – Physical address associated with the entry.
Chapter 12 | Security Measures IPv4 Source Guard Web Interface To display the binding table for DHCP Snooping: 1. Click Security, DHCP Snooping. 2. Select Show Information from the Step list. 3. Use the “Store to Flash” or “Clear from Flash” function if required.
Chapter 12 | Security Measures IPv4 Source Guard ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the SIP-MAC option to check these same parameters, plus the source MAC address. If no matching entry is found, the packet is dropped. Note: Multicast addresses cannot be used by IP Source Guard.
Chapter 12 | Security Measures IPv4 Source Guard ■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. ◆ Filter Table – Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table. (Default: ACL binding table) ◆ Max Binding Entry – The maximum number of entries that can be bound to an interface.
Chapter 12 | Security Measures IPv4 Source Guard ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. ◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
Chapter 12 | Security Measures IPv4 Source Guard ◆ VLAN – ID of a configured VLAN or a range of VLANs. (Range: 1-4094) ◆ IP Address – A valid unicast IP address, including classful types A, B or C. ◆ Port – The port to which a static entry is bound. Specify a physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers.
Chapter 12 | Security Measures IPv4 Source Guard 3. Select Show from the Action list. Figure 194: Displaying Static Bindings for IPv4 Source Guard Displaying Information for Dynamic IPv4 Source Guard Bindings: Use the Security > IP Source Guard > Dynamic Binding page to display the source guard binding table for a selected interface. Parameters These parameters are displayed: Query by ◆ Port – A port on this switch.
Chapter 12 | Security Measures ARP Inspection Figure 195: Showing the IPv4 Source Guard Binding Table ARP Inspection ARP Inspection is a security feature that validates the MAC address bindings in Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
Chapter 12 | Security Measures ARP Inspection ■ If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including those where inspection is enabled. ■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. ■ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
Chapter 12 | Security Measures ARP Inspection ARP Inspection Logging ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
Chapter 12 | Security Measures ARP Inspection Web Interface To configure global settings for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Configure General from the Step list. 3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. 4. Click Apply.
Chapter 12 | Security Measures ARP Inspection ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. Parameters These parameters are displayed: ◆ VLAN – VLAN identifier. (Range: 1-4094) ◆ DAI Status – Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled) ◆ ACL Name – Allows selection of any configured ARP ACLs.
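The IP Source Guard modes (SIP and SIP-MAC, page 318) and the ARP Inspection order of evaluation described just above (ARP ACL first, then the DHCP snooping bindings unless the VLAN is set to Static) both come down to lookups in the same binding table. The block below is an added example written for this guide, not the switch's own code: the binding entries, the trusted uplink port, the ARP ACL rules and the packet fields are all constructed, and the table holds exactly the fields the guide lists for a binding (MAC address, IP address, VLAN and port).

```python
"""Binding-table lookups for IP Source Guard and Dynamic ARP Inspection.

Added example for this guide; not firmware code. Bindings, trusted port, ACL
and packet fields are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed binding table: entries DHCP snooping would have learned on VLAN 10.
BINDINGS = [
    Binding("00:11:22:33:44:01", "10.1.1.11", 10, "eth1/1"),
    Binding("00:11:22:33:44:02", "10.1.1.12", 10, "eth1/2"),
]
TRUSTED_PORTS = {"eth1/24"}   # assumed uplink toward the DHCP server and gateway

# Constructed ARP ACL: (sender IP, sender MAC or None for any MAC, action).
ARP_ACL = [
    ("10.1.1.254", "00:aa:bb:cc:dd:ee", "permit"),   # the gateway holds no DHCP lease
    ("10.1.1.1", None, "deny"),                       # an address nobody may claim
]


def source_guard_permits(mode, port, vlan, src_ip, src_mac):
    """IP Source Guard for one IP packet on an untrusted port.

    'sip' requires a binding with the same port, VLAN and source IP;
    'sip-mac' additionally requires the source MAC; 'disabled' passes everything.
    """
    if mode == "disabled":
        return True
    if mode not in ("sip", "sip-mac"):
        raise ValueError("unknown mode %r" % mode)
    for b in BINDINGS:
        if (b.port, b.vlan, b.ip) == (port, vlan, src_ip):
            if mode == "sip" or b.mac == src_mac:
                return True
    return False


def _arp_acl_action(sender_ip, sender_mac):
    """First matching ACL rule wins; None means no rule matched."""
    for ip, mac, action in ARP_ACL:
        if ip == sender_ip and mac in (None, sender_mac):
            return action
    return None


def arp_inspection_permits(port, vlan, sender_ip, sender_mac, static=False):
    """Dynamic ARP Inspection for one ARP packet.

    Trusted ports bypass inspection. Otherwise the ACL is consulted first; if no
    rule matches, the DHCP snooping bindings decide, unless the VLAN is configured
    'Static', in which case only the ACL is used and unmatched packets are dropped.
    """
    if port in TRUSTED_PORTS:
        return True
    action = _arp_acl_action(sender_ip, sender_mac)
    if action is not None:
        return action == "permit"
    if static:
        return False
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == sender_mac
               for b in BINDINGS)
```

Two cases worth noticing: a host on eth1/2 that claims eth1/1's leased address fails even in SIP mode because the port is part of the key, and a forged ARP reply for the gateway fails because the ACL rule pins the gateway's MAC and no DHCP binding exists for that address.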
Chapter 12 | Security Measures ARP Inspection Configuring Interface Settings for ARP Inspection: Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. Parameters These parameters are displayed: ◆ Interface – Port or trunk identifier. ◆ Trust Status – Configures the port as trusted or untrusted.
Chapter 12 | Security Measures ARP Inspection Displaying ARP Inspection Statistics: Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons. Parameters These parameters are displayed: Table 15: ARP Inspection Statistics
Parameter | Description
Received ARP packets before ARP inspection rate limit | Count of ARP packets received but not exceeding the ARP Inspection rate limit.
Chapter 12 | Security Measures ARP Inspection Figure 199: Displaying Statistics for ARP Inspection Displaying the ARP Inspection Log: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components. Parameters These parameters are displayed: Table 16: ARP Inspection Log
Parameter | Description
VLAN ID | The VLAN where this packet was seen.
Port | The port where this packet was seen.
Src.
Chapter 12 | Security Measures ARP Inspection Figure 200: Displaying the ARP Inspection Log – 331 –
13 Basic Administration Protocols This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending log messages to remote syslog servers, and configures email alerts sent to remote hosts using Simple Mail Transfer Protocol (SMTP).
Chapter 13 | Basic Administration Protocols Configuring Event Logging Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages. System Log Configuration: Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ History RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) Note: The Flash Level must be equal to or less than the RAM Level. Note: All log messages are retained in RAM and Flash after a warm restart (i.e.
Chapter 13 | Basic Administration Protocols Configuring Event Logging 3. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory. This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ Server IP Address – Specifies the IPv4 or IPv6 address of the remote server to which syslog messages are sent. ◆ Port - Specifies the UDP port number used by the remote server. (Range: 1-65535; Default: 514) Syslog over UDP is neither authenticated nor encrypted, so keep the server on a management network that untrusted hosts cannot reach. Web Interface To configure the logging of error messages to remote servers: 1. Click Administration, Log, Remote. 2. Enable remote logging, specify the facility type to use for the syslog messages.
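The level rules on page 335 (a store keeps every message whose severity number is at or below its configured level, and the Flash Level may not exceed the RAM Level) and the facility setting for remote logging combine into the PRI value that leads every syslog datagram. The block below is an added example for this guide, not the switch's code: it filters by level the way the page describes, encodes and decodes the RFC 3164 PRI field, and builds the datagram that would go to the server on UDP port 514. The facility local7, the host name "ecs2100" and the message text are assumptions.

```python
"""Severity filtering and RFC 3164 PRI handling for switch event logging.

Added example for this guide; not firmware code. Facility, host name and
message text are assumptions; send_syslog is the only part that touches the network.
"""
import socket

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "local0": 16, "local7": 23}


class LogConfig:
    """History RAM Level / Flash Level as the guide defines them (0 = most severe)."""

    def __init__(self, ram_level=7, flash_level=3):
        if not 0 <= flash_level <= ram_level <= 7:
            raise ValueError("Flash Level must be <= RAM Level, both within 0-7")
        self.ram_level, self.flash_level = ram_level, flash_level

    def destinations(self, severity):
        """Which stores keep a message of this severity."""
        stores = []
        if severity <= self.ram_level:
            stores.append("ram")
        if severity <= self.flash_level:
            stores.append("flash")
        return stores


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility 0-23, severity 0-7")
    return facility * 8 + severity


def parse_pri(datagram):
    """Recover (facility, severity) from the <PRI> prefix of a received datagram."""
    if not datagram.startswith(b"<") or b">" not in datagram[:6]:
        raise ValueError("malformed PRI")
    pri = int(datagram[1:datagram.index(b">")])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def syslog_datagram(facility, severity, host, tag, msg, timestamp="Jan  5 10:31:02"):
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG, the classic RFC 3164 layout."""
    return ("<%d>%s %s %s: %s" % (syslog_pri(facility, severity), timestamp, host, tag, msg)).encode()


def send_syslog(datagram, server, port=514):
    """Plain UDP: no authentication, no encryption, so restrict it to the management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


# Constructed event: a port-security intrusion reported at severity 'warning'.
SAMPLE = syslog_datagram(FACILITY["local7"], SEVERITY["warning"], "ecs2100", "switch",
                         "Port Eth 1/3 intrusion detected")
```

With the defaults of RAM level 7 and Flash level 3, the warning above is kept in RAM but not written to flash; the round trip through parse_pri is the check a collector applies when a switch's facility mapping is in doubt.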
Chapter 13 | Basic Administration Protocols Configuring Event Logging ◆ Email Source Address – Sets the email address used for the “From” field in alert messages. You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. (Range: 1-41 characters) ◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol increase the probability that multiple changes, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval ◆ Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 205: Configuring LLDP Timing Attributes Configuring LLDP Interface Attributes: Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages. ■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 151). (Default: Enabled) ■ VLAN Name – The name of all VLANs to which this interface has been assigned (see “IEEE 802.1Q VLANs” on page 151.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ■ Inventory – This option advertises device details useful for inventory management, such as manufacturer, model, software version and other pertinent information. (Default: Enabled) ■ Location – This option advertises location identification details.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 206: Configuring LLDP Interface Attributes Configuring LLDP Interface CA-Type: Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Table 18: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol To show the physical location of the attached device: 1. Click Administration, LLDP. 2. Select Configure Interface from the Step list. 3. Select Show CA-Type from the Action list. 4. Select an interface from the Port or Trunk list.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. ◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 70). ◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
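The Chassis ID, Port ID (with its subtype), TTL, System Name and System Capabilities fields shown on these pages are individual TLVs of one LLDP data unit, each carrying a 7-bit type and a 9-bit length (page 339). The parser below is an added example written for this guide, not firmware code; it decodes those TLVs, enforces the mandatory order of the first three, and refuses a truncated unit. The LLDPDU it decodes is constructed in the block with the same encoder, so the chassis MAC, port name and system name are assumptions rather than a capture.

```python
"""Parser for the TLV format of an LLDP data unit (IEEE 802.1AB).

Added example for this guide; not firmware code. SAMPLE_LLDPDU is constructed.
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP = 4, 5, 6, 7

CHASSIS_SUBTYPE = {4: "mac", 5: "network-address", 6: "interface-name", 7: "local"}
PORT_SUBTYPE = {3: "mac", 5: "interface-name", 7: "local"}
# System capability bits (bit 0 = Other) as defined by IEEE 802.1AB.
CAPABILITY_BITS = {0: "Other", 1: "Repeater", 2: "Bridge", 3: "WLAN Access Point",
                   4: "Router", 5: "Telephone", 6: "DOCSIS Cable Device", 7: "Station Only"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a big-endian 16-bit header."""
    if tlv_type > 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    off = 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % off)
        yield tlv_type, value
        off += 2 + length
        if tlv_type == TLV_END:
            return
    raise ValueError("missing End Of LLDPDU TLV")


def _mac(b):
    return ":".join("%02x" % x for x in b)


def _caps(word):
    return [name for bit, name in CAPABILITY_BITS.items() if (word >> bit) & 1]


def parse_lldpdu(pdu):
    tlvs = list(iter_tlvs(pdu))
    # Chassis ID, Port ID and TTL are mandatory and must come first, in that order.
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {}
    for tlv_type, v in tlvs:
        if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
            if len(v) < 2:
                raise ValueError("identifier TLV needs a subtype and a value")
            table = CHASSIS_SUBTYPE if tlv_type == TLV_CHASSIS_ID else PORT_SUBTYPE
            kind = table.get(v[0], "subtype-%d" % v[0])
            ident = _mac(v[1:]) if kind == "mac" else v[1:].decode("utf-8", "replace")
            info["chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"] = (kind, ident)
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif tlv_type in (TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC):
            key = {TLV_PORT_DESC: "port_desc", TLV_SYS_NAME: "sys_name",
                   TLV_SYS_DESC: "sys_desc"}[tlv_type]
            info[key] = v.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_CAP:
            supported, enabled = struct.unpack("!HH", v)
            info["cap_supported"], info["cap_enabled"] = _caps(supported), _caps(enabled)
    return info


# Constructed LLDPDU, as a switch might advertise on one port.
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("001122aabbcc"))   # subtype 4: MAC address
    + tlv(TLV_PORT_ID, b"\x05" + b"Eth 1/1")                        # subtype 5: interface name
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYS_NAME, b"ECS2100-28T")
    + tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0004, 0x0004))           # bit 2: Bridge
    + tlv(TLV_END, b"")
)
```

LLDP frames are unauthenticated, so anything a neighbour advertises (including the system name and capabilities) is a claim, not a fact; the parser's structural checks are the only validation available.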
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 209: Displaying Local Device Information for LLDP (General) Figure 210: Displaying Local Device Information for LLDP (Port) Figure 211: Displaying Local Device Information for LLDP (Port Details)
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Displaying LLDP Remote Device Information: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 20, "System Capabilities," on page 348.) ◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 20, "System Capabilities," on page 348.) ◆ Management Address List – The management addresses for this device.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Table 22: Remote Port Auto-Negotiation Advertised Capability (Continued)
Bit | Capability
5 | 100BASE-TX full duplex mode
6 | 100BASE-T2 half duplex mode
7 | 100BASE-T2 full duplex mode
8 | PAUSE for full-duplex links
9 | Asymmetric PAUSE for full-duplex links
10 | Symmetric PAUSE for full-duplex links
11 | Asymmetric and Symmetric PAUSE for full-duplex links
12 | 1000BASE-X, -LX, -SX, -CX half duplex mode
13 | 1000BASE-X, -LX, -SX, -
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Port Details – 802.3 Extension Trunk Information ◆ Remote Link Aggregation Capable – Shows whether the remote port supports link aggregation. ◆ Remote Link Aggregation Status – Shows whether the remote port is currently a member of an aggregated link. ◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Figure 213: Displaying Remote Device Information for LLDP (Port Details)
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Displaying Device Statistics: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. Parameters These parameters are displayed: General Statistics on Remote Devices ◆ Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
Chapter 13 | Basic Administration Protocols Link Layer Discovery Protocol Web Interface To display statistics for LLDP-capable devices attached to the switch: 1. Click Administration, LLDP. 2. Select Show Device Statistics from the Step list. 3. Select General, Port, or Trunk.
Chapter 13 | Basic Administration Protocols Power over Ethernet Power over Ethernet The ECS2100-10PE/10P and ECS2100-28P/28PP switches can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configured to supply power, the switch starts an automatic detection process and supplies power only after the connected device presents a valid PoE signature.
Chapter 13 | Basic Administration Protocols Power over Ethernet Default: 370000 milliwatts ECS2100-28PP: 50000-740000 milliwatts with external power supply, Default: 740000 milliwatts) ◆ System Operation Status – Status of the PoE power service provided to the switch ports. ◆ PoE Power Consumption – The amount of power being consumed by PoE devices connected to the switch. ◆ Software Version – The version of software running on the PoE controller subsystem in the switch.
Chapter 13 | Basic Administration Protocols Power over Ethernet Web Interface To set the overall PoE power budget for switch: 1. Click Administration, PoE, PSE. 2. Select Configure Global from the Step list. 3. Set the maximum PoE power provided by the switch, enable the compatible mode, and set the maximum allocation mode if required. 4. Click Apply.
Chapter 13 | Basic Administration Protocols Power over Ethernet Table 24: Maximum Number of Ports Providing Simultaneous Power Switch 30W (802.3at) 15.4W (802.3af) 7.5W (802.
Chapter 13 | Basic Administration Protocols Power over Ethernet ◆ Time Range Name – Name of a time range. If a time range is set, then PoE will be provided to an interface during the specified period. ◆ Time Range Status – Indicates if a time range has been applied to an interface, and whether it is currently active or inactive. ◆ Class – Shows the maximum power allocation class as defined by the Maximum Allocation Mode setting on the PoE>PSE (Configure Global) page.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 25: SNMPv3 Security Models and Levels
Model | Level | Group | Read View | Write View | Notify View | Security
v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only
v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only
v1 | noAuthNoPriv | user defined | user defined | user defined | user defined | Community string only
v2c | noAuthNoPriv | public (read only) | defau
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol 3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID. If you want to change the default engine ID, it must be changed before configuring other parameters. 4. Use the Administration > SNMP (Configure View) page to specify read and write access views for the switch MIB tree. 5. Use the Administration > SNMP (Configure User) page to configure SNMP user groups with the required security model (i.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting the Local Engine ID: Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets, which is why it must be set before SNMPv3 users are created: changing it afterward invalidates every key derived from it.
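The sentence about the engine ID and user passwords is the key-localization step of the SNMPv3 User-based Security Model (RFC 3414, Appendix A.2): the password is first stretched into a key Ku by hashing it repeated to one mebibyte, and Ku is then bound to one engine as Kul = H(Ku || engineID || Ku). The block below is an added example for this guide, not firmware code; it derives both the MD5 and SHA keys offered on the user pages, using the password and engine ID from the RFC's own test vector so that the result can be checked against the published value. Nothing in it is specific to this switch beyond the choice of algorithms.

```python
"""SNMPv3 USM key derivation: password -> Ku -> key localized with the engine ID.

Added example for this guide; not firmware code. The password and engine ID are
the RFC 3414 Appendix A.3 test vector; any other engine ID is an assumption.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576


def password_to_key(password, algo):
    """Ku (RFC 3414 A.2.1 for MD5, A.2.2 for SHA): hash the password repeated to 1 MiB."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algo)
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    h.update(stream)
    return h.digest()


def localize_key(ku, engine_id, algo):
    """Kul = H(Ku || engineID || Ku): the same password yields a different key per engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password, engine_id, algo="md5"):
    """Localized key for one user on one engine; algo is 'md5' or 'sha1'.

    The switch derives the authentication key from the authentication password
    and the privacy key from the privacy password with this same procedure.
    """
    if algo not in ("md5", "sha1"):
        raise ValueError("this switch offers MD5 or SHA authentication only")
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


# RFC 3414 A.3 test vector: password "maplesyrup" on engine 00...02.
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```

Because Kul depends on the engine ID, a manager must learn the switch's engine ID (by discovery or configuration) before it can authenticate, and a remote user entry (page 368) needs the remote engine's ID for the same reason. The derivation is fast to compute, so the eight-character minimum on the password pages is a weak floor; use long passphrases.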
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Specifying a Remote Engine ID: Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the remote SNMP engine IDs: 1. Click Administration, SNMP. 2. Select Configure Engine from the Step list. 3. Select Show Remote Engine from the Action list. Figure 221: Showing Remote Engine IDs for SNMP Setting SNMPv3 Views Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure an SNMP view of the switch’s MIB database: 1. Click Administration, SNMP. 2. Select Configure View from the Step list. 3. Select Add View from the Action list. 4. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view. 5.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To add an object identifier to an existing SNMP view of the switch’s MIB database: 1. Click Administration, SNMP. 2. Select Configure View from the Step list. 3. Select Add OID Subtree from the Action list. 4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view. 5.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Configuring SNMPv3 Groups: Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 26: Supported Notification Messages
Object Label | Object ID | Description
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 26: Supported Notification Messages (Continued)
Object Label | Object ID | Description
swPowerStatusChangeTrap | 1.3.6.1.4.1.259.10.1.43.2.1.0.1 | This trap is sent when the power state changes.
swPortSecurityTrap | 1.3.6.1.4.1.259.10.1.44.2.1.0.36 | This trap is sent when port security detects an intrusion on the port. It is only sent when the portSecActionTrap is enabled.
swIpFilterRejectTrap | 1.3.6.1.4.1.259.10.1.43.2.1.0.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Table 26: Supported Notification Messages (Continued)
Object Label | Object ID | Description
swMemoryUtiFallingThresholdNotification | 1.3.6.1.4.1.259.10.1.43.2.1.0.110 | This notification indicates that the memory utilization has fallen from memoryUtiRisingThreshold to memoryUtiFallingThreshold.
dhcpRougeServerAttackTrap | 1.3.6.1.4.1.259.10.1.43.2.1.0.114 | This trap is sent when a DHCP packet is received from a rogue server (the object label keeps its original spelling).
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Web Interface To configure an SNMP group: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Enter a group name, assign a security model and level, and then select read, write, and notify views. 5. Click Apply Figure 226: Creating an SNMP Group To show SNMP groups: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Setting Community Access Strings: Use the Administration > SNMP (Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. SNMP v1 and v2c carry the community string in cleartext in every message, so anyone who can observe management traffic can read it. For security reasons, you should remove the default strings and, where your management station supports it, prefer SNMPv3 with authentication and privacy. Parameters These parameters are displayed: ◆ Community String – A community string that acts like a password and permits access to the SNMP protocol.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show the community access strings: 1. Click Administration, SNMP. 2. Select Configure Community from the Step list. 3. Select Show Community from the Action list.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Select SHA where your management station supports it; MD5 is a legacy choice. ◆ Authentication Password – A minimum of eight plain text characters is required. (Range: 8-32 characters) ◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. DES with a 56-bit key is a legacy cipher that no longer resists a well-resourced attacker, so treat AuthPriv on this switch as protection against casual observation of management traffic, and keep that traffic on a management network.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 230: Configuring Local SNMPv3 Users To show local SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Local User from the Action list. Figure 231: Showing Local SNMPv3 Users To change the group of a local SNMPv3 user: 1. Click Administration, SNMP. 2. Select Change SNMPv3 Local User Group from the Action list. 3. Select the User Name. 4.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol 5. Click Apply. Figure 232: Changing a Local SNMPv3 User Group Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required. ◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 233: Configuring Remote SNMPv3 Users To show remote SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Remote User from the Action list.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive) Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page. ◆ UDP Port – Specifies the UDP port number used by the trap manager.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) ■ Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol 5.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol To show configured trap managers: 1. Click Administration, SNMP. 2. Select Configure Trap from the Step list. 3. Select Show from the Action list. Figure 238: Showing Trap Managers Creating SNMP Notification Logs: Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 384, a default notify filter will be created. Parameters These parameters are displayed: ◆ IP Address – The IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap – Add) page. The notification log is stored locally.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol Figure 240: Showing SNMP Notification Logs Showing Use the Administration > SNMP (Show Statistics) page to show counters for SNMP SNMP Statistics input and output protocol data units. Parameters The following counters are displayed: ◆ SNMP packets input – The total number of messages delivered to the SNMP entity from the transport service.
Chapter 13 | Basic Administration Protocols Simple Network Management Protocol ◆ SNMP packets output – The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service. ◆ Too big errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig.
Remote Monitoring

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.

◆ Sample Type – Tests for absolute or relative changes in the specified variable.

  ■ Absolute – The variable is compared directly to the thresholds at the end of the sampling period.

  ■ Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.

Figure 242: Configuring an RMON Alarm

To show configured RMON alarms:

1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.

Note: The RMON show page includes the Status parameter indicating the condition of the configured alarm.

Note: The RMON show page includes the following parameters:

◆ Type – This is the Sample Type set on the configuration page.
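As an added example (not the switch's own code), the following Python models how an alarm with each Sample Type decides when to fire. The rising/falling threshold hysteresis and the startup-alarm behaviour follow the RFC 2819 alarm group, and the polled counter values are constructed.

```python
"""RMON-style alarm evaluation for the two Sample Types (Absolute and Delta),
with the rising/falling threshold hysteresis of the RFC 2819 alarm group.
Added example; polled values are constructed, not captured from a switch."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    sample_type: str                         # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    startup_alarm: str = "risingOrFalling"   # "rising", "falling" or "risingOrFalling"
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_event: Optional[str] = field(default=None, init=False, repr=False)
    _samples_seen: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled value; return "rising", "falling" or None for this period."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                # Delta needs two samples: the first one only seeds the baseline.
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw                       # Absolute: compare the value itself

        self._samples_seen += 1
        first = self._samples_seen == 1
        event = None
        if value >= self.rising_threshold and self._last_event != "rising":
            # Crossed the rising threshold (or started above it). A further rising
            # event is not generated until the falling threshold has been reached.
            if not first or self.startup_alarm in ("rising", "risingOrFalling"):
                event = "rising"
            self._last_event = "rising"
        elif value <= self.falling_threshold and self._last_event != "falling":
            if not first or self.startup_alarm in ("falling", "risingOrFalling"):
                event = "falling"
            self._last_event = "falling"
        # Values between the thresholds, or on the side already reported, do nothing.
        return event


def run_alarm(alarm: RmonAlarm, polls: List[int]) -> List[Tuple[int, str]]:
    """Replay a series of polled values; return (poll index, event) pairs."""
    fired: List[Tuple[int, str]] = []
    for index, raw in enumerate(polls):
        event = alarm.sample(raw)
        if event is not None:
            fired.append((index, event))
    return fired


def demo_delta_errors() -> List[Tuple[int, str]]:
    """Constructed: a monotonically increasing error counter, Delta sampling,
    rising threshold 30 errors per period, falling threshold 5."""
    alarm = RmonAlarm("delta", rising_threshold=30, falling_threshold=5)
    return run_alarm(alarm, [1000, 1002, 1040, 1095, 1140, 1141, 1142, 1200])


def demo_absolute_gauge() -> List[Tuple[int, str]]:
    """Constructed: a utilisation gauge, Absolute sampling, thresholds 80/60,
    startup alarm set to rising only."""
    alarm = RmonAlarm("absolute", rising_threshold=80, falling_threshold=60,
                      startup_alarm="rising")
    return run_alarm(alarm, [85, 90, 70, 55, 85])


def demo_startup_suppressed() -> List[Tuple[int, str]]:
    """Constructed: same gauge, but the first sample above the rising threshold
    does not fire because startup alarm is falling only."""
    alarm = RmonAlarm("absolute", rising_threshold=80, falling_threshold=60,
                      startup_alarm="falling")
    return run_alarm(alarm, [85, 90, 55, 85])


if __name__ == "__main__":
    print("delta:", demo_delta_errors())
    print("absolute:", demo_absolute_gauge())
    print("startup suppressed:", demo_startup_suppressed())
```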
Figure 243: Showing Configured RMON Alarms

Configuring RMON Events

Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.

◆ Description – A comment that describes this event. (Range: 1-127 characters)

◆ Owner – Name of the person who created this entry. (Range: 1-32 characters)

Web Interface

To configure an RMON event:

1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5.

Figure 245: Showing Configured RMON Events

Configuring RMON History Samples

Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.

◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)

◆ Buckets – The number of buckets requested for this entry. (Range: 1-65536; Default: 8) The number of buckets granted is displayed on the Show page.

◆ Owner – Name of the person who created this entry. (Range: 1-32 characters)

Web Interface

To periodically sample statistics on a port:

1. Click Administration, RMON.
2.
4. Select a port from the list.
5. Click History.

Figure 247: Showing Configured RMON History Samples

To show collected RMON history samples:

1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.

Configuring RMON Statistical Samples

Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

Command Usage

◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.

Figure 249: Configuring an RMON Statistical Sample

To show configured RMON statistical samples:

1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.

Figure 250: Showing Configured RMON Statistical Samples

To show collected RMON statistical samples:

1. Click Administration, RMON.
2.
Figure 251: Showing Collected RMON Statistical Samples

Switch Clustering

Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:

1. Create VLAN 4093 (see “Configuring VLAN Groups” on page 153).
2. Add the participating ports to this VLAN (see “Adding Static Members to VLANs” on page 156), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.

Web Interface

To configure a switch cluster:

1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply.

Figure 252: Configuring a Switch Cluster

Cluster Member Configuration

Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.

Web Interface

To configure cluster members:

1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.

Figure 253: Configuring Cluster Members

To show the cluster members:

1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.

To show cluster candidates:

1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.

Figure 255: Showing Cluster Candidates

Managing Cluster Members

Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.

Parameters

These parameters are displayed:

◆ Member ID – The ID number of the Member switch.
Web Interface

To manage a cluster member:

1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.

Figure 256: Managing a Cluster Member

Setting a Time Range

Use the Administration > Time Range page to set a time range during which various functions are applied, including applied ACLs or PoE.

◆ Mode

  ■ Absolute – Specifies a specific time or time range.

    ■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.

  ■ Periodic – Specifies a periodic interval.

    ■ Start/To – Specifies the days of the week, hours, and minutes at which to start or end.

Web Interface

To configure a time range:

1. Click Administration, Time Range.
2. Select Add from the Action list.
3. Enter the name of a time range.
4.

To configure a rule for a time range:

1. Click Administration, Time Range.
2. Select Add Rule from the Action list.
3. Select the name of a time range from the drop-down list.
4. Select a mode option of Absolute or Periodic.
5. Fill in the required parameters for the selected mode.
6. Click Apply.

Figure 259: Add a Rule to a Time Range

To show the rules configured for a time range:

1. Click Administration, Time Range.
2.
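An added Python example, not part of this guide, that evaluates Absolute (Start/End) and Periodic (Start/To) rules against a given time, which is what an ACL or PoE binding needs to decide whether the range is currently active. How several rules combine (every Absolute rule must cover the time, and at least one Periodic rule must match) and the wrap-around handling for a Periodic window that crosses the end of the week are assumptions, as are the sample rules.

```python
"""Evaluate time-range rules of the two Modes described above.
Added example; the combination policy, wrap-around rule and sample ranges
are assumptions, not the switch's documented behaviour."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Sequence, Union

WEEKDAY = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class AbsoluteRule:
    """Mode Absolute: active from start until end; either bound may be left open."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def matches(self, now: datetime) -> bool:
        after_start = self.start is None or now >= self.start
        before_end = self.end is None or now <= self.end
        return after_start and before_end


@dataclass(frozen=True)
class PeriodicRule:
    """Mode Periodic: a weekly window from (start_day, start) to (to_day, to)."""
    start_day: str
    start: time
    to_day: str
    to: time

    @staticmethod
    def _week_minute(day: str, t: time) -> int:
        return WEEKDAY[day] * MINUTES_PER_DAY + t.hour * 60 + t.minute

    def matches(self, now: datetime) -> bool:
        begin = self._week_minute(self.start_day, self.start)
        end = self._week_minute(self.to_day, self.to)
        cur = now.weekday() * MINUTES_PER_DAY + now.hour * 60 + now.minute
        if begin <= end:
            return begin <= cur <= end
        # Assumption: a window whose end precedes its start wraps past the end of
        # the week (e.g. Sunday 22:00 to Monday 06:00).
        return cur >= begin or cur <= end


Rule = Union[AbsoluteRule, PeriodicRule]


def time_range_active(rules: Sequence[Rule], now: datetime) -> bool:
    """Assumed combination policy: every Absolute rule must cover `now`, and if
    any Periodic rules exist, at least one of them must match. No rules: inactive."""
    if not rules:
        return False
    absolutes = [r for r in rules if isinstance(r, AbsoluteRule)]
    periodics = [r for r in rules if isinstance(r, PeriodicRule)]
    if not all(r.matches(now) for r in absolutes):
        return False
    if periodics and not any(r.matches(now) for r in periodics):
        return False
    return True


def business_hours_2024() -> List[Rule]:
    """Constructed sample: weekdays 08:00-18:00, valid only during 2024."""
    rules: List[Rule] = [AbsoluteRule(start=datetime(2024, 1, 1, 0, 0),
                                      end=datetime(2024, 12, 31, 23, 59))]
    for day in ("mon", "tue", "wed", "thu", "fri"):
        rules.append(PeriodicRule(day, time(8, 0), day, time(18, 0)))
    return rules


def sunday_night_maintenance() -> List[Rule]:
    """Constructed sample: a window that wraps from Sunday night into Monday."""
    return [PeriodicRule("sun", time(22, 0), "mon", time(6, 0))]


if __name__ == "__main__":
    for probe in (datetime(2024, 3, 13, 10, 0), datetime(2024, 3, 13, 20, 0),
                  datetime(2025, 3, 12, 10, 0)):
        print(probe, "business hours:", time_range_active(business_hours_2024(), probe))
    for probe in (datetime(2024, 3, 10, 23, 0), datetime(2024, 3, 11, 2, 0),
                  datetime(2024, 3, 11, 7, 0)):
        print(probe, "maintenance:", time_range_active(sunday_night_maintenance(), probe))
```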
LBD Configuration

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When loopback detection (LBD) is enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.

If the recover time is not enabled (checkbox unmarked), all ports placed in shutdown state can be restored to operation using the Release button. To restore a specific port, re-enable Admin status on the Configure Interface page. The recover-time is the maximum time after a loop is detected at which recovery is triggered. The actual interval between detection and recovery will be less than or equal to the recover-time.

Web Interface

To configure global settings for LBD:

1. Click Administration, LBD, Configure Global.
2. Make the required configuration changes.
3. Click Apply.

Figure 261: Configuring Global Settings for LBD

Configuring Interface Settings for LBD

Use the Administration > LBD (Configure Interface) page to enable loopback detection on an interface, to display the loopback operational state, and the VLANs which are looped back.
Figure 262: Configuring Interface Settings for LBD

Smart Pair Configuration

A Smart Pair consists of two ports which are paired to provide layer 2 link redundancy. The pair consists of a primary port and a backup port. All traffic is forwarded through the primary port and the backup port will be set to standby. If the primary port link goes down, the backup port is activated and all traffic is forwarded through it.

Configuring the Smart Pair Global Settings

Use the Administration > Smart Pair (Configure Global) page to create a Smart Pair ID. The Smart Pair ID will be used to specify two ports that are the primary and secondary members of the Smart Pair.

Parameters

These parameters are displayed:

◆ Smart Pair ID – Specifies a Smart Pair on the switch. (Default: None; Range: 11000 IDs can be specified)

◆ WTR Delay – Sets the wait-to-restore delay for a Smart Pair in seconds. (Default: 30 seconds; Range: 0, 5-3600)

Web Interface

To configure the interface settings for a Smart Pair:

1. Click Administration, Smart Pair, Configure Smart Pair.
2. Select Configure from the Action menu.
3. Select the ID of the Smart Pair to be configured from the ID pull-down menu.
4.

Figure 265: Displaying the Smart Pair IDs

Display the Configured Smart Pair Port Members and Restore the Traffic

Use the Administration > Smart Pair (Configure Smart Pair Global) page to display the port members of a Smart Pair.

Web Interface

To configure the interface settings for a Smart Pair:

1. Click Administration, Smart Pair, Configure Smart Pair.
2. Select Configure from the Show menu.
3.
14 Multicast Filtering

This chapter describes how to configure the following multicast services:

◆ IGMP Snooping – Configures snooping and query parameters.

◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.

◆ MLD Snooping – Configures snooping and query parameters for IPv6.

◆ MLD Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
Chapter 14 | Multicast Filtering
Layer 2 IGMP (Snooping and Query for IPv4)

This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.

have not requested a specific source (the only option for IGMPv1 and v2 hosts unless statically configured on the switch), and a channel indicates a flow for which the hosts have requested service from a specific source. For IGMPv1/v2 hosts, the source address of a channel is always null (indicating that any source is acceptable), but for IGMPv3 hosts, it may include a specific address when requested.

◆ Last Leave: Intercepts, absorbs and summarizes IGMP leaves coming from IGMP hosts. IGMP leaves are relayed upstream only when necessary, that is, when the last user leaves a multicast group.

◆ Query Suppression: Intercepts and processes IGMP queries in such a way that IGMP specific queries are never sent to client ports.

Parameters

These parameters are displayed:

◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping. (Default: Disabled) When IGMP snooping is enabled globally, the per-VLAN interface settings for IGMP snooping take precedence (see “Setting IGMP Snooping Status per Interface” on page 428).

members have been learned. Otherwise, the time spent in flooding mode can be manually configured to reduce excessive loading. When the spanning tree topology changes, the root bridge sends a proxy query to quickly re-learn the host membership/port relations for multicast channels. The root bridge also sends an unsolicited Multicast Router Discover (MRD) request to quickly locate the multicast routers in this VLAN.

◆ IGMP Unsolicited Report Interval – Specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. (Range: 1-65535 seconds; Default: 400 seconds) When a new upstream interface (that is, uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels via the new upstream interface.

Figure 268: Configuring General Settings for IGMP Snooping

Specifying Static Interfaces for a Multicast Router

Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.

Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.

Show Static Multicast Router

◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.

◆ Interface – Shows the interface to which the specified static multicast routers are attached.

Show Current Multicast Router

◆ VLAN – Selects the VLAN for which to display any currently active multicast routers.

◆ Interface – Shows the interface to which an active multicast router is attached.

Figure 270: Showing Static Interfaces Attached to a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM), to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.

ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.

Command Usage

◆ Static multicast addresses are never aged out.

◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.

To show the static interfaces assigned to a multicast service:

1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.

Note: The default values recommended in the MRD draft are implemented in the switch.

Multicast Router Discovery uses the following three message types to discover multicast routers:

◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.

Parameters

These parameters are displayed:

◆ VLAN – ID of configured VLANs. (Range: 1-4094)

◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.

joining the multicast group. Only when all hosts on that port leave the group will the member port be deleted.

◆ Multicast Router Discovery – MRD is used to discover which interfaces are attached to multicast routers. (Default: Disabled)

◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts.

◆ Query Interval – The interval between sending IGMP general queries. (Range: 2-31744 seconds; Default: 125 seconds) An IGMP general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.

To resolve this problem, the source address in proxied IGMP query messages can be replaced with any valid unicast address (other than the router’s own address).

Web Interface

To configure IGMP snooping on a VLAN:

1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.

Figure 275: Showing Interface Settings for IGMP Snooping

Filtering IGMP Query Packets and Multicast Data

Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets.

Parameters

These parameters are displayed:

◆ Interface – Port or Trunk identifier.

◆ IGMP Query Drop – Configures an interface to drop any IGMP query packets received on the specified interface.

Figure 276: Dropping IGMP Query or Multicast Data Packets

Displaying Multicast Groups Discovered by IGMP Snooping

Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

Command Usage

To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 420).

Web Interface

To show multicast groups learned through IGMP snooping:

1. Click Multicast, IGMP Snooping, Forwarding Entry.

Figure 277: Showing Multicast Groups Learned by IGMP Snooping

Displaying IGMP Snooping Statistics

Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.

Parameters

These parameters are displayed:

◆ VLAN – VLAN identifier.

◆ General Query Received – The number of general queries received on this interface.

◆ General Query Sent – The number of general queries sent from this interface.

◆ Specific Query Received – The number of specific queries received on this interface.

◆ Specific Query Sent – The number of specific queries sent from this interface.

◆ Leave – The number of leave messages sent from this interface.

◆ G Query – The number of general query messages sent from this interface.

◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.

◆ Clear – Click the Clear button to reset the statistics.

◆ Refresh – Click the Refresh button to update the statistics.

3. Select a VLAN.

Figure 279: Displaying IGMP Snooping Statistics – VLAN

To display IGMP snooping protocol-related statistics for a port:

1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
To display IGMP snooping protocol-related statistics for a trunk:

1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Trunk Statistics from the Action list.
3. Select a Trunk.

Figure 281: Displaying IGMP Snooping Statistics – Port

Filtering and Throttling IGMP Groups

In certain switch applications, the administrator may want to control the multicast services that are available to end users.

deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.

Enabling IGMP Filtering and Throttling

Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.

Parameters

These parameters are displayed:

Add

◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295)

◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.

To show the IGMP filter profiles:

1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.

Figure 284: Showing the IGMP Filtering Profiles Created

To add a range of multicast groups to an IGMP filter profile:

1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4.

To show the multicast groups configured for an IGMP filter profile:

1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.

◆ Profile ID – Selects an existing profile to assign to an interface.

◆ Max Multicast Groups – Sets the maximum number of multicast groups an interface can join at the same time. (Range: 1-511; Default: 511)

◆ Current Multicast Groups – Displays the current multicast groups the interface has joined.
MLD Snooping (Snooping and Query for IPv6)

There are two versions of the MLD protocol, version 1 and version 2. MLDv1 control packets include Listener Query, Listener Report, and Listener Done messages (equivalent to IGMPv2 query, report, and leave messages). MLDv2 control packets include MLDv2 query and report messages, as well as MLDv1 report and done messages.

◆ Router Port Expiry Time – The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired. (Range: 300-500 seconds; Default: 300 seconds)

◆ MLD Snooping Version – The protocol version used for compatibility with other devices on the network. This is the MLD version the switch uses to send snooping reports.

Figure 288: Configuring General Settings for MLD Snooping

Setting Immediate Leave Status for MLD Snooping per Interface

Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.

Parameters

These parameters are displayed:

◆ VLAN – A VLAN identification number.

3. Click Apply.

Figure 289: Configuring Immediate Leave for MLD Snooping

Specifying Static Interfaces for an IPv6 Multicast Router

Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch.

Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.

Figure 290: Configuring a Static Interface for an IPv6 Multicast Router

To show the static interfaces attached to a multicast router:

1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.

Assigning Interfaces to IPv6 Multicast Services

Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface.

Multicast filtering can be dynamically configured using MLD snooping and query messages (see “Configuring MLD Snooping and Query Parameters” on page 446).

Figure 293: Assigning an Interface to an IPv6 Multicast Service

To show the static interfaces assigned to an IPv6 multicast service:

1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.

Figure 295: Showing Current Interfaces Assigned to an IPv6 Multicast Service

Showing MLD Snooping Groups and Source List

Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.

Parameters

These parameters are displayed:

◆ VLAN – VLAN identifier. (Range: 1-4094)

◆ Interface – Port or trunk identifier.

◆ Exclude List – Sources included on the router’s exclude list.

Web Interface

To display known MLD multicast groups:

1. Click Multicast, MLD Snooping, Group Information.
2. Select the port or trunk, and then select a multicast service assigned to that interface.

◆ Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MLD group report received.

◆ Join Success – The number of times a multicast group was successfully joined.

◆ Group – The number of MLD groups active on this interface.

Output

Same as input parameters listed above, except that the direction of transmission is outbound.

Physical Interface (Port/Trunk)

◆ Querier

◆ Transmit

  ■ General – The number of general queries sent from this interface.

  ■ Group Specific – The number of group specific queries sent from this interface.

◆ Received

  ■ General – The number of general queries received on this interface.

  ■ Group Specific – The number of group specific queries received on this interface.

■ Other Uptime – Time remote querier has been up.

■ Other Expire – Time after which remote querier is assumed to have expired.

■ Self Addr – IPv6 address of local querier on this interface.

■ Self Expire – Time after which local querier is assumed to have expired.

■ Self Uptime – Time local querier has been up.

◆ Transmit

  ■ General – The number of general queries sent from this interface.

■ Filter Drop – The number of messages dropped by an MLD filtering profile.

■ Source Port Drop – The number of dropped messages that are received on an MVR source port or mrouter port.

■ Others Drop – The number of received invalid messages.

Clear

Parameters

These parameters are displayed:

◆ All – Clears statistics for all MLD messages.

◆ VLAN – VLAN identifier.

To display MLD snooping output-related message statistics:

1. Click Multicast, MLD Snooping, Statistics.
2. Select Output.

Figure 298: Displaying MLD Snooping Statistics – Output

To display MLD query message statistics:

1. Click Multicast, MLD Snooping, Statistics.
2. Select Query.

To display MLD summary statistics for a port or trunk:

1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a port or trunk.

To display MLD summary statistics for a VLAN:

1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a VLAN.
Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups To clear MLD statistics: 1. Click Multicast, MLD Snooping, Statistics. 2. Select Clear. 3. Select All or enter the required interface. 4. Click Clear. Figure 302: Clearing MLD Snooping Statistics Filtering and Throttling MLD Groups In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups Enabling MLD Use the Multicast > MLD Snooping > Filter (Configure General) page to enable Filtering and IGMP filtering and throttling globally on the switch. Throttling Parameters These parameters are displayed: ◆ MLD Filter Status – Enables MLD filtering and throttling globally for the switch. (Default: Disabled) Web Interface To enable MLD filtering and throttling on the switch: 1. Click Multicast, MLD Snooping, Filter. 2.
When the access mode is set to permit, MLD join reports are processed only when the multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are processed only when the multicast group is not in the controlled range.
Add Multicast Group Range
◆ Profile ID – Selects an IGMP profile to configure.
◆ Start Multicast IPv6 Address – Specifies the starting address of a range of multicast groups.
Figure 305: Showing the MLD Filtering Profiles Created
To add a range of multicast groups to an MLD filter profile:
1. Click Multicast, MLD Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.
To show the multicast groups configured for an MLD filter profile:
1. Click Multicast, MLD Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
◆ Current Multicast Groups – Displays the current multicast groups the interface has joined.
◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny)
■ Deny – The new multicast group join report is dropped.
■ Replace – The new multicast group replaces an existing group.
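The permit/deny profile logic and the per-interface throttling action described above, as an added model in Python (not the switch's own code). It assumes that Replace evicts the oldest joined group, which the guide does not specify.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MldProfile:
    """One MLD filter profile: an access mode plus the multicast group ranges it controls."""
    profile_id: int
    access_mode: str                      # "permit" or "deny"
    ranges: List[Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address]] = field(default_factory=list)

    def add_range(self, start: str, end: str) -> None:
        """Add a Start/End Multicast IPv6 Address pair (a single group has start == end)."""
        s, e = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
        if not (s.is_multicast and e.is_multicast):
            raise ValueError("profile ranges must contain IPv6 multicast (FF00::/8) addresses")
        if s > e:
            raise ValueError("start address must not be above end address")
        self.ranges.append((s, e))

    def in_controlled_range(self, group: str) -> bool:
        g = ipaddress.IPv6Address(group)
        return any(s <= g <= e for s, e in self.ranges)

    def permits(self, group: str) -> bool:
        """permit: process joins only inside a range; deny: process joins only outside."""
        inside = self.in_controlled_range(group)
        return inside if self.access_mode == "permit" else not inside


@dataclass
class MldInterface:
    """Per-interface state: bound profile, maximum groups and throttling action (Deny or Replace)."""
    profile: Optional[MldProfile]
    max_groups: int
    throttling_action: str = "deny"       # "deny" or "replace"
    groups: List[str] = field(default_factory=list)

    def join(self, group: str) -> str:
        """Handle an MLD join report for `group`; returns the outcome as a short string."""
        group = ipaddress.IPv6Address(group).compressed   # normalise so comparisons are exact
        if self.profile is not None and not self.profile.permits(group):
            return "filtered"              # dropped by the filter profile
        if group in self.groups:
            return "already-joined"
        if len(self.groups) >= self.max_groups:
            if self.throttling_action == "deny":
                return "throttled"         # join report dropped, table unchanged
            evicted = self.groups.pop(0)   # assumption: the oldest entry is the one replaced
            self.groups.append(group)
            return f"replaced {evicted}"
        self.groups.append(group)
        return "joined"
```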
Chapter 14 | Multicast Filtering Filtering MLD Query Packets on an Interface
Use the Multicast > MLD Snooping > Query Drop page to configure an interface to drop MLD query packets.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier.
◆ Query Drop – Drops any MLD query packets received on the specified interface. (Default: Disabled)
15 IP Tools
This chapter provides information on network functions including:
◆ Ping – Sends a ping message to another node on the network.
◆ Trace Route – Sends ICMP echo request packets to another node on the network.
◆ Address Resolution Protocol – Describes how to configure proxy ARP or static addresses, and how to display entries in the ARP cache.
Using the Ping Function
Use the Tools > Ping page to send ICMP echo request packets to another node on the network.
Chapter 15 | IP Tools Using the Trace Route Function
■ Network or host unreachable – The gateway found no corresponding entry in the route table.
The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.
Web Interface
To ping another device on the network:
1.
◆ IPv4 Max Failures – The maximum number of failures after which the trace route is terminated. (Fixed: 5)
◆ IPv6 Max Failures – The maximum number of failures after which the trace route is terminated. (Range: 1-255; Default: 5)
Command Usage
Use the trace route function to determine the path taken to reach a specified destination.
Chapter 15 | IP Tools Address Resolution Protocol
Figure 311: Tracing the Route to a Network Device
Address Resolution Protocol
If IP routing is enabled (page 505), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
reply, it writes the destination IP address and corresponding MAC address into its cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the router will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request.
Web Interface
To configure the timeout for the ARP cache or to enable Proxy ARP for a VLAN (i.e., IP subnetwork):
1. Click Tools, ARP.
2. Select Configure General from the Step List.
3. Enable Proxy ARP for subnetworks that do not have routing or a default gateway.
4. Click Apply.
Figure 313: Configuring General Settings for ARP
Displaying Dynamic ARP Entries
Use the Tools > ARP page to display dynamic or local entries in the ARP cache.
Figure 314: Displaying ARP Entries
Displaying ARP Statistics
Use the Tools > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this switch.
Parameters
These parameters are displayed:
Table 28: ARP Statistics
Parameter – Description
Received Request – Number of ARP Request packets received by the router.
Received Reply – Number of ARP Reply packets received by the router.
16 IP Configuration This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can either be manually configured or dynamically generated.
Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4)
IP > Routing > Static Routes (Add) page (see “Configuring Static Routes” on page 502) or IP > IPv6 Configuration (Configure Global) page (see “Configuring the IPv6 Default Gateway” on page 482).
Parameters
These parameters are displayed:
◆ VLAN – ID of the configured VLAN (1-4094). By default, all ports on the switch are members of VLAN 1.
4. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask.
5. Select Primary or Secondary Address Type.
6. Click Apply.
Figure 316: Configuring a Static IPv4 Address
To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch:
1. Click IP, General, Routing Interface.
2.
Figure 317: Configuring a Dynamic IPv4 Address
Note: The switch will also broadcast a request for IP configuration settings on each power reset.
Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Chapter 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6)
Figure 318: Showing the Configured IPv4 Address for an Interface
Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
Configuring the IPv6 Default Gateway
Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.
Parameters
These parameters are displayed:
◆ Default Gateway – Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.
◆ The option to explicitly enable IPv6 creates a link-local address, but will not generate a global IPv6 address if auto-configuration is not enabled. In this case, you can manually configure a global unicast address (see “Configuring an IPv6 Address” on page 487).
◆ IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks.
Disabling this parameter does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.
◆ MTU – Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. (Range: 1280-65535 bytes; Default: 1500 bytes)
■ The maximum value set in this field cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
◆ ND NS Interval – The interval between transmitting IPv6 neighbor solicitation messages on an interface. (Range: 1000-3600000 milliseconds; Default: 1000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements) This attribute specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor.
■ The M flag is set to 0, and the O flag is set to 1: DHCPv6 is used only for other configuration settings. Neighboring routers are configured to advertise non-link-local address prefixes from which IPv6 hosts derive stateless addresses. This combination is known as DHCPv6 stateless autoconfiguration, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings.
Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
◆ Link Local – Configures an IPv6 link-local address.
■ The address prefix must be in the range of FE80~FEBF.
■ You can configure only one link-local address per interface.
■ The specified address replaces a link-local address that was automatically generated for the interface.
◆ IPv6 Address – IPv6 address assigned to this interface.
Web Interface
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2.
In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Parameters
These parameters are displayed:
Table 29: Show IPv6 Neighbors - display description
Field – Description
IPv6 Address – IPv6 address of neighbor.
Age – The time since the address was verified as reachable (in seconds).
Web Interface
To show neighboring IPv6 devices:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.
Figure 323: Showing IPv6 Neighbors
Showing IPv6 Statistics
Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters
These parameters are displayed:
Table 30: Show IPv6 Statistics - display description
Field – Description
IPv6 Statistics
IPv6 Received Total – The total number of input datagrams received by the interface, including those received in error.
Table 30: Show IPv6 Statistics - display description (Continued)
Field – Description
IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 30: Show IPv6 Statistics - display description (Continued)
Field – Description
Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface.
Redirect Messages – The number of Redirect messages received by the interface.
Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.
Web Interface
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3. Click IPv6, ICMPv6 or UDP.
Figure 325: Showing IPv6 Statistics (ICMPv6)
Figure 326: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 General IP Routing
This chapter provides information on network functions including:
◆ Static Routes – Configures static routes to other network segments.
◆ Routing Table – Displays routing entries learned through statically configured entries.
Overview
This switch supports IP routing and routing path management via static routing definitions and dynamic routing protocols such as RIP.
Chapter 17 | General IP Routing IP Routing and Switching
Figure 328: Virtual Interfaces and Layer 3 Routing (inter-subnet traffic between VLAN 1 and VLAN 2 is Layer 3 switching over tagged or untagged ports; intra-subnet traffic is Layer 2 switching)
IP Routing and Switching
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
Chapter 17 | General IP Routing Configuring Static Routes
You can enter static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes may be required to force the use of a specific route to a subnet. Static routes do not automatically change in response to changes in network topology, so you should only configure a small number of stable routes to ensure network accessibility.
Command Usage
◆ Up to 32 static routes can be configured.
Chapter 17 | General IP Routing Displaying the Routing Table
Figure 329: Configuring Static Routes
To display static routes:
1. Click IP, Routing, Static Routes.
2. Select Show from the Action list.
Figure 330: Displaying Static Routes
Displaying the Routing Table
Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces through static routes.
forwarding decision on a particular packet. The typical components within a FIB entry are a network prefix, a router (i.e., VLAN) interface, and next hop information.
◆ The Routing Table (and the “show ip route” command described in the CLI Reference Guide) only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with any route entry must be up.
18 Unicast Routing
This chapter describes how to configure the following unicast routing protocols:
◆ RIP – Configures Routing Information Protocol.
Overview
This switch can route unicast traffic to different subnetworks using Routing Information Protocol (RIP). It supports RIP and RIP-2 dynamic routing. These protocols exchange routing information, calculate routing tables, and can respond to changes in the status or loading of the network.
Chapter 18 | Unicast Routing Configuring the Routing Information Protocol
The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings
Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers. RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1)
The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics. It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Basic Timer Settings
Note: The timers must be set to the same values for all routers in the network.
◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. (Range: 5-2147483647 seconds; Default: 30 seconds)
Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
Figure 333: Configuring General Settings for RIP
Clearing Entries from the Routing Table
Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.
Command Usage
◆ RIP must be enabled to activate this menu option.
◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length.
■ Network IP Address – Deletes all related entries for the specified network address.
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Web Interface
To clear RIP entries from the routing table:
1. Click Routing Protocol, RIP, General.
2.
Parameters
These parameters are displayed:
◆ By Address – Adds a network to the RIP routing process.
■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified)
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 336: Showing Network Interfaces Using RIP
Specifying Passive Interfaces
Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.
Command Usage
◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
Figure 337: Specifying a Passive RIP Interface
To show the passive RIP interfaces:
1. Click Routing Protocol, RIP, Passive Interface.
2. Select Show from the Action list.
Figure 339: Specifying a Static RIP Neighbor
To show static RIP neighbors:
1. Click Routing Protocol, RIP, Neighbor Address.
2. Select Show from the Action list.
It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP. For example, if a metric of 10 is defined for redistributed routes, these routes can only be advertised to routers up to 5 hops away, at which point the metric exceeds the maximum hop count of 15.
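The hop-count arithmetic behind the metric-of-10 example, worked through as an added Python simulation (not Edgecore code): one redistributed route is advertised along a chain of RIP routers, each receiver adding 1 to the metric and refusing to install anything that reaches 16. The 1-15 metric range is the RIP Default Metric range from this guide; the prefix is a constructed sample.

```python
from typing import Dict, List, Optional

RIP_INFINITY = 16            # a metric of 16 means "unreachable" in RIP
MAX_HOPS = RIP_INFINITY - 1  # 15, the largest metric a router will still install


def validate_default_metric(metric: int) -> int:
    """The RIP Default Metric field accepts 1-15."""
    if not 1 <= metric <= MAX_HOPS:
        raise ValueError(f"default metric must be 1-15, got {metric}")
    return metric


def reachable_hops(default_metric: int) -> int:
    """Number of routers beyond the redistributing router that can still install the route."""
    validate_default_metric(default_metric)
    return MAX_HOPS - default_metric


def simulate_chain(default_metric: int, n_routers: int,
                   prefix: str = "198.51.100.0/24") -> List[Optional[int]]:
    """Propagate one redistributed route along R0 -> R1 -> ... -> R(n-1).

    Returns the metric each router ends up holding for `prefix`
    (None where the route never became installable).
    """
    validate_default_metric(default_metric)
    tables: List[Dict[str, int]] = [dict() for _ in range(n_routers)]
    tables[0][prefix] = default_metric  # R0 imports the external route with the default metric
    changed = True
    while changed:                      # exchange updates until the chain converges
        changed = False
        for i in range(n_routers - 1):  # R(i) advertises its table to R(i+1)
            for route, metric in tables[i].items():
                learned = metric + 1    # the receiver adds the link cost of 1
                if learned >= RIP_INFINITY:
                    continue            # metric 16: unreachable, the route is not installed
                if tables[i + 1].get(route, RIP_INFINITY) > learned:
                    tables[i + 1][route] = learned
                    changed = True
    return [table.get(prefix) for table in tables]
```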
Specifying an Administrative Distance
Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
Command Usage
◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols.
To show the distance assigned to external routes learned from other routing protocols:
1. Click Routing Protocol, RIP, Distance.
2. Select Show from the Action list.
■ Use “RIPv1 and RIPv2” if some routers in the local network are using RIPv2, but there are still some older routers using RIPv1. (This is the default setting.)
■ Use “Do Not Receive” if dynamic entries are not required to be added to the routing table for an interface. (For example, when only static routes are to be allowed for a specific interface.)
Protocol Message Authentication
RIPv1 is not a secure protocol.
◆ Receive Version – The RIP version to receive on an interface.
■ RIPv1: Accepts only RIPv1 packets.
■ RIPv2: Accepts only RIPv2 packets.
■ RIPv1 and RIPv2: Accepts RIPv1 and RIPv2 packets.
■ Do Not Receive: Does not accept incoming RIP packets. This option does not add any dynamic entries to the routing table for an interface.
The default depends on the setting for the Global RIP Version.
Web Interface
To configure network interface settings for RIP:
1. Click Routing Protocol, RIP, Interface.
2. Select Add from the Action list.
3. Select a Layer 3 VLAN interface to participate in RIP. Select the RIP protocol message types that will be received and sent. Select the RIP authentication method and password. Then set the loopback prevention method.
4. Click Apply.
Displaying RIP Interface Settings
Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.
Parameters
These parameters are displayed:
◆ Interface – Source IP address of RIP router interface.
◆ Auth Type – The type of authentication used for exchanging RIPv2 protocol messages.
◆ Send Version – The RIP version to send on this interface.
◆ Version – Shows whether RIPv1 or RIPv2 packets were received from this peer.
◆ Rcv Bad Packets – Number of bad RIP packets received from this peer.
◆ Rcv Bad Routes – Number of bad routes received from this peer.
Web Interface
To display information on neighboring RIP routers:
1. Click Routing Protocol, RIP, Statistics.
2. Select Show Peer Information from the Action list.
19 IP Services
This chapter describes the following IP services:
◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ Multicast DNS – Configures multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
◆ DHCP – Configures client, relay, and dynamic provisioning.
Chapter 19 | IP Services Domain Name Service
Parameters
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)
Web Interface
To configure general settings for DNS:
1. Click IP Service, DNS.
2.
◆ If all name servers are deleted, DNS will automatically be disabled.
Parameters
These parameters are displayed:
◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters)
Web Interface
To create a list of domain names:
1. Click IP Service, DNS.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.
Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
Command Usage
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 525).
To show the list of name servers:
1. Click IP Service, DNS.
2. Select Show Name Servers from the Action list.
Figure 354: Showing the List of Name Servers for DNS
Configuring Static DNS Host Entries
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 355: Configuring Static Entries in the DNS Table
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 356: Showing Static Entries in the DNS Table
Displaying the DNS Cache
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
Chapter 19 | IP Services Multicast Domain Name Service
◆ TTL – The time to live reported by the name server.
◆ Host – The host name associated with this record.
Web Interface
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
Figure 357: Showing Entries in the DNS Cache
Multicast Domain Name Service
Use the IP Service > Multicast DNS page to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
Chapter 19 | IP Services Dynamic Host Configuration Protocol
■ Announcing – The responder sends an unsolicited mDNS Response containing all of its newly registered resource records (both shared records, and unique records that have completed the probing step).
■ Updating – The responder repeats the Announcing step to update neighbor caches when the data for any local mDNS record changes.
information about a client, but the specific string to use should be supplied by your service provider or network administrator. Options 60, 66 and 67 statements can be added to the server daemon’s configuration file.
Web Interface
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
3. Click Apply.
◆ DHCP relay configuration will be disabled if an active DHCP server is detected on the same network segment.
Parameters
These parameters are displayed:
◆ DHCP Relay Type – L2 or L3
Web Interface
To configure the DHCP relay type:
1. Click IP Service, DHCP, Relay.
2. Select either L2 or L3 from the drop-down menu items.
3. Click Apply.
where the client is located. Depending on the selected frame format set for the remote-id, this information may specify the MAC address, IP address, or an arbitrary string for the requesting device (that is, the relay agent in this context).
management VLAN or a non-management VLAN, it will process it according to the configured relay information option policy:
■ If the policy is “replace,” the DHCP request packet’s option 82 content (the RID and CID sub-option) is replaced with information provided by the switch. The relay agent address is inserted into the DHCP request packet, and the switch then unicasts this packet to the DHCP server.
■ The reply packet contains a valid relay agent address field (that is not the address of this switch), or the switch receives a reply packet with a zero relay agent address through the management VLAN.
■ A DHCP relay server has been set on the switch, and the switch receives a reply packet on a non-management VLAN.
Parameters
These parameters are displayed:
◆ Insertion of Relay Information – Enable DHCP Option 82 information relay.
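The “replace” policy for option 82 described above, as an added Python model of the options field only (not the switch's implementation; insertion of the relay agent address into the fixed BOOTP header is not modelled). The sample DHCPDISCOVER options, circuit-id and remote-id values are constructed for the example; the option and sub-option codes are the standard ones (option 82, sub-options 1 = CID and 2 = RID).

```python
from typing import Dict, List, Tuple

OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61
OPT_RELAY_AGENT_INFO = 82             # DHCP Option 82, Relay Agent Information
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # the CID and RID sub-options


def _parse_tlvs(buf: bytes, dhcp_options: bool) -> List[Tuple[int, bytes]]:
    """Walk code/length/value triples; PAD and END are only special in the options field."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if dhcp_options and code == OPT_END:
            break
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out.append((code, value))
        i += 2 + length
    return out


def _encode_tlvs(pairs: List[Tuple[int, bytes]]) -> bytes:
    out = bytearray()
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError(f"option {code} value longer than 255 bytes")
        out += bytes((code, len(value))) + value
    return bytes(out)


def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Parse a DHCP options field into ordered (code, value) pairs."""
    return _parse_tlvs(buf, dhcp_options=True)


def build_options(opts: List[Tuple[int, bytes]]) -> bytes:
    return _encode_tlvs(opts) + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    return _encode_tlvs([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)])


def parse_option82(value: bytes) -> Dict[int, bytes]:
    return dict(_parse_tlvs(value, dhcp_options=False))


def relay_replace(options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """'replace' policy: discard any client-supplied option 82 and append the switch's own CID/RID.

    Every other option is kept in its original order, so the server still sees the
    message type, client identifier and so on exactly as the client sent them.
    """
    kept = [(c, v) for c, v in parse_options(options) if c != OPT_RELAY_AGENT_INFO]
    kept.append((OPT_RELAY_AGENT_INFO, build_option82(circuit_id, remote_id)))
    return build_options(kept)


# Constructed sample values (not from the guide): the switch's own CID/RID and a
# DHCPDISCOVER in which the client has forged its own option 82.
SWITCH_CID = bytes([0x00, 0x0A, 0x03])           # e.g. VLAN 10, port 3 encoded as bytes
SWITCH_RID = bytes.fromhex("0011223344ff")        # e.g. the switch MAC address
FORGED_DISCOVER = build_options([
    (OPT_MESSAGE_TYPE, b"\x01"),
    (OPT_RELAY_AGENT_INFO, build_option82(b"bogus", b"\x00" * 6)),
    (OPT_CLIENT_ID, b"\x01" + bytes.fromhex("aabbccddeeff")),
])
```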
Figure 361: Configuring DHCP L2 Relay
Configuring DHCP L3 Relay Service
Use the IP Service > DHCP > L3 Relay page to configure DHCP relay service for attached host devices. If DHCP L3 relay mode is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server.
Parameters
These parameters are displayed:
◆ VLAN ID – ID of configured VLAN.
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.
◆ Restart DHCP Relay – Use this button to re-initialize DHCP relay service.
Web Interface
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay.
2.
the DHCP server can identify the device and determine what information should be given to the requesting device.
Parameters
These parameters are displayed:
◆ Dynamic Provision via DHCP Status – Enables dynamic provisioning via DHCP. (Default: Disabled)
Web Interface
To enable dynamic provisioning via DHCP:
1. Click IP Service, DHCP, Dynamic Provision.
2.
◆ The relay agent is enabled when at least one configured VLAN has an entry listed in the IP Service > DHCPv6 > Relay (Action: Show) page.
◆ The relay agent is disabled if there are no entries for any configured VLAN in the IP Service > DHCPv6 > Relay (Action: Show) page.
Parameters
These parameters are displayed:
◆ VLAN – ID of the configured VLAN.
Figure 365: Enabling DHCPv6 Relay Agent for Unicast mode
To enable the switch’s DHCPv6 Relay Agent for Multicast mode:
1. Click IP Service, DHCPv6, Relay (Action: Add).
2. Select a VLAN from the VLAN drop-down list.
3. Select Multicast from the Mode drop-down list.
4. Select a destination VLAN or All (VLANs) from the Destination VLAN drop-down list.
5. Click Apply.
Figure 366: Enabling DHCPv6 Relay Agent for Multicast mode
Figure 367: Enabling DHCPv6 Relay Agent for Multicast mode
Section III Appendices
This section provides additional information and includes these items:
◆ “Software Specifications” on page 547
◆ “Troubleshooting” on page 553
◆ “License Information” on page 555
– 545 –
A Software Specifications
Software Features
Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
General Security Measures: Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard
Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LHX/ZX: 1000 Mbps at full duplex (SFP)
Flow Control: Full Duplex: IEEE 802.
Appendix A | Software Specifications
Management Features
VLAN Support: Up to 4094 groups; port-based, protocol-based, tagged (802.
Standards
RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
Standards: IEEE 802.1AB Link Layer Discovery Protocol; IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities, Spanning Tree Protocol, Rapid Spanning Tree Protocol, Multiple Spanning Tree Protocol; IEEE 802.1p Priority tags; IEEE 802.1Q VLAN; IEEE 802.1v Protocol-based VLANs; IEEE 802.1X Port Authentication; IEEE 802.
Management Information Bases
Bridge MIB (RFC 1493)
Differentiated Services MIB (RFC 3289)
DNS Resolver MIB (RFC 1612)
Entity MIB (RFC 2737)
Ether-like MIB (RFC 2665)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP MIB (RFC 2011)
IP Forwarding Table MIB (RFC 2096)
IP Multicasting related MIBs
IPV6-MIB
SNMP User-Based SM MIB (RFC 3414)
SNMP View Based ACM MIB (RFC 3415)
SNMPv2 IP MIB (RFC 2011)
TACACS+ Authentication Client MIB
TCP MIB (RFC 2012)
Trap (RFC 1215)
UDP MIB (RFC 2013)
B Troubleshooting
Problems Accessing the Management Interface
Table 34: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Appendix B | Troubleshooting
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary
ACL – Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP – Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ – Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
IEEE 802.1D – Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q – VLAN Tagging. Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IEEE 802.1p – An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping – Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
In-Band Management – Management of the network from a station attached directly to the network.
IP Multicast Filtering – A process whereby this switch can pass multicast traffic along to participating hosts.
MRD – Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
MSTP – Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs.
RMON – Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
RSTP – Rapid Spanning Tree Protocol. RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.
UDP – User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets: connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
UTC – Universal Time Coordinate.
E012021-CS-R07