ECS4100 Series Web Management Guide Software Release v1.2.77.212 www.edge-core.
Web Management Guide

ECS4100-12T Gigabit Ethernet Switch
L2+/L3 Lite Gigabit Ethernet Switch with 8 10/100/1000BASE-T ports, 2 Combos and 2 SFP ports

ECS4100-12PH Gigabit Ethernet Switch
L2+/L3 Lite UPOE Gigabit Ethernet Switch with 8 10/100/1000BASE-T PoE+ Ports, 2 Combos and 2 SFP ports

ECS4100-26TX Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 24 10/100/1000BASE-T ports and 2 10 SFP+ ports

ECS4100-26TX-ME Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 24 10/100/1000BASE-T ports an
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read this Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
For information on how to install the switch, see the following guide:
Quick Start Guide

For all safety information and regulatory statements, see the following documents:
Quick Start Guide
Safety and Regulatory Information

Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Revision | Date
v.1.2.24.182 | 09/2018
v1.2.9.173 | 11/2017
v1.2.2.172 | 06/2017
v1.11.08.
Section I Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1: Key Features (Continued)
Feature | Description
IEEE 802.1D Bridge | Supports dynamic data switching and address learning
Store-and-Forward Switching | Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 4093 using IEEE 802.
Description of Software Features

a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).
Port Trunking
Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 12 trunks.
creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
◆ Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard.
IEEE 802.1Q Tunneling (QinQ)
This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
MVR6 for IPv6) which allows common multicast traffic, such as television channels, to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.

Link Layer Discovery Protocol
LLDP is used to discover basic information about neighboring devices within the local broadcast domain.
System Defaults

Table 2: System Defaults (Continued)
Function | Parameter | Default
Authentication and Security Measures | Privileged Exec Level | Username “admin”, Password “admin”
Authentication and Security Measures | Normal Exec Level | Username “guest”, Password “guest”
Authentication and Security Measures | Enable Privileged Exec from Normal Exec Level | Password “super”
Authentication and Security Measures | RADIUS Authentication | Disabled
Authentication and Security Measures | TACACS+ Authentication | Disabled
Authentication and Security Measures | 802.
Table 2: System Defaults (Continued)
Function | Parameter | Default
Spanning Tree Algorithm | Status | Enabled, RSTP (Defaults: RSTP standard)
Spanning Tree Algorithm | Edge Ports | Disabled
LLDP | Status | Enabled
ERPS | Status | Disabled
CFM | Status | Enabled
OAM | Status | Disabled
Virtual LANs | Default VLAN | 1
Virtual LANs | PVID | 1
Virtual LANs | Acceptable Frame Type | All
Virtual LANs | Ingress Filtering | Disabled
Virtual LANs | Switchport Mode (Egress Mode) | Hybrid
Virtual LANs | GVRP (global) | Disabled
Virtual LANs | GVRP (port interface) | Disabled
Virtual LANs | QinQ Tunneling | Disab
Table 2: System Defaults (Continued)
Function | Parameter | Default
System Log | Status | Enabled
System Log | Messages Logged to RAM | Levels 0-7 (all)
System Log | Messages Logged to Flash | Levels 0-3
SMTP Email Alerts | Event Handler | Enabled (but no server defined)
SNTP | Clock Synchronization | Disabled
Switch Clustering | Status | Disabled
Switch Clustering | Commander | Disabled
Section II Web Configuration

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
2 Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 9, Mozilla Firefox 39, or Google Chrome 44, or more recent versions).

Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
switch port attached to your management station to fast forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings for STA” on page 222.

Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
Navigating the Web Browser Interface

Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3: Web Page Configuration Buttons
Button | Action
Apply | Sets specified values to the system.
Table 3: Web Page Configuration Buttons (Continued)
Button | Action
 | Displays help for the selected page.
 | Refreshes the current page.
 | Displays the site map.
 | Logs out of the management interface.
 | Sends mail to the vendor.
 | Links to the vendor’s web site.

Panel Display
The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e.
Table 4: Switch Main Menu (Continued)
Menu | Description | Page
Capability | Enables support for jumbo frames; shows the bridge extension parameters | 76, 77
File | | 78
Copy | Allows the transfer and copying files | 78
Automatic Operation Code Upgrade | Automatically upgrades operation code if a newer version is found on the server | 83
Set Startup | Sets the startup file | 82
Show | Shows the files stored in flash memory; allows deletion of
Chart | Shows Interface, Etherlike, and RMON port statistics | 114
History | Shows statistical history for specified interfaces | 119
Transceiver | Shows identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM), and configures thresholds for alarm and warning messages for optical transceivers which support D
Statistics | Shows Interface, Etherlike, and RMON port statistics | 114
Chart | Shows Interface, Etherlike, and RMON port statistics | 114
Load Balance | Sets the load-distribution method among ports in aggregated links | 142
History | Shows statistical history for specified interfaces | 119
 | Adjusts the power provided to ports based on the length of the cable used to connect t
 | Shows the interfaces assigned to a VLAN through GVRP | 175
IEEE 802.
Configure Interface | Enables MAC authentication traps on the current interface | 209
Spanning Tree | | 211
Loopback Detection | Configures Loopback Detection parameters | 213
STA | Spanning Tree Algorithm |
Configure Global | |
Configure | Configures global bridge settings for STP, RSTP and MSTP | 215
Show Information | Displays STA values used for the bridge | 221
Configure Configur
Show | Shows configured class maps | 258
Modify | Modifies the name of a class map | 258
Add Rule | Configures the criteria used to classify ingress traffic | 258
Show Rule | Shows the traffic classification rules for a class map | 258
Configure Policy | | 261
Add | Creates a policy map to apply to multiple interfaces | 261
Show | Shows configured policy maps | 261
Modify | Modifie
Configure Service | Sets the accounting method applied to specific interfaces for 802.
Configure Host Key | | 312
Generate | Generates the host key pair (public and private) | 312
Show | Displays RSA host keys; deletes host keys | 312
Configure User Key | | 313
Copy | Imports user public keys from a TFTP server | 313
Show | Displays RSA user keys; deletes user keys | 313
ACL | Access Control Lists | 315
Configure ACL | | 318
Show TCAM | Shows utilization parameters for T
Configure VLAN | Enables DHCPv6 snooping on a VLAN | 357
Configure Interface | Sets the trust mode for an interface | 358
Show Information | Displays the DHCPv6 Snooping binding information | 359
 | Filters IP traffic based on static entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table | 369
 | Enables IP source guard and selects filter type per port
Remote | Configures the logging of messages to a remote logging process | 394
SMTP | Sends an SMTP client message to a participating server | 396
LLDP | | 397
Configure Global | Configures global LLDP timing parameters | 397
Configure Interface | | 399
Configure General | Sets the message transmission mode; enables SNMP notification; and sets the LLDP attributes to advertise | 399
Ad
Add Community | Configures community strings and access mode | 426
Show Community | Shows community strings and access mode | 426
Add SNMPv3 Local User | Configures SNMPv3 users on this switch | 438
Show SNMPv3 Local User | Shows SNMPv3 users configured on this switch | 438
Change SNMPv3 Local User Group | Assign a local user to a new group | 438
Add SNMPv3 Remote User | Configu
Configure Global | Globally enables clustering for the switch; sets Commander status | 462
Configure Member | Adds switch Members to the cluster | 463
Show Member | Shows cluster switch member; managed switch members | 465
Time Range | Configures the time to apply an ACL | 466
Add | Specifies the name of a time range | 466
Show | Shows the name of configured time ranges | 466
Ad
 | Shows list of configured maintenance end points | 509
 | Configures Remote Maintenance End Points | 511
Add | Configures a static list of remote MEPs for comparison against the MEPs learned through continuity check messages | 511
Show | Shows list of configured remote maintenance end points | 511
Transmit Link Trace | Sends link trace messages to isolate connectivity faults by t
Loopback Detection | | 543
Configure Global | Enables loopback detection globally, specifies the interval at which to transmit control frames, specifies the interval to wait before releasing an interface from shutdown state, specifies response to detect loopback, and traps to send | 544
Configure Interface | Enables loopback detection per interface | 546
Ping | Sends ICMP echo
IP Service | |
DNS | Domain Name Service | 699
General | | 699
Configure Global | Enables DNS lookup; defines the default domain name appended to incomplete host names | 699
Add Domain Name | Defines a list of domain names that can be appended to incomplete host names | 700
Show Domain Names | Shows the configured domain name list | 700
Add Name Server | Specifies IP address of name s
Show VLAN Information | Shows IGMP snooping settings per VLAN interface | 562
Configure Port | Configures the interface to drop IGMP query packets or all multicast data packets | 568
Configure Trunk | Configures the interface to drop IGMP query packets or all multicast data packets | 568
Forwarding Entry | Displays the current multicast groups learned through IGMP Snooping | 569
Configure Profile | | 599
Add | Adds MLD filter profile; and sets access mode | 599
Show | Shows configured MLD filter profiles | 599
Add Multicast Group Range | Assigns multicast groups to selected profile | 599
Show Multicast Group Range | Shows multicast groups assigned to a profile | 599
Query Drop | Configures the interface to drop MLD query packets | 588
Group Information
MVR6 | Multicast VLAN Registration for IPv6 | 620
Configure Global | Configures proxy switching and robustness value | 621
Configure Domain | Enables MVR for a domain, sets the MVR VLAN, forwarding priority, and upstream source IP | 623
Configure Profile | | 624
Add | Configures multicast stream addresses | 624
Show | Shows multicast stream addresses | 624
Associate Profile | | 624
3 Basic Management Tasks

This chapter describes the following topics:
◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Displaying System Information

Use the System > General page to identify the system by displaying information such as the device name, location and contact information.

Parameters
These parameters are displayed:
◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
◆ System Up Time – Length of time the management agent has been up.
Displaying Hardware/Software Versions

Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Parameters
The following parameters are displayed:

Main Board Information
◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
◆ Hardware Version – Hardware version of the main board.
Web Interface
To view hardware and software version information:
1. Click System, then Switch.

Figure 3: General Switch Information

Configuring Support for Jumbo Frames

Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
3. Click Apply.
Figure 4: Configuring Support for Jumbo Frames
Displaying Bridge Extension Capabilities
Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Web Interface
To view Bridge Extension information:
1. Click System, then Capability.
Figure 5: Displaying Bridge Extension Configuration
Managing System Files
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
Copying Files via FTP/SFTP/TFTP or HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, SFTP, TFTP or HTTP.
◆ Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similarly to Secure Copy (SCP), using SSH for user authentication and data encryption. Although the underlying premises of SFTP are similar to SCP, it requires some additional steps to verify the protocol versions and perform security checks.
Note: The file “Factory_Default_Config.cfg” can be copied to a file server or management station, but cannot be used as the destination file name on the switch.
Web Interface
To copy firmware files:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select FTP Upload, HTTP Upload, SFTP or TFTP Upload as the file transfer method.
4. If FTP, SFTP or TFTP Upload is used, enter the IP address of the file server.
5.
Saving the Running Configuration to a Local File
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can be subsequently set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
Setting the Start-up File
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
Web Interface
To set a file to use for system initialization:
1. Click System, then File.
2. Select Set Start-Up from the Action list.
3.
Figure 9: Displaying System Files
Automatic Operation Code Upgrade
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
etc.) are case-sensitive, meaning that two files in the same directory, ecs4100series.bix and ECS4100-Series.bix are considered to be unique files. Thus, if the upgrade file is stored as ECS4100-Series.bix (or even EcS2100-Series.bix) on a case-sensitive server, then the switch (requesting ecs2100-series.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
■ filedir – Defines the directory, relative to the TFTP server root, where the upgrade file can be found. Nested directory structures are accepted.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented:
■ ftp://192.168.0.1/
  The user name and password are empty, so “anonymous” will be the user name and the password will be blank. The image file is in the FTP root directory.
■ ftp://switches:upgrade@192.168.0.1/
  The user name is “switches” and the password is “upgrade”.
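The URL rules above (dotted-quad host, optional FTP user name and password, directory relative to the server root) and the file name case-sensitivity caveat can be checked before a URL is entered on the switch. The Python below is an added example, not Edgecore code; the function names, the finding texts and the sample file names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# URL shapes taken from the guide's text and examples:
#   tftp://host[/filedir]/   and   ftp://[user[:password]@]host[/filedir]/
_URL = re.compile(
    r"^(?P<scheme>tftp|ftp)://"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^/@:]+)"
    r"(?P<filedir>(?:/[^/]+)*)/?$"
)


@dataclass
class UpgradeUrl:
    scheme: str
    host: str
    user: str
    password: str
    filedir: str  # "" means the server root directory
    findings: list = field(default_factory=list)

    @property
    def errors(self):
        return [f for f in self.findings if f.startswith("ERROR")]


def _is_dotted_quad(host):
    """Four decimal numbers, each 0 to 255, separated by periods."""
    parts = host.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    )


def parse_upgrade_url(url):
    """Split an upgrade URL and list what an administrator should review."""
    m = _URL.match(url)
    if m is None:
        raise ValueError(f"not a tftp:// or ftp:// upgrade URL: {url!r}")
    scheme, host = m["scheme"], m["host"]
    user, password = m["user"], m["password"] or ""
    findings = []
    if not _is_dotted_quad(host):
        findings.append("ERROR host must be a dotted-quad IPv4 address; "
                        "DNS host names are not recognized")
    if scheme == "tftp":
        if user is not None:
            findings.append("ERROR TFTP URLs carry no user name or password")
        findings.append("WARN TFTP has no authentication or encryption; "
                        "limit who can reach and write to the server")
        user, password = "", ""
    elif not user:
        # Empty credentials: the switch logs in as anonymous, blank password.
        user, password = "anonymous", ""
        findings.append("INFO anonymous FTP login with a blank password")
    elif password:
        findings.append("WARN FTP sends this user name and password "
                        "unencrypted; use an account limited to image files")
    return UpgradeUrl(scheme, host, user, password, m["filedir"], findings)


def case_only_mismatches(requested, stored_names):
    """Names that differ from the requested file only by letter case.

    On a case-sensitive server these files exist but are never served,
    so the upgrade silently does not happen.
    """
    if requested in stored_names:
        return []
    return [n for n in stored_names if n.lower() == requested.lower()]


if __name__ == "__main__":
    for url in ("ftp://192.168.0.1/",
                "ftp://switches:upgrade@192.168.0.1/",
                "tftp://fileserver.example/images/"):   # constructed sample
        parsed = parse_upgrade_url(url)
        print(url, "->", parsed.user or "-", parsed.filedir or "/")
        for finding in parsed.findings:
            print("   ", finding)
    # Constructed file names, not the switch's real image name.
    print(case_only_mismatches("example-image.bix",
                               ["Example-Image.bix", "readme.txt"]))
```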
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.2.1.3; new version 1.2.1.6
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
◆ Year – Sets the year. (Range: 1970-2037)
Web Interface
To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5.
5. Click Apply.
Figure 12: Setting the Polling Interval for SNTP
Configuring NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
Parameters
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 13: Configuring NTP
Configuring Time Servers
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
Specifying SNTP Time Servers
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 14: Specifying SNTP Time Servers
Specifying NTP Time Servers
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.
Parameters
The following parameters are displayed:
◆ NTP Server IP Address – Sets the IPv4 address for up to three time servers.
Figure 15: Adding an NTP Time Server
To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.
Figure 16: Showing the NTP Time Server List
Specifying NTP Authentication Keys
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Web Interface
To add an entry to NTP authentication key list:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.
Figure 17: Adding an NTP Authentication Key
To show the list of configured NTP authentication keys:
1. Click System, then Time.
2.
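How an index number and MD5 key from this list are used on the wire: under NTP symmetric-key authentication (RFC 5905) the sender appends the key ID and an MD5 digest computed over the key followed by the packet header, and the receiver recomputes the digest with the key it holds under the same index. The Python below is an added example, not the switch's code; the key values, the sample header, the status strings and the treatment of the key string as raw ASCII bytes are assumptions.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header (no extension fields in this example)
MAC_LEN = 4 + 16       # 32-bit key ID followed by a 128-bit MD5 digest

# Constructed sample data (not taken from the guide or from a real network).
SAMPLE_KEYS = {1: b"constructed-key-one", 2: b"constructed-key-two"}
# LI=0, VN=4, Mode=4 (server) -> 0x24; stratum 2; poll 6; precision -20.
# The remaining 44 bytes (delays, reference ID, timestamps) are zeroed.
SAMPLE_HEADER = struct.pack("!BBbb", 0x24, 2, 6, -20) + bytes(44)


def md5_digest(key, header):
    """Digest over the key followed by the header, as in RFC 5905."""
    return hashlib.md5(key + header).digest()


def add_mac(header, key_id, keys):
    """What an authenticating time server sends: header + key ID + digest."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + md5_digest(keys[key_id], header)


def check_packet(packet, keys):
    """Classify a received packet against the local authentication key list.

    Returns one of: "ok", "unauthenticated", "unknown-key", "bad-mac",
    "malformed". A client configured to authenticate a server should accept
    only "ok"; treating "unauthenticated" as acceptable would let a spoofed
    reply through simply by leaving the MAC off.
    """
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed"
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    received = packet[HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return "unknown-key"          # index not present in the local list
    expected = md5_digest(key, header)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(received, expected):
        return "bad-mac"              # wrong key string or altered header
    return "ok"


if __name__ == "__main__":
    good = add_mac(SAMPLE_HEADER, 1, SAMPLE_KEYS)
    altered = bytearray(good)
    altered[1] = 1                    # stratum changed in transit
    for label, pkt, keys in (
        ("matching key", good, SAMPLE_KEYS),
        ("header altered", bytes(altered), SAMPLE_KEYS),
        ("index missing locally", good, {2: SAMPLE_KEYS[2]}),
        ("key string differs", good, {1: b"some-other-string"}),
        ("MAC stripped", SAMPLE_HEADER, SAMPLE_KEYS),
    ):
        print(f"{label:24s} {check_packet(pkt, keys)}")
```

The index and the key string must both match on the switch and on the time server; a mismatch in either shows up as "unknown-key" or "bad-mac" rather than as a time error.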
Setting the Time Zone
Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Figure 19: Setting the Time Zone
Configuring Summer Time
Use the Summer Time page to set the system clock forward during the summer months (also known as daylight savings time). In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Table 5: Predefined Summer-Time Parameters
Region | Start Time, Day, Week, & Month | End Time, Day, Week, & Month
Australia | 00:00:00, Sunday, Week 5 of October | 23:59:59, Sunday, Week 5 of March | 60 min
Europe | 00:00:00, Sunday, Week 5 of March | 23:59:59, Sunday, Week 5 of October | 60 min
New Zealand | 00:00:00, Sunday, Week 1 of October | 23:59:59, Sunday, Week 3 of March
USA | 02:00:00, Sunday, Week 2 of March Rel.
Figure 20: Configuring Summer Time
Configuring the Console Port
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
per character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)
◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
◆ Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None.
Configuring Telnet Settings
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.
Web Interface
To configure parameters for the console port:
1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.
Figure 23: Displaying CPU Utilization
Configuring CPU Guard
Use the System > CPU Guard page to set the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second.
Parameters
The following parameters are displayed:
◆ CPU Guard Status – Enables CPU Guard.
◆ Trap Status – If enabled, an alarm message will be generated when utilization exceeds the high watermark or exceeds the maximum threshold. (Default: Disabled)
  Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered.
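The alarm behaviour described for Trap Status, worked through on a utilization trace and compared with a single-threshold alarm that would fire on every upward crossing. The Python below is an added example, not the switch's implementation; the function names, the watermark values 90 and 70, and the trace are constructed for illustration and are not the switch's defaults.

```python
def watermark_events(samples, high, low):
    """Alarm events under the high/low watermark rule described above.

    An alarm is raised when a sample exceeds `high`. It is terminated only
    when a later sample drops beneath `low`, and no further alarm can be
    raised until that has happened. A sample equal to a watermark neither
    raises nor clears, following the wording "exceeds" and "drop beneath".
    """
    if low >= high:
        raise ValueError("low watermark must be below high watermark")
    events, alarmed = [], False
    for index, value in enumerate(samples):
        if not alarmed and value > high:
            alarmed = True
            events.append((index, "raise"))
        elif alarmed and value < low:
            alarmed = False
            events.append((index, "clear"))
    return events


def single_threshold_raises(samples, threshold):
    """For comparison: one alarm per upward crossing of a single threshold."""
    raises, above = [], False
    for index, value in enumerate(samples):
        now_above = value > threshold
        if now_above and not above:
            raises.append(index)
        above = now_above
    return raises


# Constructed utilization trace (percent) hovering around the high watermark.
CONSTRUCTED_TRACE = [50, 91, 89, 92, 88, 93, 60, 95]

if __name__ == "__main__":
    print("with watermarks :", watermark_events(CONSTRUCTED_TRACE, 90, 70))
    print("single threshold:", single_threshold_raises(CONSTRUCTED_TRACE, 90))
```

A monitoring station that sees one alarm and no further messages should therefore read it as "still above the low watermark", not as "recovered".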
Web Interface
To display memory utilization:
1. Click System, then Memory Status.
Figure 25: Displaying Memory Utilization
Resetting the System
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
Command Usage
◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test.
■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.)
  ■ hours – The number of hours, combined with the minutes, before the switch resets. (Range: 0-576)
  ■ minutes – The number of minutes, combined with the hours, before the switch resets. (Range: 0-59)
■ At – Specifies a time at which to reload the switch.
  ■ DD - The day of the month at which to reload.
Figure 26: Restarting the Switch (Immediately)
Figure 27: Restarting the Switch (In)
Figure 28: Restarting the Switch (At)
Figure 29: Restarting the Switch (Regularly)
Using Cloud Management
Use the System > Cloud Manage page to enable the cloud management agent on the switch. The Edgecore ecCLOUD Controller is a cloud-based network service available from anywhere through a web-browser interface. The switch can be managed by the ecCLOUD controller once you have set up an account and registered the device on the system. By default, the cloud management agent is disabled on the switch.
4 Interface Configuration
This chapter describes the following topics:
◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form.
◆ Displaying Statistical History – Displays statistical history for the specified interfaces.
Chapter 4 | Interface Configuration
Port Configuration
This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.
Configuring by Port List
Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
◆ Media Type – Configures the forced transceiver mode for SFP/SFP+ ports.
  ■ None - Forced transceiver mode is not used for SFP/SFP+ ports.
  ■ Copper-Forced - Always uses the RJ-45 port. (Only applies to combination RJ-45/SFP ports 9-10 on the ECS4100-12T / ECS4100-12T v2.)
  ■ SFP-Forced 1000SFP - Always uses the SFP/SFP+ port at 1000 Mbps, Full Duplex.
  ■ SFP-Forced 100FX - Always uses the SFP port at 100 Mbps, Full Duplex.
◆ Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled)
◆ Flow Control – Allows automatic or manual selection of flow control, i.e. with auto-negotiation disabled. (Default: Disabled)
◆ Link Up Down Trap – Issues a notification message whenever a port link is established or broken. (Default: Enabled)
Web Interface
To configure port connection parameters:
1.
Configuring by Port Range
Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Parameters
Except for the trap command, refer to “Configuring by Port List” on page 110 for more information on command usage and a description of the parameters.
◆ Name – Interface label.
◆ Admin – Shows if the port is enabled or disabled.
◆ Oper Status – Indicates if the link is Up or Down.
◆ Shutdown Reason – Shows the reason this interface has been shut down if applicable. Some of the reasons for shutting down an interface include being administratively disabled, or exceeding traffic boundary limits set by auto traffic control.
◆ Media Type – Shows the forced transceiver mode for SFP/SFP+ ports.
faulty port or unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port. All values displayed have been accumulated since the last system reboot, and are shown as counts per second. Statistics are refreshed every 60 seconds by default.
Note: RMON groups 2, 3 and 9 can only be accessed using SNMP management software.
Table 6: Port Statistics (Continued)
Parameter | Description
Etherlike Statistics
Single Collision Frames | The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.
Multiple Collision Frames | A count of successfully transmitted frames for which transmission is inhibited by more than one collision.
Table 6: Port Statistics (Continued)
Parameter | Description
Oversize Packets | The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
64 Bytes Packets | The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Figure 34: Showing Port Statistics (Table)
To show a chart of port statistics:
1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Figure 35: Showing Port Statistics (Chart)
Displaying Statistical History
Use the Interface > Port > History or Interface > Trunk > History page to display statistical history for the specified interfaces.
Command Usage
◆ For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 114.
◆ To configure statistical history sampling, use the “Displaying Statistical History” on page 119.
◆ History Name – Name of sample interval. (Range: 1-32 characters)
◆ Interval - The interval for sampling statistics. (Range: 1-86400 minutes)
◆ Requested Buckets - The number of samples to take. (Range: 1-96)
Show
◆ Port – Port number. (Range: 1-12/26/28/52)
◆ History Name – Name of sample interval. (Default settings: 15min, 1day)
◆ Interval - The interval for sampling statistics.
◆ Requested Buckets - The number of samples to take.
Figure 36: Configuring a History Sample
To show the configured entries for a history sample:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show from the Action menu.
3. Select an interface from the Port or Trunk list.
Figure 37: Showing Entries for History Sampling
To show the configured parameters for a sampling entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2.
Figure 38: Showing Status of Statistical History Sample
To show statistics for the current interval of a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
To show ingress or egress traffic statistics for a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) provides information on transceiver parameters.
Web Interface
To display identifying information and functional parameters for optical transceivers:
1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) provides information on transceiver parameters.
■ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
■ Trap messages configured by this command are sent to any management station configured as an SNMP trap manager using the Administration > SNMP (Configure Trap) page.
◆ Cable diagnostics can only be performed on twisted-pair media.
◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long.
◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length to a fault.
◆ Potential conditions which may be listed by the diagnostics include those listed below.
Web Interface
To test the cable attached to a port:
1. Click Interface, Port, Cable Test.
2. Click Test for any port to start the cable test.
Figure 43: Performing Cable Tests
Trunk Configuration
This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
Command Usage
Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
Command Usage
◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.
Figure 46: Adding Static Trunks Members
To configure connection parameters for a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3.
To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.
Note: If the LACP admin key is not set when a channel group is formed (i.e.
When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.
◆ System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
◆ System MAC Address – The device MAC address assigned to each trunk.
■ If an LAG already exists with the maximum number of allowed port members, and LACP is subsequently enabled on another port using a higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.
6. Click Apply.
Figure 51: Enabling LACP on a Port
To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
Figure 52: Configuring LACP Parameters on a Port
To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2.
Figure 53: Showing Members of a Dynamic Trunk
To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Configure from the Action list.
4. Modify the required interface settings. (See “Configuring by Port List” on page 110 for a description of the interface settings.)
5. Click Apply.
To show connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.
Figure 55: Showing Connection Parameters for Dynamic Trunks
Displaying LACP Port Counters
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
5. Select a group member from the Port list.
Figure 56: Displaying LACP Port Counters
Displaying LACP Settings and Status for the Local Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 8: LACP Internal Configuration Information (Continued)
Parameter Description
Admin State, Oper State (continued)
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link.
Displaying LACP Settings and Status for the Remote Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Parameters
These parameters are displayed:
Table 9: LACP Remote Device Configuration Information
Parameter Description
Partner Admin System LAG partner’s system ID assigned by the user.
Figure 58: Displaying LACP Port Remote Information
Configuring Load Balancing
Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source IP Address: All traffic with the same source IP address is output on the same link in a trunk.
Saving Power
Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Enabled on Gigabit Ethernet RJ-45 ports)
Web Interface
To enable power savings:
1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
3. Click Apply.
(remote port mirroring as described in “Configuring Remote Port Mirroring” on page 147).
◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to target port specified for port mirroring.
To display the configured mirror sessions:
1. Click Interface, Port, Mirror.
2. Select Show from the Action List.
Figure 63: Displaying Local Port Mirror Sessions
Configuring Remote Port Mirroring
Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
Command Usage
◆ Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in “Configuring Local Port Mirroring” on page 145), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
◆ Configuration Guidelines
  Take the following steps to configure an RSPAN session:
  1.
■ MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be restarted on the RSPAN uplink ports.
■ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.
to an RSPAN VLAN. Also, note that the VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
◆ Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both)
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports.
Figure 66: Configuring Remote Port Mirroring (Intermediate)
Figure 67: Configuring Remote Port Mirroring (Destination)
Sampling Traffic Flows
The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
Note: The terms “collector”, “receiver” and “owner”, in the context of this chapter, all refer to a remote server capable of receiving the sFlow datagrams generated by the sFlow agent of the switch.

As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created.
used to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Receiver Socket Port2 – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 1-65534)
◆ Maximum Datagram Size – Maximum size of the sFlow datagram payload. (Range: 200-1500 bytes)
◆ Datagram Version – Sends either v4 or v5 sFlow datagrams to the receiver.

Web Interface
To configure an sFlow receiver:
1.
Figure 69: Showing sFlow Receivers

Configuring an sFlow Polling Instance
Use the Interface > sFlow (Configure Details – Add) page to enable an sFlow polling data source that polls periodically based on a specified time interval, or an sFlow data source instance that takes samples periodically based on the number of packets processed.

Parameters
These parameters are displayed in the web interface:
◆ Receiver Owner Name – The name of the receiver.
5. Click Apply.

Figure 70: Configuring an sFlow Instance

Web Interface
To show configured instances:
1. Click Interface, sFlow.
2. Select Configure Details from the Step list.
3. Select Show from the Action list.
4. Select the owner name from the scroll-down list.
5. Select sFlow type as Sampling or Polling.
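Added example (not from the Edge-Core guide): a collector-side check, in Python, that a received UDP payload is a well-formed sFlow v5 datagram no larger than the configured Maximum Datagram Size, counting flow samples (from Sampling instances) and counter samples (from Polling instances). The header layout follows the public sFlow version 5 specification; the function names, the treatment of the size limit as the UDP payload length, and the sample datagram are assumptions made for illustration.

```python
import ipaddress
import struct

# Range of the "Maximum Datagram Size" receiver parameter on this page.
SIZE_RANGE = (200, 1500)

# sFlow v5 sample formats defined under enterprise 0.
FLOW_FORMATS = {1, 3}      # flow sample, expanded flow sample
COUNTER_FORMATS = {2, 4}   # counters sample, expanded counters sample


class DatagramError(ValueError):
    """Raised when a payload is not an acceptable sFlow v5 datagram."""


def parse_sflow_v5(payload, max_size=1500):
    """Validate one UDP payload and summarise the samples it carries."""
    if not SIZE_RANGE[0] <= max_size <= SIZE_RANGE[1]:
        raise ValueError("max_size is outside the switch's 200-1500 range")
    if len(payload) > max_size:
        raise DatagramError("payload exceeds configured maximum datagram size")
    if len(payload) < 8:
        raise DatagramError("truncated header")

    version, addr_type = struct.unpack_from("!II", payload, 0)
    if version != 5:
        raise DatagramError(f"unsupported datagram version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)   # 1 = IPv4 agent, 2 = IPv6 agent
    if addr_len is None:
        raise DatagramError(f"unknown agent address type {addr_type}")

    offset = 8
    if len(payload) < offset + addr_len + 16:
        raise DatagramError("truncated header")
    agent = ipaddress.ip_address(bytes(payload[offset:offset + addr_len]))
    offset += addr_len
    sub_agent, sequence, uptime_ms, n_samples = struct.unpack_from(
        "!IIII", payload, offset)
    offset += 16

    counts = {"flow": 0, "counter": 0, "other": 0}
    for _ in range(n_samples):
        # Every sample is a (tag, length) pair followed by `length` bytes.
        if len(payload) - offset < 8:
            raise DatagramError("sample header runs past end of datagram")
        tag, length = struct.unpack_from("!II", payload, offset)
        offset += 8
        if length > len(payload) - offset:
            raise DatagramError("sample length runs past end of datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        if enterprise == 0 and fmt in FLOW_FORMATS:
            counts["flow"] += 1
        elif enterprise == 0 and fmt in COUNTER_FORMATS:
            counts["counter"] += 1
        else:
            counts["other"] += 1
        offset += length
    if offset != len(payload):
        raise DatagramError("unexpected bytes after the last sample")

    return {
        "agent": str(agent),
        "sub_agent": sub_agent,
        "sequence": sequence,
        "uptime_ms": uptime_ms,
        "flow_samples": counts["flow"],
        "counter_samples": counts["counter"],
        "other_samples": counts["other"],
    }


def constructed_datagram():
    """Constructed test input: one flow and one counter sample, zero-filled."""
    header = struct.pack("!II4sIIII", 5, 1,
                         ipaddress.ip_address("192.0.2.10").packed,
                         0, 42, 60000, 2)
    flow = struct.pack("!II", 1, 8) + bytes(8)
    counters = struct.pack("!II", 2, 4) + bytes(4)
    return header + flow + counters


if __name__ == "__main__":
    print(parse_sflow_v5(constructed_datagram()))
```

Gaps in the returned sequence number per agent indicate datagrams lost between the switch and the collector.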
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 72: Enabling Traffic Segmentation

Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

Parameters
These parameters are displayed:
◆ Session ID – Traffic segmentation session. (Range: 1-4)
◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink)
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.
To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Show from the Action list.

Figure 74: Showing Traffic Segmentation Members

Excluded VLAN
Excluded VLANs provide port-based security and isolation between ports within an assigned session.
Parameters
These parameters are displayed:
◆ Session ID – Excluded VLAN session. (Range: 1-4)
◆ Direction – Add an interface to the session by setting the direction to Uplink or Downlink. (Default: Downlink)
◆ VLAN – Specifies a VLAN ID. (Range: 1-4094)
◆ VLAN Mask – Specifies a binary bitmask that is applied to the VLAN ID to define a range of VLANs.
Figure 75: Configuring Excluded VLANs

To display the configured excluded VLAN sessions:
1. Click Interface, Excluded VLAN.
2. Select Show from the Action list.

Figure 76: Displaying Excluded VLANs

VLAN Trunking
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
Figure 77: VLAN Trunking

Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
3. Enable VLAN trunking on any of the ports or on a trunk.
4. Click Apply.
5 VLAN Configuration

This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
◆ L2PT Tunneling – Configures Layer 2 Protocol Tunneling for the specified protocol.
◆ Protocol VLANs3 – Configures VLAN groups based on specified protocols.
Chapter 5 | VLAN Configuration IEEE 802.1Q VLANs groups (such as e-mail), or multicast groups (used for multimedia applications such as video conferencing). VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.
Figure 79: VLAN Compliant and VLAN Non-compliant Devices (legend: VA = VLAN Aware, VU = VLAN Unaware; links carry tagged or untagged frames)

VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.

Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs” on page 171). But you can still enable GVRP on these edge switches, as well as on the core switches in the network.
Configuring VLAN Groups
Use the VLAN > Static (Add) page to create or remove VLAN groups, set administrative status, or specify Remote VLAN type (see “Configuring Remote Port Mirroring” on page 147). To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.

Parameters
These parameters are displayed:
Add
◆ VLAN ID – ID of VLAN or range of VLANs (1-4094).
Web Interface
To create VLAN groups:
1. Click VLAN, Static.
2. Select Add from the Action list.
3. Enter a VLAN ID or range of IDs.
4. Check Status to configure the VLAN as operational.
5. Specify whether the VLANs are to be used for remote port mirroring.
6. Click Apply.

Figure 81: Creating Static VLANs

To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3.
6. Click Apply.

Figure 82: Modifying Settings for Static VLANs

To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.

Figure 83: Showing Static VLANs

Adding Static Members to VLANs
Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
◆ Port – Port Identifier. (Range: 1-12/26/28/52)
◆ Trunk – Trunk Identifier. (Range: 1-16)
◆ Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid)
  ■ Access – Sets the port to operate as an untagged interface. The port transmits and receives untagged frames on a single VLAN only.
  ■ Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
  ■ Untagged: Interface is a member of the VLAN. All packets transmitted by the port will be untagged, that is, not carry a tag and therefore not carry VLAN or CoS information. Note that an interface must be assigned to at least one group as an untagged port.
  ■ Forbidden: Interface cannot be included as a member of the VLAN, either manually or via GVRP. For more information, see “Configuring Dynamic VLAN Registration” on page 175.
5. Modify the settings for any interface as required.
6. Click Apply.

Figure 84: Configuring Static Members by VLAN Index

To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.
Configure Interface
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-12/26/28/52)
◆ Trunk – Trunk Identifier. (Range: 1-16)
◆ GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect (using the Configure General page).
Web Interface
To configure GVRP on the switch:
1. Click VLAN, Dynamic.
2. Select Configure General from the Step list.
3. Enable or disable GVRP.
4. Click Apply.

Figure 87: Configuring Global Status of GVRP

To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
2. Select Configure Interface from the Step list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the GVRP status or timers for any interface.
5.
To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.

Figure 89: Showing Dynamic VLANs Registered on the Switch

To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.
IEEE 802.1Q Tunneling
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
◆ Untagged
◆ One tag (CVLAN or SPVLAN)
◆ Double tag (CVLAN + SPVLAN)

The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
1.
Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 171).

Enabling QinQ Tunneling on the Switch
Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network.
Figure 92: Enabling QinQ Tunneling

Creating CVLAN to SPVLAN Mapping Entries
Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.

Command Usage
◆ The inner VLAN tag of a customer packet entering the edge router of a service provider’s network is mapped to an outer tag indicating the service provider VLAN that will carry this traffic across the 802.1Q tunnel.
Web Interface
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.

Figure 93: Configuring CVLAN to SPVLAN Mapping Entries

To show the mapping table:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3.
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide.

Adding an Interface to a QinQ Tunnel
Follow the guidelines under "Enabling QinQ Tunneling on the Switch" in the preceding section to set up a QinQ tunnel on the switch.
4. Click Apply.

Figure 95: Adding an Interface to a QinQ Tunnel

L2PT Tunneling
When Layer 2 Protocol Tunneling (L2PT) is not used, protocol packets (e.g., STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports. This creates disconnected protocol domains in the customer’s network.
Processing protocol packets defined in IEEE 802.1ad – Provider Bridges
◆ When an IEEE 802.1ad protocol packet is received on an uplink port (i.e., an 802.1Q tunnel ingress port connecting the edge switch to the service provider network)
  ■ with the destination address 01-80-C2-00-00-00,0B~0F (C-VLAN tag), it is forwarded to all QinQ uplink ports and QinQ access ports in the same SVLAN for which L2PT is enabled for that protocol.
GBPT protocol packet (i.e., setting the destination address to 01-00-0C-CD-CD-D0).
  ■ L2PT is disabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is disabled, and (b) all uplink ports.
  ■ recognized as a GBPT protocol packet (i.e.
Figure 96: Configuring the L2PT Tunnel Address

Enabling L2PT for Selected Interfaces
Use the VLAN > L2PT (Configure Interface) page to enable Layer 2 Protocol Tunneling on selected interfaces.

Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier.
Figure 97: Enabling L2PT on Required Interfaces

Protocol VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Configuring Protocol VLAN Groups
Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

Parameters
These parameters are displayed:
◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw.
Figure 98: Configuring Protocol VLANs

To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.

Figure 99: Displaying Protocol VLANs

Mapping Protocol Groups to Interfaces
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
  ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
  ■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-12/26/28/52)
◆ Trunk – Trunk Identifier.
Figure 100: Assigning Interfaces to Protocol VLANs

To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.

Figure 101: Showing the Interface to Protocol Group Mapping

Configuring IP Subnet VLANs
Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
Command Usage
◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. The specified VLAN need not be an existing VLAN.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
Web Interface
To map an IP subnet to a VLAN:
1. Click VLAN, IP Subnet.
2. Select Add from the Action list.
3. Enter an address in the IP Address field.
4. Enter a mask in the Subnet Mask field.
5. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured.
6. Enter a value to assign to untagged frames in the Priority field.
7. Click Apply.
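Added example (not from the Edge-Core guide): a Python model of the IP subnet-to-VLAN lookup described above, for checking which VLAN an untagged frame lands in before a mapping is applied, and for listing entries whose subnets overlap with different VLANs. The class and function names are hypothetical, the sample table is constructed, and choosing the most specific subnet when entries overlap is an assumption, since this section does not state how the switch resolves overlaps.

```python
import ipaddress


class SubnetVlanTable:
    """Model of an IP subnet-to-VLAN mapping table (IPv4)."""

    def __init__(self):
        self._entries = {}  # IPv4Network -> (vlan_id, priority)

    def add(self, address, mask, vlan, priority=0):
        """Add one entry, as entered in the IP Address / Subnet Mask / VLAN fields."""
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be in the range 1-4094")
        # strict=False accepts an address with host bits set, e.g. 192.168.5.1/24.
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        existing = self._entries.get(net)
        if existing is not None and existing[0] != vlan:
            # "Each IP subnet can be mapped to only one VLAN ID."
            raise ValueError(f"{net} is already mapped to VLAN {existing[0]}")
        self._entries[net] = (vlan, priority)

    def classify(self, src_ip, pvid):
        """Return (vlan, priority) for an untagged frame from src_ip.

        When no entry matches, the receiving port's PVID is used and the
        priority is None (no table entry supplied one).
        """
        ip = ipaddress.ip_address(src_ip)
        hits = [(net, val) for net, val in self._entries.items() if ip in net]
        if not hits:
            return pvid, None
        # Assumption: the most specific (longest-prefix) subnet wins.
        _, (vlan, priority) = max(hits, key=lambda hit: hit[0].prefixlen)
        return vlan, priority

    def overlapping(self):
        """List pairs of overlapping subnets that map to different VLANs."""
        nets = sorted(self._entries,
                      key=lambda n: (int(n.network_address), n.prefixlen))
        pairs = []
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b) and self._entries[a][0] != self._entries[b][0]:
                    pairs.append((str(a), str(b)))
        return pairs


def constructed_table():
    """Constructed sample: a /16 for VLAN 10 with a /24 carved out for VLAN 20."""
    table = SubnetVlanTable()
    table.add("192.168.0.0", "255.255.0.0", vlan=10, priority=0)
    table.add("192.168.5.0", "255.255.255.0", vlan=20, priority=3)
    return table


if __name__ == "__main__":
    table = constructed_table()
    for host in ("192.168.5.7", "192.168.9.1", "10.0.0.1"):
        print(host, table.classify(host, pvid=1))
    print("overlaps:", table.overlapping())
```

Because the lookup keys on the source address carried in the frame, the result reflects what a host claims as its address; the overlap list shows where one entry silently carves hosts out of another VLAN.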
Configuring MAC-based VLANs
Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
Web Interface
To map a MAC address to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Add from the Action list.
3. Enter an address in the MAC Address field, and a mask to indicate a range of addresses if required.
4. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
5. Enter a value to assign to untagged frames in the Priority field.
6. Click Apply.
Configuring VLAN Translation
Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.

Command Usage
◆ QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network.
Web Interface
To configure VLAN translation:
1. Click VLAN, Translation.
2. Select Add from the Action list.
3. Select a port, and enter the original and new VLAN IDs.
4. Click Apply.

Figure 107: Configuring VLAN Translation

To show the mapping entries for VLAN translation:
1. Click VLAN, Translation.
2. Select Show from the Action list.
3. Select a port.
6 Address Table Settings

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

This chapter describes the following topics:
◆ Dynamic Address Cache – Shows dynamic entries in the address table.
Chapter 6 | Address Table Settings Clearing the Dynamic Address Table

◆ Life Time – Shows the time to retain the specified address.

Web Interface
To show the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Show Dynamic MAC from the Action list.
3. Select the Sort Key (MAC Address, VLAN, or Interface).
4. Enter the search parameters (MAC Address, VLAN, or Interface).
5. Click Query.
Chapter 6 | Address Table Settings Changing the Aging Time

Web Interface
To clear the entries in the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Clear Dynamic MAC from the Action list.
3. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
4. Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface.
5. Click Clear.
4. Specify a new aging time.
5. Click Apply.

Figure 111: Setting the Address Aging Time

Configuring MAC Address Learning
Use the MAC Address > Learning Status page to enable or disable MAC address learning on an interface.

Command Usage
◆ When MAC address learning is disabled, the switch immediately stops learning new MAC addresses on the specified interface.
Chapter 6 | Address Table Settings Setting Static Addresses

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-12/26/28/52)
◆ Trunk – Trunk Identifier. (Range: 1-16)
◆ Status – The status of MAC address learning. (Default: Enabled)

Web Interface
To enable or disable MAC address learning:
1. Click MAC Address, Learning Status.
2. Set the learning status for any interface.
3. Click Apply.
◆ Static addresses will not be removed from the address table when a given interface link is down.
◆ A static address cannot be learned on another port until the address is removed from the table.

Parameters
These parameters are displayed:
Add Static Address
◆ VLAN – ID of configured VLAN. (Range: 1-4094)
◆ Interface – Port or trunk associated with the device assigned a static address.
Figure 113: Configuring Static MAC Addresses

To show the static addresses in MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.

Figure 114: Displaying Static MAC Addresses

Issuing MAC Address Traps
Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed.
◆ MAC Notification Trap – Enables MAC authentication traps on the current interface. (Default: Disabled) MAC authentication traps must be enabled at the global level for this attribute to take effect.

Web Interface
To enable MAC address traps at the global level:
1. Click MAC Address, MAC Notification.
2. Select Configure Global from the Step list.
3. Configure MAC notification traps and the transmission interval.
4. Click Apply.
7 Spanning Tree Algorithm

This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Chapter 7 | Spanning Tree Algorithm Overview

Figure 117: STP Root Ports and Designated Ports (labels: Designated Root, Designated Bridge, Designated Port, Root Port)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Chapter 7 | Spanning Tree Algorithm Configuring Loopback Detection An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 229). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
Note: Loopback detection will not be active if Spanning Tree is disabled on the switch.

Note: When configured for manual release mode, then a link down/up event will not release the port from the discarding state.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Status – Enables loopback detection on this interface.
Figure 120: Configuring Port Loopback Detection

Configuring Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.

Command Usage
◆ Spanning Tree Protocol5 This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
  ■ RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
◆ Multiple Spanning Tree Protocol MSTP generates a unique spanning tree for each instance.
◆ BPDU Flooding – Configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port.
  ■ To VLAN: Floods BPDUs to all other ports within the receiving port’s native VLAN (i.e., as determined by port’s PVID). This is the default.
  ■ To All: Floods BPDUs to all other ports on the switch.
to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
  ■ Default: 20
  ■ Minimum: The higher of 6 or [2 x (Hello Time + 1)]
  ■ Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
◆ Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding).
Web Interface
To configure global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes. Note that the parameters displayed for the spanning tree types (STP, RSTP, MSTP) vary as described in the preceding section.
5.
Figure 122: Configuring Global Settings for STA (RSTP)
Figure 123: Configuring Global Settings for STA (MSTP)
Displaying Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
Figure 124: Displaying Global Settings for STA

Configuring Interface Settings for STA
Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
◆ Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost takes precedence over port priority.
If the path cost of i1 on SW2 is never configured/changed, it is 10000. Then the root path cost for i2 on SW3 used to compete for the role of root port is 10000 + path cost of i2 on SW3. The path cost of i1 on SW3 is also 10000 if not configured/changed.
An interface cannot function as an edge port under the following conditions:
  ■ If spanning tree mode is set to STP (page 215), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  ■ If loopback detection is enabled (page 213) and a loopback BPDU is detected, the interface cannot function as an edge port until the loopback state is released.
Chapter 7 | Spanning Tree Algorithm Displaying Interface Settings for STA

◆ TC Propagate Stop – Stops the propagation of topology change notifications (TCN). (Default: Disabled)

Web Interface
To configure interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes.
5. Click Apply.
  ■ Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  ■ Forwarding - Port forwards packets, and continues learning addresses.

The rules defining port status are:
  ■ A port on a network segment with no other STA compliant bridging device is always forwarding.
bridge ports, or LANs fail or are removed. The role is set to disabled (i.e., disabled port) if a port has no role within the spanning tree.

Figure 127: STA Port Roles (legend: R = Root Port, A = Alternate Port, D = Designated Port, B = Backup Port)

Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Figure 128: Displaying Interface Settings for STA

Configuring Multiple Spanning Trees
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

Command Usage
MSTP generates a unique spanning tree for each instance.
Note: All VLANs are automatically added to the IST (Instance 0).

To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.

Parameters
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Range: 0-4094)
◆ VLAN ID – VLAN to assign to this MST instance. (Range: 1-4094)
◆ Priority – The priority of a spanning tree instance.
To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.

Figure 130: Displaying MST Instances

To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
4. Select an MST ID.

The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 221.

Figure 132: Displaying Global Settings for an MST Instance

To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5.
To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.

Figure 134: Displaying Members of an MST Instance

Configuring Interface Settings for MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
8 Congestion Control

The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
Chapter 8 | Congestion Control
Storm Control

◆ Resolution – Indicates the resolution at which the rate can be configured.

Web Interface
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required interface.
4. Set the rate limit for required interfaces.
5. Click Apply.
◆ Rate limits set by the storm control function are also used by automatic storm control when the control response is set to rate control on the Auto Traffic Control (Configure Interface) page.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these features on the same interface.
Figure 138: Configuring Storm Control

Automatic Traffic Control
Use the Traffic > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

Command Usage
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
be triggered (as configured under the Action field) or a trap message sent (as configured under the Trap Storm Fire field).
◆ The release timer only applies to a Rate Control response set in the Action field of the ATC (Interface Configuration) page. When a port has been shut down by a control response, it must be manually re-enabled using the Manual Control Release (see page 243).
Configuring ATC Thresholds and Responses
Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.

Parameters
These parameters are displayed:
◆ Storm Control – Specifies automatic storm control for broadcast traffic or multicast traffic.
◆ Once the traffic rate exceeds the upper threshold and the Apply Timer expires, a trap message will be sent if configured by the Trap Storm Fire attribute.
◆ Alarm Clear Threshold – The lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the Auto Release Control attribute.
Figure 142: Configuring ATC Interface Attributes
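The interplay of the two thresholds and two timers is easier to follow as a state machine. The following is an added example, not Edgecore firmware logic: it assumes one ingress-rate sample per second, timers that count consecutive samples, and hypothetical class, method and event names.

```python
# Added illustration of the ATC thresholds and timers; not Edgecore firmware logic.
# Assumptions: one ingress-rate sample per second, timers count consecutive
# samples, and the class, method and event names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class AtcPort:
    fire_threshold: int            # Alarm Fire Threshold (kpps)
    clear_threshold: int           # Alarm Clear Threshold (kpps)
    apply_timer: int               # seconds above fire threshold before the response
    release_timer: int             # seconds below clear threshold before release
    action: str = "rate-control"   # Action field: "rate-control" or "shutdown"
    auto_release: bool = True      # Auto Release Control
    state: str = "normal"          # normal -> alarm -> controlled | shutdown
    events: list = field(default_factory=list)
    _above: int = 0
    _below: int = 0

    def __post_init__(self):
        if self.clear_threshold >= self.fire_threshold:
            raise ValueError("clear threshold must be lower than fire threshold")
        if self.action not in ("rate-control", "shutdown"):
            raise ValueError("unknown action: " + self.action)

    def sample(self, t, kpps):
        """Feed one offered ingress-rate sample taken at second t."""
        if self.state == "shutdown":
            return                                  # waits for manual_release()
        if self.state == "controlled":
            self._sample_controlled(t, kpps)
        elif kpps > self.fire_threshold:
            if self.state == "normal":
                # Assumed to mirror the clear side: alarm raised on crossing.
                self.state, self._above = "alarm", 0
                self.events.append((t, "alarm_fire"))
            self._above += 1
            if self._above >= self.apply_timer:     # Apply Timer expired
                self.state = "shutdown" if self.action == "shutdown" else "controlled"
                self._below = 0
                self.events.append((t, "control_apply:" + self.action))
        elif self.state == "alarm":
            self._above = 0                         # storm was not sustained
            if kpps < self.clear_threshold:
                self.state = "normal"
                self.events.append((t, "alarm_clear"))

    def _sample_controlled(self, t, kpps):
        if kpps >= self.clear_threshold:
            self._below = 0                         # still noisy, restart the count
            return
        if self._below == 0:
            self.events.append((t, "alarm_clear"))  # Storm Alarm Clear Trap
        self._below += 1
        # The release timer only applies to a rate-control response.
        if self.auto_release and self._below >= self.release_timer:
            self.state, self._above = "normal", 0
            self.events.append((t, "control_release"))

    def manual_release(self, t):
        """Manual Control Release: the only way out of a shutdown response."""
        if self.state in ("controlled", "shutdown"):
            self.state, self._above, self._below = "normal", 0, 0
            self.events.append((t, "manual_release"))


def run(port, samples):
    """Replay a list of per-second rates and return the (second, event) log."""
    for t, kpps in enumerate(samples):
        port.sample(t, kpps)
    return port.events


# Constructed sample: a storm that lasts three seconds, then subsides.
STORM = [100, 600, 700, 650, 300, 150, 100, 100]

if __name__ == "__main__":
    for action in ("rate-control", "shutdown"):
        p = AtcPort(500, 200, apply_timer=3, release_timer=2, action=action)
        print(action, run(p, STORM), p.state)
```

With the shutdown action the port stays down after the storm ends, so an alert on the apply event needs an operator follow-up; with rate control and auto release the port recovers on its own.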
9 Class of Service

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Chapter 9 | Class of Service
Layer 2 Queue Settings

◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)

Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode for the port selected.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.
Figure 146: Setting the Queue Mode (Strict and WRR)

Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Setting Priority Processing to DSCP or CoS
The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method.

Command Usage
◆ If the QoS mapping mode is set to DSCP, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
Figure 147: Setting the Trust Mode

Mapping CoS Priorities to Per-hop Behavior
Use the Traffic > Priority > CoS to Queue page to map CoS/CFI values in incoming packets to per-hop behavior for priority processing.

Command Usage
◆ The default mapping of CoS/CFI to Queue/CFI values is shown below.
Web Interface
To map CoS/CFI values to Queue precedence:
1. Click Traffic, Priority, CoS to Queue.
2. Set the Queue for any of the CoS/CFI combinations.
3. Click Apply.

Figure 148: Configuring CoS to Queue Mapping

Mapping DSCP Priorities to Per-hop Behavior
Use the Traffic > Priority > DSCP to Queue page to map DSCP values in incoming packets to per-hop behavior for priority processing.
Parameters
These parameters are displayed:
◆ Port – Specifies a port.
◆ DSCP – DSCP value in ingress packets. (Range: 0-63)
◆ Queue – Per-hop behavior, or the priority used for this router hop.
Figure 149: Configuring DSCP to Queue Mapping
10 Quality of Service

This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.
Chapter 10 | Quality of Service
Configuring a Class Map

Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
◆ Description – A brief description of a class map. (Range: 1-64 characters)

Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the lone criteria specified by this command.
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value.
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.

Figure 151: Showing Class Maps

To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.
To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.

Figure 153: Showing the Rules for a Class Map

Creating QoS Policies
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces.
Add Rule
◆ Policy Name – Name of policy map.
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. A policy map can contain up to 32 class maps.
◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets.
Web Interface
To configure a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.

Figure 154: Configuring a Policy Map

To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class. Enter a rate limit if required.
6. Click Apply.
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.

Figure 157: Showing the Rules for a Policy Map

Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.

Command Usage
First define a class map, define a policy map, and then bind the service policy to the required interface.
5. Click Apply.
11 VoIP Traffic Configuration

This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
Configuring VoIP Traffic
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

Command Usage
All ports are set to VLAN hybrid mode by default.
Figure 159: Configuring a Voice VLAN

Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
Chapter 11 | VoIP Traffic Configuration
Configuring VoIP Traffic Ports

6. Enter a description for the devices.
7. Click Apply.

Figure 160: Configuring an OUI Telephony List

To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
Parameters
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
  ■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
  ■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
When VoIP Mode is set to Auto, the Remaining Age will be displayed. Otherwise, if the VoIP Mode is Disabled or set to Manual, the remaining age will display “NA.”

Web Interface
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
12 Security Measures

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 12 | Security Measures
AAA (Authentication, Authorization and Accounting)

◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, or static source bindings.
◆ ARP Inspection – Security feature that validates the MAC Address bindings for Address Resolution Protocol packets.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See “Configuring Local/Remote Logon Authentication” on page 275.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3.
■ TACACS – User authentication is performed using a TACACS+ server only.
■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.

Web Interface
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
■ Authentication Key – Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
◆ Sequence at Priority - Specifies the server and sequence to use for the group. (Range: 1-5)
  When specifying the priority sequence for a server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication” on page 275).

Web Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3.
Figure 166: Configuring Remote Authentication Server (TACACS+)

To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
  ■ Exec – Administrative accounting for local console, Telnet, or SSH connections.
◆ Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.
  ■ VTY Method Name – Specifies a user defined method name to apply to Telnet and SSH connections.

Show Information – Summary
◆ Accounting Type - Displays the accounting service.
◆ Method Name - Displays the user-defined or default accounting method.
◆ Server Group Name - Displays the accounting server group.
◆ Interface - Displays the port, console or Telnet interface to which these rules apply.
To configure the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Command, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.
Figure 171: Showing AAA Accounting Methods

To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Command, Exec).
4. Enter the required accounting method.
5. Click Apply.
Figure 173: Configuring AAA Accounting Service for Command Service

Figure 174: Configuring AAA Accounting Service for Exec Service

To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
Figure 175: Displaying a Summary of Applied AAA Accounting Methods

To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.
Parameters
These parameters are displayed:

Configure Method
◆ Authorization Type – Specifies the service as:
  ■ Command – Administrative authorization to apply to commands entered at specific CLI privilege levels.
  ■ Exec – Administrative authorization for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an authorization method for service requests.
Web Interface
To configure the authorization method applied to the Exec service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Specify the name of the authorization method and server group name.
4. Click Apply.
To configure the authorization method applied to local console, Telnet, or SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
3. Enter the required authorization method.
4. Click Apply.

Figure 179: Configuring AAA Authorization Methods for Exec Service

To display the configured authorization method and assigned server groups for the Exec service type:
1.
Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.

Command Usage
◆ The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
◆ The guest only has read access for most configuration parameters.
  ■ Encrypted Password – Encrypted password.
    The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server. There is no need for you to manually configure encrypted passwords.
◆ Password – Specifies the user password.
Figure 182: Showing User Accounts

Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
◆ Quiet Period – Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts. (Range: 1-180 seconds; Default: 60 seconds)
◆ Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period.
Chapter 12 | Security Measures
Network Access (MAC Address Authentication)

◆ Revert – Restores the previous configuration settings.
◆ Re-authenticate – Ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List, and forces the users to reauthenticate.
◆ Revert – Restores the previous configuration settings.

Web Interface
To enable web authentication for a port:
1. Click Security, Web Authentication.
2. Select Configure Interface from the Step list.
3.
Command Usage
◆ MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
Table 15: Dynamic QoS Profiles

Profile      Attribute Syntax                     Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate                rate-limit-input=100 (kbps)
             rate-limit-output=rate               rate-limit-output=200 (kbps)
802.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off the port.
Figure 185: Configuring Global Settings for Network Access

Configuring Network Access for Ports
Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.
◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled)
  The VLAN settings specified by the first authenticated MAC address are implemented for a port.
Figure 186: Configuring Interface Settings for Network Access

Configuring Port Link Detection
Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.

Parameters
These parameters are displayed:
◆ Link Detection Status – Configures whether Link Detection is enabled or disabled for a port.
Web Interface
To configure link detection on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the Link Detection button.
4. Modify the link detection status, trigger condition, and the response for any port.
5. Click Apply.
default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF; Default: FFFFFFFFFFFF)

Web Interface
To add a MAC address filter for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Add from the Action list.
4. Enter a filter ID, MAC address, and optional mask.
5. Click Apply.
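The MAC filter mask above and the telephony OUI match described in the VoIP chapter (the first three octets of the source MAC address) are both prefix-style comparisons on a 48-bit address. The following added example, which is not code from the switch, assumes that a mask bit of 1 means the corresponding address bit must match; the function names and sample addresses are constructed for illustration.

```python
# Added illustration of mask-based MAC matching; not code from the switch.
# Assumption: a mask bit of 1 means that bit of the address must match, so
# FFFFFFFFFFFF is an exact match. Addresses below are constructed samples.
import re


def parse_mac(text: str) -> int:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


def mac_matches(candidate: str, entry: str, mask: str = "FFFFFFFFFFFF") -> bool:
    """True when candidate equals entry on every bit the mask selects."""
    m = parse_mac(mask)
    return (parse_mac(candidate) & m) == (parse_mac(entry) & m)


def addresses_covered(mask: str) -> int:
    """How many distinct source addresses a single entry with this mask admits."""
    wildcard_bits = 48 - bin(parse_mac(mask)).count("1")
    return 1 << wildcard_bits


def first_match(candidate: str, table):
    """table is a list of (label, mac, mask); return the first matching label."""
    for label, mac, mask in table:
        if mac_matches(candidate, mac, mask):
            return label
    return None


# Constructed filter table: one exact entry and one OUI-wide entry.
TABLE = [
    ("printer (exact)", "00-12-34-00-00-01", "FF-FF-FF-FF-FF-FF"),
    ("phones (OUI)", "00-AA-BB-00-00-00", "FF-FF-FF-00-00-00"),
]

if __name__ == "__main__":
    for mac in ("00:12:34:00:00:01", "00:aa:bb:12:34:56", "00:12:34:00:00:02"):
        print(mac, "->", first_match(mac, TABLE))
    print("OUI-wide entry admits", addresses_covered("FFFFFF000000"), "addresses")
```

When reviewing a filter table, the count returned by `addresses_covered` is a quick way to spot entries that match far more devices than intended, since a source MAC address is supplied by the attached host.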
Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.

Parameters
These parameters are displayed:
◆ Query By – Specifies parameters to use in the MAC address query.
Figure 190: Showing Addresses Authenticated for Network Access

Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
  ■ The client and server generate session keys for encrypting and decrypting data.
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 9, Mozilla Firefox 52, Google Chrome 54, or Opera 41 or more recent versions.
◆ The following web browsers and operating systems currently support HTTPS:

Table 16: HTTPS System Support

Web Browser            Operating System
Internet Explorer 9.
Figure 191: Configuring HTTPS

Replacing the Default Secure-site Certificate
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate.

When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
◆ Private Key Source File Name – Name of private key file stored on the TFTP server.
◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made. The switch will not download the certificate if these two fields do not match.
Configuring the Secure Shell

The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
3. Import Client’s Public Key to the Switch – See “Importing User Public Keys” on page 313 to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 291.) The clients are subsequently authenticated using these keys.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.

Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Figure 193: Configuring the SSH Server

Generating the Host Key Pair

Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section “Importing User Public Keys” on page 313.
Figure 194: Generating the SSH Host Key Pair

To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4. Select the option to save the host key from memory to flash by clicking Save, or select the host-key type to clear and click Clear.
The SSH server uses RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA for SSHv2 clients.
◆ TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import.
◆ Source File Name – The public key file to upload.
Figure 197: Showing the SSH User’s Public Key

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed number of TCAM entries needed for one ACE.
For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.

Parameters
These parameters are displayed:
◆ Pool Capability Code – Abbreviation for processes shown in the TCAM List.
◆ Unit – Stack unit identifier.
◆ Device – Memory chip used for indicated pools.
◆ Pool – Rule slice (or call group).
Figure 198: Showing TCAM Utilization

Setting the ACL Name and Type

Use the Security > ACL (Configure ACL - Add) page to create an ACL.

Parameters
These parameters are displayed:
◆ ACL Name – Name of the ACL. (Maximum length: 32 characters)
◆ Type – The following filter modes are supported:
■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
■ IPv6 Extended: IPv6 ACL mode filters packets based on the source or destination IP address, as well as DSCP, and the next header type.
■ MAC – MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
■ ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP inspection (see “ARP Inspection” on page 381).

Web Interface
To configure the name and type of an ACL:
1.
Figure 200: Showing a List of ACLs

Configuring a Standard IPv4 ACL

Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
Web Interface
To add rules to an IPv4 Standard ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source/Destination Address Type – Specifies the source or destination IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Subnet Mask fields.
◆ Service Type – Packet priority settings based on the following criteria:
■ Precedence – IP precedence level. (Range: 0-7)
■ DSCP – DSCP priority level. (Range: 0-63)
◆ Time Range – Name of a time range.

Web Interface
To add rules to an IPv4 Extended ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Extended from the Type list.
5.
Figure 202: Configuring an Extended IPv4 ACL

Configuring a Standard IPv6 ACL

Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
Web Interface
To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the source address type (Any, Host, or IPv6-prefix).
8. If you select “Host,” enter a specific address.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Protocol – Selects the protocol of the next header in the packet. Select TCP, UDP, ICMP, or Next Header to identify the protocol by value.
◆ Next Header – Identifies the type of header immediately following the IPv6 header.
◆ Destination Port – Protocol destination port number. (Range: 0-65535)
◆ Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535)
◆ Time Range – Name of a time range.

Web Interface
To add rules to an Extended IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Extended from the Type list.
5.
Configuring a MAC ACL

Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ CoS Bit Mask – CoS bitmask. (Range: 0-7)
◆ Time Range – Name of a time range.

Web Interface
To add rules to a MAC ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select MAC from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or MAC).
8.
Configuring an ARP ACL

Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 382).

Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the packet type (Request, Response, All).
8. Select the address type (Any, Host, or IP).
9. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “IP,” enter a base address and a hexadecimal bit mask for an address range.
10. Enable logging if required.
11. Click Apply.
◆ Counter – Enables counter for ACL statistics.

Web Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Select IP, MAC or IPv6 from the Type options.
5. Select a port.
6. Select the name of an ACL from the ACL list.
7. Click Apply.
◆ Direction – Displays statistics for ingress or egress traffic.
◆ Query – Displays statistics for selected criteria.
◆ ACL Name – The ACL bound to this port.
◆ Action – Shows if action is to permit or deny specified packets.
◆ Rules – Shows the rules for the ACL bound to this port.
◆ Time-Range – Name of a time range.
◆ Hit – Shows the number of packets matching this ACL.
◆ Clear Counter – Clears the hit counter for the specified ACL.
Filtering IP Addresses for Management Access

Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.

Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Web Interface
To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Add from the Action list.
3. Select the management interface to filter (Web, SNMP, Telnet, All).
4. Enter the IP addresses or range of addresses that are allowed management access to an interface.
5.
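The following Python sketch is an added example, not code from this guide or from the switch software. It models the filter behaviour described above (each interface is open until its list has an entry, then only listed addresses or ranges are admitted) and reports which management stations a planned filter list would lock out before it is applied. The class and function names are hypothetical, the addresses are constructed documentation addresses, and applying the 15-entry limit per interface list is an assumption.

```python
import ipaddress

INTERFACES = ("web", "snmp", "telnet")
MAX_ENTRIES = 15  # limit stated in the guide; counted per interface list here (assumption)


class MgmtFilter:
    """Planned management-access filter lists, one per interface."""

    def __init__(self):
        self.lists = {name: [] for name in INTERFACES}

    def add(self, interface, start, end=None):
        """Add one address (start only) or an inclusive range start..end."""
        targets = INTERFACES if interface == "all" else (interface,)
        for name in targets:
            if name not in self.lists:
                raise ValueError(f"unknown management interface: {name!r}")
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end is not None else lo
        if lo.version != hi.version or hi < lo:
            raise ValueError("range end must follow range start")
        for name in targets:
            if len(self.lists[name]) >= MAX_ENTRIES:
                raise ValueError(f"{name} filter list is full")
        for name in targets:
            self.lists[name].append((lo, hi))

    def allows(self, interface, src):
        """Would the switch accept a management session from src?"""
        entries = self.lists[interface]
        if not entries:
            return True  # no entries: interface is open to all addresses
        addr = ipaddress.ip_address(src)
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in entries)


def lockout_report(flt, stations):
    """Map each station to the interfaces it would lose; omit unaffected stations."""
    report = {}
    for station in stations:
        lost = [name for name in INTERFACES if not flt.allows(name, station)]
        if lost:
            report[station] = lost
    return report


def demo():
    # Constructed plan: restrict web access to one range, SNMP to one collector.
    flt = MgmtFilter()
    flt.add("web", "192.0.2.10", "192.0.2.20")
    flt.add("snmp", "198.51.100.5")
    # Constructed list of stations that must keep management access.
    stations = ["192.0.2.15", "198.51.100.5", "203.0.113.9"]
    return lockout_report(flt, stations)


if __name__ == "__main__":
    for station, lost in demo().items():
        print(f"{station} would lose: {', '.join(lost)}")
```

Telnet never appears in the report because its list is still empty, which means it remains open to every address until an entry is added for it.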
Configuring Port Security

Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Security Status – Enables or disables port security on a port. (Default: Disabled)
◆ Port Status – The operational status:
■ Secure/Down – Port security is disabled.
■ Secure/Up – Port security is enabled.
■ Shutdown – Port is shut down due to a response to a port security violation.
Web Interface
To configure port security:
1. Click Security, Port Security.
2. Mark the check box in the Security Status column to enable security, set the action to take when an invalid address is detected on a port, and set the maximum number of MAC addresses allowed on the port.
3. Click Apply.

Figure 211: Configuring Port Security

Configuring 802.
authentication messages can be MD5 (Message-Digest 5), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
Configuring 802.1X Global Settings

Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.

Parameters
These parameters are displayed:
◆ System Authentication Control – Sets the global setting for 802.1X.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server.
4. Click Apply.

Figure 213: Configuring Global Settings for 802.1X Port Authentication

Configuring Port Authenticator

Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.
◆ Authorized – Displays the 802.1X authorization status of connected clients.
■ Yes – Connected client is authorized.
■ N/A – Connected client is not authorized, or port is not connected.
◆ Control Mode – Sets the authentication mode to one of the following options:
■ Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
◆ Tx Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
◆ Supplicant Timeout – Sets the time that a switch port waits for a response to an EAP request from a client before re-transmitting an EAP packet.
Authenticator PAE State Machine
◆ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
◆ Reauth Count – Number of times connecting state is re-entered.
◆ Current Identifier – Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server.
Figure 214: Configuring Interface Settings for 802.1X Port Authenticator

Configuring Port Supplicant Settings for 802.1X

Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.1X is enabled and the control mode is set to Force-Authorized (see “Configuring Port Authenticator Settings for 802.
Parameters
These parameters are displayed:
◆ Port – Port number.
◆ PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled) If the attached client must be authenticated through another device in the network, supplicant status must be enabled. Supplicant status can only be enabled if PAE Control Mode is set to “Force-Authorized” on this port (see “Configuring Port Authenticator Settings for 802.1X” on page 341).
Figure 215: Configuring Interface Settings for 802.1X Port Supplicant

Displaying 802.1X Statistics

Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.

Parameters
These parameters are displayed:

Table 17: 802.1X Statistics
Parameter | Description
Authenticator
Rx EAPOL Start | The number of EAPOL Start frames that have been received by this Authenticator.
Table 17: 802.1X Statistics (Continued)
Parameter | Description
Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
Supplicant
Rx EAPOL Invalid | The number of EAPOL frames that have been received by this Supplicant in which the frame type is not recognized.
Rx EAPOL Total | The number of valid EAPOL frames of any type that have been received by this Supplicant.
Web Interface
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.
4. Select a port.

Figure 216: Showing Statistics for 802.1X Port Authenticator

To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.
4. Select a port.
Figure 217: Showing Statistics for 802.1X Port Supplicant

DoS Protection

Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service. (Default: Disabled)
◆ TCP Flooding Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second)
◆ TCP Null Scan – A TCP NULL scan message is used to identify listening TCP ports.
◆ WinNuke Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second)

Web Interface
To protect against DoS attacks:
1. Click Security, DoS Protection.
2. Enable protection for specific DoS attacks, and set the maximum allowed rate as required.
3.
messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.
◆ Table entries are only learned for trusted interfaces. An entry is added or removed dynamically to the DHCP snooping table when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
■ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
DHCP Snooping Global Configuration

Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.

Parameters
These parameters are displayed:

General
◆ DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
◆ DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.
◆ DHCP Snooping Information Option TR101 Board ID – Sets the board identifier used in Option 82 information based on TR-101 syntax. (Range: 0-9; Default: undefined)
◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information.
■ Drop – Drops the client’s request packet instead of relaying it.
DHCP Snooping VLAN Configuration

Use the Security > DHCP Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.

Command Usage
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Configuring Ports for DHCP Snooping

Use the Security > DHCP Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.

Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
4. Specify the mode used for sending circuit ID information, and an arbitrary string if required.
5. Click Apply.

Figure 221: Configuring the Port Mode for DHCP Snooping

Displaying DHCP Snooping Binding Information

Use the Security > DHCP Snooping (Show Information) page to display entries in the binding table.

Parameters
These parameters are displayed:
◆ MAC Address – Physical address associated with the entry.
Web Interface
To display the binding table for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Show Information from the Step list.
3. Use the Store or Clear function if required.
◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IPv6 address, lease time, binding type, VLAN identifier, and port identifier.
◆ When DHCPv6 snooping is enabled, the rate limit for the number of DHCPv6 messages that can be processed by the switch is 100 packets per second. Any DHCPv6 packets in excess of this limit are dropped.
■ If yes, continue to C.
■ If not, continue to B.
■ Check if IPv6 address in IA option is found in binding cache:
■ If yes, continue to C.
■ If not, check failed, and forward packet to trusted port.
B. Check status code in IA option:
■ If successful, and entry is in binding table, update lease time and forward to original destination.
by the DHCPv6 server to assign preassigned configuration data specific to the DHCPv6 client. (Default: Disabled)
■ DHCPv6 provides a relay mechanism for sending information about the switch and its DHCPv6 clients to the DHCPv6 server. Known as DHCPv6 Option 37, it allows compatible DHCPv6 servers to use the information when assigning IP addresses, or to set other services or policies for clients.
■ Replace – Replaces the Option 37 remote-ID in the client’s request with the relay agent’s remote-ID (when DHCPv6 snooping is enabled), and forwards the packets to trusted ports.

Web Interface
To configure global settings for DHCPv6 Snooping:
1. Click Security, DHCP Snooping6.
2. Select Configure Global from the Step list.
3. Select the required options for the DHCPv6 snooping process and for the DHCPv6 snooping information options.
4.
Web Interface
To configure global settings for DHCPv6 Snooping:
1. Click Security, DHCP Snooping6.
2. Select Configure VLAN from the Step list.
3. Select Add from the Action list.
4. Select a VLAN on which to enable DHCPv6 Snooping.
5. Click Apply.

Figure 224: Configuring DHCPv6 Snooping on a VLAN

To show the VLANs for which DHCPv6 Snooping is enabled:
1. Click Security, DHCP Snooping6.
2. Select Configure VLAN from the Step list.
3.
◆ Set all interfaces connected to DHCPv6 servers within the local network or firewall to trusted, and all other interfaces outside the local network or firewall to untrusted.
◆ When DHCPv6 snooping is enabled globally and enabled on a VLAN, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface.
Figure 226: Configuring the Trust State for DHCPv6 Snooping

Displaying DHCPv6 Snooping Binding Information

Use the Security > DHCP Snooping6 (Show Information – Binding) page to display entries in the binding table.

Parameters
These parameters are displayed:
◆ Link-layer Address – IPv6 link-layer address associated with the entry.
◆ IPv6 Address – IPv6 address corresponding to the client.
Figure 227: Displaying the Binding Table for DHCPv6 Snooping

Displaying DHCPv6 Snooping Statistics

Use the Security > DHCP Snooping6 (Show Information – Statistics) page to display information on client, server, and relay packets.

Parameters
These parameters are displayed:
◆ State – Packet states include received, sent and dropped.
◆ Types
■ Client Packet – Includes Solicit, Request, Confirm, Renew, Rebind, Decline, Release and Information-request.
Figure 228: Displaying Statistics for DHCPv6 Snooping

IPv4 Source Guard

IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 352). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IPv4 address of a neighbor to access the network.
◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see “DHCP Snooping” on page 352), or static addresses configured in the source guard binding table.
◆ If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both its IP address and corresponding MAC address (SIP-MAC option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
◆ Max Binding Entry – The maximum number of entries that can be bound to an interface.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.
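The Python model below is an added example, not code from this guide or from the switch firmware. It shows how the SIP and SIP-MAC checks described above differ when a packet is compared with a binding table that holds both static and DHCP-snooping entries, and it enforces the rule that the same MAC address cannot be added under a different VLAN ID. The class names, the sample hosts and the lease values are constructed; matching entries per port and VLAN, and treating static entries as never expiring, are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SIP = "SIP"          # check the source IP address only
SIP_MAC = "SIP-MAC"  # check source IP and source MAC together


def norm_mac(mac: str) -> str:
    """Reduce 00-11-22-33-44-55, 00:11:... or 001122334455 to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c not in "-:.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: ipaddress.IPv4Address
    vlan: int
    port: int
    kind: str                        # "static" or "dhcp-snooping"
    expires: Optional[float] = None  # None = never expires (assumed for static)


class SourceGuardTable:
    """Binding table holding static and DHCP-snooping entries."""

    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def add(self, mac, ip, vlan, port, kind="static", expires=None) -> Binding:
        mac = norm_mac(mac)
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range 1-4094")
        # Rule from the guide: same MAC address with a different VLAN ID is refused.
        if any(e.mac == mac and e.vlan != vlan for e in self.entries):
            raise ValueError("MAC address already bound in a different VLAN")
        entry = Binding(mac, ipaddress.IPv4Address(ip), vlan, port, kind, expires)
        self.entries.append(entry)
        return entry

    def permits(self, mode, port, vlan, src_ip, src_mac, now=0.0) -> bool:
        """True if the inbound packet matches a live entry; False means drop."""
        if mode not in (SIP, SIP_MAC):
            raise ValueError(f"unknown filter mode: {mode!r}")
        ip = ipaddress.IPv4Address(src_ip)
        mac = norm_mac(src_mac)
        for e in self.entries:
            if (e.port, e.vlan) != (port, vlan):  # assumption: match per port/VLAN
                continue
            if e.expires is not None and e.expires <= now:  # lapsed dynamic lease
                continue
            if e.ip != ip:
                continue
            if mode == SIP_MAC and e.mac != mac:
                continue
            return True
        return False


def demo():
    """Evaluate constructed packets; returns {case: (SIP result, SIP-MAC result)}."""
    table = SourceGuardTable()
    table.add("00-11-22-33-44-01", "192.0.2.10", vlan=10, port=1,
              kind="dhcp-snooping", expires=3600.0)
    table.add("00-11-22-33-44-02", "192.0.2.20", vlan=10, port=2)  # static entry
    cases = {
        "bound host on port 1": (1, "192.0.2.10", "00-11-22-33-44-01", 100.0),
        "port 2 host using neighbor's IP": (2, "192.0.2.10", "00-11-22-33-44-02", 100.0),
        "right IP, different MAC on port 1": (1, "192.0.2.10", "00-11-22-33-44-99", 100.0),
        "port 1 after lease expiry": (1, "192.0.2.10", "00-11-22-33-44-01", 7200.0),
    }
    return {
        name: tuple(table.permits(mode, port, 10, ip, mac, now)
                    for mode in (SIP, SIP_MAC))
        for name, (port, ip, mac, now) in cases.items()
    }


if __name__ == "__main__":
    for name, (sip, sip_mac) in demo().items():
        print(f"{name:36} SIP={'permit' if sip else 'drop':6} "
              f"SIP-MAC={'permit' if sip_mac else 'drop'}")
```

The third case is the one that separates the two modes: a station that reuses a bound IP address from behind the bound port passes SIP but is dropped under SIP-MAC.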
◆ VLAN – ID of a configured VLAN or a range of VLANs. (Range: 1-4094)
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
◆ Port – The port to which a static entry is bound. Specify a physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers. (Range: 1-18)

Show
◆ MAC Address – Physical address associated with the entry.
3. Select Show from the Action list.

Figure 231: Displaying Static Bindings for IPv4 Source Guard

Displaying Information for Dynamic IPv4 Source Guard Bindings

Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.

Parameters
These parameters are displayed:

Query by
◆ Port – A port on this switch.
Figure 232: Showing the IPv4 Source Guard Binding Table

IPv6 Source Guard

IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (refer to the DHCPv6 Snooping commands in the CLI Reference Guide).
◆ Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table (using the Static Binding page) are automatically configured with an infinite lease time. Dynamic entries learned via DHCPv6 snooping are configured by the DHCPv6 server itself.
Guide), and static entries set by IPv6 Source Guard (see “Configuring Static Bindings for IPv6 Source Guard” on page 377).
■ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
◆ Static addresses entered in the source guard binding table are automatically configured with an infinite lease time.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via ND snooping, DHCPv6 snooping, or static addresses configured in the source guard binding table.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.
◆ Type – Shows the entry type:
■ DHCP – Dynamic DHCPv6 binding, stateful address.
■ ND – Dynamic Neighbor Discovery binding, stateless address.
■ STA – Static IPv6 Source Guard binding.

Web Interface
To configure static bindings for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Static Binding.
2. Select Add from the Action list.
3. Enter the required bindings for each port.
4.
Displaying Information for Dynamic IPv6 Source Guard Bindings

Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.

Parameters
These parameters are displayed:

Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IPv6 Address – A valid global unicast IPv6 address.
Figure 236: Showing the IPv6 Source Guard Binding Table

ARP Inspection

ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
■ If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including those where inspection is enabled.
■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
■ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
ARP Inspection Logging
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ The administrator can configure the log facility rate.
◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
Web Interface
To configure global settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure General from the Step list.
3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
4. Click Apply.
◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.

Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ DAI Status – Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled)
◆ ACL Name – Allows selection of any configured ARP ACLs.
Configuring Interface Settings for ARP Inspection

Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.

Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier.
◆ Trust Status – Configures the port as trusted or untrusted.
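The validation order described above (global and per-VLAN status, port trust, ARP ACL, then the DHCP snooping bindings), modelled as an added example that is not code from this guide or the switch firmware. Two behaviours are assumptions because this page does not state them: ARP packets on trusted ports bypass inspection, and with Static set a packet that matches no ACL rule is dropped without consulting the bindings. All addresses and port names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    port: str
    sender_mac: str
    sender_ip: str


@dataclass(frozen=True)
class AclRule:
    permit: bool
    sender_ip: str
    sender_mac: str

    def matches(self, pkt: ArpPacket) -> bool:
        return (self.sender_ip == pkt.sender_ip
                and self.sender_mac.lower() == pkt.sender_mac.lower())


@dataclass
class VlanPolicy:
    dai_enabled: bool = False   # "DAI Status" (Default: Disabled)
    acl: tuple = ()             # ordered rules of the ARP ACL chosen under "ACL Name"
    static: bool = False        # the "Static" option


@dataclass
class ArpInspector:
    global_enabled: bool
    vlans: dict                 # VLAN ID -> VlanPolicy
    trusted_ports: set
    snooping_bindings: set      # (mac, ip, vlan, port) learned by DHCP snooping
    log_buffer: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket):
        """Return (forwarded, reason) for one ARP packet."""
        policy = self.vlans.get(pkt.vlan, VlanPolicy())
        if not self.global_enabled:
            return True, "ARP Inspection disabled globally"
        if not policy.dai_enabled:
            return True, "DAI disabled on VLAN"
        if pkt.port in self.trusted_ports:
            return True, "trusted port"                    # assumption, see lead-in
        for rule in policy.acl:                            # the ACL is consulted first
            if rule.matches(pkt):
                if rule.permit:
                    return True, "permitted by ARP ACL"
                return self._drop(pkt, "denied by ARP ACL")
        if policy.static:
            return self._drop(pkt, "no ACL match, Static set")   # assumption
        key = (pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan, pkt.port)
        if key in self.snooping_bindings:
            return True, "matches DHCP snooping binding"
        return self._drop(pkt, "no DHCP snooping binding")

    def _drop(self, pkt: ArpPacket, reason: str):
        # A dropped packet leaves an entry in the log buffer.
        self.log_buffer.append((pkt.vlan, pkt.port, pkt.sender_mac, pkt.sender_ip, reason))
        return False, reason


def build_inspector() -> ArpInspector:
    """Constructed configuration: VLAN 10 uses ACL + bindings, VLAN 20 is ACL-only."""
    return ArpInspector(
        global_enabled=True,
        vlans={
            10: VlanPolicy(dai_enabled=True,
                           acl=(AclRule(True, "192.0.2.5", "02:00:00:00:00:05"),)),
            20: VlanPolicy(dai_enabled=True, static=True,
                           acl=(AclRule(True, "198.51.100.5", "02:00:00:00:01:05"),)),
        },
        trusted_ports={"1/12"},
        snooping_bindings={
            ("02:00:00:00:00:0a", "192.0.2.10", 10, "1/3"),
            ("02:00:00:00:01:0a", "198.51.100.10", 20, "1/4"),
        },
    )


# Constructed ARP senders, one per decision branch.
SAMPLES = {
    "dhcp_client": ArpPacket(10, "1/3", "02:00:00:00:00:0A", "192.0.2.10"),
    "claims_gateway_ip": ArpPacket(10, "1/3", "02:00:00:00:00:0a", "192.0.2.1"),
    "static_server": ArpPacket(10, "1/7", "02:00:00:00:00:05", "192.0.2.5"),
    "dhcp_host_on_static_vlan": ArpPacket(20, "1/4", "02:00:00:00:01:0a", "198.51.100.10"),
    "uplink": ArpPacket(10, "1/12", "02:00:00:00:00:ff", "192.0.2.1"),
    "uninspected_vlan": ArpPacket(30, "1/9", "02:00:00:00:00:ee", "203.0.113.9"),
}


def run_samples():
    inspector = build_inspector()
    verdicts = {name: inspector.inspect(pkt) for name, pkt in SAMPLES.items()}
    return verdicts, inspector.log_buffer


if __name__ == "__main__":
    results, log = run_samples()
    for name, (forwarded, reason) in results.items():
        print(f"{name:26} {'forward' if forwarded else 'DROP':8} {reason}")
    print(f"{len(log)} entries in the log buffer")
```

The host on VLAN 20 holds a valid DHCP lease yet is dropped, which is the operational cost of Static under the assumption above: every legitimate sender on that VLAN has to appear in the ACL.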
Displaying ARP Inspection Statistics

Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.

Parameters
These parameters are displayed:

Table 18: ARP Inspection Statistics
Parameter | Description
Received ARP packets before ARP inspection rate limit | Count of ARP packets received but not exceeding the ARP Inspection rate limit.
Figure 240: Displaying Statistics for ARP Inspection

Displaying the ARP Inspection Log

Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.

Parameters
These parameters are displayed:

Table 19: ARP Inspection Log
Parameter | Description
VLAN ID | The VLAN where this packet was seen.
Port | The port where this packet was seen.
Src.
Figure 241: Displaying the ARP Inspection Log

Application Filter

Use the Security > Application Filter page to forward CDP or PVST packets.

Command Usage
If this feature is not enabled, the switch will handle CDP or PVST packets as normal packets. In other words, they are forwarded to other ports in the same VLAN that are also configured to forward the specified packet type.
13 Basic Administration Protocols

This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
◆ Smart Pair Configuration – Detects general loopback conditions caused by hardware problems or faulty protocol settings.

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.
◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)

Note: The Flash Level must be equal to or less than the RAM Level.

Note: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
To show the error messages logged to system or flash memory:
1. Click Administration, Log, System.
2. Select Show System Logs from the Step list.
3. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.

This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e.
The attribute specifies the facility type tag sent in syslog messages (see RFC 3164). This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
Sending Simple Mail Transfer Protocol Alerts

Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
Figure 246: Configuring SMTP Alert Messages

Link Layer Discovery Protocol

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
◆ Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
◆ Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below.
critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.

Web Interface
To configure LLDP timing attributes:
1. Click Administration, LLDP.
2. Select Configure Global from the Step list.
3. Enable LLDP, and modify any of the timing parameters as required.
4. Click Apply.
For information on defining SNMP trap destinations, see “Specifying Trap Managers” on page 443.

Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
enabled. The information advertised by this TLV is described in IEEE 802.1AB. (Default: Enabled)
■ System Description – The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
◆ MED TLVs – Configures general information included in the MED TLV field of advertised messages.
  ■ Capabilities – This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
5. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
6. Click Apply.

Figure 248: Configuring LLDP Interface Attributes

Configuring LLDP Interface

Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Table 21: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B

◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 74).
◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.
◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
Figure 251: Displaying Local Device Information for LLDP (General)

Figure 252: Displaying Local Device Information for LLDP (Port)

Figure 253: Displaying Local Device Information for LLDP (Port Details)
Displaying LLDP Remote Device Information

Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 23, "System Capabilities," on page 406.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 23, "System Capabilities," on page 406.)
◆ Management Address List – The management addresses for this device.
Table 25: Remote Port Auto-Negotiation Advertised Capability (Continued)
Bit | Capability
5 | 100BASE-TX full duplex mode
6 | 100BASE-T2 half duplex mode
7 | 100BASE-T2 full duplex mode
8 | PAUSE for full-duplex links
9 | Asymmetric PAUSE for full-duplex links
10 | Symmetric PAUSE for full-duplex links
11 | Asymmetric and Symmetric PAUSE for full-duplex links
12 | 1000BASE-X, -LX, -SX, -CX half duplex mode
13 | 1000BASE-X, -LX, -SX, -
Port Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.
Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
  ■ Voice
  ■ Voice Signaling
  ■ Guest Signaling
  ■ Guest Voice Signaling
  ■ Softphone Voice
  ■ Video Conferencing
  ■ Streaming Video
  ■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.
■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.
Web Interface
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.
Figure 255: Displaying Remote Device Information for LLDP (Port Details)
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.

Figure 256: Displaying Remote Device Information for LLDP (End Node)

Displaying Device Statistics

Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
Figure 257: Displaying LLDP Device Statistics (General)

Figure 258: Displaying LLDP Device Statistics (Port)

Power over Ethernet

The switch models listed on page 2 designated as a “PoE Switch” can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device.
Ports can be set to one of three power priority levels, critical, high or low. To control the power supply within the switch’s budget, ports set at critical to high priority have power enabled in preference to those ports set at low priority. For example, when a device connected to a port is set to critical priority, the switch supplies the required power, if necessary by denying power to ports set for a lower priority during bootup.
Web Interface
To set the overall PoE power budget for the switch:
1. Click Administration, PoE.
2. Select Configure Global from the Step list.
3. Set the maximum PoE power allocated to the switch.
4. Click Apply.

Figure 259: Setting the Switch’s PoE Budget

Setting The Port PoE Power Budget

Use the Administration > PoE (Configure Interface) page to set the PoE power allocation priority and maximum power provided to a port.
◆ If a device is connected to a switch port and the switch detects that it requires more than the power budget set for the port or to the overall switch, no power is supplied to the device (i.e., port power remains off).
◆ If the power demand from devices connected to all switch ports exceeds the power budget set for the switch, the port power priority settings are used to control the supplied power.
Web Interface
To set the PoE power budget for a port:
1. Click Administration, PoE, PSE.
2. Select Configure Interface from the Step list.
3. Enable PoE power on selected ports. Set the priority and the power budget.
4. Click Apply.
information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
Command Usage

Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps:
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. Refer to: “Configuring Global Settings for SNMP” on page 426
2.
Configuring Global Settings for SNMP

Use the Administration > SNMP (Configure Global) page to enable SNMPv3 service for all management clients (i.e., versions 1, 2c, 3), and to enable trap messages.

Parameters
These parameters are displayed:
◆ Agent Status – Enables SNMP on the switch.
◆ Access Mode – Specifies the access rights for the community string:
  ■ Read-Only – Authorized management stations are only able to retrieve MIB objects.
  ■ Read/Write – Authorized management stations are able to both retrieve and modify MIB objects.

Web Interface
To set a community access string:
1. Click Administration, SNMP.
2. Select Configure Community from the Step list.
3. Select Add from the Action list.
4.
Setting the Local Engine ID

Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
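How the engine ID enters key generation, as an added example that is not code from this guide or the switch firmware: the password-to-key and key-localization steps of RFC 3414 (the SNMPv3 User-based Security Model), checked against the sample values published in that RFC. The hash names passed in, the function names, and the second engine ID are assumptions for illustration; this page does not show which authentication protocols the switch offers.

```python
import hashlib
import hmac

EXPANDED_LENGTH = 1_048_576  # RFC 3414 A.2: the password is repeated to 1,048,576 octets

# Sample values published in RFC 3414, Appendix A.3.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
RFC_LOCALIZED = {
    "md5": "526f5eed9fcce26f8964c2930787d82b",
    "sha1": "6695febc9288e36282235fc7151f128497b38f3f",
}


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: digest of the password repeated to exactly EXPANDED_LENGTH octets."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    repeats, remainder = divmod(EXPANDED_LENGTH, len(pw))
    digest = hashlib.new(algorithm)
    digest.update(pw * repeats)
    digest.update(pw[:remainder])
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algorithm: str = "sha1") -> bytes:
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def rfc3414_self_check() -> bool:
    """True when both digests reproduce the RFC's localized sample keys."""
    return all(
        localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex() == expected
        for algo, expected in RFC_LOCALIZED.items()
    )


def engine_id_change_report(password: str, old_id_hex: str, new_id_hex: str,
                            algorithm: str = "sha1") -> dict:
    """Compare the key an agent holds before and after its engine ID changes."""
    old_key = localized_key(password, old_id_hex, algorithm)
    new_key = localized_key(password, new_id_hex, algorithm)
    return {
        "old_key": old_key.hex(),
        "new_key": new_key.hex(),
        # A key stored under the old engine ID no longer matches what a
        # manager derives from the same password and the new engine ID.
        "user_must_be_reconfigured": not hmac.compare_digest(old_key, new_key),
    }


if __name__ == "__main__":
    print("RFC 3414 vectors reproduced:", rfc3414_self_check())
    # The second engine ID is a constructed value.
    report = engine_id_change_report(RFC_PASSWORD, RFC_ENGINE_ID,
                                     "800001030300e00c0000fd")
    for field_name, value in report.items():
        print(f"{field_name}: {value}")
```

Because the stored key is the localized one, the same password yields a different key on every engine, so disclosure of one device's localized key does not expose the keys used by other agents.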
Specifying a Remote Engine ID

Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.

Figure 266: Showing Remote Engine IDs for SNMP

Setting SNMPv3 Views

Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree.
Web Interface
To configure an SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add View from the Action list.
4. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
5.
To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
Configuring SNMPv3 Groups

Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 28: Supported Notification Messages
Model | Level | Group
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
Table 28: Supported Notification Messages (Continued)
Model | Level | Group
swPowerStatusChangeTrap | 1.3.6.1.4.1.259.10.1.46.2.1.0.1 | This trap is sent when the power state changes.
swPortSecurityTrap | 1.3.6.1.4.1.259.10.1.46.2.1.0.36 | This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
swIpFilterRejectTrap | 1.3.6.1.4.1.259.10.1.46.2.1.0.
Table 28: Supported Notification Messages (Continued)
Model | Level | Group
swCpuUtiFallingNotification | 1.3.6.1.4.1.259.10.1.46.2.1.0.108 | This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold.
swMemoryUtiRisingThresholdNotification | 1.3.6.1.4.1.259.10.1.46.2.1.0.
Web Interface
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply

Figure 271: Creating an SNMP Group

To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
Configuring Local SNMPv3 Users

Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
4. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified. If the security level is authPriv, a privacy password must also be specified.
5. Click Apply

Figure 273: Configuring Local SNMPv3 Users

To show local SNMPv3 users:
1. Click Administration, SNMP.
2.
2. Select Change SNMPv3 Local User Group from the Action list.
3. Select the User Name.
4. Enter a new group name.
5. Click Apply

Figure 275: Changing a Local SNMPv3 User Group

Configuring Remote SNMPv3 Users

Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.)
■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication.
Figure 276: Configuring Remote SNMPv3 Users

To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
Specifying Trap Managers

Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive) Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page.
◆ UDP Port – Specifies the UDP port number used by the trap manager.
◆ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
  ■ Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
5.
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.

Figure 281: Showing Trap Managers

Creating SNMP Notification Logs

Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
◆ When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 443, a default notify filter will be created.

Parameters
These parameters are displayed:
◆ IP Address – The IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap – Add) page.

The notification log is stored locally.
Figure 283: Showing SNMP Notification Logs

Showing SNMP Statistics

Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.

Parameters
The following counters are displayed:
◆ SNMP packets input – The total number of messages delivered to the SNMP entity from the transport service.
◆ SNMP packets output – The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service.
◆ Too big errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig.
Remote Monitoring

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
◆ Sample Type – Tests for absolute or relative changes in the specified variable.
  ■ Absolute – The variable is compared directly to the thresholds at the end of the sampling period.
  ■ Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.
Figure 285: Configuring an RMON Alarm

To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Configuring RMON Events

Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.

Command Usage
◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
Web Interface
To configure an RMON event:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
6.
Figure 288: Showing Configured RMON Events

Configuring RMON History Samples

Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets - The number of buckets requested for this entry. (Range: 1-65536; Default: 8) The number of buckets granted is displayed on the Show page.
◆ Owner - Name of the person who created this entry. (Range: 1-32 characters)

Web Interface
To periodically sample statistics on a port:
1. Click Administration, RMON.
2.
4. Select a port from the list.
5. Click History.

Figure 290: Showing Configured RMON History Samples

To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

Command Usage
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
Figure 292: Configuring an RMON Statistical Sample

To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.

Figure 293: Showing Configured RMON Statistical Samples

To show collected RMON statistical samples:
1. Click Administration, RMON.
2.
Chapter 13 | Basic Administration Protocols Switch Clustering

Figure 294: Showing Collected RMON Statistical Samples

Switch Clustering
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see “Configuring VLAN Groups” on page 169).
2. Add the participating ports to this VLAN (see “Adding Static Members to VLANs” on page 171), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Web Interface
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply.

Figure 295: Configuring a Switch Cluster

Cluster Member Configuration
Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
Web Interface
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.

Figure 296: Configuring a Cluster Members

To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.

Figure 298: Showing Cluster Candidates

Managing Cluster Members
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.

Parameters
These parameters are displayed:
◆ Member ID – The ID number of the Member switch.
Chapter 13 | Basic Administration Protocols Setting a Time Range

Web Interface
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.

Figure 299: Managing a Cluster Member

Setting a Time Range
Use the Administration > Time Range page to set a time range during which various functions are applied, including applied ACLs or PoE.
◆ Mode
■ Absolute – Specifies a specific time or time range.
  ■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.
■ Periodic – Specifies a periodic interval.
  ■ Start/To – Specifies the days of the week, hours, and minutes at which to start or end.

Web Interface
To configure a time range:
1. Click Administration, Time Range.
2. Select Add from the Action list.
3. Enter the name of a time range.
4.
To configure a rule for a time range:
1. Click Administration, Time Range.
2. Select Add Rule from the Action list.
3. Select the name of a time range from the drop-down list.
4. Select a mode option of Absolute or Periodic.
5. Fill in the required parameters for the selected mode.
6. Click Apply.

Figure 302: Add a Rule to a Time Range

To show the rules configured for a time range:
1. Click Administration, Time Range.
2.
Chapter 13 | Basic Administration Protocols Ethernet Ring Protection Switching

Ethernet Ring Protection Switching
Note: Information in this section is based on ITU-T G.8032/Y.1344.

The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.
A link/node failure is detected by the nodes adjacent to the failure. These nodes block the failed link and report the failure to the ring using R-APS (SF) messages. This message triggers the RPL owner to unblock the RPL, and all nodes to flush their forwarding database. The ring is now in protection state, but it remains connected in a logical topology.
formed by the ring links of ERP2 and the ring link between the interconnection nodes that is controlled by ERP1. ERP2 is a sub-ring. Ring node A is the RPL owner node for ERP1, and ring node E is the RPL owner node for ERP2. These ring nodes (A and E) are responsible for blocking the traffic channel on the RPL for ERP1 and ERP2 respectively. There is no restriction on which ring link on a ring may be set as the RPL.
port connected to the next node in the ring to the east (or clockwise direction) and another port facing west in the ring.
3. Configure the RPL owner (Configure Domain – Configure Details): Configure one node in the ring as the Ring Protection Link (RPL) owner. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL.
◆ The switch takes about 350 ms to detect link-up on 1000Base-T copper ports, so the convergence time on this port type is more than 50 ms.
◆ One VLAN must be added to an ERPS domain as the CVLAN. This can be designated as any VLAN, other than the management VLAN. The CVLAN should only contain ring ports, and must not be configured with an IP address.
the RPL owner node and non-owner node state machines will start, and the ring will enter the active state.

Limitations
When configuring a ring port, note that these ports cannot be part of a spanning tree, nor can they be members of a static or dynamic trunk.

Parameters
These parameters are displayed:

Add
◆ Domain Name – Name of an ERPS ring. (Range: 1-12 characters)
◆ Domain ID – ERPS ring identifier used in R-APS messages.
◆ Interface – The port or trunk which is configured as a ring port.
◆ Port State – The operational state:
■ Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
■ 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2. (This is the default setting.
Once the ring has been activated, the configuration of the control VLAN cannot be modified. Use the Admin Status parameter to stop the ERPS ring before making any configuration changes to the control VLAN.
◆ Node State – Refer to the parameters for the Show page.
◆ Node Type – Shows ERPS node type as one of the following:
■ None – Node is neither Ring Protection Link (RPL) owner nor neighbor. (This is the default setting.
the RPL to be restored from Protection state to Idle state using the Clear command (Configure Operation page).
b. When other healthy ring nodes receive the NR (Node ID) message, no action is taken in response to the message.
c. When the operator issues the Clear command (Configure Operation page) for non-revertive mode at the RPL Owner Node, the non-revertive operation is cleared, the RPL Owner Node blocks its RPL port, and transmits an R-APS (NR, RB) message in both directions, repeatedly.
d.
■ Recovery with non-revertive mode is handled as follows:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action.
b.
initiates reversion by blocking the traffic channel on the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all Ethernet Ring Nodes flush their FDB.
node holding the link blocked receives this message, it compares the Node ID information with its own. If the received R-APS (NR) message has a higher priority, the node unblocks its ring ports. Otherwise, the block remains unchanged. The node identifier may also be used for debugging, such as to distinguish messages when a node is connected to more than one ring.
■ Sub-ring without R-APS Virtual Channel – Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub-ring over an arbitrary Ethernet network. In this situation, the R-APS messages are terminated on the interconnection points.
the secondary ring restore its connections more quickly through protection switching. When the MAC addresses are cleared, data traffic may flood onto the major ring. The data traffic will become stable after the MAC addresses are learned again. The major ring will not be broken, but the bandwidth of data traffic on the major ring may suffer for a short period of time due to this flooding behavior.
◆ Holdoff Timer – The hold-off timer is used to filter out intermittent link faults. Faults will only be reported to the ring protection mechanism if this timer expires. (Range: 0-10000 milliseconds, in steps of 100 milliseconds)
In order to coordinate timing of protection switches at multiple layers, a holdoff timer may be required.
◆ WTR Timer – The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
If CFM determines that a MEP node which has been configured to monitor a ring port with this command has gone down, this information is passed to ERPS, which in turn processes it as a ring node failure. For more information on how ERPS recovers from a node failure, refer to the description of the Revertive parameter on this configuration page.
◆ RPL – If the node is connected to the RPL, this shows by which interface.
Figure 311: Creating an ERPS Ring

To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
ERPS Forced and Manual Mode Operations
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.

Parameters
These parameters are displayed:
◆ Domain Name – Name of a configured ERPS ring.
◆ Operation – Specifies a Forced Switch (FS) or Manual Switch (MS) operation on the east or west ring port.
■ Forced Switch – Blocks specified ring port.
command. As such, two or more forced switches are allowed in the ring, which may inadvertently cause the segmentation of a ring. It is the responsibility of the operator to prevent this effect if it is undesirable.
Ring protection requests, commands and R-APS signals have the priorities as specified in the following table.
■ Manual Switch – Blocks specified ring port, in the absence of a failure or an FS command. (Options: West or East)
■ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the Manual Switch command triggers protection switching as follows:
a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
■ Recovery for manual switching under revertive and non-revertive mode is described under the Revertive parameter.
Chapter 13 | Basic Administration Protocols Connectivity Fault Management

Figure 313: Blocking an ERPS Ring Port

Connectivity Fault Management
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e.
Figure 315: Multiple CFM Maintenance Domains
(Diagram labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA; nodes marked C, P, O1, O2.)

Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
Configuring Global Settings for CFM
Use the Administration > CFM (Configure Global) page to configure global settings for CFM, such as enabling the CFM process on the switch, setting the start-up delay for cross-check operations, configuring parameters for the link trace cache, and enabling traps for events discovered by continuity check messages or cross-check messages.
name, MA name, MEPID, sequence number, and TTL value (see "Displaying Fault Notification Settings").
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes)
Before setting the aging time for cache entries, the cache must first be enabled in the Link Trace Cache attribute field.
◆ Link Trace Cache Size – The maximum size for the link trace cache.
A MEP Missing trap is sent if cross-checking is enabled, and no CCM is received for a remote MEP configured in the static list.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up.
A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list.

Web Interface
To configure global settings for CFM:
1. Click Administration, CFM.
2.
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.

Command Usage
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
Command Usage

Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
◆ More than one domain can be configured at the same maintenance level, but a single domain can only be configured with one maintenance level.
Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that the configured time period (MEP Fault Notify Alarm Time) has passed with one or more defects indicated, and fault alarms are enabled at or above the specified priority level (MEP Fault Notify Lowest Priority).
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain. (Range: 0-7)
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this domain:
■ Default – MIPs can be created for any maintenance association (MA) configured in this domain on any bridge port through which the MA’s VID can pass.
5. Specify the manner in which MIPs can be created within each domain.
6. Click Apply.

Figure 318: Configuring Maintenance Domains

To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Show from the Action list.

Figure 319: Showing Maintenance Domains

To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2.
Figure 320: Configuring Detailed Settings for Maintenance Domains

Configuring CFM Maintenance Associations
Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
◆ If a maintenance point fails to receive three consecutive CCMs from any other MEP in the same MA, a connectivity failure is registered.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
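The continuity-check rules above, together with the MEP Missing and MEP Unknown cross-check traps described under the global CFM settings, can be exercised offline against recorded CCM arrivals. The following Python sketch is an added example, not code from the switch or its vendor: `Ccm`, `evaluate_ccms` and `SAMPLE_CCMS` are hypothetical names, the sample records are constructed, and it assumes that "three consecutive CCMs missed" means no CCM for more than three intervals and that CCMs at a higher level than the local MEP are simply not processed.

```python
from dataclasses import dataclass

MEP_ID_RANGE = range(1, 8192)   # MEP ID range stated in this guide: 1-8191
MD_LEVEL_RANGE = range(0, 8)    # MD Level range stated in this guide: 0-7
MISSED_CCM_LIMIT = 3            # three consecutive CCMs missed => connectivity failure


@dataclass(frozen=True)
class Ccm:
    """One received continuity check message (a simplified model, not a frame parser)."""
    time_s: float   # arrival time in seconds
    mep_id: int     # MEPID carried in the CCM
    md_level: int   # maintenance level carried in the CCM


def evaluate_ccms(local_level, static_remote_meps, ccm_interval_s, ccms, now_s):
    """Classify received CCMs using the rules described in this chapter.

    Returns a dict with four lists:
      mep_missing          - configured remote MEPs from which no valid CCM arrived
      connectivity_failure - configured remote MEPs silent for more than 3 intervals
      mep_unknown          - MEPIDs seen at the local level but not in the static list
      config_errors        - (mep_id, reason) for invalid or lower-level CCMs
    """
    last_seen = {}
    unknown = set()
    config_errors = []

    for ccm in sorted(ccms, key=lambda c: c.time_s):
        if ccm.mep_id not in MEP_ID_RANGE or ccm.md_level not in MD_LEVEL_RANGE:
            config_errors.append((ccm.mep_id, "invalid MEPID or level"))
        elif ccm.md_level < local_level:
            # A lower level than our own points to a cross-connect (overlapping MAs).
            config_errors.append((ccm.mep_id, "lower MA level"))
        elif ccm.md_level > local_level:
            # Assumption: higher-level CCMs belong to an enclosing domain; skip them.
            continue
        elif ccm.mep_id not in static_remote_meps:
            unknown.add(ccm.mep_id)
        else:
            last_seen[ccm.mep_id] = ccm.time_s

    stale_after = MISSED_CCM_LIMIT * ccm_interval_s
    return {
        "mep_missing": sorted(m for m in static_remote_meps if m not in last_seen),
        "connectivity_failure": sorted(
            m for m, t in last_seen.items() if now_s - t > stale_after
        ),
        "mep_unknown": sorted(unknown),
        "config_errors": config_errors,
    }


# Constructed sample: local MEP at level 4, CCM interval 1 second, evaluated at t=10.
SAMPLE_CCMS = [
    Ccm(2.0, 102, 4),    # configured MEP, then silent for 8 s
    Ccm(7.0, 9000, 4),   # MEPID outside 1-8191
    Ccm(8.0, 300, 6),    # higher level, not processed
    Ccm(8.5, 250, 4),    # not in the static list
    Ccm(9.0, 101, 4),    # configured MEP, recent
    Ccm(9.5, 101, 2),    # lower level than the local MEP
]

if __name__ == "__main__":
    report = evaluate_ccms(4, {101, 102, 103}, 1.0, SAMPLE_CCMS, now_s=10.0)
    for finding, values in report.items():
        print(f"{finding}: {values}")
```

An unexpected entry under `mep_unknown` or `config_errors` is worth correlating with recent changes on the affected VLAN, since it means CFM frames are arriving from a device that is not part of the configured service instance.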
◆ MA Name Format – Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format.
■ Character String – IEEE 802.1ag defined character string format. This is an IETF RFC 2579 DisplayString.
■ ICC Based – ITU-T SG13/SG15 Y.1731 defined ICC based format.
◆ Interval Level – The delay between sending CCMs.
4. Select an entry from the MD Index list.
5. Specify the MAs assigned to each domain, the VLAN through which CFM messages are passed, and the manner in which MIPs can be created within each MA.
6. Click Apply.

Figure 321: Creating Maintenance Associations

To show the configured maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Show from the Action list.
4.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6. Click Apply.

Figure 323: Configuring Detailed Settings for Maintenance Associations

Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs).
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier. (Range: 1-8191)
◆ MEP Direction – Up indicates that the MEP faces inward toward the switch cross-connect matrix, and transmits CFM messages towards, and receives them from, the direction of the internal bridge relay mechanism.
4. Select an entry from MD Index and MA Index.

Figure 325: Showing Maintenance End Points

Configuring Remote Maintenance End Points
Use the Administration > CFM (Configure Remote MEP – Add) page to specify remote maintenance end points (MEPs) set on other CFM-enabled devices within a common MA. Remote MEPs can be added to a static list in this manner to verify that each entry has been properly configured and is operational.
◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191)

Web Interface
To configure a remote maintenance end point:
1. Click Administration, CFM.
2. Select Configure Remote MEP from the Step list.
3. Select Add from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the remote MEPs which exist on other devices within the same MA.
6.
Figure 327: Showing Remote Maintenance End Points

Transmitting Link Trace Messages
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).

Command Usage
◆ LTMs can be targeted to MEPs, not MIPs.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a link trace message.
Figure 328: Transmitting Link Trace Messages

Transmitting Loop Back Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a loopback message. (Range: 1-8191)
■ MAC Address – MAC address of a remote MEP that is the target of a loopback message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
◆ Count – The number of times the loopback message is sent. (Range: 1-1024)
◆ Packet Size – The size of the loopback message.
Transmitting Delay-Measure Requests
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.

Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this function.
◆ Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds; Default: 1 second)
◆ Timeout – The timeout to wait for a response. (Range: 1-5 seconds; Default: 5 seconds)

Web Interface
To transmit delay-measure messages:
1. Click Administration, CFM.
2. Select Transmit Delay Measure from the Step list.
3.
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Details for Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.

Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier.
◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.

Web Interface
To show detailed information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5.
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)

Parameters
These parameters are displayed:
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MA Name – Maintenance association name.
Displaying Details for Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

Parameters
These parameters are displayed:
◆ MD Index – Domain index.
■ Down – The interface cannot pass packets.
■ Testing – The interface is in some test mode.
■ Unknown – The interface status cannot be determined for some reason.
■ Dormant – The interface is not in a state to pass packets but is in a pending state, waiting for some external event.
■ Not Present – Some component of the interface is missing.
Displaying the Link Trace Cache
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.

Parameters
These parameters are displayed:
◆ Hops – The number of hops taken to reach the target MEP.
◆ MA – Maintenance association name.
◆ IP Address / Alias – IP address or DNS alias of the target device’s CPU.
■ HIT – Target located on this device.

Web Interface
To show information about link trace operations launched from this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Link Trace Cache from the Action list.
Web Interface
To show configuration settings for the fault notification generator:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Fault Notification Generator from the Action list.
Chapter 13 | Basic Administration Protocols OAM Configuration

■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
■ OVERLAP_LEV – A MEP is created for one VID at one maintenance level, but a MEP is configured on another VID at an equivalent or higher level, exceeding the bridge's capabilities.
◆ MA Name – The maintenance association for this entry.

Web Interface
To show CFM continuity check errors:
1.
◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.

Table 32: OAM Operation State
State        Description
Disabled     OAM is disabled on this interface via the OAM Admin Status.
Link Fault   The link has detected a fault or the interface is not operational.
■ Critical Event – If a critical event occurs, the local OAM entity indicates this to its peer by setting the appropriate flag in the next OAMPDU to be sent and stores this information in its OAM event log. (Default: Enabled)
Critical events include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
Figure 339: Enabling OAM for Local Ports

Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-12/26/28/52)
◆ Clear – Clears statistical counters for the selected ports.
Web Interface
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.

Figure 340: Displaying Statistics for OAM Messages

Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.

Command Usage
◆ When a link event occurs, whether the location is local or remote, this information is entered in the OAM event log.
Figure 341: Displaying the OAM Event Log

Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-12/26/28/52)
◆ MAC Address – MAC address of the OAM peer.
◆ OUI – Organizational Unit Identifier of the OAM peer.
Web Interface
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.

Figure 342: Displaying Status of Remote Interfaces

Configuring a Remote Loopback Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
◆ Loopback Status – Shows if loopback testing is currently running.

Loopback Test Parameters
◆ Packet Number – Number of packets to send. (Range: 1-99999999; Default: 10000)
◆ Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Test – Starts the loop back test.
◆ End – Stops the loop back test.

Loop Back Status of Remote Device
◆ Result – Shows the loop back status on the peer.
3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4. Set the number of packets to send and the packet size, and then click Test.
Chapter 13 | Basic Administration Protocols UDLD Configuration
Figure 344: Displaying the Results of Remote Loop Back Testing

UDLD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Configuring UDLD Protocol Intervals
Use the Administration > UDLD > Configure Global page to configure the UniDirectional Link Detection message probe interval, detection interval, and recovery interval.

Parameters
These parameters are displayed:
◆ Message Interval – Configures the message interval between UDLD probe messages for ports in the advertisement phase and determined to be bidirectional.
Web Interface
To configure the UDLD message probe interval, detection interval, and recovery interval:
1. Click Administration, UDLD, Configure Global.
2. Select Configure Global from the Step list.
3. Configure the message and detection intervals.
4. Enable automatic recovery if required, and set the recovery interval.
5. Click Apply.
ends without the proper echo information being received, the link is considered to be unidirectional.
◆ Aggressive Mode – Reduces the shut-down delay after loss of bidirectional connectivity is detected. (Default: Disabled)
UDLD can function in two modes: normal mode and aggressive mode.
Web Interface
To enable UDLD and aggressive mode:
1. Click Administration, UDLD, Configure Interface.
2. Enable UDLD and aggressive mode on the required ports.
3. Click Apply.

Figure 346: Configuring UDLD Interface Settings

Displaying UDLD Neighbor Information
Use the Administration > UDLD (Show Information) page to show UDLD neighbor information, including neighbor state, expiration time, and protocol intervals.
Chapter 13 | Basic Administration Protocols LBD Configuration
Web Interface
To display UDLD neighbor information:
1. Click Administration, UDLD, Show Information.
2. Select an interface from the Port list.

Figure 347: Displaying UDLD Neighbor Information

LBD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings.
Configuring Global Settings for LBD
Use the Administration > LBD (Configure Global) page to enable loopback detection globally, specify the interval at which to transmit control frames, the interval to wait before releasing an interface from shutdown state, the response to a detected loopback, and the traps to send.

Parameters
These parameters are displayed:
◆ Global Status – Enables loopback detection globally on the switch.
◆ Trap – Sends a trap when a loopback condition is detected, or when the switch recovers from a loopback condition. (Options: Both, Detect, None, Recover; Default: None)
■ Both – Sends an SNMP trap message when a loopback condition is detected, or when the switch recovers from a loopback condition.
■ Detect – Sends an SNMP trap message when a loopback condition is detected.
Chapter 13 | Basic Administration Protocols Smart Pair Configuration
Configuring Interface Settings for LBD
Use the Administration > LBD (Configure Interface) page to enable loopback detection on an interface, to display the loopback operational state, and the VLANs which are looped back.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
■ Port – Port identifier.
Under the Administration > Smart Pair menus you can configure the Smart Pair ports and set the wait to restore delay for a globally configured Smart Pair. Additionally, you can show the Smart Pairs configured on the switch and, from the Show menu, manually restore traffic to a configured Smart Pair.

Usage Guidelines
◆ Spanning-Tree must be disabled on the port in order to configure it as part of a Smart Pair.
Figure 350: Configuring the Smart Pair Global Settings (Adding a Smart Pair)

Configuring Smart Pair Interface Settings
Use the Administration > Smart Pair (Configure Smart Pair Global) to add the port members of a Smart Pair. The ports must have spanning tree turned off to be available for selection.
5. Select the Smart Pair Backup Port from the Primary Port pull-down menu and check the box in front of the port ID.
6. Input the WTR delay time in seconds and check the box in front of the field.
7. Click Apply.

Figure 351: Configuring Interfaces for a Smart Pair

Show the Configured Smart Pair IDs
Use the Administration > Smart Pair (Configure Global) to show the configured Smart Pair IDs.
1. Click Administration, Smart Pair, Configure Smart Pair.
2. Select Configure from the Show menu.
3. Select the Smart Pair ID from the ID pull-down menu.
4. Click the Restore button to manually restore traffic to the primary port of a specified Smart Pair.
14 Multicast Filtering
This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ IGMP Filtering and Throttling – Filters specified multicast service, or throttles the maximum of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4)
Figure 354: Multicast Filtering Concept (figure labels: Unicast Flow, Multicast Flow)

This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports. The primary enhancement provided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused.
IGMP Snooping with Proxy Reporting – The switch supports last leave, and query suppression (as defined in DSL Forum TR-101, April 2006):
◆ When proxy reporting is disabled, all IGMP reports received by the switch are forwarded natively to the upstream multicast routers.
◆ Last Leave: Intercepts, absorbs and summarizes IGMP leaves coming from IGMP hosts.
Parameters
These parameters are displayed:
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping. (Default: Disabled)
When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence (see “Setting IGMP Snooping Status per Interface” on page 562).
members have been learned. Otherwise, the time spent in flooding mode can be manually configured to reduce excessive loading.
When the spanning tree topology changes, the root bridge sends a proxy query to quickly re-learn the host membership/port relations for multicast channels. The root bridge also sends an unsolicited Multicast Router Discover (MRD) request to quickly locate the multicast routers in this VLAN.
◆ Version Exclusive – Discards any received IGMP messages which use a version different to that currently configured by the IGMP Version attribute. (Default: Disabled)
◆ IGMP Unsolicited Report Interval – Specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled.
Figure 355: Configuring General Settings for IGMP Snooping

Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.
Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Show Static Multicast Router
◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.
◆ Interface – Shows the interface to which the specified static multicast routers are attached.

Show Current Multicast Router
◆ VLAN – Selects the VLAN for which to display any currently active multicast routers.
◆ Interface – Shows the interface to which an active multicast router is attached.
Figure 357: Showing Static Interfaces Attached a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM) to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.

Command Usage
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Note: The default values recommended in the MRD draft are implemented in the switch.

Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
Parameters
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4094)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
joining the multicast group. Only when all hosts on that port leave the group will the member port be deleted.
◆ Multicast Router Discovery – MRD is used to discover which interfaces are attached to multicast routers. (Default: Disabled)
◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts.
◆ Query Interval – The interval between sending IGMP general queries. (Range: 2-31744 seconds; Default: 125 seconds)
An IGMP general query message is sent by the switch at the interval specified by this attribute. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
To resolve this problem, the source address in proxied IGMP query messages can be replaced with any valid unicast address (other than the router’s own address).

Web Interface
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
Figure 362: Showing Interface Settings for IGMP Snooping

Filtering IGMP Packets on an Interface
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets, or enable IGMP authentication.

Parameters
These parameters are displayed:
◆ Interface – Port or Trunk identifier.
Figure 363: Dropping IGMP Query or Multicast Data Packets

Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 554).
Web Interface
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.

Figure 364: Showing Multicast Groups Learned by IGMP Snooping

Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
◆ Other Querier Expire – Time after which remote querier is assumed to have expired.
◆ Other Querier Uptime – Time remote querier has been up.
◆ Self Querier – IP address of local querier on this interface.
◆ Self Querier Expire – Time after which local querier is assumed to have expired.
◆ Self Querier Uptime – Time local querier has been up.
◆ Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or IGMP group report received.
◆ Join Success – The number of times a multicast group was successfully joined.
◆ Group – The number of IGMP groups active on this interface.

Output Statistics
◆ Report – The number of IGMP membership reports sent from this interface.
Figure 365: Displaying IGMP Snooping Statistics – Query

To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3. Select a VLAN.
Figure 366: Displaying IGMP Snooping Statistics – VLAN

To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Chapter 14 | Multicast Filtering Filtering and Throttling IGMP Groups
To display IGMP snooping protocol-related statistics for a trunk:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Trunk Statistics from the Action list.
3. Select a Trunk.

Figure 368: Displaying IGMP Snooping Statistics – Trunk

Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users.
switch randomly removes an existing group and replaces it with the new multicast group.

Enabling IGMP Filtering and Throttling
Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.

Parameters
These parameters are displayed:
◆ IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch.
Parameters
These parameters are displayed:

Add
◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295)
◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny)
When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.

Figure 371: Showing the IGMP Filtering Profiles Created

To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4.
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
Chapter 14 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6)
◆ Current Multicast Groups – Displays the current multicast groups the interface has joined.
◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny)
■ Deny - The new multicast group join report is dropped.
■ Replace - The new multicast group replaces an existing group.
include MLDv2 query and report messages, as well as MLDv1 report and done messages.
Remember that IGMP Snooping and MLD Snooping are independent functions, and can therefore both function at the same time.

Configuring MLD Snooping and Query Parameters
Use the Multicast > MLD Snooping > General page to configure the switch to forward multicast traffic intelligently.
receiving query packets) to have expired. (Range: 300-500 seconds; Default: 300 seconds)
◆ MLD Snooping Version – The protocol version used for compatibility with other devices on the network. This is the MLD version the switch uses to send snooping reports. (Range: 1-2; Default: 2)
◆ Unknown Multicast Mode – The action for dealing with unknown multicast packets.
Figure 375: Configuring General Settings for MLD Snooping

Setting Immediate Leave Status for MLD Snooping per Interface
Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.

Parameters
These parameters are displayed:
◆ VLAN – A VLAN identification number.
Web Interface
To configure immediate leave for MLD Snooping:
1. Click Multicast, MLD Snooping, Interface.
2. Select a VLAN, and set the status for immediate leave.
3. Click Apply.

Figure 376: Configuring Immediate Leave for MLD Snooping

Specifying Static Interfaces for an IPv6 Multicast Router
Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch.
3. Select the VLAN which will forward all the corresponding IPv6 multicast traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.

Figure 377: Configuring a Static Interface for an IPv6 Multicast Router

To show the static interfaces attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3.
Figure 379: Showing Current Interfaces Attached an IPv6 Multicast Router

Assigning Interfaces to IPv6 Multicast Services
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface.
Multicast filtering can be dynamically configured using MLD snooping and query messages (see “Configuring MLD Snooping and Query Parameters” on page 581).
Web Interface
To statically assign an interface to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Add Static Member from the Action list.
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an MLD-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.
To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch.

To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Current Member from the Action list.
3. Select the VLAN for which to display this information.
4. Click Apply.

Figure 383: Dropping MLD Query Packets

Showing MLD Snooping Groups and Source List
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.

Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Interface – Port or trunk identifier.
Web Interface
To display known MLD multicast groups:
1. Click Multicast, MLD Snooping, Group Information.
2. Select the port or trunk, and then select a multicast service assigned to that interface.

Figure 384: Showing IPv6 Multicast Services and Corresponding Sources

Displaying MLD Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display MLD snooping protocol-related statistics.
◆ Join Success – The number of times a multicast group was successfully joined.
◆ Group – The number of MLD groups active on this interface.

Output
Same as input parameters listed above, except that the direction of transmission is outbound.

Query
◆ Other Querier Address – IP address of remote querier on this interface.
◆ Other Querier Expire – Time after which remote querier is assumed to have expired.
    ■ Group Specific – The number of group specific queries sent from this interface.
  ■ Received
    ■ General – The number of general queries received on this interface.
    ■ Group Specific – The number of group specific queries received on this interface.
◆ Report & Leave
  ■ Transmit
    ■ Report – The number of MLD membership reports sent from this interface.
    ■ Leave – The number of leave messages sent from this interface.
  ■ Self Addr – IPv6 address of local querier on this interface.
  ■ Self Expire – Time after which local querier is assumed to have expired.
  ■ Self Uptime – Time local querier has been up.
  ■ Transmit
    ■ General – The number of general queries sent from this interface.
    ■ Group Specific – The number of group specific queries sent from this interface.
Clear
Parameters
These parameters are displayed:
◆ All – Clears statistics for all MLD messages.
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Unit – Stack unit. (Range: 1)
◆ Port – Port identifier. (Range: 1-12/26/28/52)
◆ Trunk – Trunk identifier. (Range: 1-16)

Web Interface
To display MLD snooping input-related message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Input.
To display MLD snooping output-related message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Output.

Figure 386: Displaying MLD Snooping Statistics – Output

To display MLD query message statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Query.
To display MLD summary statistics for a port or trunk:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a port or trunk.
To display MLD summary statistics for a VLAN:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Summary.
3. Select a VLAN.
Chapter 14 | Multicast Filtering Filtering and Throttling MLD Groups
To clear MLD statistics:
1. Click Multicast, MLD Snooping, Statistics.
2. Select Clear.
3. Select All or enter the required interface.
4. Click Clear.

Figure 390: Clearing MLD Snooping Statistics

Filtering and Throttling MLD Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Enabling MLD Filtering and Throttling
Use the Multicast > MLD Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.

Parameters
These parameters are displayed:
◆ MLD Filter Status – Enables MLD filtering and throttling globally for the switch. (Default: Disabled)

Web Interface
To enable MLD filtering and throttling on the switch:
1. Click Multicast, MLD Snooping, Filter.
2.
When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are only processed when the multicast group is not in the controlled range.

Add Multicast Group Range
◆ Profile ID – Selects an IGMP profile to configure.
◆ Start Multicast IPv6 Address – Specifies the starting address of a range of multicast groups.
Figure 393: Showing the MLD Filtering Profiles Created

To add a range of multicast groups to an MLD filter profile:
1. Click Multicast, MLD Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.
To show the multicast groups configured for an MLD filter profile:
1. Click Multicast, MLD Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
Chapter 14 | Multicast Filtering Multicast VLAN Registration for IPv4
◆ Current Multicast Groups – Displays the current multicast groups the interface has joined.
◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny)
■ Deny - The new multicast group join report is dropped.
■ Replace - The new multicast group replaces an existing group.
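The permit/deny profile check and the Deny/Replace throttling action described for IGMP and MLD filtering can be modelled as follows. This is an added example, not the switch's firmware or any vendor code; the class names, the `max_groups` value, the result strings and the sample addresses are assumptions made for illustration, and the model handles IPv4 and IPv6 groups alike.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FilterProfile:
    """Hypothetical model of a filter profile: access mode plus group ranges."""
    profile_id: int
    access_mode: str = "deny"            # the guide gives Deny as the default
    ranges: List[tuple] = field(default_factory=list)

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end if end is not None else start)
        if lo.version != hi.version or lo > hi:
            raise ValueError("range must be ordered and within one address family")
        if not (lo.is_multicast and hi.is_multicast):
            raise ValueError("range must contain multicast group addresses")
        self.ranges.append((lo, hi))

    def in_controlled_range(self, group: str) -> bool:
        g = ipaddress.ip_address(group)
        return any(lo.version == g.version and lo <= g <= hi
                   for lo, hi in self.ranges)

    def permits(self, group: str) -> bool:
        hit = self.in_controlled_range(group)
        if self.access_mode == "permit":
            return hit                   # processed only inside the range
        if self.access_mode == "deny":
            return not hit               # processed only outside the range
        raise ValueError("access_mode must be 'permit' or 'deny'")


@dataclass
class Interface:
    """Hypothetical port or trunk with a group limit and a throttling action."""
    name: str
    max_groups: int                      # assumed value; set per interface
    profile: Optional[FilterProfile] = None
    throttle_action: str = "deny"        # the guide gives Deny as the default
    groups: list = field(default_factory=list)

    def handle_join(self, group: str, filter_enabled: bool = True,
                    rng=random) -> str:
        g = ipaddress.ip_address(group)
        if g in self.groups:
            return "already-member"
        if not filter_enabled:           # global filter status disabled
            self.groups.append(g)
            return "joined"
        if self.profile is not None and not self.profile.permits(group):
            return "dropped-by-filter"
        if len(self.groups) < self.max_groups:
            self.groups.append(g)
            return "joined"
        if self.throttle_action == "replace" and self.groups:
            # The guide says an existing group is removed at random.
            victim = rng.choice(self.groups)
            self.groups.remove(victim)
            self.groups.append(g)
            return f"replaced {victim}"
        return "dropped-by-throttle"


def demo() -> List[str]:
    """Constructed scenario: a subscriber port limited to two groups."""
    profile = FilterProfile(profile_id=1, access_mode="permit")
    profile.add_range("239.1.1.1", "239.1.1.10")
    port = Interface("port 1", max_groups=2, profile=profile)
    results = [port.handle_join(g) for g in
               ("239.1.1.1", "239.9.9.9", "239.1.1.2", "239.1.1.3")]
    port.throttle_action = "replace"
    results.append(port.handle_join("239.1.1.3", rng=random.Random(7)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In this model a deny-mode profile with no ranges permits every join, which follows from the deny rule as the guide states it; check the device's actual behaviour before relying on an empty profile. With Replace, a port at its limit can have an established stream evicted by any new permitted join.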
MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).
Configuring MVR Global Settings
Use the Multicast > MVR (Configure Global) page to configure proxy switching and the robustness variable.

Parameters
These parameters are displayed:
◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter sets the general query interval at which active receiver ports send out general queries.
■ This interval is only effective when proxy switching is enabled.
Configuring MVR Domain Settings
Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.

Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Figure 399: Configuring Domain Settings for MVR

Configuring MVR Group Address Profiles
Use the Multicast > MVR (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR domains.

Command Usage
◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR VLAN.
◆ Profile Name – The name of a profile to be assigned to this domain. (Range: 1-21 characters)

Web Interface
To configure an MVR group address profile:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts.
5. Click Apply.
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.

Figure 402: Assigning an MVR Group Address Profile to a Domain

To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2.
Configuring MVR Interface Status
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
◆ Type – The following interface types are supported:
   ■ Source – An uplink port that can send and receive multicast data for the groups assigned to the MVR VLAN. Note that the source port must be manually configured as a member of the MVR VLAN (see “Adding Static Members to VLANs” on page 171).
   ■ Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN.
4. Click Port or Trunk.
5. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
6. Click Apply.
◆ Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page.

Web Interface
To assign a static MVR group to an interface:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Add from the Action list.
4. Select an MVR domain.
5.
Figure 406: Showing the Static MVR Groups Assigned to a Port

Displaying MVR Receiver Groups
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.

Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Group IP Address – Multicast groups assigned to the MVR VLAN.
Web Interface
To display the interfaces assigned to the MVR receiver groups:
1. Click Multicast, MVR.
2. Select Show Member from the Step list.
3. Select an MVR domain.

Figure 407: Displaying MVR Receiver Groups

Displaying MVR Statistics
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
◆ Querier Expire Time – The time after which this querier is assumed to have expired.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
Web Interface
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN, Port or Trunk:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN/Port/Trunk Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN/Port/Trunk.
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR domain.
5. Select a Port.

Figure 410: Displaying MVR Statistics – Port

Multicast VLAN Registration for IPv6
MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv4” on page 603).
3. Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR6 Interface Status” on page 627).
4. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see “Assigning Static MVR6 Multicast Groups to Interfaces” on page 629).
◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. (Range: 1-10; Default: 2)
   ■ This parameter is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
Figure 411: Configuring Global Settings for MVR6

Configuring MVR6 Domain Settings
Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.

Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Web Interface
To configure settings for an MVR6 domain:
1. Click Multicast, MVR6.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
Parameters
These parameters are displayed:

Configure Profile
◆ Profile Name – The name of a profile containing one or more MVR6 group addresses. (Range: 1-21 characters)
◆ Start IPv6 Address – Starting IP address for an MVR6 multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits.
◆ End IPv6 Address – Ending IP address for an MVR6 multicast group.
To show the configured MVR6 group address profiles:
1. Click Multicast, MVR6.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.

Figure 414: Displaying MVR6 Group Address Profiles

To assign an MVR6 group address profile to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 416: Showing MVR6 Group Address Profiles Assigned to a Domain

Configuring MVR6 Interface Status
Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
   ■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
   ■ Immediate leave does not apply to multicast groups which have been statically assigned to a port.

Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Web Interface
To configure interface settings for MVR6:
1. Click Multicast, MVR6.
2. Select Configure Interface from the Step list.
3. Select an MVR6 domain.
4. Click Port or Trunk.
5. Set each port that will participate in the MVR6 protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
6. Click Apply.
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Interface – Port or trunk identifier.
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Group IPv6 Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR6 group range configured on the Configure General page.

Web Interface
To assign a static MVR6 group to an interface:
1. Click Multicast, MVR6.
2.
Figure 419: Showing the Static MVR6 Groups Assigned to a Port

Displaying MVR6 Receiver Groups
Use the Multicast > MVR6 (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR6 receiver groups on each interface.

Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Group IPv6 Address – Multicast groups assigned to the MVR6 VLAN.
3. Select an MVR6 domain.

Figure 420: Displaying MVR6 Receiver Groups

Displaying MVR6 Statistics
Use the Multicast > MVR6 > Show Statistics pages to display MVR6 protocol-related statistics for the specified interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.

VLAN, Port or Trunk Statistics
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Port – Port identifier. (Range: 1-12/26/28/52)
◆ Trunk – Trunk identifier. (Range: 1-16)

Input Statistics
   ■ Report – The number of MLD membership reports received on this interface.
Web Interface
To display statistics for MVR6 query-related messages:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR6 domain.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
To display MVR6 protocol-related statistics for a trunk:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Trunk Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Trunk.
15 IP Tools

This chapter provides information on network functions including:
◆ Ping – Sends ping message to another node on the network.
◆ Trace Route – Sends ICMP echo request packets to another node on the network.
◆ Address Resolution Protocol – Describes how to configure proxy ARP or static addresses, and how to display entries in the ARP cache.

Using the Ping Function
Use the Tools > Ping page to send ICMP echo request packets to another node on the network.
   ■ Network or host unreachable - The gateway found no corresponding entry in the route table.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.

Web Interface
To ping another device on the network:
1.
Using the Trace Route Function
Use the Tools > Trace Route page to show the route packets take to the specified destination.

Parameters
These parameters are displayed:
◆ Destination IP Address – Alias or IPv4/IPv6 address of the host.
◆ IPv4 Max Failures – The maximum number of failures before which the trace route is terminated. (Fixed: 5)
◆ IPv6 Max Failures – The maximum number of failures before which the trace route is terminated.
Figure 426: Tracing the Route to a Network Device

Address Resolution Protocol
If IP routing is enabled (page 679), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the router will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request. Also, if the switch receives a request for its own IP address, it will send back a response, and also cache the MAC of the source device's IP address.
Web Interface
To configure the timeout for the ARP cache or to enable Proxy ARP for a VLAN (i.e., IP subnetwork):
1. Click Tools, ARP.
2. Select Configure General from the Step List.
3. Enable Proxy ARP for subnetworks that do not have routing or a default gateway.
4. Click Apply.
Parameters
These parameters are displayed:
◆ IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.)
◆ MAC Address – MAC address statically mapped to the corresponding IP address.
Figure 430: Displaying Static ARP Entries

Displaying Dynamic or Local ARP Entries
Use the Tools > ARP page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages.

Web Interface
To display all dynamic and local entries in the ARP cache:
1.
Displaying ARP Statistics
Use the Tools > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this switch.

Parameters
These parameters are displayed:

Table 35: ARP Statistics
Parameter | Description
Received Request | Number of ARP Request packets received by the router.
Received Reply | Number of ARP Reply packets received by the router.
Sent Request | Number of ARP Request packets sent by the router.
16 IP Configuration

This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can either be manually configured or dynamically generated.
Setting the Switch’s IP Address (IP Version 4)

Command Usage
◆ This section describes how to configure a single local interface for initial access to the switch. To configure multiple IP interfaces, set up an IP interface for each VLAN.
◆ Once an IP address has been assigned to an interface, routing between different interfaces on the switch is enabled.
◆ Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: None)
◆ Restart DHCP – Requests a new IP address from the DHCP server.

Web Interface
To set a static IPv4 address for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3.
Figure 434: Configuring a Dynamic IPv4 Address

Note: The switch will also broadcast a request for IP configuration settings on each power reset.

Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Figure 435: Showing the Configured IPv4 Address for an Interface

Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
   ■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
   ■ An IPv6 address must be configured according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.
   ■ The maximum value set in this field cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
   ■ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device. This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known.
This attribute specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations. When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself.
This combination is known as DHCPv6 stateless autoconfiguration, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings.

RA Guard Mode
◆ Interface – Shows port or trunk configuration page.
◆ RA Guard – Blocks incoming Router Advertisement and Router Redirect packets.
Figure 437: Configuring General Settings for an IPv6 Interface

To configure RA Guard for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Select RA Guard mode.
4. Enable RA Guard for untrusted interfaces.
5. Click Apply.
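The RA Guard behaviour described above (incoming Router Advertisement and Router Redirect packets blocked on interfaces where it is enabled) can be modelled as follows. This is an added example, not the switch's firmware or vendor code; the port labels, addresses and packets are constructed, and the ICMPv6 type numbers 134 and 137 are the standard values for those two messages.

```python
import ipaddress
import struct

ICMPV6 = 58
# Extension headers laid out as: next header (1 octet), length in 8-octet
# units not counting the first 8 octets (1 octet), then options or data.
EXTENSION_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options
# ICMPv6 message types that RA Guard blocks according to the guide.
BLOCKED = {134: "Router Advertisement", 137: "Redirect"}


def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type carried by an IPv6 packet, or None when the
    upper-layer protocol is not ICMPv6."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    # ICMPv6 may follow extension headers, so the chain is walked first.
    while next_header in EXTENSION_HEADERS:
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        next_header, length = packet[offset], (packet[offset + 1] + 1) * 8
        offset += length
    if next_header != ICMPV6:
        return None
    if offset >= len(packet):
        raise ValueError("truncated ICMPv6 header")
    return packet[offset]


def ra_guard(packet: bytes, ingress_port: str, guarded_ports: set):
    """Decide what happens to a packet arriving on ingress_port.
    guarded_ports is the set of interfaces with RA Guard enabled."""
    msg_type = icmpv6_type(packet)
    if ingress_port in guarded_ports and msg_type in BLOCKED:
        return ("drop", BLOCKED[msg_type])
    return ("forward", None)


def build_packet(src: str, dst: str, msg_type: int, ext=()):
    """Build a constructed IPv6/ICMPv6 packet for the demonstration.
    ext lists extension header numbers placed before the ICMPv6 header."""
    chain = list(ext) + [ICMPV6]
    payload = b""
    for i in range(len(ext)):
        # 8-octet header: next header, length 0, PadN option filling 6 octets
        payload += bytes([chain[i + 1], 0, 1, 4, 0, 0, 0, 0])
    # ICMPv6 type, code, checksum (left at zero; the model does not verify it)
    payload += bytes([msg_type, 0, 0, 0, 0, 0, 0, 0])
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), chain[0], 255)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed scenario: RA Guard enabled on an untrusted access port only.
GUARDED_PORTS = {"port 3"}
SAMPLES = [
    ("port 3", build_packet("fe80::66", "ff02::1", 134)),             # Router Advertisement
    ("port 3", build_packet("fe80::66", "ff02::1", 134, ext=(60,))),  # RA after destination options
    ("port 3", build_packet("fe80::66", "fe80::7272", 137)),          # Redirect
    ("port 3", build_packet("fe80::7272", "ff02::2", 133)),           # Router Solicitation
    ("port 3", build_packet("fe80::7272", "ff02::1:ff00:66", 135)),   # Neighbor Solicitation
    ("port 12", build_packet("fe80::1", "ff02::1", 134)),             # RA on a port without RA Guard
]


def evaluate(samples=SAMPLES, guarded=GUARDED_PORTS):
    """Return (port, action, reason) for every sample packet."""
    return [(port, *ra_guard(pkt, port, guarded)) for port, pkt in samples]


if __name__ == "__main__":
    for port, action, reason in evaluate():
        print(f"{port:8} {action:8} {reason or ''}")
```

Router and Neighbor Solicitations still pass on the guarded port, which is why hosts behind it keep working while advertisements from them are discarded.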
Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.

Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
◆ Link Local – Configures an IPv6 link-local address.
   ■ The address prefix must be in the range of FE80~FEBF.
   ■ You can configure only one link-local address per interface.
   ■ The specified address replaces a link-local address that was automatically generated for the interface.
◆ IPv6 Address – IPv6 address assigned to this interface.

Web Interface
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2.
In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
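The address rules stated in this chapter and in the Ping section (eight 16-bit groups with at most one double colon, a link-local prefix in the range FE80~FEBF, and a zone-id giving the VLAN identifier after the % delimiter) can be checked together as in the following added example. It is not code from the switch; the function names and sample inputs are constructed, and the VLAN range 1-4094 is the one this guide gives for VLAN identifiers.

```python
import ipaddress

# FE80~FEBF in the first 16 bits is the same as the prefix fe80::/10.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
VLAN_IDS = range(1, 4095)  # VLAN identifier range used in this guide


def parse_link_local(text: str):
    """Validate 'address%zone' and return (exploded_address, vlan_id).
    Raises ValueError with a short reason when the input is not acceptable."""
    addr_text, _, zone = text.partition("%")
    try:
        # ipaddress enforces 8 groups of 16 bits and at most one "::".
        addr = ipaddress.IPv6Address(addr_text)
    except ipaddress.AddressValueError:
        raise ValueError("malformed address") from None
    if addr not in LINK_LOCAL:
        raise ValueError("prefix outside FE80~FEBF")
    if not (zone.isascii() and zone.isdigit() and int(zone) in VLAN_IDS):
        raise ValueError("missing or invalid zone id")
    # The exploded form shows the zeros that "::" stands for.
    return addr.exploded, int(zone)


def check(inputs):
    """Map every input string to its parsed value or a rejection reason."""
    results = {}
    for text in inputs:
        try:
            results[text] = parse_link_local(text)
        except ValueError as exc:
            results[text] = f"rejected: {exc}"
    return results


# Constructed inputs; the first is the example address from the guide.
SAMPLE_INPUTS = [
    "FE80::7272%1",     # VLAN 1
    "fe80::7272%2",     # same address, different zone: a different interface
    "FEBF::1%4094",     # upper edge of the link-local range and VLAN range
    "FEC0::1%1",        # first prefix past FEBF
    "FE80::7272",       # zone id missing
    "FE80::1::2%1",     # two double colons
    "FE80::7272%4095",  # zone id outside the VLAN range
]

if __name__ == "__main__":
    for text, outcome in check(SAMPLE_INPUTS).items():
        print(f"{text:18} {outcome}")
```

Keeping the zone as part of the parsed value is what lets the same link-local address on two VLANs be treated as two distinct targets.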
Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.

Parameters
These parameters are displayed:

Table 36: Show IPv6 Neighbors - display description
Field | Description
IPv6 Address | IPv6 address of neighbor.
Age | The time since the address was verified as reachable (in seconds).
Web Interface
To show neighboring IPv6 devices:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.

Figure 441: Showing IPv6 Neighbors

Showing IPv6 Statistics
Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters
These parameters are displayed:

Table 37: Show IPv6 Statistics - display description
Field | Description
IPv6 Statistics
IPv6 Received
Total | The total number of input datagrams received by the interface, including those received in error.
Table 37: Show IPv6 Statistics - display description (Continued)
Field | Description
IPv6 Transmitted
Forwards Datagrams | The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 37: Show IPv6 Statistics - display description (Continued)
Field | Description
Neighbor Advertisement Messages | The number of ICMP Neighbor Advertisement messages received by the interface.
Redirect Messages | The number of Redirect messages received by the interface.
Group Membership Query Messages | The number of ICMPv6 Group Membership Query messages received by the interface.
Table 37: Show IPv6 Statistics - display description (Continued)
Field | Description
Other Errors | The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Output | The total number of UDP datagrams sent from this entity.

Web Interface
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3.
Figure 443: Showing IPv6 Statistics (ICMPv6)

Figure 444: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 General IP Routing

This chapter provides information on network functions including:
◆ Static Routes – Configures static routes to other network segments.
◆ Routing Table – Displays routing entries learned through statically configured entries.

Overview
This switch supports IP routing and routing path management via static routing definitions.
Figure 446: Virtual Interfaces and Layer 3 Routing
[Diagram: inter-subnet traffic (Layer 3 switching) is routed between VLAN 1 and VLAN 2; intra-subnet traffic (Layer 2 switching) stays within each VLAN; ports are tagged or untagged.]

IP Routing and Switching
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
Configuring Static Routes
You can enter static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes may be required to force the use of a specific route to a subnet. Static routes do not automatically change in response to changes in network topology, so you should only configure a small number of stable routes to ensure network accessibility.

Command Usage
◆ Up to 512 static routes can be configured.
Figure 447: Configuring Static Routes

To display static routes:
1. Click IP, Routing, Static Routes.
2. Select Show from the Action List.

Figure 448: Displaying Static Routes

Displaying the Routing Table
Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces through static routes.
forwarding decision on a particular packet. The typical components within a FIB entry are a network prefix, a router (i.e., VLAN) interface, and next hop information.
◆ The Routing Table (and the “show ip route” command described in the CLI Reference Guide) only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with any route entry must be up.
18 Unicast Routing

This chapter describes how to configure the following unicast routing protocols:
RIP – Configures Routing Information Protocol.

Overview
This switch can route unicast traffic to different subnetworks using Routing Information Protocol (RIP). It supports RIP and RIP-2 dynamic routing. These protocols exchange routing information, calculate routing tables, and can respond to changes in the status or loading of the network.
Configuring the Routing Information Protocol
The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings
Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers. RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1)
The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics. It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Basic Timer Settings

Note: The timers must be set to the same values for all routers in the network.

◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. (Range: 5-2147483647 seconds; Default: 30 seconds)
Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
Figure 451: Configuring General Settings for RIP

Clearing Entries from the Routing Table
Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.

Command Usage
◆ RIP must be enabled to activate this menu option.
◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length.
■ Network IP Address – Deletes all related entries for the specified network address.
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Web Interface
To clear entries from the RIP routing table:
1. Click Routing Protocol, RIP, General.
2.
Parameters
These parameters are displayed:
◆ By Address – Adds a network to the RIP routing process.
■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified)
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 454: Showing Network Interfaces Using RIP
Specifying Passive Interfaces
Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.
Command Usage
◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
Figure 455: Specifying a Passive RIP Interface
To show the passive RIP interfaces:
1. Click Routing Protocol, RIP, Passive Interface.
2. Select Show from the Action list.
Figure 457: Specifying a Static RIP Neighbor
To show static RIP neighbors:
1. Click Routing Protocol, RIP, Neighbor Address.
2. Select Show from the Action list.
It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP. For example, if a metric of 10 is defined for redistributed routes, these routes can only be advertised to routers up to 5 hops away, at which point the metric exceeds the maximum hop count of 15.
Specifying an Administrative Distance
Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
Command Usage
◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols.
To show the distance assigned to external routes learned from other routing protocols:
1. Click Routing Protocol, RIP, Distance.
2. Select Show from the Action list.
■ Use “RIPv1 and RIPv2” if some routers in the local network are using RIPv2, but there are still some older routers using RIPv1. (This is the default setting.)
■ Use “Do Not Receive” if dynamic entries are not required to be added to the routing table for an interface. (For example, when only static routes are to be allowed for a specific interface.)
Protocol Message Authentication
RIPv1 is not a secure protocol.
◆ Receive Version – The RIP version to receive on an interface.
■ RIPv1: Accepts only RIPv1 packets.
■ RIPv2: Accepts only RIPv2 packets.
■ RIPv1 and RIPv2: Accepts RIPv1 and RIPv2 packets.
■ Do Not Receive: Does not accept incoming RIP packets. This option does not add any dynamic entries to the routing table for an interface.
The default depends on the setting for the Global RIP Version.
Web Interface
To configure network interface settings for RIP:
1. Click Routing Protocol, RIP, Interface.
2. Select Add from the Action list.
3. Select a Layer 3 VLAN interface to participate in RIP. Select the RIP protocol message types that will be received and sent. Select the RIP authentication method and password. Then set the loopback prevention method.
4. Click Apply.
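To check what the version and authentication settings above look like on the wire, the following added example (not part of this guide or the switch software) classifies RIP messages by version and authentication entry. It assumes the RFC 2453 and RFC 2082 message layouts; the sample messages and the password are constructed for illustration.

```python
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")   # command, version, must-be-zero
ENTRY_LEN = 20                       # every RIP entry is 20 bytes
AUTH_AFI = 0xFFFF                    # address family that marks an authentication entry
AUTH_TYPES = {2: "simple-password", 3: "keyed-digest"}  # RFC 2453, RFC 2082

FINDINGS = {
    (1, "none"): "RIPv1: the message format has no authentication field",
    (2, "none"): "RIPv2 sent without authentication",
    (2, "simple-password"): "RIPv2 password travels in clear text",
    (2, "keyed-digest"): "RIPv2 message carries a keyed digest",
}

def audit_rip_payload(payload: bytes) -> dict:
    """Classify one RIP message (the UDP port 520 payload) by version and authentication."""
    if len(payload) < RIP_HEADER.size + ENTRY_LEN:
        raise ValueError("too short for a RIP header plus one entry")
    _command, version, _zero = RIP_HEADER.unpack_from(payload, 0)
    if version not in (1, 2):
        raise ValueError(f"unsupported RIP version {version}")
    offset, body_end, auth = RIP_HEADER.size, len(payload), "none"
    afi, auth_type = struct.unpack_from("!HH", payload, offset)
    if version == 2 and afi == AUTH_AFI:
        auth = AUTH_TYPES.get(auth_type, "unknown")
        if auth_type == 3:
            # Keyed digest: the next 16 bits give the offset where the digest trailer starts.
            (body_end,) = struct.unpack_from("!H", payload, offset + 4)
            if not offset + ENTRY_LEN <= body_end <= len(payload):
                raise ValueError("authentication entry points outside the message")
        offset += ENTRY_LEN
    if (body_end - offset) % ENTRY_LEN:
        raise ValueError("route entries are not a whole number of 20-byte records")
    return {
        "version": version,
        "auth": auth,
        "routes": (body_end - offset) // ENTRY_LEN,
        "finding": FINDINGS.get((version, auth), "RIPv2 with unrecognised authentication type"),
    }

def make_route(network: str, metric: int, v1: bool = False) -> bytes:
    """Build one route entry; RIPv1 leaves the mask field zero."""
    net = ipaddress.ip_network(network)
    mask = bytes(4) if v1 else net.netmask.packed
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed, mask, bytes(4), metric)

def constructed_samples() -> dict:
    """Constructed RIP responses (command 2) for the four cases; not captured traffic."""
    route = make_route("10.1.0.0/16", 1)
    digest_auth = struct.pack("!HHHBBI8x", AUTH_AFI, 3, 4 + 2 * ENTRY_LEN, 1, 16, 1)
    digest_trailer = struct.pack("!HH16s", AUTH_AFI, 1, bytes(16))  # digest zeroed, not verified
    password_auth = struct.pack("!HH16s", AUTH_AFI, 2, b"example-secret")
    return {
        "v1": RIP_HEADER.pack(2, 1, 0) + make_route("10.1.0.0/16", 1, v1=True),
        "v2-open": RIP_HEADER.pack(2, 2, 0) + route,
        "v2-password": RIP_HEADER.pack(2, 2, 0) + password_auth + route,
        "v2-digest": RIP_HEADER.pack(2, 2, 0) + digest_auth + route + digest_trailer,
    }

if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(name, audit_rip_payload(payload))
```

The check only identifies which authentication entry is present; it does not verify the digest, which requires the shared key.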
Displaying RIP Interface Settings
Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.
Parameters
These parameters are displayed:
◆ Interface – Source IP address of RIP router interface.
◆ Auth Type – The type of authentication used for exchanging RIPv2 protocol messages.
◆ Send Version – The RIP version to send on this interface.
◆ Version – Shows whether RIPv1 or RIPv2 packets were received from this peer.
◆ Rcv Bad Packets – Number of bad RIP packets received from this peer.
◆ Rcv Bad Routes – Number of bad routes received from this peer.
Web Interface
To display information on neighboring RIP routers:
1. Click Routing Protocol, RIP, Statistics.
2. Select Show Peer Information from the Action list.
19 IP Services
This chapter describes the following IP services:
◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ Multicast DNS – Configures multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
◆ DHCP – Configures client, relay, dynamic provisioning, and DHCP server.
Chapter 19 | IP Services
Domain Name Service
Parameters
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)
Web Interface
To configure general settings for DNS:
1. Click IP Service, DNS.
2.
◆ If all name servers are deleted, DNS will automatically be disabled.
Parameters
These parameters are displayed:
◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters)
Web Interface
To create a list of domain names:
1. Click IP Service, DNS.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.
Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
Command Usage
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 699).
To show the list of name servers:
1. Click IP Service, DNS.
2. Select Show Name Servers from the Action list.
Figure 472: Showing the List of Name Servers for DNS
Configuring Static DNS Host
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 473: Configuring Static Entries in the DNS Table
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 474: Showing Static Entries in the DNS Table
Displaying the DNS Cache
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
◆ TTL – The time to live reported by the name server.
◆ Host – The host name associated with this record.
Web Interface
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
Figure 475: Showing Entries in the DNS Cache
Multicast Domain Name Service
Use the IP Service > Multicast DNS page to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server.
■ Announcing – The responder sends an unsolicited mDNS Response containing all of its newly registered resource records (both shared records, and unique records that have completed the probing step).
■ Updating – The responder repeats the Announcing step to update neighbor caches when the data for any local mDNS record changes.
Dynamic Host Configuration Protocol
Specifying a DHCP Client Identifier
Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface.
Command Usage
◆ The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature:
■ Default – The default string is the model number.
■ Text – A text string. (Range: 1-32 characters)
■ Hex – A hexadecimal value. (Range: 1-64 characters)
Web Interface
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature.
DHCP response back to the DHCP relay agent (i.e., this switch). This switch then passes the DHCP response received from the server to the client.
Figure 478: Layer 3 DHCP Relay Service (figure labels: DHCP Server; “Provides IP address compatible with switch segment to which client is attached”)
Command Usage
◆ You must specify the IP address for at least one active DHCP server.
Figure 479: Configuring L3 DHCP Relay Service
Configuring DHCP L2 Relay Service
If the switch is configured to provide L2 DHCP Relay service, use the second IP Service > DHCP > Relay page to configure the L2 DHCP relay service for attached host devices. To configure L2 or L3 DHCP relay service, refer to the DHCP Relay settings in the CLI Reference Guide, specifically the command: ip dhcp l2/l3 relay.
◆ DHCP relay configuration will be disabled if an active DHCP server is detected on the same network segment.
◆ If DHCP Option Policy is set to drop, the original DHCP request packet flooded to the receiving VLAN is received but not relayed to the DHCP server.
◆ If DHCP Option Policy is set to replace, the DHCP request packet’s option 82 content (RID and CID sub-option) is replaced with the relay agent switch’s address information.
Figure 481: Configuring L2 DHCP Relay Service
Enabling DHCP Dynamic Provision
Use the IP Service > DHCP > Dynamic Provision page to enable dynamic provisioning via DHCP.
Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.
3. Click Apply.
Figure 482: Enabling Dynamic Provisioning via DHCP
Configuring the DHCP Server
This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service.
Enabling the Server
Use the IP Service > DHCP > Server (Configure Global) page to enable the DHCP Server.
Parameters
These parameters are displayed:
◆ DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled)
Web Interface
To enable the DHCP server:
1. Click IP Service, DHCP, Server.
2. Select Configure Global from the Step list.
3. Mark the Enabled box.
4. Click Apply.
Web Interface
To configure IP addresses excluded for DHCP clients:
1. Click IP Service, DHCP, Server.
2. Select Configure Excluded Addresses from the Step list.
3. Select Add from the Action list.
4. Enter a single address or an address range.
5. Click Apply.
Figure 485: Configuring Excluded Addresses on the DHCP Server
To show the IP addresses excluded for DHCP clients:
1. Click IP Service, DHCP, Server.
2.
You can configure up to 8 network address pools, and up to 32 manually bound host address pools (i.e., one address per host pool). Just note that any address specified in a host address pool must fall within the range of a configured network address pool.
◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server).
identifier is based on RFC 2132 Option 60, and must be unique for all clients in the same administrative domain.
◆ Hardware Address – Specifies the MAC address and protocol used on the client. (Options: Ethernet, IEEE802, FDDI, None; Default: Ethernet)
Setting Optional Parameters
◆ Default Router – The IP address of the primary and alternate gateway router. The IP address of the router should be on the same subnet as the client.
host device. Configure the optional parameters such as a gateway server and DNS server.
8. Click Apply.
To show the configured DHCP address pools:
1. Click IP Service, DHCP, Server.
2. Select Configure Pool from the Step list.
3. Select Show from the Action list.
Figure 489: Showing Configured DHCP Server Address Pools
Displaying Address Bindings
Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server.
Figure 490: Shows Addresses Assigned by the DHCP Server
Configuring DHCPv6 Relay
Use the IP Service > DHCPv6 > Relay (Add) page to enable the switch as a DHCPv6 Relay Agent and configure destination addresses or VLAN IDs to which client DHCPv6 messages are forwarded. When the relay agent is enabled on a specified VLAN, the switch listens to UDP port 547 for DHCPv6 messages on that VLAN.
DHCPv6 agent forwards DHCPv6 messages to the IPv6 DHCP multicast address known as “All_DHCP_Servers” (FF05::1:3) which both DHCPv6 servers and relay agents listen to.
◆ Destination Address – When Unicast mode is selected, enter an IPv6 address of a DHCPv6 server or relay agent (Maximum: 5 for each configured VLAN).
◆ Destination VLAN – When Multicast mode is selected, select a configured VLAN or “All” (all VLANs).
Figure 492: Enabling DHCPv6 Relay Agent for Multicast mode.
To show and delete the DHCP Relay Agent Unicast and Multicast entries:
1. Click IP Service, DHCPv6, Relay (Action: Show).
2. From the VLAN drop-down list, select a VLAN.
3. Either click the upper-left-most box to select all entries or click the box to the left of the specific entry(s).
4. Click Delete.
Figure 493: Enabling DHCPv6 Relay Agent for Multicast mode.
Configuring the PPPoE Intermediate Agent
Configuring PPPoE IA Global Settings
Use the IP Service > PPPoE Intermediate Agent (Configure Global) page to enable the PPPoE IA on the switch, set the access node identifier, and set the generic error message.
Command Usage
When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
Figure 494: Configuring Global Settings for PPPoE Intermediate Agent
Configuring PPPoE IA Interface Settings
Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk selection.
■ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier, using the PPPoE Vendor-Specific tag (0x0105), into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server.
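The tag insertion described above, as an added example that is not the switch's own code: it parses a PPPoE discovery payload, adds a Vendor-Specific tag (0x0105) carrying a circuit ID and remote ID to PADI/PADR messages from an untrusted interface, and reports whether the client had supplied its own 0x0105 tag. The Broadband Forum vendor ID and sub-option layout, the policy of discarding a client-supplied tag, and all sample values are assumptions of the example.

```python
import struct

PADI, PADR = 0x09, 0x19              # client-to-server discovery codes (RFC 2516)
VENDOR_SPECIFIC = 0x0105             # PPPoE Vendor-Specific tag
BBF_VENDOR_ID = 0x00000DE9           # assumption: Broadband Forum enterprise number 3561
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02   # assumption: TR-101 style sub-options

def parse_discovery(payload: bytes):
    """Split a PPPoE discovery payload (EtherType 0x8863) into code, session ID and tags."""
    if len(payload) < 6:
        raise ValueError("shorter than the PPPoE header")
    ver_type, code, session, length = struct.unpack_from("!BBHH", payload, 0)
    end = 6 + length
    if ver_type != 0x11 or end > len(payload):
        raise ValueError("bad version/type or length field")
    tags, off = [], 6
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tag_len > end:
            raise ValueError("tag value runs past the payload")
        tags.append((tag_type, payload[off:off + tag_len]))
        off += tag_len
    return code, session, tags

def build_discovery(code: int, session: int, tags) -> bytes:
    """Serialise tags back into a discovery payload with a correct length field."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body

def line_id_tag(circuit_id: bytes, remote_id: bytes):
    """Vendor-Specific tag: 4-byte vendor ID, then circuit ID and remote ID sub-options."""
    value = struct.pack("!I", BBF_VENDOR_ID)
    value += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    value += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return VENDOR_SPECIFIC, value

def intermediate_agent(payload: bytes, circuit_id: bytes, remote_id: bytes, trusted=False):
    """Return (payload to forward, True if the client had supplied its own 0x0105 tag)."""
    code, session, tags = parse_discovery(payload)
    if trusted or code not in (PADI, PADR):
        return payload, False
    client_supplied = any(t == VENDOR_SPECIFIC for t, _ in tags)
    kept = [(t, v) for t, v in tags if t != VENDOR_SPECIFIC]   # example policy: discard it
    kept.append(line_id_tag(circuit_id, remote_id))
    return build_discovery(code, session, kept), client_supplied

def constructed_padi(with_client_tag: bool) -> bytes:
    """Constructed PADI with Service-Name and Host-Uniq tags; not captured traffic."""
    tags = [(0x0101, b""), (0x0103, b"\x00\x01")]
    if with_client_tag:
        tags.append(line_id_tag(b"someone-else", b"someone-else"))
    return build_discovery(PADI, 0, tags)

if __name__ == "__main__":
    forwarded, flagged = intermediate_agent(constructed_padi(True), b"1/0/3:100", b"switch-a")
    print(flagged, parse_discovery(forwarded))
```

A non-zero count of flagged messages on an untrusted port is worth logging, since the line identifier is what the server uses to tell subscriber lines apart.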
Figure 495: Configuring Interface Settings for PPPoE Intermediate Agent
Showing PPPoE IA Statistics
Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ Received – Received PPPoE active discovery messages.
■ All – All PPPoE active discovery message types.
Web Interface
To show statistics for PPPoE IA protocol messages:
1. Click IP Service, PPPoE Intermediate Agent.
2. Select Show Statistics from the Step list.
3. Select Port or Trunk interface type.
Section III Appendices
This section provides additional information and includes these items:
◆ “Software Specifications” on page 731
◆ “Troubleshooting” on page 737
◆ “License Information” on page 739
A Software Specifications
Software Features
Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
General Security Measures: Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard
Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX/LHX/ZX: 1000 Mbps at full duplex (SFP)
Flow Control: Full Duplex: IEEE 802.
Appendix A | Software Specifications Management Features VLAN Support Up to 4094 groups; port-based, protocol-based, tagged (802.
Software Loading: HTTP, FTP, SFTP, TFTP in-band, or XModem out-of-band
SNMP: Management access via MIB database; Trap management to specified hosts
RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
Standards
Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.
TFTP (RFC 1350)
Management Information Bases
Bridge MIB (RFC 1493)
Differentiated Services MIB (RFC 3289)
DNS Resolver MIB (RFC 1612)
Entity MIB (RFC 2737)
Ether-like MIB (RFC 2665)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP MIB (RFC 2011)
IP Forwarding Table MIB (RFC 2096)
IP Multicasting relate
SNMP View Based ACM MIB (RFC 3415)
SNMPv2 IP MIB (RFC 2011)
TACACS+ Authentication Client MIB
TCP MIB (RFC 2012)
Trap (RFC 1215)
UDP MIB (RFC 2013)
B Troubleshooting
Problems Accessing the Management Interface
Table 41: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.