ECS4510-28T/P/F ECS4510-28F-DC ECS4510-52T/P 28/52-Port Layer 2+ Stackable GE Switch Web Management Guide Software Release v1.5.2.36 www.edge-core.
Web Management Guide ECS4510-28T Stackable GE Switch Layer 2+ Stackable Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports ECS4510-28F-DC Stackable GE Switch Layer 2+ Stackable Gigabit Ethernet Fiber Switch with 22 SFP Ports, 2 10/100/1000BASE-T (RJ-45/SFP) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports ECS4510-28P Stackable GE PoE Switch Layer 2+ Stackable Gigabit Ethernet PoE Switch
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read this Guide?

This guide is for network administrators who are responsible for operating and maintaining network equipment.
For information on how to install the switch, see the following guide:
Installation Guide

For all safety information and regulatory statements, see the following documents:
Quick Start Guide
Safety and Regulatory Information

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.
Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1: Key Features (Continued)

Feature | Description
Address Table | 16K MAC addresses in the forwarding table, 1K static MAC addresses; 1760 entries in the ARP cache, 256 static ARP entries, 1760 dynamic ARP entries; 256 static IP routes, 32 IP interfaces; 2K IPv4 entries in the host table; 1K IPv4 entries in routing table; 1K L2 IPv4 multicast groups (shared with MAC table)
IP Version 4 and 6 | Supports IPv4 and IPv6 addressing and management
IEEE 802.
Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network.
Port Configuration

You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use full-duplex mode on ports whenever possible to double the throughput of switch connections.
IEEE 802.1D Bridge

The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.

Store-and-Forward Switching

The switch copies each frame into its memory before forwarding it to another port.
GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

◆ Eliminate broadcast storms which severely degrade performance in a flat network.
allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.

Ethernet Ring Protection Switching

ERPS can be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN).
describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.

Multicast Filtering

Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN.
Table 2: System Defaults (Continued)

Function | Parameter | Default
Authentication and Security Measures | Privileged Exec Level | Username “admin”, Password “admin”
 | Normal Exec Level | Username “guest”, Password “guest”
 | Enable Privileged Exec from Normal Exec Level | Password “super”
 | RADIUS Authentication | Disabled
 | TACACS+ Authentication | Disabled
 | 802.
Table 2: System Defaults (Continued)

Function | Parameter | Default
Congestion Control | Rate Limiting | Disabled
 | Storm Control | Broadcast: Enabled (64 kbits/sec); Multicast: Disabled; Unknown Unicast: Disabled
 | Auto Traffic Control | Disabled
Address Table | Aging Time | 300 seconds
Spanning Tree Algorithm | Status | Enabled, RSTP (Defaults: RSTP standard)
 | Edge Ports | Disabled
LLDP | Status | Enabled
ERPS | Status | Disabled
CFM | Status | Enabled
OAM | Status | Disabled
Vi
Table 2: System Defaults (Continued)

Function | Parameter | Default
 | ARP | Enabled; Cache Timeout: 20 minutes; Proxy: Disabled
Unicast Routing | RIP | Disabled
Multicast Filtering | IGMP Snooping (Layer 2) | Snooping: Enabled; Querier: Disabled
 | MLD Snooping (Layer 2 IPv6) | Snooping: Enabled; Querier: Disabled
 | Multicast VLAN Registration | Disabled
 | IGMP Proxy Reporting | Disabled

Status Enabled Messages Logged to RAM Levels 0-7 (all) Messages Logged to Flash Levels 0-3
Section II Web Configuration This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
◆ "Unicast Routing" on page 655
2 Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
for STA” on page 207.

Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.

Note: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and password.
most of the screen display examples are based on the ECS4510-28T. The panel graphics for the various switch types are shown on the following page.

Note: You can open a connection to the vendor’s web site by clicking on the Edge-core logo.

Configuration Options

Configurable parameters have a dialog box or a drop-down list.
Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
Main Menu

Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Reset Description Page Restarts the switch immediately, at a specified time, after a specified delay, or at a periodic interval 103 Interface 107 Port 108 General 108 Configure by Port List Configures connection settings per port 108 Configure by Port Range Configures connection settings for a range of ports 110 Show Information Displays port connection status 111 Mirror
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Partner Description Page Configures parameters for link aggregation group members on the remote side 132 Show Information 138 Counters Displays statistics for LACP protocol messages 138 Internal Displays configuration settings and operational state for the local side of a link aggregation 139 Neighbors Displays configuration settings and operational state for the remote side of
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Shows the interfaces assigned to a VLAN through GVRP 163 IEEE 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Mirror Page Mirrors traffic matching a specified source address from any port on the 194 switch to a target port MAC Notification 195 Configure Global Issues a trap when a dynamic MAC address is added or removed. 195 Configure Interface Enables MAC authentication traps on the current interface.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Default Priority Sets the default priority for each port or trunk 231 Queue Sets queue mode for the switch; sets the service weight for each queue 232 that will use a weighted or hybrid mode Trust Mode Selects DSCP or CoS priority processing Priority DSCP to DSCP 238 239 Add Maps DSCP values in incoming packets to per-hop behavior and drop precedence values for
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure OUI 263 Add Maps the OUI in the source MAC address of ingress packets to the VoIP 263 device manufacturer Show Shows the OUI telephony list Configure Interface 263 Configures VoIP traffic settings for ports, including the way in which a 264 port is added to the Voice VLAN, filtering of non-VoIP packets, the method of detecting VoIP traffic, and the priori
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Shows authorized users 284 Modify Modifies user attributes 284 Allows authentication and access to the network when 802.
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Show Rule Description Page Shows the time specified by a rule 311 Configure ACL 314 Show TCAM Shows utilization parameters for TCAM 313 Add Adds an ACL based on IP or MAC address filtering 314 Show Shows the name and type of configured ACLs 314 Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes 314 Show Rule Shows the rules specif
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu IP Source Guard Port Configuration Description Page Filters IP traffic based on static entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table 358 Enables IP source guard and selects filter type per port 358 Static Binding 360 Configure ACL Table 360 Add Adds static addresses to the source guard ACL binding table 360 Show Shows static addresses in th
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Remote Device Information 397 Port/Trunk Displays information about a remote device connected to a port on this 397 switch Port/Trunk Details Displays detailed information about a remote device connected to this 397 switch Show Device Statistics 405 General Displays statistics for all connected remote devices 405 Port/Trunk Displays statistics for remote d
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Creates an SNMP notification log 434 Show Shows the configured notification logs 434 Shows the status of SNMP communications 436 Remote Monitoring 438 Alarm Sets threshold bounds for a monitored variable 438 Event Creates a response event for an alarm 441 Configure Notify Filter Show Statistics RMON Configure Global Add Show 438 Alarm Shows all con
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu CFM Description Page Connectivity Fault Management 478 Configure Global Configures global settings, including administrative status, cross-check 482 start delay, link trace, and SNMP traps Configure Interface Configures administrative status on an interface 485 Configure MD Configure Maintenance Domains 485 Add Defines a portion of the network for which connectivity faults can 4
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Link Trace Cache Shows information about link trace operations launched from this device 511 Show Fault Notification Generator Displays configuration settings for the fault notification generator 512 Show Continuity Check Error Displays CFM continuity check errors logged on this device 513 Operation, Administration, and Maintenance 514 OAM Interface Enable
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Add Configures static routing entries 651 Show Shows static routing entries 651 Shows all routing entries, including local, static and dynamic routes 653 Routing Table Show Information IPv6 Configuration 603 Configure Global Sets an IPv6 default gateway for traffic with no known next hop Configure Interface Configures IPv6 interface address using auto-configur
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Snooping 370 Configure Global Enables DHCP snooping globally, MAC-address verification, information option; and sets the information policy 372 Configure VLAN Enables DHCP snooping on a VLAN 374 Configure Interface Sets the trust mode for an interface 375 Show Information Displays the DHCP Snooping binding information 376 Enables dynamic provisioning via DHCP
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Shows configured IGMP filter profiles 552 Add Multicast Group Range Assigns multicast groups to selected profile 552 Show Multicast Group Range Shows multicast groups assigned to a profile 552 Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action 555 Statistics 548 Show Query Statistics Shows statistics for query-
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Static Group Member 574 Add Statically assigns MVR multicast streams to an interface 574 Show Shows MVR multicast streams assigned to an interface 574 Shows the multicast groups assigned to an MVR VLAN, the source address of the multicast services, and the interfaces with active subscribers 576 Show Member Show Statistics 577 Show Query Statistics S
Chapter 2 | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Routing Protocol RIP 656 General 657 Configure Enables or disables RIP, sets the global RIP attributes and timer values 657 Clear Route Clears the specified route type or network interface from the routing table 660 Network 661 Add Sets the network interfaces that will use RIP 661 Show Shows the network interfaces that will use RIP 661 Passive Interface
3 Basic Management Tasks

This chapter describes the following topics:

◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Displaying System Information

Use the System > General page to identify the system by displaying information such as the device name, location and contact information.

Parameters

These parameters are displayed:

◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
◆ System Up Time – Length of time the management agent has been up.
Displaying Hardware/Software Versions

Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Parameters

The following parameters are displayed:

Main Board Information

◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
◆ Hardware Version – Hardware version of the main board.
Web Interface

To view hardware and software version information:

1. Click System, then Switch.

Figure 4: General Switch Information

Configuring Support for Jumbo Frames

Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet and 10 Gigabit Ethernet ports or trunks.
Web Interface

To configure support for jumbo frames:

1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.

Figure 5: Configuring Support for Jumbo Frames

Displaying Bridge Extension Capabilities

Use the System > Capability page to display settings based on the Bridge MIB.
Untagged) on each port. (Refer to “VLAN Configuration” on page 153.)
◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch.
◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch.
◆ GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register end stations with multicast groups.
Managing System Files
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.

Copying Files via FTP/TFTP or HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP. By backing up a file to an FTP/TFTP server or management station, that file can later be downloaded to the switch to restore operation.
names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Note: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
Note: The maximum number of user-defined configuration files is limited only by available flash memory space.
Note: The file “Factory_Default_Config.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.

Saving the Running Configuration to a Local File
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted.
Figure 8: Saving the Running Configuration
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.

Setting the Start-up File
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
Web Interface
To set a file to use for system initialization:
1. Click System, then File.
2.
Showing System Files
Use the System > File (Show) page to show the files in the system directory, or to delete a file.
Note: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
Web Interface
To show the system files:
1. Click System, then File.
2. Select Show from the Action list.
3. To delete a file, mark it in the File List and click Delete.
◆ The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/” to indicate this (e.g., ftp://192.168.0.1/).
◆ The file name must not be included in the upgrade file location URL. The file name of the code stored on the remote server must be ECS4510-Series.bix (using upper case and lower case letters exactly as indicated here).
◆ The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image.
Parameters
The following parameters are displayed:
◆ Automatic Opcode Upgrade – Enables the switch to search for an upgraded operation code file during the switch bootup process. (Default: Disabled)
◆ Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file.
Examples
The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations:
■ tftp://192.168.0.1/
The image file is in the TFTP root directory.
■ tftp://192.168.0.1/switch-opcode/
The image file is in the “switch-opcode” directory, relative to the TFTP root.
■ tftp://192.168.0.
Figure 11: Configuring Automatic Code Upgrade
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.2.1.3; new version 1.2.1.
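The file-name limits given for file copies and the URL rules given for automatic upgrade can be checked before a setting is applied. The following is an added example, not part of the guide or of the switch software; the function names and the sample listings are hypothetical, and the requirement of a trailing "/" is an assumption drawn from the guide's examples.

```python
import re
from urllib.parse import urlsplit

IMAGE_NAME = "ECS4510-Series.bix"          # exact, case-sensitive name given in the guide
ALLOWED_SCHEMES = ("tftp", "ftp")          # services named for the upgrade location
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")   # valid file-name characters per the guide


def valid_file_name(name, on_switch=True):
    """Check a file name against the length and character rules for file copies."""
    limit = 32 if on_switch else 127
    return len(name) <= limit and NAME_RE.fullmatch(name) is not None


def check_upgrade_url(url):
    """Return the rule violations found in an Automatic Upgrade Location URL."""
    problems = []
    if any(ch.isspace() for ch in url):
        problems.append("URL contains whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme must be tftp or ftp")
    if not parts.hostname:
        problems.append("server address is missing")
    if not parts.path:
        problems.append('directory is missing; use "/" for the server root')
    elif not parts.path.endswith("/"):
        last = parts.path.rsplit("/", 1)[-1]
        if last.lower().endswith(".bix"):
            problems.append("file name must not be part of the URL")
        else:
            # Assumption: a trailing "/" is required, as in every example in the guide.
            problems.append('directory path must end with "/"')
    return problems


def check_server_listing(names):
    """Compare a directory listing from the server with the required image name."""
    if IMAGE_NAME in names:
        return "ok"
    for name in names:
        if name.lower() == IMAGE_NAME.lower():
            return "case mismatch: " + name
    return "missing"


def preflight(url, listing):
    """Run both checks; return (location the switch would read, problems)."""
    problems = check_upgrade_url(url)
    status = check_server_listing(listing)
    if status != "ok":
        problems.append("image file " + status)
    location = url + IMAGE_NAME if not problems else None
    return location, problems


if __name__ == "__main__":
    # Constructed sample inputs: a URL and the file names found in that directory.
    samples = [
        ("tftp://192.168.0.1/switch-opcode/", ["ECS4510-Series.bix", "startup1.cfg"]),
        ("tftp://192.168.0.1/switch-opcode/", ["ecs4510-series.bix"]),
        ("tftp://192.168.0.1/switch-opcode/ECS4510-Series.bix", ["ECS4510-Series.bix"]),
        ("tftp://192.168.0.1", ["ECS4510-Series.bix"]),
    ]
    for url, listing in samples:
        print(url, "->", preflight(url, listing))
    print(valid_file_name("startup1.cfg"), valid_file_name("bad name.cfg"))
```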
Setting the Time Manually
Use the System > Time (Configure General - Manual) page to set the system time on the switch manually without using SNTP.
Parameters
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
◆ Hours – Sets the hour. (Range: 0-23)
◆ Minutes – Sets the minute value. (Range: 0-59)
◆ Seconds – Sets the second value. (Range: 0-59)
◆ Month – Sets the month.
Setting the SNTP Polling Interval
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers.
Parameters
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
◆ SNTP Polling Interval – Sets the interval between sending requests for a time update from a time server.
You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
◆ Polling Interval – Shows the interval between sending requests for a time update from NTP servers.
Parameters
The following parameters are displayed:
◆ SNTP Server IP Address – Sets the IPv4 or IPv6 address for up to three time servers. The switch attempts to update the time from the first server; if this fails, it attempts an update from the next server in the sequence.
Web Interface
To set the SNTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3.
◆ Authentication Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. NTP authentication is optional. If enabled on the System > Time (Configure General) page, you must also configure at least one key on the System > Time (Add NTP Authentication Key) page. (Range: 1-65535)
Web Interface
To add an NTP time server to the server list:
1. Click System, then Time.
2.
Specifying NTP Authentication Keys
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Parameters
The following parameters are displayed:
◆ Authentication Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with a configured server. NTP authentication is optional.
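Why the key number and the key value must both match on server and client can be seen by carrying out the check a client performs on a reply. The following is an added example, not part of the guide or of the switch software; it assumes the MD5 keyed digest of NTP's classic symmetric-key scheme (the digest type is not stated in this section), and the key values, key numbers and packet contents are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed-size NTP header
MAC_LEN = 4 + 16       # 32-bit key number followed by a 16-byte MD5 digest


def keyed_digest(key, header):
    """Digest over the key value followed by the NTP header (assumed MD5 scheme)."""
    return hashlib.md5(key + header).digest()


def sign(header, key_number, key):
    """Server side: append the key number and digest to a reply header."""
    if len(header) != HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    if not 1 <= key_number <= 65535:          # range given for Authentication Key
        raise ValueError("key number must be 1-65535")
    return header + struct.pack("!I", key_number) + keyed_digest(key, header)


def verify(packet, key_list):
    """Client side: decide whether a reply may be used to set the clock."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"              # no key number or digest present
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed"
    header = packet[:HEADER_LEN]
    (key_number,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = key_list.get(key_number)
    if key is None:
        return "unknown key number"
    expected = keyed_digest(key, header)
    # Constant-time comparison of the received and recomputed digests.
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return "digest mismatch"
    return "ok"


def demo_results():
    """Run the check for matching, mismatched and tampered cases (constructed data)."""
    # Constructed reply header: LI=0, VN=4, Mode=4 (server); remaining fields zero.
    header = bytes([0x24]) + bytes(47)
    server_key_number, server_key = 7, b"constructed-key-value"
    reply = sign(header, server_key_number, server_key)

    tampered = bytearray(reply)
    tampered[40] ^= 0x01                      # alter one bit of the transmit timestamp

    return {
        "same number, same value": verify(reply, {7: server_key}),
        "different number": verify(reply, {8: server_key}),
        "same number, different value": verify(reply, {7: b"another-value"}),
        "tampered in transit": verify(bytes(tampered), {7: server_key}),
        "reply without digest": verify(header, {7: server_key}),
    }


if __name__ == "__main__":
    for case, result in demo_results().items():
        print(f"{case}: {result}")
```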
Figure 19: Showing the NTP Authentication Key List

Setting the Time Zone
Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
Figure 20: Setting the Time Zone

Configuring the Console Port
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
◆ Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
◆ Parity – Defines the generation of a parity bit. Communication protocols provided by some terminals can require a specific parity bit setting. Specify Even, Odd, or None. (Default: None)
◆ Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal).
Configuring Telnet Settings
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.
Web Interface
To configure parameters for the console port:
1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.
Figure 23: Displaying CPU Utilization

Displaying Memory Utilization
Use the System > Memory Status page to display memory utilization parameters.
Parameters
The following parameters are displayed:
◆ Free Size – The amount of memory currently free for use.
◆ Used Size – The amount of memory allocated to active processes.
◆ Total – The total amount of system memory.
Web Interface
To display memory utilization:
1.
Stacking
This section describes the basic functions which enable a properly connected set of switches to function as a single logical entity for management purposes. For information on how to physically connect units into a stack, see the Hardware Installation Guide. For detailed information on how stacking is implemented for this type of switch, refer to “Stack Operations” in the CLI Reference Guide.
4. Click Apply.
Figure 25: Setting the Stack Master

Enabling Stacking Ports
Use the System > Stacking (Configure Stacking Button) page to enable stacking on the front panel 10G ports.
Command Usage
◆ The stacking ports must be enabled on all stack members.
◆ Use the Switch Master Button page to specify one unit as the stack master.
◆ Every switch in the stack must be rebooted to activate this command.
Figure 26: Enabling Stacking on 10G Ports

Renumbering the Stack
If the units are no longer numbered sequentially after several topology changes or failures, use the System > Stacking (Renumber) page to reset the unit numbers. Just remember to save the new configuration settings to a startup configuration file prior to powering off the stack Master.
Resetting the System
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
Command Usage
◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory. (See “Saving the Running Configuration to a Local File” on page 81).
■ YYYY - The year at which to reload. (Range: 1970-2037)
■ HH - The hour at which to reload. (Range: 00-23)
■ MM - The minute at which to reload. (Range: 00-59)
■ Regularly – Specifies a periodic interval at which to reload the switch.
Time
■ HH - The hour at which to reload. (Range: 00-23)
■ MM - The minute at which to reload. (Range: 00-59)
Period
■ Daily - Every day.
■ Weekly - Day of the week at which to reload. (Range: Sunday ...
Figure 28: Restarting the Switch (Immediately)
Figure 29: Restarting the Switch (In)
Figure 30: Restarting the Switch (At)
Figure 31: Restarting the Switch (Regularly)
4 Interface Configuration
This chapter describes the following topics:
◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
Port Configuration
This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.

Configuring by Port List
Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
◆ Media Type – Configures the forced transceiver mode for SFP/SFP+ ports, or forced/preferred port type for RJ-45/SFP combination ports.
■ None - Forced transceiver mode is not used for SFP/SFP+ ports. (This is the default setting for RJ-45 ports and SFP/SFP+ ports.)
■ Copper-Forced - Always uses the RJ-45 port. (Only applies to combination RJ-45/SFP ports 23-24 on the ECS4510-28F/28F-DC.
◆ Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled)
◆ Flow Control – Allows automatic or manual selection of flow control.
Web Interface
To configure port connection parameters:
1. Click Interface, Port, General.
2. Select Configure by Port List from the Action List.
3. Modify the required interface settings.
4. Click Apply.
3. Enter a range of ports to which your configuration changes apply.
4. Modify the required interface settings.
5. Click Apply.
Figure 33: Configuring Connections by Port Range

Displaying Connection Status
Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and autonegotiation.
Parameters
These parameters are displayed:
◆ Port – Port identifier.
◆ Oper Flow Control – Shows the flow control type used.
Web Interface
To display port connection parameters:
1. Click Interface, Port, General.
2. Select Show Information from the Action List.
Figure 34: Displaying Port Information

Configuring Local Port Mirroring
Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.
◆ The destination port cannot be a trunk or trunk member port.
◆ Note that Spanning Tree BPDU packets are not mirrored to the target port.
Parameters
These parameters are displayed:
◆ Source Port – The port whose traffic will be monitored.
To display the configured mirror sessions:
1. Click Interface, Port, Mirror.
2. Select Show from the Action List.
Figure 37: Displaying Local Port Mirror Sessions

Configuring Remote Port Mirroring
Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
◆ Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the VLAN Static List (see “Configuring VLAN Groups” on page 156) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN” field on this page). (Default VLAN 1 is prohibited.)
2. Set up the source switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Source), the RSPAN VLAN, and the uplink port.
though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Also note that a destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Figure 40: Configuring Remote Port Mirroring (Intermediate)
Figure 41: Configuring Remote Port Mirroring (Destination)

Showing Port or Trunk Statistics
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Parameters
These parameters are displayed:
Table 5: Port Statistics
Parameter | Description
Interface Statistics
Received Octets | The total number of octets received on the interface, including framing characters.
Transmitted Octets | The total number of octets transmitted out of the interface, including framing characters.
Table 5: Port Statistics (Continued)
Parameter | Description
Deferred Transmissions | A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy.
Frames Too Long | A count of frames received on a particular interface that exceed the maximum permitted frame size.
Alignment Errors | The number of alignment errors (mis-synchronized data packets).
Table 5: Port Statistics (Continued)
Parameter | Description
65-127 Byte Packets, 128-255 Byte Packets, 256-511 Byte Packets, 512-1023 Byte Packets, 1024-1518 Byte Packets, 1519-1536 Byte Packets | The total number of packets (including bad packets) received and transmitted where the number of octets falls within the specified range (excluding framing bits but including FCS octets).
To show a chart of port statistics:
1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Displaying Transceiver Data
Use the Interface > Port > Transceiver page to display identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM).
Parameters
These parameters are displayed:
◆ Port – Port number. (ECS4510-28F/28F-DC: 1-28, Other models: SFP/SFP+ ports 25-28 / 49-52)
◆ General – Information on connector type and vendor-related parameters.
Figure 44: Displaying Transceiver Data

Configuring Transceiver Thresholds
Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring (DDM). This page also displays identifying information for supported transceiver types, and operational parameters for transceivers which support DDM.
◆ Auto Mode – Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent. (Default: Enabled)
◆ DDM Thresholds – Information on alarm and warning thresholds. The switch can be configured to send a trap when the measured parameter falls outside of the specified thresholds.
Web Interface
To configure threshold values for optical transceivers:
1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.
3. Set the switch to send a trap based on default or manual settings.
4. Set alarm and warning thresholds if manual configuration is used.
5. Click Apply.
Figure 45: Configuring Transceiver Thresholds

Performing Cable
Use the Interface > Port > Cable Test page to test the cable attached to a port.
◆ Potential conditions which may be listed by the diagnostics include:
■ OK: Correctly terminated pair
■ Open: Open pair, no link partner
■ Short: Shorted pair
■ Not Supported: This message is displayed for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps, or for any 10G Ethernet ports.
■ Impedance mismatch: Terminating impedance is not in the reference range.
◆ Ports are linked down while running cable diagnostics.
Web Interface
To test the cable attached to a port:
1. Click Interface, Port, Cable Test.
2. Click Test for any port to start the cable test.
Figure 46: Performing Cable Tests

Trunk Configuration
This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
Command Usage
Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
Command Usage
◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.
Figure 49: Adding Static Trunks Members
To configure connection parameters for a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3.
To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.
Note: If the LACP admin key is not set when a channel group is formed (i.e.
Configure Aggregation Port - Actor/Partner
◆ Port – Port number. (Range: 1-28/52)
◆ Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default – Actor: 1, Partner: 0)
By default, the Actor Admin Key is determined by port's link speed, and copied to Oper Key. The Partner Admin Key is assigned to zero, and the Oper Key is set based upon LACP PDUs received from the Partner.
Web Interface
To configure the admin key for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregator from the Step list.
3. Set the Admin Key and timeout mode for the required LACP group.
4. Click Apply.
Figure 53: Configuring the LACP Aggregator Admin Key
To enable LACP for a port:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4.
Figure 54: Enabling LACP on a Port
To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
Figure 55: Configuring LACP Parameters on a Port
To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2.
4. Select a Trunk.
Figure 56: Showing Members of a Dynamic Trunk
To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Configure from the Action list.
4. Modify the required interface settings. (See “Configuring by Port List” on page 108 for a description of the interface settings.)
5. Click Apply.
To show connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step list.
3. Select Show from the Action list.
Figure 58: Showing Connection Parameters for Dynamic Trunks

Displaying LACP Port Counters
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
5. Select a group member from the Port list.
Figure 59: Displaying LACP Port Counters

Displaying LACP Settings and Status for the Local Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 7: LACP Internal Configuration Information (Continued)
Parameter | Description
Admin State, Oper State (continued) |
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link.
Displaying LACP Settings and Status for the Remote Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Parameters
These parameters are displayed:
Table 8: LACP Remote Device Configuration Information
Parameter | Description
Partner Admin System | LAG partner’s system ID assigned by the user.
Figure 61: Displaying LACP Port Remote Information

Configuring Load Balancing
Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source IP Address: All traffic with the same source IP address is output on the same link in a trunk.
Saving Power
Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements. (Default: Enabled on Gigabit Ethernet RJ-45 ports)
Web Interface
To enable power savings:
1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
3. Click Apply.
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 64: Enabling Traffic Segmentation

Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
Parameters
These parameters are displayed:
◆ Session ID – Traffic segmentation session. (Range: 1-4)
◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink. (Default: Uplink)
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.
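The forwarding rules stated above for uplink and downlink ports can be turned into a check that finds client ports left outside the segmented group. The following is an added example, not part of the guide or of the switch software; it models a single session only, and the class, function names and unit/port strings are hypothetical, constructed values.

```python
from itertools import combinations


def port_key(port):
    """Sort key for "unit/port" strings so that 1/10 follows 1/9."""
    return tuple(int(part) for part in port.split("/"))


class Session:
    """One traffic segmentation session with its uplink and downlink ports."""

    def __init__(self, session_id, uplinks, downlinks):
        if not 1 <= session_id <= 4:          # Session ID range from the guide
            raise ValueError("session ID must be 1-4")
        self.session_id = session_id
        self.uplinks = set(uplinks)
        self.downlinks = set(downlinks)


def can_forward(session, src, dst):
    """Apply the uplink/downlink rules to traffic from src to dst."""
    if not session.downlinks:
        # No downlink port configured: the uplink ports operate as normal ports.
        return True
    if src in session.downlinks:
        return dst in session.uplinks         # downlink traffic goes only to uplinks
    if dst in session.downlinks:
        return src in session.uplinks         # only uplinks may reach a downlink
    return True                               # uplinks and normal ports are unrestricted


def audit(session, client_ports):
    """Report client ports outside the group and client pairs that can still talk."""
    unassigned = sorted(
        (p for p in client_ports if p not in session.downlinks), key=port_key
    )
    leaks = [
        (a, b)
        for a, b in combinations(sorted(client_ports, key=port_key), 2)
        if can_forward(session, a, b) or can_forward(session, b, a)
    ]
    return {"unassigned": unassigned, "leaks": leaks}


if __name__ == "__main__":
    # Constructed sample: ports 1/1-1/5 face clients, 1/25 is the uplink,
    # but only 1/1-1/3 were added to the session as downlink ports.
    session = Session(1, uplinks=["1/25"], downlinks=["1/1", "1/2", "1/3"])
    clients = ["1/1", "1/2", "1/3", "1/4", "1/5"]
    print(audit(session, clients))
    print(can_forward(session, "1/1", "1/2"), can_forward(session, "1/1", "1/25"))
```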
To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Show from the Action list.
Figure 66: Showing Traffic Segmentation Members

VLAN Trunking
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see “Adding Static Members to VLANs” on page 159). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
Figure 68: Configuring VLAN Trunking
5 VLAN Configuration
This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
IEEE 802.1Q VLANs
VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.

This switch supports the following VLAN features:
◆ Up to 4093 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Figure 70: Using GVRP

Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
◆ Remote VLAN – Reserves this VLAN for RSPAN (see “Configuring Remote Port Mirroring” on page 114).

Modify
◆ VLAN ID – ID of configured VLAN (1-4093).
◆ VLAN Name – Name of the VLAN (1 to 32 characters).
◆ Status – Enables or disables the specified VLAN.
◆ L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type.
Figure 71: Creating Static VLANs

To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3. Select the identifier of a configured VLAN.
4. Modify the VLAN name or operational status as required.
5. Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface.
6. Click Apply.
To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.

Figure 73: Showing Static VLANs

Adding Static Members to VLANs
Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
  ■ Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
  ■ 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
  ■ None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface.

Note: VLAN 1 is the default untagged VLAN containing all ports on the switch.

Edit Member by Interface
All parameters are the same as those described under the preceding section for Edit Member by VLAN.
Figure 74: Configuring Static Members by VLAN Index

To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.
Configure Interface
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-28/52)
◆ Trunk – Trunk Identifier. (Range: 1-16)
◆ GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect (using the Configure General page).
Web Interface
To configure GVRP on the switch:
1. Click VLAN, Dynamic.
2. Select Configure General from the Step list.
3. Enable or disable GVRP.
4. Click Apply.

Figure 77: Configuring Global Status of GVRP

To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
2. Select Configure Interface from the Step list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the GVRP status or timers for any interface.
5.
To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.

Figure 79: Showing Dynamic VLANs Registered on the Switch

To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.
IEEE 802.1Q Tunneling
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
◆ Untagged
◆ One tag (CVLAN or SPVLAN)
◆ Double tag (CVLAN + SPVLAN)

The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
1.
Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see “Adding Static Members to VLANs” on page 159).

Enabling QinQ Tunneling on the Switch
Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network.
Figure 82: Enabling QinQ Tunneling

Creating CVLAN to SPVLAN Mapping Entries
Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.

Command Usage
◆ The inner VLAN tag of a customer packet entering the edge router of a service provider’s network is mapped to an outer tag indicating the service provider VLAN that will carry this traffic across the 802.1Q tunnel.
Web Interface
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.

Figure 83: Configuring CVLAN to SPVLAN Mapping Entries

To show the mapping table:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3.
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the “switchport dot1q-tunnel service match cvid” command in the CLI Reference Guide.

Adding an Interface to a QinQ Tunnel
Follow the guidelines under "Enabling QinQ Tunneling on the Switch" in the preceding section to set up a QinQ tunnel on the switch.
4. Click Apply.

Figure 85: Adding an Interface to a QinQ Tunnel

Protocol VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Configuring Protocol VLAN Groups
Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

Parameters
These parameters are displayed:
◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6. If LLC Other is chosen for the Frame Type, the only available Protocol Type is IPX Raw.
Figure 86: Configuring Protocol VLANs

To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.

Figure 87: Displaying Protocol VLANs

Mapping Protocol Groups to Interfaces
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
  ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
  ■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier. (Range: 1-28/52)
◆ Trunk – Trunk Identifier.
Figure 88: Assigning Interfaces to Protocol VLANs

To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.

Figure 89: Showing the Interface to Protocol Group Mapping

Configuring IP Subnet VLANs
Use the VLAN > IP Subnet page to configure IP subnet-based VLANs.
Command Usage
◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a mask. The specified VLAN need not be an existing VLAN.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
Figure 90: Configuring IP Subnet VLANs

To show the configured IP subnet VLANs:
1. Click VLAN, IP Subnet.
2. Select Show from the Action list.

Figure 91: Showing IP Subnet VLANs

Configuring MAC-based VLANs
Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.

Parameters
These parameters are displayed:
◆ MAC Address – A source MAC address which is to be mapped to a specific VLAN. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx.
◆ Mask – Identifies a range of MAC addresses.
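The classification order described in this chapter (the tag for tagged frames; MAC-based, then IP subnet-based, then protocol-based rules for untagged frames, with the port's PVID last) can be modelled as follows. This is an added example, not code from the switch or the vendor: the class and function names, the bitwise reading of the MAC mask, the restriction to Ethernet II frames, and all sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806


def mac_bytes(text):
    """Parse the xx-xx-xx-xx-xx-xx format the guide requires into 6 bytes."""
    parts = text.split("-")
    if len(parts) != 6:
        raise ValueError("MAC must be xx-xx-xx-xx-xx-xx: %r" % text)
    return bytes(int(p, 16) for p in parts)


class VlanClassifier:
    """Hypothetical model of ingress VLAN assignment; not the switch's code."""
    def __init__(self, pvid_by_port):
        self.pvid_by_port = dict(pvid_by_port)
        self.mac_rules = []       # (mac, mask, vlan)
        self.subnet_rules = {}    # IPv4Network -> vlan
        self.protocol_rules = {}  # (port, ethertype) -> vlan

    def add_mac_rule(self, mac, mask, vlan):
        # Assumption: the mask is applied bitwise, as an IP netmask would be.
        self.mac_rules.append((mac_bytes(mac), mac_bytes(mask), vlan))

    def add_subnet_rule(self, cidr, vlan):
        net = ipaddress.IPv4Network(cidr)
        # The guide: each IP subnet can be mapped to only one VLAN ID.
        if self.subnet_rules.get(net, vlan) != vlan:
            raise ValueError("%s is already mapped to another VLAN" % net)
        self.subnet_rules[net] = vlan

    def add_protocol_rule(self, port, ethertype, vlan):
        self.protocol_rules[(port, ethertype)] = vlan

    def classify(self, port, frame):
        """Return (vlan_id, rule_that_decided) for one ingress frame."""
        if len(frame) < 14:
            raise ValueError("truncated Ethernet header")
        src = frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_8021Q:
            if len(frame) < 18:
                raise ValueError("truncated 802.1Q tag")
            (tci,) = struct.unpack("!H", frame[14:16])
            return tci & 0x0FFF, "tag"  # tagged: the VLAN ID in the tag is used
        # Untagged: MAC-based, then IP subnet-based, then protocol-based rules.
        for mac, mask, vlan in self.mac_rules:
            if all((s & m) == (a & m) for s, a, m in zip(src, mac, mask)):
                return vlan, "mac"
        if ethertype == ETH_P_IPV4 and len(frame) >= 34:
            src_ip = ipaddress.IPv4Address(frame[26:30])
            # Overlapping subnets are not covered by the guide; first match wins.
            for net, vlan in self.subnet_rules.items():
                if src_ip in net:
                    return vlan, "ip-subnet"
        vlan = self.protocol_rules.get((port, ethertype))
        if vlan is not None:
            return vlan, "protocol"
        return self.pvid_by_port[port], "pvid"  # port-based VLAN comes last


def build_frame(src, ethertype, payload=b"", tag_vid=None):
    """Constructed sample frame: broadcast destination, optional 802.1Q tag."""
    header = b"\xff" * 6 + mac_bytes(src)
    if tag_vid is not None:
        header += struct.pack("!HH", ETH_P_8021Q, tag_vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def ipv4_header(src_ip, dst_ip="192.0.2.1"):
    """Minimal 20-byte IPv4 header; the checksum is left at zero."""
    fixed = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
    return fixed + ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed


def demo():
    """Classify constructed frames arriving on port 1 (PVID 1)."""
    c = VlanClassifier({1: 1, 2: 1})
    c.add_mac_rule("00-11-22-00-00-00", "ff-ff-ff-00-00-00", 10)
    c.add_subnet_rule("10.20.0.0/16", 20)
    c.add_protocol_rule(1, ETH_P_ARP, 30)
    other = "00-aa-bb-cc-dd-ee"
    frames = {
        "mac+subnet": build_frame("00-11-22-aa-bb-cc", ETH_P_IPV4, ipv4_header("10.20.1.5")),
        "subnet": build_frame(other, ETH_P_IPV4, ipv4_header("10.20.1.5")),
        "arp": build_frame(other, ETH_P_ARP, bytes(28)),
        "no-match": build_frame(other, ETH_P_IPV4, ipv4_header("198.51.100.7")),
        "tagged": build_frame("00-11-22-aa-bb-cc", ETH_P_IPV4, ipv4_header("10.20.1.5"), tag_vid=40),
    }
    return {name: c.classify(1, frame) for name, frame in frames.items()}


if __name__ == "__main__":
    print(demo())
```

The second element of each result names the rule that decided the VLAN, which is the detail to record when auditing why a host landed in a given VLAN: the MAC and IP subnet rules key on fields carried in the frame itself.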
To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Show from the Action list.

Figure 93: Showing MAC-Based VLANs

Configuring VLAN Mirroring
Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.

Parameters
These parameters are displayed:
◆ Source VLAN – A VLAN whose traffic will be monitored. (Range: 1-4093)
◆ Target Port – The destination port that receives the mirrored traffic from the source VLAN.
Configuring VLAN Translation
Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.

Command Usage
◆ QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network.
Web Interface
To configure VLAN translation:
1. Click VLAN, Translation.
2. Select Add from the Action list.
3. Select a port, and enter the original and new VLAN IDs.
4. Click Apply.

Figure 97: Configuring VLAN Translation

To show the mapping entries for VLAN translation:
1. Click VLAN, Translation.
2. Select Show from the Action list.
3. Select a port.
6 Address Table Settings
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

This chapter describes the following topics:
◆ MAC Address Learning – Enables or disables address learning on an interface.
Configuring MAC Address Learning
◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist:
  ■ 802.1X Port Authentication has been globally enabled on the switch (see “Configuring 802.1X Global Settings” on page 345).
  ■ Security Status (see “Configuring Port Security” on page 341) is enabled on the same interface.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
Setting Static Addresses
Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
Web Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
4. Click Apply.

Figure 100: Configuring Static MAC Addresses

To show the static addresses in the MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.
Changing the Aging Time
Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.

Parameters
These parameters are displayed:
◆ Aging Status – Enables/disables the function.
◆ Aging Time – The time after which a learned entry is discarded.
Parameters
These parameters are displayed:
◆ Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
◆ MAC Address – Physical address associated with this interface.
◆ VLAN – ID of configured VLAN (1-4093).
◆ Interface – Indicates a port or trunk.
◆ Type – Shows that the entries in this table are learned.
Clearing the Dynamic Address Table
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.

Parameters
These parameters are displayed:
◆ Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk.

Web Interface
To clear the entries in the dynamic address table:
1.
Configuring MAC Address Mirroring
Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
Figure 105: Mirroring Packets Based on the Source MAC Address

To show the MAC addresses to be mirrored:
1. Click MAC Address, Mirror.
2. Select Show from the Action list.

Figure 106: Showing the Source MAC Addresses to Mirror

Issuing MAC Address Traps
Use the MAC Address > MAC Notification pages to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed.
MAC authentication traps must be enabled at the global level for this attribute to take effect.

Web Interface
To enable MAC address traps at the global level:
1. Click MAC Address, MAC Notification.
2. Select Configure Global from the Step list.
3. Configure MAC notification traps and the transmission interval.
4. Click Apply.

Figure 107: Issuing MAC Address Traps (Global Configuration)

To enable MAC address traps at the interface level:
1.
7 Spanning Tree Algorithm
This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Overview
Figure 109: STP Root Ports and Designated Ports (diagram labels: Designated Root, Designated Bridge, Designated Port, Root Port)

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 214). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
Configuring Loopback Detection
Note: Loopback detection will not be active if Spanning Tree is disabled on the switch.
Note: When configured for manual release mode, then a link down/up event will not release the port from the discarding state.

Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Status – Enables loopback detection on this interface.
Figure 112: Configuring Port Loopback Detection

Configuring Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.

Command Usage
◆ Spanning Tree Protocol
  This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  ■ To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
◆ Cisco Prestandard Status – Configures spanning tree operation to be compatible with Cisco prestandard versions. (Default: Disabled)
  Cisco prestandard versions prior to Cisco IOS Release 12.2(25)SEC do not fully follow the IEEE standard, causing some state machine procedures to function incorrectly. The command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions.
changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
  ■ Default: 15
  ■ Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
  ■ Maximum: 30
RSTP does not depend on the forward delay timer in most cases.
5.
Figure 115: Configuring Global Settings for STA (MSTP)

Displaying Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
root port, then this switch has been accepted as the root device of the Spanning Tree network.
◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
◆ Last Topology Change – Time since the Spanning Tree was last reconfigured.

Web Interface
To display global STA settings:
1. Click Spanning Tree, STA.
2.
Configuring Interface Settings for STA
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 201) or when spanning tree is disabled on a specific port.
Table 11: Default STA Path Costs
Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
Ethernet           65,535                               1,000,000
Fast Ethernet      65,535                               100,000
Gigabit Ethernet   10,000                               10,000
10G Ethernet       1,000                                1,000

◆ Admin Link Type – The link type attached to this interface.
  ■ Point-to-Point – A connection to exactly one other bridge.
  ■ Shared – A connection to two or more bridges.
An interface cannot function as an edge port under the following conditions:
  ■ If spanning tree mode is set to STP (page 201), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  ■ If loopback detection is enabled (page 199) and a loopback BPDU is detected, the interface cannot function as an edge port until the loopback state is released.
Figure 117: Configuring Interface Settings for STA

Displaying Interface Settings for STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.

Parameters
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.
The rules defining port status are:
  ■ A port on a network segment with no other STA compliant bridging device is always forwarding.
  ■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Figure 118: STA Port Roles
R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port
Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.

Web Interface
To display interface settings for STA:
1.
Configuring Multiple Spanning Trees
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

Command Usage
MSTP generates a unique spanning tree for each instance.
Web Interface
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.
To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.

Figure 122: Modifying the Priority for an MST Instance

To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3.
To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.
Configuring Interface Settings for MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.

Parameters
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Default: 0)
◆ Interface – Displays a list of ports or trunks.
◆ STA Status – Displays the current state of this interface within the Spanning Tree.
Web Interface
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.

Figure 126: Configuring MSTP Interface Settings

To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
8 Congestion Control
The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
◆ Rate – Sets the rate limit level. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports; 64 - 10,000,000 kbits per second for 10 Gigabit Ethernet ports)

Web Interface
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required interface.
4. Set the rate limit for the individual ports.
5. Click Apply.
Storm Control
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆ Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which triggers various control responses. However, only one of these control types can be applied to a port.
4. Set the required threshold beyond which the switch will start dropping packets.
5. Click Apply.

Figure 129: Configuring Storm Control

Automatic Traffic Control
Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

Command Usage
ATC includes storm control for broadcast or multicast traffic.
◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
Setting the ATC Timers
Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Figure 132: Configuring ATC Timers

Configuring ATC Thresholds and Responses
Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
event is logged by the system and a Traffic Release Trap can be sent. (Default: Disabled) If automatic control release is not enabled and a control response of rate limiting has been triggered, you can manually stop the rate limiting response using the Manual Control Release attribute. If the control response has shut down a port, it can also be re-enabled using Manual Control Release.
Web Interface
To configure the response timers for automatic storm control:
1. Click Traffic, Auto Traffic Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
4. Click Apply.
9 Class of Service
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Chapter 9 | Class of Service Layer 2 Queue Settings
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
Parameters
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2.
the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
Web Interface
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.
Figure 137: Setting the Queue Mode (Strict and WRR)
Mapping CoS Values to Egress Queues
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 242).
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in Table 13. However, priority levels can be mapped to the switch’s output queues in any way that benefits application traffic for the network.
3. Select a port.
4. Map an internal PHB to a hardware queue. Depending on how an ingress packet is processed internally based on its CoS value, and the assigned output queue, the mapping done on this page can effectively determine the service priority for different traffic classes.
5. Click Apply.
Figure 138: Mapping CoS Values to Egress Queues
To show the internal PHB to hardware queue map:
1. Click Traffic, Priority, PHB to Queue.
2.
Chapter 9 | Class of Service Layer 3/4 Priority Settings
Layer 3/4 Priority Settings
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Trust Mode
  ■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.)
  ■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values.
Web Interface
To configure the trust mode:
1. Click Traffic, Priority, Trust Mode.
2. Set the trust mode for any port.
3. Click Apply.
DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
Web Interface
To map DSCP values to internal PHB/drop precedence:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.
Figure 141: Configuring DSCP to DSCP Internal Mapping
To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
Mapping CoS Priorities to Internal DSCP Values
Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.
Command Usage
◆ The default mapping of CoS to PHB values is shown in Table 16 on page 242.
◆ Enter up to eight CoS/CFI paired values, per-hop behavior and drop precedence.
◆ If a packet arrives with a 802.
Web Interface
To map CoS/CFI values to internal PHB/drop precedence:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any of the CoS/CFI combinations.
5. Click Apply.
To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
3. Select a port.
10 Quality of Service
This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.
Chapter 10 | Quality of Service Configuring a Class Map
Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
Add Rule
◆ Class Name – Name of the class map.
◆ Type – The criteria specified by the match command. (This field is set on the Add page.)
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value. (Range: 0-63)
◆ IP Precedence – An IP Precedence value. (Range: 0-7)
◆ IPv6 DSCP – A DSCP value contained in an IPv6 packet.
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.
Figure 146: Showing Class Maps
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.
Figure 147: Adding Rules to a Class Map
To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Chapter 10 | Quality of Service Creating QoS Policies
Creating QoS Policies
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 246), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (page 259). Configuring QoS policies requires several steps.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
(BP). Action may be taken for traffic conforming to the maximum throughput, exceeding the maximum throughput, or exceeding the peak burst size.
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
Command Usage
◆ A policy map can contain 512 class statements that can be applied to the same interface (page 259). Up to 32 policy maps can be configured for ingress ports.
◆ After using the policy map to define packet classification, service tagging, and bandwidth policing, it must be assigned to a specific interface by a service policy (page 259) to take effect.
Parameters
These parameters are displayed:
Add
◆ Policy Name – Name of policy map.
◆ Meter Mode – Selects one of the following policing methods.
  ■ Flow (Police Flow) – Defines the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and the action to take for conforming and non-conforming traffic.
  ■ Committed Burst Size (BC) – Burst in bytes. (Range: 64-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  ■ Excess Burst Size (BE) – Burst in excess of committed burst size. (Range: 64-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level.
  ■ Committed Burst Size (BC) – Burst in bytes. (Range: 64-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
  ■ Peak Information Rate (PIR) – Rate in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
  ■ Peak Burst Size (BP) – Burst size in bytes.
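How the CIR, BC and BE parameters and the color-blind and color-aware modes interact is easiest to see in a running meter. The following is an added example, not code from this guide or from the switch: it implements the single-rate three-color meter of RFC 2697, on the assumption that the switch's meter follows that algorithm; the class and method names are hypothetical and the traffic pattern is constructed.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTcmMeter:
    """Single-rate three-color meter (RFC 2697) with two token buckets.

    cir_kbps : committed information rate in kilobits per second
    bc_bytes : committed burst size (depth of the committed bucket)
    be_bytes : excess burst size (depth of the excess bucket)
    """

    def __init__(self, cir_kbps, bc_bytes, be_bytes, color_aware=False):
        self.rate = cir_kbps * 1000 / 8          # token rate in bytes per second
        self.bc = bc_bytes
        self.be = be_bytes
        self.tc = float(bc_bytes)                # both buckets start full
        self.te = float(be_bytes)
        self.color_aware = color_aware
        self.last = 0.0                          # time of the last refill, in seconds

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        # Tokens fill the committed bucket first; only the overflow
        # reaches the excess bucket, and anything beyond BE is lost.
        to_committed = min(tokens, self.bc - self.tc)
        self.tc += to_committed
        self.te = min(self.be, self.te + tokens - to_committed)

    def meter(self, now, size, pre_color=GREEN):
        """Return the color of a packet of `size` bytes arriving at `now`."""
        if now < self.last:
            raise ValueError("packets must be metered in time order")
        self._refill(now)
        if not self.color_aware:
            pre_color = GREEN                    # color-blind: treat stream as uncolored
        if pre_color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN                         # within CIR/BC: conforming
        if pre_color in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW                        # beyond BC but within BE
        return RED                               # beyond both bursts


def run(meter, arrivals):
    """Meter a list of (time, size[, pre_color]) tuples and return the colors."""
    return [meter.meter(*arrival) for arrival in arrivals]


if __name__ == "__main__":
    # Constructed burst: fourteen 1000-byte packets at t=0, one more at t=1 s.
    m = SrTcmMeter(cir_kbps=64, bc_bytes=4096, be_bytes=8192)
    burst = [(0.0, 1000)] * 14 + [(1.0, 1000)]
    for (t, size), color in zip(burst, run(m, burst)):
        print(f"t={t:.1f}s size={size} -> {color}")
```

With these values the burst drains the committed bucket after four packets and the excess bucket after eight more, so the last two packets of the burst are red until tokens accumulate again at the committed rate.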
Web Interface
To configure a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add from the Action list.
4. Enter a policy name.
5. Enter a description.
6. Click Add.
Figure 149: Configuring a Policy Map
To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class. Use one of the metering options to define parameters such as the maximum throughput and burst rate.
Chapter 10 | Quality of Service Attaching a Policy Map to a Port
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
Figure 152: Showing the Rules for a Policy Map
Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.
Command Usage
First define a class map, define a policy map, and then bind the service policy to the required interface.
4. Select a policy map from the scroll-down box.
5. Click Apply.
11 VoIP Traffic Configuration
This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organizational Unique Identifier (OUI).
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic
Configuring VoIP Traffic
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
Command Usage
All ports are set to VLAN hybrid mode by default.
Chapter 11 | VoIP Traffic Configuration Configuring Telephony OUI
Figure 154: Configuring a Voice VLAN
Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
Chapter 11 | VoIP Traffic Configuration Configuring VoIP Traffic Ports
7. Click Apply.
Figure 155: Configuring an OUI Telephony List
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
Parameters
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected. (Default: None)
  ■ None – The Voice VLAN feature is disabled on the port. The port will not detect VoIP traffic or be added to the Voice VLAN.
  ■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Web Interface
To configure VoIP traffic settings for a port:
1. Click Traffic, VoIP.
2. Select Configure Interface from the Step list.
3. Configure any required changes to the VoIP settings for each port.
4. Click Apply.
12 Security Measures
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 12 | Security Measures AAA (Authentication, Authorization and Accounting)
◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, or static source bindings.
◆ DHCP Snooping – Filters IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See “Configuring Local/Remote Logon Authentication” on page 269.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3.
  ■ TACACS – User authentication is performed using a TACACS+ server only.
  ■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
Web Interface
To configure the method(s) of controlling management access:
1. Click Security, AAA, System Authentication.
2. Specify the authentication sequence (i.e., one to three methods).
3. Click Apply.
RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
Command Usage
◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
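What "encrypts only the password" means on the wire can be shown by building an Access-Request as RFC 2865 defines it. The following is an added example, not code from this guide or the switch: User-Name is carried in clear text, and User-Password is hidden with an MD5 keystream derived from the shared secret (the switch's Authentication Key), so the confidentiality of the password depends entirely on that key. The user name, password, secret and authenticator are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1        # carried as-is
ATTR_USER_PASSWORD = 2    # the only attribute that is hidden


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += block
        # The chain always runs over the hidden blocks, in both directions.
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    """Client side: pad with NULs to a multiple of 16 bytes, then hide."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden, secret, authenticator):
    """Server side: anyone who holds the shared secret recovers the password."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def attribute(attr_type, value):
    """Encode one type-length-value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = attribute(ATTR_USER_NAME, user)
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"example-shared-key"
    authenticator = bytes(range(16))
    packet = build_access_request(7, b"admin", b"S3cret-passw0rd-longer-than-16",
                                  secret, authenticator)
    attrs = parse_attributes(packet)
    print("User-Name on the wire:    ", attrs[ATTR_USER_NAME])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("Recovered with the secret:",
          reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator))
```

Every other attribute in the request is readable by anyone on the path, which is the practical difference from TACACS+ that the text describes.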
  ■ Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters)
  ■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
◆ TACACS+
  ■ Global – Provides globally applicable TACACS+ settings.
◆ Sequence at Priority - Specifies the server and sequence to use for the group. (Range: 1-5 for RADIUS; 1 for TACACS)
When specifying the priority sequence for a server, the server index must already be defined (see “Configuring Local/Remote Logon Authentication” on page 269).
Web Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2.
Figure 161: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
  ■ Exec – Administrative accounting for local console, Telnet, or SSH connections.
◆ Privilege Level – The CLI privilege levels (0-15). This parameter only applies to Command accounting.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined.
  ■ VTY Method Name – Specifies a user defined method name to apply to Telnet and SSH connections.
Show Information – Summary
◆ Accounting Type - Displays the accounting service.
◆ Method Name - Displays the user-defined or default accounting method.
◆ Server Group Name - Displays the accounting server group.
◆ Interface - Displays the port, console or Telnet interface to which these rules apply.
To configure the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Add from the Action list.
4. Select the accounting type (802.1X, Command, Exec).
5. Specify the name of the accounting method and server group name.
6. Click Apply.
Figure 166: Showing AAA Accounting Methods
To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections:
1. Click Security, AAA, Accounting.
2. Select Configure Service from the Step list.
3. Select the accounting type (802.1X, Command, Exec).
4. Enter the required accounting method.
5. Click Apply.
Figure 168: Configuring AAA Accounting Service for Command Service
Figure 169: Configuring AAA Accounting Service for Exec Service
To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
Figure 170: Displaying a Summary of Applied AAA Accounting Methods
To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.
Parameters
These parameters are displayed:
Configure Method
◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an authorization method for service requests. The “default” method is used for a requested service if no other methods have been defined.
3. Specify the name of the authorization method and server group name.
4. Click Apply.
Figure 172: Configuring AAA Authorization Methods
To show the authorization method applied to the EXEC service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
Chapter 12 | Security Measures Configuring User Accounts
Figure 174: Configuring AAA Authorization Methods for Exec Service
To display the configured authorization method and assigned server groups for the Exec service type:
1. Click Security, AAA, Authorization.
2. Select Show Information from the Step list.
◆ Access Level – Specifies command access privileges. (Range: 0-15)
Levels 0, 8 and 15 are designed for users (guest), managers (network maintenance), and administrators (top-level access). The other levels can be used to configure specialized access profiles.
Levels 0-7 provide the same default access to a limited number of commands which display the current status of the switch, as well as several database clear and reset functions.
Chapter 12 | Security Measures Web Authentication
3. Specify a user name, select the user's access level, then enter a password if required and confirm it.
4. Click Apply.
Figure 176: Configuring User Accounts
To show user accounts:
1. Click Security, User Accounts.
2. Select Show from the Action list.
Figure 177: Showing User Accounts
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.
Note: RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See “Configuring Local/Remote Logon Authentication” on page 269.)
Note: Web authentication cannot be configured on trunk ports.
Configuring Global Settings for Web Authentication
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Figure 178: Configuring Global Settings for Web Authentication
Configuring Interface Settings for Web Authentication
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.
Parameters
These parameters are displayed:
◆ Port – Indicates the port being configured.
◆ Status – Configures the web authentication status for the port.
Chapter 12 | Security Measures Network Access (MAC Address Authentication)
Figure 179: Configuring Interface Settings for Web Authentication
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ When port status changes to down, all MAC addresses mapped to that port are cleared from the secure MAC address table.
For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.”
◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores the “map-ip-dscp” profile.
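Because duplicate and unsupported profiles are dropped silently, a Filter-ID value on the RADIUS server can look stricter than what the switch actually enforces. The following added example (not the switch's own parser) lints Filter-ID strings with the two rules stated above, first occurrence wins and unsupported profiles are ignored; the supported set contains only the profile this section confirms, the handling of items without a "name=value" form is an assumption of this lint, and the user records are constructed.

```python
from dataclasses import dataclass, field

# Profiles this lint treats as supported. Only "service-policy-in" is confirmed
# by the text above; extend the set from the switch documentation (assumption).
SUPPORTED_PROFILES = frozenset({"service-policy-in"})


@dataclass
class FilterIdReport:
    applied: dict = field(default_factory=dict)      # profile -> value that takes effect
    duplicates: list = field(default_factory=list)   # later repeats of an applied profile
    unsupported: list = field(default_factory=list)  # profiles the switch ignores
    malformed: list = field(default_factory=list)    # items without a name=value form

    @property
    def lossy(self):
        """True when part of the attribute would silently not take effect."""
        return bool(self.duplicates or self.unsupported or self.malformed)


def lint_filter_id(attribute, supported=SUPPORTED_PROFILES):
    """Split a Filter-ID value on ';' and classify every profile in it."""
    report = FilterIdReport()
    for item in attribute.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = (part.strip() for part in item.partition("="))
        if not sep or not name or not value:
            report.malformed.append(item)        # lint-only category (assumption)
        elif name not in supported:
            report.unsupported.append(item)      # ignored by the switch
        elif name in report.applied:
            report.duplicates.append(item)       # only the first occurrence applies
        else:
            report.applied[name] = value
    return report


def audit_users(records, supported=SUPPORTED_PROFILES):
    """Return {user: report} for every record whose Filter-ID loses something."""
    findings = {}
    for user, attribute in records.items():
        report = lint_filter_id(attribute, supported)
        if report.lossy:
            findings[user] = report
    return findings


# Constructed RADIUS user records (MAC address as user name -> Filter-ID value).
RADIUS_USERS = {
    "00-11-22-33-44-55": "service-policy-in=p1;service-policy-in=p2",
    "00-11-22-33-44-66": "map-ip-dscp=2:3;service-policy-in=p1",
    "00-11-22-33-44-77": "service-policy-in=voice",
}

if __name__ == "__main__":
    for user, report in audit_users(RADIUS_USERS).items():
        print(user, "applied:", report.applied,
              "dropped:", report.duplicates + report.unsupported + report.malformed)
```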
Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Reauthentication Time – Sets the time period after which a connected host must be reauthenticated.
  ■ Intrusion – Sets the port response to a host MAC authentication failure to either block access to the port or to pass traffic through. (Options: Block, Pass; Default: Block)
  ■ Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication; that is, the Network Access process described in this section.
Web Interface
To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the General button.
4. Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.
◆ Action – The switch can respond in three ways to a link up or down trigger event.
  ■ Trap – An SNMP trap is sent.
  ■ Trap and shutdown – An SNMP trap is sent and the port is shut down.
  ■ Shutdown – The port is shut down.
Web Interface
To configure link detection on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the Link Detection button.
4.
Parameters
These parameters are displayed:
◆ Filter ID – Adds a filter rule for the specified filter.
◆ MAC Address – The filter rule will check ingress packets against the entered MAC address or range of MAC addresses (as defined by the MAC Address Mask).
◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask.
Figure 184: Showing the MAC Address Filter Table for Network Access
Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
Web Interface
To display the authenticated MAC addresses stored in the secure MAC address table:
1. Click Security, Network Access.
2. Select Show Information from the Step list.
3. Use the sort key to display addresses based on MAC address, interface, or attribute.
4.
Chapter 12 | Security Measures Configuring HTTPS
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
Parameters
These parameters are displayed:
◆ HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
◆ HTTPS Port – Specifies the TCP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443)
Web Interface
To configure HTTPS:
1. Click Security, HTTPS.
2. Select Configure Global from the Step list.
3. Enable HTTPS and specify the port number if required.
4. Click Apply.
When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one.
Note: The switch must be reset for the new certificate to be activated.
Chapter 12 | Security Measures Configuring the Secure Shell
Figure 187: Downloading the Secure-Site Certificate
Configuring the Secure Shell
The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b.
Parameters
These parameters are displayed:
◆ SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled)
◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section “Importing User Public Keys” on page 307.
Figure 189: Generating the SSH Host Key Pair
To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4. Select the host-key type to clear.
5. Click Clear.
Figure 190: Showing the SSH Host Key Pair
Importing User Public Keys
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch.
“Configuring User Accounts” on page 284).
◆ User Key Type – The type of public key to upload.
  ■ RSA: The switch accepts an RSA version 1 encrypted public key.
  ■ DSA: The switch accepts a DSA version 2 encrypted public key.
The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the host-key type to clear.
6. Click Clear.
Access Control Lists
Command Usage
The following restrictions apply to ACLs:
◆ The maximum number of ACLs is 512.
◆ The maximum number of rules per system is 2048 rules.
◆ An ACL can have up to 2048 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC ACL on the same packet is to deny it, the packet will be denied (because the decision to deny a packet has a higher priority for security reasons). A packet will also be denied if the IP ACL denies it and the MAC ACL accepts it.
Setting a Time Range
Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied.
Figure 193: Setting the Name of a Time Range
To show a list of time ranges:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Show from the Action list.
Figure 194: Showing a List of Time Ranges
To configure a rule for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of the time range from the drop-down list.
5.
Figure 195: Add a Rule to a Time Range
To show the rules configured for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Show Rule from the Action list.
For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
Parameters
These parameters are displayed:
◆ Total Policy Control Entries – The number of policy control entries in use.
◆ Free Policy Control Entries – The number of policy control entries available for use.
◆ Type – The following filter modes are supported:
  ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
  ■ IP Extended: IPv4 ACL mode filters packets based on the source or destination IPv4 address, as well as the protocol type and protocol port number. If the “TCP” protocol is specified, then you can also filter packets based on the TCP control code.
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
Figure 199: Showing a List of ACLs
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
◆ Time Range – Name of a time range.
Web Interface
To add rules to an IPv4 Standard ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7.
Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
■ 4 (rst) – Reset
■ 8 (psh) – Push
■ 16 (ack) – Acknowledgement
■ 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
■ SYN flag valid, use control-code 2, control bit mask 2
■ Both SYN and ACK valid, use control-code 18, control bit mask 18
■ SYN valid and ACK invalid, use control-code 2, control bit mask 18
◆ Time Range – Name of a time range.
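The control-code and bit-mask pairs listed above, worked through in Python as an added example (it is not code from this guide or from the switch firmware). It assumes the switch compares (flags AND mask) with (code AND mask), which reproduces the three cases in the guide, and that both fields are 6-bit values; all function names and the sample segments are constructed for illustration.

```python
# Added illustration, not vendor code.
# ASSUMPTION: a rule matches when (flags & mask) == (code & mask), the reading
# that reproduces all three examples in the guide; fields are 6-bit (0-63).

# Decimal value of each TCP control bit. 4/8/16/32 are listed in the guide;
# 1 (fin) and 2 (syn) are the standard values of the two remaining bits.
FLAG_BITS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}
MAX_VALUE = 63


def flags_value(*names):
    """Combine flag names into the decimal value entered in the ACL fields."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name.lower()]
    return value


def _check_range(label, value):
    if not isinstance(value, int) or not 0 <= value <= MAX_VALUE:
        raise ValueError(f"{label} must be an integer from 0 to {MAX_VALUE}")


def rule_matches(control_code, bit_mask, segment_flags):
    """Return True if a segment's flags satisfy the control-code/mask pair."""
    _check_range("control code", control_code)
    _check_range("bit mask", bit_mask)
    _check_range("segment flags", segment_flags)
    return (segment_flags & bit_mask) == (control_code & bit_mask)


def describe_rule(control_code, bit_mask):
    """Spell out what a pair requires of each flag: set, clear or ignored."""
    _check_range("control code", control_code)
    _check_range("bit mask", bit_mask)
    result = {}
    for name, bit in FLAG_BITS.items():
        if not bit_mask & bit:
            result[name] = "ignored"   # bit is outside the mask
        elif control_code & bit:
            result[name] = "set"       # masked bit must be 1
        else:
            result[name] = "clear"     # masked bit must be 0
    return result


def uncovered_code_bits(control_code, bit_mask):
    """Flags named in the code but not covered by the mask.

    Under the assumption above these bits cannot influence the comparison,
    so code 18 / mask 2 behaves like code 2 / mask 2. Flag such rules in a
    review: the author most likely meant a wider mask.
    """
    stray = control_code & ~bit_mask & MAX_VALUE
    return [name for name, bit in FLAG_BITS.items() if stray & bit]


# Constructed sample segments (flag combinations only, not a real capture).
SAMPLE_SEGMENTS = {
    "client SYN": flags_value("syn"),
    "server SYN+ACK": flags_value("syn", "ack"),
    "established ACK": flags_value("ack"),
    "data PSH+ACK": flags_value("psh", "ack"),
    "close FIN+ACK": flags_value("fin", "ack"),
    "reset RST": flags_value("rst"),
}

# The three code/mask pairs given in the guide.
GUIDE_RULES = {
    "SYN valid": (2, 2),
    "SYN and ACK valid": (18, 18),
    "SYN valid, ACK invalid": (2, 18),
}


def matching_segments(control_code, bit_mask):
    """Labels of the sample segments that a code/mask pair would catch."""
    return [label for label, flags in SAMPLE_SEGMENTS.items()
            if rule_matches(control_code, bit_mask, flags)]


if __name__ == "__main__":
    for title, (code, mask) in GUIDE_RULES.items():
        print(f"{title} (code {code}, mask {mask}): "
              f"{matching_segments(code, mask)}")
```

Only the third pair (code 2, mask 18) isolates connection-opening segments; the first also catches the SYN+ACK reply, which matters when a rule is meant to deny inbound connection attempts without affecting return traffic.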
Figure 201: Configuring an Extended IPv4 ACL
Configuring a Standard IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.
◆ Action – An ACL can contain any combination of permit or deny rules.
Web Interface
To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the source address type (Any, Host, or IPv6-prefix).
8. If you select “Host,” enter a specific address.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source Address Type – Specifies the source IP address type. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix” to specify a range of addresses. (Options: Any, Host, IPv6-Prefix; Default: Any)
◆ Destination Address Type – Specifies the destination IP address type.
3. Select Add Rule from the Action list.
4. Select IPv6 Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any or IPv6-prefix).
8. If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and prefix length.
9. Set any other required criteria, such as DSCP or next header type.
10. Click Apply.
◆ Action – An ACL can contain any combination of permit or deny rules.
◆ Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bit Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.
7. Select the address type (Any, Host, or MAC).
8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bit mask for an address range.
9. Set any other required criteria, such as VID, Ethernet type, or packet format.
10. Click Apply.
◆ Source/Destination IP Address Type – Specifies the source or destination IPv4 address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Mask fields. (Options: Any, Host, IP; Default: Any)
◆ Source/Destination IP Address – Source or destination IP address.
Figure 205: Configuring an ARP ACL
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
Parameters
These parameters are displayed:
◆ Type – Selects the type of ACLs to bind to a port.
◆ Port – Port identifier.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
Figure 206: Binding a Port to an ACL
Configuring ACL Mirroring
After configuring ACLs, use the Security > ACL > Configure Interface (Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis.
Web Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Add Mirror from the Action list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
Figure 207: Configuring ACL Mirroring
To show the ACLs to be mirrored:
1. Select Configure Interface from the Step list.
2. Select Show Mirror from the Action list.
3. Select a port.
Showing ACL Hardware Counters
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Type – Selects the type of ACL.
◆ Direction – Displays statistics for ingress or egress traffic.
◆ Query – Displays statistics for selected criteria.
◆ ACL Name – The ACL bound to this port.
Figure 209: Showing ACL Statistics
ARP Inspection
ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
■ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
■ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs.
◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
◆ Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
4. Click Apply.
Figure 210: Configuring Global Settings for ARP Inspection
Configuring VLAN Settings for ARP Inspection
Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.
Command Usage
ARP Inspection VLAN Filters (ACLs)
◆ By default, no ARP Inspection ACLs are configured and the feature is disabled.
◆ DAI Status – Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled)
◆ ACL Name – Allows selection of any configured ARP ACLs. (Default: None)
◆ Static – When an ARP ACL is selected, and static mode is also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database.
Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP inspection tests.
◆ Packet Rate Limit – Sets the maximum number of ARP packets that can be processed by CPU per second on trusted or untrusted ports.
Displaying ARP Inspection Statistics
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
Parameters
These parameters are displayed:
Table 19: ARP Inspection Statistics
Parameter – Description
Received ARP packets before ARP inspection rate limit – Count of ARP packets received but not exceeding the ARP Inspection rate limit.
Figure 213: Displaying Statistics for ARP Inspection
Displaying the ARP Inspection Log
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
Parameters
These parameters are displayed:
Table 20: ARP Inspection Log
Parameter – Description
VLAN ID – The VLAN where this packet was seen.
Port – The port where this packet was seen.
Src.
Figure 214: Displaying the ARP Inspection Log
Filtering IP Addresses for Management Access
Use the Security > IP Filter page to create a list of up to 15 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
Command Usage
◆ The management interfaces are open to all IP addresses by default.
■ Telnet – Configures IP address(es) for the Telnet group.
■ All – Configures IP address(es) for all groups.
◆ Start IP Address – A single IP address, or the starting address of a range.
◆ End IP Address – The end address of a range.
Web Interface
To create a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Add from the Action list.
3.
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.
Figure 216: Showing IP Addresses Authorized for Management Access
Configuring Port Security
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 295.
◆ MAC Filter ID – The identifier for a MAC address filter.
◆ Last Intrusion MAC – The last unauthorized MAC address detected.
Configuring 802.1X Port Authentication
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request.
◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS. (Native support for these encryption methods is provided in Windows 8, 7, Vista and XP, and in Windows 2000 with Service Pack 4.
◆ Default – Sets all configurable 802.1X global and port settings to their default values.
Web Interface
To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server.
parameters for those ports which must authenticate clients through the remote authenticator (see “Configuring Port Supplicant Settings for 802.1X” on page 351).
In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
◆ Max Count – The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected.
◆ Intrusion Action – Sets the port’s response to a failed authentication.
  ■ Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.)
  ■ Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (See “Configuring VLAN Groups” on page 156) and mapped on each port (See “Configuring Network Access for Ports” on page 292).
Web Interface
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Authenticator.
4. Modify the authentication settings for each port as required.
5. Click Apply.
Figure 220: Configuring Interface Settings for 802.
Configuring Port Supplicant Settings for 802.1X
Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.1X is enabled and the control mode is set to Force-Authorized (see “Configuring Port Authenticator Settings for 802.
◆ Maximum Start – The maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. (Range: 1-65535; Default: 3)
◆ Authenticated – Shows whether or not the supplicant has been authenticated.
Web Interface
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3.
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
Parameters
These parameters are displayed:
Table 21: 802.1X Statistics
Parameter – Description
Authenticator
Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
Table 21: 802.1X Statistics (Continued)
Parameter – Description
Rx EAP LenError – The number of EAPOL frames that have been received by this Supplicant in which the Packet Body Length field is invalid.
Tx EAPOL Total – The number of EAPOL frames of any type that have been transmitted by this Supplicant.
Tx EAPOL Start – The number of EAPOL Start frames that have been transmitted by this Supplicant.
To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.
Figure 223: Showing Statistics for 802.1X Port Supplicant
DoS Protection
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
◆ Smurf Attack – Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets.
◆ WinNuke Attack – Attacks which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.” This did not cause any damage to, or change data on, the computer’s hard disk, but any unsaved data would be lost.
IPv4 Source Guard
IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 370). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IPv4 address of a neighbor to access the network.
If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
Figure 225: Setting the Filter Type for IPv4 Source Guard
Configuring Static Bindings for IPv4 Source Guard
Use the Security > IP Source Guard > Static Configuration (Configure ACL Table and Configure MAC Table) pages to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier.
■ A valid static IP source guard entry will be added to the binding table in MAC mode if one of the following conditions is true:
  ■ If there is no binding entry with the same IP address and MAC address, a new entry will be added to the binding table using the type of static IP source guard binding entry.
  ■ If there is a binding entry with the same IP address and MAC address, then the new entry shall replace the old one.
Web Interface
To configure static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Configuration.
2. Select Configure ACL Table or Configure MAC Table from the Step list.
3. Select Add from the Action list.
4. Enter the required bindings for each port.
5. Click Apply.
Figure 226: Configuring Static Bindings for IPv4 Source Guard
To display static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Binding.
2.
Displaying Information for Dynamic IPv4 Source Guard Bindings
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
Parameters
These parameters are displayed:
Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4093)
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
Figure 228: Showing the IPv4 Source Guard Binding Table
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (refer to the DHCPv6 Snooping commands in the CLI Reference Guide).
◆ Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table (using the Static Binding page) are automatically configured with an infinite lease time. Dynamic entries learned via DHCPv6 snooping are configured by the DHCPv6 server itself.
Bindings for IPv6 Source Guard” on page 366).
■ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
■ If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled on a port, the dynamic bindings used by ND snooping, DHCPv6 snooping, and IPv6 source guard static bindings cannot exceed the maximum allowed bindings set by this parameter.
◆ Static addresses entered in the source guard binding table are automatically configured with an infinite lease time.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via ND snooping, DHCPv6 snooping, or static addresses configured in the source guard binding table.
■ ND – Dynamic Neighbor Discovery binding, stateless address.
■ STA – Static IPv6 Source Guard binding.
Web Interface
To configure static bindings for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Static Configuration.
2. Select Add from the Action list.
3. Enter the required bindings for each port.
4. Click Apply.
Figure 230: Configuring Static Bindings for IPv6 Source Guard
To display static bindings for IPv6 Source Guard:
1.
Displaying Information for Dynamic IPv6 Source Guard Bindings
Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
Parameters
These parameters are displayed:
Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4093)
◆ MAC Address – A valid unicast MAC address.
◆ IPv6 Address – A valid global unicast IPv6 address.
Figure 232: Showing the IPv6 Source Guard Binding Table
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
◆ Filtering rules are implemented as follows:
  ■ If the global DHCP snooping is disabled, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
DHCP Snooping Option 82
◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay. (Default: Disabled)
◆ DHCP Snooping Information Option Sub-option Format – Enables or disables use of sub-type and sub-length fields in circuit-ID (CID) and remote-ID (RID) in Option 82 information. (Default: Enabled)
◆ DHCP Snooping Information Option Remote ID – Specifies the MAC address, IP address, or arbitrary identifier of the requesting device (i.e.
Figure 233: Configuring Global Settings for DHCP Snooping
DHCP Snooping VLAN Configuration
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
Command Usage
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply.
Figure 234: Configuring DHCP Snooping on a VLAN
Configuring Ports for DHCP Snooping
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network.
Web Interface
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Interface from the Step list.
3. Set any ports within the local network or firewall to trusted.
4. Specify the mode used for sending circuit ID information, and an arbitrary string if required.
5.
◆ Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
◆ Clear – Removes all dynamically learned snooping entries from flash memory.
13 Basic Administration Protocols
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displaying a list of recent event messages.

System Log Configuration
Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
Note: The Flash Level must be equal to or less than the RAM Level.
Note: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.

Figure 238: Showing Error Messages Logged to System Memory

Remote Log Configuration
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
◆ Port - Specifies the UDP port number used by the remote server. (Range: 1-65535; Default: 514)

Web Interface
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers.
3. Click Apply.
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
◆ Server IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified. The switch attempts to connect to the listed servers in sequential order if the first server fails to respond.
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) Transmission Interval
◆ Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down.
Figure 241: Configuring LLDP Timing Attributes

Configuring LLDP Interface Attributes
Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
  ■ Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
  ■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “IEEE 802.1Q VLANs” on page 153). (Default: Enabled)
  ■ VLAN Name – The name of all VLANs to which this interface has been assigned (see “IEEE 802.1Q VLANs” on page 153.
  ■ Network Policy – This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Figure 242: Configuring LLDP Interface Attributes

Configuring LLDP Interface
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Table 23: LLDP MED Location CA Types (Continued)

CA Type   Description                  CA Value Example
21        Landmark or vanity address   Tech Center
26        Unit (apartment, suite)      Apt 519
27        Floor                        5
28        Room                         509B

◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 74).
◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.
◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
Figure 245: Displaying Local Device Information for LLDP (General)
Figure 246: Displaying Local Device Information for LLDP (Port)
Figure 247: Displaying Local Device Information for LLDP (Port Details)
Displaying LLDP Remote Device Information
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 25, "System Capabilities," on page 394.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 25, "System Capabilities," on page 394.)
◆ Management Address List – The management addresses for this device.
Table 27: Remote Port Auto-Negotiation Advertised Capability (Continued)

Bit   Capability
5     100BASE-TX full duplex mode
6     100BASE-T2 half duplex mode
7     100BASE-T2 full duplex mode
8     PAUSE for full-duplex links
9     Asymmetric PAUSE for full-duplex links
10    Symmetric PAUSE for full-duplex links
11    Asymmetric and Symmetric PAUSE for full-duplex links
12    1000BASE-X, -LX, -SX, -CX half duplex mode
13    1000BASE-X, -LX, -SX, -
Port Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.
Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
  ■ Voice
  ■ Voice Signaling
  ■ Guest Signaling
  ■ Guest Voice Signaling
  ■ Softphone Voice
  ■ Video Conferencing
  ■ Streaming Video
  ■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.
  ■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.
Web Interface
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.
Figure 249: Displaying Remote Device Information for LLDP (Port Details)
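The TLV fields listed in this section (Chassis ID, Port ID, System Name, Management Address, VLAN ID and so on) can be checked offline by decoding a captured LLDPDU and listing which optional fields a port actually advertises. The Python code below is an added example, not code from this guide or from the switch vendor; the sample LLDPDU is constructed, and the function names and the set of fields reported as optional are assumptions made for illustration.

```python
import ipaddress
import struct

IEEE_8021_OUI = bytes.fromhex("0080c2")
TEXT_TLVS = {4: "Port Description", 5: "System Name", 6: "System Description"}
# Assumption: the optional fields an auditor wants listed for an edge port.
OPTIONAL_FIELDS = ("Port Description", "System Name", "System Description",
                   "Management Address", "PVID", "VLAN Name")


class LLDPError(ValueError):
    """Raised when an LLDPDU is truncated or structurally invalid."""


def iter_tlvs(pdu):
    """Yield (type, value); each TLV header is a 7-bit type and a 9-bit length."""
    offset = 0
    while offset < len(pdu):
        if len(pdu) - offset < 2:
            raise LLDPError("truncated TLV header at offset %d" % offset)
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if offset + length > len(pdu):
            raise LLDPError("TLV type %d claims %d bytes, only %d left"
                            % (tlv_type, length, len(pdu) - offset))
        value = pdu[offset:offset + length]
        offset += length
        if tlv_type == 0:                      # End of LLDPDU
            return
        yield tlv_type, value


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def decode_identifier(value, mac_subtype):
    """Chassis ID / Port ID value: one subtype byte followed by the identifier."""
    if len(value) < 2:
        raise LLDPError("identifier TLV too short")
    subtype, raw = value[0], value[1:]
    if subtype == mac_subtype and len(raw) == 6:
        return mac_text(raw)
    return raw.decode("utf-8", errors="replace")


def decode_mgmt_address(value):
    """Management Address value: length byte, address family byte, address."""
    if len(value) < 2 or value[0] < 2 or 1 + value[0] > len(value):
        raise LLDPError("bad management address length")
    family, raw = value[1], value[2:1 + value[0]]
    if family == 1 and len(raw) == 4:          # IANA address family 1 = IPv4
        return str(ipaddress.IPv4Address(raw))
    if family == 2 and len(raw) == 16:         # 2 = IPv6
        return str(ipaddress.IPv6Address(raw))
    if family == 6 and len(raw) == 6:          # 6 = 802 media (MAC address)
        return mac_text(raw)
    return raw.hex()


def parse_lldpdu(pdu):
    """Decode the TLVs of one LLDPDU (the bytes after EtherType 0x88cc)."""
    info, addresses = {}, []
    for tlv_type, value in iter_tlvs(pdu):
        if tlv_type == 1:
            info["Chassis ID"] = decode_identifier(value, mac_subtype=4)
        elif tlv_type == 2:
            info["Port ID"] = decode_identifier(value, mac_subtype=3)
        elif tlv_type == 3:
            if len(value) != 2:
                raise LLDPError("TTL must be 2 bytes")
            info["TTL"] = struct.unpack("!H", value)[0]
        elif tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("utf-8", errors="replace")
        elif tlv_type == 8:
            addresses.append(decode_mgmt_address(value))
        elif tlv_type == 127 and value[:3] == IEEE_8021_OUI and len(value) >= 4:
            if value[3] == 1 and len(value) == 6:        # Port VLAN ID (PVID)
                info["PVID"] = struct.unpack("!H", value[4:6])[0]
            elif value[3] == 3 and len(value) >= 7:      # VLAN Name
                name = value[7:7 + value[6]]
                info["VLAN Name"] = name.decode("utf-8", errors="replace")
    for required in ("Chassis ID", "Port ID", "TTL"):
        if required not in info:
            raise LLDPError("missing mandatory %s TLV" % required)
    if addresses:
        info["Management Address"] = addresses
    return info


def advertised_optional(info):
    """Optional fields present in the LLDPDU, i.e. what the sender discloses."""
    return [name for name in OPTIONAL_FIELDS if name in info]


def build_tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU (all values are illustrative, not from a real device).
SAMPLE = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("020000000001")),   # chassis ID: MAC
    build_tlv(2, b"\x05" + b"Eth 1/5"),                      # port ID: ifName
    build_tlv(3, struct.pack("!H", 120)),
    build_tlv(5, b"edge-sw-01"),
    build_tlv(6, b"Layer 2+ switch"),
    build_tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10]) + b"\x02"
              + struct.pack("!I", 1) + b"\x00"),
    build_tlv(127, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 1)),
    build_tlv(0, b""),
])

if __name__ == "__main__":
    decoded = parse_lldpdu(SAMPLE)
    print(decoded)
    print("optional fields advertised:", advertised_optional(decoded))
```

Comparing the output of `advertised_optional` with the TLVs enabled on the Configure Interface page shows whether a port facing untrusted devices advertises more than intended, such as the management address or VLAN details.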
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.

Figure 250: Displaying Remote Device Information for LLDP (End Node)

Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
Figure 251: Displaying LLDP Device Statistics (General)
Figure 252: Displaying LLDP Device Statistics (Port)

Power over Ethernet
The ECS4620-28P/52P can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device.
Ports can be set to one of three power priority levels, critical, high, or low. To control the power supply within the switch’s budget, ports set at critical to high priority have power enabled in preference to those ports set at low priority. For example, when a device connected to a port is set to critical priority, the switch supplies the required power, if necessary by denying power to ports set for a lower priority during bootup.
power is provided to the port only if the switch can drop power to one or more lower-priority ports and thereby remain within its overall budget.
  ■ If a device is connected to a port after the switch has finished booting up and would cause the switch to exceed its budget, power will not be provided to that port regardless of its priority setting.
Figure 253: Setting a Port’s PoE Budget

Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c.
Configuring SNMPv3 Management Access
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
3. Use the Administration > SNMP (Configure Engine) page to change the local engine ID.
4. Click Apply

Figure 254: Configuring Global Settings for SNMP

Setting the Local Engine ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
Figure 255: Configuring the Local Engine ID for SNMP

Specifying a Remote Engine ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Figure 256: Configuring a Remote Engine ID for SNMP

To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
Add OID Subtree
◆ View Name – Lists the SNMP views configured in the Add View page. (Range: 1-32 characters)
◆ OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
Figure 259: Showing SNMP Views

To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
Figure 261: Showing the OID Subtree Configured for SNMP Views

Configuring SNMPv3 Groups
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 29: Supported Notification Messages
Model Level Group

newRoot   1.3.6.1.2.1.17.0.1
  The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange   1.3.6.1.2.1.17.0.
Table 29: Supported Notification Messages (Continued)
Model Level Group

swPowerStatusChangeTrap   1.3.6.1.4.1.259.10.1.24.2.1.0.1
  This trap is sent when the power state changes.
swPortSecurityTrap   1.3.6.1.4.1.259.10.1.24.2.1.0.36
  This trap is sent when the port is being intruded. This trap will only be sent when the portSecActionTrap is enabled.
swIpFilterRejectTrap   1.3.6.1.4.1.259.10.1.24.2.1.0.
Table 29: Supported Notification Messages (Continued)
Model Level Group

swCpuUtiRisingNotification   1.3.6.1.4.1.259.10.1.24.2.1.0.107
  This notification indicates that the CPU utilization has risen from cpuUtiFallingThreshold to cpuUtiRisingThreshold.
swCpuUtiFallingNotification   1.3.6.1.4.1.259.10.1.24.2.1.0.
Web Interface
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply

Figure 262: Creating an SNMP Group

To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
Figure 263: Showing SNMP Groups

Setting Community Access Strings
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
Web Interface
To set a community access string:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add Community from the Action list.
4. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
5. Click Apply

Figure 264: Setting Community Access Strings

To show the community access strings:
1. Click Administration, SNMP.
2.
Configuring Local SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
Web Interface
To configure a local SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Local User from the Action list.
4. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified.
Figure 267: Showing Local SNMPv3 Users

Configuring Remote SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
  ■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
◆ Authentication Password – A minimum of eight plain text characters is required.
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
Figure 268: Configuring Remote SNMPv3 Users

To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
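The requirement to specify the remote engine ID before adding a remote SNMPv3 user follows from how the SNMPv3 User-based Security Model (RFC 3414) derives keys: the password is hashed into a key that is then bound to one engine ID. The Python code below is an added example, not code from this guide or from the switch; it uses the password and engine ID of the RFC 3414 appendix test vectors, while the second engine ID and the message bytes are constructed for illustration.

```python
import hashlib
import hmac

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes of repeated password


def password_to_key(password, algo):
    """Derive the user key Ku from a password (algo: 'md5' or 'sha1')."""
    if len(password) < 8:
        # The switch also requires a minimum of eight characters.
        raise ValueError("password must be at least eight characters")
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku, engine_id, algo):
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul, whole_msg, algo):
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the message, truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def verifies(password, engine_id, whole_msg, tag, algo):
    """Receiver side: recompute the tag with the key localized to engine_id."""
    kul = localize_key(password_to_key(password, algo), engine_id, algo)
    return hmac.compare_digest(auth_tag(kul, whole_msg, algo), tag)


# Inputs of the RFC 3414 appendix A.3 test vectors.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed values: a second engine ID and a stand-in for the message bytes.
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")
SAMPLE_MSG = b"constructed SNMPv3 message with zeroed authentication parameters"


def demo():
    """Show that a tag made for one engine ID fails against another."""
    ku = password_to_key(RFC_PASSWORD, "sha1")
    tag = auth_tag(localize_key(ku, RFC_ENGINE_ID, "sha1"), SAMPLE_MSG, "sha1")
    return {
        "same_engine": verifies(RFC_PASSWORD, RFC_ENGINE_ID, SAMPLE_MSG, tag, "sha1"),
        "other_engine": verifies(RFC_PASSWORD, OTHER_ENGINE_ID, SAMPLE_MSG, tag, "sha1"),
    }


if __name__ == "__main__":
    print(demo())
```

The same password gives unrelated keys on two engines, so a receiver that has the wrong engine ID for a user rejects that user's messages even when the password matches. Of the two authentication options the page lists, SHA is the stronger one.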
Specifying Trap Managers
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
◆ Community String – Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive) Although you can set this string in the Configure Trap – Add page, we recommend defining it in the Configure User – Add Community page.
◆ UDP Port – Specifies the UDP port number used by the trap manager.
  ■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
  ■ Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
5.
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.

Figure 273: Showing Trap Managers

Creating SNMP Notification Logs
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
◆ When a trap host is created using the Administration > SNMP (Configure Trap – Add) page described on page 430, a default notify filter will be created.

Parameters
These parameters are displayed:
◆ IP Address – The IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap – Add) page. The notification log is stored locally.
Figure 275: Showing SNMP Notification Logs

Showing SNMP Statistics
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.

Parameters
The following counters are displayed:
◆ SNMP packets input – The total number of messages delivered to the SNMP entity from the transport service.
◆ SNMP packets output – The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service.
◆ Too big errors – The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error-status field is “tooBig.
Remote Monitoring
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
◆ Sample Type – Tests for absolute or relative changes in the specified variable.
  ■ Absolute – The variable is compared directly to the thresholds at the end of the sampling period.
  ■ Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.
Figure 277: Configuring an RMON Alarm

To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.

Command Usage
◆ If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
Web Interface
To configure an RMON event:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
6.
Figure 280: Showing Configured RMON Events

Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800 seconds)
◆ Buckets - The number of buckets requested for this entry. (Range: 1-65536; Default: 50) The number of buckets granted is displayed on the Show page.
◆ Owner - Name of the person who created this entry. (Range: 1-127 characters)

Web Interface
To periodically sample statistics on a port:
1. Click Administration, RMON.
2.
4. Select a port from the list.
5. Click History.

Figure 282: Showing Configured RMON History Samples

To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

Command Usage
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
Figure 284: Configuring an RMON Statistical Sample

To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.

Figure 285: Showing Configured RMON Statistical Samples

To show collected RMON statistical samples:
1. Click Administration, RMON.
2.
Figure 286: Showing Collected RMON Statistical Samples

Switch Clustering
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
  1. Create VLAN 4093 (see “Configuring VLAN Groups” on page 156).
  2. Add the participating ports to this VLAN (see “Adding Static Members to VLANs” on page 159), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Web Interface
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4. Click Apply

Figure 287: Configuring a Switch Cluster

Cluster Member Configuration
Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members.
Web Interface
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.

Figure 288: Configuring a Cluster Members

To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.

Figure 290: Showing Cluster Candidates

Managing Cluster Members
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.

Parameters
These parameters are displayed:
◆ Member ID – The ID number of the Member switch.
Web Interface
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.

Figure 291: Managing a Cluster Member

Ethernet Ring Protection Switching
Note: Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.
Operational Concept
Loop avoidance in the ring is achieved by guaranteeing that, at any time, traffic may flow on all but one of the ring links. This particular link is called the ring protection link (RPL), and under normal conditions this link is blocked to traffic. One designated node, the RPL owner, is responsible for blocking traffic over the RPL.
Figure 292: ERPS Ring Components (diagram labels: West Port, East Port, RPL (Idle State), RPL Owner, CC Messages)

Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology.
Interconnection nodes C and D have separate ERP Control Processes for each Ethernet Ring. Figure 293 on page 456 (Signal Fail Condition) illustrates a situation where protection switching has occurred due to an SF condition on the ring link between interconnection nodes C and D. The failure of this ring link triggers protection only on the ring to which it belongs, in this case ERP1.
that the ring has stabilized before blocking the RPL after recovery from a signal failure.
5. Configure the ERPS control VLAN (Configure Domain – Configure Details): Specify the control VLAN (CVLAN) used to pass R-APS ring maintenance commands. The CVLAN must NOT be configured with an IP address. In addition, only ring ports may be added to the CVLAN (prior to configuring the VLAN as a CVLAN).
ERPS Global Configuration
Use the Administration > ERPS (Configure Global) page to globally enable or disable ERPS on the switch.

Parameters
These parameters are displayed:
◆ ERPS Status – Enables ERPS on the switch. (Default: Disabled)
ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring (by setting the Admin Status on the Configure Domain – Configure Details page).
Parameters
These parameters are displayed:

Add
◆ Domain Name – Name of an ERPS ring. (Range: 1-12 characters)
◆ Domain ID – ERPS ring identifier used in R-APS messages. (Range: 1-255)

Show
◆ Domain Name – Name of a configured ERPS ring.
◆ ID – ERPS ring identifier used in R-APS messages.
◆ Admin Status – Shows whether ERPS is enabled on the switch.
◆ Ver – Shows the ERPS version.
generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
■ Forwarding – The transmission and reception of traffic is allowed; transmission, reception and forwarding of R-APS messages is allowed.
■ Unknown – The interface is not in a known state (includes the domain being disabled).
◆ Local SF – A signal fault generated on a link to the local node.
■ Revertive/Non-revertive recovery
■ Forced Switch (FS) and Manual Switch (MS) commands for manually blocking a particular ring port
■ Flush FDB (forwarding database) logic which reduces the amount of flush FDB operations in the ring
■ Support of multiple ERP instances on a single ring

Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently.
◆ Node Type – Shows ERPS node type as one of the following:
■ None – Node is neither Ring Protection Link (RPL) owner nor neighbor. (This is the default setting.)
■ RPL Owner – Specifies a ring node to be the RPL owner.
  ■ Only one RPL owner can be configured on a ring.
protection reversion, or until there is another higher priority request (e.g., an SF condition) in the ring. A ring node that has one ring port in an SF condition and detects the SF condition cleared, continuously transmits the R-APS (NR – no request) message with its own Node ID as the priority information over both ring ports, informing that no request is present at this ring node and initiates a guard timer.
its RPL port, and transmits an R-APS (NR, RB) message in both directions, repeatedly.
d. Upon receiving an R-APS (NR, RB) message, any blocking node should unblock its non-failed ring port. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush the FDB.
b. Then, after the operator issues the Clear command (Configure Operation page) at the RPL Owner Node, this ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB) message on both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition.
c. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all Ethernet Ring Nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
■ Recovery with non-revertive mode is handled as follows:
a.
The node identifier may also be used for debugging, such as to distinguish messages when a node is connected to more than one ring.
◆ R-APS with VC – Configures an R-APS virtual channel to connect two interconnection points on a sub-ring, allowing ERPS protocol traffic to be tunneled across an arbitrary Ethernet network. (Default: Enabled)
■ A sub-ring may be attached to a primary ring with or without a virtual channel.
are terminated on the interconnection points. Since the sub-ring does not provide an R-APS channel nor R-APS virtual channel beyond the interconnection points, R-APS channel blocking is not employed on the normal ring links to avoid channel segmentation.
again. The major ring will not be broken, but the bandwidth of data traffic on the major ring may suffer for a short period of time due to this flooding behavior.
◆ Non-ERPS Device Protection – Sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through Signal Fault messages.
In order to coordinate timing of protection switches at multiple layers, a holdoff timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer.
If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
◆ WTB Expire – The time before the wait-to-block timer expires.
how ERPS recovers from a node failure, refer to the description of the Revertive parameter on this configuration page.
◆ RPL – If node is connected to the RPL, this shows by which interface.

Web Interface
To create an ERPS ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Add from the Action list.
4. Enter a name and optional identifier for the ring.
5. Click Apply.
Figure 299: Creating an ERPS Ring

To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
ERPS Forced and Manual Mode Operations
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.

Parameters
These parameters are displayed:
◆ Domain Name – Name of a configured ERPS ring.
◆ Operation – Specifies a Forced Switch (FS) or Manual Switch (MS) operation on the east or west ring port.
■ Forced Switch – Blocks specified ring port.
command. As such, two or more forced switches are allowed in the ring, which may inadvertently cause the segmentation of a ring. It is the responsibility of the operator to prevent this effect if it is undesirable.
Ring protection requests, commands and R-APS signals have the priorities as specified in the following table.
■ Manual Switch – Blocks specified ring port, in the absence of a failure or an FS command. (Options: West or East)
  ■ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the Manual Switch command triggers protection switching as follows:
a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
■ Recovery for manual switching under revertive and non-revertive mode is described under the Revertive parameter.
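The loop-avoidance rule (traffic flows on all but one ring link) and the warning that two or more forced switches can segment a ring can be checked before an operator issues the command. The Python sketch below is an added example, not part of this guide or of the switch software; the ring model (link i joins node i and node i+1), the function names and the six-node sample ring are assumptions made for illustration.

```python
def active_blocks(rpl_link, failed=(), forced=()):
    """Links that carry no traffic in the current ring state.

    Assumption of this model: while any Signal Fail (failed) or Forced
    Switch (forced) request is active the ring is in protection state and
    the RPL is unblocked; with no request only the RPL is blocked (Idle).
    """
    protecting = set(failed) | set(forced)
    return protecting if protecting else {rpl_link}


def has_loop(n_nodes, blocked):
    """A single ring loops only when none of its links is blocked."""
    return not any(link in blocked for link in range(n_nodes))


def segments(n_nodes, blocked):
    """Groups of nodes that can still reach each other.

    Link i joins node i and node (i + 1) % n_nodes.
    """
    parent = list(range(n_nodes))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for link in range(n_nodes):
        if link not in blocked:
            a, b = find(link), find((link + 1) % n_nodes)
            parent[a] = b
    groups = {}
    for node in range(n_nodes):
        groups.setdefault(find(node), []).append(node)
    return sorted(groups.values())


def precheck_forced_switch(n_nodes, rpl_link, new_fs, failed=(), forced=()):
    """Evaluate a Forced Switch on link `new_fs` before it is issued."""
    blocked = active_blocks(rpl_link, failed, set(forced) | {new_fs})
    segs = segments(n_nodes, blocked)
    return {
        "blocked": sorted(blocked),
        "segments": segs,
        "segmented": len(segs) > 1,
        "loop": has_loop(n_nodes, blocked),
    }


if __name__ == "__main__":
    # Constructed ring: 6 nodes, RPL is link 5 (between node 5 and node 0).
    print("idle:", segments(6, active_blocks(5)))
    print("first FS on link 2:", precheck_forced_switch(6, 5, new_fs=2))
    print("second FS on link 4:",
          precheck_forced_switch(6, 5, new_fs=4, forced=[2]))
```

A result with "segmented" set to True means the requested Forced Switch would split the ring into the listed node groups, which is the effect the guide leaves to the operator to prevent.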
Chapter 13 | Basic Administration Protocols Connectivity Fault Management

Figure 301: Blocking an ERPS Ring Port

Connectivity Fault Management
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e.
Figure 303: Multiple CFM Maintenance Domains (labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA)

Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
Configuring Global Settings for CFM
Use the Administration > CFM (Configure Global) page to configure global settings for CFM, such as enabling the CFM process on the switch, setting the start-up delay for cross-check operations, configuring parameters for the link trace cache, and enabling traps for events discovered by continuity check messages or cross-check messages.
name, MA name, MEPID, sequence number, and TTL value (see "Displaying Fault Notification Settings").
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes)
Before setting the aging time for cache entries, the cache must first be enabled in the Link Trace Cache attribute field.
◆ Link Trace Cache Size – The maximum size for the link trace cache.
A MEP Missing trap is sent if cross-checking is enabled, and no CCM is received for a remote MEP configured in the static list.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up.
A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list.

Web Interface
To configure global settings for CFM:
1. Click Administration, CFM.
2.
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.

Command Usage
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
Command Usage
Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
◆ More than one domain can be configured at the same maintenance level, but a single domain can only be configured with one maintenance level.
Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that the configured time period (MEP Fault Notify Alarm Time) has passed with one or more defects indicated, and fault alarms are enabled at or above the specified priority level (MEP Fault Notify Lowest Priority).
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain. (Range: 0-7)
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this domain:
■ Default – MIPs can be created for any maintenance association (MA) configured in this domain on any bridge port through which the MA’s VID can pass.
5. Specify the manner in which MIPs can be created within each domain.
6. Click Apply.

Figure 306: Configuring Maintenance Domains

To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Show from the Action list.

Figure 307: Showing Maintenance Domains

To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2.
Figure 308: Configuring Detailed Settings for Maintenance Domains

Configuring CFM Maintenance Associations
Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
◆ If a maintenance point fails to receive three consecutive CCMs from any other MEP in the same MA, a connectivity failure is registered.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
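The continuity-check rules above (three missed CCMs, invalid MEPID, lower maintenance level) and the cross-check traps described under the global settings (MEP Missing, MEP Unknown) can also be applied offline to a record of received CCMs, for example to spot an unconfigured MEP announcing itself on a monitored MA. The Python sketch below is an added example, not code from the switch or from this guide; the record layout, fault labels, function name and sample data are constructed for illustration, and it assumes all records come from the VLAN of one MA.

```python
from dataclasses import dataclass

MEP_ID_MIN, MEP_ID_MAX = 1, 8191   # MEP ID range stated in the guide
MISSED_CCMS = 3                    # "three consecutive CCMs"


@dataclass(frozen=True)
class Ccm:
    """One received CCM (record layout constructed for this example)."""
    t: float        # receive time, seconds
    md_level: int   # maintenance level carried in the frame (0-7)
    mep_id: int     # MEP ID of the sender


def classify_ccms(ccms, local_level, local_mep_id, static_remote_meps,
                  ccm_interval, now):
    """Return a sorted list of (fault, mep_id) tuples for one local MEP.

    static_remote_meps is the statically configured remote MEP list used
    for cross-checking; ccm_interval is the CCM interval in seconds.
    """
    faults = set()
    last_seen = {}
    for ccm in sorted(ccms, key=lambda c: c.t):
        if ccm.md_level > local_level:
            # Assumption: frames of a higher level belong to an enclosing
            # domain and are not evaluated by this MEP.
            continue
        if ccm.md_level < local_level:
            faults.add(("LOWER_MD_LEVEL", ccm.mep_id))
            continue
        # Assumption: a CCM carrying our own MEP ID counts as invalid.
        if (not MEP_ID_MIN <= ccm.mep_id <= MEP_ID_MAX
                or ccm.mep_id == local_mep_id):
            faults.add(("INVALID_MEPID", ccm.mep_id))
            continue
        if ccm.mep_id not in static_remote_meps:
            faults.add(("MEP_UNKNOWN", ccm.mep_id))
        last_seen[ccm.mep_id] = ccm.t

    # Cross-check: configured peers from which no valid CCM was received.
    for mep_id in static_remote_meps:
        if mep_id not in last_seen:
            faults.add(("MEP_MISSING", mep_id))
    # Connectivity failure: a peer that was heard, then went silent for
    # more than three CCM intervals (threshold chosen for this example).
    for mep_id, t in last_seen.items():
        if now - t > MISSED_CCMS * ccm_interval:
            faults.add(("CCM_LOSS", mep_id))
    return sorted(faults)


# Constructed sample: local MEP 1 at level 4; peers 2, 3 and 4 configured.
SAMPLE = (
    [Ccm(float(t), 4, 2) for t in range(0, 11)]     # healthy peer
    + [Ccm(float(t), 4, 3) for t in range(0, 3)]    # stops after t=2
    + [Ccm(float(t), 4, 77) for t in range(8, 11)]  # not in static list
    + [Ccm(6.0, 2, 9),                              # lower level
       Ccm(7.0, 4, 1),                              # duplicates local MEP ID
       Ccm(8.0, 6, 5)]                              # higher level, ignored
)

if __name__ == "__main__":
    for fault, mep in classify_ccms(SAMPLE, 4, 1, {2, 3, 4}, 1.0, 10.5):
        print(f"{fault:16} MEP {mep}")
```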
◆ MA Name Format – Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format.
■ Character String – IEEE 802.1ag defined character string format. This is an IETF RFC 2579 DisplayString.
■ ICC Based – ITU-T SG13/SG15 Y.1731 defined ICC based format.
◆ Interval Level – The delay between sending CCMs.
4. Select an entry from the MD Index list.
5. Specify the MAs assigned to each domain, the VLAN through which CFM messages are passed, and the manner in which MIPs can be created within each MA.
6. Click Apply.

Figure 309: Creating Maintenance Associations

To show the configured maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Show from the Action list.
4.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6. Click Apply.

Figure 311: Configuring Detailed Settings for Maintenance Associations

Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs).
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier. (Range: 1-8191)
◆ MEP Direction – Up indicates that the MEP faces inward toward the switch cross-connect matrix, and transmits CFM messages towards, and receives them from, the direction of the internal bridge relay mechanism.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.

Figure 313: Showing Maintenance End Points

Configuring Remote Maintenance End Points
Use the Administration > CFM (Configure Remote MEP – Add) page to specify remote maintenance end points (MEPs) set on other CFM-enabled devices within a common MA.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191)

Web Interface
To configure a remote maintenance end point:
1. Click Administration, CFM.
2. Select Configure Remote MEP from the Step list.
3.
Figure 315: Showing Remote Maintenance End Points

Transmitting Link Trace Messages
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).

Command Usage
◆ LTMs can be targeted to MEPs, not MIPs.
Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a link trace message.
Figure 316: Transmitting Link Trace Messages

Transmitting Loop Back Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a loopback message. (Range: 1-8191)
■ MAC Address – MAC address of a remote MEP that is the target of a loopback message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
◆ Count – The number of times the loopback message is sent. (Range: 1-1024)
◆ Packet Size – The size of the loopback message.
Transmitting Delay-Measure Requests
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.

Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this function.
◆ Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds; Default: 1 second)
◆ Timeout – The timeout to wait for a response. (Range: 1-5 seconds; Default: 5 seconds)

Web Interface
To transmit delay-measure messages:
1. Click Administration, CFM.
2. Select Transmit Delay Measure from the Step list.
3.
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Details for Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.

Parameters
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ MEP ID – Maintenance end point identifier.
◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.

Web Interface
To show detailed information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5.
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)

Parameters
These parameters are displayed:
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
Displaying Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

Parameters
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MA Name – Maintenance association name.
Displaying Details for Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

Parameters
These parameters are displayed:
◆ MD Index – Domain index.
■ Down – The interface cannot pass packets.
■ Testing – The interface is in some test mode.
■ Unknown – The interface status cannot be determined for some reason.
■ Dormant – The interface is not in a state to pass packets but is in a pending state, waiting for some external event.
■ Not Present – Some component of the interface is missing.
Displaying the Link Trace Cache
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.

Parameters
These parameters are displayed:
◆ Hops – The number of hops taken to reach the target MEP.
◆ MA – Maintenance association name.
◆ IP Address / Alias – IP address or DNS alias of the target device’s CPU.
■ HIT – Target located on this device.

Web Interface
To show information about link trace operations launched from this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Link Trace Cache from the Action list.
Web Interface
To show configuration settings for the fault notification generator:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Fault Notification Generator from the Action list.
Chapter 13 | Basic Administration Protocols OAM Configuration

■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
■ OVERLAP_LEV – A MEP is created for one VID at one maintenance level, but a MEP is configured on another VID at an equivalent or higher level, exceeding the bridge's capabilities.
◆ MA Name – The maintenance association for this entry.

Web Interface
To show CFM continuity check errors:
1.
◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.

Table 33: OAM Operation State
State        Description
Disabled     OAM is disabled on this interface via the OAM Admin Status.
Link Fault   The link has detected a fault or the interface is not operational.
■ Critical Event – If a critical event occurs, the local OAM entity indicates this to its peer by setting the appropriate flag in the next OAMPDU to be sent and stores this information in its OAM event log. (Default: Enabled)
Critical events include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
Figure 327: Enabling OAM for Local Ports

Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Clear – Clears statistical counters for the selected ports.
Web Interface
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.

Figure 328: Displaying Statistics for OAM Messages

Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.

Command Usage
◆ When a link event occurs, no matter whether the location is local or remote, this information is entered in the OAM event log.
Figure 329: Displaying the OAM Event Log

Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.

Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ MAC Address – MAC address of the OAM peer.
◆ OUI – Organizational Unit Identifier of the OAM peer.
Web Interface
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.

Figure 330: Displaying Status of Remote Interfaces

Configuring a Remote Loopback Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
◆ Loopback Status – Shows if loopback testing is currently running.

Loopback Test Parameters
◆ Packet Number – Number of packets to send. (Range: 1-99999999; Default: 10000)
◆ Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Test – Starts the loop back test.
◆ End – Stops the loop back test.

Loop Back Status of Remote Device
◆ Result – Shows the loop back status on the peer.
3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4. Set the number of packets to send and the packet size, and then click Test.
Chapter 13 | Basic Administration Protocols UDLD Configuration

Figure 332: Displaying the Results of Remote Loop Back Testing

UDLD Configuration
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Configuring UDLD Protocol Intervals
Use the Administration > UDLD > Configure Global page to configure the UniDirectional Link Detection message probe interval, detection interval, and recovery interval.

Parameters
These parameters are displayed:
◆ Message Interval – Configures the message interval between UDLD probe messages for ports in the advertisement phase and determined to be bidirectional.
Web Interface
To configure the UDLD message probe interval, detection interval, and recovery interval:
1. Click Administration, UDLD, Configure Global.
2. Select Configure Global from the Step list.
3. Configure the message and detection intervals.
4. Enable automatic recovery if required, and set the recovery interval.
5. Click Apply.
ends without the proper echo information being received, the link is considered to be unidirectional.
◆ Aggressive Mode – Reduces the shut-down delay after loss of bidirectional connectivity is detected. (Default: Disabled)
UDLD can function in two modes: normal mode and aggressive mode.
Web Interface
To enable UDLD and aggressive mode:
1. Click Administration, UDLD, Configure Interface.
2. Enable UDLD and aggressive mode on the required ports.
3. Click Apply.

Figure 334: Configuring UDLD Interface Settings

Displaying UDLD Neighbor Information
Use the Administration > UDLD (Show Information) page to show UDLD neighbor information, including neighbor state, expiration time, and protocol intervals.
Web Interface
To display UDLD neighbor information:
1. Click Administration, UDLD, Show Information.
2. Select an interface from the Port list.
14 Multicast Filtering

This chapter describes how to configure the following multicast services:
◆ IGMP – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast service, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
Chapter 14 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4)

Figure 336: Multicast Filtering Concept (labels: Unicast Flow, Multicast Flow)

This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.

When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports. The primary enhancement provided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused.
Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 538).
Note: Multicast routers use this information from IGMP snooping and query reports, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
Parameters
These parameters are displayed:
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
By default, the switch immediately enters into “multicast flooding mode” when a spanning tree topology change occurs. In this mode, multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive packet loss on the link between the switch and the end host.
◆ Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-7, where 7 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
Figure 337: Configuring General Settings for IGMP Snooping
Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.
Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Show Static Multicast Router
◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.
◆ Interface – Shows the interface to which the specified static multicast routers are attached.
Show Current Multicast Router
◆ VLAN – Selects the VLAN for which to display any currently active multicast routers.
◆ Interface – Shows the interface to which an active multicast router is attached.
Figure 339: Showing Static Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM) to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
Command Usage
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Note: The default values recommended in the MRD draft are implemented in the switch.
Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
Parameters
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4093)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts. (Default: Disabled)
By default, general query messages are flooded to all ports, except for the multicast router through which they are received. If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
This attribute applies when the switch is serving as the querier (page 532), or as a proxy host when IGMP snooping proxy reporting is enabled (page 532).
◆ Query Response Interval – The maximum time the system waits for a response to general queries.
Web Interface
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
Figure 343: Configuring IGMP Snooping on a VLAN
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
Filtering IGMP Query Packets and Multicast Data
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.
Parameters
These parameters are displayed:
◆ Interface – Port or Trunk identifier.
◆ IGMP Query Drop – Configures an interface to drop any IGMP query packets received on the specified interface.
Parameters
These parameters are displayed:
◆ VLAN – An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address.
◆ Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
Parameters
These parameters are displayed:
◆ VLAN – VLAN identifier. (Range: 1-4093)
◆ Port – Port identifier. (Range: 1-28/52)
◆ Trunk – Trunk identifier. (Range: 1-16)
Query Statistics
◆ Other Querier – IP address of remote querier on this interface.
◆ V3 Warning Count – The number of times the query version received (Version 3) does not match the version configured for this interface.
VLAN, Port, and Trunk Statistics
Input Statistics
◆ Report – The number of IGMP membership reports received on this interface.
◆ Leave – The number of leave messages received on this interface.
◆ G Query – The number of general query messages received on this interface.
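The IGMP Query Drop setting and the Report, Leave and G Query input counters described above can be modelled offline. The following is an added example, not code from this guide or from the switch firmware: it parses IGMP payloads, verifies the checksum, counts them per port, and drops queries that arrive on ports where Query Drop is enabled. The port numbers, counter names and sample messages are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

# IGMP message types (RFC 1112, RFC 2236, RFC 3376).
QUERY, V1_REPORT, V2_REPORT, V2_LEAVE, V3_REPORT = 0x11, 0x12, 0x16, 0x17, 0x22


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str = "0.0.0.0", max_resp: int = 0) -> bytes:
    """Build an 8-byte IGMPv1/v2 message with a valid checksum (sample input only)."""
    addr = ipaddress.IPv4Address(group).packed
    csum = inet_checksum(struct.pack("!BBH4s", msg_type, max_resp, 0, addr))
    return struct.pack("!BBH4s", msg_type, max_resp, csum, addr)


def classify(payload: bytes) -> str:
    """Map an IGMP payload to a counter name; 'invalid' if malformed."""
    # A message whose checksum field is correct sums to zero.
    if len(payload) < 8 or inet_checksum(payload) != 0:
        return "invalid"
    msg_type = payload[0]
    if msg_type == QUERY:
        # Group 0.0.0.0 marks a general query; any other group is group-specific.
        group = ipaddress.IPv4Address(payload[4:8])
        return "g_query" if int(group) == 0 else "sp_query"
    if msg_type in (V1_REPORT, V2_REPORT, V3_REPORT):
        return "report"
    if msg_type == V2_LEAVE:
        return "leave"
    return "other"


class SnoopingModel:
    """Per-port input counters plus the IGMP Query Drop decision."""

    def __init__(self, query_drop_ports):
        self.query_drop_ports = set(query_drop_ports)
        self.stats = defaultdict(Counter)

    def receive(self, port: int, payload: bytes) -> str:
        kind = classify(payload)
        self.stats[port][kind] += 1
        if kind == "invalid":
            return "drop"
        if kind in ("g_query", "sp_query") and port in self.query_drop_ports:
            # A query on a host-facing port means something other than the
            # legitimate querier is trying to steer group membership.
            self.stats[port]["query_dropped"] += 1
            return "drop"
        return "forward"


def demo():
    # Constructed scenario: port 25 is the uplink toward the real querier,
    # ports 3 and 4 are access ports with IGMP Query Drop enabled.
    model = SnoopingModel(query_drop_ports={3, 4})
    corrupted = bytearray(build_igmp(V2_REPORT, "239.1.1.1"))
    corrupted[7] ^= 0xFF  # damage the group address so the checksum fails
    frames = [
        (25, build_igmp(QUERY, max_resp=100)),       # general query from uplink
        (3, build_igmp(V2_REPORT, "239.1.1.1")),     # host join
        (3, build_igmp(QUERY, max_resp=100)),        # general query from a host port
        (4, build_igmp(QUERY, "239.1.1.1", 10)),     # group-specific query from a host port
        (3, build_igmp(V2_LEAVE, "239.1.1.1")),      # host leave
        (4, bytes(corrupted)),
    ]
    actions = [model.receive(port, frame) for port, frame in frames]
    return model, actions


if __name__ == "__main__":
    model, actions = demo()
    print(actions)
    for port in sorted(model.stats):
        print(port, dict(model.stats[port]))
```

A non-zero `query_dropped` count on an access port is worth investigating, since end hosts normally send reports and leaves, not queries.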
Figure 347: Displaying IGMP Snooping Statistics – Query
To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3. Select a VLAN.
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Figure 349: Displaying IGMP Snooping Statistics – Port
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users.
switch randomly removes an existing group and replaces it with the new multicast group.
Enabling IGMP Filtering and Throttling
Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.
Parameters
These parameters are displayed:
◆ IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch.
Parameters
These parameters are displayed:
Add
◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295)
◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny)
When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 352: Showing the IGMP Filtering Profiles Created
To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4.
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
Chapter 14 | Multicast Filtering
MLD Snooping (Snooping and Query for IPv6)
◆ Current Multicast Groups – Displays the current multicast groups the interface has joined.
◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny)
■ Deny - The new multicast group join report is dropped.
■ Replace - The new multicast group replaces an existing group.
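To reason about a filter profile and a throttling limit before applying them to a port, the decision sequence described in this section can be modelled as below. This is an added example, not code from this guide or from the switch: the class and function names are hypothetical, the group addresses are constructed, and the deny-mode behaviour (joins inside the range are dropped) is an assumption, since only permit mode is spelled out above.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class FilterProfile:
    """An IGMP filter profile: an access mode plus multicast group ranges."""
    access_mode: str = "deny"                      # guide default: Deny
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    def permits(self, group: str) -> bool:
        g = ip_int(group)
        in_range = any(ip_int(lo) <= g <= ip_int(hi) for lo, hi in self.ranges)
        # Permit: joins are processed when the group is inside the range.
        # Deny: assumed mirror image, joins inside the range are dropped.
        return in_range if self.access_mode == "permit" else not in_range


@dataclass
class Port:
    profile: Optional[FilterProfile] = None
    max_groups: Optional[int] = None               # None = no throttling limit
    throttle_action: str = "deny"                  # guide default: Deny
    groups: Set[str] = field(default_factory=set)


def process_join(port: Port, group: str, filter_enabled: bool = True,
                 rng: Optional[random.Random] = None) -> Tuple[str, Optional[str]]:
    """Return (result, evicted_group) for one IGMP join report on a port."""
    if not ipaddress.IPv4Address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if group in port.groups:
        return "already-member", None
    if filter_enabled:                             # IGMP Filter Status (global)
        if port.profile is not None and not port.profile.permits(group):
            return "filtered", None
        if port.max_groups is not None and len(port.groups) >= port.max_groups:
            if port.throttle_action == "deny" or not port.groups:
                return "throttled", None
            # Replace: a randomly chosen existing group makes room for the new one.
            victim = (rng or random).choice(sorted(port.groups))
            port.groups.remove(victim)
            port.groups.add(group)
            return "replaced", victim
    port.groups.add(group)
    return "joined", None


def demo():
    # Constructed scenario: a subscriber port limited to two groups
    # from a permitted range.
    iptv = FilterProfile("permit", [("239.1.1.1", "239.1.1.10")])
    port = Port(profile=iptv, max_groups=2, throttle_action="deny")
    results = [process_join(port, g)[0]
               for g in ("239.1.1.1", "239.9.9.9", "239.1.1.2", "239.1.1.3")]
    port.throttle_action = "replace"
    last = process_join(port, "239.1.1.3", rng=random.Random(0))
    return port, results, last


if __name__ == "__main__":
    port, results, last = demo()
    print(results, last, sorted(port.groups))
```

With Replace, an existing subscription on the port can be evicted by any new permitted join, so Deny is the more predictable choice on ports shared by several receivers.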
include MLDv2 query and report messages, as well as MLDv1 report and done messages.
Remember that IGMP Snooping and MLD Snooping are independent functions, and can therefore both function at the same time.
Configuring MLD Snooping and Query
Use the Multicast > MLD Snooping > General page to configure the switch to forward multicast traffic intelligently.
receiving query packets) to have expired. (Range: 300-500 seconds; Default: 300 seconds)
◆ MLD Snooping Version – The protocol version used for compatibility with other devices on the network. This is the MLD version the switch uses to send snooping reports. (Range: 1-2; Default: 2)
◆ Unknown Multicast Mode – The action for dealing with unknown multicast packets.
◆ Immediate Leave Status – Immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate leave is enabled for the parent VLAN. (Default: Disabled)
If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received.
◆ Interface – Activates the Port or Trunk scroll down list.
◆ Port or Trunk – Specifies the interface attached to a multicast router.
Web Interface
To specify a static interface attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3.
3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
Figure 360: Showing Current Interfaces Attached to an IPv6 Multicast Router
Assigning Interfaces to IPv6 Multicast
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface.
Web Interface
To statically assign an interface to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Add Static Member from the Action list.
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an MLD-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.
To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch.
To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Current Member from the Action list.
3. Select the VLAN for which to display this information.
source addresses, except for those listed in the exclude source-list and for any other sources where the source timer status has expired.
◆ Filter Timer Elapse – The Filter timer is only used when a specific multicast address is in Exclude mode. It represents the time for the multicast address filter mode to expire and change to Include mode.
◆ Request List – Sources included on the router’s request list.
Multicast VLAN Registration for IPv4
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Interfaces” on page 574).
◆ Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR.
■ When a source port receives a query message, it will be forwarded to all downstream receiver ports.
■ When a receiver port receives a query message, it will be dropped.
◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries.
Figure 366: Configuring Global Settings for MVR
Configuring MVR Domain Settings
Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
◆ Upstream Source IP – The source IP address assigned to all MVR control packets sent upstream on the specified domain. By default, all MVR reports sent upstream use a null source IP address.
Web Interface
To configure settings for an MVR domain:
1. Click Multicast, MVR.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4.
◆ IGMP snooping and MVR share a maximum number of 1024 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated domain.
Parameters
These parameters are displayed:
Configure Profile
◆ Profile Name – The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
◆ Start IP Address – Starting IP address for an MVR multicast group. (Range: 224.0.1.
To show the configured MVR group address profiles:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 369: Displaying MVR Group Address Profiles
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 371: Showing the MVR Group Address Profiles Assigned to a Domain
Configuring MVR Interface Status
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
Web Interface
To configure interface settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Interface from the Step list.
3. Select an MVR domain.
4. Click Port or Trunk.
5. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
6. Click Apply.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Interface – Port or trunk identifier.
◆ VLAN – VLAN identifier. (Range: 1-4093)
◆ Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page.
Web Interface
To assign a static MVR group to an interface:
1.
4. Select an MVR domain.
5. Select the port or trunk for which to display this information.
Figure 374: Showing the Static MVR Groups Assigned to a Port
Displaying MVR Receiver Groups
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Web Interface
To display the interfaces assigned to the MVR receiver groups:
1. Click Multicast, MVR.
2. Select Show Member from the Step list.
3. Select an MVR domain.
Figure 375: Displaying MVR Receiver Groups
Displaying MVR Statistics
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
Web Interface
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR domain.
5. Select a Port.
Figure 378: Displaying MVR Statistics – Port
Multicast VLAN Registration for IPv6
MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv4” on page 565).
3. Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR6 Interface Status” on page 588).
4. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see “Assigning Static MVR6 Multicast Groups to Interfaces” on page 590).
◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. (Range: 1-10; Default: 2)
■ This parameter is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
Figure 379: Configuring Global Settings for MVR6
Configuring MVR6 Domain Settings
Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
IPv6 address including the network prefix and host address bits. By default, all MVR6 reports sent upstream use a null source IP address. All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.)
◆ The MVR6 group address range assigned to a profile cannot overlap with the group address range of any other profile.
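The address rules above (valid IPv6 syntax, the reserved ff02::X addresses, and no overlap between profile ranges) can be checked on a planned set of MVR6 profiles before entering them in the web interface. This is an added example, not code from this guide or from the switch: the function name and profile names are hypothetical, the addresses are constructed, and "ff02::X" is read as the whole ff02::/16 scope, which is an assumption.

```python
import ipaddress

MULTICAST = ipaddress.IPv6Network("ff00::/8")
# Assumption: the guide's "ff02::X is reserved" is treated here as ff02::/16.
RESERVED = ipaddress.IPv6Network("ff02::/16")


def validate_profiles(profiles):
    """Check {name: (start, end)} MVR6 group ranges; return a list of error strings."""
    errors, parsed = [], []
    res_lo = int(RESERVED.network_address)
    res_hi = int(RESERVED.broadcast_address)
    for name, (start, end) in profiles.items():
        try:
            # Accepts the 8-group form and a single "::" zero run.
            lo = ipaddress.IPv6Address(start)
            hi = ipaddress.IPv6Address(end)
        except ipaddress.AddressValueError as exc:
            errors.append(f"{name}: bad address ({exc})")
            continue
        if lo not in MULTICAST or hi not in MULTICAST:
            errors.append(f"{name}: not an IPv6 multicast range")
            continue
        if lo > hi:
            errors.append(f"{name}: start address is above end address")
            continue
        if int(lo) <= res_hi and int(hi) >= res_lo:
            errors.append(f"{name}: range includes reserved ff02::X addresses")
            continue
        parsed.append((int(lo), int(hi), name))

    # Sort by start address; remembering the furthest end seen so far
    # catches every range that overlaps an earlier one.
    parsed.sort()
    furthest_end, owner = -1, None
    for lo, hi, name in parsed:
        if lo <= furthest_end:
            errors.append(f"{name}: overlaps profile {owner}")
        if hi > furthest_end:
            furthest_end, owner = hi, name
    return errors


# Constructed sample plan with three deliberate mistakes.
SAMPLE_PLAN = {
    "iptv": ("ff15::100", "ff15::1ff"),
    "vod": ("ff15::180", "ff15::2ff"),      # overlaps "iptv"
    "local": ("ff02::1", "ff02::10"),       # inside the reserved scope
    "typo": ("ff15::1::2", "ff15::3"),      # two double colons
    "radio": ("ff1e::1", "ff1e::ff"),
}

if __name__ == "__main__":
    for line in validate_profiles(SAMPLE_PLAN):
        print(line)
```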
Figure 381: Configuring an MVR6 Group Address Profile
To show the configured MVR6 group address profiles:
1. Click Multicast, MVR6.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 382: Displaying MVR6 Group Address Profiles
To assign an MVR6 group address profile to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 383: Assigning an MVR6 Group Address Profile to a Domain
To show the MVR6 group address profiles assigned to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Show from the Action list.
membership for MVR6 receiver ports cannot be set to access mode (see “Adding Static Members to VLANs” on page 159).
◆ One or more interfaces may be configured as MVR6 source ports. A source port is able to both receive and send data for configured MVR6 groups or for groups which have been statically assigned (see “Assigning Static MVR Multicast Groups to Interfaces” on page 574). All source ports must belong to the MVR6 VLAN.
“Active” only if there are subscribers receiving multicast traffic from one of the MVR6 groups, or a multicast group has been statically assigned to an interface.
◆ Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR6 receiver.
colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.)
◆ The MVR6 VLAN cannot be specified as the receiver VLAN for static bindings.
Parameters
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Interface – Port or trunk identifier.
◆ VLAN – VLAN identifier.
To show the static MVR6 groups assigned to an interface:
1. Click Multicast, MVR6.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR6 domain.
5. Select the port or trunk for which to display this information.
◆ Count – The number of multicast services currently being forwarded from the MVR6 VLAN.
◆ Clear MVR6 Group – Clears multicast group information dynamically learned through MVR6. Statically configured multicast addresses are not cleared.
Web Interface
To display the interfaces assigned to the MVR6 receiver groups:
1. Click Multicast, MVR6.
2. Select Show Member from the Step list.
3. Select an MVR6 domain.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
Web Interface
To display statistics for MVR6 query-related messages:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR6 domain.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
15 IP Configuration
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can either be manually configured or dynamically generated.
Chapter 15 | IP Configuration
Setting the Switch’s IP Address (IP Version 4)
◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 651) or use dynamic routing; i.e., RIP (page 656).
◆ The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add Address) menu, static routes (page 651), and then dynamic routing.
Web Interface
To set a static IPv4 address for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask.
4. Click Apply.
Figure 393: Configuring a Dynamic IPv4 Address
Note: The switch will also broadcast a request for IP configuration settings on each power reset.
Note: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Figure 394: Showing the Configured IPv4 Address for an Interface
Setting the Switch’s IP Address (IP Version 6)
This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
■ If a routing protocol is enabled (page 655), you can still define a static route (page 651) to ensure that traffic to the designated address or subnet passes through a preferred gateway.
■ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
◆ IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks. IPv6 nodes on the same network segment use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.
◆ MTU – Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. (Range: 1280-65535 bytes; Default: 1500 bytes)
■ The maximum value set in this field cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
■ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
◆ ND NS Interval – The interval between transmitting IPv6 neighbor solicitation messages on an interface. (Range: 1000-3600000 milliseconds)
Default: 1000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements.
This attribute specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor.
■ The M flag is set to 0, and the O flag is set to 1: DHCPv6 is used only for other configuration settings. Neighboring routers are configured to advertise non-link-local address prefixes from which IPv6 hosts derive stateless addresses. This combination is known as DHCPv6 stateless autoconfiguration, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings.
Figure 396: Configuring General Settings for an IPv6 Interface

To configure RA Guard for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Select RA Guard mode.
4. Enable RA Guard for untrusted interfaces.
5. Click Apply.
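The router advertisement fields discussed above (M and O flags, the MTU option, and RA Guard on untrusted interfaces), as an added example that is not code from this guide or from the switch firmware: it parses a router advertisement body, names the addressing mode the flags select, and flags advertisements seen on ports that are not trusted. The port names and sample packets are constructed, and the meanings given for M=1 and for M=0/O=0 come from RFC 4861 rather than from this page.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_MTU = 3, 5
FLAG_M, FLAG_O = 0x80, 0x40
MIN_MTU, PHYSICAL_MTU = 1280, 1500   # limits quoted in the MTU parameter text


def build_ra(flags, mtu=None, prefix=None, prefix_len=64):
    """Build a constructed RA body for testing (checksum left at 0)."""
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    if mtu is not None:
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    if prefix is not None:
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                           2592000, 604800, 0)
        pkt += ipaddress.IPv6Address(prefix).packed
    return pkt


def parse_ra(payload):
    """Parse an ICMPv6 router advertisement; raise ValueError if malformed."""
    if len(payload) < 16:
        raise ValueError("shorter than the 16-byte RA header")
    (icmp_type, _code, _cksum, hop_limit, flags,
     lifetime, reachable_ms, retrans_ms) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERT:
        raise ValueError(f"ICMPv6 type {icmp_type} is not a router advertisement")
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "hop_limit": hop_limit, "router_lifetime": lifetime,
          "reachable_ms": reachable_ms, "retrans_ms": retrans_ms,
          "mtu": None, "prefixes": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        end = off + opt_len * 8            # option length is in units of 8 bytes
        if opt_len == 0 or end > len(payload):
            raise ValueError(f"bad length for option {opt_type}")
        body = payload[off + 2:end]
        if opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            prefix = str(ipaddress.IPv6Address(body[14:30]))
            ra["prefixes"].append((prefix, body[0]))
        off = end
    return ra


def addressing_mode(ra):
    """Map the M/O flags to the configuration method hosts will use."""
    if ra["managed"]:
        return "stateful-dhcpv6"      # addresses and other settings from DHCPv6
    if ra["other"]:
        return "stateless-dhcpv6"     # the M=0, O=1 case described in the text
    return "no-dhcpv6"                # addresses from advertised prefixes only


def audit(observations, trusted_ports):
    """Return (port, finding) pairs for RAs a monitoring point has captured."""
    findings = []
    for port, payload in observations:
        try:
            ra = parse_ra(payload)
        except ValueError as exc:
            findings.append((port, f"malformed RA: {exc}"))
            continue
        if port not in trusted_ports:
            findings.append((port, "RA on untrusted port; RA Guard should drop it"))
        if ra["mtu"] is not None and not MIN_MTU <= ra["mtu"] <= PHYSICAL_MTU:
            findings.append((port, f"advertised MTU {ra['mtu']} outside "
                                   f"{MIN_MTU}-{PHYSICAL_MTU}"))
    return findings


# Constructed sample: O flag only, MTU option 1400, one /64 prefix.
SAMPLE_RA = build_ra(FLAG_O, mtu=1400, prefix="2001:db8:1::")

if __name__ == "__main__":
    print(addressing_mode(parse_ra(SAMPLE_RA)))
    print(audit([("Eth 1/1", SAMPLE_RA), ("Eth 1/5", build_ra(FLAG_M, mtu=9000))],
                trusted_ports={"Eth 1/1"}))
```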
Configuring an IPv6 Address

Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.

Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Parameters
These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
◆ Link Local – Configures an IPv6 link-local address.
■ The address prefix must be in the range of FE80~FEBF.
■ You can configure only one link-local address per interface.
■ The specified address replaces a link-local address that was automatically generated for the interface.
◆ IPv6 Address – IPv6 address assigned to this interface.

Web Interface
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2.
In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
Showing the IPv6 Neighbor Cache

Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.

Parameters
These parameters are displayed:

Table 35: Show IPv6 Neighbors - display description
Field – Description
IPv6 Address – IPv6 address of neighbor.
Age – The time since the address was verified as reachable (in seconds).
Web Interface
To show neighboring IPv6 devices:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.

Figure 400: Showing IPv6 Neighbors

Showing IPv6 Statistics

Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters
These parameters are displayed:

Table 36: Show IPv6 Statistics - display description
Field – Description
IPv6 Statistics
IPv6 Received
Total – The total number of input datagrams received by the interface, including those received in error.
IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface.
Redirect Messages – The number of Redirect messages received by the interface.
Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.
Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Output – The total number of UDP datagrams sent from this entity.

Web Interface
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3.
Figure 402: Showing IPv6 Statistics (ICMPv6)
Figure 403: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations

Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
16 IP Services This chapter describes the following IP services: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ DHCP Client – Specifies the DHCP client identifier for an interface. ◆ DHCP Relay – Enables DHCP relay service, and defines the servers to which client requests are forwarded. ◆ DHCP Dynamic Provision – Enables dynamic provision via DHCP.
Parameters
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)

Web Interface
To configure general settings for DNS:
1. Click IP Service, DNS.
2.
of Name Servers” on page 626).

Parameters
These parameters are displayed:
Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters)

Web Interface
To create a list of domain names:
1. Click IP Service, DNS.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.
Configuring a List of Name Servers

Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.

Command Usage
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see “Configuring General DNS Service Parameters” on page 623).
Figure 409: Showing the List of Name Servers for DNS

Configuring Static DNS Host to Address Entries

Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.

Command Usage
◆ Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.

Figure 411: Showing Static Entries in the DNS Table

Displaying the DNS Cache

Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.

Command Usage
Servers or other network devices may support one or more connections via multiple IP addresses.
Web Interface
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.

Figure 412: Showing Entries in the DNS Cache

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up.
Table 38: Options 60, 66 and 67 Statements
Option  Statement Keyword        Statement Parameter
60      vendor-class-identifier  a string indicating the vendor class identifier
66      tftp-server-name         a string indicating the tftp server name
67      bootfile-name            a string indicating the bootfile name

◆ By default, DHCP option 66/67 parameters are not carried in a DHCP server reply.
Web Interface
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
3. Click Apply.
Parameters
These parameters are displayed:
◆ VLAN ID – ID of configured VLAN.
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.
◆ Restart DHCP Relay – Use this button to re-initialize DHCP relay service.

Web Interface
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay.
2.
that includes a 'parameter request list' option. Besides this, the client can also send a DHCP request that includes a 'vendor class identifier' option to the server so that the DHCP server can identify the device, and determine what information should be given to the requesting device.

Parameters
These parameters are displayed:
◆ Dynamic Provision via DHCP Status – Enables dynamic provisioning via DHCP.
switch during the PPPoE discovery phase, and sends this tag as a NAS-port-ID attribute in PPP authentication and AAA accounting requests to a RADIUS server.

Parameters
These parameters are displayed:
◆ PPPoE IA Global Status – Enables the PPPoE Intermediate Agent globally on the switch. (Default: Disabled) Note that PPPoE IA must be enabled globally before it can be enabled on an interface.
Figure 417: Configuring Global Settings for PPPoE Intermediate Agent

Configuring PPPoE IA Interface Settings

Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.

Parameters
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ PPPoE IA Status – Enables the PPPoE IA on an interface.
■ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier, using the PPPoE Vendor-Specific tag (0x0105), into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server.
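The tag insertion described above, and the vendor tag stripping and circuit ID / remote ID settings named on the Configure Interface page, as an added example that is not code from this guide or from the switch firmware. It assumes the Broadband Forum layout for the Vendor-Specific tag (vendor ID 0x00000DE9 followed by sub-option 0x01 for circuit ID and 0x02 for remote ID); the identifier strings and sample frames are constructed, and replacing a line-identifier tag that is already present is this example's choice, not documented switch behaviour.

```python
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END_OF_LIST, TAG_SERVICE_NAME = 0x0000, 0x0101
TAG_HOST_UNIQ, TAG_VENDOR_SPECIFIC = 0x0103, 0x0105
BBF_VENDOR_ID = struct.pack("!I", 0x00000DE9)   # assumed: Broadband Forum
SUB_NAMES = {0x01: "circuit_id", 0x02: "remote_id"}


def parse_discovery(frame):
    """Split a PPPoE discovery payload into (code, session_id, [(tag, value)])."""
    if len(frame) < 6:
        raise ValueError("shorter than the 6-byte PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11:
        raise ValueError("unexpected PPPoE version/type")
    end = 6 + length
    if end > len(frame):
        raise ValueError("length field overruns the frame")
    tags, off = [], 6
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated tag header")
        tag, tlen = struct.unpack("!HH", frame[off:off + 4])
        off += 4
        if off + tlen > end:
            raise ValueError(f"tag 0x{tag:04x} overruns the payload")
        if tag == TAG_END_OF_LIST:
            break
        tags.append((tag, frame[off:off + tlen]))
        off += tlen
    return code, session_id, tags


def build_discovery(code, session_id, tags):
    """Serialise tags and recompute the PPPoE length field."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body


def is_line_id(tag, value):
    return tag == TAG_VENDOR_SPECIFIC and value[:4] == BBF_VENDOR_ID


def line_id_tag(circuit_id, remote_id):
    """Encode the access-loop identifier as a Vendor-Specific tag."""
    value = BBF_VENDOR_ID
    for sub, text in ((0x01, circuit_id), (0x02, remote_id)):
        raw = text.encode("ascii")
        if len(raw) > 255:
            raise ValueError("sub-option length is a single byte")
        value += bytes((sub, len(raw))) + raw
    return TAG_VENDOR_SPECIFIC, value


def insert_line_id(frame, circuit_id, remote_id):
    """Add the line identifier to PADI/PADR; other codes pass through."""
    code, sid, tags = parse_discovery(frame)
    if code not in (PADI, PADR):
        return frame
    kept = [(t, v) for t, v in tags if not is_line_id(t, v)]
    return build_discovery(code, sid, kept + [line_id_tag(circuit_id, remote_id)])


def strip_line_id(frame):
    """Vendor tag stripping: remove the line identifier before forwarding."""
    code, sid, tags = parse_discovery(frame)
    return build_discovery(code, sid, [(t, v) for t, v in tags
                                       if not is_line_id(t, v)])


def read_line_id(frame):
    """Return the decoded sub-options of the line identifier, or None."""
    for tag, value in parse_discovery(frame)[2]:
        if not is_line_id(tag, value):
            continue
        found, off = {}, 4
        while off + 2 <= len(value):
            sub, slen = value[off], value[off + 1]
            if off + 2 + slen > len(value):
                raise ValueError("sub-option overruns the vendor tag")
            name = SUB_NAMES.get(sub, f"sub_{sub}")
            found[name] = value[off + 2:off + 2 + slen].decode("ascii", "replace")
            off += 2 + slen
        return found
    return None


# Constructed sample: a client PADI with an empty Service-Name and a Host-Uniq.
SAMPLE_PADI = build_discovery(PADI, 0, [(TAG_SERVICE_NAME, b""),
                                        (TAG_HOST_UNIQ, b"\x00\x00\x00\x01")])
CIRCUIT_ID, REMOTE_ID = "access-node-1 eth 1/5:100", "subscriber-0042"

if __name__ == "__main__":
    tagged = insert_line_id(SAMPLE_PADI, CIRCUIT_ID, REMOTE_ID)
    print(read_line_id(tagged))
```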
Showing PPPoE IA Statistics

Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.

Parameters
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ Received – Received PPPoE active discovery messages.
■ All – All PPPoE active discovery message types.
■ PADI – PPPoE Active Discovery Initiation messages.
Figure 419: Showing PPPoE Intermediate Agent Statistics
17 General IP Routing This chapter provides information on network functions including: ◆ Ping – Sends ping message to another node on the network. ◆ Trace Route – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache. ◆ Static Routes – Configures static routes to other network segments.
Figure 420: Virtual Interfaces and Layer 3 Routing [diagram labels: Inter-subnet traffic (Layer 3 switching); Routing; VLAN 1; VLAN 2; Tagged or Untagged; Intra-subnet traffic (Layer 2 switching)]

IP Routing and Switching

IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
Routing Protocols

The switch supports both static and dynamic routing.
◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
◆ Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets.

To configure a default gateway for IPv4, use the static routing table as described on page 651, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway.
include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.

Web Interface
To ping another device on the network:
1. Click IP, General, Ping.
2. Specify the target device and ping parameters.
3. Click Apply.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The trace route function first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message.
Address Resolution Protocol

If IP routing is enabled (page 655), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
requesting node. That node then sends traffic to the router, which in turn uses its own routing table to forward the traffic to the remote destination.

Figure 423: Proxy ARP [diagram labels: Proxy ARP; no routing, no default gateway; ARP request; Remote ARP Server]

Parameters
These parameters are displayed:
◆ Timeout – Sets the aging time for dynamic entries in the ARP cache.
Figure 424: Configuring General Settings for ARP

Configuring Static ARP Addresses

For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, use the IP > ARP (Configure Static Address – Add) page to manually map an IP address to the corresponding physical address in the ARP cache.
Web Interface
To map an IP address to the corresponding physical address in the ARP cache:
1. Click IP, ARP.
2. Select Configure Static Address from the Step List.
3. Select Add from the Action List.
4. Enter the IP address and the corresponding MAC address.
5. Click Apply.

Figure 425: Configuring Static ARP Entries

To display static entries in the ARP cache:
1. Click IP, ARP.
2. Select Configure Static Address from the Step List.
3.
Displaying Dynamic or Local ARP Entries

Use the IP > ARP (Show Information) page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages.

Web Interface
To display all dynamic and local entries in the ARP cache:
1. Click IP, ARP.
2.
3. Click Statistics.

Figure 428: Displaying ARP Statistics

Configuring Static Routes

This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP). However, you can also manually enter static routes in the routing table using the IP > Routing > Static Routes (Add) page.
◆ Next Hop – IP address of the next router hop used for this route.
◆ Distance – An administrative distance indicating that this route can be overridden by dynamic routing information if the distance of the dynamic route is less than that configured for the static route. Note that the default administrative distance used by the dynamic unicast routing protocols is 120 for RIP.
Displaying the Routing Table

Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
◆ Protocol – The protocol which generated this route information. (Options: Local, Static, RIP, Others)

Web Interface
To display the routing table:
1. Click IP, Routing, Routing Table.
2. Select Show Information from the Action List.
18 Unicast Routing This chapter describes how to configure the following unicast routing protocols: RIP – Configures Routing Information Protocol. Overview This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP). It supports RIP and RIP-2 dynamic routing. These protocols exchange routing information, calculate routing tables, and can respond to changes in the status or loading of the network.
Configuring the Routing Information Protocol

The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost. Each router broadcasts its advertisement every 30 seconds, together with any updates to its routing table.
Configuring General Protocol Settings

Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers.

RIP is used to specify how routers exchange routing information. When RIP is enabled on this router, it sends RIP messages to all devices in the network every 30 seconds (by default), and updates its own routing table when RIP messages are received from other routers.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols. (Range: 1-15; Default: 1)
The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Basic Timer Settings

Note: The timers must be set to the same values for all routers in the network.

◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. (Range: 5-2147483647 seconds; Default: 30 seconds)
Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
Figure 433: Configuring General Settings for RIP

Clearing Entries from the Routing Table

Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.

Command Usage
◆ RIP must be enabled to activate this menu option.
◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length.
■ Network IP Address – Deletes all related entries for the specified network address.
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.

Web Interface
To clear entries from the RIP routing table:
1. Click Routing Protocol, RIP, General.
2.
Parameters
These parameters are displayed:
◆ By Address – Adds a network to the RIP routing process.
■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified)
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 436: Showing Network Interfaces Using RIP

Specifying Passive Interfaces

Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.

Command Usage
◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
Figure 437: Specifying a Passive RIP Interface

To show the passive RIP interfaces:
1. Click Routing Protocol, RIP, Passive Interface.
2. Select Show from the Action list.
Figure 439: Specifying a Static RIP Neighbor

To show static RIP neighbors:
1. Click Routing Protocol, RIP, Neighbor Address.
2. Select Show from the Action list.
It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP. For example, if a metric of 10 is defined for redistributed routes, these routes can only be advertised to routers up to 5 hops away, at which point the metric exceeds the maximum hop count of 15.
Specifying an Administrative Distance

Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.

Command Usage
◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols.
To show the distance assigned to external routes learned from other routing protocols:
1. Click Routing Protocol, RIP, Distance.
2. Select Show from the Action list.
■ Use “RIPv1 and RIPv2” if some routers in the local network are using RIPv2, but there are still some older routers using RIPv1. (This is the default setting.)
■ Use “Do Not Receive” if dynamic entries are not required to be added to the routing table for an interface. (For example, when only static routes are to be allowed for a specific interface.)

Protocol Message Authentication

RIPv1 is not a secure protocol.
◆ Send Version – The RIP version to send on an interface.
■ RIPv1: Sends only RIPv1 packets.
■ RIPv2: Sends only RIPv2 packets.
■ RIPv1 Compatible: Route information is broadcast to other routers with RIPv2.
■ Do Not Send: Does not transmit RIP updates. Passively monitors route information advertised by other routers attached to the network.
The default depends on the setting for the Global RIP Version.
◆ Instability Prevention – Specifies the method used to reduce the convergence time when the network topology changes, and to prevent RIP protocol messages from looping back to the source router.
■ Split Horizon – This method never propagates routes back to an interface from which they have been acquired.
Figure 446: Showing RIP Network Interface Settings

Displaying RIP Interface Settings

Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.

Parameters
These parameters are displayed:
◆ Interface – Source IP address of RIP router interface.
◆ Auth Type – The type of authentication used for exchanging RIPv2 protocol messages.
Displaying Peer Router Information

Use the Routing Protocol > RIP > Statistics (Show Peer Information) page to display information on neighboring RIP routers.

Parameters
These parameters are displayed:
◆ Peer Address – IP address of a neighboring RIP router.
◆ Update Time – Last time a route update was received from this peer.
◆ Version – Shows whether RIPv1 or RIPv2 packets were received from this peer.
Figure 449: Resetting RIP Statistics
Section III Appendices

This section provides additional information and includes these items:
◆ “Software Specifications” on page 677
◆ “Troubleshooting” on page 683
◆ “License Information” on page 685
A Software Specifications

Software Features

Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
General Security: Access Control Lists (512 rules), Port Authentication (802.
Spanning Tree Algorithm: Spanning Tree Protocol (STP, IEEE 802.1D-2004), Rapid Spanning Tree Protocol (RSTP, IEEE 802.1D-2004), Multiple Spanning Tree Protocol (MSTP, IEEE 802.1D-2004)
VLAN Support: Up to 4094 groups; port-based, protocol-based, tagged (802.
Management Features

In-Band Management: Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
Out-of-Band Management: RS-232 DB-9 console port
Software Loading: HTTP, FTP or TFTP in-band, or XModem out-of-band
SNMP: Management access via MIB database; Trap management to specified hosts
RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)

Standards

Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.
IPv4 IGMP (RFC 3228)
MLD Snooping (RFC 4541)
NTP (RFC 1305)
RADIUS+ (RFC 2618)
RIPv1 (RFC 1058)
RIPv2 (RFC 2453)
RIPv2, extension (RFC 1724)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 1901, 2571)
SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
SNTP (RFC 2030)
SSH (Version 2.
Port Access Entity Equipment MIB
Power Ethernet MIB (RFC 3621)
Private MIB
Q-Bridge MIB (RFC 2674Q)
QinQ Tunneling (IEEE 802.
B Troubleshooting Problems Accessing the Management Interface Table 42: Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software ◆ Be sure the switch is powered on. ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary. ◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License

GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary
ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
ICMP Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
MIB Management Information Base. It is a set of database objects that contains information about a specific device.
MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
QinQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
QoS Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping.
STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
TACACS+ Terminal Access Controller Access Control System Plus. TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.
E092020-CS-R03 150200000952A