GEP-5070 48 GE PoE-Plus + 2 GE SFP L2 Managed Switch User Manual V1.
USER MANUAL
GEP-5070 Layer 2 Gigabit Ethernet Switch with 48 10/100/1000BASE-T PoE-Plus Ports (RJ-45) and 2 Gigabit Ethernet SFP Ports
GEP-5070 E042013/ST-R01
ABOUT THIS GUIDE

PURPOSE
This guide gives specific information on how to operate and use the management functions of the switch.

AUDIENCE
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONTENTS SECTION I SECTION II ABOUT THIS GUIDE 5 CONTENTS 7 FIGURES 13 TABLES 19 GETTING STARTED 21 1 INTRODUCTION 23 Key Features 23 Description of Software Features 24 System Defaults 28 2 INITIAL SWITCH CONFIGURATION 31 WEB CONFIGURATION 33 3 USING THE WEB INTERFACE 35 Navigating the Web Browser Interface 35 Home Page 35 Configuration Options 36 Panel Display 36 Main Menu 36 4 CONFIGURING THE SWITCH 45 Configuring System Information 45 Setting an IP Address 46 S
CONTENTS Configuring Power Reduction Reducing Power to Idle Queue Circuits 54 54 Configuring Port Connections 55 Configuring Security 57 Configuring User Accounts 58 Configuring User Privilege Levels 60 Configuring The Authentication Method For Management Access 61 Configuring SSH 64 Configuring HTTPS 65 Filtering IP Addresses for Management Access 66 Using Simple Network Management Protocol 67 Remote Monitoring 77 Configuring Port Limit Controls 83 Configuring Authentication Throug
CONTENTS Configuring IGMP Filtering MLD Snooping 151 152 Configuring Global and Port-Related Settings for MLD Snooping 152 Configuring VLAN Settings for MLD Snooping and Query 155 Configuring MLD Filtering 158 Link Layer Discovery Protocol 158 Configuring LLDP Timing and TLVs 159 Configuring LLDP-MED TLVs 162 Power over Ethernet 167 Configuring the MAC Address Table 170 IEEE 802.
CONTENTS Configuring Local Port Mirroring 207 Configuring Remote Port Mirroring 208 Configuring UPnP 213 Configuring sFlow 214 5 MONITORING THE SWITCH Displaying Basic Information About the System 219 219 Displaying System Information 219 Displaying CPU Utilization 220 Displaying Log Messages 221 Displaying Log Details 223 Displaying Information About Ports 223 Displaying Port Status On the Front Panel 223 Displaying an Overview of Port Statistics 224 Displaying QoS Statistics 224
CONTENTS Displaying Information on LACP 252 Displaying an Overview of LACP Groups 252 Displaying LACP Port Status 252 Displaying LACP Port Statistics 253 Displaying Information on Loop Protection 254 Displaying Information on the Spanning Tree 255 Displaying Bridge Status for STA 255 Displaying Port Status for STA 257 Displaying Port Statistics for STA 258 Displaying MVR Information 259 Displaying MVR Statistics 259 Displaying MVR Group Information 260 Displaying MVR SFM Information
CONTENTS Running Cable Diagnostics 7 PERFORMING SYSTEM MAINTENANCE SECTION III 285 287 Restarting the Switch 287 Restoring Factory Defaults 288 Upgrading Firmware 288 Activating the Alternate Image 289 Managing Configuration Files 290 Saving Configuration Settings 290 Restoring Configuration Settings 290 APPENDICES 293 A SOFTWARE SPECIFICATIONS 295 Software Features 295 Management Features 296 Standards 297 Management Information Bases 298 B TROUBLESHOOTING 299 Problems Acc
FIGURES Figure 1: Home Page 35 Figure 2: Front Panel Indicators 36 Figure 3: System Information Configuration 45 Figure 4: IP Configuration 47 Figure 5: IPv6 Configuration 49 Figure 6: NTP Configuration 50 Figure 7: Time Zone and Daylight Savings Time Configuration 52 Figure 8: Configuring Settings for Remote Logging of Error Messages 53 Figure 9: Configuring EEE Power Reduction 55 Figure 10: Port Configuration 57 Figure 11: Showing User Accounts 59 Figure 12: Configuring User Account
FIGURES Figure 32: ACL Port Configuration 98 Figure 33: ACL Rate Limiter Configuration 99 Figure 34: Access Control List Configuration 106 Figure 35: DHCP Snooping Configuration 109 Figure 36: DHCP Relay Configuration 110 Figure 37: Configuring Global and Port-based Settings for IP Source Guard 113 Figure 38: Configuring Static Bindings for IP Source Guard 114 Figure 39: Configuring Global and Port Settings for ARP Inspection 116 Figure 40: Configuring Static Bindings for ARP Inspection 11
FIGURES Figure 68: Port Isolation Configuration 177 Figure 69: Configuring MAC-Based VLANs 178 Figure 70: Configuring Protocol VLANs 180 Figure 71: Assigning Ports to Protocol VLANs 182 Figure 72: Assigning Ports to an IP Subnet-based VLAN 183 Figure 73: Configuring Global and Port Settings for a Voice VLAN 186 Figure 74: Configuring an OUI Telephony List 187 Figure 75: Configuring Ingress Port QoS Classification 188 Figure 76: Configuring Ingress Port Policing 189 Figure 77: Displaying E
FIGURES Figure 104: QoS Control List Status 226 Figure 105: Detailed Port Statistics 228 Figure 106: Access Management Statistics 229 Figure 107: Port Security Switch Status 231 Figure 108: Port Security Port Status 232 Figure 109: Network Access Server Switch Status 233 Figure 110: NAS Statistics for Specified Port 237 Figure 111: ACL Status 238 Figure 112: DHCP Snooping Statistics 240 Figure 113: DHCP Relay Statistics 241 Figure 114: Dynamic ARP Inspection Table 242 Figure 115: Dyna
FIGURES Figure 140: LLDP-MED Neighbor Information 271 Figure 141: LLDP Neighbor PoE Information 272 Figure 142: LLDP Neighbor EEE Information 273 Figure 143: LLDP Port Statistics 275 Figure 144: Power over Ethernet Status 276 Figure 145: MAC Address Table 277 Figure 146: Showing VLAN Members 278 Figure 147: Showing VLAN Port Status 279 Figure 148: Showing MAC-based VLAN Membership Status 280 Figure 149: Showing sFlow Statistics 282 Figure 150: ICMP Ping 284 Figure 151: VeriPHY Cable D
TABLES Table 1: Key Features 23 Table 2: System Defaults 28 Table 3: Web Page Configuration Buttons 36 Table 4: Main Menu 36 Table 5: HTTPS System Support 65 Table 6: SNMP Security Models and Levels 68 Table 7: Dynamic QoS Profiles 89 Table 8: QCE Modification Buttons 100 Table 9: Recommended STA Path Cost Range 136 Table 10: Recommended STA Path Costs 136 Table 11: Default STA Path Costs 136 Table 12: QCE Modification Buttons 200 Table 13: System Capabilities 268 Table 14: Troubl
SECTION I GETTING STARTED

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction
Description of Software Features

Table 1: Key Features (Continued)
Feature                   Description
Spanning Tree Algorithm   Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs              Up to 4K using IEEE 802.
ACCESS CONTROL LISTS
ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D BRIDGE
The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.
VIRTUAL LANS
The switch supports up to 4096 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned.
QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
System Defaults

Table 2: System Defaults (Continued)
Function        Parameter             Default
SNMP            SNMP Agent            Disabled
                Community Strings     “public” (read only), “private” (read/write)
                Traps                 Global: disabled; Authentication traps: enabled; Link-up-down events: enabled
                SNMP V3               View: default_view; Group: default_rw_group

                Admin Status          Enabled
                Auto-negotiation      Enabled
                Flow Control          Disabled
                Rate Limiting         Input and output limits Disabled
Port Trunking   Static Trunks         None
                LACP (all port
Table 2: System Defaults (Continued)
Function        Parameter             Default
IP Settings     Management VLAN       VLAN 1
                IP Address            192.168.1.1
                Subnet Mask           255.255.255.0
                Default Gateway       0.0.0.
2 INITIAL SWITCH CONFIGURATION

This chapter includes information on connecting to the switch and basic configuration procedures. To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed. This should be done before you permanently install the switch in the network. Follow this procedure:
1. Place the switch close to the PC that you intend to use for configuration.
CHAPTER 2 | Initial Switch Configuration
logging out. To change the password, click Security and then Users. Select “admin” from the User Configuration list, fill in the Password fields, and then click Save.
SECTION II WEB CONFIGURATION

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
3 USING THE WEB INTERFACE

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Mozilla Firefox 2.0.0.0, or more recent versions).

NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password.
CHAPTER 3 | Using the Web Interface
Navigating the Web Browser Interface

CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3: Web Page Configuration Buttons
Button    Action
Save      Sets specified values to the system.
Table 4: Main Menu (Continued)
Aggregation (page 119)
  Static: Specifies ports to group into static trunks (page 120)
  LACP: Allows ports to dynamically join trunks (page 123)
Spanning Tree (page 127)
  Bridge Settings: Configures global bridge settings for STP, RSTP and MSTP; also configures edge port settings for BPDU filtering, BPDU guard, and port error recovery (page 129)
  MSTI Mapping: Maps VLANs to a specific MSTP instance (page 132)
  MST
Table 4: Main Menu (Continued)
Access Management: Sets IP addresses of clients allowed management access via HTTP/HTTPS, SNMP, and Telnet/SSH (page 66)
SNMP: Simple Network Management Protocol (page 67)
  System: Configures read-only and read/write community strings for SNMP v1/v2c, engine ID for SNMP v3, and trap parameters (page 68)
  Communities: Configures community strings (page 72)
  Users: Configures SNMP v3 users on this sw
Table 4: Main Menu (Continued)
Aggregation² (page 119)
  Static: Specifies ports to group into static trunks (page 120)
  LACP: Allows ports to dynamically join trunks (page 123)
Loop Protection: Detects general loopback conditions caused by hardware problems or faulty protocol settings (page 125)
Spanning Tree² (page 127)
  Bridge Settings: Configures global bridge settings for STP, RSTP and MSTP; also configures edge port settings for BPDU
Table 4: Main Menu (Continued)
Private VLANs
  Port Isolation: Prevents communications between designated ports within the same private VLAN (page 177)
VCL: VLAN Control List
  MAC-based VLAN: Maps traffic with specified source MAC address to a VLAN (page 177)
  Protocol-based VLAN (page 179)
    Protocol to Group: Creates a protocol group, specifying supported protocols (page 179)
    Group to VLAN: Maps a protocol group to a VLAN for specified
Table 4: Main Menu (Continued)
WRED: Sets drop probabilities for congested queues (page 205)
Congestion Management: Prevents traffic from being forwarded if destination port is congested (page 206)
Mirroring & RSPAN²: Sets source and target ports for local or remote mirroring (page 207)
UPnP: Enables UPnP and defines timeout values (page 213)
sFlow: Samples traffic flows, and forwards data to designated collector (page 214)
Monitor
Table 4: Main Menu (Continued)
DHCP: Dynamic Host Configuration Protocol
  Snooping Statistics: Shows statistics for various types of DHCP protocol packets (page 239)
  Relay Statistics: Displays server and client statistics for packets affected by the relay information policy (page 240)
ARP Inspection: Displays entries in the ARP inspection table, sorted first by port, then VLAN ID, MAC address, and finally IP address (page 241)
Table 4: Main Menu (Continued)
  Group Information: Displays active IGMP groups (page 263)
  IPv4 SFM Information: Displays IGMP Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny) (page 263)
Multicast Listener Discovery Snooping (page 264)
  Status: Displays MLD querier status and protocol statistics (page 264)
  Group Information: Displays active MLD grou
Table 4: Main Menu (Continued)
Maintenance (page 287)
  Restart Device: Restarts the switch (page 287)
  Factory Defaults: Restores factory default settings (page 288)
  Upload: Updates software on the switch with a file specified on the management station (page 288)
  Image Select: Displays information about the active and alternate (backup) firmware images in the switch, and allows you to revert to the alternate image (page 289)
  Software Con
4 CONFIGURING THE SWITCH

This chapter describes all of the basic configuration tasks.

CONFIGURING SYSTEM INFORMATION
Use the System Information Configuration page to identify the system by configuring contact information, system name, and the location of the switch.
PATH
Basic/Advanced Configuration, System, Information
PARAMETERS
These parameters are displayed:
◆ System Contact – Administrator responsible for the system.
CHAPTER 4 | Configuring the Switch

SETTING AN IP ADDRESS
This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on.
◆ IP Router – IP address of the gateway router between the switch and management stations that exist on other network segments.
◆ VLAN ID – ID of the configured VLAN. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
SETTING AN IPV6 ADDRESS
Use the IPv6 Configuration page to configure an IPv6 address for management access to the switch. IPv6 includes two distinct address types: link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet. Management traffic using this kind of address cannot be passed by any router outside of the subnet.
interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the interface identifier; i.e., the switch's MAC address. (Default: Disabled)
◆ Address – Manually configures a global unicast address by specifying the full address and network prefix length (in the Prefix field). (Default: ::192.168.1.
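As an added illustration (not code from the manual or the switch) of how the auto-configured address above is formed: the interface identifier is the modified EUI-64 form of the MAC address, and the /64 prefix comes from the router advertisement. The MAC address and prefix used are constructed sample values; because the MAC is embedded in it, an EUI-64 address reveals the switch's hardware address to anyone who sees the address.

```python
"""Added example (not from the GEP-5070 manual): how a switch derives a
stateless IPv6 address from a router-advertised /64 prefix and its MAC.

Modified EUI-64: insert 0xFFFE between the OUI and device halves of the
48-bit MAC and flip the universal/local bit (bit 1 of the first octet).
The MAC address and prefix below are constructed sample values.
"""
import ipaddress
import re


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02  # flip the universal/local (U/L) bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as carried in a router advertisement) with the
    modified EUI-64 interface identifier, as stateless autoconfiguration does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration requires a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address: fe80::/64 plus the same interface identifier."""
    return slaac_address("fe80::/64", mac)


if __name__ == "__main__":
    mac = "00:12:34:56:78:9a"  # constructed sample MAC
    print("link-local:", link_local_address(mac))
    print("global    :", slaac_address("2001:db8:1:2::/64", mac))
```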
CONFIGURING NTP SERVICE
Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
CONFIGURING THE TIME ZONE AND DAYLIGHT SAVINGS TIME
Use the Time Zone and Daylight Savings Time page to set the time zone and Daylight Savings Time.
◆ Time Zone – NTP/SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
■ Non-Recurring – Sets the start, end, and offset times of summer time for the switch on a one-time basis.
■ From – Start time for summer time.
■ To – End time for summer time.
■ Offset – The number of minutes to add during Daylight Saving Time. (Range: 1-1440)
WEB INTERFACE
To set the time zone or Daylight Savings Time:
1. Click Configuration, System, Time.
2. Select one of the predefined time zones.
3.
CONFIGURING REMOTE LOG MESSAGES
Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types.
PATH
Basic/Advanced Configuration, System, Log
COMMAND USAGE
When remote logging is enabled, system log messages are sent to the designated server. The syslog protocol is based on UDP and is received on UDP port 514.
CONFIGURING POWER REDUCTION
The switch provides power saving methods, including powering down the circuitry for port queues when not in use.

REDUCING POWER TO IDLE QUEUE CIRCUITS
Use the EEE Configuration page to configure Energy Efficient Ethernet (EEE) for specified queues.
PATH
Advanced Configuration, Power Reduction, EEE
COMMAND USAGE
◆ EEE works by powering down circuits when there is no traffic.
Figure 9: Configuring EEE Power Reduction

CONFIGURING PORT CONNECTIONS
Use the Port Configuration page to configure the connection parameters for each port. This page includes options for enabling auto-negotiation or manually setting the speed and duplex mode, enabling flow control, setting the maximum frame size, specifying the response to excessive collisions, or enabling power saving mode.
NOTE: The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
◆ Flow Control – Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
WEB INTERFACE
To configure port connection settings:
1. Click Configuration, Ports.
2. Make any required changes to the connection settings.
3. Click Save.
Figure 10: Port Configuration

CONFIGURING SECURITY
You can configure this switch to authenticate users logging into the system for management access or to control client access to the data ports.
addresses assigned to DHCP clients can also be carefully controlled using static or dynamic bindings with DHCP Snooping and IP Source Guard commands. ARP Inspection can also be used to validate the MAC address bindings for ARP packets, providing protection against ARP traffic with invalid MAC to IP address bindings, which forms the basis for “man-in-the-middle” attacks.
◆ Privilege Level – Specifies the user level. (Options: 1 - 15) Access to specific functions is controlled through the Privilege Levels configuration page (see page 60). The default settings provide four access levels:
■ 1 – Read access of port status and statistics.
CONFIGURING USER PRIVILEGE LEVELS
Use the Privilege Levels page to set the privilege level required to read or configure specific software modules or system settings.
PATH
Advanced Configuration, Security, Switch, Privilege Levels
PARAMETERS
These parameters are displayed:
◆ Group Name – The name identifying a privilege group. In most cases, a privilege group consists of a single module (e.g.
3. Click Save.
Figure 13: Configuring Privilege Levels

CONFIGURING THE AUTHENTICATION METHOD FOR MANAGEMENT ACCESS
Use the Authentication Method Configuration page to specify the authentication method for controlling management access through the console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled with a RADIUS or TACACS+ remote access authentication server.
Figure 14: Authentication Server Operation (web client, switch, RADIUS/TACACS+ server)
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
NOTE: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS and TACACS+ server software.
PARAMETERS
These parameters are displayed:
◆ Client – Specifies how the administrator is authenticated when logging into the switch via Telnet, SSH, or a web browser.
CONFIGURING SSH
Use the SSH Configuration page to configure access to the Secure Shell (SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public key that the client uses along with a local user name and password for access authentication.
CONFIGURING HTTPS
Use the HTTPS Configuration page to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.
Figure 17: HTTPS Configuration

FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS
Use the Access Management Configuration page to create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
5. Mark the protocols to restrict based on the specified address range. The following example shows how to restrict management access for all protocols to a specific address range.
6. Click Save.
Figure 18: Access Management Configuration

USING SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network.
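Returning to the Access Management filter described above, here is an added model of its decision logic (not the switch's own code): up to 16 entries, each an IPv4 range with the management protocols it may use. It assumes that while the list is empty every address is allowed and that, once entries exist, a client is admitted only if some entry covers both its address and the protocol in use; all addresses are constructed. The lockout_risk helper is the check to run against your own management station before clicking Save.

```python
"""Added example (not from the GEP-5070 manual): a model of the Access
Management filter.  Assumptions: an empty list means open access; with
entries present, a client must match an entry that lists its protocol.
All addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

PROTOCOLS = frozenset({"HTTP/HTTPS", "SNMP", "TELNET/SSH"})
MAX_ENTRIES = 16  # limit stated in the manual


@dataclass(frozen=True)
class AccessEntry:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    protocols: FrozenSet[str]

    def covers(self, ip: ipaddress.IPv4Address, protocol: str) -> bool:
        return self.start <= ip <= self.end and protocol in self.protocols


class AccessManagement:
    def __init__(self) -> None:
        self.entries: List[AccessEntry] = []

    def add(self, start: str, end: str, *protocols: str) -> None:
        """Add one entry: an inclusive IPv4 range plus the protocols it may use."""
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"access management list is full ({MAX_ENTRIES} entries)")
        unknown = set(protocols) - PROTOCOLS
        if unknown:
            raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("end address precedes start address")
        self.entries.append(AccessEntry(first, last, frozenset(protocols)))

    def is_allowed(self, client: str, protocol: str) -> bool:
        """Would a management connection from `client` over `protocol` be accepted?"""
        if not self.entries:
            return True  # default: interfaces are open to all addresses
        ip = ipaddress.IPv4Address(client)
        return any(entry.covers(ip, protocol) for entry in self.entries)

    def lockout_risk(self, admin_station: str) -> List[str]:
        """Protocols the given admin station would lose once the list applies."""
        return sorted(p for p in PROTOCOLS if not self.is_allowed(admin_station, p))


if __name__ == "__main__":
    am = AccessManagement()
    am.add("192.168.1.10", "192.168.1.20", "HTTP/HTTPS", "SNMP")  # constructed range
    print("HTTPS from 192.168.1.15:", am.is_allowed("192.168.1.15", "HTTP/HTTPS"))
    print("SSH from 192.168.1.15 :", am.is_allowed("192.168.1.15", "TELNET/SSH"))
    print("lockout risk for 192.168.1.99:", am.lockout_risk("192.168.1.99"))
```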
MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
◆ Version – Specifies the SNMP version to use. (Options: SNMP v1, SNMP v2c, SNMP v3; Default: SNMP v2c)
◆ Read Community – The community used for read-only access to the SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public) This parameter only applies to SNMPv1 and SNMPv2c. SNMPv3 uses the User-based Security Model (USM) for authentication and privacy.
8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.
◆ Trap Authentication Failure – Issues a notification message to specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)
◆ Trap Link-up and Link-down – Issues a notification message whenever a port link is established or broken.
NOTE: To select a name from this field, first enter an SNMPv3 user with the same Trap Security Engine ID in the SNMPv3 Users Configuration menu (see "Configuring SNMPv3 Users" on page 73).
WEB INTERFACE
To configure SNMP system and trap settings:
1. Click Advanced Configuration, Security, Switch, SNMP, System.
2.
SETTING SNMPV3 COMMUNITY ACCESS STRINGS
Use the SNMPv3 Community Configuration page to set community access strings. All community strings used to authorize access by SNMP v1 and v2c clients should be listed in the SNMPv3 Communities Configuration table. For security reasons, you should consider removing the default strings.
CONFIGURING SNMPV3 USERS
Use the SNMPv3 User Configuration page to define a unique name and remote engine ID for each SNMPv3 user. Users must be configured with a specific security level, and the types of authentication and privacy protocols to use.
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. (Options: None, DES; Default: DES)
◆ Privacy Password – A string identifying the privacy pass phrase. (Range: 8-40 characters, ASCII characters 33-126 only)
WEB INTERFACE
To configure SNMPv3 users:
1. Click Advanced Configuration, Security, Switch, SNMP, Users.
2. Click “Add new user” to configure a user name.
3.
menu (see page 73). To modify an entry for USM, the current entry must first be deleted.
◆ Group Name – The name of the SNMP group. (Range: 1-32 characters, ASCII characters 33-126 only)
WEB INTERFACE
To configure SNMPv3 groups:
1. Click Advanced Configuration, Security, Switch, SNMP, Groups.
2. Click “Add new group” to set up a new group.
3. Select a security model.
4. Select the security name.
should exist and its OID subtree should overlap the “excluded” view entry.
◆ OID Subtree – Object identifiers of branches within the MIB tree. Note that the first character must be a period (.). Wild cards can be used to mask a specific portion of the OID string using an asterisk. (Length: 1-128)
WEB INTERFACE
To configure SNMPv3 views:
1. Click Advanced Configuration, Security, Switch, SNMP, Views.
2. Click “Add new view” to set up a new view.
3.
■ Auth, Priv – SNMP communications use both authentication and encryption.
◆ Read View Name – The configured view for read access. (Range: 1-32 characters, ASCII characters 33-126 only)
◆ Write View Name – The configured view for write access. (Range: 1-32 characters, ASCII characters 33-126 only)
WEB INTERFACE
To configure SNMPv3 group access rights:
1. Click Advanced Configuration, Security, Switch, SNMP, Access.
2.
CONFIGURING RMON STATISTICAL SAMPLES
Use the RMON Statistics Configuration page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
PATH
Advanced Configuration, Security, RMON, Statistics
COMMAND USAGE
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
growth and plan for expansion before your network becomes too overloaded.
PATH
Advanced Configuration, Security, RMON, History
COMMAND USAGE
The information collected for each sample includes: drop events, input octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and network utilization.
CONFIGURING RMON ALARMS
Use the RMON Alarm Configuration page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval). Alarms can be set to respond to rising or falling thresholds.
■ Rising or Falling – Trigger alarm when the first value is larger than the rising threshold or less than the falling threshold (default).
◆ Rising Threshold – If the current value is greater than the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated.
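An added example (not from the manual or the switch firmware) of the alarm logic just described, run over a constructed series of readings: absolute or delta sampling, a startup alarm that only applies to the first sample, and rising/falling thresholds. It follows the RFC 2819 comparisons (greater than or equal for rising, less than or equal for falling) and the RFC 2819 rule that, after a rising alarm, no further rising alarm fires until the value has dropped to the falling threshold, and vice versa, which is what keeps a counter hovering around one threshold from flooding the trap manager.

```python
"""Added example (not from the GEP-5070 manual): an RMON alarm state machine
with rising/falling thresholds, startup alarm, absolute/delta sampling and
the RFC 2819 re-arm rule.  Readings used in the usage block are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RISING, FALLING, RISING_OR_FALLING = "rising", "falling", "rising_or_falling"


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"              # "absolute" or "delta" (change per interval)
    startup_alarm: str = RISING_OR_FALLING  # which alarm the very first sample may raise
    _last_raw: Optional[int] = None         # previous raw counter reading (delta mode)
    _last_value: Optional[int] = None       # previous sampled value
    _rising_armed: bool = True              # cleared after a rising alarm fires
    _falling_armed: bool = True             # cleared after a falling alarm fires
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading taken at the alarm interval; return the event raised, if any."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw
                return None  # a delta needs two readings
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw

        event = None
        if self._last_value is None:
            # First valid sample: only the configured startup alarm may fire.
            if value >= self.rising_threshold and self.startup_alarm in (RISING, RISING_OR_FALLING):
                event = RISING
            elif value <= self.falling_threshold and self.startup_alarm in (FALLING, RISING_OR_FALLING):
                event = FALLING
        elif (self._rising_armed and value >= self.rising_threshold
              and self._last_value < self.rising_threshold):
            event = RISING
        elif (self._falling_armed and value <= self.falling_threshold
              and self._last_value > self.falling_threshold):
            event = FALLING

        # RFC 2819 hysteresis: a rising alarm disarms rising until a falling alarm, and vice versa.
        if event == RISING:
            self._rising_armed, self._falling_armed = False, True
        elif event == FALLING:
            self._rising_armed, self._falling_armed = True, False
        if event:
            self.events.append((value, event))
        self._last_value = value
        return event


def run_alarm(readings: List[int], **config) -> List[Tuple[int, str]]:
    """Replay a sequence of readings through one alarm and return (value, event) pairs."""
    alarm = RmonAlarm(**config)
    for reading in readings:
        alarm.sample(reading)
    return alarm.events


if __name__ == "__main__":
    # Constructed absolute readings (e.g. utilisation %) against thresholds 100 / 20.
    print(run_alarm([50, 120, 130, 60, 110, 10, 150],
                    rising_threshold=100, falling_threshold=20, sample_type="absolute"))
    # Constructed octet counter readings; delta per interval against 1000 / 100.
    print(run_alarm([0, 500, 2000, 2100], rising_threshold=1000, falling_threshold=100))
```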
CONFIGURING RMON EVENTS
Use the RMON Event Configuration page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
PATH
Advanced Configuration, Security, RMON, Event
PARAMETERS
The following parameters are displayed:
◆ ID – Index to this entry.
CHAPTER 4 | Configuring the Switch Configuring Security Figure 28: RMON Event Configuration CONFIGURING PORT Use the Port Security Limit Control Configuration page to limit the number LIMIT CONTROLS of users accessing a given port. A user is identified by a MAC address and VLAN ID. If Limit Control is enabled on a port, the maximum number of users on the port is restricted to the specified limit. If this number is exceeded, the switch makes the specified response.
CHAPTER 4 | Configuring the Switch Configuring Security ◆ Limit – The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1024. If the limit is exceeded, the corresponding action is taken. The switch is “initialized” with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port.
CHAPTER 4 | Configuring the Switch Configuring Security WEB INTERFACE To configure port limit controls: 1. Click Advanced Configuration, Security, Network, Limit Control. 2. Set the system configuration parameters to globally enable or disable limit controls, and configure address aging as required. 3. Set limit controls for any port, including status, maximum number of addresses allowed, and the response to a violation. 4. Click Save.
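The bookkeeping behind limit control (users keyed by MAC address plus VLAN, a per-port limit capped at 1024, a shared pool that every port draws from, and a violation response) is shown here as an added example rather than the switch's own code. The violation action names ("none", "trap", "shutdown"), the pool size and the class names are assumptions of this example.

```python
"""Port Security Limit Control bookkeeping (added illustration, not the switch's firmware).

Assumptions: violation actions are "none", "trap" or "shutdown", and all ports
draw secured addresses from one global pool of 1024 entries.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MAX_SECURED = 1024                      # per-port limit cannot exceed this (from the manual)
User = Tuple[str, int]                  # a user is identified by (MAC address, VLAN ID)


@dataclass
class PortLimit:
    limit: int
    action: str = "none"                # assumed action names
    users: Set[User] = field(default_factory=set)
    shutdown: bool = False
    violations: int = 0


class LimitControl:
    def __init__(self, pool_size: int = MAX_SECURED) -> None:
        self.pool_free = pool_size      # global pool shared by all ports
        self.ports: Dict[int, PortLimit] = {}

    def enable(self, port: int, limit: int, action: str = "none") -> None:
        if not 1 <= limit <= MAX_SECURED:
            raise ValueError("limit must be between 1 and %d" % MAX_SECURED)
        self.ports[port] = PortLimit(limit, action)

    def learn(self, port: int, mac: str, vlan: int) -> str:
        """Called when a source MAC/VLAN is seen on a port; returns the disposition."""
        p = self.ports.get(port)
        if p is None:
            return "forward"            # limit control not enabled on this port
        if p.shutdown:
            return "drop"               # port was shut down by an earlier violation
        user = (mac.lower(), vlan)
        if user in p.users:
            return "forward"            # already secured on this port
        if len(p.users) >= p.limit:
            p.violations += 1
            if p.action == "shutdown":
                p.shutdown = True
            return "violation:" + p.action
        if self.pool_free == 0:
            return "drop"               # global pool exhausted: nothing left to draw from
        p.users.add(user)
        self.pool_free -= 1
        return "forward"

    def age_out(self, port: int, mac: str, vlan: int) -> None:
        """Address aging removes a secured user and returns its slot to the pool."""
        p = self.ports[port]
        user = (mac.lower(), vlan)
        if user in p.users:
            p.users.remove(user)
            self.pool_free += 1
```

Note that a violation on a port configured for "shutdown" also blocks the users that were already secured, which is why the manual pairs the limit with an aging setting: without aging, a host that moved to another port keeps occupying a slot until the entry is cleared.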
Figure 30: Using Port Security 802.1x client 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. Client sends back identity information. 4. Switch forwards this to authentication server. 5. Authentication server challenges client. 6. Client responds with proper credentials. 7. Authentication server approves access. 8. Switch grants client access to this port.

◆ 802.1X / MAC-based authentication must be enabled globally for the switch. ◆ The Admin State for each switch port that requires client authentication must be set to 802.1X or MAC-based. ◆ When using 802.1X authentication: ■ Each client that needs to be authenticated must have dot1x client software installed and properly configured. ■ When using 802.1X authentication, the RADIUS server and 802.1X client must support EAP.

between the switch and the client, and therefore does not imply that a client is still present on a port (see Age Period below). ◆ Reauthentication Period - Sets the time period after which a connected client must be re-authenticated. (Range: 1-3600 seconds; Default: 3600 seconds) ◆ EAPOL Timeout - Sets the time the switch waits for a supplicant response during an authentication session before retransmitting a Request Identity EAPOL packet.

whether RADIUS-assigned QoS Class is enabled for that port. When unchecked, RADIUS-server assigned QoS Class is disabled for all ports. When RADIUS-Assigned QoS is both globally enabled and enabled for a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated.

For example, if the attribute is “map-ip-dscp=2:3;service-policyin=p1,” then the switch ignores the “map-ip-dscp” profile. ■ When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged): ■ The Filter-ID attribute cannot be found to carry the user profile. ■ The Filter-ID attribute is empty.

If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it is invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned setting). This option is only available for single-client modes, i.e. port-based 802.1X and Single 802.1X.

NOTE: For trouble-shooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration. Guest VLAN Operation When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth.

◆ Admin State - If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available: ■ Force Authorized - The switch sends one EAPOL Success frame when the port link comes up. This forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.) ■ Force Unauthorized - The switch will send one EAPOL Failure frame when the port link comes up.

password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string of the following form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

◆ Guest VLAN Enabled - Enables or disables this feature for a given port. Refer to the description of this feature under the System Configure section. ◆ Port State - The current state of the port: ■ Globally Disabled - 802.1X and MAC-based authentication are globally disabled. (This is the default state.) ■ Link Down - 802.1X or MAC-based authentication is enabled, but there is no link on the port.

Figure 31: Network Access Server Configuration

FILTERING TRAFFIC WITH ACCESS CONTROL LISTS An Access Control List (ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule.

◆ Policy ID - An ACL policy configured on the ACE Configuration page (page 101). (Range: 1-8; Default: 1, which is undefined) ◆ Action - Permits or denies a frame based on whether it matches a rule defined in the assigned policy. (Default: Permit) ◆ Rate Limiter ID - Specifies a rate limiter (page 98) to apply to the port. (Range: 1-15; Default: Disabled) ◆ Port Redirect - Defines a port to which matching frames are redirected.

frames, or shutting down the port. Note that the setting for rate limiting is implemented regardless of whether or not a matching packet is seen. 3. Repeat the preceding step for each port to which an ACL will be applied. 4. Click Save.

Figure 33: ACL Rate Limiter Configuration

CONFIGURING ACCESS CONTROL LISTS Use the Access Control List Configuration page to define filtering rules for an ACL policy, for a specific port, or for all ports. Rules applied to a port take effect immediately, while those defined for a policy must be mapped to one or more ports using the ACL Ports Configuration menu (page 96).

matches this entry when ARP/RARP protocol address space setting is equal to IP (0x800) ■ IPv4 frames (based on destination MAC address, protocol type, TTL, IP fragment, IP option flag, source/destination IP, VLAN ID, VLAN priority) PARAMETERS These parameters are displayed: ACCESS CONTROL LIST CONFIGURATION ◆ Ingress Port - The ingress port of the ACE: ■ All - The ACE will match all ingress ports.

ACE CONFIGURATION Ingress Port and Frame Type ◆ Ingress Port - Any port, port identifier, or policy. (Options: Any port, Port 1-10, Policy 1-8; Default: Any) ◆ Policy Filter - The policy number filter for this ACE: ■ Any - No policy filter is specified (i.e., don’t care). ■ Specific - If you want to filter a specific policy with this ACE, choose this value. Two fields for entering a policy value and bitmask appear.

RARP opcode set to ARP, RARP - frame must have ARP/RARP opcode set to RARP, Other - frame has unknown ARP/RARP opcode flag; Default: Any) ■ Request/Reply - Specifies whether the packet is an ARP request, reply, or either type.

RARP frames where the PRO is equal to IP (0x800) must match this entry; Default: Any) ◆ IPv4: MAC Parameters ■ DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast; Default: Any) IP Parameters ■ IP Protocol Filter - Specifies the IP protocol to filter for this rule.

■ TCP SYN - Specifies the TCP “Synchronize sequence numbers” (SYN) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the SYN field is set must not match this entry, 1 - TCP frames where the SYN field is set must match this entry; Default: Any) ■ TCP RST - Specifies the TCP “Reset the connection” (RST) value for this rule.

■ DIP Filter - Specifies the destination IP filter for this rule. (Options: Any - no destination IP filter is specified, Host - specifies the destination IP address in the DIP Address field, Network - specifies the destination IP address and destination IP mask in the DIP Address and DIP Mask fields; Default: Any) Response to take when a rule is matched ◆ Action - Permits or denies a frame based on whether it matches an ACL rule.

WEB INTERFACE To configure an Access Control List for a port or a policy: 1. Click Advanced Configuration, Security, Network, ACL, Access Control List. 2. Click the button to add a new ACL, or use the other ACL modification buttons to specify the editing action (i.e., edit, delete, or moving the relative position of entry in the list). 3.
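The sequential first-match evaluation described under "Filtering Traffic with Access Control Lists", together with the ACE parameters listed above (ingress port or policy with value and bitmask, frame type, DMAC filter, IP protocol, SIP/DIP host or network filters, TCP SYN/RST flags and the permit/deny action), is shown here as an added example. It is not the switch's ACL engine; the CIDR notation for Host/Network filters, the "policy:<value>/<bitmask>" ingress syntax and the class names are assumptions of this example.

```python
"""Sequential first-match ACL evaluation (added illustration, not the switch's engine).

Assumptions: Host/Network filters are written in CIDR notation (a host is /32),
and a policy filter is written "policy:<value>/<bitmask>".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Frame:
    ingress_port: int
    frame_type: str                 # "ethernet", "arp" or "ipv4"
    dmac_type: str = "UC"           # UC, MC or BC destination MAC
    ip_proto: Optional[int] = None  # IPv4 protocol number (6 = TCP)
    sip: Optional[str] = None
    dip: Optional[str] = None
    tcp_syn: Optional[int] = None   # 0/1, only meaningful for TCP
    tcp_rst: Optional[int] = None


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    ingress: str = "any"            # "any", "port:<n>" or "policy:<value>/<bitmask>"
    frame_type: str = "any"
    dmac: str = "any"               # "any", "UC", "MC" or "BC"
    ip_proto: Optional[int] = None  # None = any protocol
    sip: Optional[str] = None       # host (/32) or network in CIDR; None = any
    dip: Optional[str] = None
    tcp_syn: Optional[int] = None   # None = any
    tcp_rst: Optional[int] = None

    def matches(self, f: Frame, port_policy: int) -> bool:
        if self.ingress.startswith("port:"):
            if f.ingress_port != int(self.ingress[5:]):
                return False
        elif self.ingress.startswith("policy:"):
            # Policy value and bitmask: only the masked bits must agree.
            value, _, mask = self.ingress[7:].partition("/")
            mask_int = int(mask) if mask else 0xFF
            if (port_policy & mask_int) != (int(value) & mask_int):
                return False
        if self.frame_type != "any" and f.frame_type != self.frame_type:
            return False
        if self.dmac != "any" and f.dmac_type != self.dmac:
            return False
        if self.ip_proto is not None and f.ip_proto != self.ip_proto:
            return False
        for want, have in ((self.sip, f.sip), (self.dip, f.dip)):
            if want is not None:
                if have is None or ip_address(have) not in ip_network(want, strict=False):
                    return False
        for want, have in ((self.tcp_syn, f.tcp_syn), (self.tcp_rst, f.tcp_rst)):
            if want is not None and have != want:
                return False
        return True


def evaluate(aces: List[ACE], frame: Frame, port_policy: int = 1,
             default_action: str = "permit") -> str:
    """Test the frame against each ACE in order; the first match decides."""
    for ace in aces:
        if ace.matches(frame, port_policy):
            return ace.action
    return default_action           # no rule matched: the port's default action applies
```

Because the first match wins, rule order is part of the security policy: a broad permit placed before a narrow deny silently disables the deny, so review the list top to bottom when moving entries with the reorder buttons.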
CONFIGURING DHCP SNOOPING Use the DHCP Snooping Configuration page to filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard).

■ If the DHCP packet is not a recognizable type, it is dropped. ■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. ■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN. ■ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
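The forwarding rules just listed (unrecognized types dropped, client packets from untrusted ports forwarded only to trusted ports in the same VLAN, server packets from trusted ports flooded to the VLAN, bindings cleared on global disable) are shown here as an added example that is not the switch's own code. The DHCP message-type names, the rule that server messages arriving on an untrusted port are dropped, the check that a client's chaddr equals the frame's source MAC, and binding removal on RELEASE are assumptions of this example, as are the port-to-VLAN map and MAC addresses, which are constructed.

```python
"""DHCP snooping forwarding decisions (added illustration, not the switch's firmware).

Assumptions: message-type names as below; server messages are accepted only on
trusted ports; a client's chaddr must equal the frame's source MAC; a RELEASE
removes the binding.
"""
from typing import Dict, List, Optional, Set, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, port_vlan: Dict[int, int], trusted: Set[int]) -> None:
        self.port_vlan = port_vlan            # port -> VLAN (constructed access-port map)
        self.trusted = trusted                # ports facing the DHCP server
        self.enabled = False
        self.client_ports: Dict[Tuple[str, int], int] = {}          # (mac, vlan) -> port
        self.bindings: Dict[Tuple[str, int], Tuple[int, str]] = {}  # (mac, vlan) -> (port, ip)

    def set_enabled(self, on: bool) -> None:
        self.enabled = on
        if not on:
            self.bindings.clear()             # global disable removes all dynamic bindings

    def _others_in_vlan(self, vlan: int, exclude: int) -> List[int]:
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != exclude)

    def handle(self, in_port: int, msg: str, src_mac: str, chaddr: str,
               yiaddr: Optional[str] = None) -> Tuple[str, List[int]]:
        """Return ("forward", egress ports) or ("drop", [])."""
        vlan = self.port_vlan[in_port]
        others = self._others_in_vlan(vlan, in_port)
        if not self.enabled:
            return "forward", others          # plain flooding when snooping is off
        if msg not in CLIENT_MSGS and msg not in SERVER_MSGS:
            return "drop", []                 # not a recognizable DHCP type
        client = (chaddr.lower(), vlan)
        if msg in SERVER_MSGS:
            if in_port not in self.trusted:
                return "drop", []             # server message on an untrusted port (assumed)
            if msg == "ACK" and yiaddr and client in self.client_ports:
                # Lease confirmed: record (port, ip) for this client MAC/VLAN.
                self.bindings[client] = (self.client_ports[client], yiaddr)
            return "forward", others          # reaches trusted and untrusted ports in the VLAN
        # Client message.
        if in_port in self.trusted:
            return "forward", others
        if chaddr.lower() != src_mac.lower():
            return "drop", []                 # client hardware address does not match sender (assumed)
        self.client_ports[client] = in_port
        if msg == "RELEASE":
            self.bindings.pop(client, None)   # lease given up: binding goes away
        return "forward", [p for p in others if p in self.trusted]
```

The binding table this builds is exactly what IP Source Guard and ARP Inspection later consult, so an untrusted port with no completed DHCP exchange has no binding and, once those features are enabled, no permitted source address.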
Figure 35: DHCP Snooping Configuration

CONFIGURING DHCP RELAY AND OPTION 82 INFORMATION Use the DHCP Relay Configuration page to configure DHCP relay service for attached host devices. If a subnet does not include a DHCP server, you can relay DHCP client requests to a DHCP server on another subnet.

PARAMETERS These parameters are displayed: ◆ Relay Mode - Enables or disables the DHCP relay function. (Default: Disabled) ◆ Relay Server - IP address of DHCP server to be used by the switch's DHCP relay agent. ◆ Relay Information Mode - Enables or disables the DHCP Relay Option 82 support. Note that Relay Mode must also be enabled for Relay Information Mode to take effect.

CONFIGURING IP SOURCE GUARD IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "Configuring DHCP Snooping"). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.

PARAMETERS These parameters are displayed: Global Configuration ◆ Mode – Enables or disables IP Source Guard globally on the switch. All configured ACEs will be lost when enabled. (Default: Disabled) NOTE: DHCP snooping must be enabled for dynamic clients to be learned automatically. ◆ Translate dynamic to static – Click to translate all dynamic entries to static entries.

Figure 37: Configuring Global and Port-based Settings for IP Source Guard

CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Static IP Source Guard Table to bind a static address to a port. Table entries include a port identifier, VLAN identifier, IP address, and subnet mask. All static entries are configured with an infinite lease time.

◆ IP Address – A valid unicast IP address, including classful types A, B or C. ◆ IP Mask – This mask specifies the address bits used to identify the subnet and host. (Default: 255.255.255.0). WEB INTERFACE To configure static bindings for IP Source Guard: 1. Click Advanced Configuration, Security, Network, IP Source Guard, Static Table. 2. Click “Add new entry.” 3. Enter the required bindings for a given port. 4. Click Save.

◆ By default, ARP Inspection is disabled both globally and on all ports. ◆ If ARP Inspection is globally enabled, then it becomes active only on the ports where it has been enabled. When ARP Inspection is enabled globally, all ARP request and reply packets on inspection-enabled ports are redirected to the CPU and their switching behavior handled by the ARP Inspection engine.

◆ Mode – Enables Dynamic ARP Inspection on a given port. Only when both Global Mode and Port Mode on a given port are enabled, will ARP Inspection be enabled on a given port. (Default: Disabled) WEB INTERFACE To configure global and port settings for ARP Inspection: 1. Click Advanced Configuration, Security, Network, ARP Inspection, Configuration. 2. Enable ARP inspection globally, and on any ports where it is required. 3. Click Save.

◆ MAC Address – Allowed source MAC address in ARP request packets. ◆ IP Address – Allowed source IP address in ARP request packets. WEB INTERFACE To configure the static ARP Inspection table: 1. Click Advanced Configuration, Network, Security, ARP Inspection, Static Table. 2. Click “Add new entry.” 3. Enter the required bindings for a given port. 4. Click Save.
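IP Source Guard and ARP Inspection both consult the same kind of binding information (dynamic entries learned by DHCP snooping, plus the static IP Source Guard table with its IP mask and the static ARP Inspection table with MAC and IP), so the two checks are shown together here as one added example serving both the "Configuring IP Source Guard" and the ARP Inspection passages above. It is not the switch's own code; the class and method names, the representation of dynamic entries, and the way "Translate dynamic to static" is mirrored (copying an entry into both static tables as a /32 host) are assumptions of this example, and the addresses used are constructed.

```python
"""IP Source Guard and ARP Inspection lookups (added illustration, not the switch's firmware).

Assumptions: dynamic entries stand in for those learned by DHCP snooping; the
static tables mirror the Static Table pages described above; translation copies
a dynamic entry into both static tables as a /32 host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    port: int
    vlan: int
    mac: str        # lower-case, colon separated
    ip: str


class SourceGuard:
    def __init__(self) -> None:
        self.dynamic: Set[Binding] = set()                         # learned by DHCP snooping
        self.static_ipsg: List[Tuple[int, int, IPv4Network]] = []  # (port, vlan, network)
        self.static_arp: Set[Binding] = set()                      # static ARP Inspection table
        self.ipsg_ports: Set[int] = set()                          # ports with IP Source Guard on
        self.dai_ports: Set[int] = set()                           # ports with ARP Inspection on

    def add_dynamic(self, port: int, vlan: int, mac: str, ip: str) -> None:
        self.dynamic.add(Binding(port, vlan, mac.lower(), ip))

    def add_static_ipsg(self, port: int, vlan: int, ip: str, mask: str = "255.255.255.0") -> None:
        # Static IPSG entries carry an IP address plus mask and never expire.
        self.static_ipsg.append((port, vlan, ip_network(f"{ip}/{mask}", strict=False)))

    def add_static_arp(self, port: int, vlan: int, mac: str, ip: str) -> None:
        self.static_arp.add(Binding(port, vlan, mac.lower(), ip))

    def ipsg_permits(self, port: int, vlan: int, src_ip: str) -> bool:
        """IP traffic on a guarded port must match a dynamic or static binding."""
        if port not in self.ipsg_ports:
            return True
        if any(b.port == port and b.vlan == vlan and b.ip == src_ip for b in self.dynamic):
            return True
        addr = ip_address(src_ip)
        return any(p == port and v == vlan and addr in net for p, v, net in self.static_ipsg)

    def dai_permits(self, port: int, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """ARP on an inspected port must carry a sender MAC/IP pair bound to that port."""
        if port not in self.dai_ports:
            return True
        key = Binding(port, vlan, sender_mac.lower(), sender_ip)
        return key in self.dynamic or key in self.static_arp

    def translate_dynamic_to_static(self) -> int:
        """Mirror of the 'Translate dynamic to static' button (assumed semantics)."""
        moved = 0
        for b in list(self.dynamic):
            self.add_static_ipsg(b.port, b.vlan, b.ip, "255.255.255.255")
            self.static_arp.add(b)
            self.dynamic.discard(b)
            moved += 1
        return moved
```

The ARP check is deliberately stricter than the IP check: it requires the MAC and IP to match as a pair on the port, which is what stops a host from answering ARP on behalf of a neighbour's address while still sourcing its own legitimate IP traffic.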
◆ Dead Time – The time after which the switch considers an authentication server to be dead if it does not reply. (Range: 0-3600 seconds; Default: 300 seconds) Setting the Dead Time to a value greater than 0 (zero) will cause the authentication server to be ignored until the Dead Time has expired. However, if only one server is enabled, it will never be considered dead.
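The Dead Time behaviour above (a non-replying server is skipped until the timer expires, a Dead Time of 0 disables the mechanism, and a lone server is never marked dead) is shown here as an added example, not the switch's own code. The server names and the `now` clock values are constructed inputs, and the class and method names are assumptions of this example.

```python
"""Authentication-server Dead Time handling (added illustration, not the switch's firmware).

Assumptions: server names are constructed; 'now' is a caller-supplied clock in seconds.
"""
from typing import Dict, List


class AuthServerList:
    def __init__(self, servers: List[str], dead_time: int = 300) -> None:
        if not 0 <= dead_time <= 3600:
            raise ValueError("Dead Time range is 0-3600 seconds")
        self.enabled = list(servers)          # enabled servers, in configured order
        self.dead_time = dead_time
        self.dead_until: Dict[str, float] = {}

    def candidates(self, now: float) -> List[str]:
        """Servers that may be tried at time 'now'; dead ones are skipped."""
        return [s for s in self.enabled if self.dead_until.get(s, 0) <= now]

    def mark_no_reply(self, server: str, now: float) -> bool:
        """Record a timeout; return True if the server was marked dead."""
        if self.dead_time == 0 or len(self.enabled) == 1:
            return False                      # Dead Time off, or only one server: never dead
        self.dead_until[server] = now + self.dead_time
        return True
```

Marking a server dead only changes which server is tried first; it does not change the authentication result for the client whose request timed out.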
CHAPTER 4 | Configuring the Switch Creating Trunk Groups

Figure 41: Authentication Configuration

CREATING TRUNK GROUPS You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).

USAGE GUIDELINES Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, configure the trunk on the devices at both ends.

needs to ensure that frames in each “conversation” are mapped to the same trunk link. To achieve this requirement and to distribute a balanced load across all links in a trunk, the switch uses a hash algorithm to calculate an output link number in the trunk.

Aggregation Group Configuration ◆ Group ID – Trunk identifier. ◆ Port Members – Port identifier. WEB INTERFACE To configure a static trunk: 1. Click Configuration, Aggregation, Static. 2. Select one or more load-balancing methods to apply to the configured trunks. 3. Assign port members to each trunk that will be used. 4. Click Save.
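The hashing idea behind steps 2 and 3 (the selected header fields of a frame are hashed, and the result picks one link so that every frame of a conversation takes the same link while the remaining links absorb the load of a failed member) is shown here as an added example. The manual states only that a hash maps each conversation to an output link; the selectable field names (`smac`, `dmac`, `ip`, `l4port`), the use of CRC-32 and the sample frames are assumptions of this example, not the switch's actual algorithm.

```python
"""Conversation-preserving trunk link selection (added illustration, not the switch's hash).

Assumptions: load-balancing methods are named "smac", "dmac", "ip" and "l4port";
CRC-32 stands in for whatever hash the hardware uses.
"""
import zlib
from typing import Dict, List


def select_link(frame: Dict[str, str], methods: List[str], active_links: List[int]) -> int:
    """Hash the selected header fields and map the result onto an active link."""
    if not active_links:
        raise ValueError("trunk has no active links")
    key = "|".join(f"{m}={frame.get(m, '')}" for m in methods)
    digest = zlib.crc32(key.encode("ascii")) & 0xFFFFFFFF
    return active_links[digest % len(active_links)]


def distribute(frames: List[Dict[str, str]], methods: List[str],
               active_links: List[int]) -> Dict[int, int]:
    """Count how many frames land on each link, to inspect the balance."""
    counts = {link: 0 for link in active_links}
    for f in frames:
        counts[select_link(f, methods, active_links)] += 1
    return counts


def sample_flows(n: int) -> List[Dict[str, str]]:
    """Constructed flows: one client MAC/IP per flow toward the same server."""
    return [{"smac": f"00:11:22:33:44:{i:02x}", "dmac": "00:aa:bb:cc:dd:ee",
             "ip": f"10.0.0.{i}", "l4port": str(40000 + i)} for i in range(n)]
```

Hashing only on the destination MAC, as the example makes easy to try, sends every flow toward one server over the same link; including source fields is what spreads the load. Removing a failed link from `active_links` changes the modulus, so some conversations move, but each one still sticks to a single surviving link.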
CONFIGURING LACP Use the LACP Port Configuration page to enable LACP on selected ports, configure the administrative key, and the protocol initiation mode. PATH Basic/Advanced Configuration, Aggregation, LACP USAGE GUIDELINES ◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.

Select the Specific option to manually configure a key. Use the Auto selection to automatically set the key based on the actual link speed, where 10Mb = 1, 100Mb = 2, and 1Gb = 3. ◆ Role – Configures active or passive LACP initiation mode. Use Active initiation of LACP negotiation on a port to automatically send LACP negotiation packets (once each second).

CHAPTER 4 | Configuring the Switch Configuring Loop Protection

Figure 43: LACP Port Configuration

CONFIGURING LOOP PROTECTION Use the Loop Protection page to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.

When the loop protection mode is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time. Port Configuration ◆ Port – Port identifier. ◆ Enable – Enables loopback detection on a port. (Default: Enabled) ◆ Action – Configures the response to take when a loop is detected on a port.
CHAPTER 4 | Configuring the Switch Configuring the Spanning Tree Algorithm

CONFIGURING THE SPANNING TREE ALGORITHM The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.

MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups. Using multiple spanning trees can provide multiple forwarding paths and enable load balancing.

running spanning tree algorithm between switches that support the STP, RSTP, MSTP protocols. Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI), the protocol will automatically build an MSTI tree to maintain connectivity among each of the VLANs. MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree (CST).

configuration, allowing them to participate in a specific set of spanning tree instances. ■ A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments. ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

from among the device ports attached to the network. (Note that references to “ports” in this section mean “interfaces,” which includes both ports and trunks.) Minimum: The higher of 6 or [2 x (Hello Time + 1)] Maximum: The lower of 40 or [2 x (Forward Delay - 1)] Default: 20 ◆ Max Hop Count – The maximum number of hops allowed in the MST region before a BPDU is discarded.

WEB INTERFACE To configure global settings for STA: 1. Click Configuration, Spanning Tree, Bridge Settings. 2. Modify the required attributes. 3. Click Save. Figure 48: STA Bridge Configuration

CONFIGURING MULTIPLE SPANNING TREES Use the MSTI Mapping page to add VLAN groups to an MSTP instance (MSTI), or to designate the name and revision of the VLAN-to-MSTI mapping used on this switch.

To use multiple spanning trees: 1. Set the spanning tree type to MSTP (page 129). 2. Add the VLANs that will share this MSTI on the MSTI Mapping page. 3. Enter the spanning tree priority for the CIST and selected MST instance on the MSTI Priorities page. NOTE: All VLANs are automatically added to the CIST (MST Instance 0).

Figure 49: Adding a VLAN to an MST Instance

CONFIGURING SPANNING TREE BRIDGE PRIORITIES Use the MSTI Priorities page to configure the bridge priority for the CIST and any configured MSTI. Remember that RSTP looks upon each MST Instance as a single bridge node. PATH Basic/Advanced Configuration, Spanning Tree, MSTI Properties PARAMETERS These parameters are displayed: ◆ MSTI – Instance identifier to configure.

WEB INTERFACE To add VLAN groups to an MSTP instance: 1. Click Configuration, Spanning Tree, MSTI Priorities. 2. Set the bridge priority for the CIST or any configured MSTI. 3. Click Save. Figure 50: Configuring STA Bridge Priorities

CONFIGURING STP/RSTP/CIST INTERFACES Use the CIST Ports Configuration page to configure STA attributes for interfaces when the spanning tree mode is set to STP or RSTP, or for interfaces in the CIST.

spanning tree. As implemented on this switch, BPDU transparency allows a port which is not participating in the spanning tree (such as an uplink port to the service provider’s network) to forward BPDU packets to other ports instead of discarding these packets or attempting to process them. ◆ Path Cost – This parameter is used by the STA to determine the best path between devices.

highest priority, the port with lowest numeric identifier will be enabled. (Range: 0-240, in steps of 16; Default: 128) ◆ Admin Edge (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.

◆ Point-to-Point – The link type attached to an interface can be set to automatically detect the link type, or manually configured as point-to-point or shared medium. Transition to the forwarding state is faster for point-to-point links than for shared media. These options are described below: ■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared medium.

PARAMETERS These parameters are displayed: ◆ Port – Port identifier. This field is not applicable to static trunks or dynamic trunks created through LACP. Also, note that only one set of interface configuration settings can be applied to all trunks. ◆ Path Cost – This parameter is used by the STA to determine the best path between devices.
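The Max Age bounds quoted in the bridge settings above (the higher of 6 or 2 x (Hello Time + 1), the lower of 40 or 2 x (Forward Delay - 1)) and the port-priority rules from the CIST port parameters (0 to 240 in steps of 16, ties broken by the lowest port number) are gathered here into one added validation example. It is not the switch's own input checking; the function names are assumptions of this example, and the rule that a lower numeric priority value means a higher priority is standard spanning-tree semantics rather than a statement from this page.

```python
"""Spanning-tree timer and port-priority checks (added illustration, not the switch's firmware).

Assumptions: function names are this example's; a lower numeric priority value
is the higher priority (standard STA semantics).
"""
from typing import List, Tuple


def max_age_range(hello_time: int, forward_delay: int) -> Tuple[int, int]:
    """Allowed Max Age window: higher of 6 or 2*(Hello+1), up to lower of 40 or 2*(FwdDelay-1)."""
    low = max(6, 2 * (hello_time + 1))
    high = min(40, 2 * (forward_delay - 1))
    if low > high:
        raise ValueError(f"no valid Max Age for hello={hello_time}, forward_delay={forward_delay}")
    return low, high


def valid_max_age(max_age: int, hello_time: int, forward_delay: int) -> bool:
    """True if Max Age lies inside the window implied by the other two timers."""
    low, high = max_age_range(hello_time, forward_delay)
    return low <= max_age <= high


def valid_port_priority(priority: int) -> bool:
    """Port priority is 0-240 in steps of 16 (default 128)."""
    return 0 <= priority <= 240 and priority % 16 == 0


def pick_port(candidates: List[Tuple[int, int]]) -> int:
    """Among ports with equal path cost, the lowest priority value wins; on a tie
    the lowest port identifier is enabled. candidates = [(port_id, priority), ...]."""
    if not candidates:
        raise ValueError("no candidate ports")
    for port_id, priority in candidates:
        if not valid_port_priority(priority):
            raise ValueError(f"port {port_id}: priority {priority} is not a multiple of 16 in 0-240")
    return min(candidates, key=lambda c: (c[1], c[0]))[0]
```

The window matters operationally: with the default Hello Time of 2 and Forward Delay of 15 the default Max Age of 20 is valid, but lengthening Hello Time to 10 pushes the minimum Max Age to 22, so the defaults would no longer be accepted together.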
CHAPTER 4 | Configuring the Switch Multicast VLAN Registration MULTICAST VLAN REGISTRATION Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
CHAPTER 4 | Configuring the Switch Multicast VLAN Registration 2. Set the interfaces that will join the MVR as source ports or receiver ports. 3. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. ◆ Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other.
CHAPTER 4 | Configuring the Switch Multicast VLAN Registration port from multicast group membership. (Range: 0 to 31,744 tenths of a second; Default: 5 tenths of a second) ◆ Interface Channel Setting – When the MVR VLAN is created, click the Edit symbol to expand the corresponding multicast channel settings for the specific MVR VLAN. Summary about the Interface Channel Setting (of the MVR VLAN) will be shown besides the Edit symbol. ◆ Port – Port identifier.
CHAPTER 4 | Configuring the Switch Multicast VLAN Registration switch can only remove the interface from the multicast stream after the host responds to a periodic request for a membership report. Note that immediate leave should only be enabled on receiver ports to which only one subscriber is attached. Otherwise, service to other active receivers will be affected. WEB INTERFACE To configure global and interface settings for MVR: 1. Click Advanced Configuration, MVR. 2.
CHAPTER 4 | Configuring the Switch Multicast VLAN Registration ◆ Static bindings should only be used to receive long-term multicast streams associated with a stable set of hosts ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using this configuration page. ◆ The IPv4 address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams.
CHAPTER 4 | Configuring the Switch IGMP Snooping Figure 55: Configuring MVR Channel Settings IGMP SNOOPING Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
CHAPTER 4 | Configuring the Switch IGMP Snooping passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic. Multicast routers use information from IGMP snooping and query reports, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
CHAPTER 4 | Configuring the Switch IGMP Snooping specific source. For IGMPv1/v2 hosts, the source address of a channel is always null (indicating that any source is acceptable), but for IGMPv3 hosts, it may include a specific address when requested. Only IGMPv3 hosts can request service from a specific multicast source.
CHAPTER 4 | Configuring the Switch IGMP Snooping If IGMP snooping cannot locate the IGMP querier, you can manually designate a port which is connected to a known IGMP querier (i.e., a multicast router/switch). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch.
CHAPTER 4 | Configuring the Switch IGMP Snooping WEB INTERFACE To configure global and port-related settings for IGMP Snooping: 1. Click Configuration, IPMC, IGMP Snooping, Basic Configuration. 2. Adjust the IGMP settings as required. 3. Click Save.
CHAPTER 4 | Configuring the Switch IGMP Snooping elected “querier” and assumes the role of querying the LAN for group members. It then propagates the service requests on to any upstream multicast switch/router to ensure that it will continue to receive the multicast service. This feature is not supported for IGMPv3 snooping. ◆ Compatibility - Compatibility is maintained by hosts and routers taking appropriate actions depending on the versions of IGMP operating on these devices within a network.
CHAPTER 4 | Configuring the Switch IGMP Snooping This attribute will take effect only if IGMP snooping proxy reporting is enabled (see page 152). ◆ URI - The Unsolicited Report Interval specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled. (Range: 0-31744 seconds, Default: 1 second) WEB INTERFACE To configure VLAN settings for IGMP snooping and query: 1. Click Configuration, IPMC, IGMP Snooping, VLAN Configuration. 2.
CHAPTER 4 | Configuring the Switch MLD Snooping WEB INTERFACE To configure IGMP Snooping Port Group Filtering: 1. Click Configuration, IGMP Snooping, Port Group Filtering. 2. Click Add New Filtering Group to display a new entry in the table. 3. Select the port to which the filter will be applied. 4. Enter the IP address of the multicast service to be filtered. 5. Click Save.
Multicast routers use information from MLD snooping and query reports, along with a multicast routing protocol such as PIMv6, to support IP multicasting across the Internet. PATH Advanced Configuration, IPMC, MLD Snooping, Basic Configuration PARAMETERS These parameters are displayed: Global Configuration ◆ Snooping Enabled - When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic.
The leave-proxy feature does not function when a switch is set as the querier. When the switch is a non-querier, the receiving port is not the last dynamic member port in the group, and the receiving port is not a router port, the switch will generate and send a group-specific (GS) query to the member port which received the leave message, and then start the last member query timer for that port.
enabled on an interface if it is connected to only one MLD-enabled device, either a service host or a neighbor running MLD snooping. Fast Leave does not apply to a port if the switch has learned that a multicast router is attached to it. Fast Leave can improve bandwidth usage for a network which frequently experiences many MLD host add and leave requests. ◆ Throttling - Limits the number of multicast groups to which a port can belong.
◆ Snooping Enabled - When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. (Default: Disabled) When MLD snooping is enabled globally, the per VLAN interface settings for MLD snooping take precedence.
◆ QRI - The Query Response Interval is the Max Response Time advertised in periodic General Queries. The QRI applies when the switch is serving as the querier, and is used to inform other devices of the maximum time this system waits for a response to general queries.
CONFIGURING MLD FILTERING Use the MLD Snooping Port Group Filtering Configuration page to filter specific multicast traffic. In certain switch applications, the administrator may want to control the multicast services that are available to end users; for example, an IP/TV service based on a specific subscription plan. The MLD filtering feature fulfills this requirement by denying access to specified multicast services on a switch port.
LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers. CONFIGURING LLDP TIMING AND TLVS Use the LLDP Configuration page to set the timing attributes used for the transmission of LLDP advertisements, and the device information which is advertised.
◆ Mode – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units. (Options: Disabled, Enabled - TxRx, Rx only, Tx only; Default: Disabled) ◆ CDP Aware – Enables decoding of Cisco Discovery Protocol frames. (Default: Disabled) If enabled, CDP TLVs that can be mapped into a corresponding field in the LLDP neighbors table are decoded, all others are discarded.
The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address.
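The TLV layout described above can be checked from a capture taken on any port where LLDP transmit is enabled. The following Python parser is an added example for this guide, not software from the switch or its vendor: it splits an LLDPDU into TLVs, decodes the common ones, and unpacks the Management Address TLV including the interface number and object identifier fields mentioned above. The LLDPDU it parses is constructed inline with made-up values (the MAC address, port name and 192.168.1.10 address are not taken from any device). Everything the parser returns is what any neighbor, or any device plugged into a port whose Mode is TxRx or Tx only, learns from the advertisement, which is the reason to leave Mode disabled on ports that face untrusted devices.

```python
import ipaddress
import struct
from dataclasses import dataclass

# TLV type numbers from IEEE 802.1AB; names follow the LLDP neighbor table.
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "TTL",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address"}
IFACE_SUBTYPES = {1: "unknown", 2: "ifIndex", 3: "system port number"}


@dataclass
class Tlv:
    type: int
    value: bytes


def parse_lldpdu(data: bytes) -> list:
    """Split an LLDPDU (the payload behind EtherType 0x88CC) into TLVs.
    Every TLV starts with a 16-bit header: 7-bit type, 9-bit value length."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        header = struct.unpack_from("!H", data, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append(Tlv(tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def decode_mgmt_address(value: bytes) -> dict:
    """Management Address TLV: the address, the interface it belongs to, and an OID
    naming the hardware component or protocol entity behind the address."""
    addr_len = value[0]                       # counts the subtype byte plus the address
    subtype, addr = value[1], value[2:1 + addr_len]
    pos = 1 + addr_len
    if_subtype = value[pos]
    if_number = struct.unpack_from("!I", value, pos + 1)[0]
    oid_len = value[pos + 5]
    oid = value[pos + 6:pos + 6 + oid_len]
    if subtype in (1, 2) and len(addr) in (4, 16):       # 1 = IPv4, 2 = IPv6
        address = str(ipaddress.ip_address(addr))
    else:
        address = addr.hex()
    return {"address": address, "address_subtype": subtype,
            "interface_subtype": IFACE_SUBTYPES.get(if_subtype, "unknown"),
            "interface_number": if_number, "oid": oid.hex()}


def decode_tlv(tlv: Tlv) -> str:
    t, v = tlv.type, tlv.value
    if t in (1, 2):                           # Chassis ID / Port ID: subtype byte, then identifier
        subtype, ident = v[0], v[1:]
        mac_subtype = 4 if t == 1 else 3      # the MAC-address subtype number differs between the two
        if subtype == mac_subtype and len(ident) == 6:
            return ident.hex(":")
        return ident.decode("ascii", errors="replace")
    if t == 3:
        return f"{struct.unpack('!H', v)[0]} s"
    if t in (4, 5, 6):
        return v.decode("utf-8", errors="replace")
    if t == 7:
        caps, enabled = struct.unpack("!HH", v)
        return f"capabilities=0x{caps:04x} enabled=0x{enabled:04x}"
    if t == 8:
        return str(decode_mgmt_address(v))
    return v.hex()


def summarize(data: bytes) -> list:
    """Return [(TLV name, decoded value), ...] for everything the neighbor advertised."""
    return [(TLV_NAMES.get(tlv.type, f"type {tlv.type}"), decode_tlv(tlv))
            for tlv in parse_lldpdu(data) if tlv.type != 0]


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed LLDPDU for the demonstration; the values are made up, not captured from a device.
SAMPLE_LLDPDU = (
    _tlv(1, b"\x04" + bytes.fromhex("001122334455"))         # Chassis ID, subtype 4 = MAC address
    + _tlv(2, b"\x05" + b"GigabitEthernet 1/1")              # Port ID, subtype 5 = interface name
    + _tlv(3, struct.pack("!H", 120))                        # TTL, seconds
    + _tlv(5, b"GEP-5070")                                   # System Name
    + _tlv(7, struct.pack("!HH", 0x0004, 0x0004))            # capabilities: bridge, enabled
    + _tlv(8, b"\x05\x01" + bytes([192, 168, 1, 10])         # management address: IPv4 192.168.1.10,
           + b"\x02" + struct.pack("!I", 1001) + b"\x00")   # bound to ifIndex 1001, no OID
    + _tlv(0, b"")
)

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LLDPDU):
        print(f"{name:20} {value}")
```

The parser refuses an LLDPDU without an End TLV and one whose TLV length runs past the buffer, so a neighbor sending malformed frames produces an exception rather than a partially decoded entry.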
CONFIGURING LLDP-MED TLVS Use the LLDP-MED Configuration page to set the device information which is advertised for end-point devices. LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details.
Coordinates Location ◆ Latitude – Normalized to within 0-90 degrees with a maximum of 4 digits. It is possible to specify the direction to either North of the equator or South of the equator. ◆ Longitude – Normalized to within 0-180 degrees with a maximum of 4 digits. It is possible to specify the direction to either East of the prime meridian or West of the prime meridian.
■ Trailing street suffix - Trailing street suffix. (Example: SW) ■ Street suffix - Street suffix. (Example: Ave, Platz) ■ House no. - House number. (Example: 21) ■ House no. suffix - House number suffix. (Example: A, 1/2) ■ Landmark - Landmark or vanity address. (Example: Columbia University) ■ Additional location info - Additional location information. (Example: South Wing) ■ Zip code - Postal/zip code.
This network policy is potentially advertised and associated with multiple sets of application types supported on a given port.
endpoints frequently does not support multiple VLANs, if at all, and are typically configured to use an ‘untagged’ VLAN or a single ‘tagged’ data specific VLAN. When a network policy is defined for use with an ‘untagged’ VLAN (see Tagged flag below), then the L2 priority field is ignored and only the DSCP value has relevance.
WEB INTERFACE To configure LLDP-MED TLVs: 1. Click Configuration, LLDP-MED. 2. Modify any of the timing parameters as required. 3. Set the fast start repeat count, descriptive information for the endpoint device, and policies applied to selected ports. 4. Click Save.
on the amount of cables attached to each device. Once configured to supply power, the switch starts an automatic detection process in which the connected device is authenticated by its PoE signature. Detection and authentication prevent damage to devices that are not IEEE 802.3af or 802.3at compliant, because power is not applied until a valid signature is seen. ◆ This switch supports both the IEEE 802.3af PoE and IEEE 802.3at-2009 PoE Plus standards.
and reserves power accordingly. Four different port classes exist, including 4, 7, 15.4 or 34.2 Watts. In this mode, the Maximum Power fields have no effect. ■ Allocation – The amount of power that each port may reserve is specified. The allocated/reserved power for each port/PD is specified in the Maximum Power fields.
◆ Maximum Power - The maximum power that can be delivered to a remote device. (Range: 0-34.2 Watts depending on the PoE mode) WEB INTERFACE To configure global and port-specific PoE settings: 1. Click Advanced Configuration, PoE. 2. Set the global PoE parameters, including the method used to determine reserved port power, the method by which port power is shut down, and the switch’s overall power budget. 3.
PARAMETERS These parameters are displayed: Aging Configuration ◆ Disable Automatic Aging - Disables the automatic aging of dynamic entries. (Address aging is enabled by default.) ◆ Aging Time - The time after which a learned entry is discarded. (Range: 10-1000000 seconds; Default: 300 seconds) MAC Table Learning ◆ Auto - Learning is done automatically as soon as a frame with an unknown source MAC address is received.
4. Add any required static MAC addresses by clicking the Add New Static Entry button, entering the VLAN ID and MAC address, and marking the ports to which the address is to be mapped. 5. Click Save. Figure 65: MAC Address Table Configuration IEEE 802.1Q VLANS In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains.
◆ End stations can belong to multiple VLANs ◆ Passing traffic between VLAN-aware and VLAN-unaware devices ◆ Priority tagging Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports.
WEB INTERFACE To configure IEEE 802.1Q VLAN groups: 1. Click Configuration, VLANs, VLAN Membership. 2. Change the ports assigned to the default VLAN (VLAN 1) if required. 3. To configure a new VLAN, click Add New VLAN, enter the VLAN ID, and then mark the ports to be assigned to the new group. 4. Click Save.
◆ Port Type – Configures how a port processes the VLAN ID in ingress frames. (Default: Unaware) ■ C-port – For customer ports, each frame is assigned to the VLAN indicated in the VLAN tag, and the tag is removed. ■ S-port – For service ports, the EtherType of all received frames is changed to 0x88a8 to indicate that double-tagged frames are being forwarded across the switch.
are classified to the Port VLAN ID. If the classified VLAN ID of a frame transmitted on the port is different from the Port VLAN ID, a VLAN tag with the classified VLAN ID is inserted in the frame. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.
USING PORT ISOLATION Use the Port Isolation Configuration page to prevent communications between customer ports within the same private VLAN. Ports within a private VLAN (PVLAN) are already isolated from ports which are not in the same PVLAN; Port Isolation additionally prevents communications between ports within the same PVLAN. An isolated port cannot forward any unicast, multicast, or broadcast traffic to any other ports in the same PVLAN.
COMMAND USAGE ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆ When MAC-based and protocol-based VLANs are both enabled, MAC-based classification is applied first, then protocol-based classification, and port-based classification (the PVID) last. PARAMETERS These parameters are displayed: ◆ MAC Address – A source MAC address which is to be mapped to a specific VLAN.
PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
LLC – Includes the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) values. (Range: 0x00-0xff; Default: 0xff) SNAP – Includes OUI (Organizationally Unique Identifier) and PID (Protocol ID) values: ■ OUI – A value in the format xx-xx-xx where each pair (xx) in the string is a hexadecimal value in the range 0x00-0xff.
MAPPING PROTOCOL GROUPS TO PORTS Use the Group Name to VLAN Mapping Table to map a protocol group to a VLAN for each interface that will participate in the group. PATH Advanced Configuration, VCL, Protocol-based VLANs, Group to VLAN COMMAND USAGE ◆ When creating a protocol-based VLAN, only assign interfaces using this configuration screen.
Figure 71: Assigning Ports to Protocol VLANs CONFIGURING IP SUBNET-BASED VLANS Use the IP Subnet-based VLAN Membership Configuration page to map untagged ingress frames to a specified VLAN if the source address is found in the IP subnet-to-VLAN mapping table. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
◆ IP Address – The IP address for a subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. ◆ Mask Length – The network mask length. ◆ VLAN ID – VLAN to which matching IP subnet traffic is forwarded. (Range: 1-4095) ◆ Port Members – Ports assigned to an IP subnet VLAN. WEB INTERFACE To configure an IP Subnet-based VLAN: 1. Click Advanced Configuration, VCL, IP Subnet-based VLAN. 2.
CONFIGURING VOIP TRAFFIC Use the Voice VLAN Configuration page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list. ■ Forced – The Voice VLAN feature is enabled on the port. ◆ Security – Enables security filtering that discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID.
Figure 73: Configuring Global and Port Settings for a Voice VLAN CONFIGURING TELEPHONY OUI Use the Voice VLAN OUI Table to identify VoIP devices attached to the switch. VoIP devices can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. Because the OUI is read from the source MAC address of received packets, any device that sets its MAC address to a listed OUI is classified as a VoIP device; OUI matching identifies devices, it does not authenticate them.
3. Enter a MAC address that specifies the OUI for VoIP devices in the network, and enter a description for the devices. 4. Click Save. Figure 74: Configuring an OUI Telephony List QUALITY OF SERVICE All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class. Class information can be assigned by end hosts, or switches or routers along the path.
CONFIGURING PORT CLASSIFICATION Use the QoS Ingress Port Classification page to set the basic QoS parameters for a port, including the default traffic class, DP level (IEEE 802.1p), and DSCP-based QoS classification. PATH Advanced Configuration, QoS, Port Classification PARAMETERS These parameters are displayed: QoS Ingress Port Classification ◆ Port – Port identifier. ◆ QoS class – Controls the default QoS class, i.e.
verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded without any changes. PATH Advanced Configuration, QoS, Port Policing PARAMETERS These parameters are displayed: ◆ Port – Port identifier. ◆ Enabled – Enables or disables port policing on a port. ◆ Rate – Controls the maximum rate for frames entering the ingress queue for a port. (Range: 100-1,000,000 kbps/fps, 1-3.
PARAMETERS These parameters are displayed: Displaying QoS Egress Port Schedulers ◆ Port – Port identifier. ◆ Mode – Shows the scheduling mode for this port. ◆ Weight – Shows the weight of each egress queue used by the port.
◆ Port Shaper – Sets the rate at which traffic can egress this queue. ■ Enable – Enables or disables port shaping. (Default: Disabled) ■ Rate – Controls the rate for the port shaper. The default value is 500. This value is restricted to 100-1000000 kbps, or 1-3300 Mbps. ■ Unit – Controls the unit of measure for the port shaper rate as “kbps” or “Mbps”.
Figure 78: Configuring Egress Port Schedulers and Shapers CONFIGURING EGRESS PORT SHAPER Use the QoS Egress Port Shapers page to show an overview of the QoS Egress Port Shapers, including the rate for each queue and port.
WEB INTERFACE To show an overview of the rate for each queue and port: 1. Click Advanced Configuration, QoS, Port Shaper. 2. Click any entry under the Port field to configure the Port Scheduler and Shaper. Figure 79: Displaying Egress Port Shapers CONFIGURING PORT REMARKING MODE Use the QoS Egress Port Tag Remarking page to show an overview of the QoS Egress Port Tag Remarking mode.
■ Mapped – Controls the mapping of the classified QoS class values and DP levels (drop precedence) to (PCP/DEI) values. ■ QoS class/DP level – Shows the mapping options for QoS class values and DP levels (drop precedence). ■ PCP – Remarks matching egress frames with the specified Priority Code Point (or User Priority) value. (Range: 0-7; Default: 0) ■ DEI – Remarks matching egress frames with the specified Drop Eligible Indicator.
Figure 81: Configuring Port Tag Remarking Mode CONFIGURING PORT DSCP TRANSLATION AND REWRITING Use the QoS Port DSCP Configuration page to configure ingress translation and classification settings and egress re-writing of DSCP values. PATH Advanced Configuration, QoS, Port DSCP PARAMETERS These parameters are displayed: ◆ Port – Port identifier.
■ Disable – No Ingress DSCP Classification is performed. ■ DSCP=0 – Classify if incoming DSCP is 0. ■ Selected – Classify only selected DSCP for which classification is enabled in the DSCP Translation table (see page 198). ■ All – Classify all DSCP. ◆ Egress Rewrite – Configures port egress rewriting of DSCP values: ■ Disable – Egress rewriting is not performed. ■ Enable – Egress rewriting is performed without remapping.
PATH Advanced Configuration, QoS, DSCP-Based QoS PARAMETERS These parameters are displayed: ◆ DSCP – DSCP value in ingress packets. (Range: 0-63) ◆ Trust – Controls whether a specific DSCP value is trusted. Only frames with trusted DSCP values are mapped to a specific QoS class and drop level (DPL). Frames with untrusted DSCP values are treated as non-IP frames.
CONFIGURING DSCP TRANSLATION Use the DSCP Translation page to configure DSCP translation for ingress traffic or DSCP re-mapping for egress traffic. PATH Advanced Configuration, QoS, DSCP Translation PARAMETERS These parameters are displayed: ◆ DSCP – DSCP value. (Range: 0-63) ◆ Ingress Translate – Enables ingress translation of DSCP values based on the specified classification method.
CONFIGURING DSCP CLASSIFICATION Use the DSCP Classification page to map DSCP values to a QoS class and drop precedence level. PATH Advanced Configuration, QoS, DSCP Classification PARAMETERS These parameters are displayed: ◆ QoS Class – Shows the mapping options for QoS class values. ◆ DSCP – DSCP value. (Range: 0-63) WEB INTERFACE To map DSCP values to a QoS class: 1. Click Advanced Configuration, QoS, DSCP Classification. 2.
PARAMETERS These parameters are displayed: QoS Control List ◆ QCE – Quality Control Entry index. ◆ Port - Port identifier. ◆ Frame Type – Indicates the type of frame to look for in incoming frames. Possible frame types are: Any, Ethernet, LLC, SNAP, IPv4, IPv6. ◆ SMAC - The OUI field of the source MAC address, i.e. the first three octets (bytes) of the MAC address. ◆ DMAC - The type of destination MAC address.
Key Parameters ◆ Tag – VLAN tag type. (Options: Any, Tag, Untag; Default: Any) ◆ VID – VLAN identifier. (Options: Any, Specific (1-4095), Range; Default: Any) ◆ PCP – Priority Code Point (User Priority). (Options: a specific value of 0, 1, 2, 3, 4, 5, 6, 7, a range of 0-1, 2-3, 4-5, 6-7, 0-3, 4-7, or Any; Default: 0) ◆ DEI – Drop Eligible Indicator. (Options: 0, 1 or Any) ◆ SMAC – The OUI field of the source MAC address.
other than 00-00-00, then the valid PID value is any value from 0x0000 to 0xffff. ■ IPv4 – IPv4 frame type includes the following settings: ■ Protocol – IP protocol number. (Options: Any, UDP, TCP, or Other (0-255)) ■ Source IP – Source IP address. (Options: Any, Specific) To configure a specific source IP address, enter both the address and mask format. The address and mask must be in the format x.y.z.
a queue based on basic classification rules. (Options: 0-7, Default (use basic classification); Default setting: 0) ◆ DPL – The drop precedence level will be set to the specified value or left unchanged. (Options: 0-1, Default; Default setting: Default) ◆ DSCP – The DSCP value will be set to the specified value or left unchanged.
CONFIGURING STORM CONTROL Use the Storm Control Configuration page to set limits on broadcast, multicast and unknown unicast traffic to control traffic storms which may occur when a network device is malfunctioning, the network is not properly configured, or application programs are not well designed or properly configured. Traffic storms caused by any of these problems can severely degrade performance or bring your network to a complete halt.
CONFIGURING WRED Use the WRED Configuration page to control traffic congestion on the switch’s output queues using Weighted Random Early Detection (WRED). This method controls the average queue size by randomly dropping packets at a moderate rate as the network load moves above a specified minimum threshold, and then at a more aggressive rate as it approaches the maximum threshold.
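The behaviour described above (no drops below the minimum threshold, a moderate random drop rate just above it, and progressively more aggressive dropping towards the maximum) can be reproduced with the following Python simulation, added here for illustration and not code from the switch or its vendor. It keeps an exponentially weighted average of queue fill, applies a per-DP-level drop probability that rises linearly from zero at the minimum threshold to the configured maximum at full average occupancy, and leaves DP level 0 to tail drop only. That linear profile, the choice of 100 % fill as the maximum threshold, the averaging weight and the queue sizes are assumptions of the example rather than a description of the switch hardware.

```python
import random
from dataclasses import dataclass


@dataclass
class WredQueue:
    """One egress queue with WRED. Fill levels are percentages of capacity.
    Assumption of this example: the drop probability rises linearly from 0 at
    min_threshold_pct to max_drop_prob[dpl] at 100 % average fill; DP level 0 is
    never early-dropped, it is only tail-dropped when the queue is physically full."""
    capacity: int
    min_threshold_pct: float
    max_drop_prob: dict           # DP level 1..3 -> probability reached at 100 % fill
    weight: float = 0.1           # EWMA weight for the average queue size (assumed)
    occupancy: int = 0
    avg_pct: float = 0.0

    def drop_probability(self, dpl: int) -> float:
        if dpl == 0 or self.avg_pct <= self.min_threshold_pct:
            return 0.0
        if self.avg_pct >= 100.0:
            return 1.0
        span = 100.0 - self.min_threshold_pct
        return self.max_drop_prob.get(dpl, 0.0) * (self.avg_pct - self.min_threshold_pct) / span

    def enqueue(self, dpl: int, rng: random.Random) -> bool:
        """Offer one packet; True if it was queued, False if it was dropped."""
        fill_pct = 100.0 * self.occupancy / self.capacity
        self.avg_pct = (1.0 - self.weight) * self.avg_pct + self.weight * fill_pct
        if self.occupancy >= self.capacity:
            return False                       # tail drop: queue physically full
        if rng.random() < self.drop_probability(dpl):
            return False                       # WRED early drop
        self.occupancy += 1
        return True

    def dequeue(self, n: int = 1) -> None:
        self.occupancy = max(0, self.occupancy - n)


def simulate(arrivals_per_tick: int, service_per_tick: int, ticks: int,
             dpl_mix=(0, 1, 2, 3), seed: int = 1) -> dict:
    """Offer arrivals_per_tick packets per tick with DP levels drawn from dpl_mix and
    drain service_per_tick per tick. Returns {dpl: (dropped, offered)}."""
    queue = WredQueue(capacity=400, min_threshold_pct=25.0,
                      max_drop_prob={1: 0.10, 2: 0.50, 3: 1.00})
    rng = random.Random(seed)
    offered = {d: 0 for d in range(4)}
    dropped = {d: 0 for d in range(4)}
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            dpl = rng.choice(dpl_mix)
            offered[dpl] += 1
            if not queue.enqueue(dpl, rng):
                dropped[dpl] += 1
        queue.dequeue(service_per_tick)
    return {d: (dropped[d], offered[d]) for d in range(4)}


def drop_rates(result: dict) -> dict:
    return {d: (drp / off if off else 0.0) for d, (drp, off) in result.items()}


if __name__ == "__main__":
    # Offer 10 packets per tick against a service rate of 8: a sustained 25 % overload.
    for dpl, rate in drop_rates(simulate(10, 8, 3000)).items():
        print(f"DPL {dpl}: {rate:.1%} dropped")
```

Under the sustained overload in the usage call the queue settles at the average fill where the blended drop rate equals the excess load, so the higher DP levels absorb the loss and DP level 0 is left almost untouched; that ordering is what WRED buys over plain tail drop, which would discard all levels equally once the queue filled.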
WEB INTERFACE To configure WRED: 1. Click Configuration, QoS, WRED. 2. Enable WRED on the priority queues as required. 3. Set the minimum threshold below which no packets are dropped. 4. Set the drop probabilities for DP levels 1 through 3 as a percentage. 5. Click Save. Figure 88: WRED Configuration CONFIGURING CONGESTION MANAGEMENT Use the Congestion Management page to specify whether or not to forward traffic when the destination port is congested.
Figure 89: Congestion Management Configuration CONFIGURING LOCAL PORT MIRRORING Use the Mirroring & RSPAN Configuration page to mirror traffic from any local source port to a target port on the same switch for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
■ Tx only - Frames transmitted from this port are mirrored to the destination port. ◆ Destination - Traffic from all configured source ports is mirrored to this port. (Default: Disabled) WEB INTERFACE To configure local port mirroring: 1. Click Basic/Advanced Configuration, Mirroring & RSPAN. 2. Set the Mode to Enabled, and the Type to Mirror. 3. Set the type of traffic to mirror on the Source ports to be monitored. 4.
Figure 91: Configuring Remote Port Mirroring (diagram: a Source Switch, an Intermediate Switch and a Destination Switch connected through Uplink Ports carrying the RSPAN VLAN; ingress or egress traffic is mirrored onto the RSPAN VLAN from the Source Port, and tagged or untagged traffic from the RSPAN VLAN is analyzed at the Destination Port)
session is allowed, either local or remote. Also, note that the source port and destination port cannot be configured on the same switch. ■ MAC address learning is not supported on RSPAN uplink ports (Figure 91) when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be re-started on RSPAN uplink ports.
◆ Intermediate – Uplink ports to intermediate switches. MAC Table learning must be disabled on intermediate ports. ◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from source ports. A destination port can be configured on more than one switch for the same session.
To configure remote port mirroring for an RSPAN intermediate switch: 1. Click Basic/Advanced Configuration, Mirroring & RSPAN. 2. Set the Mode to Enabled, and the Type to Intermediate. 3. Select the intermediate ports through which all mirrored traffic will be forwarded to other switches. 4. Click Save. Figure 93: Mirror Configuration (Intermediate) To configure remote port mirroring for an RSPAN destination switch: 1.
Figure 94: Mirror Configuration (Destination) CONFIGURING UPNP Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards. COMMAND USAGE The first step in UPnP networking is discovery.
interface. Or right-click on the entry and select “Properties” to display a list of device attributes advertised through UPnP. PATH Advanced Configuration, UPnP PARAMETERS These parameters are displayed: ◆ Mode - Enables/disables UPnP on the device. (Default: Disabled) ◆ TTL - Sets the time-to-live (TTL) value for UPnP messages transmitted by the switch.
the monitored interface. Moreover, the processor and memory load imposed by the sFlow agent is minimal since local analysis does not take place. The wire-speed transmission characteristic of the switch is thus preserved even at high traffic levels. As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created.
◆ UDP Port – The UDP port on which the sFlow receiver is listening for sFlow datagrams. If set to 0 (zero), the default port (6343) is used. (Range: 0-65534; Default: 6343) ◆ Timeout – The number of seconds remaining before sampling stops, the current sFlow owner is released, and all sFlow parameters are reset.
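The datagrams the collector receives on UDP port 6343 follow the sFlow version 5 layout. The following Python decoder is an added example, not the switch’s sFlow agent or any collector product: it reads the datagram header (agent address, sub-agent, sequence number, uptime), walks the samples by their declared lengths, decodes flow samples that carry raw packet header records, and scales each sampled frame by its sampling rate to estimate the traffic it stands for. The datagram it decodes is built inline with made-up values. Because sFlow is plain UDP with no authentication, a collector should accept datagrams only from the agent addresses it expects; resynchronising on the declared length of every sample and record keeps a malformed or unknown sample from derailing the rest of the datagram.

```python
import ipaddress
import struct

SFLOW_DEFAULT_PORT = 6343


class _Reader:
    """Cursor over a datagram; every sFlow field is 4-byte aligned, so u32 and raw takes suffice."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        value = struct.unpack_from("!I", self.data, self.pos)[0]
        self.pos += 4
        return value

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("datagram truncated")
        self.pos += n
        return chunk


def parse_sflow(datagram: bytes) -> dict:
    """Decode an sFlow v5 datagram header and its flow samples. Counter samples and
    vendor-specific samples are noted and skipped by their declared length."""
    r = _Reader(datagram)
    if r.u32() != 5:
        raise ValueError("only sFlow version 5 is handled")
    agent = ipaddress.ip_address(r.take(4 if r.u32() == 1 else 16))   # address type 1 = IPv4
    out = {"agent": str(agent), "sub_agent_id": r.u32(), "sequence": r.u32(),
           "uptime_ms": r.u32(), "samples": []}
    for _ in range(r.u32()):
        data_format, length = r.u32(), r.u32()
        end = r.pos + length
        enterprise, sample_type = data_format >> 12, data_format & 0xFFF
        if enterprise == 0 and sample_type == 1:
            out["samples"].append(_parse_flow_sample(r))
        else:
            out["samples"].append({"type": f"skipped {enterprise}:{sample_type}"})
        r.pos = end                      # resync on the declared length, whatever the body held
    return out


def _parse_flow_sample(r: _Reader) -> dict:
    s = {"type": "flow", "sequence": r.u32()}
    source_id = r.u32()
    s["source"] = (source_id >> 24, source_id & 0xFFFFFF)   # (type, index); type 0 = ifIndex
    s["sampling_rate"], s["sample_pool"], s["drops"] = r.u32(), r.u32(), r.u32()
    s["input_if"], s["output_if"] = r.u32(), r.u32()
    s["records"] = []
    for _ in range(r.u32()):
        record_format, length = r.u32(), r.u32()
        end = r.pos + length
        if record_format == 1:                                # raw packet header record
            s["records"].append(_parse_raw_header(r))
        else:
            s["records"].append({"format": record_format})
        r.pos = end
    return s


def _parse_raw_header(r: _Reader) -> dict:
    rec = {"format": "raw_packet_header", "header_protocol": r.u32(),
           "frame_length": r.u32(), "stripped": r.u32()}
    header = r.take(r.u32())
    if rec["header_protocol"] == 1 and len(header) >= 14:      # 1 = Ethernet
        rec["dst_mac"], rec["src_mac"] = header[0:6].hex(":"), header[6:12].hex(":")
        rec["ethertype"] = struct.unpack_from("!H", header, 12)[0]
        if rec["ethertype"] == 0x0800 and len(header) >= 34:
            rec["src_ip"] = str(ipaddress.IPv4Address(header[26:30]))
            rec["dst_ip"] = str(ipaddress.IPv4Address(header[30:34]))
    return rec


def estimated_bytes(parsed: dict) -> int:
    """Each sampled frame stands for sampling_rate frames of its size on the wire."""
    total = 0
    for sample in parsed["samples"]:
        if sample.get("type") != "flow":
            continue
        for rec in sample["records"]:
            if rec.get("format") == "raw_packet_header":
                total += rec["frame_length"] * sample["sampling_rate"]
    return total


def _u32s(*values: int) -> bytes:
    return struct.pack("!%dI" % len(values), *values)


def build_sample_datagram() -> bytes:
    """Constructed datagram (not a capture): agent 192.168.1.10, one flow sample from
    ifIndex 3 at rate 1:512 carrying the first 34 bytes of an Ethernet/IPv4 frame."""
    eth_ipv4 = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x00"
                + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 17, 0,
                              bytes([10, 0, 0, 7]), bytes([10, 0, 0, 255])))
    raw = _u32s(1, 1518, 4, len(eth_ipv4)) + eth_ipv4 + bytes((-len(eth_ipv4)) % 4)
    flow = _u32s(77, 3, 512, 77 * 512, 0, 3, 0x3FFFFFFF, 1) + _u32s(1, len(raw)) + raw
    return (_u32s(5, 1) + bytes([192, 168, 1, 10]) + _u32s(0, 1, 123456, 1)
            + _u32s(1, len(flow)) + flow)


if __name__ == "__main__":
    parsed = parse_sflow(build_sample_datagram())
    print(parsed)
    print("estimated bytes represented:", estimated_bytes(parsed))
```

The sampling rate is carried in every flow sample rather than fixed by the collector, so a collector that forgets to multiply by it under-reports traffic by exactly that factor; the `estimated_bytes` helper shows the scaling applied per sample.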
Figure 96: sFlow Configuration
5 MONITORING THE SWITCH This chapter describes how to monitor all of the basic functions, configure or view system logs, and how to view traffic status or the address table. DISPLAYING BASIC INFORMATION ABOUT THE SYSTEM You can use the Monitor/System menu to display a basic description of the switch, log messages, or statistics on traffic used in managing the switch.
CHAPTER 5 | Monitoring the Switch Displaying Basic Information About the System ◆ Software Date – Release date of the switch software. ◆ Code Revision – Version control identifier of the switch software. WEB INTERFACE To view System Information, click Monitor, System, Information. Figure 97: System Information DISPLAYING CPU UTILIZATION Use the CPU Load page to display information on CPU utilization. The load is averaged over the last 100 ms, 1 second and 10 second intervals.
WEB INTERFACE To display CPU utilization: 1. Click System, then CPU Load. Figure 98: CPU Load DISPLAYING LOG MESSAGES Use the System Log Information page to scroll through the logged system and event messages. PATH Monitor, System, Log PARAMETERS These parameters are displayed: Display Filter ◆ Level – Specifies the type of log messages to display. ■ Info – Informational messages only. ■ Warning – Warning conditions.
Table Headings ◆ ID – Error ID. ◆ Level – Error level as described above. ◆ Time – The time of the system log entry. ◆ Message – The message text of the system log entry. WEB INTERFACE To display the system log: 1. Click Monitor, System, Log. 2. Specify the message level to display, the starting message ID, and the number of messages to display per page. 3.
DISPLAYING LOG DETAILS Use the Detailed Log page to view the full text of specific log messages. PATH Monitor, System, Detailed Log WEB INTERFACE To display the text of a specific log message: 1. Click Monitor, System, Detailed Log. 2. Enter a log identifier in the ID field, and click Refresh.
DISPLAYING AN OVERVIEW OF PORT STATISTICS Use the Port Statistics Overview page to display a summary of basic information on the traffic crossing each port. PATH Monitor, Ports, Traffic Overview PARAMETERS These parameters are displayed: ◆ Packets Received/Transmitted – The number of packets received and transmitted. ◆ Bytes Received/Transmitted – The number of bytes received and transmitted.
◆ Q# Receive/Transmit – The number of packets received and transmitted through the indicated queue. WEB INTERFACE To display the queue counters, click Monitor, Ports, QoS Statistics. Figure 103: Queueing Counters DISPLAYING QCL STATUS Use the QoS Control List Status page to show the QCE entries configured for different users or software modules, and whether or not there is a conflict.
◆ Conflict – Displays QCE status. If the hardware resources required to add a QCE are not available, the conflict status is shown as Yes; otherwise it is No. A conflict can be resolved by releasing the resources required by the QCE and pressing the Refresh button. WEB INTERFACE To display the status of QCE entries: 1. Click Monitor, Ports, QCL Status. 2.
■ Broadcast – The number of received and transmitted broadcast packets (good and bad). ■ Pause – A count of the MAC Control frames received or transmitted on this port that have an opcode indicating a PAUSE operation. ◆ Receive/Transmit Size Counters – The number of received and transmitted packets (good and bad) split into categories based on their respective frame sizes.
WEB INTERFACE To display the detailed port statistics, click Monitor, Ports, Detailed Statistics.
DISPLAYING INFORMATION ABOUT SECURITY SETTINGS You can use the Monitor/Security menu to display statistics on management traffic, security controls for client access to the data ports, and the status of remote authentication access servers. DISPLAYING ACCESS MANAGEMENT STATISTICS Use the Access Management Statistics page to view statistics on traffic used in managing the switch.
DISPLAYING INFORMATION ABOUT SWITCH SETTINGS FOR PORT SECURITY Use the Port Security Switch Status page to show information about MAC address learning for each port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed. Port Security is a module with no direct configuration.
■ Limit Reached: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is reached and no more MAC addresses should be taken in. ■ Shutdown: The Port Security service is enabled by at least the Limit Control user module, and that module has indicated that the limit is exceeded.
◆ VLAN ID – The VLAN ID seen on this port. ◆ State – Indicates whether the corresponding MAC address is blocked or forwarding. In the blocked state, it will not be allowed to transmit or receive traffic. ◆ Time of Addition – Shows the date and time when this MAC address was first seen on the port.
recently received frame from a new client for MAC-based authentication. ◆ Last ID – The user name (supplicant identity) carried in the most recently received Response Identity EAPOL frame for EAPOL-based authentication, and the source MAC address from the most recently received frame from a new client for MAC-based authentication. ◆ QoS Class – The QoS class that NAS has assigned to this port.
PARAMETERS These parameters are displayed: Port State ◆ Admin State – The port's current administrative state. Refer to NAS Admin State for a description of possible values (see page 85). ◆ Port State – The current state of the port. Refer to NAS Port State for a description of the individual states (see page 85). ◆ QoS Class – The QoS class assigned by the RADIUS server. The field is blank if no QoS class is assigned.
◆ Request ID – The number of EAPOL Request Identity frames that have been transmitted by the switch. ◆ Requests – The number of valid EAPOL Request frames (other than Request Identity frames) that have been transmitted by the switch. Receive Backend Server Counters – For MAC-based ports there are two tables containing backend server counters. The left-most shows a summary of all backend server counters on this port.
Last Supplicant Info ◆ MAC Address – The MAC address of the last supplicant/client. ◆ VLAN ID – The VLAN ID on which the last frame from the last supplicant/client was received. ◆ Version – ■ 802.1X-based: The protocol version number carried in the most recently received EAPOL frame. ■ MAC-based: Not applicable. ◆ Identity – ■ 802.
the client will remain in the unauthenticated state for Hold Time seconds (see page 231). ◆ Last Authentication – Shows the date and time of the last authentication of the client (successful as well as unsuccessful). WEB INTERFACE To display port statistics for 802.1X or Remote Authentication Service: 1. Click Monitor, Security, Network, NAS, Port. 2. Select a port from the drop-down list.
CHAPTER 5 | Monitoring the Switch Displaying Information About Security Settings ■ ◆ Frame Type – Indicates the frame type to which the ACE applies. Possible values are: ■ ■ ◆ Port: The ACE will match a specific ingress port. Any: The ACE will match any frame type. EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE will not get matched by IP and ARP frames. ■ ARP: ACE will match ARP/RARP frames. ■ IPv4: ACE will match all IPv4 frames.
CHAPTER 5 | Monitoring the Switch Displaying Information About Security Settings DISPLAYING Use the DHCP Snooping Port Statistics page to show statistics for various STATISTICS FOR types of DHCP protocol packets. DHCP SNOOPING PATH Monitor, Security, Network, DHCP, Snooping Statistics PARAMETERS These parameters are displayed: ◆ Rx/Tx Discover – The number of discover (option 53 with value 1) packets received and transmitted.
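The counters on this page are keyed by the DHCP Message Type option (option 53), and the reason DHCP snooping keeps them per port is that server-originated messages arriving on a client-facing port are the signature of a rogue DHCP server. The following Python is an added example, not code from the switch firmware: it parses the DHCP options area to classify a message by option 53, counts messages per port and type the way the statistics page does, and drops Offer/Ack/Nak messages that arrive on a port not in the trusted set. The packets, port numbers and trusted-port set are constructed for the example.

```python
"""Classify DHCP messages by option 53 (DHCP Message Type) and apply the
basic DHCP snooping trust rule: server-originated messages (Offer, Ack, Nak)
are accepted only on trusted ports.  Added example with constructed packets;
not code from the switch firmware."""
import struct
from collections import Counter

# Option 53 values (RFC 2132, section 9.6); the Snooping Statistics page
# keeps one Rx/Tx counter pair per value.
DHCP_MESSAGE_TYPES = {
    1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
    5: "Ack", 6: "Nak", 7: "Release", 8: "Inform",
}
# Only a DHCP server sends these; arriving on an untrusted (client-facing)
# port they indicate a rogue server, and snooping drops them.
SERVER_MESSAGES = {"Offer", "Ack", "Nak"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options-area marker
OPTIONS_OFFSET = 240                 # 236-byte BOOTP header + 4-byte cookie


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options area into {code: value_bytes}.
    Raises ValueError on a truncated or non-DHCP payload."""
    if len(payload) < OPTIONS_OFFSET or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short payload or bad magic cookie)")
    options, i = {}, OPTIONS_OFFSET
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad octet, no length field
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def dhcp_message_type(payload: bytes) -> str:
    """Return the option-53 message type name, or 'Unknown' if absent or malformed."""
    value = parse_dhcp_options(payload).get(53, b"")
    if len(value) != 1:
        return "Unknown"
    return DHCP_MESSAGE_TYPES.get(value[0], "Unknown")


def build_dhcp(op: int, msg_type: int, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCP message carrying only option 53 (sample input
    for this example; op=1 is BOOTREQUEST, op=2 is BOOTREPLY)."""
    # op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags, ciaddr, yiaddr,
    # siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def snoop(frames, trusted_ports) -> tuple:
    """Count received messages per (port, type), as the statistics page does,
    and return (counts, dropped), where dropped lists the (port, type) pairs
    that failed the trust check."""
    counts, dropped = Counter(), []
    for port, payload in frames:
        mtype = dhcp_message_type(payload)
        counts[(port, mtype)] += 1
        if mtype in SERVER_MESSAGES and port not in trusted_ports:
            dropped.append((port, mtype))
    return counts, dropped


if __name__ == "__main__":
    # Constructed sample: a client on port 5, a legitimate server on port 49,
    # and a rogue Offer arriving on the client port.
    sample = [(5, build_dhcp(1, 1)), (49, build_dhcp(2, 2)), (5, build_dhcp(2, 2))]
    print(snoop(sample, trusted_ports={49}))
```

In practice the trusted set should contain only the uplink toward the real DHCP server; a sustained non-zero "Offer" or "Ack" receive count on any other port is worth an alert, since those frames have no legitimate source there.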
Figure 112: DHCP Snooping Statistics
DISPLAYING DHCP RELAY STATISTICS
Use the DHCP Relay Statistics page to display statistics for the DHCP relay service supported by this switch and DHCP relay clients.
PATH Monitor, Security, Network, DHCP, Relay Statistics
PARAMETERS These parameters are displayed:
Server Statistics
◆ Transmit to Server – The number of packets relayed from the client to the server.
◆ Receive Bad Remote ID – The number of packets with a Remote ID option that did not match a known remote ID.
Client Statistics
◆ Transmit to Client – The number of packets that were relayed from the server to a client.
◆ Transmit Error – The number of packets that resulted in errors while being sent to clients.
◆ Receive from Client – The number of packets received from clients.
WEB INTERFACE To display the Dynamic ARP Inspection Table, click Monitor, Security, Network, ARP Inspection.
Figure 114: Dynamic ARP Inspection Table
DISPLAYING ENTRIES IN THE IP SOURCE GUARD TABLE
Open the Dynamic IP Source Guard Table to display entries sorted first by port, then VLAN ID, MAC address, and finally IP address.
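Both tables above hold the same kind of entry, a (port, VLAN, MAC, IP) binding learned from DHCP snooping, and the two features differ only in what they check against it: Dynamic ARP Inspection validates the sender fields of ARP packets, IP Source Guard validates the source of IP packets. The following Python is an added example, not code from the switch, that implements both checks against a constructed binding table. Port numbers, addresses and the trusted-port set are assumptions made for the example; the Ethernet-source/ARP-sender consistency check is an extra validation that this page does not describe.

```python
"""Validate ARP frames and IP packet sources against a DHCP snooping binding
table, the check that Dynamic ARP Inspection and IP Source Guard apply to
untrusted ports.  Added example with constructed bindings and frames; not
code from the switch.  The Ethernet-source/ARP-sender consistency check is
an extra validation this page does not describe."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Bindings keyed the way the status pages list them: (port, vlan, mac) -> ip
Binding = Tuple[int, int, str]
ETHERTYPE_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Parse an untagged Ethernet II frame; return ARP fields for Ethernet/IPv4
    ARP, None for other EtherTypes, and raise ValueError for malformed ARP."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,                        # 1 = request, 2 = reply
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


def arp_inspect(bindings: Dict[Binding, str], port: int, vlan: int,
                frame: bytes, trusted_ports=frozenset()) -> str:
    """Return 'forward' or a 'drop: ...' reason for a frame received on port/vlan."""
    if port in trusted_ports:
        return "forward"                     # DAI does not inspect trusted ports
    arp = parse_arp(frame)
    if arp is None:
        return "forward"                     # only ARP is inspected
    if arp["eth_src"] != arp["sender_mac"]:
        return "drop: Ethernet source does not match ARP sender MAC"
    bound_ip = bindings.get((port, vlan, arp["sender_mac"]))
    if bound_ip is None:
        return "drop: no binding for sender MAC on this port/VLAN"
    if bound_ip != arp["sender_ip"]:
        return "drop: sender IP %s does not match binding %s" % (arp["sender_ip"], bound_ip)
    return "forward"


def ip_source_guard(bindings: Dict[Binding, str], port: int, vlan: int,
                    src_mac: str, src_ip: str, trusted_ports=frozenset()) -> bool:
    """IP Source Guard: permit an IP packet only if (port, vlan, src_mac) is
    bound to src_ip, or the port is trusted."""
    if port in trusted_ports:
        return True
    return bindings.get((port, vlan, src_mac)) == src_ip


def build_arp_reply(eth_src: bytes, sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Construct an Ethernet/ARP reply frame (sample input for this example)."""
    eth = target_mac + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac
           + IPv4Address(sender_ip).packed + target_mac + IPv4Address(target_ip).packed)
    return eth + arp


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")   # constructed host on port 5, VLAN 10
    attacker = bytes.fromhex("66778899aabb")
    gateway = bytes.fromhex("0a0b0c0d0e0f")
    table = {(5, 10, "00:11:22:33:44:55"): "192.0.2.10"}
    # The attacker claims the gateway's IP: no binding for its MAC, so it is dropped.
    spoof = build_arp_reply(attacker, attacker, "192.0.2.1", client, "192.0.2.10")
    print(arp_inspect(table, 5, 10, spoof))
```

The table lookup is keyed by (port, VLAN, MAC), which is why a host that moves to another port without renewing its lease shows up as a drop even though its MAC and IP are still valid elsewhere.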
CHAPTER 5 | Monitoring the Switch Displaying Information on Authentication Servers
DISPLAYING INFORMATION ON AUTHENTICATION SERVERS
Use the Monitor/Authentication pages to display information on RADIUS authentication and accounting servers, including the IP address and statistics for each server.
DISPLAYING A LIST OF AUTHENTICATION SERVERS
Use the RADIUS Overview page to display a list of configured authentication and accounting servers.
DISPLAYING STATISTICS FOR CONFIGURED AUTHENTICATION SERVERS
Use the RADIUS Details page to display statistics for configured authentication and accounting servers. The statistics map closely to those specified in RFC 4668 (RADIUS Authentication Client MIB).
Accept, Access-Reject, Access-Challenge, timeout, or retransmission.
◆ Timeouts – The number of authentication timeouts to the server. After a timeout, the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout.
◆ Unknown Types – The number of RADIUS packets of unknown types that were received from the server on the accounting port.
◆ Packets Dropped – The number of RADIUS packets that were received from the server on the accounting port and dropped for some other reason.
Transmit Packets
◆ Requests – The number of RADIUS packets sent to the server. This does not include retransmissions.
CHAPTER 5 | Monitoring the Switch Displaying Information on RMON
WEB INTERFACE To display statistics for configured authentication and accounting servers, click Monitor, Security, AAA, RADIUS Details.
Figure 117: RADIUS Details
DISPLAYING INFORMATION ON RMON
Use the monitor pages for RMON to display information on RMON statistics, alarms and event responses.
PARAMETERS These parameters are displayed:
◆ ID – Index of Statistics entry.
◆ Data Source (ifIndex) – Port ID to monitor.
◆ Drop – The total number of events in which packets were dropped by the probe due to lack of resources.
◆ Octets – The total number of octets of data (including those in bad packets) received on the network.
WEB INTERFACE To display RMON statistics, click Monitor, Security, Switch, RMON, Statistics.
Figure 118: RMON Statistics
DISPLAYING RMON HISTORICAL SAMPLES
Use the RMON History Overview page to view statistics on a physical interface, including network utilization, packet types, and errors.
PATH Monitor, Security, Switch, RMON, History
PARAMETERS These parameters are displayed:
◆ History Index – Index of History control entry.
WEB INTERFACE To display RMON historical samples, click Monitor, Security, Switch, RMON, History.
Figure 119: RMON History Overview
DISPLAYING RMON ALARM SETTINGS
Use the RMON Alarm Overview page to display configured alarm settings.
PATH Monitor, Security, Switch, RMON, Alarm
PARAMETERS These parameters are displayed:
◆ ID – Index of Alarm control entry.
◆ Falling Threshold – If the current value is less than the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
◆ Falling Index – The index of the event to use if an alarm is triggered by monitored variables crossing below the falling threshold.
WEB INTERFACE To display RMON alarm settings, click Monitor, Security, Switch, RMON, Alarm.
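The rising and falling thresholds are paired deliberately: RMON (RFC 2819, alarmTable) fires a rising event only once and then re-arms it only after the value has crossed the falling threshold, which is what stops a counter that hovers around one threshold from generating an event every sampling interval. The following Python is an added example, not the switch's implementation, that evaluates one alarm entry over a run of samples with those semantics, including the "absolute"/"delta" sample type and the startup-alarm rule for the first sample. It follows RFC 2819 in treating a value equal to the falling threshold as a crossing, which is a slightly different wording than the parameter description above; the thresholds and readings are constructed for the example.

```python
"""Evaluate an RMON alarm entry (RFC 2819 alarmTable semantics) over a run
of samples.  Added example, not the switch's implementation.  It shows the
hysteresis rule the Alarm page's threshold pair relies on: after a rising
event fires, no further rising event is generated until the value has
crossed the falling threshold (and vice versa)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"                # "absolute" or "delta", as on the Alarm page
    startup_alarm: str = "rising_or_falling"  # which event may fire on the very first sample
    rising_index: int = 1                     # event index fired on a rising crossing
    falling_index: int = 2                    # event index fired on a falling crossing
    last_raw: Optional[int] = None            # previous raw reading (for delta sampling)
    last_value: Optional[int] = None          # previous sampled value
    rising_armed: bool = True                 # RFC 2819 hysteresis state
    falling_armed: bool = True
    events: List[int] = field(default_factory=list)

    def __post_init__(self):
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading of the monitored variable; return the event index
        fired on this sample, or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw            # a delta needs two readings
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        first = self.last_value is None
        fired = None
        if value >= self.rising_threshold:
            # On the first sample only the startup_alarm setting may fire;
            # afterwards the arming state enforces the hysteresis rule.
            if self.rising_armed and (not first or self.startup_alarm != "falling"):
                fired = self.rising_index
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling_threshold:
            if self.falling_armed and (not first or self.startup_alarm != "rising"):
                fired = self.falling_index
            self.falling_armed, self.rising_armed = False, True
        # A value between the thresholds changes nothing.
        self.last_value = value
        if fired is not None:
            self.events.append(fired)
        return fired


def run_alarm(alarm: RmonAlarm, readings) -> List[int]:
    """Feed a sequence of raw readings and return the events fired, in order."""
    for r in readings:
        alarm.sample(r)
    return list(alarm.events)


if __name__ == "__main__":
    # Constructed readings of a monotonically increasing counter (e.g. an
    # interface's discard count), sampled as deltas: a burst, a quiet
    # period, then a second burst.
    alarm = RmonAlarm(rising_threshold=100, falling_threshold=20)
    print(run_alarm(alarm, [0, 50, 200, 350, 360, 370, 500]))   # [1, 2, 1]
```

Setting the falling threshold close to the rising one defeats the hysteresis; the gap between them is the amount by which the variable must recover before the next rising event can fire.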
CHAPTER 5 | Monitoring the Switch Displaying Information on LACP
DISPLAYING INFORMATION ON LACP
Use the monitor pages for LACP to display information on LACP configuration settings, the functional status of participating ports, and statistics on LACP control packets.
DISPLAYING AN OVERVIEW OF LACP GROUPS
Use the LACP System Status page to display an overview of LACP groups.
◆ LACP – Shows LACP status:
■ Yes – LACP is enabled and the port link is up.
■ No – LACP is not enabled or the port link is down.
■ Backup – The port could not join the aggregation group but will join if another port leaves. Meanwhile its LACP status is disabled.
◆ Key – Current operational value of the key for the aggregation port. Note that only ports with the same key can aggregate together.
CHAPTER 5 | Monitoring the Switch Displaying Information on Loop Protection
WEB INTERFACE To display LACP statistics for local ports on this switch, click Monitor, LACP, Port Statistics.
Figure 124: LACP Port Statistics
DISPLAYING INFORMATION ON LOOP PROTECTION
Use the Loop Protection Status page to display information on loopback conditions.
PATH Monitor, Loop Protection
PARAMETERS These parameters are displayed:
◆ Port – Port identifier.
◆ Action – Configured port action, i.e.
CHAPTER 5 | Monitoring the Switch Displaying Information on the Spanning Tree
DISPLAYING INFORMATION ON THE SPANNING TREE
Use the monitor pages for Spanning Tree to display information on spanning tree bridge status, the functional status of participating ports, and statistics on spanning tree protocol packets.
DISPLAYING BRIDGE STATUS FOR STA
Use the Bridge Status page to display STA information on the global bridge (i.e., this switch) and individual ports.
◆ Internal Root Cost – The Regional Root Path Cost. For the Regional Root Bridge this is zero. For all other CIST instances in the same MSTP region, it is the sum of the Internal Port Path Costs on the least cost path to the Internal Root Bridge. (This parameter only applies to the CIST instance.)
◆ Topology Change Count – The number of times the Spanning Tree has been reconfigured (during a one-second interval).
WEB INTERFACE To display an overview of all STP bridge instances, click Monitor, Spanning Tree, Bridge Status.
Figure 126: Spanning Tree Bridge Status
To display detailed information on a single STP bridge instance, along with the port state for all active ports associated with it: 1. Click Monitor, Spanning Tree, Bridge Status. 2. Click on an entry in the STP Bridges page.
PARAMETERS These parameters are displayed:
◆ Port – Port Identifier.
◆ CIST Role – Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge (i.e., root port), connecting a LAN through the bridge to the root bridge (i.e., designated port), or is an alternate or backup port that may provide connectivity if other bridges, bridge ports, or LANs fail or are removed.
CHAPTER 5 | Monitoring the Switch Displaying MVR Information
◆ RSTP – The number of RSTP Configuration BPDUs received/transmitted on a port.
◆ STP – The number of legacy STP Configuration BPDUs received/transmitted on a port.
◆ TCN – The number of (legacy) Topology Change Notification BPDUs received/transmitted on a port.
◆ Discarded Unknown – The number of unknown Spanning Tree BPDUs received (and discarded) on a port.
◆ IGMPv1 Joins Received – Number of received IGMPv1 Joins.
◆ IGMPv2/MLDv1 Reports Received – Number of received IGMPv2 Joins and MLDv1 Reports, respectively.
◆ IGMPv3/MLDv2 Reports Received – Number of received IGMPv3 Reports and MLDv2 Reports, respectively.
◆ IGMPv2/MLDv1 Leaves Received – Number of received IGMPv2 Leaves and MLDv1 Dones, respectively.
WEB INTERFACE To display information for MVR statistics, click Monitor, MVR, Statistics.
WEB INTERFACE To display information for MVR statistics and multicast groups, click Monitor, MVR, Group Information.
Figure 131: MVR Group Information
DISPLAYING MVR SFM INFORMATION
Use the MVR SFM Information page to display MVR Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny).
CHAPTER 5 | Monitoring the Switch Showing IGMP Snooping Information
SHOWING IGMP SNOOPING INFORMATION
Use the IGMP Snooping pages to display IGMP snooping statistics, port members of each service group, and information on source-specific groups.
SHOWING IGMP SNOOPING STATUS
Use the IGMP Snooping Status page to display IGMP querier status, snooping statistics for each VLAN carrying IGMP traffic, and the ports connected to an upstream multicast router/switch.
WEB INTERFACE To display IGMP snooping status information, click Monitor, IGMP Snooping, Status.
Figure 133: IGMP Snooping Status
SHOWING IGMP SNOOPING GROUP INFORMATION
Use the IGMP Snooping Group Information page to display the port members of each service group.
PATH Monitor, IPMC, IGMP Snooping, Group Information
PARAMETERS These parameters are displayed:
◆ VLAN ID – VLAN Identifier.
CHAPTER 5 | Monitoring the Switch Showing MLD Snooping Information
PARAMETERS These parameters are displayed:
◆ VLAN ID – VLAN identifier.
◆ Group – The IP address of a multicast group detected on this interface.
◆ Port – Port identifier.
◆ Mode – The filtering mode maintained per VLAN ID, port number, and Group Address. It can be either Include or Exclude.
◆ Source Address – IP Address of the source. Currently, the system limits the total number of IP source addresses for filtering to 128.
PARAMETERS These parameters are displayed:
Statistics
◆ VLAN ID – VLAN Identifier.
◆ Querier Version – MLD version used by the switch when serving as the MLD querier.
◆ Host Version – MLD version used by this switch when serving as a host in MLD proxy mode.
◆ Querier Status – Shows the Querier status as “ACTIVE” or “IDLE.”
SHOWING MLD SNOOPING GROUP INFORMATION
Use the MLD Snooping Group Information page to display the port members of each service group.
PATH Monitor, IPMC, MLD Snooping, Group Information
PARAMETERS These parameters are displayed:
◆ VLAN ID – VLAN Identifier.
◆ Groups – The IP address for a specific multicast service.
◆ Port Members – The ports assigned to the listed VLAN which propagate a specific multicast service.
CHAPTER 5 | Monitoring the Switch Displaying LLDP Information
◆ Type – Indicates the Type. It can be either Allow or Deny.
◆ Hardware Filter/Switch – Indicates whether the data plane destined to the specific group address from the source IPv6 address can be handled by the chip or not.
WEB INTERFACE To display MLD Source-Filtered Multicast information, click Monitor, MLD Snooping, IPv6 SFM Information.
Table 13: System Capabilities
ID                    Basis Reference
Other                 –
Repeater              IETF RFC 2108
Bridge                IETF RFC 2674
WLAN Access Point     IEEE 802.11 MIB
Router                IETF RFC 1812
Telephone             IETF RFC 2011
DOCSIS cable device   IETF RFC 2669 and IETF RFC 2670
Station only          IETF RFC 2011
When a capability is enabled, the capability is followed by (+). If the capability is disabled, the capability is followed by (-).
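The eight capabilities in Table 13 are the eight bits of the LLDP System Capabilities TLV (IEEE 802.1AB, TLV type 7), which carries one 16-bit "supported" bitmap and one 16-bit "enabled" bitmap, and the (+)/(-) rendering on the neighbor page is simply the enabled bit for each supported capability. The following Python is an added example, not code from the switch, that decodes a constructed TLV into that form. It also rejects a TLV that marks a capability as enabled without marking it supported, since a neighbor's advertisement is unauthenticated input and should be validated rather than trusted; the TLV bytes are constructed for the example.

```python
"""Decode the LLDP System Capabilities TLV (IEEE 802.1AB, TLV type 7) into
the 'Capability(+)/(-)' form shown on the LLDP neighbor page.  Added example
with a constructed TLV; not code from the switch."""
import struct

TLV_SYSTEM_CAPABILITIES = 7

# Bit positions of the System Capabilities bitmap (IEEE 802.1AB-2009,
# table 8-4); the order matches Table 13 above.
CAPABILITY_BITS = [
    (0, "Other"), (1, "Repeater"), (2, "Bridge"), (3, "WLAN Access Point"),
    (4, "Router"), (5, "Telephone"), (6, "DOCSIS cable device"), (7, "Station only"),
]


def parse_tlv_header(data: bytes, offset: int = 0):
    """Return (type, length, value_offset) for the TLV starting at offset.
    The header is 16 bits: a 7-bit type followed by a 9-bit length."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    hdr = struct.unpack_from("!H", data, offset)[0]
    return hdr >> 9, hdr & 0x1FF, offset + 2


def decode_system_capabilities(tlv: bytes) -> list:
    """Decode a System Capabilities TLV into [(name, supported, enabled)]."""
    ttype, tlen, voff = parse_tlv_header(tlv)
    if ttype != TLV_SYSTEM_CAPABILITIES:
        raise ValueError("not a System Capabilities TLV (type %d)" % ttype)
    if tlen != 4 or len(tlv) < voff + 4:
        raise ValueError("System Capabilities TLV must carry exactly 4 octets")
    supported, enabled = struct.unpack_from("!HH", tlv, voff)
    # 802.1AB requires every enabled capability to also be supported; a
    # neighbour that violates this is sending malformed (or crafted) data.
    if enabled & ~supported:
        raise ValueError("capability enabled but not supported: 0x%04x" % (enabled & ~supported))
    return [(name, bool(supported >> bit & 1), bool(enabled >> bit & 1))
            for bit, name in CAPABILITY_BITS]


def format_capabilities(decoded) -> str:
    """Render supported capabilities as 'Bridge(+), Router(-)' like the Web page."""
    return ", ".join("%s(%s)" % (name, "+" if enabled else "-")
                     for name, supported, enabled in decoded if supported)


def build_system_capabilities_tlv(supported: int, enabled: int) -> bytes:
    """Construct a System Capabilities TLV (sample input for this example)."""
    return struct.pack("!HHH", (TLV_SYSTEM_CAPABILITIES << 9) | 4, supported, enabled)


if __name__ == "__main__":
    # Constructed neighbour: supports Bridge and Router, has only Bridge enabled.
    tlv = build_system_capabilities_tlv(supported=0x0014, enabled=0x0004)
    print(format_capabilities(decode_system_capabilities(tlv)))   # Bridge(+), Router(-)
```

A neighbor that advertises Router(+) or Telephone(+) on an access port where only end stations are expected is worth checking: LLDP is unauthenticated, and the advertised capabilities feed policy such as LLDP-MED voice VLAN assignment.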
◆ Device Type – LLDP-MED devices are comprised of two primary types:
■ LLDP-MED Network Connectivity Devices – as defined in TIA-1057, provide access to the IEEE 802 based LAN infrastructure for LLDP-MED Endpoint Devices. An LLDP-MED Network Connectivity Device is a LAN access device based on any of the following technologies:
■ LAN Switch/Router
■ IEEE 802.1 Bridge
■ IEEE 802.3 Repeater (included for historical reasons)
■ IEEE 802.
and Media Endpoint (Class II) classes, and are extended to include aspects related to end user devices. Example product categories expected to adhere to this class include (but are not limited to) end user communication appliances, such as IP Phones, PC-based softphones, or other communication appliances that directly support the end user.
◆ Auto-negotiation Status – Auto-negotiation status identifies if auto-negotiation is currently enabled at the link partner. If auto-negotiation is supported and auto-negotiation status is disabled, the 802.3 PMD operating mode will be determined by the operational MAU type field value rather than by auto-negotiation.
◆ Auto-negotiation Capabilities – Shows the link partner's MAC/PHY capabilities.
If it is unknown what power supply the PD device is using, this is indicated as “Unknown.”
◆ Power Priority – Power Priority represents the priority of the PD device, or the power priority associated with the PSE type device's port that is sourcing the power. There are three levels of power priority: Critical, High, and Low. If the power priority is unknown, this is indicated as “Unknown.”
The respective echo values shall be defined as the local link partner's reflection (echo) of the remote link partner's respective values. When a local link partner receives its echoed values from the remote link partner it can determine whether or not the remote link partner has received, registered and processed its most recent values.
◆ Total Neighbors Entries Deleted – The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason.
◆ Total Neighbors Entries Dropped – The number of times which the remote database on this switch dropped an LLDPDU because the entry table was full.
CHAPTER 5 | Monitoring the Switch Displaying PoE Status
WEB INTERFACE To display statistics on LLDP global counters and control frames, click Monitor, LLDP, Port Statistics.
Figure 143: LLDP Port Statistics
DISPLAYING POE STATUS
Use the Power Over Ethernet Status page to display the status for all PoE ports, including the PD class, requested power, allocated power, power and current used, and PoE priority.
CHAPTER 5 | Monitoring the Switch Displaying the MAC Address Table
◆ Current Used – How much current the PD is currently using.
◆ Priority – The port's configured priority level (see page 167).
◆ Port Status – PoE service status for the attached device.
WEB INTERFACE To display the status for all PoE ports, click Monitor, PoE.
CHAPTER 5 | Monitoring the Switch Displaying Information About VLANs
WEB INTERFACE To display the address table, click Monitor, MAC Address Table.
Figure 145: MAC Address Table
DISPLAYING INFORMATION ABOUT VLANS
Use the monitor pages for VLANs to display information about the port members of VLANs, and the VLAN attributes assigned to each port.
VLAN MEMBERSHIP
Use the VLAN Membership Status page to display the current port members for all VLANs configured by a selected software module.
■ Combined: Shows information for all active user modules.
◆ VLAN ID – A VLAN which has been created by one of the software modules.
◆ Port Members – The ports assigned to this VLAN.
WEB INTERFACE 1. To display VLAN members, click Monitor, VLANs, VLAN Membership. 2. Select a software module from the drop-down list on the right side of the page.
CHAPTER 5 | Monitoring the Switch Displaying Information About MAC-based VLANs
◆ Ingress Filtering – If ingress filtering is enabled and the ingress port is not a member of the classified VLAN of the frame, the frame is discarded.
◆ Frame Type – Shows whether the port accepts all frames or only tagged frames. If the port only accepts tagged frames, untagged frames received on that port are discarded.
CHAPTER 5 | Monitoring the Switch Displaying Information About Flow Sampling
PARAMETERS These parameters are displayed:
◆ MAC-based VLAN User – A user or software module that uses VLAN management services to configure MAC-based VLAN membership. This switch supports the following VLAN user modules:
■ Static: MAC addresses statically assigned to a VLAN and member port through the CLI, Web or SNMP.
PARAMETERS These parameters are displayed:
Receiver Statistics
◆ Owner – This field shows the current owner of the sFlow configuration. It assumes one of three values as follows:
■ If sFlow is currently unconfigured/unclaimed, Owner shows .
■ If sFlow is currently configured through Web, Owner shows .
WEB INTERFACE 1. To display information on sampled traffic, click Monitor, sFlow.
6 PERFORMING BASIC DIAGNOSTICS This chapter describes how to test network connectivity using Ping for IPv4 or IPv6, and how to test network cables. PINGING AN IPV4 OR IPV6 ADDRESS The Ping page is used to send ICMP echo request packets to another node on the network to determine if it can be reached. PATH ◆ Diagnostics, Ping ◆ Diagnostics, Ping6 PARAMETERS These parameters are displayed on the Ping page: ◆ IP Address – IPv4 or IPv6 address of the host.
CHAPTER 6 | Performing Basic Diagnostics Pinging an IPv4 or IPv6 Address After you press Start, the sequence number and round-trip time are displayed upon reception of a reply. The page refreshes automatically until responses to all packets are received, or until a timeout occurs.
CHAPTER 6 | Performing Basic Diagnostics Running Cable Diagnostics RUNNING CABLE DIAGNOSTICS The VeriPHY page is used to perform cable diagnostics for all ports or selected ports to diagnose any cable faults (short, open, etc.) and report the cable length. PATH Diagnostics, VeriPHY PARAMETERS These parameters are displayed on the VeriPHY Cable Diagnostics page: ◆ Port – Diagnostics can be performed on all ports or on a specific port.
7 PERFORMING SYSTEM MAINTENANCE
This chapter describes how to perform basic maintenance tasks including upgrading software, restoring or saving configuration settings, and resetting the switch.
RESTARTING THE SWITCH
Use the Restart Device page to restart the switch.
PATH Maintenance, Restart Device
WEB INTERFACE To restart the switch: 1. Click Maintenance, Restart Device. 2. Click Yes. The reset will be complete when the user interface displays the login page.
CHAPTER 7 | Performing System Maintenance Restoring Factory Defaults
RESTORING FACTORY DEFAULTS
Use the Factory Defaults page to restore the original factory settings, except for the management IP parameters.
CAUTION: To restore the factory defaults for all settings (including the management IP settings), connect a cable from port 1 to port 2, and then reset power to the switch. Because this also returns the user accounts and passwords to their defaults, anyone with physical access to the switch and a patch cable can reset it; restrict physical access to the switch accordingly.
PATH Maintenance, Factory Defaults
WEB INTERFACE To restore factory defaults: 1. Click Maintenance, Factory Defaults. 2.
CHAPTER 7 | Performing System Maintenance Activating the Alternate Image
3. Click the Upload button to upgrade the switch's firmware. After the software image is uploaded, a page announces that the firmware update has been initiated. After about a minute, the firmware is updated and the switch is rebooted.
CAUTION: While the firmware is being updated, Web access is unavailable. The front LED flashes Green/Off at a frequency of 10 Hz while the firmware update is in progress. Do not remove power from the switch until the update has completed and the switch has rebooted.
CHAPTER 7 | Performing System Maintenance Managing Configuration Files
MANAGING CONFIGURATION FILES
Use the Maintenance Configuration pages to save the current configuration to a file on your computer, or to restore previously saved configuration settings to the switch.
SAVING CONFIGURATION
Use the Configuration Save page to save the current configuration settings to a file on your local management station. The saved file contains the switch's security settings, including any SNMP community strings and RADIUS or TACACS+ server settings configured on it, so store it with the same care as the switch's credentials.
Figure 157: Configuration Upload
SECTION III APPENDICES
This section provides additional information and includes these items:
◆ "Software Specifications" on page 295
◆ "Troubleshooting" on page 299
◆ "License Information" on page 301
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION Local, RADIUS, TACACS+, AAA, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
CLIENT ACCESS Access Control Lists (128 rules per system), Port Authentication (802.
APPENDIX A | Software Specifications Management Features VLAN SUPPORT Up to 128 groups; port-based, protocol-based, tagged (802.
APPENDIX A | Software Specifications Standards
RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
STANDARDS
ANSI/TIA-1057 LLDP for Media Endpoint Discovery - LLDP-MED
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1ad Provider Bridge
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities: Spanning Tree Protocol, Rapid Spanning Tree Protocol, Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q-2005 VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.
APPENDIX A | Software Specifications Management Information Bases
MANAGEMENT INFORMATION BASES
Bridge MIB (RFC 4188)
DHCP Option for Civic Addresses Configuration Information (RFC 4776)
Differentiated Services MIB (RFC 3289)
DNS Resolver MIB (RFC 1612)
Entity MIB version 3 (RFC 4133)
Ether-like MIB (RFC 3635)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB using SMI v2 (RFC 2863)
Interfaces Evolution MIB (RFC 2863)
B TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 14: Troubleshooting Chart
Symptom: Cannot connect using a web browser, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
◆ Be sure you have configured the VLAN interface through which the management station is connected with a valid IP address, subnet mask and default gateway.
APPENDIX B | Troubleshooting Using System Logs USING SYSTEM LOGS If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
C LICENSE INFORMATION This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
APPENDIX C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY
ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DIFFSERV Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP QUERY On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
IGMP PROXY Proxies multicast group membership information onto the upstream interface based on IGMP messages monitored on downstream interfaces, and forwards multicast traffic based on that information.
MD5 MD5 (Message-Digest 5) is a cryptographic hash function: it takes a message of any length and produces a fixed-length 128-bit digest, and it is one-way in the sense that the message cannot be recovered from the digest. It was designed as a stronger successor to MD4, but practical collision attacks against MD5 itself have been known since 2004, so it must not be relied on where collision resistance matters (digital signatures, certificates, or integrity checks on attacker-influenced data). Where a protocol uses it as a keyed message authentication code (HMAC-MD5), the security rests on the secret key rather than on collision resistance.
MIB Management Information Base. A set of database objects that contains information about a specific device.
PORT TRUNK Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
PRIVATE VLANS Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
QINQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks.
SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypts data connections between management clients and the switch.
STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
INDEX

A
acceptable frame type 175
Access Control List See ACL
ACL 96
  binding to a port 96
address table 170
  aging time 171
address, management access 31
ARP inspection 114

B
BPDU guard 137
  shut down port on receipt 137
broadcast storm, threshold 204

C
community string 69, 72
configuration files
  restoring 290
  restoring defaults 290
  saving 290
configuration settings
  restoring 290
  saving 290
  saving or restoring 290
congestion management, based on destination port loading 206
control lists, QoS 199
CPU statu

  snooping, configuring 149
  snooping, description 145
  snooping, fast leave 148
  throttling 148
ingress classification, QoS 196
ingress filtering 175
ingress rate limiting 188
IP address, setting 46
IP source guard, configuring static entries 113
IPv4 address
  DHCP 46
  setting 46
IPv6 address
  dynamic configuration (global unicast) 48
  dynamic configuration (link-local) 48
  EUI format 48, 49
  EUI-64 setting 48, 49
  global unicast 48, 49
  link-local 48
  manual configuration (global unicast) 48, 49
  manual configura

  static binding 143
  statistics, displaying 259
  using immediate leave 142

N
NTP, specifying servers 50

P
passwords 31, 58
path cost 136, 139
  STA 136, 139
PoE
  configuring 167
  port power allocation 168
  power budget 169
  priority setting 169
  shutdown modes 169
  status, displaying 275
port
  maximum frame size 56
  statistics 224
port classification, QoS 188
port isolation 177
port policer, ingress rate limiter 188
port priority, STA 136, 139
port remarking mode 193
  QoS 193
port shaper, QoS 190, 192
ports auto

software
  displaying version 219
  downloading 288
Spanning Tree Protocol See STA
specifications, software 295
SSH 64
  configuring 64
  server, configuring 64
STA 127
  BPDU shutdown 137
  edge port 137
  global settings, displaying 129, 132
  interface settings 135
  link type 138
  path cost 136, 139
  port priority 136, 139
  transmission hold count 131
  transmission limit 131
standards, IEEE 297
static addresses, setting 171
statistics, port 224
STP 129, 130
  global settings, displaying 132
  settings, configuring 132
STP