User Guide Smart Switch LGS3XX
Linksys

Table of Contents

Chapter 1: Getting Started
  Starting the Web-based Configuration Utility
  Launching the Configuration Utility
  Interface Naming Conventions
  Window Navigation

  Feature Configuration
  LLDP MED Ports
  LLDP Local Information
  LLDP Neighbor Information
  LLDP MED Network Policy

  Interface Settings
Chapter 12: Security
  Management Security
  User Access & Accounts
  Access Authentication
  Access Profile
Chapter 1: Getting Started

This section provides an introduction to the Web-based configuration utility, and covers the following topics:

STEP 2 Enter the IP address of the device you are configuring in the address bar on the browser, and then press Enter.

NOTE: When the device is using the factory default IP address of 192.168.1.251, its power LED flashes continuously.
Interface Naming Conventions

Within the GUI, interfaces are denoted by linking the following elements:
• Type of interface: The following types of interfaces are found on the switch:
  • Gigabit Ethernet ports (displayed as GE).
  • LAG (Port Channel) (displayed as LAG).
  • VLAN (displayed as VLAN).
• Interface Number: Port, LAG or VLAN ID

Window Navigation

This section describes the features of the Web-based switch configuration utility.
Configuring with Menu Command Line Interface

To configure the device through the menu CLI, do the following:
1. Log on to the device through telnet. The following menu is displayed:
2. Enter your user name and password. The main menu is displayed:
3. Continue configuring the device.
4. Click Logout to log out of the CLI menu.
Chapter 2: System Status

This section describes how to view device statistics. It covers the following topics:
• System Summary

• Firmware Version—Firmware version number.
• Boot Code Version—Boot version number.
• Hardware Version—Hardware version number of the device.
• Serial Number—Serial number.

Device Status
• Fan Status—Applicable only to models that have fans. The following values are possible:
  • OK—Fan is operating normally.
• Bytes Received—Number of octets received, including bad packets and FCS octets, but excluding framing bits.
• Drop Events—Number of packets dropped.
• Packets Received—Number of good packets received, including Multicast and Broadcast packets.
• Frames of 512 to 1023 Bytes—Number of frames, containing 512-1023 bytes that were received.
• Packets of 1024 and More Bytes—Number of frames, containing 1024-2000 bytes, and Jumbo Frames, that were received.
STEP 4 Click Apply. The entry is added to the History Control Table page, and the Running Configuration file is updated.

• Jabbers—Total number of received packets that were longer than 2000 octets. This number excludes frame bits, but includes FCS octets that had either a bad FCS (Frame Check Sequence) with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number.
• Collisions—Collisions received.
• Trap and Event Log—Add a log entry to the Event Log table and send a trap to the remote log server when the alarm goes off.
• Owner—Enter the device or user that defined the event.
• Last Event Time—Displays the time of the event. (This is a read-only table in the parent window and cannot be defined).

STEP 4 Click Apply. The RMON event is saved to the Running Configuration file.

To enter RMON alarms:
STEP 1 Click System Status > RMON > Alarms.
Interface Statistics

The Interface Statistics page displays traffic statistics per port. The refresh rate of the information can be selected.

• Broadcast Packets—Good Broadcast packets transmitted.

To clear or view statistics counters, do the following:
• Click Refresh to refresh the counters on the page.
• Click Clear to clear the selected interfaces counters.
• Click View All to see all ports on a single page.
Chapter 3: Quick Start

This section describes how to view device statistics. To simplify device configuration through quick navigation, the Quick Start page provides links to the most commonly used pages.
Chapter 4: System Management

This chapter describes the following topics:
• System Information

To set the idle session timeout for various types of sessions:
STEP 1 Click Configuration > System Management > Management Session Timeout.
STEP 2 Select the timeout for the following sessions from the corresponding list. The default timeout value is 10 minutes.
• Telnet Session Timeout—Select the timeout for a Telnet session.
System Time

System time can be set manually by the user or dynamically from an SNTP server. If an SNTP server is chosen, the manual time settings are overwritten when communications with the server are established. As part of the boot process, the device always configures the time, time zone, and DST.

NOTE: The DHCP server must supply DHCP option 100 in order for dynamic time zone configuration to take place.
• SNTP—If you enable this, the system time is obtained from an SNTP server. To use this feature, you must also configure a connection to an SNTP server in the SNTP Unicast Server page.
• SNTP Client Unicast—Select to enable client Unicast mode.
• SNTP IPv4 Multicast Rx—Select to receive SNTP IPv4 Multicast synchronization packets requesting system time information. The packets are transmitted from any SNTP servers on the subnet.
NOTE: To specify a Unicast SNTP server by name, you must first configure DNS server(s) on the device (see DNS Settings). To add a Unicast SNTP server, SNTP Client Unicast must be enabled.

NOTE: To specify a well-known SNTP server, the device must be connected to the Internet and configured with a DNS server or configured so that a DNS server is identified by using DHCP. (See DNS Settings)

To add a Unicast SNTP server:
STEP 1 Click Configuration > Time > SNTP Unicast Server.
SNMP

This section describes the Simple Network Management Protocol (SNMP) feature that provides a method for managing network devices.
STEP 3 Input the unique community string in the Community String field.
STEP 4 Optionally, define a notification filter(s) by using the Notification Filter page.
STEP 5 Configure the notification recipients on the Notification Recipients SNMPv1,2 page.

LGS326P | 24-Port Smart Gigabit PoE Switch | enterprises(1).linksys(3955).smb(1000).3.26.2

The private Object IDs are placed under: enterprises(1).linksys(3955).smb(1000).switch01(201).
• First 4 octets—First bit = 1, the rest is the IANA enterprise number.
• Fifth octet—Set to 3 to indicate the MAC address that follows.
• Last 6 octets—MAC address of the device.
• None—No engine ID is used.
• User Defined—Enter the local device engine ID.

well-known names can be used to specify the root of the desired subtree or an OID can be entered (see Model OIDs). Each subtree is either included or excluded in the view being defined.
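The default engine ID layout listed above (enterprise number, format octet 3, MAC address), as an added example that is not part of the Linksys guide: it builds the 11-octet value and parses one back, which is useful when checking an inventory for devices whose engine ID exposes their MAC. The enterprise number 3955 is the one shown in the OID tree on this page; the function names and the sample MAC are assumptions.

```python
import struct

LINKSYS_ENTERPRISE = 3955   # enterprises(1).linksys(3955), as printed on this page
FORMAT_MAC = 3              # fifth octet: a MAC address follows


def build_engine_id(enterprise: int, mac: str) -> bytes:
    """Return the 11-octet default engine ID for an enterprise number and MAC."""
    if not 0 <= enterprise < 2 ** 31:
        raise ValueError("enterprise number must fit in 31 bits")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be exactly 6 octets")
    # First 4 octets: top bit set to 1, remaining 31 bits hold the enterprise number.
    return struct.pack(">IB", enterprise | 0x80000000, FORMAT_MAC) + mac_bytes


def parse_engine_id(engine_id: bytes) -> dict:
    """Decode a MAC-format engine ID; raise ValueError for any other layout."""
    if len(engine_id) != 11:
        raise ValueError("MAC-format engine ID is 11 octets long")
    head, fmt = struct.unpack(">IB", engine_id[:5])
    if not head & 0x80000000:
        raise ValueError("first bit is not 1")
    if fmt != FORMAT_MAC:
        raise ValueError("fifth octet is not 3 (MAC address)")
    return {
        "enterprise": head & 0x7FFFFFFF,
        "mac": ":".join(f"{b:02x}" for b in engine_id[5:]),
    }


if __name__ == "__main__":
    # Constructed sample MAC address, not taken from a real device.
    eid = build_engine_id(LINKSYS_ENTERPRISE, "00:11:22:33:44:55")
    print(eid.hex(), parse_engine_id(eid))
```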
Groups

• In SNMPv1 and SNMPv2, a community string is sent along with the SNMP frames. The community string acts as a password to gain access to an SNMP agent. However, neither the frames nor the community string are encrypted. Therefore, SNMPv1 and SNMPv2 are not secure.
• In SNMPv3, the following security mechanisms can be configured.
  • Authentication—The device checks that the SNMP user is an authorized system administrator. This is done for each frame.
• Authentication and Privacy—Authenticates SNMP messages, and encrypts them.
• Authorized View—Select the Read, Write and Notify views associated with this group and with the above security level.

STEP 4 Click Apply. The SNMP group is saved to the Running Configuration file.

Users

• Engine—User is connected to a different SNMP entity besides the local device.
Communities are only defined in SNMPv1 and v2 because SNMPv3 works with users instead of communities. The users belong to groups that have access rights assigned to them. The Communities page associates communities with access rights, either directly (Basic mode) or through groups (Advanced mode):
• Basic mode—The access rights of a community can be configured as Read Only, Read Write, or SNMP Admin.
An SNMP notification is a message sent from the device to the SNMP management station indicating that a certain event has occurred, such as a link up/down. It is also possible to filter certain notifications.

• The Notification Filter page contains notification information for each filter. The table is able to filter notification entries by Filter Name.

STEP 2 Click Add.
STEP 3 Enter the parameters.
• Community—Select from the pull-down the community string of the trap manager. Community String names are generated from those listed in the Community page.
• Notification Filter—Select to enable filtering the type of SNMP notifications sent to the management station. The filters are created in the Notification Filter page.
• Filter Name—Select the SNMP filter that defines the information contained in traps (defined in the Notification Filter page).
Overview

Each log is a set of messages describing system events. The device generates the following local logs:
• Log sent to the console interface.
• Log written into a cyclical list of logged events in the RAM and erased when the device reboots.
• Log written to a cyclical log-file saved to the Flash memory and persists across reboots.

In addition, you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages.
Remote Log Servers

The Remote Log Servers page enables defining remote SYSLOG servers where log messages are sent (using the SYSLOG protocol). For each server, you can configure the severity of the messages that it receives.

• Description—Enter a server description.
• Minimum Logging Level—Select the minimum level of system log messages to be sent to the server.
Chapter 5: Port Management

This section describes port configuration, link aggregation, and the Green Ethernet feature. It covers the following topics:

Configure Port Settings

To configure port settings:
STEP 1 Click Configuration > Port Management > Ports.
STEP 2 Select Enable to support jumbo packets of up to 10 KB in size. If Jumbo Frames is not enabled (default), the system supports packet size up to 2,000 bytes.
• Port Speed—Configure the speed of the port. The port type determines the available speeds. You can designate this field only when port auto-negotiation is disabled.
• Duplex Mode—Select the port duplex mode. This field is configurable only when auto-negotiation is disabled, and the port speed is set to 10M or 100M. At port speed of 1G, the mode is always full duplex.
• By IP and MAC Addresses—Based on the destination and source IP addresses for IP packets, and destination and source MAC addresses for non-IP packets.

1. Disable LACP on the LAG to make it static. Assign up to eight member ports to the static LAG in the Port List to the LAG Port Member list. Perform these actions in the LAGs page.
2. Configure various aspects of the LAG, such as speed and flow control by using the Edit LAG page.
• LACP—Select to enable LACP on the selected LAG. This makes it a dynamic LAG. This field can only be enabled after moving a port to the LAG in the next field.
• Protected LAG—Select to make the LAG a protected port for Layer 2 isolation. See the Port Configuration description in Setting Basic Port Configuration for details regarding protected ports and LAGs.
• Auto Negotiation—Select to enable auto-negotiation on the LAG.
LLDP is used to select the optimal set of parameters for both devices. If LLDP is not supported by the link partner, or is disabled, 802.3 EEE will still be operational, but it might not be in the optimal operational mode. The 802.3 EEE feature is implemented using a port mode called Low Power Idle (LPI) mode. When there is no traffic and this feature is enabled on the port, the port is placed in the LPI mode, which reduces power consumption dramatically.
• Port LEDs—Select to disable port LEDs. When disabled, ports do not display link status, activity, etc.
• Short Reach—Select to globally enable Short Reach mode.
  NOTE: If Short Reach is enabled, EEE must be disabled.
• 802.3 Energy Efficient Ethernet (EEE)—Select to globally enable EEE.

STEP 3 Click Apply to set the global settings.
See Device Models for information concerning PoE support on various models.

PoE provides the following features:
• Eliminates the need to run 110/220 V AC power to all devices on a wired LAN.
• Removes the necessity for placing all network devices next to power sources.
• Eliminates the need to deploy double cabling systems in an enterprise, significantly decreasing installation costs.
If at any time during the connectivity an attached PD requires more power from the device than the configured allocation allows (no matter if the device is in Class Limit or Port Limit mode), the device does the following:

STEP 3 Click Apply to save the PoE properties.
• Power Priority Level—Port priority is low, high, or critical, for use when the power supply is low. For example, if the power supply is running at 99% usage and port 1 is prioritized as high, but port 3 is prioritized as low, port 1 receives power and port 3 might be denied power.
• LLDP Class—Class configured on this port.
• If LLDP is globally disabled, the device can be configured to discard, VLAN-aware flooding, or VLAN-unaware flooding of all incoming LLDP packets. VLAN-aware flooding floods an incoming LLDP packet to the VLAN where the packet is received excluding the ingress port. VLAN-unaware flooding floods an incoming LLDP packet to all the ports excluding the ingress port. The default is to discard LLDP packets when LLDP is globally disabled.
• power value—Port power value
• 802.3 MAC-PHY—Duplex and bit rate capability and the current duplex and bit rate settings of the sending device. It also indicates whether the current settings are due to auto-negotiation or manual configuration.
• 802.3 Link Aggregation—Whether the link (associated with the port on which the LLDP PDU is transmitted) can be aggregated.
• Inventory—Whether Inventory TLV is transmitted.

STEP 2 The message at the top of the page indicates whether the generation of the LLDP MED Network Policy for the voice application is automatic or not (see LLDP Overview). Click on the link to change the mode.
STEP 3 To associate additional LLDP MED TLV and/or one or more user-defined LLDP MED Network Policies to a port, select it, and click Edit.

STEP 2 Select the desired port from the Port list.
• Device Class—LLDP-MED endpoint device class. The possible device classes are:
  • Endpoint Class 1—Generic endpoint class, offering basic LLDP services.
  • Endpoint Class 2—Media endpoint class, offering media streaming capabilities, as well as all Class 1 features.

• Untagged—Indicates the network policy is defined for untagged VLANs.
• User Priority—Network policy user priority.
• DSCP—Network policy DSCP.
• Supported System Capabilities—Primary functions of the device. The capabilities are indicated by two octets. Bits 0 through 7 indicate Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device, and station, respectively. Bits 8 through 15 are reserved.
• Enabled System Capabilities—Primary enabled function(s) of the device.

Management Address
• Address Subtype—Managed address subtype; for example, MAC or IPv4.
• Address—Managed address.
• Interface Subtype—Port subtype.
Setting LLDP MED Network Policy

An LLDP-MED network policy is a related set of configuration settings for a specific real-time application such as voice, or video. A network policy, if configured, can be included in the outgoing LLDP packets to the attached LLDP media endpoint device. The media endpoint device must send its traffic as specified in the network policy it receives.
Chapter 6: VLAN Management

When a frame enters a VLAN-aware device, it is classified as belonging to a VLAN, based on the four-byte VLAN tag in the frame. If there is no VLAN tag in the frame or the frame is priority-tagged only, the frame is classified to the VLAN based on the PVID (Port VLAN Identifier) configured at the ingress port where the frame is received.
• Guest VLAN—For more information refer to Security: Network Access Control.
• Default VLAN—For more information refer to VLANs.
• Management VLAN—For more information refer to the IPv4 Interface page

VLANs

• It is distinct, non-static/non-dynamic, and all ports are untagged members by default.
• It cannot be deleted.
• It cannot be given a label.
• It cannot be used for any special role, such as unauthenticated VLAN or Voice VLAN.
VLANs - Creating VLANs

You can create a VLAN, but this has no effect until the VLAN is attached to at least one port, either manually or dynamically. Ports must always belong to one or more VLANs. The Smart device supports up to 128 VLANs, including the default VLAN. Each VLAN must be configured with a unique VID with a value from 1 to 4094. The device reserves VID 4095 as the Discard VLAN and VID 4094 for 802.1x.
• Admit Tagged Only—The interface accepts only tagged frames.
• Admit Untagged Only—The interface accepts only untagged and priority frames.
• Ingress Filtering—(Available only in General mode) Select to enable ingress filtering. When ingress filtering is enabled on an interface, the interface discards all incoming frames that are classified as VLANs of which the interface is not a member. Ingress filtering can be disabled or enabled on general ports.
are to send and receive untagged packets to and from the VLAN. Otherwise, traffic might leak from one VLAN to another.

STEP 3 Click Apply. The settings are modified and written to the Running Configuration file.

Frames that are VLAN-tagged can pass through other network devices that are VLAN-aware or VLAN-unaware.
Workflow

To define a MAC-based VLAN group:
1. Assign a MAC address to a VLAN group ID (using the MAC-Based Groups page).
2. For each required interface:
   a. Assign the VLAN group to a VLAN (using the Mac-Based VLAN page). The interfaces must be in General mode.

STEP 2 Click Add.
STEP 3 Enter the values for the following fields:
• Interface—Enter a general interface (port/LAG) through which traffic is received.
Ethernet MAC address. For more information about Telephony OUI, see Telephony OUI.

Voice End-Points

To have a voice VLAN work properly, the voice devices, such as IP phones and VoIP endpoints, must be assigned to the voice VLAN where it sends and receives its voice traffic.

and optionally remark the 802.1p of the voice streams by specifying the desired CoS/802.1p values and using the remarking option under Telephony OUI.

Voice VLAN Constraints
• Aging Time—Enter the time delay to remove a port from the voice VLAN after all of the MAC addresses of the phones detected on the ports have aged out.

STEP 4 Click Apply to save the settings to the Running Configuration file.

Refer to Administration > Discovery > LLDP > LLDP MED Network Policy to enable automatic generation of network policy for voice.

To view or add a new OUI:
STEP 1 Click Configuration > VLAN Management > Voice VLAN > Feature Configuration.
Chapter 7: Spanning Tree Management

• Rapid STP (RSTP) – Detects network topologies to provide faster convergence of the spanning tree. This is most effective when the network topology is naturally tree-structured, and therefore faster convergence might be possible. RSTP is enabled by default.

Spanning Tree

The Spanning Tree page contains parameters for enabling STP or RSTP.
• Maximum Age—Set the interval (in seconds) that the device can wait without receiving a configuration message, before attempting to redefine its own configuration.
• Forward Delay—Set the interval (in seconds) that a bridge remains in a learning state before forwarding packets.

• Use Global Settings—Select to use the settings defined in the Spanning Tree page.
• Filtering—Filters BPDU packets when Spanning Tree is disabled on an interface.
RSTP Interfaces

Rapid Spanning Tree Protocol (RSTP) enables a faster STP convergence without creating forwarding loops.

The RSTP Interfaces page enables you to configure RSTP per port.

• Point to Point Status—Displays the point-to-point operational status if the Point to Point Administrative Status is set to Auto.
• Port Role—Displays the role of the port that was assigned by STP to provide STP paths. The possible roles are as follows:
1. Set the STP Operation Mode to MSTP as described in the Spanning Tree page.
2. Define MSTP instances. Each MSTP instance calculates and builds a loop free topology to bridge packets from the VLANs that map to the instance. Refer to the MSTP Properties page.

switches from another MST region. If they are separated, the region becomes two separate regions.

The VLAN to MSTP instance mapping is done in the MSTP Properties page. Each VLAN can be mapped to an MSTP instance.
• Bridge Priority—Set the priority of this bridge for the selected MST instance.
• Action—Select either add VLAN or remove VLAN
• VLANs—Displays the VLANs mapped to the selected instance. The default mapping is that all VLANs are mapped to the common and internal spanning tree (CIST) instance 0.

STEP 1 Click Configuration > Spanning Tree Management > MSTP Instance Interface.
STEP 2 Enter the parameters.
• MSTP Instance—Select the MSTP instance to be configured.
• Alternate—The interface provides an alternate path to the root device from the root interface.
• Backup—The interface provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more established connections to a shared segment.
• Disabled—The interface does not participate in the Spanning Tree.
Chapter 8: MAC Address Management

This section describes how to add MAC addresses to the system.

To prevent this table from overflowing, and to make room for new MAC addresses, an address is deleted if no corresponding traffic is received for a certain period. This period of time is the aging interval.

Configuring Dynamic MAC Address Aging Time

To configure the aging interval for dynamic addresses, do the following:
• MAC Address—Enter the interface MAC address.
• Interface—Select an interface (unit/slot, port, or LAG) for the entry.
• Status—Select how the entry is treated. The options are:
  • Permanent—The system never removes this MAC address. If the static MAC address is saved in the Startup Configuration, it is retained after rebooting.

• Bridge—Forward the packet to all VLAN members.
• Discard—Drop the packet.
Chapter 9: Multicast

This section describes the Multicast Forwarding feature and covers the following topics:
• Overview
• Feature Configuration
• IGMP/MLD Snooping
• Multicast Router Ports
• Forward All
• Unregistered Multicast
• IGMP/MLD IP Group Addresses
• MAC Group Address FDB
• IP Group Address FDB

Overview

Multicast forwarding enables one-to-many information dissemination.
Multicast registration is the process of listening and responding to Multicast registration protocols. The available protocols are IGMP for IPv4. When IGMP snooping is enabled in a device on a VLAN, it analyzes the IGMP packets it receives from the VLAN connected to the device and Multicast routers in the network.
• By IPv4 Group Address—Select to enable the IPv4 group address method for forwarding Multicast packets.
• By Source Specific IPv4 Group Address—Select to enable the source-specific IPv4 group address method for forwarding Multicast packets.

• Which ports are connected to Multicast routers (Mrouters) that are generating IGMP/MLD queries.
• Which ports are receiving PIM, DVMRP, or IGMP/MLD query protocols.
• IGMP Querier Version—Select the IGMP version used if the device becomes the elected querier. Select IGMPv3 if there are switches and/or Multicast routers in the VLAN that perform source-specific IP Multicast forwarding.
• Querier Source IP Address—Select the source IP address of the IGMP Querier. The following options are available:

• MLD Snooping Status—Select to enable MLD snooping globally on all interfaces.
• Dynamic—(Display only) The port is dynamically configured as a Multicast router port by an IGMP/MLD query. To enable the dynamic learning of Multicast router ports, go to the IGMP Snooping page.
• Forbidden—This port is not to be configured as a Multicast router port, even if IGMP/MLD queries are received on this port. If Forbidden is enabled on a port, Mrouter is not learned on this port (i.e.

STEP 5 Click Apply. The Running Configuration file is updated.
There might be a difference between information on this page and, for example, information displayed in the MAC Group Address FDB page. Assume that the system is in MAC-based groups and that a port requested to join the Multicast groups 224.1.1.1 and 225.1.1.1. Both are mapped to the same MAC Multicast address 01:00:5e:01:01:01. In this case, there is a single entry in the MAC Group Address FDB page, but two entries on this page.
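The address mapping behind this difference, as an added example that is not part of the Linksys guide: an IPv4 group's MAC address keeps only the low 23 bits of the IP address, so groups that differ only in the upper bits share one MAC entry. The function names and the third group (224.129.1.1) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def group_mac(ip: str) -> str:
    """Map an IPv4 Multicast group address to its Ethernet Multicast MAC."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 Multicast address")
    # Fixed prefix 01:00:5e followed by a 0 bit and the low 23 bits of the group.
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def fdb_views(joins):
    """Given (vlan, group_ip) joins, return the IP-group view and the MAC-group view.

    The IP view holds one entry per (vlan, ip); the MAC view holds one entry
    per (vlan, mac) and lists every IP group that collapsed onto it.
    """
    ip_entries = sorted(set(joins))
    mac_entries = defaultdict(list)
    for vlan, ip in ip_entries:
        mac_entries[(vlan, group_mac(ip))].append(ip)
    return ip_entries, dict(mac_entries)


def shared_macs(joins):
    """Return only the MAC entries that more than one IP group maps to."""
    _, mac_entries = fdb_views(joins)
    return {key: ips for key, ips in mac_entries.items() if len(ips) > 1}


if __name__ == "__main__":
    # Constructed joins on VLAN 1; the first two groups are the ones named on this page.
    sample = [(1, "224.1.1.1"), (1, "225.1.1.1"), (1, "224.129.1.1"), (1, "239.5.5.5")]
    ip_view, mac_view = fdb_views(sample)
    print(len(ip_view), "IP group entries,", len(mac_view), "MAC group entries")
    print(shared_macs(sample))
```

With MAC-based forwarding, a port that joined one of the colliding groups also receives frames sent to the others, because the switch can only match on the shared MAC address.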
STEP 7 Click Search to display the port or LAG membership.
STEP 8 Select the way that each interface is associated with the Multicast group:
• Static—Attaches the interface to the Multicast group as a static member.

STEP 5 Enter the parameters.
• VLAN ID—Defines the VLAN ID of the group to be added.
• IP Group Address—Define the IP address of the new Multicast group.
Chapter 10: IP Interface

This section describes IP interfaces and covers the following topics:
• IPv4
• IPv6

IP address collisions occur when the same IP address is used in the same IP subnet by more than one device. Address collisions require administrative actions on the DHCP server and/or the devices that collide with the device.
STEP 2 Enter the parameters.
• Dynamic (DHCP)—Discover the IP address using DHCP from the management VLAN.
• Static IP Address—Manually define a static IP address.

NOTE: DHCP Option 12 (Host Name option) is supported when the device is a DHCP client. If DHCP Option 12 is received from a DHCP server, it is saved as the server’s host name. DHCP option 12 will not be requested by the device.
Overview

The Internet Protocol version 6 (IPv6) is a network-layer protocol for packet-switched internetworks. IPv6 was designed to replace IPv4, the predominantly deployed Internet protocol. IPv6 introduces greater flexibility in assigning IP addresses because the address size increases from 32-bit to 128-bit addresses. IPv6 addresses are written as eight groups of four hexadecimal digits, for example FE80:0000:0000:0000:0000:9C00:876A:130B.
• IPv6 Address—In Layer 2, the device supports a single IPv6 interface. In addition to the default link local and Multicast addresses, the device also automatically adds global addresses to the interface based on the router advertisements it receives. The device supports a maximum of 128 addresses at the interface. Each address must be a valid IPv6 address that is specified in hexadecimal format by using 16-bit values separated by colons.
Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
• Global—An IPv6 address that is a global Unicast IPv6 type that is visible and reachable from other networks.
• Point-to-Point—A Point-to-point tunnel.
• Metric—Value used for comparing this route to other routes with the same destination in the IPv6 router table. All default routes have the same value.
Chapter 11: IP Network Operations

• IP Interface—Interface connected to DNS server.
• Preference—Each server has a preference value, a lower value means a higher chance of being used.
• Configuration Source—Source of the server’s IP address (static or DHCPv4 or DHCPv6)

STEP 3 Up to eight DNS servers can be defined. To add a DNS server, click Add.
Overview

DHCP snooping provides a security mechanism to prevent receiving false DHCP response packets and to log DHCP addresses. It does this by treating ports on the device as either trusted or untrusted. A trusted port is a port that is connected to a DHCP server and is allowed to assign DHCP addresses. DHCP messages received on trusted ports are allowed to pass through the device. An untrusted port is a port that is not allowed to assign DHCP addresses.
DHCP Trusted Packet Handling

DHCPREQUEST | Forward to trusted interfaces only. | Forward to trusted interfaces only.
DHCPACK | Filter. | Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database.
DHCPNAK | Filter. | Same as DHCPOFFER. Remove entry if exists.
DHCPDECLINE | Check if there is information in the database. If the information exists and does not match the interface on which the message was received, the packet is filtered.
DHCP Default Options

Option | Default State
DHCP Snooping | Disable
Option 82 Insertion | Not enabled
Option 82 Passthrough | Not enabled
Verify MAC Address | Enabled
Backup DHCP Snooping Binding Database | Not enabled

• Verify MAC Address—Select to verify that the source MAC address of the Layer 2 header matches the client hardware address as appears in the DHCP Header (part of the payload) on DHCP untrusted ports.
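A model of the two untrusted-port checks described above, as an added example that is not Linksys code: it parses an untagged Ethernet/IPv4/UDP DHCP frame, filters server messages arriving on an untrusted port, and applies the Verify MAC Address comparison. The function names, verdict strings and sample frames are constructed, and filtering DHCPOFFER on untrusted ports is an assumption drawn from the overview, since only the DHCPACK and DHCPNAK rows are visible in the table.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option 53 values sent by DHCP servers. DHCPACK and DHCPNAK are shown as
# "Filter" in the page's table; DHCPOFFER is an assumption (see lead-in).
SERVER_TYPES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}


def build_frame(src_mac: bytes, chaddr: bytes, msg_type: int) -> bytes:
    """Construct a minimal DHCP frame for testing (sample data, checksums left 0)."""
    from_server = msg_type in SERVER_TYPES
    bootp = struct.pack(">BBBBIHH4s4s4s4s16s64s128s",
                        2 if from_server else 1, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    bootp += MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
    sport, dport = (67, 68) if from_server else (68, 67)
    udp = struct.pack(">HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp


def parse_dhcp(frame: bytes):
    """Return src_mac, chaddr and message type, or None if the frame is not DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                       # not untagged IPv4/UDP
    udp = 14 + (frame[14] & 0x0F) * 4     # IPv4 header length from the IHL field
    bootp = udp + 8
    if len(frame) < bootp + 240:
        return None
    sport, dport = struct.unpack(">HH", frame[udp:udp + 4])
    if not {sport, dport} <= {67, 68}:
        return None
    if frame[bootp + 236:bootp + 240] != MAGIC_COOKIE:
        return None
    hlen = min(frame[bootp + 2], 16)
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    msg_type, i = None, bootp + 240
    while i < len(frame) and frame[i] != 255:       # walk options until End
        if frame[i] == 0:                           # Pad option has no length
            i += 1
            continue
        if i + 1 >= len(frame):
            break
        length = frame[i + 1]
        if frame[i] == 53 and length == 1 and i + 2 < len(frame):
            msg_type = frame[i + 2]
        i += 2 + length
    return {"src_mac": frame[6:12], "chaddr": chaddr, "msg_type": msg_type}


def snoop(frame: bytes, trusted: bool) -> str:
    """Decide what the snooping logic described on this page does with a frame."""
    pkt = parse_dhcp(frame)
    if pkt is None:
        return "not-dhcp"
    if trusted:
        return "forward"                  # trusted ports pass DHCP messages
    if pkt["msg_type"] in SERVER_TYPES:
        return "filter-server-message"    # untrusted ports may not assign addresses
    if pkt["src_mac"] != pkt["chaddr"]:
        return "filter-mac-mismatch"      # Verify MAC Address failed
    return "forward"
```

A relayed request carries the relay agent's MAC as its Ethernet source, so the comparison is meaningful on ports that face clients directly.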
• When DHCP Snooping is disabled for a VLAN, the binding entries that were collected for that VLAN are removed.
• If the database is full, DHCP Snooping continues to forward packets, but new entries are not created.

To add entries to the DHCP Snooping Binding database, do the following:
STEP 1 Click Configuration > IP Network Operations > DHCP Snooping Binding Database.
Chapter 12: Security

This section describes device security and access control. The system handles various types of security. This chapter covers the following sections:
• Management Security
• RADIUS
• Network Access Control
• Port Security
• Storm Control

Management Security

The default username/password is admin/admin.

You can assign authentication methods to the various management access methods, such as Telnet, HTTP, and HTTPS.
If an authentication method fails or the user has insufficient privilege level, the user is denied access to the device. If authentication fails at an authentication method, the device stops the authentication attempt; it does not continue and does not attempt to use the next authentication method.
To define authentication methods for an access method:
STEP 1 Click Configuration > Security > Managed Security > Access Authentication.
STEP 2 To change the active access profile, select a profile from the Active Access Profile drop-down menu and click Apply. This makes the chosen profile the active access profile.
STEP 3 Click OK to select the active access profile or click Cancel to discontinue the action.
• Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork.
The selected access profile appears in the Profile Rule Table.
STEP 3 Click Add to add a rule.
STEP 4 Enter the parameters.
• Access Profile Name—Select an access profile.
• Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-fit basis.
• All—Assigns all management methods to the rule.
The user-configurable TCP port used for RADIUS server accounting is the same TCP port that is used for RADIUS server authentication and authorization.
Defaults
The following defaults are relevant to this feature:
• No default RADIUS server is defined by default.
This overrides the default key string if one has been defined.
STEP 3 Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.
To add a RADIUS server, click Add.
• Key String—Enter the key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.
• Usage Type—Enter the RADIUS server authentication type. The options are:
• Login—RADIUS server is used for authenticating users that ask to administer the device.
• 802.
• MAC-based—Supported in all authentication modes.
• In 802.1x-based authentication, the authenticator extracts the EAP messages from the 802.1x messages (EAPOL frames) and passes them to the authentication server, using the RADIUS protocol.
• A port is authorized if there is at least one authorized client. When a port is unauthorized and a guest VLAN is enabled, untagged traffic is remapped to the guest VLAN.
When an authentication method finishes successfully for a client authenticated by a method with a lower priority, the attributes of the new method are applied. When the new method fails, the client is left authorized with the old method.
802.1x-Based Authentication
The device supports the 802.1x authentication mechanism, as described in the standard, to authenticate and authorize 802.1x supplicants. The 802.1x-based authenticator relays transparent EAP messages between 802.
When a port is in multi-session mode and RADIUS-Assigned VLAN is enabled, the device automatically adds the port as an untagged member of the VLAN that is assigned by the RADIUS server during the authentication process. The device classifies untagged packets to the assigned VLAN if the packets originated from the devices or ports that are authenticated and authorized.
NOTE: In multi-session mode, RADIUS VLAN assignment is only supported when the device is in Layer 2 system mode.
• Guest VLAN—Enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the guest VLAN.
• Guest VLAN ID—Select the guest VLAN from the list of VLANs.
The Port Authentication page enables configuration of 802.1X parameters for a port.
• Port—Number of the port.
• VLAN ID—VLAN where the host is learned or assigned.
• Session Time – Amount of time that the supplicant was logged on the port.
• Authentication Method—Method by which the last session was authenticated.
Authentication Method and Port Mode Support
The following table shows which combinations of authentication method and port mode are supported.
Authentication Method Multi-host Multi-sessions Device in L3 Device in L2 802.
Mode Behavior
The following table describes how authenticated and non-authenticated traffic is handled in various situations.
Unauthenticated Traffic With Guest VLAN Authenticated Traffic Without Guest VLAN With Radius VLAN Without Radius VLAN Untagged Untagged Tagged Untagged Tagged Untagged Tagged Multi-host Frames are remapped to the guest VLAN Frames are Frames are dropped unless dropped they belong to the guest VLAN or to the unauthenticated VLANs Frames are dro
Port Security
Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured.
Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.
• Classic Lock—Locks the port immediately, regardless of the number
• Limited Dynamic Lock—Locks the port by deleting the current
• Port—Select the port for which storm control is enabled.
• Storm Control—Select to enable Storm Control.
• Storm Control Mode—Select one of the modes:
• Unknown Unicast, Multicast & Broadcast—Counts unknown Unicast, Broadcast, and Multicast traffic towards the bandwidth threshold.
• Multicast & Broadcast—Counts Broadcast and Multicast traffic towards the bandwidth threshold.
• Broadcast Only—Counts only Broadcast traffic towards the bandwidth threshold.
Chapter 13 Access Control List
NOTE: If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a default action). Because of this default drop action, you must explicitly add ACEs into the ACL to permit the desired traffic, including management traffic, such as Telnet, HTTP or SNMP, that is directed to the device itself.
1. Create one or more of the following types of ACLs:
a. MAC-based ACL by using the MAC Based ACL page and the MAC Based ACE page.
b. IPv4-Based ACL by using the IPv4 Based ACL page and the IPv4 Based ACE page.
c.
STEP 2 Click Add.
STEP 3 Enter the name of the new ACL in the ACL Name field. ACL names are case-sensitive.
STEP 4 Click Apply. The MAC-based ACL is saved to the Running Configuration file.
NOTE: Given a mask of 0000 0000 0000 0000 0000 0000 1111 1111 (which means that you match on the bits where there is a 0 and don't match on the bits where there are 1s), you need to translate the 1s to a decimal integer and write 0 for each four zeros. In this example, since 1111 1111 = 255, the mask would be written as 0.0.0.255.
NOTE: ACLs are also used as the building elements of flow definitions for per-flow QoS handling (see QoS Advanced Mode).
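The wildcard-mask note above and the default drop action described at the start of the chapter can be seen working together in the following added example, which is not code from the switch. The function names, the lowercase action labels and the ACL contents are hypothetical, the addresses are constructed documentation ranges, and the ACE list is assumed to be already in processing order.

```python
import ipaddress


def wildcard_from_bits(bits: str) -> str:
    """Turn a 32-bit mask written as groups of 0/1 into dotted-decimal form."""
    bits = bits.replace(" ", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return str(ipaddress.IPv4Address(int(bits, 2)))


def ace_matches(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard mask holds 0; ignore the 1 bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(ace_addr))
    return (a & care) == (b & care)


def evaluate(acl, src_ip: str) -> str:
    """First matching ACE decides; with no match the packet is dropped (default action)."""
    for action, ace_addr, wildcard in acl:   # list is already in processing order
        if ace_matches(src_ip, ace_addr, wildcard):
            return action
    return "deny"


# Constructed ACL: deny one host, permit the rest of its /24 (documentation addresses).
MASK = wildcard_from_bits("0000 0000 0000 0000 0000 0000 1111 1111")   # "0.0.0.255"
ACL = [
    ("deny", "192.0.2.66", "0.0.0.0"),      # 0.0.0.0 = every bit must match (one host)
    ("permit", "192.0.2.0", MASK),          # any host in 192.0.2.0-192.0.2.255
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.7"):
        print(ip, evaluate(ACL, ip))
```

The third address matches no ACE and is dropped, which is how a management station outside the permitted range loses access once an ACL is bound without an explicit permit for it.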
• Shutdown—Drop packet that meets the ACE criteria and disable the port to which the packet was addressed. Ports are reactivated from the Port Management page.
Protocol—Select to create an ACE based on a specific protocol or protocol ID. Select Any IPv4 to accept all IP protocols.
STEP 3 Click Add.
STEP 4 Enter the parameters.
• ACL Name—Displays the name of the ACL.
ACE Settings
• ACE Priority—Enter the priority. ACEs with higher priority are processed first.
• Any—Match to all source ports.
• Single Port—Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down menu.
STEP 4 Select an interface, and click Edit.
STEP 5 Select one of the following:
• MAC Based ACL—Select a MAC-based ACL to be bound to the interface.
• IPv4 Based ACL—Select an IPv4-Based ACL to be bound to the interface.
• IPv6 Based ACL—Select an IPv6-Based ACL to be bound to the interface.
• Permit Any Unmatched Packets—Select to enable/disable this action.
STEP 6 Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
Chapter 14 Quality of Service
The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment. This section covers the following topics:
• Feature Configuration
• Queue Scheduling
• CoS/802.
When the mode is changed, the following occurs:
• When disabling QoS, the shaper and queue setting (WRR/SP bandwidth setting) are reset to default values. All other user configurations remain intact.
Feature Configuration
To select the QoS mode:
STEP 1 Click Configuration > Quality of Service > Feature Configuration.
STEP 2 Set the QoS mode. The following options are available:
• Disable—QoS is disabled on the device.
QoS Workflow
• Weighted Round Robin (WRR)—In WRR mode, the number of packets sent from the queue is proportional to the weight of the queue (the higher the weight, the more frames are sent). For example, if there are a maximum of four queues possible and all four queues are WRR and the default weights are used, queue 1 receives 1/15 of the bandwidth (assuming all queues are saturated and there is congestion), queue 2 receives 2/15, queue 3 receives 4/15 and queue 4 receives 8/15 of the bandwidth.
• 802.1p—Displays the 802.1p priority tag values to be assigned to an egress queue, where 0 is the lowest and 7 is the highest priority.
• Output Queue—Select the egress queue to which the 802.1p priority is mapped. Either four or eight egress queues are supported, where Queue 4 is the highest priority egress queue and Queue 1 is the lowest priority.
STEP 3 For each 802.1p priority, select the Output Queue to which it is mapped.
STEP 4 Click Apply.
801.
• Ingress Rate Limit—Enter the maximum amount of bandwidth allowed on the interface.
• Ingress Committed Burst Size—Enter the maximum burst size of data for the ingress interface in bytes of data. This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit. This field is only available if the interface is a port.
NOTE: The above Ingress Rate Limit fields do not appear when the interface type is LAG.
STEP 4 Select the Interface.
• 30 Sec—Statistics are refreshed every 30 seconds.
• 60 Sec—Statistics are refreshed every 60 seconds.
STEP 1 Click Configuration > Quality of Service > Basic QoS.
STEP 2 Select the Trust Mode while the device is in Basic mode. The Trust mode determines the queue to which the packet is assigned:
• CoS/802.1p—Traffic is mapped to queues based on the VPT field in the VLAN tag, or based on the per-port default CoS/802.
Chapter 15 Maintenance
This section describes how to view system information and configure various options on the device. It covers the following topics:
• Reboot
• File Management
• Diagnostics
Device Models
All models can be fully managed through the web-based switch configuration utility.
STEP 3 Click Apply and Reboot. The parameters are copied to the Running Configuration file and the stack is rebooted.
File Management
The configuration files are text files and can be edited in a text editor, such as Notepad, after they are copied to an external device, such as a PC.
• View the firmware image currently in use or select the image to be used in the next reboot as described in the Active Firmware Image section.
• Save configuration files on the device to a location on another device as described in the Configuration & Log section.
Files and File Types
Backup—Specifies that a copy of the file type is to be saved to a file on another device.
• Enter the following fields:
• File Type—Select the destination file type:
• Firmware—The program that controls the operations and functionality of the device. More commonly referred to as the image.
• Bytes Transferred—How many bytes were transferred in the process.
• Status—Did the process succeed or fail.
• Error Message—Reason for failure of the process.
When restoring a configuration file to the Startup Configuration or a backup configuration file, the new file replaces the previous file. When restoring to Startup Configuration, the device must be rebooted for the restored Startup Configuration to be used as the Running Configuration. You can reboot the device by using the process described in the Management Interface section.
• Interface—Select the link local interface (if IPv6 is used) from the list.
• Time Domain Reflectometry (TDR) technology tests the quality and characteristics of a copper cable attached to a port. Cables up to 140 meters long can be tested. These results are displayed in the Test Results block of the Copper Test page.
• DSP-based tests are performed on active GE links to measure cable length. These results are displayed in the Advanced Information block of the Copper Test page.
• No Cable—Cable is not connected to the port.
• Open Cable—Cable is connected on only one side.
• Short Cable—Short circuit has occurred in the cable.
• Unknown Test Result—Error has occurred.
• Distance to Fault—Distance from the port to the location on the cable where the fault was discovered.
sometimes called a pong. It measures the round-trip time and records any packet loss.
To ping a host, do the following:
STEP 1 Click Maintenance > Diagnostics > Ping.
• Result—Success or fail of ping.
• Number of Pings Sent—Numbers of responses sent.
• Number of Ping Responses Received—Numbers of responses received.
• Target IP Address—Select the target source interface whose IPv4 address will be used as the source IPv4 address for communication messages. Only the existing IP addresses of the type specified in the IP Version field will be displayed.
To enable mirroring, do the following:
STEP 1 Click Maintenance > Diagnostics > Port Mirroring.
The following fields are displayed:
• Destination Port—Port to which traffic is to be copied; the analyzer port.
• Source Port—Interface, port, from which traffic is sent to the analyzer port.
• Mirror Type—Type of monitoring: incoming to the port (Rx), outgoing from the port (Tx), or both.
Chapter 16 Support
Visit linksys.com/support for award-winning technical support © 2014 Belkin International, Inc. and/or its affiliates. All rights reserved. BELKIN, LINKSYS and many product names and logos are trademarks of the Belkin group of companies. Third-party trademarks mentioned are the property of their respective owners. 8820-01844 Rev.