EKI-9500 Series User Manual

68

Write

The level of write access rights for the group. The menu includes the available SNMP views. When adding a group, select the check box to allow the field to be configured, then select the desired view that permits management read-write access to the contents of the agent but not to the community.

Notify

The level of notify access rights for the group. The menu includes the available SNMP views. When adding a group, select the check box to allow the field to be configured, then select the desired view that permits sending SNMP traps or informs.

Submit

Click Submit to save the values.

Cancel

Click Cancel to close the window.

User Security Model

The SNMP User Security Model page provides the capability to configure the SNMP V3 user accounts.

To access this page, click System > Advanced Configuration > SNMP > User Security Model.

Figure 4.58 System > Advanced Configuration > SNMP > User Security Model

The following table describes the items in the previous figure.

Item

Description

User Name

Specifies the name of the SNMP user being added for the User-based Security Model (USM). Each user name must be unique within the SNMP agent user list. A user name cannot contain any leading or embedded blanks.

Group Name

An SNMP group is a group to which hosts running the SNMP service belong. The group name parameter is simply the name of that group, by which SNMP communities are identified. The use of a group name provides some security and context for agents receiving requests and initiating traps, and does the same for management systems and their tasks. An SNMP agent won't respond to a request from a management system outside its configured group, but an agent can be a member of multiple groups at the same time. This allows for communications with SNMP managers from different groups.

Engine ID

Each SNMPv3 agent has an engine ID that uniquely identifies the agent in the device. If an engine ID is given, this entry is used only for packets that carry that engine ID. This field takes a hexadecimal string in the form 0102030405.

Authentication

Specifies the authentication protocol to be used on authenticated messages on behalf of the specified user.

SHA: SHA protocol will be used.

MD5: MD5 protocol will be used.

None: No authentication will be used for this user.

Privacy

Specifies the privacy protocol to be used on encrypted messages on behalf of the specified user. This parameter is only valid if the Authentication method parameter is not NONE.

DES: DES protocol will be used.

None: No privacy protocol will be used.
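
As an added example (not part of the manual or of the switch software), the field rules in the table above can be checked offline against a hand-recorded list of SNMPv3 users before the entries are typed into the page. The UsmUser record, the function names and the sample entries are assumptions made for illustration, and the warnings reflect this example's own policy of preferring SHA with privacy enabled.

```python
"""Offline audit of SNMPv3 USM user entries against the table's field rules.

Added example: UsmUser, security_level() and audit_users() are hypothetical
names, not an interface of the switch.
"""
import re
from dataclasses import dataclass

AUTH_PROTOCOLS = {"SHA", "MD5", "None"}   # options listed under Authentication
PRIV_PROTOCOLS = {"DES", "None"}          # options listed under Privacy
# Assumption: the engine ID is entered as whole octets, two hex digits each.
HEX_PAIRS = re.compile(r"(?:[0-9A-Fa-f]{2})+")


@dataclass
class UsmUser:
    user_name: str
    group_name: str
    engine_id: str = ""            # optional field
    authentication: str = "None"
    privacy: str = "None"


def security_level(user):
    """Map the Authentication/Privacy pair to the SNMPv3 security level."""
    if user.authentication == "None":
        return "noAuthNoPriv"
    if user.privacy == "None":
        return "authNoPriv"
    return "authPriv"


def audit_user(user, seen_names):
    """Return (severity, message) findings for one entry."""
    out = []
    name = user.user_name
    if not name:
        out.append(("error", "user name is empty"))
    elif " " in name.rstrip(" "):
        out.append(("error", "user name has a leading or embedded blank"))
    if name in seen_names:
        out.append(("error", "user name is not unique in the user list"))
    seen_names.add(name)

    if user.engine_id and not HEX_PAIRS.fullmatch(user.engine_id):
        out.append(("error", "engine ID is not a hex string like 0102030405"))
    if user.authentication not in AUTH_PROTOCOLS:
        out.append(("error", f"unknown authentication {user.authentication!r}"))
    if user.privacy not in PRIV_PROTOCOLS:
        out.append(("error", f"unknown privacy {user.privacy!r}"))
    # Privacy is only valid when Authentication is not None.
    if user.authentication == "None" and user.privacy != "None":
        out.append(("error", "privacy is set but authentication is None"))

    # Policy of this example, not a rule from the manual.
    level = security_level(user)
    if level != "authPriv":
        out.append(("warning", f"security level is {level}"))
    if user.authentication == "MD5":
        out.append(("warning", "MD5 selected; SHA is the stronger option offered"))
    return out


def audit_users(users):
    """Audit a whole user list; returns (index, user_name, severity, message)."""
    findings, seen = [], set()
    for index, user in enumerate(users):
        for severity, message in audit_user(user, seen):
            findings.append((index, user.user_name, severity, message))
    return findings


# Constructed sample entries, not taken from any real device.
SAMPLE_USERS = [
    UsmUser("ops-monitor", "grp-ro", "0102030405", "SHA", "DES"),
    UsmUser("legacy poll", "grp-ro", "", "MD5", "None"),
    UsmUser("ops-monitor", "grp-rw", "01020", "None", "DES"),
]

if __name__ == "__main__":
    for index, name, severity, message in audit_users(SAMPLE_USERS):
        print(f"[{severity}] entry {index} ({name!r}): {message}")
```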

Item

Description

Summary of Contents for EKI-9512-C0IDW10E

Page 1: ...User Manual EKI 9500 Series Full Managed Ethernet Switches...

Page 2: ...tion Advantech assumes no liability under the terms of this warranty as a consequence of such events Because of Advantech s high quality control standards and rigorous testing most of our customers ne...

Page 3: ...case the user will be required to correct the interference at his own expense FCC Class B Note This equipment has been tested and found to comply with the limits for a Class B digital device pursuant...

Page 4: ...vements to this manual we would welcome comments and constructive criticism Please send all such in writing to support advan tech com Packing List Before setting up the system check that the items lis...

Page 5: ...liquid into an opening This may cause fire or electrical shock 13 Never open the equipment For safety reasons the equipment should be opened only by qualified service personnel 14 If one of the follow...

Page 6: ...e einen Brand bzw elektrischen Schlag aus l sen 13 ffnen Sie niemals das Ger t Das Ger t darf aus Gr nden der elektrischen Sicherheit nur von authorisiertem Servicepersonal ge ffnet werden 14 Wenn fol...

Page 7: ...m damage To avoid electrical shock always disconnect the power from your PC chassis before you work on it Don t touch any components on the CPU card or other cards while the PC is on Disconnect power...

Page 8: ...ance Please have the following information ready before you call Product name and serial number Description of your peripheral attachment Description of your software operating system version applicat...

Page 9: ...he Power Inputs 14 Figure 2 5 Removing the Protection Cap 15 Figure 2 6 Installing the Power Cable 15 Figure 2 7 Standard M23 6 Pin Male DC Power Input Connector 15 2 5 Connecting the Ethernet Media 1...

Page 10: ...Excluded Addresses Add 33 Figure 4 13 System Advanced Configuration DHCP Server Pool Summary 33 Figure 4 14 System Advanced Configuration DHCP Server Pool Summary Add 34 Figure 4 15 System Advanced Co...

Page 11: ...nfiguration sFlow Agent 55 Figure 4 42 System Advanced Configuration sFlow Receiver 56 Figure 4 43 System Advanced Configuration sFlow Poller 56 Figure 4 44 System Advanced Configuration sFlow Poller...

Page 12: ...olute 78 Figure 4 72 System Advanced Configuration Time Ranges Entry Configuration Add Periodic 79 Figure 4 73 System Advanced Configuration Time Zone Summary 80 Figure 4 74 System Advanced Configurat...

Page 13: ...111System Management Access HTTPS 109 Figure 4 112System Management Access SSH 111 4 3 9 Passwords 112 Figure 4 113System Passwords Line Password 112 Figure 4 114System Passwords Enable Password 112 F...

Page 14: ...ure 4 154Switching Class of Service 802 1p 152 4 4 2 DHCP Snooping 152 Figure 4 155Switching DHCP Snooping Base Global 152 Figure 4 156Switching DHCP Snooping Base VLAN Configuration 153 Figure 4 157S...

Page 15: ...gure 4 187Switching Dynamic ARP Inspection ACL Add Rule 174 Figure 4 188Switching Dynamic ARP Inspection Statistics 174 4 4 6 Filters 175 Figure 4 189Switching Filters MAC Filters 176 Figure 4 190Swit...

Page 16: ...9Switching Multicast Forwarding Database MLD Snooping 200 Figure 4 220Switching Multicast Forwarding Database Statistics 200 4 4 13 MVR 200 Figure 4 221Switching MVR Global 201 Figure 4 222Switching M...

Page 17: ...Based VLAN Status 235 Figure 4 263Switching MAC Based VLAN Status Add 236 4 4 23 Protocol Based VLAN 236 Figure 4 264Switching Protocol Based VLAN Status 236 Figure 4 265Switching Protocol Based VLAN...

Page 18: ...er Summary 275 Figure 4 305Security TACACS Server Summary Add 276 Figure 4 306Security TACACS Server Configuration 276 Figure 4 307Security TACACS Source Interface Configuration 277 4 7 QoS 277 4 7 1...

Page 19: ...29QoS Diffserv Policy Configuration Add Attribute 301 Figure 4 330QoS Diffserv Service Summary 304 Figure 4 331QoS Diffserv Service Summary Add 305 Figure 4 332QoS Diffserv Service Statistics 305 Figu...

Page 20: ...Chapter 1 1Product Overview...

Page 21: ...emp Wide voltage input EKI 9512DP HV EKI 9512 PFIDH10E 12FE PoE wide temp High voltage input EKI 9512DP LV EKI 9512 PFIDL10E 12FE PoE wide temp Low voltage input EKI 9512D WV EKI 9512 CFIDW10E 12FE w...

Page 22: ...r Input EKI 9516 24 48 72 96 110 Vdc EKI 9516P HV 72 96 110 Vdc EKI 9516P LV 24 48 Vdc EKI 9512 24 48 72 96 110 Vdc EKI 9512P HV 72 96 110 Vdc EKI 9512P LV 24 48 Vdc Certifications Safety EN50155 EN50...

Page 23: ...aseT X x 4 X coding EKI 9516D 10 100 1000BaseT X x 4 D coding 7 ETH port EKI 9516 10 100 1000BaseT X x 12 X coding EKI 9516D 10 100 1000BaseT X x 12 D coding 8 Mounting screw hole Screw holes x6 used...

Page 24: ...P HV and EKI 9516DP LV 10 100 1000BaseT X x 4 D coding 7 ETH port EKI 9516P HV and EKI 9516P LV 10 100 1000BaseT X x 12 X coding EKI 9516DP HV and EKI 9516DP LV 10 100 1000BaseT X x 12 D coding 8 Moun...

Page 25: ...4 X coding EKI 9512D 10 100 1000BaseT X x 4 D coding 7 ETH port EKI 9512 10 100 1000BaseT X x 8 X coding EKI 9512D 10 100 1000BaseT X x 8 D coding 8 Mounting screw hole Screw holes x6 used in the ins...

Page 26: ...ng EKI 9512DP HV and EKI 9512DP LV 10 100 1000BaseT X x 4 D coding 7 ETH port EKI 9512P HV and EKI 9512P LV 10 100 1000BaseT X x 8 X coding EKI 9512DP HV and EKI 9512DP LV 10 100 1000BaseT X x 8 D cod...

Page 27: ...ed but unsaved Blink yellow 3Hz TBD Blink yellow 5Hz TBD Off Configuration saved 5 ALM Red on Defined major policies are detected Blink red 1Hz Defined minor policies are detected Blink red 3Hz TBD Bl...

Page 28: ...Chapter 2 2Switch Installation...

Page 29: ...arance at the top and bottom and around the exhaust vents 2 1 1 Connecting Hardware These instructions explain how to find a proper location for your Modbus Gateways and how to connect to the network...

Page 30: ...crews to secure the device Note Make sure the screws dimensions are suitable for use with the device Do not completely tighten the screws into the wall A final adjust ment may be needed before fully s...

Page 31: ...e into consideration the following guidelines before wiring the device The Terminal Block CN1 is suitable for 12 24 AWG 3 31 0 205 mm2 Torque value 7 lb in The cross sectional area of the earthing con...

Page 32: ...nications wires through separate con duits Caution Do not disconnect modules or cabling unless the power is first switched off The device only supports the voltage outlined in the type plate Do not us...

Page 33: ...ter to ensure there is no voltage difference between the power supply s negative output terminal and the grounding point on the switch Pin DN Signal VBUS NC DP GND 1 2 3 4 5 Pin TX Signal RX DSR GND D...

Page 34: ...0 125 and 250VDC to the DC power connector on the switch The DC input connector is located on the left side of the front panel The power terminals are connected as shown in the following figure They a...

Page 35: ...ng circular connectors The 10 100 1000BaseT X ports located on the switch s front side are used to connect to Ethernet enabled devices 2 5 1 1 M12 X Coding Connector Pin Assignment Figure 2 8 10 100 1...

Page 36: ...ernal power is lost either from an external power down condi tion or by the failure of the power supply inside of the EKI 9500 Series 2 6 0 1 Pin Assignment Figure 2 10 Alarm Contact Pin Assignment 2...

Page 37: ...EKI 9500 Series User Manual 18 2 8 Connecting the USB Terminal 2 8 0 1 Pin Assignment Figure 2 12 M12 Console Pin Assignment Pin Description 1 DN 2 VBUS 3 NC 4 DP 5 GND 2 1 5 3 4...

Page 38: ...Chapter 3 3Configuration Utility...

Page 39: ...explanation of how RSTP works is given in the Spanning Tree section The switch is capable of communicating with other SNMP capable devices on the network to exchange management information This stati...

Page 40: ...for network access select Add Menu Address Here to reach the System Settings menu The settings in this menu control the switch s general net work configuration DHCP Enabled Disabled The switch can au...

Page 41: ...cable between network interfaces The second local area network standard is 100BASE T which runs at 100Mbps over the same twisted pair Ethernet cable Lastly there is 100BASE F which enables fast Ether...

Page 42: ...nterface allows for local or remote switch configuration anywhere on the network The interface is designed for use with Internet Explorer 6 0 Chrome Firefox 3 3 1 Preparing for Web Configuration The i...

Page 43: ...Chapter 4 4Managing Switch...

Page 44: ...e Figure 4 1 Login Screen 4 2 Recommended Practices One of the easiest things to do to help increase the security posture of the network infrastructure is to implement a policy and standard for secure...

Page 45: ...nd port based IEEE 802 1X access to the system An authentication list specifies which authentication method s to use to vali date the credentials of a user who attempts to access the device Several au...

Page 46: ...IAS Uses the local Internal Authentication Server IAS data base for 802 1X port based authentication Deny Denies authentication Enable Uses the locally configured Enable password to verify the user s...

Page 47: ...menu include the default Enable authentication lists as well as any user configured Enable lists To access this page click System AAA Authentication Selection Figure 4 6 System AAA Authentication Sel...

Page 48: ...ers who attempt to access the CLI by using a Telnet ses sion SSH The Login authentication list and the Enable authentication list to apply to users who attempt to access the CLI by using a secure shel...

Page 49: ...ld are configured on the Accounting Selection page Refresh Click Refresh to update the screen Add Click Add to add a new accounting list Edit Click Edit to edit the selected entries Item Description A...

Page 50: ...methods in this section are CLI based Console The Exec accounting list and the Commands account ing list to apply to users who access the CLI by using a connec tion to the console port Telnet The Exe...

Page 51: ...dministrative mode When enabled the device can be configured to automatically allocate TCP IP configurations for clients Conflict Logging Mode Enables or disables the logging mode for IP address confl...

Page 52: ...e of addresses this value is the lowest address to exclude To The highest address to exclude in a range of addresses If the excluded address is not part of a range this field shows the same value as t...

Page 53: ...HCP server can assign the client any available IP address within the pool This type is also known as Auto matic Undefined The pool has been created by using the CLI but the pool information has not be...

Page 54: ...clients the client identifier is required instead of the hardware address If the cli ent s DHCP request includes the client identifier the Client ID field on the DHCP server must contain the same val...

Page 55: ...r dynamic pools only Client Name The system name of the client The Client Name should not include the domain name This field is optional Hardware Address Type The protocol type Ethernet or IEEE 802 us...

Page 56: ...t a TFTP server to download a new image file To configure this field click button in the row To reset the field to the default value click the Reset icon in the row To configure settings for one or mo...

Page 57: ...e The default domain name to configure for all clients in the selected pool Bootfile Name The name of the default boot image that the client should attempt to download from a specified boot server Opt...

Page 58: ...System Advanced Configuration DHCP Server Pool Options Configure Vendor Option The following table describes the items in the previous figure Item Description Option Code The number that uniquely ide...

Page 59: ...ared To access this page click System Advanced Configuration DHCP Server Statistics Figure 4 20 System Advanced Configuration DHCP Server Statistics Submit Click Submit to save the values Cancel Click...

Page 60: ...e message if the DHCP client detects that the IP address offered by the DHCP server is already in use on the network The server then marks the address as unavailable DHCPRELEASE The number of DHCP rel...

Page 61: ...hich is one of the following Gratuitous ARP The DHCP client detected the conflict by broadcasting an ARP request to the address specified in the DHCP offer message sent by the server If the client rec...

Page 62: ...omain List The list of domain names that have been added to the DNS client s domain list If a DNS query that includes the default domain name is not resolved the DNS client attempts to use the domain...

Page 63: ...only available for Dynamic entries Elapsed Time The number of seconds that have passed since the entry was added to the table When the Elapsed Time reaches the Total Time the entry times out and is r...

Page 64: ...ure 4 26 System Advanced Configuration Email Alerts Global The following table describes the items in the previous figure Item Description Type The type of interface to use as the source interface Non...

Page 65: ...g Duration Minutes Determines how frequently the non critical messages are sent to the SMTP server Submit Click Submit to save the values and update the screen Refresh Click Refresh to update the scre...

Page 66: ...resh Click Refresh to update the screen Add Click Add to add a new Email server Edit Click Edit to edit the selected entries Remove Click Remove to remove the selected entries Item Description Securit...

Page 67: ...ime Since Last Email Sent The amount of time in days hours minutes and seconds that has passed since the last email alert was successfully sent Refresh Click Refresh to update the screen Clear Counter...

Page 68: ...l CDP ISDP is used to share information between neighboring devices routers bridges access servers and switches To access this page click System Advanced Configuration ISDP Global Figure 4 34 System A...

Page 69: ...interface that is connected to the neighbor The ISDP mes sage was received on this interface IP Address The first network layer address reported in the address TLV of the most recently received ISDP m...

Page 70: ...is page click System Advanced Configuration ISDP Statistics Figure 4 37 System Advanced Configuration ISDP Statistics The following table describes the items in the previous figure Item Description In...

Page 71: ...e total number of ISDP version 1 packets transmitted by the device ISDPv2 Packets Received The total number of ISDP version 2 packets received by the device ISDPv2 Packets Transmitted The total number...

Page 72: ...link up Down Link is down when the above conditions are not true Refresh Click Refresh to update the screen Add Click Add to add a new group Edit Click Edit to edit the selected entries Remove Click R...

Page 73: ...Port Enable this option to allow the device to drop packets that have the TCP source port equal to the TCP destination port UDP Port Enable this option to allow the device to drop packets that have t...

Page 74: ...ler than this configured value ICMP Settings ICMP Enable this option to allow the device to drop ICMP packets that have a type set to ECHO_REQ ping and a payload size greater than the ICMP payload siz...

Page 75: ...Owner String The entity making use of this sFlow receiver table entry If this field is blank the entry is currently unclaimed Time Remaining The time in seconds remaining before the sampler is releas...

Page 76: ...l also expire Poller Interval The maximum number of seconds between successive samples of the counters associated with this data source A sampling interval of 0 disables counter sampling Refresh Click...

Page 77: ...sampling rate for packet sampling from this source A sampling rate of 0 disables sampling Maximum Header Size The maximum number of bytes that should be copied from a sampled packet Refresh Click Ref...

Page 78: ...Pv1 2 Community page When the community names are changed access rights are also changed SNMP Communities are defined only for SNMP v1 and SNMP v2 Use the SNMP Community Configuration page to enable S...

Page 79: ...ted with this community entry IP Address Specifies the IP address that can connect with this community Refresh Click Refresh to update the screen Add Community Click Add Community to add a new SNMP co...

Page 80: ...in the client and identifies the access the user may connect with Group Name Identifies the Group associated with this Community entry IP Address Specifies the IP address that can connect with this co...

Page 81: ...Add Click Add to add a new SNMP trap receiver Remove Click Remove to remove the selected entries Item Description Host IP Address The IP address of the SNMP management host that will receive traps ge...

Page 82: ...cation Notify Type The type of SNMP notification to send the SNMP management host Trap An SNMP message that notifies the host when a certain event has occurred on the device The message is not acknowl...

Page 83: ...The type of SNMP notification to send the SNMP management host Inform An SNMP message that notifies the host when a certain event has occurred on the device The message is acknowl edged by the SNMP m...

Page 84: ...ment system outside of its configured group but an agent can be a member of multiple groups at the same time to allow communication with SNMP managers from different groups Several default SNMP groups...

Page 85: ...cation but no data encryption With this security level users send SNMP messages that use an MD5 key password for authentication but not a DES key password for encryption Auth Priv Authentication and d...

Page 86: ...or authentication but not a DES key password for encryption Auth Priv Authentication and data encryption With this security level users send an MD5 key password for authentication and a DES key passwo...

Page 87: ...r name cannot contain any leading or embedded blanks Group Name A SNMP group is a group to which hosts running the SNMP service belong A group name parameter is simply the name of that group by which...

Page 88: ...contain any leading or embedded blanks Group Name A SNMP group is a group to which hosts running the SNMP service belong A group name parameter is simply the name of that group by which SNMP communiti...

Page 89: ...protocol to be used on encrypted messages on behalf of the specified user This parameter is only valid if the Authen tication method parameter is not NONE DES DES protocol will be used None No privacy...

Page 90: ...cription Client Mode Specifies the mode of operation of SNTP Client An SNTP client may operate in one of the following modes Disable SNTP is not operational No SNTP requests are sent from the client n...

Page 91: ...before attempting to use the next configured server when configured in unicast mode Number of Servers Configured Specifies the number of current valid unicast server entries configured for this clien...

Page 92: ...NTP message Server Kiss Of Death The SNTP server indicated that no further queries were to be sent to this server This is indicated by a stra tum field equal to 0 in a message received from a server S...

Page 93: ...er that they appear in the table Version Specifies the NTP version running on the server Refresh Click Refresh to update the screen Add Click Add to add a new SNTP server Edit Click Edit to edit the s...

Page 94: ...e the system clock Last Attempt Time Specifies the local date and time UTC that this SNTP server was last queried Last Attempt Status Specifies the status of the last SNTP request to this server If no...

Page 95: ...guration Use the Time Range Summary page to create a named time range Each time range can consist of one absolute time entry and or one or more periodic time entries To access this page click System A...

Page 96: ...name that identifies this time range A time based ACL rule can reference the name configured in this field Time Range Status Shows whether the time range is Active or Inactive A time range is Inactiv...

Page 97: ...even years Each time entry configuration can have only one Absolute entry Periodic Recurring entry that takes place at fixed intervals This type of entry occurs at the same time on one or more days o...

Page 98: ...on in the field or by using the scroll bar in the Choose Time window Click Now to use the current time of day Click Done to close the Choose Time window This field can be configured only if the Start...

Page 99: ...selected option in the Applicable Days field is Days of Week select one or more days on which the entry becomes active To select multiple days hold the CTRL key and select each desired start day Star...

Page 100: ...sable Summer time is not active and the time does not shift based on the time of year Recurring Summer time occurs at the same time every year The start and end times and dates for the time shift must...

Page 101: ...this page click System Advanced Configuration Time Zone Sum mer Time Figure 4 75 System Advanced Configuration Time Zone Summer Time Item Description Time Zone Offset The system clock s offset from U...

Page 102: ...To change the date click the calendar icon to the right of the field select the year from the menu browse to the desired month and click the date Starting Time of Day The time in hours and minutes to...

Page 103: ...ble describes the items in the previous figure Trap Log Use the System Trap Log page to view the entries in the trap log To access this page click System Advanced Configuration Event Manager Trap Log...

Page 104: ...s generated since the traps were last displayed Displaying the traps by any available method for example uploading the file from the switch or viewing the logs from a terminal interface will cause thi...

Page 105: ...Item Description List Name The name of the policy list This field can be configured only when adding a new policy list Event Options The method s used to authenticate a user who attempts to access th...

Page 106: ...The policy list to trigger system alarm relay as always on or off Alarm Relay 2 The policy list to trigger system alarm relay 2 as always on or off Alarm Mail The policy list to send Email Logging The...

Page 107: ...e click System Configuration Storage Save Figure 4 83 System Configuration Storage Save Item Description 802 3x Flow Control Mode The 802 3x flow control mode on the switch IEEE 802 3x flow control wo...

Page 108: ...e on the device When you click Submit the copy action takes place immediately and the source file overwrites the destination file Item Description Save Click Save to initiate a save of all system conf...

Page 109: ...ed or routed To access this page click System Connectivity IPv4 Figure 4 87 System Connectivity IPv4 Item Description Source File Select the configuration file that will overwrite the contents in the...

Page 110: ...ield displays the IP address that was dynamically acquired if any Subnet Mask The IP subnet mask for the interface If the Network Configuration Protocol is None you can manually configure a static sub...

Page 111: ...terface IPv6 Stateless Address AutoConfig Mode Sets the IPv6 stateless address auto configuration mode on the net work interface Enabled The network interface can acquire an IPv6 address through IPv6...

Page 112: ...ugh the network interface MAC Address The MAC address of the neighboring device Type The type of the neighbor entry which is one of the following Static The neighbor entry is manually configured Dynam...

Page 113: ...in the previous figure Add Click Add to add a new network port IPv6 neighbor Remove Click Remove to remove the selected entries Item Description IPv6 Address The IPv6 address of a neighbor device tha...

Page 114: ...ess If the Service Port Configuration Protocol is BOOTP or DHCP this field dis plays the IP address that was dynamically acquired if any Subnet Mask The IP subnet mask for the interface If the Service...

Page 115: ...ault gateway for the IPv6 service port interface To configure this field click button in the row To reset the field to the default value click button in the row Static IPv6 Addresses Lists the manuall...

Page 116: ...The neighbor device is not a router Neighbor State The current reachability state of the neighboring device which is one of the following Reachable The neighbor is reachable through the service port S...

Page 117: ...Upgrade page to transfer a new firmware code image to the device select which image to load during the next boot cycle Item Description DHCP Vendor Class ID Mode The VCI administrative mode When the...

Page 118: ...transfer After you select the appropriate file click Begin Transfer to launch the HTTP transfer process The active image is overwritten by the file that you transfer Backup The backup code file versi...

Page 119: ...on Log Index The position of the entry within the buffered log file The most recent log message always has a Log Index value of 1 Log Time The time the entry was added to the log Severity The severity...

Page 120: ...er used to identify the event log entry with the most recent entry listed first lowest number Type The incident category that indicates the cause of the log entry EVENT ERROR etc Filename The source c...

Page 121: ...encing normal but significant conditions Info 6 The device is providing non critical information Debug 7 The device is providing debug level information Component The component that has issued the log...

Page 122: ...st name of the remote host to receive log messages Port The UDP port on the logging host to which syslog messages are sent Severity Filter Severity level threshold for log messages All log messages wi...

Page 123: ...ystem failures Error 3 The device is experiencing non urgent failures Warning 4 The device is experiencing conditions that could lead to system errors if no action is taken Notice 5 The device is expe...

Page 124: ...the physical port to use as the source interface VLAN ID When the selected Type is VLAN select the VLAN to use as the source interface The menu contains only the VLAN IDs for VLAN routing interfaces S...

Page 125: ...When this mode is dis abled any feature on the device that uses Java is not available and cannot be viewed by using a web browser Telnet Telnet Server Admin Mode Enables or disables the telnet adminis...

Page 126: ...value disconnects all existing telnet connections and shuts down the telnet port in the device Telnet Port The TCP port number on which the telnet server listens for requests Existing telnet login ses...

Page 127: ...Character Size Bits The number of bits in a character This value is always 8 Parity The parity method used on the serial port Stop Bits The number of stop bits per character Flow Control Indicates whe...

Page 128: ...o both HTTP and HTTPs connections HTTP Port The TCP port number on which the HTTP server listens for requests Existing HTTP login sessions are closed whenever this value is changed All new HTTP sessio...

Page 129: ...er that HTTPS uses NOTE Before changing this value check your system e g using net stat to make sure the desired port number is not currently being used by any other service HTTPS Session Soft Time Ou...

Page 130: ...oes not allow connections from clients using the SSH 2 protocol SSH Connections Currently in Use The number of active SSH sessions between remote SSH clients and the SSH server on the device Maximum n...

Page 131: ...Console Telnet SSH Password Enter the new password for the corresponding Line Mode in this field Be sure the password conforms to the allowed number of characters The password characters are not displ...

Page 132: ...disables the password strength checking feature Enabling this feature forces the user to configure passwords that comply with the various strong password configuration parameters that are defined on t...

Page 133: ...keyword checking is case insensitive Additionally a password cannot contain the backwards version of an excluded keyword For example if pass is an excluded keyword passwords such as 23passA2c ssap wor...

Page 134: ...tratively enabled or disabled Power Management Mode The default setting is Dynamic mode Static according to port power budget Dynamic according to actual real time power consumption System Power Bud g...

Page 135: ...the rest of the data in the row When configuring PoE settings this field identifies the interface s being con figured Admin Mode Indicates whether PoE is administratively enabled or disabled on the i...

Page 136: ...main power supply Short PSE port has detected a short circuit condition Overload PD connected to PSE port tried to draw more power than permissible by the hardware Power Denied PSE port has been denie...

Page 137: ...when managing the device by using SNMP Type The interface type which is one of the following Normal The port is a normal port which means it is not a LAG member or configured for port mirroring Trunk...

Page 138: ...sends and receives LACP PDUs with its link partner to confirm that the external switch is also configured for link aggregation Disabled The port is supports static LAG configuration only This mode mi...

Page 139: ...Meters The estimated length of the cable If the cable length cannot be deter mined Unknown is displayed This field shows the range between the shortest estimated length and the longest estimated lengt...

Page 140: ...mirroring session ID The number of sessions allowed is platform specific Mode The administrative mode for the selected port mirroring session If the mode is disabled the configured source is not mir...

Page 141: ...onfigure Session Click Configure Session to configure the administrative mode for a port mirroring session or to select an ACL for flow based mirroring Configure Source Click Configure Source to confi...

Page 142: ...revent their being deliverable to a higher layer protocol A possible reason for discarding a packet could be to free up buffer space Unicast Packets The number of subnetwork unicast packets delivered...

Page 143: ...fy the interface when managing the device by using SNMP Time Since Counters Last Cleared The amount of time in days hours minutes and seconds that has passed since the statistics for this device were...

Page 144: ...the Ethernet header CRC and payload Packet Lengths Received and Transmitted The table shows how many packets of certain lengths have been received and transmitted by the interface Basic The table sh...

Page 145: ...Since Counters Last Cleared The amount of time in days hours minutes and seconds that has passed since the statistics for this interface were last reset Refresh Click Refresh to update the screen Cle...

Page 146: ...the DHCPv6 client has sent to any available DHCPv6 server to request an extension of its addresses and an update to any other relevant information This message is sent only if the client does not rec...

Page 147: ...stics are not reported to the console or an external server They can be viewed only by using the web interface or by issuing a CLI command Console The statistics are displayed on the console E Mail T...

Page 148: ...al bandwidth used by the port within the specified time period Congestion The percentage of time within the specified time range that the ports experienced congestion Time Range The name of the period...

Page 149: ...Mail The statistics are sent to an e mail address The SNTP server and e mail address information is configured by using the appropriate Email Alerts pages Syslog The statistics are sent to a remote sy...

Page 150: ...gainst the rule Match Criteria Match All Select this option to indicate that all traffic matches the rule and is counted in the statistics This option is exclusive to all other match criteria so if M...

Page 151: ...to any value less than 1024 When multiple network interfaces are supported by a device as is typical of a router either a single ARP cache is used for all interfaces or a separate cache is maintained...

Page 152: ...the switch port through which the connection was established or displays as Management if the connection occurred via a non network port interface if applicable Refresh Click Refresh to update the s...

Page 153: ...tem Summary Dashboard 60 Seconds The percentage amount of CPU utilization consumed by the corresponding task in the last 60 seconds 300 Seconds The percentage amount of CPU utilization consumed by th...

Page 154: ...rts and can not be switched or routed to the operational network Service Port MAC Address The device burned in universally administered media access control MAC address of the service port System Up T...

Page 155: ...al interface that allows remote management of the device via any of the front panel switch ports Service Port IP Address The IP address assigned to the service port The service port provides remote ma...

Page 156: ...l number used to identify the device Manufacturer The two octet code that identifies the manufacturer Burned In MAC Address The device burned in universally administered media access control MAC addre...

Page 157: ...entry and why it is in the table which can be one of the following Static The address has been manually configured and does not age out Learned The address has been automatically learned by the device...

Page 158: ...of the password Disable When configuring a password it is checked against the Strength Check rules configured for passwords Password Expiration Indicates the current expiration date if any of the pas...

Page 159: ...rs Auth Server Users Add The following table describes the items in the previous figure Password Strength Shows the status of password strength check Encrypted Password Specifies the password encrypti...

Page 160: ...user name Password Specify the password to associate with the user name if required Confirm Re enter the password to confirm the entry Encrypted Select this option to encrypt the password before it is...

Page 161: ...he ping packet in bytes Changing the size allows you to troubleshoot connectivity issues with a variety of packet sizes such as large or very large packets Source The source IP address or interface to...

Page 162: ...prefix of fe80 64 Interface Select the interface on which to issue the Link Local ping request Host Name or IPv6 Address Enter the global or link local IPv6 address or the DNS resolvable host name of...

Page 163: ...terminates after sending probes that can be layer 3 forwarded this number of times If the destination is further away the TraceRoute will not reach it InitTTL The initial Time To Live TTL This value...

Page 164: ...29 20 5 246 80 ms 80 ms 80 ms 7 198 20 90 26 70 ms 70 ms 70 ms 8 216 20 255 105 90 ms 70 ms 80 ms 9 63 20 216 155 80 ms 80 ms 90 ms Hop Count 9 Last TTL 9 Test attempt 27 Test Success 27 For each TTL...

Page 165: ...ls to receive a response for this number of consecutive probes the TraceRoute terminates Interval Seconds Specifies the time between probes in Seconds If a response is not received within this interva...

Page 166: ...ter that responded to the probes and the response time for each probe If no response is received for probes with a particular TTL the IP address is reported as 0 0 0 0 An error code may be printed wit...

Page 167: ...displayed in days hours minutes and seconds since the last address conflict was detected provided the Clear History button has not yet been pressed Refresh Click Refresh to update the screen Run Det...

Page 168: ...system Trap Log Select this option to transfer the system trap records to a remote system Error Log Select this option to transfer the system error persistent log which is also known as the event lo...

Page 169: ...sed user authentication SSH 1 RSA Key File Select this option to transfer an SSH 1 Rivest Shamir Adleman RSA key file to the device SSH key files contain information to authenticate SSH sessions for r...

Page 170: ...s traffic types e g data or voice based on their latency requirements and give preference to time sensitive traffic Select File If HTTP is the Transfer Protocol browse to the directory where the file...

Page 171: ...Priority The heading row lists each 802 1p priority value 0 7 and the data in the table shows which traffic class is mapped to the priority value Incoming frames containing the designated 802 1p prio...

Page 172: ...llowing table describes the items in the previous figure To enable a VLAN for DHCP snooping Click Switching DHCP Snooping Base VLAN Configuration Add Figure 4 157 Switching DHCP Snooping Base VLAN Con...

Page 173: ...The interface associated with the rest of the data in the row When configuring the settings for one or more interfaces this field identifies each interface that is being configured Trust State The tru...

Page 174: ...ived on untrusted interfaces If the incoming rate of DHCP packets exceeds the value of this object during the amount of time specified for the burst interval the port will be shutdown You must adminis...

Page 175: ...describes the items in the previous figure Persistent Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping bindings database The bindings data...

Page 176: ...y if Remote is selected in the Store field Remote File Name The file name of the DHCP snooping bindings database in which the bindings are stored This field is available only if Remote is selected in...

Page 177: ...e L2 DHCP relay on individual ports Note that L2 DHCP relay must also be enabled globally on the device To change the DHCP L2 relay settings for one or more interfaces select each entry to modify and...

Page 178: ...f the following Trusted A trusted interface usually connects to other agents or servers participating in the DHCP interaction e g other L2 or L3 relay agents or servers An interface in this mode alway...

Page 179: ...VLAN associated with the rest of the data in the row When configuring the settings for one or more VLANs this field identifies each VLAN that is being configured Circuit ID The administrative mode of...

Page 180: ...clients DHCPv6 server messages are forwarded only through trusted ports To access this page click Switching IPv6 DHCP Snooping Base Global Figure 4 169 Switching IPv6 DHCP Snooping Base Global Item De...

Page 181: ...owing table describes the items in the previous figure Item Description DHCP Snooping Mode The administrative mode of IPv6 DHCP snooping on the device MAC Address Validation Enables or Disables the v...

Page 182: ...do not match the application logs the event when logging of invalid packets is enabled and drops the message If MAC address validation is globally enabled messages that pass the initial validation ar...

Page 183: ...the binding s interface is other than the interface where the message was received DHCPv6 packets are dropped when the source MAC address does not match the client hardware address if MAC Address Va...

Page 184: ...sage was received Tentative bindings are completed when IPv6 DHCP snooping learns the client s IPv6 address from a REPLY message on a trusted port DHCP snooping removes bindings in response to DECLINE...

Page 185: ...nding database VLAN ID The VLAN ID of the client interface IP Address The IPv6 address assigned to the client by the DHCPv6 server Lease Time The remaining IPv6 address lease time for the client Refre...

Page 186: ...interface has a VLAN tag S tag removed if one or more tags are present DVLAN also supports up to 4 Tag Protocol Identifier TPID values per switch and the ability to map these values to ports This all...

Page 187: ...0 IEEE 802 1Q customer VLAN tag type 0x88a8 Virtual Metropolitan Area Network VMAN tag type Custom Tag User defined EtherType value Secondary TPIDs The two byte hex EtherType values available to be co...

Page 188: ...LAN tag This value identifies the frame as one of the following types 0x8100 IEEE 802 1Q VLAN tag type This value indicates that the frame includes a VLAN tag 0x88a8 Virtual Metropolitan Area Network...

Page 189: ...the items in the previous figure 4 4 5 2 VLAN Use the Dynamic ARP Inspection VLAN Configuration page to view and configure Dynamic ARP Inspection DAI settings for VLANs When DAI is enabled on a VLAN D...

Page 190: ...cess control list ACL that the VLAN uses as the filter for ARP packet validation The ARP ACL must already exist on the system to associate it with a DAI enabled VLAN ARP ACLs include permit rules only...

Page 191: ...do not match any ARP ACL rules are dropped without consulting the DHCP snooping database Disable The ARP packet needs further validation by using the entries in the DHCP Snooping database Submit Click...

Page 192: ...Switching Dynamic ARP Inspection ACL Add ACL Burst Interval The number of consecutive seconds the interface is monitored for incoming ARP packet rate limit violations Refresh Click Refresh to update t...

Page 193: ...system that is permitted to send ARP packets The ARP packet must match on both the Sender IP Address and Sender MAC Address values in the rule to be considered valid Sender MAC Address The MAC addres...

Page 194: ...ender MAC address in the ARP packet did not match any rules in the ARP ACL associated with this VLAN The static flag on this VLAN is enabled which means ARP packets that fail to match an ARP ACL rule...

Page 195: ...e filter is received on a port in the Source Members list it is forwarded to a port in the Destination Members list If the frame that meets the filter criteria is received on a port that is not in th...

Page 196: ...o fully identify the frames to filter Source Members The port s included in the inbound filter If a frame with the MAC address and VLAN ID combination specified in the filter is received on a port in...

Page 197: ...istrative mode of GVRP on the system When enabled GVRP can help dynamically manage VLAN memberships on trunk ports GMRP Mode The administrative mode of GMRP on the system When enabled GMRP can help co...

Page 198: ...e period of time that the multicast packet is flooded The problem of wasting bandwidth is even worse when the LAN segment is not shared for example in Full Duplex links Allowing switches to snoop IGM...

Page 199: ...ing is administratively enabled IGMP snooping must be enabled globally and on an interface for the interface to be able to snoop IGMP packets to determine which segments should receive multicast pack...

Page 200: ...ociated with the rest of the data in the row When enabling IGMP snooping on a VLAN use this menu to select the desired VLAN Only VLANs that have been configured on the system and are not already enabl...

Page 201: ...ing for the selected entries Item Description VLAN ID The VLAN associated with the rest of the data in the row When enabling IGMP snooping on a VLAN use this menu to select the desired VLAN Only VLANs...

Page 202: ...1 and IGMPv2 report suppression mode The device uses IGMP report suppression to limit the membership report traffic sent to multicast capable routers When this mode is enabled the device does not send...

Page 203: ...VLANs appear in the table VLAN IDs The ID of the VLAN configured as enabled for multicast routing on the associated interface Refresh Click Refresh to update the screen Add Click Add to enable IGMP sn...

Page 204: ...s multicast router interfaces on the selected port or LAG To disable a VLAN as a multicast router interface click the VLAN ID to select it or CTRL click to select multiple VLAN IDs Then click the app...

Page 205: ...ier election process Enabled The IGMP snooping querier on this VLAN participates in the querier election process when it discovers the presence of another querier in the VLAN If the snooping querier...

Page 206: ...ode for the IGMP snooping querier election process Enabled The IGMP snooping querier on this VLAN participates in the querier election process when it discovers the presence of another querier in the...

Page 207: ...time interval equal to the configured querier query interval If the snooping switch sees a better querier numerically lower in the VLAN it moves to non querier mode Non Querier The snooping switch is...

Page 208: ...is field identifies each interface that is being configured Admin Mode The administrative mode of MLD snooping on the interface MLD snooping must be enabled globally and on an interface for the inter...

Page 209: ...mode for the specified group which is one of the following Include The receiver has expressed interest in receiving multicast traffic for the multicast group from the source or sources in the Source...

Page 210: ...hout first sending out MAC based general queries Refresh Click Refresh to update the screen Add Click Add to enable MLD snooping on a VLAN Edit Click Edit to edit the selected entries Remove Click Rem...

Page 211: ...ter VLAN status for each interface A multicast router interface faces a multicast router or MLD querier and receives multicast traffic If a multicast router is attached to the switch its existence can...

Page 212: ...router VLAN information this field shows the interface that is being configured VLAN ID The ID of each VLAN configured as enabled as a multicast router interface on the associated interface When cha...

Page 213: ...each VLAN configured as enabled as a multicast router interface on the associated interface When changing the multicast routing VLAN interfaces that are associated with an interface click the VLAN ID...

Page 214: ...ocess Enabled The MLD snooping querier on this VLAN participates in the querier election process when it discovers the presence of another querier in the VLAN If the snooping querier finds that the ot...

Page 215: ...D snooping querier election process Enabled The MLD snooping querier on this VLAN participates in the querier election process when it discovers the presence of another querier in the VLAN If the snoo...

Page 216: ...in data for more than one protocol To access this page click Switching Multicast Forwarding Database Summary Figure 4 216 Switching Multicast Forwarding Database Summary State The operational state o...

Page 217: ...equests GMRP Generic Address Resolution Protocol GARP Multicast Registration Protocol which helps control the flooding of multicast traffic by keeping track of group membership information Static Fil...

Page 218: ...add or remove ports from IPv6 multicast groups by listening to MLD join and leave requests Description A text description of this multicast table entry Interface s The list of interfaces that will fo...

Page 219: ...dress The multicast MAC address associated with the entry in the MFDB Type The type of entry which is one of the following Static The entry has been manually added to the MFDB by an administrator Dyna...

Page 220: ...s not learn source ports membership instead all source ports are members of all groups by default MVR does not forward IGMP Joins and Leaves from the hosts to the router Dynamic MVR learns source port...

Page 221: ...Group The multicast group address Status The status of the group which can be one of the following Active Group has one or more MVR ports participating Inactive Group has no MVR ports participating M...

Page 222: ...witch It must not be a member of the multicast VLAN None The port is not an MVR port Status The active state of the interface which can be one of the following Active The port has link up and is in th...

Page 223: ...neighbors per interface The number of such neighbors is limited by the memory constraints A product specific constant defines the maximum number of neighbors supported by the switch There is no restr...

Page 224: ...Refresh to update the screen Cancel Click Cancel to restore default value Item Description Interface The interface associated with the rest of the data in the row Only interfaces that have at least...

Page 225: ...erface with the LLDP settings to configure In the Edit LLDP Interface window this field identifies the interface that is being configured Transmit The LLDP advertise transmit mode on the interface If...

Page 226: ...ditional information about a remote device select the interface that received the LLDP data and click Details System Name Select this option to include the user configured system name in the LLDPDU th...

Page 227: ...e remote device sent as the Chassis ID TLV This identifies the hardware platform for the remote system Port ID The port on the remote system that transmitted the LLDP data System Name The system name...

Page 228: ...of the data in the row Transmit Total The number of LLDPDUs transmitted by the LLDP agent on the interface Receive Total The number of valid LLDPDUs received by this interface while the LLDP agent is...

Page 229: ...h or router IEEE 802 1 bridge or IEEE 802 11 wireless access point Submit Click Submit to save the values and update the screen Refresh Click Refresh to update the screen Cancel Click Cancel to restor...

Page 230: ...ove to remove the selected entries Item Description Interface The interface associated with the rest of the data in the row When configuring LLDP MED settings this field identifies the interfaces that...

Page 231: ...ted together This allows the device to treat the port channel as a single logical link The primary pur Item Description Interface The interface associated with the rest of the data in the row When vie...

Page 232: ...istrative mode of the port channel When disabled the port channel does not send and receive traffic STP Mode The spanning tree protocol STP mode of the port channel When enabled the port channel parti...

Page 233: ...ysical port include the following Source MAC VLAN Ethertype Incoming Port Destination MAC VLAN Ethertype Incoming Port Source Destination MAC VLAN Ethertype Incoming Port Source IP and Source TCP UDP...

Page 234: ...nistrative mode for the port security feature Port security which is also known as port MAC locking allows you to limit the number of source MAC addresses that can be learned on a port If a port reache...

Page 235: ...source MAC addresses that can be dynamically learned on an interface If an interface reaches the configured limit any other addresses beyond that limit are not learned and the frames are discarded Fra...

Page 236: ...amically learned addresses are cleared from the source MAC address table the feature maintains When the link is restored the interface can once again learn addresses up to the specified limit If stic...

Page 237: ...nning and saved configuration if it is not relearned Refresh Click Refresh to update the screen Add Click Add to associate a static MAC address with an interface Remove Click Remove to remove the sel...

Page 238: ...on The following table describes the items in the previous figure Item Description Interface The interface associated with the rest of the data in the row When converting dynamic addresses to static a...

Page 239: ...t not the end effect chief among the effects is the rapid transitioning of the port to Forwarding The difference between the RSTP and the traditional STP IEEE 802 1D is the ability to configure and re...

Page 240: ...ntain topology information Force Protocol Version The STP version the device uses which is one of the following IEEE 802 1d Classic STP provides a single path between end stations avoiding and elimi...

Page 241: ...value increases the probability that the bridge is selected as the root bridge of Associated VLANs The number of VLANs that are mapped to the MSTI This number does not contain any information about th...

Page 242: ...stratively disabled and is not part of the spanning tree Port Forwarding State Blocking The port discards user traffic and receives but does not send BPDUs During the election process all ports are in...

Page 243: ...ridge Priority The value that helps determine which bridge in the spanning tree is elected as the root bridge during STP convergence A lower value increases the probability that the bridge becomes the...

Page 244: ...hange is in progress on any port assigned to the CST If a change is in progress the value is True otherwise it is False Designated Root The bridge identifier of the root bridge for the CST The identi...

Page 245: ...es but does not send BPDUs During the election process all ports are in the blocking state The port is blocked to prevent network loops Listening The port sends and receives BPDUs and evaluates inform...

Page 246: ...sociated VLAN ID which appears in the IEEE 802 1Q tag in the Layer 2 header of packets transmitted on a VLAN An end station may omit the tag or the VLAN portion of the tag in which case the first swit...

Page 247: ...gured Enabled as the Remote Switched Port Analyzer RSPAN VLAN The RSPAN VLAN is used to carry mirrored traffic from source ports to a destination probe port on a remote device Unknown Multicast Use th...

Page 248: ...ge Specify VLAN ID s Use to specify a range and to separate VLAN IDs or VLAN ranges in the list Submit Click Submit to save the values Cancel Click Cancel to close the window Item Description VLAN ID...

Page 249: ...e in this VLAN unless it receives a GVRP or MVRP request and the device software supports the corresponding protocol This mode is equivalent to registration normal in the IEEE 802 1Q standard Tagging...

Page 250: ...mes The options include the following Enabled A tagged frame is discarded if this interface is not a member of the VLAN identified by the VLAN ID in the tag Disabled All tagged frames are accepted Unt...

Page 251: ...n General mode Promiscuous The interface belongs to a primary VLAN and can communicate with all interfaces in the private VLAN including other promiscuous ports community ports and isolated ports Host...

Page 252: ...or traffic from multiple source ports or from all ports that are members of a VLAN from different network devices and send the mirrored traffic to a destination port a probe port connected to a netw...

Page 253: ...tion RSPAN VLAN Click the drop down menu to select the VLAN to use as the RSPAN VLAN Submit Click Submit to save the values and update the screen Refresh Click Refresh to update the screen Cancel Click...

Page 254: ...cription IP Address The network address for the IP subnet All incoming untagged packets that have a source IP address within the defined subnetwork are placed in the same VLAN Subnet Mask The subnet m...

Page 255: ...k traffic patterns because protocol specific broadcast messages are sent only to hosts that use the protocols specified in the PBVLAN To access this page click Switching Protocol Based VLAN Status Fig...

Page 256: ...ocol is included in the two byte EtherType field of the frame When adding a PBVLAN you can specify the EtherType hex value or for IP ARP and IPX the protocol keyword Interface The interfaces that are...

Page 257: ...group If a match is not found the frame is assigned the port VID PVID as its VLAN ID Protocol The protocol or protocols to use as the match criteria for an Ethernet frame The protocol is included in...

Page 258: ...two byte EtherType field of ingress Ethernet frames on the PBVLAN Group Interfaces When adding a protocol you can specify the EtherType hex value or for IP ARP and IPX the protocol keyword To configu...

Page 259: ...All ports within a private VLAN share the same primary VLAN Isolated A secondary VLAN that carries traffic from isolated ports to promiscuous ports Only one isolated VLAN can be configured per private...

Page 260: ...Switching Private VLAN Interface Note Isolated VLANs and Community VLANs are collectively called Secondary VLANs Item Description Primary VLAN The VLAN ID of each VLAN configured as a primary VLAN I...

Page 261: ...cate with other ports in the same community if the secondary VLAN is a community VLAN and with the promiscuous ports or is able to communicate only with the promiscuous ports if the secondary VLAN is...

Page 262: ...pology The X Ring Pro group denoted as Coupling means it is a switch that is used to interconnect two X Ring Pro networks Interface 1 Specifies the first member interface for the X Ring Pro group The...

Page 263: ...ical port or LAG Link Aggregation Group port For the X Ring Pro group denoted as Coupling the value is physical port or LAG Link Aggregation Group port or None The value None implies the X Ring Pro gr...

Page 264: ...to which the intended recipient responds by unicasting an ARP reply containing its MAC address Once learned the MAC address is used in the destination address field of the layer 2 header prepended to...

Page 265: ...ing ARP Table Summary The following table describes the items in the previous figure Item Description IP Address The IP address of a network host on a subnet attached to one of the device s routing in...

Page 266: ...ware address associated with the network host Submit Click Submit to save the values Cancel Click Cancel to close the window Item Description Age Time Seconds The amount of time in seconds that a dyn...

Page 267: ...ctions therefore routing configuration is not required on the Layer 2 device To access this page click Routing IP Configuration Figure 4 278 Routing IP Configuration Item Description Total Entry Count...

Page 268: ...t Burst Size The number of ICMP error messages that can be sent during the burst interval configured in the ICMP Rate Limit Interval field Static Route Preference The default distance preference for...

Page 269: ...physically up active link IP Address The IP address of the interface Subnet Mask The IP subnet mask for the interface also known as the network mask or netmask It defines the portion of the interface...

Page 270: ...fic State The state of the interface which is either Active or Inactive An interface is considered active if the link is up and the interface is in a forwarding state Link Speed Data Rate The physic...

Page 271: ...etwork directed broadcast packets A network directed broadcast is a broadcast directed to a specific subnet If this option is selected network directed broadcasts are forwarded If this option is clear...

Page 272: ...ination address was not a local address IpFwdDatagrams The number of input datagrams for which this entity was not their final IP destination as a result of which an attempt was made to find a route...

Page 273: ...be fragmented at this entity but could not be e g because their Don t Fragment flag was set IpFragCreates The number of IP datagram fragments that have been generated as a result of fragmentation at t...

Page 274: ...pOutParmProbs The number of ICMP Parameter Problem messages sent IcmpOutSrcQuenchs The number of ICMP Source Quench messages sent IcmpOutRedirects The number of ICMP Redirect messages sent For a host...

Page 275: ...e address and not the host bits When adding a default route this field is not available Subnet Mask The IP subnet mask also known as the network mask or netmask associated with the network address The...

Page 276: ...he network portion of the address and not the host bits When adding a default route this field is not available Subnet Mask The IP subnet mask also known as the network mask or netmask associated with...

Page 277: ...none of the route s next hops were on a local subnet Note that static routes can fail to be added to the routing table at startup because the routing interfaces are not yet up This counter gets incre...

Page 278: ...to enable or disable port access control on the system To access this page click Security Port Access Control Configuration Figure 4 286 Security Port Access Control Configuration The following table...

Page 279: ...ADIUS access reject from the RADIUS server RADIUS timeout or the client itself is 802 1X unaware the client is authenticated and is undisturbed by the failure condition s The reasons for failure are l...

Page 280: ...h is one of the following Auto Force Unauthorized Force Authorized MAC Based N A If the mode is N A port based access control is not applicable to the port If the port is in detached state it cannot p...

Page 281: ...been redirected to this page this field is read only and displays the interface that was selected on the Port Access Control Port Summary page PAE Capabilities The Port Access Entity PAE role which is...

Page 282: ...iod Seconds The value in seconds of the timer used for guest VLAN authentication Unauthenticated VLAN ID The VLAN ID of the unauthenticated VLAN Hosts that fail the authentication might be denied ac...

Page 283: ...t When authenticating the supplicant provides the password associated with the selected User Name Authentication Period Seconds The amount of time the supplicant port waits to receive a challenge fro...

Page 284: ...ds The value in seconds of the timer used by the authenticator state machine on the port to determine when to send an EAPOL EAP Request Identity frame to the supplicant Guest VLAN ID The VLAN ID for t...

Page 285: ...ata in the row When viewing detailed information for an interface this field identifies the interface being viewed PAE Capabilities The Port Access Entity PAE role which is one of the following Authen...

Page 286: ...ewed Logical Interface The logical port number associated with the supplicant that is connected to the port User Name The name the client uses to identify itself as a supplicant to the authenticatio...

Page 287: ...ed Users field are allowed access To move a user from one field to the other click the user to move or CTL click to select multiple users and click the appropriate arrow Refresh Click Refresh to updat...

Page 288: ...t server has passed without a response from the RADIUS server Therefore the maximum delay in receiving a response from the RADIUS server equals the sum of retransmit timeout for all configured servers...

Page 289: ...e RADIUS server RADIUS authentication servers that are configured with the same name are members of the same named RADIUS server group RADIUS servers in the same group serve as backups for each other...

Page 290: ...is the Primary or a Secondary RADIUS authentication server When multiple RADIUS servers have the same Server Name value the RADIUS client attempts to use the primary server first If the primary server...

Page 291: ...of RADIUS packets received from the server on the authentication port and dropped for some other reason Refresh Click Refresh to update the screen Details Click Details to open a window and display ad...

Page 292: ...the RADIUS client on the device and the RADIUS accounting server The secret specified in this field must match the shared secret configured on the RADIUS accounting server Submit Click Submit to save...

Page 293: ...wing table describes the items in the previous figure 4.6.3 TACACS 4.6.3.1 Configuration Use the TACACS Configuration page to set up accounting information and administration control over authenticati...

Page 294: ...TACACS server The key must match the key configured on the TACACS server Connection Timeout The maximum number of seconds allowed to establish a TCP connection between the device and the TACACS serve...

Page 295: ...for TACACS communications between the device and the TACACS server The key must match the encryption used on the TACACS server Connection Timeout The amount of time that passes before the connection...

Page 296: ...which types of traffic are forwarded or blocked and above all provide security for the network There are three main steps to configuring an ACL 1 Create an ACL Use the current page 2 Add rules to th...

Page 297: ...d Match criteria can be based on the source and destination addresses source and destination Layer 4 ports and protocol type of IPv4 packets IPv4 Named Match criteria is the same as IPv4 Extended ACLs...

Page 298: ...ic IPv4 ACLs classify Layer 3 and Layer 4 IPv4 traffic IPv6 ACLs classify Layer 3 and Layer 4 IPv6 traffic and MAC ACLs classify Layer 2 traffic The ACL types are as follows IPv4 Standard Match criter...

Page 299: ...rule in every ACL ACL Type The type of ACL The ACL type determines the criteria that can be used to match packets The type also determines which attributes can be applied to matching traffic IPv4 ACLs...

Page 300: ...or frame matches the ACL rule Rule Attributes Each action beyond the basic Permit and Deny actions to perform on the traffic that matches the rule Refresh Click Refresh to update the screen Add Rule...

Page 301: ...nverse of a subnet mask With a subnet mask the mask has ones 1 s in the bit positions that are used for the network address and has zeros 0 s for the bit positions that are not used In contrast a wil...

Page 302: ...e TCP header When Established is specified a match occurs if either RST or ACK bits are set in the TCP header This option is available only if the protocol is TCP The function is only available for IP...

Page 303: ...tions Equal Not Equal Less Than Greater Than or Range and specify the port number or keyword TCP port keywords include BGP Domain Echo FTP FTP Data HTTP SMTP Telnet WWW POP2 and POP3 UDP port keywords...

Page 304: ...address mask specifies which bits in the destination MAC to compare against an Ethernet frame Use F s and zeros in the MAC mask which is in a wildcard format An F means that the bit is not checked an...

Page 305: ...ts and the ACL containing this ACL rule is associated with an interface the ACL rule is applied when the time range with specified name becomes active The ACL rule is removed when the time range with...

Page 306: ...IPv6 addresses source and destination Layer 4 ports and protocol type within IPv6 packets Extended MAC Match criteria can be based on the source and destination MAC addresses 802.1p user priority VL...

Page 307: ...the lowest sequence number is applied first and the other ACLs are applied in ascending numerical order ACL Type The type of ACL The ACL type determines the criteria that can be used to match packets...

Page 308: ...tion between a VLAN and an ACL Item Description VLAN ID The ID of the VLAN associated with the rest of the data in the row When associating a VLAN with an ACL use this field to select the desired VLAN...

Page 309: ...is serviced depends on how the queue is configured and possibly the amount of traffic present in other queues for that port To access this page click QoS Class of Service Interface Figure 4.317 QoS C...

Page 310: ...value the IP DSCP priority designation encoded within packets arriving on the port Shaping Rate The upper limit on how much traffic can leave a port The limit on maximum transmission bandwidth has t...

Page 311: ...essing Defining this value on a per queue basis allows you to create the desired service characteristics for different types of traffic The options are as follows Weighted Weighted round robin associ...

Page 312: ...ed on their priority DSCP or IP precedence This setting applies to the interface if it is configured with a WRED queue management type WRED Maximum Threshold The maximum queue threshold above which al...

Page 313: ...in the table A policy attribute entry attaches various policy attributes to a policy class instance Service Table The current and maximum number of service entries in the table A service entry associ...

Page 314: ...ure Item Description Class Enter the name of the DiffServ class Type The class type which is one of the following All All the various match criteria defined for the class should be satisfied for a pac...

Page 315: ...a match will occur on all packets Reference Class Select this option to reference another class for criteria The match criteria defined in the referenced class is as match criteria in addition to the...

Page 316: ...cimal number Note that this is not a wildcard mask which ACLs use Destination MAC Address Select this option to require a packet's destination MAC address to match the specified MAC address After you...

Page 317: ...s destination port number is the same as any destination port number within the range After you select this option use the following fields to configure a destination port keyword destination port nu...

Page 318: ...match If you select a keyword you cannot configure a Protocol Value Protocol Value The IANA L4 protocol number value to match Flow Label Select this option to require an IPv6 packet's flow label to ma...

Page 319: ...name of the policy Type The traffic flow direction to which the policy is applied In The policy is specific to inbound traffic Out The policy is specific to outbound traffic Submit Click Submit to sa...

Page 320: ...tes to a policy or to change the policy attributes Remove Last Class Click Remove Last Class to remove the most recently associated class from the selected policy Item Description Policy The name of t...

Page 321: ...traffic stream with the specified IP Precedence value After you select this option use the IP Precedence Value field to select the IP Precedence value to mark in packets that match the policy class Mi...

Page 322: ...s CoS IP DSCP IP Precedence or Secondary COS This field is available only if one or more classes that meets the color awareness criteria exist Color Exceed Class For color aware policing packets are m...

Page 323: ...ailable only if one or more classes that meets the color awareness criteria exist Color Exceed Class For color aware policing packets are metered against the PIR Committed Rate Kbps The maximum allowe...

Page 324: ...s it enters the interface Outbound The policy is applied to traffic as it exits the interface Status The status of the policy on the interface A policy is Up if DiffServ is globally enabled and if the...

Page 325: ...p or Down Refresh Click Refresh to update the screen Item Description Interface The interface associated with the rest of the data in the row The table displays all interfaces that have a DiffServ pol...

Page 326: ...tions are subject to change without notice No part of this publication may be reproduced in any form or by any means electronic photocopying recording or otherwise without prior written permission of...
