manualshive.com logo in svg

Cisco 350XG series, Administration Manual

Share
Download
Cisco 350XG series Administration Manual Download Page 450

Security

Denial of Service Prevention

Cisco 350XG & 550XG Series 10G Stackable Managed Switches

436

19

 

SYN Protection Mode

—Select between three modes:

-

Disable

—The feature is disabled on a specific interface.

-

Report

—Generates a SYSLOG message.The status of the port is 

changed to Attacked when the threshold is passed.

-

Block and Report

—When a TCP SYN attack is identified, TCP SYN 

packets destined for the system are dropped and the status of the port is 
changed to Blocked.

SYN Protection Threshold

—Number of SYN packets per second before 

SYN packets will be blocked (deny SYN with MAC-to-me rule will be applied 
on the port).

SYN Protection Period

—Time in seconds before unblocking the SYN 

packets (the deny SYN with MAC-to-me rule is unbound from the port).

STEP  3

Click 

Apply

. SYN protection is defined, and the Running Configuration file is 

updated.

The SYN Protection Interface Table displays the following fields for every port or 
LAG (as requested by the user).

Current Status

—Interface status. The possible values are:

-

Normal

—No attack was identified on this interface.

-

Blocked

—Traffic is not forwarded on this interface.

-

Attacked

—Attack was identified on this interface.

Last Attack

—Date of last SYN-FIN attack identified by the system and the 

system action (

Reported

 or 

Blocked and Reported

).

Martian Addresses

The Martian Addresses page enables entering IP addresses that indicate an 
attack if they are seen on the network. Packets from these addresses are 
discarded.

The device supports a set of reserved Martian addresses that are illegal from the 
point of view of the IP protocol. The supported reserved Martian addresses are:

Addresses defined to be illegal in the Martian Addresses page. 

Addresses that are illegal from the point of view of the protocol, such as 
loopback addresses, including addresses within the following ranges: 

Summary of Contents for 350XG series

Page 1: ...Cisco 350XG and 550XG Series 10G Stackable Managed Switches ADMINISTRATION GUIDE ...

Page 2: ...ng Conventions 16 Window Navigation 17 Chapter 2 Cisco 350XG 550XG Series 10G Stackable Managed Switches Dashboard 21 Overview 21 Grid Management 22 System Health 22 Resource Utilization 23 Identification 24 Latest Logs 25 Suspended Interfaces 25 Stack Topology 26 Chapter 3 Configuration Wizards 27 Getting Started Wizard 27 VLAN Configuration Wizard 29 Chapter 4 Status and Statistics 31 System Sum...

Page 3: ...e Models 58 System Settings 59 Console Settings Autobaud Rate Support 60 User Accounts 61 Idle Session Timeout 62 System Log 63 Reboot 67 Routing Resources 68 Ping 72 Traceroute 74 Chapter 6 Administration File Management 75 System Files 75 Firmware Operations 77 File Operations 81 File Directory 89 DHCP Auto Configuration Image Update 90 Chapter 7 Administration Stack Management 100 Overview 100 ...

Page 4: ...orts 109 Stack Management 111 Chapter 8 Administration Time Settings 113 System Time Configuration 114 SNTP Modes 115 System Time 116 SNTP Unicast 118 SNTP Multicast Anycast 121 SNTP Authentication 122 Time Range 123 Recurring Time Range 124 Chapter 9 Administration Discovery 126 Bonjour 126 LLDP and CDP 127 Configuring LLDP 129 Configuring CDP 149 CDP Statistics 157 Chapter 10 Port Management 159...

Page 5: ...fault Configuration 202 Relationships with Other Features 202 Common Smartport Tasks 202 Configuring Smartport Using The Web based Interface 205 Built in Smartport Macros 210 Chapter 12 VLAN Management 221 Overview 221 Regular VLANs 228 Private VLAN Settings 236 GVRP Settings 237 VLAN Groups 238 Voice VLAN 242 Access Port Multicast TV VLAN 256 Customer Port Multicast TV VLAN 259 Chapter 13 Spannin...

Page 6: ...c Addresses 278 Dynamic Addresses 279 Reserved MAC Addresses 280 Chapter 15 Multicast 281 Multicast Forwarding 281 Multicast Properties 287 MAC Group Address 287 IP Multicast Group Addresses 289 IPv4 Multicast Configuration 291 IPv6 Multicast Configuration 297 IGMP MLD Snooping IP Multicast Group 303 Multicast Router Ports 304 Forward All 305 Unregistered Multicast 306 Chapter 16 IP Configuration ...

Page 7: ...VRRP Topology 379 Configurable Elements of VRRP 380 Configuring VRRP 384 Chapter 19 Security 388 Configuring TACACS 389 Configuring RADIUS 394 Password Strength 398 Key Management 400 Management Access Method 403 Management Access Authentication 408 SSL Server 409 TCP UDP Services 412 Storm Control 413 Port Security 416 IP Source Guard 419 ARP Inspection 423 Denial of Service Prevention 428 Chapte...

Page 8: ...Management 465 SSD Rules 465 SSD Properties 471 Configuration Files 473 SSD Management Channels 478 Menu CLI and Password Recovery 479 Configuring SSD 479 Chapter 22 Security SSH Server 483 Overview 483 Common Tasks 484 SSH User Authentication 485 SSH Server Authentication 487 Chapter 23 Security SSH Client 488 Overview 488 SSH User Authentication 494 SSH Server Authentication 496 Change User Pass...

Page 9: ...ults 510 Common Tasks 511 Default Settings and Configuration 514 Before You Start 515 Configuring IPv6 First Hop Security through Web GUI 515 Chapter 25 Access Control 535 Overview 535 MAC Based ACLs Creation 539 IPv4 based ACL Creation 541 IPv6 Based ACL Creation 546 ACL Binding 550 Chapter 26 Quality of Service 553 QoS Features and Components 554 General 557 QoS Basic Mode 569 QoS Advanced Mode ...

Page 10: ...Cisco 350XG and 550XG Series 10G Stackable Managed Switches Administration Guide 9 Contents Groups 594 Users 596 Communities 598 Trap Settings 600 Notification Recipients 600 Notification Filter 605 ...

Page 11: ...ed Display Mode Quick Start Device Configuration Interface Naming Conventions Window Navigation Starting the Web based Configuration Utility This section describes how to navigate the web based switch configuration utility If you are using a pop up blocker make sure it is disabled Browser Restrictions If you are using IPv6 interfaces on your management station use the IPv6 global address and not t...

Page 12: ...g In The default username password is cisco cisco The first time that you log in with the default username and password you are required to enter a new password NOTE If you have not previously selected a language for the GUI the language of the Login page is determined by the language s requested by your browser and the languages configured on your device If your browser requests Chinese for examp...

Page 13: ...ion STEP 4 Choose whether to select Password Complexity Settings in the Password Strength page STEP 5 Enter the new password and click Apply When the login attempt is successful the Getting Started page appears If you entered an incorrect username or password an error message appears and the Login page remains displayed on the window Select Don t show this page on startup to prevent the Getting St...

Page 14: ...he Save application link indicates that Running Configuration changes have not yet been saved to the Startup Configuration file The flashing can be disabled by clicking on the Disable Save Icon Blinking button on the Copy Save Configuration page When the device auto discovers a connected device such as an IP phone see What is a Smartport and it configures the port appropriately for the device Thes...

Page 15: ...ement network The out of band and the in band ports share the same IP routing table therefore you cannot use the same subnet on both in band and out of band interfaces The IP address assigned to this port cannot be assigned to the in band ports at the same time In addition the IP address assigned to the OOB port must not belong to any IP subnet configured at the in band interfaces of the devices B...

Page 16: ...ibed in VLAN Configuration Wizard or use the links on the Getting Started page as described below Category Link Name on the Page Linked Page Initial Setup Manage Stack Stack Management Change Management Applications and Services TCP UDP Services Change Device IP Address IPv4 Interface Create VLAN VLAN Settings Configure Port Settings Port Settings Device Status System Summary System Summary Port S...

Page 17: ... denoted by concatenating the following elements Type of interface The following types of interfaces are found on the various types of devices Ten Gigabit Ethernet ports 1000 10 000 Mbps These are displayed as XG Out of Band Port This is displayed as OOB LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Unit Number Number of the unit ...

Page 18: ...not yet been saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the device After this save the red X icon and the Save application link are no longer displayed When the device is reboote...

Page 19: ...lity labels disappear and in their place are the IDs of the strings that correspond to the IDs in the language file NOTE To upgrade a language file use the Upgrade Backup Firmware Language page Logout Click to log out of the web based switch configuration utility About Click to display the device name and device version number Help Click to display the online help The SYSLOG Alert Status icon appe...

Page 20: ...n file type on the device Apply Click to apply changes to the Running Configuration on the device If the device is rebooted the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Configuration file type on the device Cancel Click to rese...

Page 21: ...y numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The Edit page appears and the entry can be modified 1 Click Apply to save the changes to the Running Configuration 2 Cli...

Page 22: ...isco 350XG 550XG Series 10G Stackable Managed Switches Dashboard This section describes the device dashboard The dashboard consists of the following sections Overview System Health Resource Utilization Identification Latest Logs Suspended Interfaces Stack Topology ...

Page 23: ...below You can select a number of modules from the available modules and place them in this grid You can also customize settings of the currently displayed modules When the dashboard loads the modules you selected for the dashboard are loaded in their locations in the grid The data in the modules is updated periodically in intervals depending on the module type These intervals are configurable for ...

Page 24: ...t and dragging and dropping it in any space in the grid Small Modules are modules that take up a single square while Large Modules take up two squares If the space selected for the module is currently occupied the module occupying the space is replaced by the new one You can re arrange the placement of the modules in the grid by dragging a module from one occupied grid position to another position...

Page 25: ...n below The title bar of each module in the dashboard displays the title of the module and three buttons These button perform the following Pencil Opens configuration options Refresh Refresh the information X Remove the module from the dashboard System Health This module displays graphic information for a standalone device or each device in the stack The following icons are shown Fan Icon Green if...

Page 26: ...een if the fan is operational Red if the fan is faulty No Refresh Information is not refreshed 1 minute Information is refreshed every minute System Health Click to open the Health page Resource Utilization This module displays the utilization status in terms of a percentage of the various system resources as a bar chart The resources monitored are Multicast Groups Percentage of Multicast groups t...

Page 27: ...reen if the fan is operational Red if the fan is faulty No Refresh Information is not refreshed 30 seconds Information is refreshed every 30 seconds 1 minute Information is refreshed every minute MAC Address Table Click to open Dynamic Addresses TCAM Utilization Information Click to open TCAM Utilization CPU Utilization Information Click to open CPU Utilization Identification This module displays ...

Page 28: ... options right hand corner are available Refresh Time Green if the fan is operational Red if the fan is faulty No Refresh Information is not refreshed 1 minute Information is refreshed every minute System Settings Click to open System Settings System Summary Click to open System Summary Latest Logs This module contains information about the five latest events logged by the system as SYSLOGs The fo...

Page 29: ...ice are shown as red Hovering over a suspended port displays a tooltip with the following information Port name If the port is a member of a LAG the LAG identity of the port The suspension reason if it is suspended The following configuration options right hand corner are available Display Mode The following options are available Device View Information is displayed as shown above Table View Infor...

Page 30: ...Stack Topology This module is a graphic representation of the stack topology and is identical in behavior to the Stack Topology View section in the Stack Management screen Hovering over a unit in the module displays a tooltip identifying the unit and providing basic information on its stacking ports Hovering over a stack connection in the module displays a tooltip detailing the connected units and...

Page 31: ...Next STEP 3 Enter the fields System Location Enter the physical location of the device System Contact Enter the name of a contact person Host Name Select the host name of this device This is used in the prompt of CLI commands Use Default The default hostname System Name of these switches is switch123456 where 123456 represents the last three bytes of the device MAC address in hex format User Defin...

Page 32: ...server STEP 6 Click Next STEP 7 Enter the fields Username Enter a new user name between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must comply with the policy configured in Password Strength Confirm Password Enter the password again Password Strength Display...

Page 33: ...here you configure trunk ports tagged and untagged ports and then you configure Access port mode STEP 1 Click Configuration Wizards VLAN Configuration Wizard STEP 2 Click Launch Wizard and Next STEP 3 Click Next STEP 4 Select the ports that are to be configured as trunk port by clicking with mouse on the required ports in the graphical display Ports that are already configured as Trunk ports are p...

Page 34: ...se 1 0 0 x 30 3 STEP 8 Click Next STEP 9 Select the ports are that to be the access ports of the VLAN Access ports of a VLAN is untagged member of the VLAN by clicking with mouse on the required ports in the graphical display STEP 10 Click Next to see the summary of the information that you entered STEP 11 Click Apply ...

Page 35: ...s 31 Status and Statistics This section describes how to view device statistics It covers the following topics System Summary CPU Utilization Interfaces Etherlike GVRP 802 1X EAP ACL TCAM Utilization Health Port and VLAN Mirroring Diagnostics RMON View Logs ...

Page 36: ...s value By default the device hostname is composed of the word switch concatenated with the three least significant bytes of the device MAC address the six furthest right hexadecimal digits System Object ID Unique vendor identification of the network management subsystem contained in the entity used in SNMP System Uptime Time that has elapsed since the last reboot Current Time Current system time ...

Page 37: ... the following fields click Edit to open the TCP UDP Services page HTTP Service Whether HTTP is enabled disabled HTTPS Service Whether HTTPS is enabled disabled SNMP Service Whether SNMP is enabled disabled Telnet Service Whether Telnet is enabled disabled SSH Service Whether SSH is enabled disabled CPU Utilization The device CPU handles the following types of traffic in addition to end user traff...

Page 38: ...ply Interfaces The Interface page displays traffic statistics per port The refresh rate of the information can be selected This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast To display Ethernet statistics and or set the refresh rate STEP 1 Click Status and Statistics Interface STEP 2 Enter the parameters Interfa...

Page 39: ...rface displayed Click View All Interfaces Statistics to see all ports on a single page Etherlike The Etherlike page displays statistics per port according to the Etherlike MIB standard definition The refresh rate of the information can be selected This page provides more detailed information regarding errors in the physical layer Layer 1 that might disrupt traffic To view Etherlike Statistics and ...

Page 40: ...nsmitted Flow control pause frames transmitted from the selected interface STEP 3 To clear statistics counters Click Clear Interface Counters to clear the selected interfaces counters Click View All Interfaces Statistics to see all ports on a single page GVRP The GVRP page displays information regarding GARP VLAN Registration Protocol GVRP frames that were sent or received from a port GVRP is a st...

Page 41: ...ckets received transmitted The GVRP Error Statistics section displays the GVRP error counters Invalid Protocol ID Invalid protocol ID errors Invalid Attribute Type Invalid attribute ID errors Invalid Attribute Value Invalid attribute value errors Invalid Attribute Length Invalid attribute length errors Invalid Event Invalid events STEP 3 To clear statistics counters Click Clear Interface Counters ...

Page 42: ...EAP Resp ID frames received on the port EAP Response Frames Received EAP Response frames received by the port other than Resp ID frames EAP Request ID Frames Transmitted EAP Req ID frames transmitted by the port EAP Request Frames Transmitted EAP Request frames transmitted by the port Invalid EAPOL Frames Received Unrecognized EAPOL frames received on this port EAP Length Error Frames Received EAP...

Page 43: ... which packets were forwarded or rejected based on ACL rules Trapped Packets VLAN Based The VLANs on which packets were forwarded or rejected based on ACL rules STEP 3 To manage statistics counters Click Clear Counters to clear the counters of all interfaces TCAM Utilization TCAM holds the rules produced by applications such as ACLs Access Control Lists Quality of Service QoS while Router TCAM hol...

Page 44: ...or IPv4 Multicast routing IPv6 Routing In Use Number of router TCAM entries used for IPv6 Multicast routing Maximum Number of available router TCAM entries that can be used for IPv6 Multicast routing IPv6 Multicast Routing Number of router TCAM entries used for IPv6 routing In Use Number of Router TCAM entries used for IPv6 routing Maximum Number of available Router TCAM entries that can be used f...

Page 45: ...e generated SYSLOG message SNMP trap At least one temperature sensor exceeds the Critical threshold The following are generated SYSLOG message SNMP trap The following actions are performed System LED is set to solid amber if hardware supports this Disable Ports When the Critical temperature has been exceeded for two minutes all ports will be shut down On devices that support PoE Disable the PoE ci...

Page 46: ...nt Fan Status Only supported on 550 family The following values are possible Ready Redundant fan is operational but not required Active One of the main fans is not working and this fan is replacing it Failure Redundant fan is not operating correctly Temperature The options are OK The temperature is below the warning threshold Warning The temperature is between the warning threshold to the critical...

Page 47: ... to the monitoring port processes the data packets for diagnosing debugging and performance monitoring Up to eight sources can be mirrored This can be any combination of eight individual ports and or VLANs A packet that is received on a network port assigned to a VLAN that is subject to mirroring is mirrored to the analyzer port even if the packet was eventually trapped or discarded Packets sent b...

Page 48: ... are up and forwarding traffic Not Ready Either source or destination or both are down or not forwarding traffic for some reason STEP 2 Click Add to add a port or VLAN to be mirrored STEP 3 Enter the parameters Destination Port Select the analyzer port to where packets are copied A network analyzer such as a PC running Wireshark is connected to this port If a port is identified as an analyzer dest...

Page 49: ...ock of the Copper Test page DSP based tests are performed on active XG links to measure cable length These results are displayed in the Advanced Information block of the Copper Test page This test can run only when the link speed is 10G Preconditions to Running the Copper Port Test Before running the test do the following Mandatory Disable Short Reach mode see the Properties page Optional Disable ...

Page 50: ...e port Open Cable Cable is connected on only one side Short Cable Short circuit has occurred in the cable Unknown Test Result Error has occurred Distance to Fault Distance from the port to the location on the cable where the fault was discovered Operational Port Status Displays whether port is up or down The Advanced Information block contains the following information which is refreshed each time...

Page 51: ...ingle mode fiber 1310 nm wavelength supports up to 10 km MGBSX1 1000BASE SX SFP transceiver for multimode fiber 850 nm wavelength supports up to 550 m MGBT1 1000BASE T SFP transceiver for category 5 copper wire supports up to 100 m The following XG SFP 10 000Mbps transceivers are supported Cisco SFP 10GSR Cisco SFP 10GLRM Cisco SFP 10GLR The following XG passive cables Twinax DAC are supported Cis...

Page 52: ...lds and generates alarms without the need for polling by a central SNMP management platform This is an effective mechanism for proactive management provided that you have set the correct thresholds relative to your network s base line RMON decreases the traffic between the manager and the device since the SNMP manager does not have to poll the device frequently for information and enables the mana...

Page 53: ... which Ethernet statistics are to be displayed STEP 3 Select the Refresh Rate which is the time period that passes before the interface statistics are refreshed The following statistics are displayed for the selected interface Bytes Received Octets received including bad packets and FCS octets but excluding framing bits Drop Events Packets dropped Packets Received Good packets received including M...

Page 54: ...4 bytes that were received Frames of 65 to 127 Bytes Frames containing 65 127 bytes that were received Frames of 128 to 255 Bytes Frames containing 128 255 bytes that were received Frames of 256 to 511 Bytes Frames containing 256 511 bytes that were received Frames of 512 to 1023 Bytes Frames containing 512 1023 bytes that were received Frames of 1024 Bytes or More Frames containing 1024 2000 byte...

Page 55: ...ntry Displays the number of the new History table entry Source Interface Select the type of interface from which the history samples are to be taken Max No of Samples to Keep Enter the number of samples to store Sampling Interval Enter the time in seconds that samples are collected from the ports The field range is 1 3600 Owner Enter the RMON station or user that requested the RMON information STE...

Page 56: ...d packets Multicast and Broadcast packets Broadcast Packets Good Broadcast packets excluding Multicast packets Multicast Packets Good Multicast packets received CRC Align Errors CRC and Align errors that have occurred Undersize Packets Undersized packets less than 64 octets received Oversize Packets Oversized packets over 2000 octets received Fragments Fragments packets with less than 64 octets re...

Page 57: ...nd cannot be defined STEP 2 Click Add STEP 3 Enter the parameters Event Entry Displays the event entry index number for the new entry Community Enter the SNMP community string to be included when traps are sent optional Note that the community must be defined using the Notification Recipients pages for the trap to reach the Network Management Station Description Enter a name for the event This nam...

Page 58: ...og Table This page displays the following fields Event Entry No Event s log entry number Log No Log number within the event Log Time Time that the log entry was entered Description Description of event that triggered the alarm RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on counters or any other SNMP object counter maintaine...

Page 59: ...erate an alarm The options are Absolute If the threshold is crossed an alarm is generated Delta Subtracts the last sampled value from the current value The difference in the values is compared to the threshold If the threshold was crossed an alarm is generated Rising Threshold Enter the value that triggers the rising threshold alarm Rising Event Select an event to be performed when a rising event ...

Page 60: ...log by severity and a message can go to more than one log including logs that reside on external SYSLOG servers RAM Memory The RAM Memory page displays all messages that were saved in the RAM cache in chronological order Entries are stored in the RAM log according to the configuration in the Log Settings page To view log entries click Status and Statistics View Log RAM Memory The following are dis...

Page 61: ...in the Log Settings page Flash logs remain when the device is rebooted You can clear the logs manually To view the Flash logs click Status and Statistics View Log Flash Memory The Current Logging Threshold specifies the levels of logging that are generated This can be changed by clicking Edit by the field s name This page contains the following fields for each log file Log Index Log entry number L...

Page 62: ... information and configure various options on the device It covers the following topics Device Models System Settings Console Settings Autobaud Rate Support Stack Management User Accounts Idle Session Timeout Time Settings System Log File Management Reboot Discovery Bonjour Discovery LLDP Discovery CDP Ping Traceroute ...

Page 63: ...the models in the 350 family Model Name Description of Ports on Device SG550XG 8F8T 16 port Ten Gigabit Stackable Switch with RPS Support SG550XG 24T 24 port 10GBase T Stackable Switch 2 combo with RPS support SG550XG 48T 48 port 10GBase T Stackable Switch 2 combo with RPS support SG550XG 24F 24 port SFP Ten Gigabit Stackable Switch 2 combo with RPS support Model Name Description of Ports on Devic...

Page 64: ... Enter the hostname Use only letters digits and hyphens Host names cannot begin or end with a hyphen No other symbols punctuation characters or blank spaces are permitted as specified in RFC1033 1034 1035 Custom Banner Settings The following banners can be set Login Banner Enter text to display on the Login page before login Click Preview to view the results Welcome Banner Enter text to display on...

Page 65: ...d pressing the Enter key twice The device detects the baud rate automatically To enable Auto Detection or to manually set the baud rate of the console STEP 1 Click Administration Console Settings STEP 2 Select one of the following options in the Console Port Baud Rate field Auto Detection The console baud rate is detected automatically Static Select one of the available speeds Stack Management See...

Page 66: ...system boot process and a suitable log message is generated to the terminal STEP 3 Click Add to add a new user or click Edit to modify a user STEP 4 Enter the parameters User Name Enter a new username between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must c...

Page 67: ... Timeout HTTPS Session Timeout Console Session Timeout Telnet Session Timeout SSH Session Timeout To set the idle session timeout for various types of sessions STEP 1 Click Administration Idle Session Timeout STEP 2 Select the timeout for the each session from the corresponding list The default timeout value is 10 minutes STEP 3 Click Apply to set the configuration settings on the device Time Sett...

Page 68: ...ge has a severity level marked with the first letter of the severity level concatenated with a dash on each side except for Emergency that is indicated by the letter F For example the log message INIT I InitCompleted has a severity level of I meaning Informational The event severity levels are listed from the highest severity to the lowest severity as follows Emergency System is not usable Alert A...

Page 69: ...d contiguous SYSLOG messages and traps are aggregated over the specified Max Aggregation Time and sent in a single message The aggregated messages are sent in the order of their arrival Each message states the number of times it was aggregated Max Aggregation Time Enter the interval of time that SYSLOG messages are aggregated Originator Identifier Enables adding an origin identifier to SYSLOG mess...

Page 70: ...the source IPv6 address of SYSLOG messages sent to SYSLOG servers NOTE If the Auto option is selected the system takes the source IP address from the IP address defined on the outgoing interface Information is described for each previously configured log server The fields are described below in the Add page STEP 3 Click Add STEP 4 Enter the parameters Server Definition Select whether to identify t...

Page 71: ...Severity Select the minimum level of system log messages to be sent to the server STEP 5 Click Apply The Add Remote Log Server page closes the SYSLOG server is added and the Running Configuration file is updated File Management See Administration File Management Reboot Some configuration changes such as enabling jumbo frame support require the system to be rebooted before they take effect However ...

Page 72: ... is discarded when the device is rebooted you must click Save in the upper right corner of any window to preserve current configuration across the boot process If the Save option is not displayed the Running Configuration matches the Startup Configuration and no action is necessary The following options are available Immediate Reboot immediately Date Enter the date month day and time hour and minu...

Page 73: ...ntries Router TCAM entries reserved for IP static routes IP interfaces and IP hosts Non IP Entries TCAM entries reserved for other applications such as ACL rules CoS policers and VLAN rate limits The following table describes the number of TCAM entries used by the various features The Routing Resources page enables you to adjust the Router TCAM allocation If you change the router TCAM allocation i...

Page 74: ...M entries per interface Count is the number of IP addresses on interfaces on the device and Router TCAM Entries is the number of router TCAM entries being used for the IP addresses Routes 1 TCAM entry per route Count is the number of routes recorded on the device and Router TCAM Entries is the number of router TCAM entries being used for the routes Total Displays the number of router TCAM entries ...

Page 75: ...umber of on link prefixes recorded on the device and TCAM Entries is the number of TCAM entries being used for them Total Total number of TCAM entries being used Maximum Entries Select one of the following options Use Default Use default values User Defined Enter a value IPv6 Multicast Routing Resources IPv6 Multicast Routes 8 TCAM entries per route Count is the number of Multicast routes recorded...

Page 76: ...ticast routing Maximum Maximum number of TCAM entries available for IPv6 Multicast routing Maximum TCAM Entries for Non IP Rules Number of TCAM entries available for non IP rules Non IP Rules In Use Number of TCAM entries utilized for non IP rules Maximum Maximum number of TCAM entries available for non IP rules STEP 2 Save the new settings by clicking Apply This checks the feasibility of the rout...

Page 77: ...Definition Select whether to specify the source interface by its IP address or name This field influences the interfaces that are displayed in the Source IP field as described below IP Version If the source interface is identified by its IP address select either IPv4 or IPv6 to indicate that it will be entered in the selected format Source IP Select the source interface whose IPv4 address will be ...

Page 78: ...k Local select from where it is received Destination IP Address Name Address or host name of the device to be pinged Whether this is an IP address or host name depends on the Host Definition Ping Interval Length of time the system waits between ping packets Ping is repeated the number of times configured in the Number of Pings field whether the ping succeeds or not Select to use the default interv...

Page 79: ... all IPv4 and IPv6 addresses will be displayed in this drop down field If the Host Definition field was By IP Address only the existing IP addresses of the type specified in the IP Version field will be displayed Host IP Address Name Enter the host address or name TTL Enter the maximum number of hops that Traceroute permits This is used to prevent a case where the sent frame gets into an endless l...

Page 80: ...r is a system file Various actions can be performed with these files such as selecting the firmware file from which the device boots copying various types of configuration files internally on the device or copying files to or from an external device such as an external server Configuration files on the device are defined by their type and contain the settings and parameter values for the device Ot...

Page 81: ...d by the device when the following conditions exist The device has been operating continuously for 24 hours No configuration changes have been made to the Running Configuration in the previous 24 hours The Startup Configuration is identical to the Running Configuration Only the system can copy the Startup Configuration to the Mirror Configuration However you can copy from the Mirror Configuration ...

Page 82: ...rmware of a device prior adding the device to a stack recommended The stack master will automatically upgrade the firmware of a newly added unit if the unit does not have identical firmware as the master There are two firmware images stored on the device One of the images is identified as the active image and other image is identified as the inactive image When updating the device s firmware the n...

Page 83: ... version of the current active firmware file STEP 2 Enter the following fields Operation Type Select Update Firmware or Backup Firmware Copy Method Select TFTP Server Definition Select whether to specify the TFTP server By IP address or By name If Server Definition is By Address IP Version If Server Definition is By Address Select whether an IPv4 or an IPv6 address for the server is used IPv6 Addr...

Page 84: ...ields are displayed Active Firmware File Displays the current active firmware file Active Firmware Version Displays the version of the current active firmware file STEP 2 Enter the following fields Operation Type Select Update File or Backup File Copy Method Select SCP STEP 3 To enable SSH server authentication which is disabled by default click Edit by Remote SSH Server Authentication This takes ...

Page 85: ...Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks Link Local Interface Select the link local interface from the list Server IP Address Name Enter the IP address or domain name of the SCP server whichever ...

Page 86: ... of the firmware file after reboot STEP 3 Click Apply and after a success message is displayed click Reboot if you want to immediately reload with the new firmware File Operations The File Operations page enables Backing up configuration files or logs from the device to an external device Restoring configuration files from an external device to the device Duplicating a configuration file NOTE If t...

Page 87: ...he following combinations of copying internal file types are allowed From the Running Configuration to the Startup Configuration or other backup file From the Startup Configuration to the Running Configuration or other backup file From a backup file to the Running Configuration or Startup Configuration From the Mirror Configuration to the Running Configuration Startup Configuration or a backup fil...

Page 88: ...rver Definition there is no need to select the IP Version related options IPv6 Address Type Select the IPv6 address type if used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local a...

Page 89: ...lick System Credentials to go to the SSH User Authentication page where the user password can be set once for all future use Use SSH Client One Time Credentials Enter the following Username Enter a username for this copy action Password Enter a password for this copy NOTE The username and password for one time credential will not saved in configuration file Server Definition Select whether to spec...

Page 90: ...le Type Select one of the configuration file types to backup Copy Method Select HTTP HTTPS Sensitive Data Handling Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypt Include sensitive data in the backup in its encrypted form Plaintext Include sensitive data in the backup in its plaintext fo...

Page 91: ...TFTP STEP 1 Click Administration File Management File Operations STEP 2 Enter the following fields Operation Type Select Backup Source File Type Select the type of file to be backed up Copy Method Select TFTP Server Definition Select whether to specify the TFTP server by IP address or by domain name If Server Definition is By Address IP Version Select whether an IPv4 or an IPv6 address is used If ...

Page 92: ... data options are determined by the current user SSD rules For details refer to Secure Sensitive Data Management SSD Rules page STEP 3 Click Apply to begin the operation To backup a system configuration file using SCP STEP 1 Click Administration File Management File Operations STEP 2 Enter the following fields Operation Type Select Backup Source File Type Select the type of file to be backed up Co...

Page 93: ...rk link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select ...

Page 94: ...ere is more than one unit in the stack the displayed files are taken from the master unit STEP 1 Click Administration File Management File Directory STEP 2 If required enable Auto Mirror Configuration This enables the automatic creation of mirror configuration files When disabling this feature the mirror configuration file if it exists is deleted See System Files for a description of mirror files ...

Page 95: ...onfiguration Image process the device reboots itself to the configuration file NOTE If both Auto Image Update and Auto Configuration are requested Auto Image Update is performed first then after reboot Auto Configuration is performed and then a final reboot is performed To use this feature configure a DHCP server in the network with the locations and names of the configuration file and firmware im...

Page 96: ...n is selected a user defined file extension indicates that files with this extension are downloaded using SCP over SSH while files with other extensions are downloaded using TFTP For example if the file extension specified is xyz files with the xyz extension are downloaded using SCP and files with the other extensions are downloaded using TFTP The default extension is scp TFTP Only The download is...

Page 97: ...up information that has been configured in the DHCP Auto Configuration Image Update page is used When the Auto Configuration Image Update process is triggered see Auto Configuration Image Update Trigger the sequence of events described below occurs Auto Image Update Starts The switch uses the indirect file name from option 125 DHCPv4 and option 60 DHCPv6 if any from the DHCP message received If th...

Page 98: ...e name of the configuration file previously used on the device or if the device has never been configured The device is rebooted with the new configuration file at the end of the Auto Configuration Image Update Process SYSLOG messages are generated by the copy process Missing Options If the DHCP server did not send the TFTP SCP server address in a DHCP option and the backup TFTP SCP server address...

Page 99: ... or explicitly renewed by administrative action or automatically renewed due to an expiring lease Explicit renewal can be activated in the IPv4 Interface page If Auto Image Update is enabled the Auto Image Update process is triggered when an indirect image file name is received from a DHCP server or a backup indirect image file name has been configured Indirect means that this is not the image its...

Page 100: ...nfiguration file is downloaded to the master unit and synchronized to backup before reload For auto image update the new image is copied and saved to the inactive image of the master unit As the part of the copy process the master unit synchronizes the image to all the units in the stack before the reload A configuration file that is placed on the TFTP SCP server must match the form and format req...

Page 101: ...he Running Configuration file DHCP Server Configure the DHCP server with the following options DHCPv4 66 single server address or 150 list of server addresses 67 name of configuration file DHCPv6 Option 59 server address Options 60 name of configuration file plus indirect image file name separated by a comma Auto Image Update Preparations To prepare the DHCP and TFTP SCP servers do the following T...

Page 102: ... enabled by default but can be disabled here Download Protocol Select one of the following options Auto By File Extension Select to indicate that Auto Configuration uses the TFTP or SCP protocol depending on the extension of the configuration file If this option is selected the extension of the configuration file does not necessarily have to be given If it is not given the default extension is use...

Page 103: ...ion files select one of the following options Remote SSH Server Authentication Click on the Enable Disable link to navigate to the SSH Server Authentication page There you can enable authentication of the SSH server to be used for the download and enter the trusted SSH server if required SSH Client Authentication Click on the System Credentials link to enter user credentials in the SSH User Authen...

Page 104: ...ess or name Backup Configuration File Name Enter the backup configuration file name Backup Indirect Image File Name Enter the indirect image file name to be used This is a file that holds the path to the image An example of an indirect image file name is indirect cisco scp This file contains the path and name of the firmware image The following fields are displayed Last Auto Configuration Image Se...

Page 105: ...Overview Devices can either function on their own or they can be connected into a stack of devices By default a device is always stackable but has no stack port All the ports in the devices are network ports by default You can look at a device without any stack port as the master device in a stack of only itself You can also look at a device without any stack port as a standalone device To stack t...

Page 106: ...example of eight relevant for the 550 family devices connected into a stack is shown in the following Stack Architecture Chain Topology A stack provides the following benefits Network capacity can be expanded or contracted dynamically By adding a unit the administrator can dynamically increase the number of ports in the stack while maintaining a single point of management Similarly units can be re...

Page 107: ...that manages itself the backup unit and the slave units Backup If the master unit fails the backup unit assumes the master role switchover The backup unit s ID must be either 1 or 2 Slave These units are managed by the master unit In order for a group of units to function as a stack there must be a master enabled unit When the master enabled unit fails the stack continues to function as long as th...

Page 108: ...OFF Stack Topology This section includes the following topics Types of Stack Topology Topology Discovery Types of Stack Topology The units in a stack can be connected in one of the following types of topologies Chain Topology Each unit is connected to the neighboring unit but there is no cable connection between the first and last unit See Stack Architecture Chain Topology shows a chain topology R...

Page 109: ...gered by a change in the up down status of a stack port The following are examples of events that trigger this process Changing the stack topology from a ring to a chain Merging two stacks into a single stack Splitting the stack Inserting other slave units to the stack for instance because the units were previously disconnected from the stack due to a failure This can happen in a chain topology if...

Page 110: ... ID is manually set to an integer from 1 maximum number of units in a stack Duplicate Unit IDs If you assign the same unit ID to two separate units only one of them can join the stack with that unit ID If auto numbering has been selected the duplicate unit is assigned a new unit number If auto numbering was not selected the duplicate unit is shut down The following shows a case where two units wer...

Page 111: ...numbered is renumbered Duplicate Unit Renumbered The following shows a case where one of the duplicate units is renumbered The one with the lower MAC retains its unit ID see Master Selection Process for a description of this process Duplication Between Two Units With Auto Number Unit ID NOTE If a new stack has more than the maximum number of units all extra units are shut down ...

Page 112: ... when it is selected as master in the switch failover process Unit ID If both units have the same number of time segments the unit with the lowest unit ID is selected MAC Address If both units IDs are the same the unit with the lowest MAC address is chosen NOTE For a stack to operate it must have a master unit A master unit is defined as the active unit that assumes the master role The stack must ...

Page 113: ...tically beginning from the lowest available ID One or more duplicate unit IDs exist Auto numbering resolves conflicts and assigns unit IDs In case of manual numbering only one unit retains its unit ID and the other s are shutdown The number of units in the stack exceeds the maximum number of units allowed The new units that joined the stack are shut down and a SYSLOG message is generated and appea...

Page 114: ...unit receives the lowest available ID Auto Number Unit The following shows what happens when a user assigned master enabled unit with Unit ID 1 joins a stack that already has a master unit with user assigned unit ID 1 The newer Unit 1 does not join the stack and is shutdown User assigned Master enabled Unit Unit Failure in Stack This section includes the following topics Failure of Master Unit Mas...

Page 115: ...aster is being configured it synchronizes the backup immediately Synchronization is performed as soon as a command is executed This is transparent If a unit is inserted into a running stack and is selected as a backup unit the master synchronizes it so that it has an up to date configuration and then generates a SYNC COMPLETE SYSLOG message This is a unique SYSLOG message that appears only when ba...

Page 116: ...down status between the master and the slave unit Packet forwarding on the slave unit resumes after the state of its ports are set to forwarding by the master according to STP NOTE Packet flooding to unknown unicast MAC addresses occurs until the MAC addresses are learned or relearned Reconnecting the Original Master Unit After Failover After failover if the original master is connected again the ...

Page 117: ...per unit The stack LAG can be composed of between two and up to the maximum number of stack ports depending on the unit type Stack Port States Stack ports can be in one of the following states Down Port operational status is down or stack port operational status is up but traffic cannot pass on the port Active Stack port was added to a stack LAG whose stack port operational status is up and traffi...

Page 118: ...mainder of the stack ports are set to standby mode inactive Default Stack and Network Ports All ports are configured as network ports by default Auto Selection of Port Speed The stacking cable type is discovered automatically when the cable is connected to the port auto discovery is the default setting The system automatically identifies the stack cable type and selects the highest speed supported...

Page 119: ...ndalone device or a stack is displayed in the Stack Operational Status block Stack Topology Displays whether the topology of the stack is chain or ring Stack Ports or Network Ports Connector Type All ports Cisco SFP H10GB CU1M Passive Copper Cable 1G 10G Cisco SFP H10GB CU3M Passive Copper Cable 1G 10G Cisco SFP H10GB CU5M Passive Copper Cable 1G 10G Cisco SFP 10G SR Not supported Cisco SFP 10G LR...

Page 120: ...lace in the stack as shown below A graphical view of the device is also seen as shown below See an example of this below STEP 2 To select stack ports for a device a Click a device in the Stack Topology View The ports on this device are displayed in this view b When you hover over a port a tool tip displays the stacking port number unit that it is connected to if there is one the port speed and its...

Page 121: ...rts become stack ports after the reboot d To configure stack parameters for devices in the stack click the device in the Stack Topology View and enter the following fields for the device and stacking ports Unit ID After Reset Select a unit ID or select Auto to have the unit ID be assigned by the system Unit x Stack Connection Speed Displays the speed of the stack connection STEP 3 Click Apply and ...

Page 122: ...is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The device supports Simple Network Time Protocol SNTP and when enabled the device dynamically synchronizes the device time with time from an SNTP server The device operate...

Page 123: ... configuration of time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device sets the time f...

Page 124: ...t supply DHCP option 100 in order for dynamic time zone configuration to take place SNTP Modes The device can receive system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the device listens to these broadcasts When the device is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmis...

Page 125: ...ystem time was last taken STEP 2 Enter the following parameters Clock Source Settings Select the source used to set the system clock Main Clock Source SNTP Servers If this is enabled the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the SNTP Multicast Anycast page Optionally enforce authentication of the SNTP sessions by u...

Page 126: ...one Offset for Paris is GMT 1 while the Time Zone Offset for New York is GMT 5 Time Zone Acronym Enter a name that will represent this time zone This acronym appears in the Actual Time field Daylight Savings Settings Select how DST is defined Daylight Savings Select to enable Daylight Saving Time Time Set Offset Enter the number of minutes offset from GMT ranging from 1 1440 The default is 60 Dayl...

Page 127: ...ds every year Month Month of the year in which DST ends every year Time The time at which DST ends every year STEP 4 Click Apply The system time values are written to the Running Configuration file SNTP Unicast Up to 16 Unicast SNTP servers can be configured NOTE To specify a Unicast SNTP server by name you must first configure DNS server s on the device see DNS Settings To add a Unicast SNTP serv...

Page 128: ...erver stratum level1 unless polling interval is enabled Status SNTP server status The possible values are Up SNTP server is currently operating normally Down SNTP server is currently not available Unknown SNTP server is currently being searched for by the device In Process Occurs when the SNTP server does not fully trust its own time server i e when first booting up the SNTP server Last Response L...

Page 129: ...al address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 Address Type Link Local is selected from the list SNTP Server IP Address Name Enter the SNTP server IP addressor name The format depends on which a...

Page 130: ...t transmissions from any SNTP server on the subnet SNTP IPv6 Multicast Client Mode Client Broadcast Reception Select to receive system time IPv6 Multicast transmissions from any SNTP server on the subnet SNTP IPv4 Anycast Client Mode Client Broadcast Transmission Select to transmit SNTP IPv4 synchronization packets requesting system time information The packets are transmitted to all SNTP servers ...

Page 131: ...nformation Workflow STEP 1 Enable authentication in the SNTP Authentication page below STEP 2 Create a key in the SNTP Authentication page below STEP 3 Associate this key with an SNTP server in the SNTP Unicast page To enable SNTP authentication and define keys STEP 1 Click Administration Time Settings SNTP Authentication STEP 2 Select SNTP Authentication to support authentication of an SNTP sessi...

Page 132: ...ge and begins and ends on a recurring basis It is defined in the Recurring Range pages If a time range includes both absolute and recurring ranges the operations of the associated commands are active only if both absolute start time and the recurring time range have been reached Operations of the associated commands are inactive when either of the time ranges are reached The device supports a maxi...

Page 133: ...time that the Time Range begins Absolute Ending Time To define the start time enter the following Infinite Select for the time range to never end Date Time Enter the date and time that the Time Range ends STEP 4 Click Apply STEP 5 To add a recurring time range click Recurring Range Recurring Time Range A recurring time element can be added to an absolute time range This limits the operation to cer...

Page 134: ...recurring time range click Add STEP 4 Enter the following fields Recurring Starting Time Enter the date and time that the Time Range begins on a recurring basis Recurring Ending Time Enter the date and time that the Time Range ends on a recurring basis STEP 5 Click Apply STEP 6 Click Time Range to access the Absolute Time Range page ...

Page 135: ...r third party applications By default Bonjour is enabled on the Management VLAN When Bonjour is enabled on the device it sends Bonjour Discovery packets to interfaces with IP addresses that have been associated with Bonjour on the Bonjour Discovery Interface Control table Use to IPv4 Interface to configure an IP address to an interface If an interface such as a VLAN is deleted the device will send...

Page 136: ...ur is enabled can also be OOB and their IP Address STEP 4 To enable Bonjour on an interface click Add STEP 5 Select the interface and click Apply NOTE Click Delete to disable Bonjour on an interface this performs the delete operation without any additional operation such as Apply LLDP and CDP LLDP Link Layer Discovery Protocol and CDP Cisco Discovery Protocol are link layer protocols for directly ...

Page 137: ... device Refer to the Voice VLAN for details NOTE CDP LLDP does not distinguish if a port is in a LAG If there are multiple ports in a LAG CDP LLDP transmit packets on each port without taking into account the fact that the ports are in a LAG The operation of CDP LLDP is independent of the STP status of an interface If 802 1x port access control is enabled at an interface the device transmits and r...

Page 138: ...standardizes methods for network devices to advertise themselves to other systems and to store discovered information LLDP enables a device to advertise its identification configuration and capabilities to neighboring devices that then store the data in a Management Information Base MIB The network management system models the topology of the network by querying these MIB databases LLDP is a link ...

Page 139: ...g the LLDP MED Network Policy page 4 Associate LLDP MED network policies and the optional LLDP MED TLVs to the desired interfaces by using the LLDP MED Port Settings page 5 If Auto Smartport is to detect the capabilities of LLDP devices enable LLDP in the Properties page 6 Display overloading information by using the LLDP Overloading page LLDP Properties The Properties page enables entering LLDP g...

Page 140: ...ransmissions due to changes in the LLDP local systems MIB Chassis ID Advertisement Select one of the following options for advertisement in the LLDP messages MAC Address Advertise the MAC address of the device Host Name Advertise the host name of the device STEP 3 In the LED MED Properties Fast Start Repeat Count field enter the number of times LLDP packets are sent when the LLDP MED Fast Start me...

Page 141: ...r example an SNMP managing system when there is a topology change The time interval between notifications is entered in the Topology Change SNMP Notification Interval field in the LLDP Properties page Define SNMP Notification Recipients by using the SNMPv1 2 Notification Recipients Selected Optional TLVs Select the information to be published by the device by moving the TLV from the Available Opti...

Page 142: ...capability of the MAC PHY implementation Management Address Optional TLV Advertisement Mode Select one of the following ways to advertise the IP management address of the device Auto Advertise Specifies that the software automatically chooses a management address to advertise from all the IP addresses of the device In case of multiple IP addresses the software chooses the lowest IP address among t...

Page 143: ... sends alerts to network managers upon Port speed and duplex mode conflicts QoS policy misconfigurations Setting LLDP MED Network Policy An LLDP MED network policy is a related set of configuration settings for a specific real time application such as voice or video A network policy if configured can be included in the outgoing LLDP packets to the attached LLDP media endpoint device The media endp...

Page 144: ... may not manually configure a voice network policy STEP 3 Click Apply to add this setting to the Running Configuration file STEP 4 To define a new policy click Add STEP 5 Enter the values Network Policy Number Select the number of the policy to be created Application Select the type of application type of traffic for which the network policy is being defined VLAN ID Enter the VLAN ID to which the ...

Page 145: ...or all ports only fields not described in the Edit page are listed Location Whether Location TLV is transmitted PoE Whether POE PSE TLV is transmitted Inventory Whether Inventory TLV is transmitted STEP 2 The message at the top of the page indicates whether the generation of the LLDP MED Network Policy for the voice application is automatic or not see LLDP Overview Click on the link to change the ...

Page 146: ...P Location Civic Address Enter the civic address to be published by LLDP Location ECS ELIN Enter the Emergency Call Service ECS ELIN location to be published by LLDP STEP 5 Click Apply The LLDP MED port settings are written to the Running Configuration file LLDP Port Status The LLDP Port Status page contains the LLDP global information for every port STEP 1 To view the LLDP port status click Admin...

Page 147: ... is shown LLDP Port Status Table LLDP Port Status Table Interface Port identifier LLDP Status LLDP publishing option LLDP MED Status Enabled or disabled Local PoE Power Type Power Source Power Priority Power Value Local PoE information advertised Remote PoE Power Type Power Source Power Priority Power Value PoE information advertised by the neighbor of neighbors Number of neighbors discovered Neig...

Page 148: ...e of the port identifier that is shown Port ID Identifier of port Port Description Information about the port including manufacturer product name and hardware software version Management Address Displays the table of addresses of the local LLDP agent Other remote managers can use this address to obtain information related to the local device The address consists of the following elements Address S...

Page 149: ...icates whether the interface is aggregated Aggregation Port ID Advertised aggregated interface ID 802 3 Energy Efficient Ethernet EEE If device supports EEE Local Tx Indicates the time in micro seconds that the transmitting link partner waits before it starts transmitting data after leaving Low Power Idle LPI mode Local Rx Indicates the time in micro seconds that the receiving link partner request...

Page 150: ...ort power priority PoE Power Value Port power value Hardware Revision Hardware version Firmware Revision Firmware version Software Revision Software version Serial Number Device serial number Manufacturer Name Device manufacturer name Model Name Device model name Asset ID Asset ID Location Information Civic Street address Coordinates Map coordinates latitude longitude and altitude ECS ELIN Emergen...

Page 151: ... was received from a neighbor the information is deleted To view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbor Information STEP 2 Select the interface for which LLDP neighbor information is to be displayed This page displays the following fields for the selected interface Local Port Number of the local port to which the neighbor is connected Chassis ID Sub...

Page 152: ...m Description Description of the network entity in alpha numeric format This includes the system name and versions of the hardware operating system and networking software supported by the device The value equals the sysDescr object Supported System Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Rout...

Page 153: ...vertised power support port class PSE MDI Power Support Indicates if MDI power is supported on the port PSE MDI Power State Indicates if MDI power is enabled on the port PSE Power Pair Control Ability Indicates if power pair control is supported on the port PSE Power Pair Power pair control type supported on the port PSE Power Class Advertised power class of the port 802 3 Details 802 3 Maximum Fr...

Page 154: ...D endpoint device class The possible device classes are Endpoint Class 1 Indicates a generic endpoint class offering basic LLDP services Endpoint Class 2 Indicates a media endpoint class offering media streaming capabilities as well as all Class 1 features Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support and...

Page 155: ...rtised protocol IDs Location Information Enter the following data structures in hexadecimal as described in section 10 2 4 of the ANSI TIA 1057 standard Civic Civic or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s Emergency Call Service ECS Emergency Location Identification Number ELIN Unknown Unknown location information Network Policy Table...

Page 156: ...ministration Discovery LLDP LLDP Statistics For each port the fields are displayed Interface Identifier of interface can also be the OOB port Tx Frames Total Number of transmitted frames Rx Frames Total Number of received frames Discarded Total number of received frames that were discarded Errors Total number of received frames with errors Rx TLVs Discarded Total number of received TLVs that were ...

Page 157: ...ntifier This can also be an OOB port Total Bytes In Use Total number of bytes of LLDP information in each packet Available Bytes Left Total number of available bytes left for additional LLDP information in each packet Status Whether TLVs are being transmitted or if they are overloaded STEP 2 To view the overloading details for a port select it and click Details This page contains the following inf...

Page 158: ...erloaded 802 3 TLVs Size Bytes Total LLDP MED 802 3 TLVs packets byte size Status If the LLDP MED 802 3 TLVs packets were sent or if they were overloaded LLDP Optional TLVs Size Bytes Total LLDP MED optional TLVs packets byte size Status If the LLDP MED optional TLVs packets were sent or if they were overloaded LLDP MED Inventory Size Bytes Total LLDP MED inventory TLVs packets byte size Status If...

Page 159: ...oprietary protocol CDP Configuration Workflow The followings is sample workflow for configuring CDP on the device You can also find additional CDP configuration guidelines in the LLDP CDP section STEP 1 Enter the CDP global parameters using the CDP Properties page STEP 2 Configure CDP per interface using the CDP Interface Settings page STEP 3 If Auto Smartport is used to detect the capabilities of...

Page 160: ... version of CDP to use CDP Hold Time Amount of time that CDP packets are held before the packets are discarded measured in multiples of the TLV Advertise Interval For example if the TLV Advertise Interval is 30 seconds and the Hold Multiplier is 4 then the LLDP packets are discarded after 120 seconds The following options are possible Use Default Use the default time 180 seconds User Defined Enter...

Page 161: ...dvertising Syslog Duplex Mismatch Check to send a SYSLOG message when duplex information is mismatched This means that the duplex information in the incoming frame does not match what the local device is advertising STEP 3 Click Apply The LLDP properties are defined CDP Interface Settings The Interface Settings page enables you to enable disable CDP per port Notifications can also be triggered whe...

Page 162: ...sable the CDP publishing option for the port NOTE The next three fields are operational when the device has been set up to send traps to the management station Syslog Voice VLAN Mismatch Select to enable sending a SYSLOG message when a voice VLAN mismatch is detected This means that the voice VLAN information in the incoming frame does not match what the local device is advertising Syslog Native V...

Page 163: ...not Device ID TLV Device ID Type Type of the device ID advertised in the device ID TLV Device ID Device ID advertised in the device ID TLV System Name TLV System Name System name of the device Address TLV Address1 3 IP addresses advertised in the device address TLV Port TLV Port ID Identifier of port advertised in the port TLV Capabilities TLV Capabilities Capabilities advertised in the port TLV V...

Page 164: ...ch case the following field is relevant CoS for Untrusted Ports TLV CoS for Untrusted Ports If Extended Trust is disabled on the port this fields displays the Layer 2 CoS value meaning an 802 1D 802 1p priority value This is the COS value with which all packets received on an untrusted port are remarked by the device Power TLV Request ID Last power request ID received echoes the Request ID field l...

Page 165: ...ation Discovery CDP CDP Neighbor Information STEP 2 To select a filter check the Filter checkbox select a Local interface and click Go The filter is triggered and Clear Filter is activated STEP 3 Click Clear Filter to stop the filter The CDP Neighbor Information page contains the following fields for the link partner neighbor Device ID Neighbors device ID System Name Neighbors system name Local In...

Page 166: ...ely Bits 8 through 15 are reserved Platform Identifier of the neighbors platform Neighbor Interface Interface number of the neighbor through which frame arrived Native VLAN Neighbors native VLAN Application Name of application running on the neighbor Duplex Whether neighbors interface is half or full duplex Addresses Neighbors addresses Power Drawn Amount of power consumed by neighbor on the inter...

Page 167: ...mber of CDP version 1 packets received transmitted Version 2 Number of CDP version 2 packets received transmitted Total Total number of CDP packets received transmitted The CDP Error Statistics section displays the CDP error counters Illegal Checksum Number of packets received with illegal checksum value Other Errors Number of packets received with errors other than illegal checksums Neighbors Ove...

Page 168: ...actions 1 Configure port by using the Port Settings page 2 Enable disable the Link Aggregation Control LAG protocol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters for the ports...

Page 169: ...he receiving port to shutdown For jumbo frames to take effect the device must be rebooted after the feature is enabled In stack systems stack units might reboot twice in order to this setting to become operational This is done automatically STEP 3 Click Apply to update the global setting Jumbo frames configuration changes take effect only after the Running Configuration is explicitly saved to the ...

Page 170: ...is in Up state When the time range is not active the port is in shutdown If a time range is configured it is effective only when the port is administratively Up Time Range Name Select the profile that specifies the time range Not relevant for the OOB port If a time range is not yet defined click Edit to go to the Time Range page Not relevant for the OOB port Operational Time Range State Displays w...

Page 171: ...l 10 Mbps speed and Full Duplex mode 100 Half 100 Mbps speed and Half Duplex mode 100 Full 100 Mbps speed and Full Duplex mode 1000 Full 1000 Mbps speed and Full Duplex mode Operational Advertisement Displays the capabilities currently published to the ports neighbor The possible options are those specified in the Administrative Advertisement field Preference Mode Select the master slave mode of t...

Page 172: ...ort A protected port is also referred as a Private VLAN Edge PVE The features of a protected port are as follows Protected Ports provide Layer 2 isolation between interfaces Ethernet ports and LAGs that share the same VLAN Packets received from protected ports can be forwarded only to unprotected egress ports Protected port filtering rules are also applied to packets that are forwarded by software...

Page 173: ...ery when the port has been shut down for port security violations 802 1x Single Host Violation Select to enable automatic error recovery when the port has been shut down by 802 1x ACL Deny Select to enable automatic error recovery mechanism by an ACL action STP BPDU Guard Select to enable automatic error recovery mechanism when the port has been shut down by STP BPDU guard STP Loopback Guard Enabl...

Page 174: ...back Detection operates independently of STP After a loop is discovered the port that received the loops is placed in the Shut Down state A trap is sent and the event is logged Network managers can define a Detection Interval that sets the time interval between LBD packets The following loop cases can be detected by the Loopback Detection protocol Shorted wire Port that loop backs all receiving tr...

Page 175: ...iving ports or LAGs to Error Disable state Issues an appropriate SNMP trap Generates an appropriate SYLOG message Default Settings and Configuration Loopback detection is not enabled by default Interactions with Other Features If STP is enabled on a port on which Loopback Detection is enabled the port must be in STP forwarding state Configuring LBD To enable and configure LBD STEP 1 Enable Loopbac...

Page 176: ...ng the Loopback Detection State Administrative Loopback detection is enabled Operational Loopback detection is enabled but not active on the interface STEP 5 Select whether to enable LBD on ports or LAGS in the Interface Type equals field STEP 6 Select the ports or LAGs on which LBD is to be enabled and click Edit STEP 7 Select Enable in the Loopback Detection State field for the port or LAG selec...

Page 177: ...able for editing Dynamic A LAG is dynamic if LACP is enabled on it The group of ports assigned to dynamic LAG are candidate ports LACP determines which candidate ports are active member ports The non active candidate ports are standby ports ready to replace any failing active member ports Load Balancing Load Balancing Traffic forwarded to a LAG is load balanced across the active member ports thus ...

Page 178: ...ort is removed from the LAG its original configuration is reapplied Protocols such as Spanning Tree consider all the ports in the LAG to be one port Default Settings and Configuration By default ports are not members of a LAG and are not candidates to become part of a LAG Static and Dynamic LAG Workflow After a LAG has been manually created LACP cannot be added or removed until the LAG is edited a...

Page 179: ... edit the desired LAG on the Edit LAG Membership page To select the load balancing algorithm of the LAG STEP 1 Click Port Management Link Aggregation LAG Management STEP 2 Select one of the following Load Balance Algorithm MAC Address Perform load balancing by source and destination MAC addresses on all packets IP MAC Address Perform load balancing by the source and destination IP addresses on IP ...

Page 180: ... candidate ports STEP 3 Click Apply LAG membership is saved to the Running Configuration file LAG Settings The LAG Settings page displays a table of current settings for all LAGs You can configure the settings of selected LAGs and reactivate suspended LAGs by launching the Edit LAG Settings page To configure the LAG settings or reactivate a suspended LAG STEP 1 Click Port Management Link Aggregati...

Page 181: ...abled on both sides while ensuring that link speeds are identical Operational Auto Negotiation Displays the auto negotiation setting Administrative Speed Select the speed of the ports in the LAG Operational LAG Speed Displays the current speed at which the LAG is operating Administrative Advertisement Select the capabilities to be advertised by the LAG The options are Max Capability All LAG speeds...

Page 182: ...ther LACP port priorities are taken from the local or remote device the local LACP System Priority is compared to the remote LACP System Priority The device with the lowest priority controls candidate port selection to the LAG If both priorities are the same the local and remote MAC addresses are compared The priority of the device with the lowest MAC address controls candidate port selection to t...

Page 183: ... e g PXE which receive their LAG configuration only after they bootup When several LACP configured ports are configured and the link comes up in one or more ports but there are no LACP responses from the link partner for those ports the first port that had link up is added to the LACP LAG and becomes active the other ports become non candidates In this way the neighbor device can for example get i...

Page 184: ...face Settings UDLD Neighbors UDLD Overview UDLD is a Layer 2 protocol that enables devices connected through fiber optic or twisted pair Ethernet cables to detect unidirectional links A unidirectional link occurs whenever traffic from a neighboring device is received by the local device but traffic from the local device is not received by the neighbor The purpose of UDLD is to detect ports on whic...

Page 185: ...ollowing is occurring The neighbor does not support UDLD or The neighbor does not receive traffic from the local device The UDLD action in this case depends on the UDLD mode of the device as explained below UDLD supports the following modes of operation Normal If the link state of the port is determined to be bi directional and the UDLD information times out while the link on the port is still up ...

Page 186: ... status of the port is set to bidirectional If the neighbor message does not contain the local device ID The link status of the port is set to unidirectional and the port is shut down If UDLD messages are not received from a neighboring device during the expiration time frame the link status of the port is sent to undetermined and the following occurs Device is in normal UDLD mode A notification i...

Page 187: ...e UDLD expiration time expires for instance Manually You can reactivate a port in the Error Recovery Settings page Usage Guidelines Cisco does not recommend enabling UDLD on ports that are connected to devices on which UDLD is not supported or disabled Sending UDLD packets on a port connected to a device that does not support UDLD causes more traffic on the port without providing benefits In addit...

Page 188: ... port independently from other Layer 2 protocols running on the same port such as STP or LACP For example UDLD assigns the port a status regardless of the STP status of the port or regardless of whether the port belongs to a LAG or not Default Settings and Configuration The following defaults exist for this feature UDLD is disabled by default on all ports of the device Default message time is 15 s...

Page 189: ... UDLD on a copper port perform the following steps STEP 1 Open the UDLD Global Settings page a Select a port b Select either Default Disabled Normal or Aggressive as the port s UDLD status If you select Default the port receives the global setting STEP 2 Click Apply Workflow3 To bring a port up after it was shut down by UDLD and automatic reactivation was not configured STEP 1 Open the Error Recov...

Page 190: ...ned a notification is issued Aggressive Device shuts down an interface if the link is uni directional If the link is bi directional the device shuts down after the UDLD information times out The port state is marked as undetermined STEP 3 Click Apply to save the settings to the Running Configuration file UDLD Interface Settings Use the UDLD Interface Settings page to change the UDLD state for a sp...

Page 191: ...ince UDLD began running on the port so that the state is not yet determined Bidirectional Traffic sent by the local device is received by its neighbor and traffic from the neighbor is received by the local device Undetermined The state of the link between the port and its connected port cannot be determined either because no UDLD message was received or the UDLD message did not contain the local d...

Page 192: ...tion if there was one or since UDLD began running on the port so that the state is not yet determined Bidirectional Traffic sent by the local device is received by its neighbor and traffic from the neighbor is received by the local device Undetermined The state of the link between the port and its connected port cannot be determined either because no UDLD message was received or the UDLD message d...

Page 193: ...covery from this mode to full operational mode is fast transparent and no frames are lost This mode is supported on both GE and FE ports Short Reach Mode This feature provides for power savings on a short length of cable After cable length is analyzed the power usage is adjusted for various cable lengths If the cable is shorter than 50 meters the device uses less power to send frames over the cabl...

Page 194: ...en consumed by the physical interfaces had they not been running in Green Ethernet mode The saved energy displayed is only related to Green Ethernet The amount of energy saved by EEE is not displayed Power Saving by Disabling Port LEDs The Disable Port LEDs feature saves power consumed by device LEDs Since the devices are often in an unoccupied room having these LEDs lit is a waste of energy The G...

Page 195: ...abled 802 3az EEE still be operational but it might not be in the optimal operational mode The 802 3az EEE feature is implemented using a port mode called Low Power Idle LPI mode When there is no traffic and this feature is enabled on the port the port is placed in the LPI mode which reduces power consumption dramatically Both sides of a connection device port and connecting device must support 80...

Page 196: ... in Annex G of IEEE Std 802 1AB protocol LLDP LLDP is used to further optimize 802 3az EEE operation after auto negotiation is completed The 802 3az EEE TLV is used to fine tune system wake up and refresh durations Availability of 802 3az EEE Please see the release notes for a complete listing of products that support EEE Default Configuration By default 802 3az EEE and EEE LLDP are enabled global...

Page 197: ...3 Energy Efficient Ethernet EEE mode on the port it is enabled by default c Select whether to enable or disable advertisement of 802 3az EEE capabilities through LLDP in 802 3 Energy Efficient Ethernet EEE LLDP it is enabled by default STEP 4 To see 802 3 EEE related information on the local device open the LLDP Local Information page and view the information in the 802 3 Energy Efficient Ethernet...

Page 198: ...o the current consumption Cumulative Energy Saved Displays the amount of energy saved from the last device reboot This value is updated each time there is an event that affects power saving 802 3 Energy Efficient Ethernet EEE Globally enable or disable EEE mode STEP 3 Click Reset Energy Saving Counter To reset the Cumulative Energy Saved information STEP 4 Click Apply The Green Ethernet Properties...

Page 199: ...her it has been enabled on the local port and whether it is operational on the local port LLDP Administrative Displays whether advertising EEE counters through LLDP was enabled LLDP Operational Displays whether advertising EEE counters through LLDP is currently operating EEE Support on Remote Displays whether EEE is supported on the link partner EEE must be supported on both the local and remote l...

Page 200: ... following topics Overview What is a Smartport Smartport Types Smartport Macros Macro Failure and the Reset Operation How the Smartport Feature Works Auto Smartport Error Handling Default Configuration Relationships with Other Features Common Smartport Tasks Configuring Smartport Using The Web based Interface Built in Smartport Macros ...

Page 201: ...ing a configuration When a device is detected from an interface the Smartport macro if assigned that corresponds to the Smartport type of the attaching device is automatically applied The Smartport feature consists of various components and works in conjunction with other features on the device These components and features are described in the following sections Smartport Smartport types and Smar...

Page 202: ...configuration The other called the anti macro serves to undo all configuration performed by the macro when that interface happens to become a different Smartport type You can apply a Smartport macro by the following methods The associated Smartport type Statically from a Smartport macro by name only from the CLI A Smartport macro can be applied by its Smartport type statically from CLI and GUI and...

Page 203: ...gned to it has the Default Smartport status If Auto Smartport assigns a Smartport type to an interface and the interface is not configured to be Auto Smartport Persistent then its Smartport type is re initialized to Default in the following cases A link down up operation is performed on the interface The device is restarted Default No No Printer No No Desktop No No Guest No No Server No No Host Ye...

Page 204: ... of the most recent CDP and LLDP packets decrease to 0 then the anti macro is run and the Smartport type returns to default Smartport Macros A Smartport macro is a script of CLI commands that configure an interface appropriately for a particular network device Smartport macros should not be confused with global macros Global macros configure the device globally however the scope of a Smartport mac...

Page 205: ...onfiguration File into the Startup Configuration File the device applies the Smartport types and the Smartport macros to the interfaces after reboot as follows If the Startup Configuration File does not specify a Smartport type for an interface its Smartport type is set to Default If the Startup Configuration File specifies a static Smartport type the Smartport type of the interface is set to this...

Page 206: ...ame can be done only through the CLI you should refer to the CLI guide for details Because support is provided for Smartport types which correspond to devices that do not allow themselves to be discovered via CDP and or LLDP these Smartport types must be statically assigned to the desired interfaces This can be done by navigating to the Interface Settings page selecting the radio button of the des...

Page 207: ...guration profile that is appropriate for all of the devices is applied to the interface if possible If a device is aged out no longer receiving advertisements from other devices the interface configuration is changed according to its Persistent Status If the Persistent Status is enabled the interface configuration is retained If not the Smartport Type reverts to Default Enabling Auto Smartport Ena...

Page 208: ...ce where the IP phone attaches Unless Persistent Auto Smartport is enabled on an interface the Smartport type and resulting configuration applied by Auto Smartport is removed if the attaching device s ages out links down reboots or conflicting capabilities are received Aging out times are determined by the absence of CDP and or LLDP advertisements from the device for a specified time period Using ...

Page 209: ... Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IETF RFC 2108 2 Ignore MAC Bridge IEEE Std 802 1D 3 Switch WLAN Access Point IEEE Std 802 11 MIB 4 Wireless Access Point Router IETF RFC 1812 5 Router Telephone IETF RFC 4293 6 ip_phone DOCSIS cable device IETF RFC 4639 and IETF RFC 4546 7 Ignore Station Only IETF RFC 4293 8 Host C VLAN Component of a VLAN Bridge IEEE Std 802 1Q 9 Sw...

Page 210: ...r more information about LLDP CDP refer to the Configuring LLDP and Configuring CDP sections respectively Persistent Auto Smartport Interface If the Persistent status of an interface is enabled its Smartport type and the configuration that is already applied dynamically by Auto Smartport remains on the interface even after the attaching device ages out the interface goes down and the device is reb...

Page 211: ...oice factory defaults Relationships with Other Features Auto Smartport is enabled by default and may be disabled Telephony OUI cannot function concurrently with Auto Smartport and Auto Voice VLAN Auto Smartport must be disabled before enabling Telephony OUI Common Smartport Tasks This section describes some common tasks to setup Smartport and Auto Smartport Workflow1 To globally enable Auto Smartp...

Page 212: ...ture on the interface open the Interface Settings page STEP 2 Select the interface and click Edit STEP 3 Select the Smartport type that is to be assigned to the interface in the Smartport Application field STEP 4 Set the macro parameters as required STEP 5 Click Apply Workflow3 To adjust Smartport macro parameter defaults and or bind a user defined macro pair to a Smartport type perform the follow...

Page 213: ...oot then correct the problem Consider the troubleshooting tip below STEP 4 Click Edit A new window appears in which you can click Reset to reset the interface STEP 5 Return to the main page and reapply the macro using either Reapply for devices that are not switches routers or APs or Reapply Smartport Macro for switches routers or APs to run the Smartport Macro on the interface A second method of ...

Page 214: ...to disable Auto Smartport on the device Enable Select to enable Auto Smartport on the device Enable by Auto Voice VLAN This enables Auto Smartport but puts it in operation only when Auto Voice VLAN is also enabled and in operation Enable by Auto Voice VLAN is the default Operational Auto Smartport Displays the Auto Smartport status Auto Smartport Device Detection Method Select whether incoming CDP...

Page 215: ...o the CLI reference guide for details Built in or user defined macros can have parameters The built in macros have up to three parameters Editing these parameters for the Smartport types applied by Auto Smartport from the Smartport Type Settings page configures the default values for these parameters These defaults are used by Auto Smartport NOTE Changes to Auto Smartport types cause the new setti...

Page 216: ... Defaults STEP 5 Click Apply to save the changes to the running configuration If the Smartport macro and or its parameter values associated with the Smartport type are modified Auto Smartport automatically reapplies the macro to the interfaces currently assigned with the Smartport type by Auto Smartport Auto Smartport does not apply the changes to interfaces that were statically assigned a Smartpo...

Page 217: ...gurations on the device and the definition of the macro to determine if a reapplication has any impact on the interface Reset unknown interfaces This sets the mode of Unknown interfaces to Default To apply a Smartport macro STEP 1 Click Smartport Interface Settings To reapply the last Smartport macros that was associated with a group of interfaces click one of the following options All Switches Ro...

Page 218: ...ation performed by the macro that failed This clean up must be done manually To assign a Smartport type to an interface or activate Auto Smartport on the interface STEP 1 Select an interface and click Edit STEP 2 Enter the fields Interface Select the port or LAG Smartport Type Displays the Smartport type currently assigned to the port LAG Smartport Application Select the Smartport type from the Sm...

Page 219: ...o Default if it is in Unknown status as a result of an unsuccessful macro application The macro can be reapplied on the main page STEP 4 Click Apply to update the changes and assign the Smartport type to the interface Built in Smartport Macros The following describes the pair of built in macros for each Smartport type For each Smartport type there is a macro to configure the interface and an anti ...

Page 220: ... cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_desktop no_desktop macro description No Deskto...

Page 221: ...rt access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_printer no_printer macro description No printer no switchport access vlan no switchport mode no port security no port security...

Page 222: ... port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_guest no_guest macro description No guest no switchport access vlan no switchport mode no port security no port security mode no smartport storm control broadcast e...

Page 223: ..._hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree portfast no_server no_server macro description No server no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm con...

Page 224: ...control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_host no_host macro description No host no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control b...

Page 225: ...ng tree portfast no_ip_camera no_ip_camera macro description No ip_camera no switchport access vlan no switchport mode no port security no port security mode no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto ip_phone ip_phone macro description ip_phone macro keywords native_vlan voice_vlan...

Page 226: ... spanning tree portfast no_ip_phone no_ip_phone macro description no ip_phone macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID Default Values are voice_vlan 1 smartport switchport trunk allowed vlan remove voice_vlan no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no...

Page 227: ... port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_phone_desktop no_ip_phone_desktop macro description no ip_phone_desktop macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID Default Values are voice_vlan 1 smartport switchport trunk allowe...

Page 228: ...trunk allowed vlan add all smartport switchport trunk native vlan native_vlan spanning tree link type point to point no_switch no_switch macro description No switch macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no spanning tree link type router router macro description router...

Page 229: ... spanning tree link type point to point no_router no_router macro description No router macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no smartport storm control broadcast enable no smartport storm control broadcast level no spanning tree link type ap ap macro description ap m...

Page 230: ... regardless of the physical LAN segment of the bridged network to which they are connected VLAN Description Each VLAN is configured with a unique VLAN ID VID with a value from 1 to 4094 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no...

Page 231: ...ort where the frame is received The frame is discarded at the ingress port if Ingress Filtering is enabled and the ingress port is not a member of the VLAN to which the packet belongs A frame is regarded as priority tagged only if the VID in its VLAN tag is 0 Frames belonging to a VLAN remain within the VLAN This is achieved by sending or forwarding a frame only to egress ports that are members of...

Page 232: ... to the Voice VLAN section Guest VLAN Set in the Properties page Default VLAN VLAN1 Management VLAN in Layer 2 system mode systems For more information refer to the Layer 2 IP Addressing section QinQ QinQ provides isolation between service provider networks and customers networks The device is a provider bridge that supports port based c tagged service interface With QinQ the device adds an ID tag...

Page 233: ...An isolated port has complete Layer 2 isolation from the other isolated and community ports within the same private VLAN These ports connect host ports The following types of private VLANs exist Primary VLAN The primary VLAN is used to enable Layer 2 connectivity from promiscuous ports to isolated and to community ports There can only be a single primary VLAN per private VLAN Isolated VLAN also kn...

Page 234: ...es are learned by the primary VLAN A private VLAN port can only be added to one private VLAN Other port types such as access or trunk ports can be added to the individual VLANs that make up the private VLAN since they are regular 802 1Q VLANs A private VLAN can be configured to span across multiple switches by setting inter switch ports as trunk ports and adding them to all VLANs in the private VL...

Page 235: ... Flow The following describes traffic flow from hosts to servers routers or other hosts Figure1 Traffic from Hosts to Servers Routers Isolated 1 Isolated 2 Server Community 1 Community 1 Promiscous Promiscous Isolated Isolated Community Community Community Community 1 Isolated vlan Community Vlan ...

Page 236: ...aged Switches 227 12 The following describes server router traffic reply to host Figure 2 Server Router Traffic to Hosts Isolated 1 Isolated 2 Server Community 1 Community 1 Promiscous Promiscous Isolated Isolated Community Community Community Community 1 Primary VLAN ...

Page 237: ...c to be forwarded rather than flooded on the primary VLAN The isolated and community VLANs continue to flood Multicast traffic DHCP snooping ARP Inspection IP Source Guard The system prevents adding or removing isolated or community VLANs to a private VLAN while the above features are enabled Features Not Supported on Private VLAN The following features are not supported on private VLANs and on al...

Page 238: ...ndary VLAN in a private VLAN The resources for the following features are allocated per VLAN within the private VLAN Dynamic MAC Addresses MAC addresses learned on primary VLANs are copied to all community VLANs and to the isolated VLAN MAC addresses learned on isolated community VLANs are copied to the primary VLAN DHCP Snooping A TCAM rule is required to trap DHCP traffic ARP Inspection A TCAM r...

Page 239: ...equired VLANs as described in the VLAN Settings section 2 Set the desired VLAN related configuration for ports and enable QinQ on an interface as described in the Interface Settings section 3 Assign interfaces to VLANs as described in the Port to VLAN section or the Port VLAN Membership section 4 View the current VLAN port membership for all the interfaces as described in the Port VLAN Membership ...

Page 240: ...o longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN RADIUS servers cannot assign the default VLAN to 802 1x supplicants by using Dynamic VLAN Assignment VLAN Settings You can create a VLAN but this has no effect until the VLAN is attached to at least one port either manually or dynamically Ports must always belong to one or more VLANs The device supports up to 4...

Page 241: ...ou can create at one time is 100 STEP 4 Add the following fields for the new VLANs VLAN Interface State Select to shutdown the VLAN In this state the VLAN does not transmit receive messages from to higher levels For example if you shut down a VLAN on which an IP interface is configured bridging into the VLAN continues but the switch cannot transmit and receive IP traffic on the VLAN Link Status SN...

Page 242: ...nfigured in this mode is known as a trunk port Customer Selecting this option places the interface in QinQ mode This enables you to use your own VLAN arrangements PVID across the provider network The device is in Q in Q mode when it has one or more customer ports See QinQ Private VLAN Host Select to set the interface as either isolated or community Then select either an isolated or community VLAN ...

Page 243: ...arding from the Available Secondary VLANs Promiscuous and trunk ports can be members in multiple VLANs STEP 5 Click Apply The parameters are written to the Running Configuration file Port to VLAN The Port to Vlan and Port VLAN Membership pages display the VLAN memberships of the ports in various presentations You can use them to add or remove memberships to or from the VLANs When a port is forbidd...

Page 244: ...ttings page Each port or LAG appears with its current registration to the VLAN STEP 3 Change the registration of an interface to the VLAN by selecting its Interface Name in the list of interfaces The following fields are displayed VLAN Mode Displays port type of ports in the VLAN Membership Type Select one of the following options Forbidden The interface is not allowed to join the VLAN even from G...

Page 245: ...except guest and unauthenticated ones In the VLAN to Port page the port is marked with an upper case P When the port is authenticated it receives membership in the VLAN in which it was configured NOTE VLAN IS mode is supported This means that port VLAN membership can be configured ahead of time for various VLAN modes When the port is put into the specific VLAN mode the configuration becomes active...

Page 246: ...be a member of this VLAN Tagged VLANs When the port is in Trunk mode it will be a member of these VLANs The following options are possible All VLANs When the port is in Trunk mode it will be a member of all VLANs User Defined When the port is in Trunk mode it will be a member of the VLANs that are entered here General Mode Membership Untagged VLANs When the port is in General mode it will be an un...

Page 247: ...e private VLANs that have been defined To create a new private VLAN STEP 1 Click VLAN Management Private VLAN Settings STEP 2 Click the Add button STEP 3 Enter the values for the following fields Primary VLAN ID Select a VLAN to be defined as the primary VLAN in the private VLAN The primary VLAN is used to allow Layer 2 connectivity from promiscuous ports to isolated ports and to community ports I...

Page 248: ...e GVRP Settings page GVRP must be activated globally as well as on each port When it is activated it transmits and receives GARP Packet Data Units GPDUs VLANs that are defined but not active are not propagated To propagate the VLAN it must be up on at least one port By default GVRP is disabled globally and on ports GVRP Settings To define GVRP settings for an interface STEP 1 Click VLAN Management...

Page 249: ...s VLAN groups If several classifications schemes are defined packets are assigned to a VLAN in the following order TAG If the packet is tagged the VLAN is taken from the tag MAC Based VLAN If a MAC based VLAN has been defined the VLAN is taken from the source MAC to VLAN mapping of the ingress interface Protocol Based VLAN If a protocol based VLAN has been defined the VLAN is taken from the Ethern...

Page 250: ... manually assign it to the VLAN using the Port to VLAN page MAC based VLAN Groups See Table1 for a description of the availability of this feature To assign a MAC address to a VLAN Group STEP 1 Click VLAN Management VLAN Groups MAC Based Groups STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Enter a MAC address to be assigned to a VLAN group NOTE This MAC address cann...

Page 251: ...group is forwarded STEP 4 Click Apply to set the mapping of the VLAN group to the VLAN This mapping does not bind the interface dynamically to the VLAN the interface must be manually added to the VLAN Protocol based VLANs Groups of protocols can be defined and then bound to a port After the protocol group is bound to a port every packet originating from a protocol in the group is assigned the VLAN...

Page 252: ...ct the Ethernet Type LLC SNAP rfc1042 If this is selected enter the Protocol Value LLC If this is selected select the DSAP SSAP Values Ethernet Type Select the Ethernet type for Ethernet V2 encapsulation This is the two octet field in the Ethernet frame used to indicate which protocol is encapsulated in the payload of the Ethernet packet for the VLAN group Protocol Value Enter the protocol for LLC...

Page 253: ...sed group Group ID Protocol group ID VLAN ID Attaches the interface to a user defined VLAN ID STEP 4 Click Apply The protocol ports are mapped to VLANs and written to the Running Configuration file Voice VLAN In a LAN voice devices such as IP phones VoIP endpoints and voice systems are placed into the same VLAN This VLAN is referred as the voice VLAN If the voice devices are in different voice VLA...

Page 254: ... determined by the network configuration There may or may not be separate voice and data VLANs The phones and VoIP endpoints register with an on premise IP PBX IP Centrex ITSP hosted Cisco CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model For this model the VLAN used by the phones is determined by the network configuration There may or may not be separate voice and data VLA...

Page 255: ...phony OUI In Telephony OUI mode the voice VLAN must be a manually configured VLAN and cannot be the default VLAN When the device is in Telephony OUI mode and a port is manually configured as a candidate to join the voice VLAN the device dynamically adds the port to the voice VLAN if it receives a packet with a source MAC address matching to one of the configured telephony OUIs An OUI is the first ...

Page 256: ...ets are possible Auto Voice VLAN Auto Smartports CDP and LLDP Defaults By factory defaults CDP LLDP and LLDP MED on the device are enabled auto Smartport mode is enabled Basic QoS with trusted DSCP is enabled and all ports are members of default VLAN 1 which is also the default Voice VLAN In addition Dynamic Voice VLAN mode is the default to Auto Voice VLAN with enabling based on trigger and Auto ...

Page 257: ...cting the device to a Cisco UC device you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device advertises its voice VLAN in CDP at the port It synchronizes the voice VLAN related parameters with other Auto Voice VLAN enabled switches using Voice Service Discovery Protocol VSDP The device always configures itself with the voice VLAN from th...

Page 258: ...ro is phone desktop Voice VLAN QoS Voice VLAN can propagate the CoS 802 1p and DSCP settings by using LLDP MED Network policies The LLDP MED is set by default to response with the Voice QoS setting if an appliance sends LLDP MED packets MED supported devices must send their voice traffic with the same CoS 802 1p and DSCP values as received with the LLDP MED response You can disable the automatic u...

Page 259: ...that have joined the Voice VLAN and to static ports The voice flow is accepted if the MAC address can be learned by the Forwarding Database FDB If there is no free space in FDB no action occurs Voice VLAN Workflows The device default configuration on Auto Voice VLAN Auto Smartports CDP and LLDP cover most common voice deployment scenarios This section describes how to deploy voice VLAN when the de...

Page 260: ...hony OUI NOTE If the device is currently in Auto Voice VLAN mode you must disable it before you can enable Telephony OUI STEP 2 Configure Telephony OUI in the Telephony OUI Table page STEP 3 Configure Telephony OUI VLAN membership for ports in the Telephone OUI Interface page Voice VLAN Configuration This section describes how to configure voice VLAN It covers the following topics Voice VLAN Prope...

Page 261: ...N Activation triggered by external Voice VLAN is selected then the default values need to be maintained CoS 802 1p Select a CoS 802 1p value that to be used by LLDP MED as a voice network policy Refer to Administration Discovery LLDP LLDP MED Network Policy for additional details DSCP Selection of DSCP values that to be used by the LLDP MED as a voice network policy Refer to Administration Discove...

Page 262: ...ed from external sources STEP 3 Click Apply The VLAN properties are written to the Running Configuration file Auto Voice VLAN Settings If Auto Voice VLAN mode is enabled use the Auto Voice VLAN page to view the relevant global and interface parameters You can also use this page to manually restart Auto Voice VLAN by clicking Restart Auto Voice VLAN After a short delay this resets the voice VLAN to...

Page 263: ... restart Auto Voice VLAN discovery on all the Auto Voice VLAN enabled switches in the LAN The Voice VLAN Local Source Table displays voice VLAN configured on the device as well as any voice VLAN configuration advertised by directly connected neighbor devices It contains the following fields Interface Displays the interface on which voice VLAN configuration was received or configured If N A appears...

Page 264: ...ce is the best local source No This is not the best local source STEP 3 Click Refresh to refresh the information on the page Telephony OUI OUIs are assigned by the Institute of Electrical and Electronics Engineers Incorporated IEEE Registration Authority Since the number of IP phone manufacturers is limited and well known the known OUI values cause the relevant frames and the port on which they ar...

Page 265: ...nfiguration of the device with these values The Telephony OUI table appears Telephony OUI First six digits of the MAC address that are reserved for OUIs Description User assigned OUI description STEP 3 Click Restore Default OUIs to delete all of the user created OUIs and leave only the default OUIs in the table The OUI information may not be accurate until the restoration is completed This may tak...

Page 266: ...identifier and to configure the OUI QoS mode of voice VLAN To configure Telephony OUI on an interface STEP 1 Click VLAN Management Voice VLAN Telephony OUI Interface The Telephony OUI Interface page contains voice VLAN OUI parameters for all interfaces STEP 2 To configure an interface to be a candidate port of the telephony OUI based voice VLAN click Edit STEP 3 Enter the values for the following ...

Page 267: ...rom the Multicast server while including the Multicast TV VLAN in the Multicast packet header For this reasons the network ports must be statically configured as the following Trunk or general port type see Interface Settings Member on the Multicast TV VLAN The subscriber receiver ports can be associated with the Multicast TV VLAN only if it is defined in one of the two following types Access port...

Page 268: ... then the software associates the IGMP packet with the Multicast TV VLAN Otherwise the IGMP message is associated to the access VLAN and the IGMP message is only forwarded within that VLAN The IGMP message is discarded if The STP RSTP state on the access port is discard The MSTP state for the access VLAN is discard The MSTP state for the Multicast TV VLAN is discard and the IGMP message is associa...

Page 269: ...address of the Multicast group Multicast TV VLAN VLAN to which the Multicast packets are assigned STEP 2 Click Add to associate a Multicast group to a VLAN Any VLAN can be selected When a VLAN is selected it becomes a Multicast TV VLAN STEP 3 Click Apply Multicast TV VLAN settings are modified and written to the Running Configuration file Receiver ports VLAN can be used to both send and receive tr...

Page 270: ...t TV VLAN A triple play service provisions three broadband services over a single broadband connection High speed Internet access Video Voice The triple play service is provisioned for service provider subscribers while keeping Layer 2 isolation between them Each subscriber has a CPE MUX box The MUX has multiple access ports that are connected to the subscriber s devices PC telephone and so on and...

Page 271: ...VLAN C Tag is the tag that determines the destination in the subscriber s network by the CPE MUX Workflow 1 Configure an access port as a customer port using the Interface Settings page See QinQ for more information 2 Configure the network port as a trunk or general port with subscriber and Multicast TV VLAN as tagged VLANS using the Interface Settings page 3 Create a Multicast TV VLAN with up to ...

Page 272: ... written to the Running Configuration file Port Multicast VLAN Membership The ports associated with the Multicast VLANs must be configured as customer ports see Interface Settings To map ports to Multicast TV VLANs STEP 1 Click VLAN Management Customer Port Multicast TV VLAN Port Multicast VLAN Membership STEP 2 Select a VLAN from Multicast TV VLAN STEP 3 Select an interface from Interface Type ST...

Page 273: ...oadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate paths exist between hosts Loops can cause switches to relay the same packets indefinitely resulting packets not arriv...

Page 274: ...e forwarded to the port that is blocked This is not an efficient usage of bandwidth as the blocked port will always be unused MSTP solves this problem by enabling several STP instances so that it is possible to detect and mitigate loops separately in each instance This enables a port to be blocked for one or more STP instances but non blocked for other STP instances If different VLANs are associat...

Page 275: ...value After exchanging BPDUs the device with the lowest priority becomes the Root Bridge In the case that all bridges use the same priority then their MAC addresses are used to determine the Root Bridge The bridge priority value is provided in increments of 4096 For example 4096 8192 12288 and so on Hello Time Set the interval in seconds that a Root Bridge waits between configuration messages Max ...

Page 276: ...earned by the protocol such as the designated bridge The defined configuration entered is valid for all flavors of the STP protocol To configure STP on an interface STEP 1 Click Spanning Tree STP Interface Settings STEP 2 Select an interface and click Edit STEP 3 Enter the parameters Interface Select the Port or LAG on which Spanning Tree is configured STP Enables or disables STP on the port Edge ...

Page 277: ...oot Guard enforces the position of the root bridge BPDU Guard Enables or disables the Bridge Protocol Data Unit BPDU Guard feature on the port The BPDU Guard enables you to enforce the STP domain borders and keep the active topology predictable The devices behind the ports that have BPDU Guard enabled cannot influence the STP topology At the reception of BPDUs the BPDU guard operation disables the...

Page 278: ...ath Cost Set the port contribution to the root path cost or use the default cost generated by the system Priority Set the priority value of the port The priority value influences the port choice when a bridge has two ports connected in a loop The priority is a value from 0 to 240 set in increments of 16 Port State Displays the current STP state of a port Disabled STP is currently disabled on the p...

Page 279: ...RSTP Interface Settings page enables you to configure RSTP per port Any configuration that is done on this page is active when the global STP mode is set to RSTP or MSTP To enter RSTP settings STEP 1 Click Spanning Tree STP Status and Global Settings STEP 2 Enable RSTP STEP 3 Click Spanning Tree RSTP Interface Settings The RSTP Interface Settings page appears STEP 4 Select a port NOTE Activate Pro...

Page 280: ...al status if the Point to Point Administrative Status is set to Auto Role Displays the role of the port that was assigned by STP to provide STP paths The possible roles are Root Lowest cost path to forward packets to the Root Bridge Designated The interface through which the bridge is connected to the LAN which provides the lowest cost path from the LAN to the Root Bridge Alternate Provides an alt...

Page 281: ...sses STEP 8 Click Apply The Running Configuration file is updated Multiple Spanning Tree Overview Multiple Spanning Tree Protocol MSTP is used to separate the STP port state between various domains on different VLANs For example while port A is blocked in one STP instance due to a loop on VLAN A the same port can be placed in the Forwarding State in another STP instance The MSTP Properties page en...

Page 282: ...idges outside of an MSTP region to see the region as a single RSTP bridge regardless of the number of MSTP bridges inside the region itself For two or more switches to be in the same MST region they must have the same VLANs to MST instance mapping the same configuration revision number and the same region name Switches intended to be in the same MST region are never separated by switches from anot...

Page 283: ...than one VLAN but each VLAN can only have one MST Instance attached to it Configuration on this page and all of the MSTP pages applies if the system STP mode is MSTP Up to 16 MST instances can be defined in addition to instance zero For those VLANs that are not explicitly mapped to one of the MST instances the device automatically maps them to the CIST Core and Internal Spanning Tree instance The ...

Page 284: ... an MST instance to be displayed and defined Included VLAN Displays the VLANs mapped to the selected instance The default mapping is that all VLANs are mapped to the common and internal spanning tree CIST instance 0 Bridge Priority Set the priority of this bridge for the selected MST instance Designated Root Bridge ID Displays the priority and MAC address of the Root Bridge for the MST instance Ro...

Page 285: ...nd click Edit STEP 5 Enter the parameters Instance ID Select the MST instance to be configured Interface Select the interface for which the MSTI settings are to be defined Interface Priority Set the port priority for the specified interface and MST instance Path Cost Enter the port contribution to the root path cost in the User Defined textbox or select Use Default to use the default value Port St...

Page 286: ...p The interface provides a backup path to the designated port path toward the Spanning Tree leaves Backup ports occur when two ports are connected in a loop by a point to point link Backup ports also occur when a LAN has two or more established connections to a shared segment Disabled The interface does not participate in the Spanning Tree Boundary The port on this instance is a boundary port It i...

Page 287: ...AN to the root Designated Cost Displays the cost of the port participating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects loops Remain Hops Displays the hops remaining to the next destination Forward Transitions Displays the number of times the port has changed from the Forwarding state to the Blocking state STEP 6 Click Apply The Running Configuration fil...

Page 288: ... arriving at the device is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the device before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the device the device searches for a corresponding matching destination MAC address entry in t...

Page 289: ... Click Add STEP 3 Enter the parameters VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface unit slot port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after rebooting Delete on...

Page 290: ...Settings To configure the aging time for dynamic addresses STEP 1 Click MAC Address Tables Dynamic Address Settings STEP 2 Enter Aging Time The aging time is a value between the user configured value and twice that value minus 1 For example if you entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Dynamic Addresses To query dynamic addres...

Page 291: ...rved MAC address STEP 1 Click MAC Address Tables Reserved MAC Addresses STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Select the MAC address to be reserved Frame Type Select a frame type based on the following criteria Ethernet V2 Applies to Ethernet V2 packets with the specific MAC address LLC Applies to Logical Link Control LLC packets with the specific MAC addres...

Page 292: ...Router Ports Forward All Unregistered Multicast Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel in the middle of a transmission an...

Page 293: ...dress If a Multicast client can receive Multicast traffic from any source of a specific Multicast group this is saved as G You can configure one of the following ways of forwarding Multicast frames MAC Group Address Based on the destination MAC address in the Ethernet frame NOTE One or more IP Multicast group addresses can be mapped to a MAC group address Forwarding based on the MAC group address ...

Page 294: ... enabled and receives a frame for a Multicast stream it forwards the Multicast frame to all the ports that have registered to receive the Multicast stream using IGMP MLD Join messages The system maintains lists of Multicast groups for each VLAN and this manages the Multicast information that each port should receive The Multicast groups and their receiving ports can be configured statically or lea...

Page 295: ...a specific Multicast group issue an IGMP MLD report that specifies which group s the host wants to join This results in the creation of a forwarding entry in the Multicast Forwarding Data Base IGMP Snooping Querier The IGMP MLD Snooping Querier is used to support a Layer 2 Multicast domain of snooping switches in the absence of a Multicast router For example where Multicast content is provided by ...

Page 296: ...5 Query Response Interval NOTE It is recommended to disable IGMP MLD Querier election mechanism if there is an IPM Multicast router on the VLAN Multicast Address Properties Multicast addresses have the following properties Each IPv4 Multicast address is in the address range 224 0 0 0 to 239 255 255 255 The IPv6 Multicast address is FF00 8 To map an IP Multicast group address to an Layer 2 Multicas...

Page 297: ...kets based upon that information The tree must be manually configured by designating upstream and downstream interfaces on each proxy device In addition the IP addressing scheme applied to the proxying tree topology should be configured to ensure that a proxy device can win the IGMP MLD Querier election to be able to forward Multicast traffic There should be no other Multicast routers except the p...

Page 298: ...To enable Multicast filtering and select the forwarding method STEP 1 Click Multicast Properties STEP 2 Enter the parameters Bridge Multicast Filtering Status Select to enable filtering VLAN ID Select the VLAN ID to set its forwarding method Forwarding Method for IPv6 Set one of the following forwarding methods for IPv6 addresses MAC Group Address IP Group Address or Source Specific IP Group Addre...

Page 299: ...ied the page contains all the MAC Group Addresses from the selected VLAN STEP 3 Click Go and the MAC Multicast group addresses are displayed in the lower block Entries that were created both in this page and in the IP Multicast Group Addresses page are displayed For those created in the IP Multicast Group Addresses page the IP addresses are converted to MAC addresses STEP 4 Click Add to add a stat...

Page 300: ...s updated NOTE Entries that were created in the IP Multicast Group Addresses page cannot be deleted in this page even if they are selected IP Multicast Group Addresses The IP Multicast Group Address page is similar to the MAC Group Address page except that Multicast groups are identified by IP addresses The IP Multicast Group Address page enables querying and adding IP Multicast groups To define a...

Page 301: ...eld If not the entry is added as a G entry an IP group address from any IP source Source IP Address Defines the source address to be included STEP 6 Click Apply The IP Multicast group is added and the device is updated STEP 7 To configure and display the registration of an IP group address select an address and click Details The VLAN ID IP Version IP Multicast Group Address and Source IP Address s...

Page 302: ...tify the device as an IGMP Snooping Querier on a VLAN STEP 1 Click Multicast IPv4 Multicast Configuration IGMP Snooping When IGMP Snooping is globally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs IGMP Snooping only if both IGMP snooping and Bridge Multicast filtering are enabled The IGMP Snooping Table is di...

Page 303: ...lays the IGMP queries from the Multicast router it deletes entries periodically if it does not receive any IGMP membership reports from the Multicast clients When enabled this feature reduces the time it takes to block unnecessary IGMP traffic sent to a device port Last Member Query Counter Number of IGMP group specific queries sent before the device assumes there are no more members for the group...

Page 304: ...nterval etc do not take effect on timers which were already created IGMP Interface Settings An interface that is defined as a Multicast router port receives all IGMP packets reports and queries as well as all Multicast data To define IGMP on an interface STEP 1 Click Multicast IPv4 Multicast Configuration IGMP Interface Settings The following fields are displayed for each interface on which IGMP i...

Page 305: ...of the fields described above STEP 3 Click Apply The Running Configuration file is updated IGMP VLAN Settings To configure IGMP on a specific VLAN STEP 1 Click Multicast IPv4 Multicast Configuration IGMP VLAN Settings The following fields are displayed for each VLAN on which IGMP is enabled Interface Name VLAN on which IGMP snooping is defined Router IGMP Version Version of IGMP Snooping Query Rob...

Page 306: ...ply The Running Configuration file is updated IGMP Proxy To configure IGMP Proxy STEP 1 Click Multicast IPv4 Multicast Configuration IGMP Proxy STEP 2 Enter the following global fields IGMP Multicast Routing Select to enable IPv4 Multicast routing Downstream Protection Select to discard downstream packets not required for the device Source Specific Multicast Select to enable delivering Multicast p...

Page 307: ...v4 Multicast traffic from downstream interfaces Enable This enables forwarding from downstream interfaces The following fields are displayed for each IPv4 Multicast route Source Address Unicast source IPv4 address Group Address Multicast destination IPv4 address Incoming Interface Expected interface for a Multicast packet from the source If the packet is not received on this interface it is discar...

Page 308: ...y enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering are enabled The MLD Snooping Table is displayed The fields displayed are described in the Edit page below In addition the following fields are displayed MLD Snooping Status Displays whether ML...

Page 309: ... clients When enabled this feature reduces the time it takes to block unnecessary MLD traffic sent to a device port Last Member Query Counter Number of MLD group specific queries sent before the device assumes there are no more members for the group if the device is the elected querier Use Query Robustness This value is set in MLD Interface Settings page User Defined Enter a user defined value MLD...

Page 310: ...as well as all Multicast data To configure an interface as a Multicast router interface STEP 1 Click Multicast IPv6 Multicast Configuration MLD Interface Settings The following fields are displayed for each interface on which MLD is enabled Router MLD Version MLD version of the Multicast router Query Robustness Enter the number of expected packet losses on a link Query Interval sec Interval betwee...

Page 311: ...tion MLD VLAN Settings The following fields are displayed for each VLAN on which is enabled Interface Name VLAN for which MLD information is being displayed Router MLD Version Version of MLD router Query Robustness Enter the number of expected packet losses on a link Query Interval sec Interval between the General Queries to be used if this device is the elected querier Query Max Response Interval...

Page 312: ...ds MLD Multicast Routing Select to enable IPv6 Multicast routing Downstream Protection Select to discard downstream packets not required for the device Source Specific Multicast Select to enable delivering Multicast packets originating from a specific source address defined in the next field SSM IPv6 Access List Define the list containing source addresses from which to deliver Multicast packets De...

Page 313: ...ulticast route Source Address Unicast source IPv4 address Group Address Multicast destination IPv4 address Incoming Interface Expected interface for a Multicast packet from the source If the packet is not received on this interface it is discarded Outgoing Interfaces Interfaces through which packets will be forwarded Uptime Length of time in hours minutes and seconds that the entry has been in the...

Page 314: ...this page To query for a IP Multicast group STEP 1 Click Multicast IGMP MLD Snooping IP Multicast Group STEP 2 Set the type of snooping group for which to search IGMP or MLD STEP 3 Enter some or all of following query filter criteria Group Address equals to Defines the Multicast group MAC address or IP address to query Source Address equals to Defines the sender address to query VLAN ID equals to ...

Page 315: ... described IP Version equals to Select the IP version that the Multicast router supports Interface Type equals to Select whether to display ports or LAGs STEP 3 Click Go The interfaces matching the query criteria are displayed STEP 4 For each port or LAG select its association type The options are as follows Static The port is statically configured as a Multicast router port Dynamic Display only T...

Page 316: ...he devices connecting to the port do not support IGMP and or MLD Multicast packets excluding IGMP and MLD messages are always forwarded to ports that are defined as Forward All The configuration affects only the ports that are members of the selected VLAN To define Forward All Multicast STEP 1 Click Multicast Forward All STEP 2 Define the following VLAN ID equals to The VLAN ID the ports LAGs are ...

Page 317: ...on is valid for any VLAN of which the port is a member or will be a member To define unregistered Multicast settings STEP 1 Click Multicast Unregistered Multicast STEP 2 Select the Interface Type equals to To view either ports or LAGs STEP 3 Click Go STEP 4 Define the following Port LAG Displays the port or LAG ID Displays the forwarding status of the selected interface The possible values are For...

Page 318: ... DHCPv4 client and sends out a DHCPv4 request during boot up If the device receives a DHCPv4 response from the DHCPv4 server with an IPv4 address it sends Address Resolution Protocol ARP packets to confirm that the IP address is unique If the ARP response shows that the IPv4 address is in use the device sends a DHCPDECLINE message to the offering DHCP server and sends another DHCPDISCOVER packet t...

Page 319: ...ng a Loopback Interface Overview The loopback interface is a virtual interface whose operational state is always up If the IP address that is configured on this virtual interface is used as the local address when communicating with remote IP applications the communication will not be aborted even if the actual route to the remote application was changed The operational state of a loopback interfac...

Page 320: ...he following Add a loopback interface in IP Configuration IPv6 Management and Interfaces IPv6 Interface Configure the IPv6 address of that interface in the IPv6 Addresses page IPv4 Management and Interfaces This section covers the following topics IPv4 Interface IPv4 Routes RIPv2 Access Lists VRRP ARP ARP Proxy UDP Relay IP Helper DHCPv4 Snooping Relay DHCP Server IPv4 Interface The IPv4 Interface...

Page 321: ...P 3 Click Apply The parameter is saved to the Running Configuration file This page displays the following fields in the IPv4 Interface Table Interface Interface for which the IP address is defined This can also be the out of band port IP Address Type The available options are DHCP Received from DHCP server Static Entered manually Static interfaces are non DHCP interfaces that were created by the u...

Page 322: ...om the list IP Address Type Select one of the following options Dynamic IP Address Receive the IP address from a DHCP server Static IP Address Enter the IP address IP Address Enter the IP address of the interface STEP 6 If Static IP Address was selected enter the Mask field Network Mask IP mask for this address Prefix Length Length of the IPv4 prefix STEP 7 Click Apply The IPv4 address settings ar...

Page 323: ...ollowing fields are displayed for each entry Destination IP Prefix Destination IP address prefix Prefix Length IP route prefix for the destination IP Route Type Whether the route is a local reject or remote route Next Hop Router IP Address The next hop IP address or IP alias on the route Route Owner This can be one of the following options Default Route was configured by default system configurati...

Page 324: ...ensures that if a frame arrives with the destination IP of this route it is dropped Remote Indicates that the route is a remote path Next Hop Router IP Address Enter the next hop IP address or IP alias on the route NOTE You cannot configure a static route through a directly connected IP subnet where the device gets its IP address from a DHCP server Metric Enter the administrative distance to the n...

Page 325: ...agement and Interfaces ARP STEP 2 Enter the parameters ARP Entry Age Out Enter the number of seconds that dynamic addresses can remain in the ARP table A dynamic address ages out after the time it is in the table exceeds the ARP Entry Age Out time When a dynamic address ages out it is deleted from the table and only returns when it is relearned Clear ARP Table Entries Select the type of ARP entrie...

Page 326: ...work NOTE The ARP proxy feature is only available when the device is in L3 mode The ARP Proxy is aware of the destination of traffic and offers another MAC address in reply Serving as an ARP Proxy for another host effectively directs LAN traffic destination to the host The captured traffic is then typically routed by the Proxy to the intended destination by using another interface or by using a tu...

Page 327: ...o where the device is to relay UDP Broadcast packets based on a configured UDP destination port The interface must be one of the IPv4 interfaces configured on the device STEP 4 Enter the UDP Destination Port number for the packets that the device is to relay Select a well known port from the drop down list or click the port radio button to enter the number manually STEP 5 Enter the Destination IP ...

Page 328: ...trusted in the Interface Settings page DHCPv4 Relay Overview DHCP Relay relays DHCP packets to the DHCP server The device can relay DHCP messages received from VLANs that do not have IP addresses Whenever DHCP Relay is enabled on a VLAN without an IP address Option 82 is inserted automatically This insertion is in the specific VLAN and does not influence the global administration state of Option 8...

Page 329: ...VLAN In this case a regular bridging passes the DHCP messages between DHCP client and DHCP server DHCP client and DHCP server are connected to different VLANs In the case only DHCP Relay can and does broadcast DHCP messages between DHCP client and DHCP server Unicast DHCP messages are passed by regular routers and therefore if DHCP Relay is enabled on a VLAN without an IP address an external route...

Page 330: ...ption 82 Bridge no Option 82 is sent Packet is sent with the original Option 82 Relay is sent with Option 82 Bridge no Option 82 is sent Relay discards the packet Bridge Packet is sent with the original Option 82 DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Opti...

Page 331: ... Snooping is not enabled Packet is sent with the original Option 82 Relay is sent with Option 82 Bridge Option 82 is inserted if port is trusted behaves as if DHCP Snooping is not enabled Relay discards the packet Bridge Packet is sent with the original Option 82 DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet...

Page 332: ...es in device packet is sent without Option 82 2 If reply does not originate in device packet is discarded Bridge Packet is sent with the original Option 82 Option 82 insertion enabled Packet is sent without Option 82 Relay Packet is sent without Option 82 Bridge Packet is sent with the Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay Packet is sent without Option 82...

Page 333: ...t if it exists DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet is sent without Option 82 Packet is sent with the original Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay 1 If reply origi...

Page 334: ...ult How the DHCP Snooping Binding Database is Built The following describes how the device handles DHCP packets when both the DHCP client and DHCP server are trusted The DHCP Snooping Binding database is built in this process DHCP Trusted Packet Handling The actions are STEP 1 Device sends DHCPDISCOVER to request an IP address or DHCPREQUEST to accept an IP address and lease STEP 2 Device snoops p...

Page 335: ...warded to trusted interfaces only DHCPOFFER Filter Forward the packet according to DHCP information If the destination address is unknown the packet is filtered DHCPREQUEST Forward to trusted interfaces only Forward to trusted interfaces only DHCPACK Filter Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database DHCPNAK Filter Same as DHCPOFFER Remove entry if exists DHCPDECL...

Page 336: ...d DHCP Relay default options Configuring DHCP Work Flow To configure DHCP Relay and DHCP Snooping STEP 1 Enable DHCP Snooping and or DHCP Relay in the Properties page STEP 2 Define the interfaces on which DHCP Snooping is enabled in the Interface Settings page DHCPRELEASE Same as DHCPDECLINE Same as DHCPDECLINE DHCPINFORM Forward to trusted interfaces only Forward to trusted interfaces only DHCPLE...

Page 337: ...nooping is enabled the following options can be enabled Option 82 Pass Through Select to leave foreign Option 82 information when forwarding packets Verify MAC Address Select to verify that the source MAC address of the Layer 2 header matches the client hardware address as appears in the DHCP Header part of the payload on DHCP untrusted ports Backup Database Select to back up the DHCP Snooping Bin...

Page 338: ...e trusted To designate an interface as untrusted STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay DHCP Snooping Trusted Interfaces STEP 2 Select the interface and click Edit STEP 3 Select Trusted Interface Yes or No STEP 4 Click Apply to save the settings to the Running Configuration file DHCP Snooping Binding Database See How the DHCP Snooping Binding Database is B...

Page 339: ... Database To see a subset of entries in the DHCP Snooping Binding database enter the relevant search criteria and click Go The fields in the DHCP Snooping Binding Database are displayed These are described in the Add page except for the IP Source Guard field Status Active IP Source Guard is active on the device Inactive IP Source Guard is not active on the device Reason No Problem No Resource No S...

Page 340: ...bles you to configure the device as a DHCPv4 server A DHCPv4 server is used to assign IPv4 address and other information to another device DHCP client The DHCPv4 server allocates IPv4 addresses from a user defined pool of IPv4 addresses These can be in the following modes Static Allocation The hardware address or client identifier of a host is manually mapped to an IP address This is done in the S...

Page 341: ...ing the Properties page STEP 2 If there are any IP addresses that you do not want to be assigned configure them using the Excluded Addresses page STEP 3 Define up to 8 network pools of IP addresses using the Network Pool page STEP 4 Configure clients that will be assigned a permanent IP address using the Static Hosts page STEP 5 Configure the required DHCP options in the DHCP Options page This con...

Page 342: ...ious clients within that subnet When a client requests an IP address the device as DHCP server allocates an IP address according to the following Directly Attached Client The device allocates an address from the network pool whose subnet matches the subnet configured on the device s IP interface from which the DHCP request was received If the message arrived directly not via DHCP Relay the pool is...

Page 343: ...the pool s network mask Prefix Length Check and enter the number of bits that comprise the address prefix Address Pool Start Enter the first IP address in the range of the network pool Address Pool End Enter the last IP address in the range of the network pool Lease Duration Enter the amount of time a DHCP client can use an IP address from this pool You can configure a lease duration of up to 49 7...

Page 344: ...s used to register and resolve NetBIOS names M node first uses b node then if necessary p node M node is typically not the best choice for larger networks because its preference for b node Broadcasts increases network traffic Peer to Peer Point to point communications with a NetBIOS name server are used to register and resolve computer names to IP addresses Broadcast IP Broadcast messages are used...

Page 345: ...excluded IP addresses End IP Address Last IP address in the range of excluded IP addresses STEP 3 Click Apply The Running Configuration file is updated Static Hosts You might want to assign some DHCP clients a permanent IP address that never changes This client is then known as a static host To manually allocate a permanent IP address to a specific client STEP 1 Click IP Configuration IPv4 Managem...

Page 346: ... to the static host NetBIOS Node Type Option 46 Select how to resolve the NetBIOS name Valid node types are Hybrid A hybrid combination of b node and p node is used When configured to use h node a computer always tries p node first and uses b node only if p node fails This is the default Mixed A combination of b node and p node communications is used to register and resolve NetBIOS names M node fi...

Page 347: ...page When a client DHCP packet is received containing option 66 the TFTP server is returned as the value of option 66 To configure one or more DHCP options STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Server DHCP Options The previously configured DHCP options are displayed STEP 2 To configure an option that has not been configured yet and enter the field DHCP Server Pool Name ...

Page 348: ...pe is not Boolean enter the value to be sent for this code Description Enter a text description for documentation purposes STEP 4 Click Apply The Running Configuration file is updated Address Binding Use the Address Binding page to view and remove the IP addresses allocated by the device and their corresponding MAC addresses To view and or remove address bindings STEP 1 Click IP Configuration IPv4...

Page 349: ...tate The possible options are Allocated IP address has been allocated When a static host is configured its state is allocated Declined IP address was offered but not accepted therefore it is not allocated Expired The lease of the IP address has expired Pre Allocated An entry will be in pre allocated state from the time between the offer and the time that the DHCP ACK is sent from the client Then i...

Page 350: ...r an IPv4 only network This mechanism called a tunnel enables IPv6 only hosts to reach IPv4 services and enables isolated IPv6 hosts and networks to reach an IPv6 node over the IPv4 infrastructure Tunneling uses either an ISATAP or manual mechanism see IPv6 Tunnel Tunneling treats the IPv4 network as a virtual IPv6 local link with mappings from each IPv4 address to a link local IPv6 address The de...

Page 351: ...ically derived using Network Discovery However the user may override and supplement this by adding manually entries to the Neighbors table IPv6 Global Configuration To define IPv6 global parameters and DHCPv6 client settings STEP 1 Click IP Configuration IPv6 Management and Interfaces IPv6 Global Configuration STEP 2 Enter values for the following fields IPv6 Routing Select to enable IPv6 routing ...

Page 352: ...entifier selected STEP 3 Click Apply The IPv6 global parameters and DHCPv6 client settings are updated IPv6 Interfaces An IPv6 interface can be configured on a port LAG VLAN loopback interface or tunnel As opposed to other types of interfaces a tunnel interface is first created in the IPv6 Tunnel page and then IPv6 interface is configured on the tunnel in this page To define an IPv6 interface STEP...

Page 353: ...indicates how often the device will refresh information received from the DHCPv6 server If this option is not received from the server the value entered here is used Select either Infinite no refresh unless the server sends this option or User Defined to set a value STEP 7 To configure additional IPv6 parameters enter the following fields IPv6 Address Auto Configuration Select to enable automatic ...

Page 354: ...0 To add a tunnel select an interface which was defined as a tunnel in the IPv6 Interfaces page in the IPv6 Tunnel Table and click IPv6 Tunnel Table See IPv6 Tunnel STEP 11 Press the Restart button to initiate refresh of the stateless information received from the DHCPv6 server DHCPv6 Client Details The Details button displays information received on the interface from a DHCPv6 server It is active...

Page 355: ...iguration server received from the DHCPv6 server IPv6 Tunnel Tunnels enable transmission of IPv6 packets over IPv4 networks Each tunnel has a source IPv4 address and if it is a manual tunnel it also has a destination IPv4 address The IPv6 packet is encapsulated between these addresses NOTE Only the IPv6 management interface can be tunneled To create an IPv6 tunnel define an IPv6 interface as a tun...

Page 356: ...stination IPv4 address is provided by the router Note that An IPv6 link local address is assigned to the ISATAP interface The initial IP address is assigned to the interface which is then activated If an ISATAP interface is active the ISATAP router IPv4 address is resolved via DNS by using ISATAP to IPv4 mapping If the ISATAP DNS record is not resolved ISATAP host name to address mapping is search...

Page 357: ...ter creating a tunnel configure IPv6 interface as a tunnel in the IPv6 Interfaces page To configure an IPv6 tunnel STEP 1 Click IP Configuration IPv6 Management and Interfaces IPv6 Tunnel STEP 2 Enter the ISATAP Parameters Solicitation Interval The number of seconds between ISATAP router solicitations messages when no active ISATAP router is discovered The interval can be the Default Value or a Us...

Page 358: ...IPv4 interfaces as the source address for packets sent on the tunnel interface IPv4 Address Specifies the IPv4 address to use as the source address for packets sent on the tunnel interface The local address of the tunnel interface is not changed when the IPv4 address is moved to another interface NOTE If the IPv4 address is changed the local address of the tunnel interface is also changed Interfac...

Page 359: ... an IPv6 Interface STEP 1 Click IP Configuration IPv6 Management and Interfaces IPv6 Addresses STEP 2 To filter the table select an interface name and click Go The interface appears in the IPv6 Address Table STEP 3 Click Add STEP 4 Enter values for the fields IPv6 Interface Displays the interface on which the IPv6 address is to be defined If an is displayed this means that the IPv6 interface is no...

Page 360: ...ch address must be a valid IPv6 address that is specified in hexadecimal format by using 16 bit values separated by colons The following types of addresses can be added to various types of tunnels To manual tunnels Global or Anycast address To ISATAP tunnels Global address with EUI 6 6to4 tunnels None Prefix Length The length of the Global IPv6 prefix is a value from 0 128 indicating the number of...

Page 361: ...l when for example two routers on a link provide equivalent but not equal cost routing and policy may dictate that hosts should prefer one of the routers Include Advertisement Interval Option Select to indicate that an advertisement option will be used by the system This option indicates to a visiting mobile node the interval at which that node may expect to receive router advertisements The node ...

Page 362: ... router advertisements User Defined or select Use Default to user the system default NOTE The minimum RA interval may never be more than 75 of the maximum RA interval and never less than 3 seconds Router Advertisement Lifetime Enter the remaining length of time in seconds that this router will continue to be useful as a default router A value of zero indicates that it is no longer useful as a defa...

Page 363: ...4 967 295 which represents infinity User Defined Enter a value Preferred Lifetime The remaining length of time in seconds that this prefix will continue to be preferred After this time has passed the prefix should no longer be used as a source address in new communications but packets received on such an interface are processed as expected The preferred lifetime must not be larger than the valid l...

Page 364: ... default router for non local traffic it may be empty The device randomly selects a router from the list The device supports one static IPv6 default router Dynamic default routers are routers that have sent router advertisements to the device IPv6 interface When adding or deleting IP addresses the following events occur When removing an IP interface all the default router IP addresses are removed ...

Page 365: ...onfiguration Point to Point A Point to point tunnel Interface Displays the outgoing Link Local interface Default Router IPv6 Address The IP address of the static default router Metric Enter the cost of this hop STEP 4 Click Apply The default router is saved to the Running Configuration file IPv6 Neighbors The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv...

Page 366: ...fied IPv6 address Type Neighbor discovery cache information entry type static or dynamic State Specifies the IPv6 neighbor status The values are Incomplete Address resolution is working The neighbor has not yet responded Reachable Neighbor is known to be reachable Stale Previously known neighbor is unreachable No action is taken to verify its reachability until traffic must be sent Delay Previousl...

Page 367: ...try consists of an IP address and a bit mask The IP address can be for a classful network a subnet or a single host route The bit mask is a number from 1 to 32 Prefix lists are configured to filter traffic based on a match of an exact prefix length or a match within a range when the ge and le keywords are used The Greater Than and Lower Than parameters are used to specify a range of prefix lengths...

Page 368: ...fined Puts the new IPV6 prefix into the place specified by the parameter If an entry with the number exists it is replaced by the new one Rule Type Enter the rule for the prefix list Permit Permits networks that matches the condition Deny Denies networks that matches the condition Description Text IPv6 Prefix IP route prefix Prefix Length IP route prefix length Greater Than Minimum prefix length t...

Page 369: ... action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the access list STEP 3 Click Apply The settings are written to the Running Configuration file IPv6 Routes The IPv6 Forwarding Table contains the various routes that have been configured One of these routes is...

Page 370: ...ion only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks Point to Point A Point to point tunnel Metric Value used for comparing this route to other routes with the same destinat...

Page 371: ... Global Destinations Packets are always relayed to these DHCPv6 servers Interface List This is a per interface list of DHCPv6 servers When a DHCPv6 packet is received on an interface the packet is relayed both to the servers on the interface list if it exists and to the servers on the global destination list Dependencies with Other Features The DHCPv6 client and DHCPv6 relay functions are mutually...

Page 372: ...add a DHCPv6 server for an interface click Add Enter the fields Source Interface Select the interface port LAG VLAN or tunnel for which DHCPv6 Relay is enabled Use Global Destinations Only Select to forward packets to the DHCPv6 global destination servers only IPv6 Address Type Enter the type of the destination address to which client messages are forwarded The address type can be Link Local Globa...

Page 373: ... for DNS server Disabled No DNS server will be defined Server IP Address If you selected By IP Address above enter the IP address of the DNS server Default Domain Name Enter the DNS domain name used to complete unqualified host names The device appends this to all non fully qualified domain names NFQDNs turning them into FQDNs NOTE Do not include the initial period that separates an unqualified na...

Page 374: ...on the device STEP 4 Click Apply The Running Configuration file is updated The DNS Server Table displays the following information for each DNS server configured DNS Server The IP address of the DNS server Preference Each server has a preference value a lower value means a higher chance of being used Source Source of the server s IP address static or DHCPv4 or DHCPv6 Interface Interface of the ser...

Page 375: ...in the DNS Settings page and dynamic entries received from DHCPv4 and DHCPv6 servers To view the domain names that have been configured on the device click IP Configuration Domain Name System Search List The following fields are displayed for each DNS server configured on the device Domain Name Name of domain that can be used on the device Source Source of the server s IP address static or DHCPv4 ...

Page 376: ...lect the Clear Table option to clear some or all of the entries in the Host Mapping Table Static Only Deletes the static hosts Dynamic Only Deletes the dynamic hosts All Dynamic Static Deletes the static and dynamic hosts The Host Mapping Table displays the following fields Host Name User defined host name or fully qualified name IP Address The host IP address IP Version IP version of the host IP ...

Page 377: ...f a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select the interface through which it is received Host Name Enter a user defined host name or fully qualified name Host names are restri...

Page 378: ...nd update their routes based on advertisements but do not advertise Typically routers run RIP in active mode while hosts use passive mode The default gateway is a static route and it is advertised by RIP in the same way as all other static routers if it is enabled by configuration When IP Routing is enabled RIP works fully When IP Routing is disabled RIP works in the passive mode meaning that it o...

Page 379: ...outing is disabled RIP messages are not sent although when RIP messages are received they are used to update the routing table information NOTE RIP can only be defined on manually configured IP interfaces meaning that RIP cannot be defined on an interface whose IP address was received from a DHCP server or whose IP address is the default IP address Offset Configuration A RIP message includes a met...

Page 380: ...rA is higher via router rC additional 4 to the cost path as opposed to the path via router rB additional 2 to the cost path Therefore forwarding traffic via routing rB is preferred To achieve this you configure a different offset metric value on each interface based on its line speed See Offset Configuration for more information Passive Mode Transmission of routing update messages over a specific ...

Page 381: ... listing every possible network in the routing updates when one or more closely connected routers in the system are prepared to transfer traffic to the networks that are not listed explicitly These routers create RIP entries for the address 0 0 0 0 just as if it were a network to which they are connected You can enable the default route advertisement and configure it with a given metric Redistribu...

Page 382: ...e metric value of a route is equal to or less than 15 this value is used in the RIP protocol when advertising this route If the metric value of a static route is greater than 15 the route is not advertised to other routers using RIP User Defined Metric Causes RIP to use the metric value entered by the user Using RIP in Network with Non Rip Devices Static route configuration and connected interface...

Page 383: ...ent along with the route to another router The receiving router compares this key to its own configured key If they are the same it accepts the route MD5 Uses MD5 digest authentication Each router is configured with a set of secret keys This set is called a key chain Each key chain consists of one or more keys Each key has an identifying number key identifier key string and optionally a send lifet...

Page 384: ...l actions if these are not performed default values are used by the system Enable disable RIP to advertise static or connected routes and its metric on the IP interface using the RIPv2 Properties page Configure the offset added to the metric for incoming routes on an IP interface using theRIPv2 Settings page Enable passive mode on an IP interface using the RIPv2 Settings page Control which routes ...

Page 385: ... the value of the default metric refer to Redistribution Feature STEP 3 Redistribute Static Route Select to enable this feature described in Redistribution Feature STEP 4 If Redistribute Static Route is enabled select an option for the Redistribute Static Metric field The following options are available Default Metric Causes RIP to use the default metric value for the propagated static route confi...

Page 386: ...l when advertising this static route If the metric value of a static route is greater than 15 the static route is not advertised to other routers using RIP User Defined Metric Enter the value of the metric STEP 7 Click Apply The settings are written to the Running Configuration file RIPv2 Settings To configure RIP on an IP interface STEP 1 Click IP Configuration RIPv2 RIPv2 Settings STEP 2 RIP par...

Page 387: ...ute on this RIP interface Default Route Advertisement Metric Enter the metric for the default route for this interface Authentication Mode RIP authentication state enable disable on a specified IP interface The following options are available None There is no authentication performed Text The key password entered below is used for authentication MD5 The MD5 digest of the key chain selected below i...

Page 388: ...f IP addresses of RIP outgoing routes filtering for a specified IP interface See Access List Settingsfor a description of access lists STEP 3 Click Apply The settings are written to the Running Configuration file Displaying RIPv2 Statistic Counters To view the RIP statistical counters for each IP address STEP 1 Click IP Configuration RIPv2 RIPv2 Statistics The following fields are displayed IP Int...

Page 389: ...outes Received Specifies the number of bad routes received and identified by RIP on the IP interface Bad routes mean that the route parameters are incorrect For example the IP destination is a Broadcast or the metric is 0 or greater than 16 Last Updated Indicates the last time RIP received RIP routes from the remote IP address STEP 2 To clear all counters click Clear All Interface Counters Access ...

Page 390: ...P address Source IPv4 Mask Enter the source IPv4 address mask type and value The following options are available Network Mask Enter the network mask Prefix Length Enter the prefix length Action Select an action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the a...

Page 391: ...cluded User Defined Enter an IP address Source IPv4 Mask Source IPv4 address mask type and value The following options are available Network Mask Enter the network mask for example 255 255 0 0 Prefix Length Enter the prefix length Action Action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packe...

Page 392: ... paths in the network In VRRP one physical router in a virtual router is elected as the master with the other physical router of the same virtual router acting as backups in case the master fails The physical routers are referred as VRRP routers The default gateway of a participating host is assigned to the virtual router instead of a physical router If the physical router that is routing packets ...

Page 393: ...r As the virtual router master Router A controls the IP address of the virtual router and is responsible to route packets on behalf of the virtual router Clients 1 through 3 are configured with the default gateway IP address of 198 168 2 1 Client 4 is configured with the default gateway IP address of 198 168 2 2 NOTE The VRRP router that is the IP address owner responds processes packets whose des...

Page 394: ...ster again During the period that the master is recovering both masters forwards packets and as a result there is some duplication regular behavior but no interruption For more detail on the roles that VRRP routers play and what happens if the virtual router master fails see VRRP Router Priority and Preemption The following shows a LAN topology in which VRRP is configured Routers A and B share the...

Page 395: ...ame virtual router must be configured with all the information relating to the virtual router including its VRID Virtual routers should be enabled on the device only when IP routing is also enabled on the device You can configure a VRRP router to participate in one or more virtual routers either by using CLI commands or through the web GUI as described in the Configuring VRRP section To configure ...

Page 396: ...OTE When both VRRPv2 and VRRPv3 are enabled on a VRRP router the VRRP router transmits both VRRPv2 and VRRPv3 packets According to VRRPv3 standards enabling both VRRPv2 and VRRPv3 should be done when upgrading from v2 to v3 Mixing the two versions should not be considered as a permanent solution Please refer to the VRRPv3 standard for details on VRRPv2 and VRRPv3 inter operation Virtual Router IP ...

Page 397: ... a virtual router uses their own IP address as the source IP address in their outgoing VRRP messages for the virtual router VRRP routers of the same virtual router communicate to each other in VRRP messages If a VRRP router is the owner of the IP address of the virtual router then IP address is one of the virtual router IP addresses If a VRRP router is not the owner of the IP address of the virtua...

Page 398: ...a VRRP router is configured with higher priority than the current master is up it replaces the current master Disabled Even if a VRRP router with a higher priority than the current master is up it does not replace the current master Only the original master when it becomes available replaces the backup VRRP Advertisements The virtual router master sends VRRP advertisements to routers which are in ...

Page 399: ...of the device is the IP address of the virtual router Select the IP addresses of the owner from the Available IP Address list and move it to the Owner IP Address list If No is checked you must enter the address es of the virtual router in the Virtual Router IP Addresses field If multiple IP addresses are added here separate them as follows 1 1 1 1 2 2 2 2 Source IP Address Select the IP address to...

Page 400: ...resses associated with this virtual router Description The virtual router name Additional Status Version The virtual router version Status Is VRRP enabled IP Address Owner The owner of the IP address of the virtual router Master Backup Status Is the virtual router the master or backup Skew Time Time used in calculation of master down interval Master Down Interval Time interval for Backup to declar...

Page 401: ...h Displays number of packets with invalid packet lengths Invalid TTL Displays number of packets with invalid time to live values Invalid VRRP Packet Type Displays number of packets with invalid VRRP packet types Invalid VRRP ID Displays number of packets with invalid VRRP IDs Invalid Protocol Number Displays number of packets with invalid protocol numbers Invalid IP List Displays number of packets...

Page 402: ... more than a single type of security or control and so they appear twice in the list of topics below Permission to administer the device is described in the following sections Configuring TACACS Configuring RADIUS Password Strength Management Access Method Management Access Authentication Key Management Secure Sensitive Data Management SSL Server SSH Server SSH Client Protection from attacks direc...

Page 403: ...nial of Service Prevention SSL Server Storm Control Port Security IP Source Guard ARP Inspection Access Control First Hop Security Configuring TACACS An organization can establish a Terminal Access Controller Access Control System TACACS server to provide centralized security for all of its devices In this way authentication and authorization can be handled on a single server for all devices in th...

Page 404: ...iding authentication and authorization services the TACACS protocol helps to ensure TACACS message protection through encrypted TACACS body messages TACACS is supported only with IPv4 Some TACACS servers support a single connection that enables the device to receive all information in a single connection If the TACACS server does not support this the device reverts to multiple connections Accounti...

Page 405: ... TACACS server do the following STEP 1 Open an account for a user on the TACACS server STEP 2 Configure that server along with the other parameters in the TACACS pages STEP 3 Select TACACS in the Management Access Authentication page so that when a user logs onto the device authentication is performed on the TACACS server instead of in the local database Table 1 Argument Description In Start Messa...

Page 406: ...e following default parameters Key String Enter the default Key String used for communicating with all TACACS servers in Encrypted or Plaintext mode The device can be configured to use this key or to use a key entered for an specific server entered in the Add TACACS Server page If you do not enter a key string in this field the server key entered in the Add TACACS Server page must match the encryp...

Page 407: ...Address Name field IP Version Select the supported IP version of the source address IPv6 or IPv4 IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address...

Page 408: ...ult value displayed on the page Authentication IP Port Enter the port number through which the TACACS session occurs Single Connection Select to enable receiving all information in a single connection If the TACACS server does not support this the device reverts to multiple connections STEP 7 Click Apply The TACACS server is added to the Running Configuration file of the device STEP 8 To display s...

Page 409: ...ns using a RADIUS server The user configurable TCP port used for RADIUS server accounting is the same TCP port that is used for RADIUS server authentication and authorization Defaults The following defaults are relevant to this feature No default RADIUS server is defined by default If you configure a RADIUS server the accounting feature is disabled by default Interactions With Other Features You c...

Page 410: ...to the RADIUS server before a failure is considered to have occurred Timeout for Reply Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query or switching to the next server Dead Time Enter the number of minutes that elapse before a non responsive RADIUS server is bypassed for service requests If the value is 0 the server is not bypassed Ke...

Page 411: ...can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 Address Type Link Local is selected f...

Page 412: ...have occurred If Use Default is selected the device uses the default value for the number of retries Dead Time Select User Defined and enter the number of minutes that must pass before a non responsive RADIUS server is bypassed for service requests If Use Default is selected the device uses the default value for the dead time If you enter 0 minutes there is no dead time Usage Type Enter the RADIUS...

Page 413: ...STEP 1 Click Security Password Strength STEP 2 Enter the following aging parameters for passwords Password Aging If selected the user is prompted to change the password when the Password Aging Time expires Password Aging Time Enter the number of days that can elapse before the user is prompted to change the password NOTE Password aging also applies to zero length passwords no password STEP 3 Selec...

Page 414: ...number of character classes which must be present in a password Character classes are lower case 1 upper case 2 digits 3 and symbols or special characters 4 The New Password Must Be Different than the Current One If selected the new password cannot be the same as the current password upon a password change STEP 5 Click Apply The password settings are written to the Running Configuration file NOTE ...

Page 415: ...he Send Life Time indicates when the key identifier for sending packets is valid Accept Life Time Send Life Time Specifies when packets with this key are accepted Select one of the following options Always Valid No limit to the life of the key identifier User Defined Life of the key chain is limited If this option is selected enter values in the following fields NOTE If you select User Defined the...

Page 416: ...ecurity Key Management Key Settings STEP 2 To add a new key string click Add STEP 3 Enter the following fields Key Chain Name for the key chain Key Identifier Integer identifier for the key chain Key String Value of the key chain string Enter one of the following options User Defined Encrypted Enter an encrypted version User Defined Plaintext Enter a plaintext version NOTE Both the Accept Life Tim...

Page 417: ... Length of time that the key identifier is valid Enter the following fields Days Number of days that the key identifier is valid Hours Number of hours that the key identifier is valid Minutes Number of minutes that the key identifier is valid Seconds Number of seconds that the key identifier is valid STEP 4 Click Apply The settings are written to the Running Configuration file STEP 5 To always dis...

Page 418: ...ich ports including the OOB port LAGs or VLANs are permitted to access or are denied access to the web based configuration utility Source IP Address IP addresses or subnets Access to management methods might differ among user groups For example one user group might be able to access the device module only by using an HTTPS session while another user group might be able to access the device module ...

Page 419: ...nue you are immediately disconnected from the web based configuration utility and can access the device only through the console port This only applies to device types that offer a console port A caution message displays if you selected any other access profile warning you that depending on the selected access profile you might be disconnected from the web based configuration utility STEP 3 Click ...

Page 420: ...The options are Permit Permits access to the device if the user matches the settings in the profile Deny Denies access to the device if the user matches the settings in the profile Applies to Interface Select the interface attached to the rule The options are All Applies to all ports VLANs and LAGs User Defined Applies to selected interface Interface Enter the interface number if User Defined was ...

Page 421: ...et matches a rule the action associated with the rule is performed If no matching rule is found within the active access profile the packet is dropped For example you can limit access to the device from all IP addresses except IP addresses that are allocated to the IT management center In this way the device can still be managed and has gained another layer of security To add profile rules to an a...

Page 422: ...ess the device by using the configured access method from the interface and IP source defined in this rule Or select Deny to deny access Applies to Interface Select the interface attached to the rule The options are All Applies to all ports VLANs and LAGs User Defined Applies only to the port VLAN or LAG selected Interface Enter the interface number The OOB port can also be entered Applies to Sour...

Page 423: ...d authentication methods are RADIUS and Local and all configured RADIUS servers are queried in priority order and do not reply the user is authorized authenticated locally If authorization is enabled and an authentication method fails or the user has insufficient privilege level the user is denied access to the device In other words if authentication fails for an authentication method the device s...

Page 424: ...ed on the TACACS server You must have configured one or more TACACS servers None User is allowed to access the device without authorization authentication Local Username and password are checked against the data stored on the local device These username and password pairs are defined in the User Accounts page NOTE The Local or None authentication method must always be selected last All authenticat...

Page 425: ...e signed certificate into the device By default the device contains a certificate that can be modified HTTPS is enabled by default SSL Server Authentication Settings It may be required to generate a new certificate to replace the default certificate found on the device To create a new certificate STEP 1 Click Security SSL Server SSL Server Authentication Settings Information appears for certificat...

Page 426: ...icate Request button is pressed STEP 5 Click Generate Certificate Request This creates a key that must be entered on the Certification Authority CA Copy it from the Certificate Request field To import a certificate STEP 1 Click Security SSL Server SSL Server Authentication Settings STEP 2 Click Import Certificate STEP 3 Enter the following fields Certificate ID Select the active certificate Certif...

Page 427: ...icate and RSA key pair This is used to copy the certificate and RSA key pair to another device using copy paste When you click Display Sensitive Data as Encrypted the private keys are displayed in encrypted form SSH Server See Security SSH Server SSH Client See Security SSH Client TCP UDP Services The TCP UDP Services page enables TCP or UDP based services on the device usually for security reason...

Page 428: ...services are written to the Running Configuration file The TCP Service Table displays the following fields for each service Service Name Access method through which the device is offering the TCP service Type IP protocol the service uses Local IP Address Local IP address through which the device is offering the service Local Port Local TCP port through which the device is offering the service Remo...

Page 429: ...e is turned into many creating the potential for a traffic storm Storm protection enables you to limit the number of frames entering the device and to define the types of frames that are counted towards this limit When the rate of Broadcast Multicast or Unknown Unicast frames is higher than the user defined threshold frames received beyond the threshold are discarded Storm Control To define Storm ...

Page 430: ...Enter the maximum rate at which unknown packets can be forwarded This value can be entered by kbits sec or by percentage of the total available bandwidth Trap on Storm Select to send a trap when a storm occurs on a port If this is not selected the trap is not sent Shutdown on Storm Select to shutdown a port when a storm occurs on the port If this is not selected extra traffic is discarded Broadcas...

Page 431: ...dcast storm control Multicast Traffic Type Only for Multicast traffic Registered or Unregistered Bytes Passed Number of bytes received Bytes Dropped Number of bytes dropped because of storm control Last Drop Time Time that the last byte was dropped STEP 4 To clear all counters on all interfaces click Clear All Interfaces Counters To clear all counters on an interface select it and click Clear Inte...

Page 432: ...dresses associated with the port after reset New MAC addresses can be learned as Delete On Reset ones up to the maximum addresses allowed on the port Relearning and aging are disabled When a frame from a new MAC address is detected on a port where it is not authorized the port is classically locked and there is a new MAC address or the port is dynamically locked and the maximum number of allowed a...

Page 433: ...ddresses Allowed Relearning and aging are enabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses can be learned as Delete On Reset ones up to the maximum addresses allowed on the port Relearning and aging are disabled Max No of Addresses Allowed Enter the maximum number of MAC addresses that can be learned on the port if Limi...

Page 434: ...hen a host tries to use the IP address of its neighbor When IP Source Guard is enabled the device only transmits client IP traffic to IP addresses contained in the DHCP Snooping Binding database This includes both addresses added by DHCP Snooping and manually added entries If the packet matches an entry in the database the device forwards it If not it is dropped This section describes the IP Sourc...

Page 435: ...ts status changes from DHCP untrusted to DHCP trusted the static IP address filtering entries remain in the Binding database but they become inactive Port security cannot be enabled if source IP and MAC address filtering is configured on a port IP Source Guard uses TCAM resources and requires a single TCAM rule per IP Source Guard address entry If the number of IP Source Guard entries exceeds the ...

Page 436: ... page STEP 6 View entries to the Binding database in the IP Source Guard Binding Database page Properties To enable IP Source Guard globally STEP 1 Click Security IP Source Guard Properties STEP 2 Select Enable to enable IP Source Guard globally STEP 3 Click Apply to enable IP Source Guard Interface Settings If IP Source Guard is enabled on an untrusted port LAG DHCP packets allowed by DHCP Snoopi...

Page 437: ...ce attempts to write too many entries to the DHCP Snooping Binding database the excessive entries are maintained in an inactive status Entries are deleted when their lease time expires and so inactive entries may be made active See DHCPv4 Snooping Relay NOTE The Binding Database page only displays the entries in the DHCP Snooping Binding database defined on IP Source Guard enabled ports To view th...

Page 438: ... on the VLAN Trusted Port Port has become trusted Resource Problem TCAM resources are exhausted STEP 4 To see a subset of these entries enter the relevant search criteria and click Go ARP Inspection ARP enables IP communication within a Layer 2 Broadcast domain by mapping IP addresses to a MAC addresses A malicious user can attack hosts switches and routers connected to a Layer 2 network by poison...

Page 439: ...st C can poison the ARP caches of the switch Host A and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA or IB and a MAC address of MC Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB which enables Host C intercepts that traffic Because Host C knows the true MAC addresses associated w...

Page 440: ...P access control rules for the packet s IP MAC addresses If the IP address is found and the MAC address in the list matches the packet s MAC address then the packet is valid otherwise it is not If the packet s IP address was not found and DHCP Snooping is enabled for the packet s VLAN search the DHCP Snooping Binding database for the packet s VLAN IP address pair If the VLAN IP address pair was fo...

Page 441: ...ude 0 0 0 0 255 255 255 255 and all IP Multicast addresses Packets with invalid ARP Inspection bindings are logged and dropped Up to 1024 entries can be defined in the ARP Access Control table Interaction Between ARP Inspection and DHCP Snooping If DHCP Snooping is enabled ARP Inspection uses the DHCP Snooping Binding database in addition to the ARP access control rules If DHCP Snooping is not ena...

Page 442: ...atus Select to enable ARP Inspection ARP Packet Validation Select to enable the following validation checks Source MAC Compares the packets source MAC address in the Ethernet header against the senders MAC address in the ARP request This check is performed on both ARP requests and responses Destination MAC Compares the packets destination MAC address in the Ethernet header against the destination ...

Page 443: ...AG STEP 1 Click Security ARP Inspection Interface Settings The ports LAGs and their ARP trusted untrusted status are displayed STEP 2 To set a port LAG as untrusted select the port LAG and click Edit STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file ARP Access Control To add entries to the ARP Inspection table STEP 1 Click Security ARP Inspec...

Page 444: ...ss of packet STEP 4 Click Apply The settings are defined and the Running Configuration file is updated VLAN Settings To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN STEP 1 Click Security ARP Inspection VLAN Settings STEP 2 To enable ARP Inspection on a VLAN move the VLAN from the Available VLANs list to the Enabled VLANs list STEP 3 To associate an ARP Access Cont...

Page 445: ...S Attacks Dependencies Between Features Default Configuration Security Suite Settings SYN Protection Martian Addresses SYN Filtering SYN Rate Protection ICMP Filtering IP Fragmented Filtering Secure Core Technology SCT One method of resisting DoS attacks employed by the device is the use of SCT SCT is enabled by default on the device and cannot be disabled The Cisco device is an advanced device th...

Page 446: ...hould be blocked Martian Addresses Martian addresses are illegal from the point of view of the IP protocol See Martian Addresses for more details ICMP Attack Sending malformed ICMP packets or overwhelming number of ICMP packets to the victim that might lead to a system crash IP Fragmentation Mangled IP fragments with overlapping over sized payloads are sent to the device This can crash various ope...

Page 447: ...s a user configured threshold Block SYN FIN packets Block packets that contain reserved Martian addresses Martian Addresses page Prevent TCP connections from a specific interface SYN Filtering page and rate limit the packets SYN Rate Protection page Configure the blocking of certain ICMP packets ICMP Filtering page Discard fragmented IP packets from a specific interface IP Fragmented Filtering pag...

Page 448: ...tings and monitor SCT STEP 1 Click Security Denial of Service Prevention Security Suite Settings CPU Protection Mechanism Enabled indicates that SCT is enabled STEP 2 Click Details beside CPU Utilization to go to the CPU Utilization page and view CPU resource utilization information STEP 3 Click Edit beside TCP SYN Protection to set the feature STEP 4 Select DoS Prevention to enable the feature Di...

Page 449: ... written to the Running Configuration file SYN Protection The network ports might be used by hackers to attack the device in a SYN attack which consumes TCP resources buffers and CPU power Since the CPU is protected using SCT TCP traffic to the CPU is limited However if one or more ports are attacked with a high rate of SYN packets the CPU receives only the attacker packets thus creating Denial of...

Page 450: ...ng Configuration file is updated The SYN Protection Interface Table displays the following fields for every port or LAG as requested by the user Current Status Interface status The possible values are Normal No attack was identified on this interface Blocked Traffic is not forwarded on this interface Attacked Attack was identified on this interface Last Attack Date of last SYN FIN attack identifie...

Page 451: ...ian addresses STEP 1 Click Security Denial of Service Prevention Martian Addresses STEP 2 Select Reserved Martian Addresses and click Apply to include the reserved Martian Addresses in the System Level Prevention list STEP 3 To add a Martian address click Add STEP 4 Enter the parameters IP Version Indicates the supported IP version Currently support is only offered for IPv4 IP Address Enter an IP ...

Page 452: ...the filter is enabled in IP address format TCP Port Select the destination TCP port being filtered Known Ports Select a port from the list User Defined Enter a port number All Ports Select to indicate that all ports are filtered STEP 4 Click Apply The SYN filter is defined and the Running Configuration file is updated SYN Rate Protection The SYN Rate Protection page enables limiting the number of ...

Page 453: ...rce IP address prefix SYN Rate Limit Enter the number of SYN packets that be received STEP 4 Click Apply The SYN rate protection is defined and the Running Configuration is updated ICMP Filtering The ICMP Filtering page enables the blocking of ICMP packets from certain sources This can reduce the load on the network in case of an ICMP attack To define ICMP filtering STEP 1 Click Security Denial of...

Page 454: ...gments Filtering STEP 2 Click Add STEP 3 Enter the parameters Interface Select the interface on which the IP fragmentation is being defined IP Address Enter an IP network from which the fragmented IP packets is filtered or select All Addresses to block IP fragmented packets from all addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the ...

Page 455: ...entication Host and Session Authentication Authenticated Hosts Locked Clients Web Authentication Customization Overview 802 1x authentication restricts unauthorized clients from connecting to a LAN through publicity accessible ports 802 1x authentication is a client server model In this model network devices have the following specific roles Client or supplicant Authenticator Authentication server...

Page 456: ... part of the EAP protocol No special software is required on the client to use MAC based or web based authentication Authenticator An authenticator is a network device that provides network services and to which supplicant ports are connected The following authentication methods are supported 802 1x based Supported in all authentication modes MAC based Supported in all authentication modes WEB bas...

Page 457: ...ccess is enabled on an interface the switch treats all failures received from a RADIUS server as successes and allows access to the network for stations connected to interfaces regardless of authentication results Open Access changes the normal behavior of blocking traffic on a authentication enabled port until authentication and authorization are successfully performed The default behavior of aut...

Page 458: ...P packets with EAP failure messages inside when it receives 802 1x EAPOL Start messages auto Enables port authentications in accordance with the configured port host mode and authentication methods configured on the port Port Host Modes Ports can be placed in the following port host modes configured in the Host and Session Authentication page Single Host Mode A port is authorized if there is an au...

Page 459: ...ify that untagged traffic from the authorized port will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process Tagged traffic is dropped unless it belongs to the RADIUS assigned VLAN or to the unauthenticated VLANs Radius VLAN assignment on a port is set in the Port Authentication page Multi Sessions Mode Unlike the single host and multi host modes a port in th...

Page 460: ...iority continue When one of authentication methods running simultaneously fails the other methods continue When an authentication method finishes successfully for a client authenticated by an authentication method with a lower priority the attributes of the new authentication method are applied When the new method fails the client is left authorized with the old method 802 1x Based Authentication ...

Page 461: ...pplicant capability MAC based authentication uses the MAC address of the connecting device to grant or deny network access In this case the switch supports EAP MD5 functionality with the username and password equal to the client MAC address as shown below Figure 2 MAC Based Authentication The method does not have any specific configuration Client Authenticaticator RADIUS Protocol 802 1x Protocol A...

Page 462: ...dress and be able to resolve the host or domain names All HTTP HTTPS over IPv4 packets from unauthorized clients are trapped to the CPU on the switch If Web based authentication is enabled on the port a login page is displayed before the requested page is displayed The user must enter his username password which is authenticated by a RADIUS server using the EAP protocol If authentication is succes...

Page 463: ...d to an unauthorized client You can configure the guest VLAN and one or more VLANs to be unauthenticated in the Properties page An unauthenticated VLAN is a VLAN that allows access by both authorized and unauthorized devices or ports An unauthenticated VLAN has the following characteristics It must be a static VLAN and cannot be the guest VLAN or the default VLAN The member ports must be manually ...

Page 464: ...d VLANs Multi Sessions Mode The mode does not support the guest VLAN RADIUS VLAN Assignment or Dynamic VLAN Assignment An authorized client can be assigned a VLAN by the RADIUS server if this option is enabled in the Port Authentication page This is called either Dynamic VLAN Assignment DVA or RADIUS VLAN Assignment In this guide the term RADIUS Assigned VLAN is used Untagged traffic and tagged tr...

Page 465: ...ffic and tagged traffic not belonging to the unauthenticated VLANs arriving from the client are assigned to the RADIUS assigned VLAN using TCAM rules and are bridged via the VLAN The following table describes guest VLAN and RADIUS VLAN Assignment support depending on authentication method and port mode Legend The port mode supports the guest VLAN and RADIUS VLAN assignment N S The port mode does n...

Page 466: ...onds 0 traps are disabled If minimum time is not specified it defaults to 1 second for the restrict mode and 0 for the other modes Quiet Period The Quiet period is a period when the port single host or multi host modes or the client multi sessions mode cannot attempt authentication following a failed authentication exchange In single host or multi host mode the period is defined per port and in th...

Page 467: ...port mode are supported Legend The port mode also supports the guest VLAN and RADIUS VLAN assignment N S The authentication method does not support the port mode NOTE You can simulate the single host mode by setting Max Hosts parameter to 1 in the Port Authentication page Authentication Methods and Port Modes Authentication Method Single host Multi host Multi sessions Device in L3 Device in L2 802...

Page 468: ...ess they belong to the RADIUS VLAN or to the unauthent icated VLANs Frames are bridged based on the static VLAN configuration Frames are bridged based on the static VLAN configurat ion Multi host Frames are re mapped to the guest VLAN Frames are dropped unless they belongs to the guest VLAN or to the unauthent icated VLANs Frames are dropped Frames are dropped unless they belongs to the unauthent ...

Page 469: ...EP 10 Select a port and click Edit STEP 11 Set the Administrative Port Control field to Auto STEP 12 Define the authentication methods STEP 13 Click Apply and the Running Configuration file is updated Full multi sessions Frames are re mapped to the guest VLAN Frames are re mappedto the guest VLAN unless they belongs to the unauthent icated VLANs Frames are dropped Frames are dropped unless they be...

Page 470: ... Authentication STEP 4 Click Apply and the Running Configuration file is updated Use the Copy Settings button to copy settings from one port to another Workflow 4 To configure the quiet period STEP 1 Click Security 802 1X MAC Web Authentication Port Authentication STEP 2 Select a port and click Edit STEP 3 Enter the quiet period in the Quiet Period field STEP 4 Click Apply and the Running Configur...

Page 471: ...d authentication STEP 1 Click Security 802 1X MAC Web Authentication Properties STEP 2 Enter the parameters Port Based Authentication Enable or disable port based authentication If this is disabled 802 1X MAC based and web based authentication are disabled Authentication Method Select the user authentication methods The options are RADIUS None Perform port authentication first by using the RADIUS ...

Page 472: ...elect one of more of the following options 802 1x Authentication Failure Traps Select to generate a trap if 802 1x authentication fails 802 1x Authentication Success Traps Select to generate a trap if 802 1x authentication succeeds MAC Authentication Failure Traps Select to generate a trap if MAC authentication fails MAC Authentication Success Traps Select to generate a trap if MAC authentication ...

Page 473: ...Interface Select a port including the OOB port Current Port Control Displays the current port authorization state If the state is Authorized the port is either authenticated or the Administrative Port Control is Force Authorized Conversely if the state is Unauthorized then the port is either not authenticated or the Administrative Port Control is Force Unauthorized Administrative Port Control Sele...

Page 474: ...e port Open Access Select to successfully authenticate the port even though authentication fails See Open Access 802 1X Based Authentication Select to enable 802 1X authentication on the port MAC Based Authentication Select to enable port authentication based on the supplicant MAC address Only 8 MAC based authentications can be used on the port NOTE For MAC authentication to succeed the RADIUS ser...

Page 475: ... WBA Silence Period Enter the maximum length of the silent period for web based authentication allowed on the interface Select either Infinite for no limit or User Defined to set a limit Max Hosts Enter the maximum number of authorized hosts allowed on the interface Select either Infinite for no limit or User Defined to set a limit NOTE Set this value to 1 to simulate single host mode for web base...

Page 476: ...ll ports All fields except the following are described in the Edit page Number of Violations Displays the number of packets that arrive on the interface in single host mode from a host whose MAC address is not the supplicant MAC address STEP 2 Select a port and click Edit STEP 3 Enter the parameters Interface Enter a port number for which host authentication is enabled The OOB port is included Hos...

Page 477: ...k Apply The settings are written to the Running Configuration file Authenticated Hosts To view details about authenticated users click Security 802 1X MAC Web Authentication Authenticated Hosts This page displays the following fields User Name Supplicant names that were authenticated on each port Port Number of the port Session Time DD HH MM SS Amount of time that the supplicant was authenticated ...

Page 478: ...he state is Unauthorized then the port is either not authenticated or the Administrative Port Control is Force Unauthorized Remaining Time Sec The time remaining for the port to be locked STEP 2 Select a port STEP 3 Click Unlock Web Authentication Customization This page enables designing web based authentication pages in various languages You can add up to 4 languages NOTE Up to 5 HTTP users and ...

Page 479: ...ze the web authentication pages STEP 1 Click Security 802 1X MAC Web Authentication Web Authentication Customization This page displays the languages that can be customized STEP 2 Click Edit Login Page Figure 4 The following page is displayed STEP 3 Click Edit labelled 1 The following fields are displayed Language Displays the page s language Color Scheme Select one of the contrast options If the ...

Page 480: ...n Text Enter text to accompany the logo Window Title Text Enter a title for the Login page STEP 4 Click Apply and the settings are saved to the Running Configuration file STEP 5 Click Edit labelled 2 The following fields are displayed Invalid User Credentials Enter the text of the message to be displayed when the end user enters an invalid username or password Service Not Available Enter the text ...

Page 481: ...n process STEP 8 Click Apply and the settings are saved to the Running Configuration file STEP 9 Click Edit labelled 4 The following fields are displayed Terms and Conditions Select to enable a terms and conditions text box Terms and Conditions Warning Enter the text of the message to be displayed as instructions to enter the terms and conditions Terms and Conditions Content Enter the text of the ...

Page 482: ...ge STEP 15 Enter the Success Message which is the text that will be displayed if the end user successfully logs in STEP 16 Click Apply and the settings are saved to the Running Configuration file To preview the login or success message click Preview To set the default language of the GUI interface as the default language for Web based authentication click Set Default Display Language ...

Page 483: ...rties Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In addition SSD enables the...

Page 484: ...t define the handling and security of sensitive data The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An...

Page 485: ...evel 15 All The rule applies to all users User Name If user type is Specific a user name is required Channel Type of SSD management channel to which the rule is applied The channel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifi...

Page 486: ... write permission to SSD parameters as well Each management channel allows specific read permissions The following summarizes these Default Read Mode All default read modes are subjected to the read permission of the rule The following options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read...

Page 487: ...ive data the rule must be changed to plaintext By default an SNMPv3 user with privacy and XML over secure channels permissions is considered to be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users SNMP community names are not used as user names to match SSD rules Access by a specific SNMPv3 user can be controlled by configuring...

Page 488: ...zed access it is recommended that the user authentication process on a device is secured To secure the user authentication process you can use the local authentication database as well as secure the communication through external authentication servers such as a RADIUS server The configuration of the secure communication to the external authentication servers are sensitive data and are protected u...

Page 489: ...t does not conflict with the SSD read permission of the session This change is effective immediately in the current session until one of the following occurs User changes it again Session is terminated The read permission of the SSD rule that is applied to the session user is changed and is no longer compatible with the current read mode of the session In this case the session read mode returns to...

Page 490: ...d from the passphrase A passphrase must comply with the following rules Length Between 8 16 characters Character Classes The passphrase must have at least one upper case character one lower case character one numeric character and one special character e g Default and User defined Passphrases All devices come with a default out of the box passphrase that is transparent to users The default passphr...

Page 491: ...ensitive data that are encrypted with the key generated from the user defined passphrase in text based configuration files The following are the existing passphrase control modes Unrestricted default The device includes its passphrase when creating a configuration file This enables any device accepting the configuration file to learn the passphrase from the file Restricted The device restricts its...

Page 492: ... file when the file is downloaded or copied to the Startup Configuration file Read Mode Each session has a Read mode This determines how sensitive data appears The Read mode can be either Plaintext in which case sensitive data appears as regular text or Encrypted in which sensitive data appears in its encrypted form Configuration Files A configuration file contains the configuration of a device A ...

Page 493: ...tion files but is ignored when copying the configuration files to the Running or Startup Configuration file The SSD indicator in a file is set according to the user s instruction during copy to include encrypted plaintext or exclude sensitive data from a file SSD Control Block When a device creates a text based configuration file from its Startup or Running Configuration file it inserts an SSD con...

Page 494: ... sensitive data in the file not encrypted by the key generated from the passphrase in the SSD control block If there is an SSD control block in the source configuration file and the file fails the SSD integrity check and or file integrity check the device rejects the source file and fails the copy If there is no passphrase in the SSD control block of the source configuration file all the encrypted...

Page 495: ...le is in plaintext If the passphrase is encrypted it is ignored When directly configuring the passphrase non file copy in the Running Configuration the passphrase in the command must be entered in plaintext Otherwise the command is rejected Configuration commands with encrypted sensitive data that are encrypted with the key generated from the local passphrase are configured into the Running Config...

Page 496: ...change the file SSD indicator that conflicts with the sensitive data if any in the file Otherwise plaintext sensitive data may be unexpectedly exposed Sensitive Data Zero Touch Auto Configuration SSD Zero touch Auto Configuration is the auto configuration of target devices with encrypted sensitive data without the need to manually pre configure the target devices with the passphrase whose key is u...

Page 497: ...rase in the file As a result the user can auto configure the target devices including devices that are out of the box or in factory default with the configuration file without manually pre configuring the target devices with the passphrase This is zero touch because the target devices learn the passphrase directly from the configuration file NOTE Devices that are out of the box or in factory defau...

Page 498: ...itted if the local passphrase is identical to the default passphrase If a device is configured with a user defined passphrase the user is unable to activate password recovery Configuring SSD The SSD feature is configured in the following pages SSD properties are set in the SSD Properties page SSD rules are defined in the SSD Rules page XML HTTP Insecure XML SNMP XML HTTPS XML HTTPS Secure XML SNMP...

Page 499: ... Control Select an option as described in Configuration File Passphrase Control Configuration File Integrity Control Select to enable this feature See Configuration File Integrity Control STEP 3 Select a Read mode for the current session see Elements of an SSD Rule STEP 4 Click Apply The settings are saved to the Running Configuration file To change the local passphrase STEP 1 Click Change Local P...

Page 500: ...e security level of the input channel to which the rule applies Select one of the following options Secure Indicates that this rule applies only to secure channels console SCP SSH and HTTPS not including the SNMP and XML channels Insecure Indicates that this rule applies only to insecure channels Telnet TFTP and HTTP not including the SNMP and XML channels Secure XML SNMP Indicates that this rule ...

Page 501: ...re subjected to the read permission of the rule The following options exist but some might be rejected depending on the rule s read permission Exclude Do not allow reading the sensitive data Encrypted Sensitive data is presented encrypted Plaintext Sensitive data is presented as plaintext STEP 3 Click Apply The settings are saved to the Running Configuration file STEP 4 The following actions can b...

Page 502: ...ssword or by public key At the same time the remote user as a SSH client can perform SSH Server Authentication to authenticate the device using the device public key fingerprint SSH Server can operate in the following modes By Internally generated RSA DSA Keys Default Setting An RSA and a DSA key are generated Users log on the SSH Server application and are automatically authenticated to open a se...

Page 503: ...ervices page STEP 2 Enable SSH User authentication by password in the SSH User Authentication page STEP 3 Establish SSH sessions to the device from a SSH client application such as PUTTY Workflow3 Create an SSH session with SSH user authentication by public key with without bypassing management authentication perform the following steps STEP 1 Enable SSH server in the TCP UDP Services page STEP 2 ...

Page 504: ...f you use the SSH User Authentication page to create an SSH username for a user who is already configured in the local user database You can prevent additional authentication by configuring the Automatic Login feature which works as follows Enabled If a user is defined in the local database and this user passed SSH Authentication using a public key the authentication by the local database username...

Page 505: ...elected STEP 3 Click Apply The settings are saved to the Running Configuration file The following fields are displayed for the configured users SSH User Name User name of user Key Type Whether this is an RSA or DSA key Fingerprint Fingerprint generated from the public keys STEP 4 Click Add to add a new user and enter the fields SSH User Name Enter a user name Key Type Select either RSA or DSA Publ...

Page 506: ...ults Each key is also automatically created when the appropriate user configured key is deleted by the user To regenerate an RSA or DSA key or to copy in an RSA DSA key generated on another device STEP 1 Click Security SSH Server SSH Server Authentication The following fields are displayed for each key Key Type RSA or DSA Key Source Auto Generated or User Defined Fingerprint Fingerprint generated ...

Page 507: ...Server Authentication Change User Password on the SSH Server Overview This section includes the following topics Secure Copy SCP and SSH SSH Server Authentication SSH User Authentication Supported Algorithms Before You Begin Common Tasks Secure Copy SCP and SSH Secure Shell or SSH is a network protocol that enables data to be exchanged on a secure channel between an SSH client in this case the dev...

Page 508: ...entral SCP server to a device With respect to SSH the SCP running on the device is an SSH client application and the SCP server is a SSH server application When files are downloaded via TFTP or HTTP the data transfer is unsecured When files are downloaded via SCP the information is downloaded from the SCP server to the device via a secure channel The creation of this secure channel is preceded by ...

Page 509: ...rint of the received SSH server s public key The device searches the SSH Trusted Servers table for the SSH server s IP address host name One of the following can occur If a match is found both for the server s IP address host name and its fingerprint the server is authenticated If a matching IP address host name is found but there is no matching fingerprint the search continues If no matching fing...

Page 510: ...generate import a public private key pair on the device which is a SSH client Then create the same user at the SSH server and copy the public key or fingerprint generated entered at the SSH client to the SSH server The action of creating the user and copy the public key or fingerprint to the SSH server is beyond the scope of this guide RSA and DSA default key pairs are generated for the device whe...

Page 511: ... it into the remaining switches In this way all the switches can use the same public private key Default Password SSH user authentication by password is enabled by default with the username password being anonymous The user must configure the following information for authentication The authentication method to be used The username password or public private key pair Supported Algorithms When the ...

Page 512: ...password or public private key Use the SSH User Authentication page STEP 2 If the password method was selected perform the following steps a Create a global password in the SSH User Authentication page or create a temporary one in the Firmware Operations or File Operations pages when you actually activate the secure data transfer b Upgrade the firmware boot image or language file using SCP by sele...

Page 513: ...eSSH User Authentication page STEP 2 Set the SSD properties and create a new local passphrase in the SSD Properties page STEP 3 Click Details to view the generated encrypted keys and copy them including the Begin and End footers from the Details page to an external device Copy the public and private keys separately STEP 4 Log on to another device and open the SSH User Authentication page Select th...

Page 514: ...is selected create an RSA public and Private key in the SSH User Key Table block By DSA Public Key If this is selected create a DSA public private key in the SSH User Key Table block STEP 3 Enter the Username no matter what method was selected or user the default username This must match the username defined on the SSH server STEP 4 If the By Password method was selected enter a password Encrypted...

Page 515: ...as the source IPv4 address for messages used in communication with IPv4 SSH servers IPv6 Source Interface Select the source interface whose IPv6 address will be used as the source IPv6 address for messages used in communication with IPv6 SSH servers NOTE If the Auto option is selected the system takes the source IP address from the IP address defined on the outgoing interface STEP 3 Click Add and ...

Page 516: ...face from the list of interfaces Server IP Address Name Enter either the IP address of the SSH server or its name depending on what was selected in Server Definition Fingerprint Enter the fingerprint of the SSH server copied from that server STEP 4 Click Apply The trusted server definition is stored in the Running Configuration file Change User Password on the SSH Server To change the password on ...

Page 517: ...ntry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface from the list of interfaces Server IP Address Name Enter either the IP address of the SSH server or its name depending on what was selected in Server Definition Username This must match the userna...

Page 518: ...re it in the GUI It covers the following topics IPv6 First Hop Security Overview Router Advertisement Guard Neighbor Discovery Inspection DHCPv6 Guard Neighbor Binding Integrity IPv6 Source Guard Attack Protection Policies Global Parameters and System Defaults Common Tasks Default Settings and Configuration Before You Start Configuring IPv6 First Hop Security through Web GUI ...

Page 519: ... in Figure filters Neighbor Discovery Protocol messages DHCPv6 messages and user data messages according to a number of different rules Figure1 IPv6 First Hop Security Configuration A separate and independent instance of IPv6 First Hop Security runs on each VLAN on which the feature is enabled Abbreviations IPv6 Host End Node Monitor First Hop Switch IPv6 Router 370572 Name Description CPA message...

Page 520: ...g names vlan_default and port_default The first one is attached to each VLAN that is not attached to a user defined policy and the second one is connected to each interface and VLAN that is not attached to a user defined policy These policies cannot be attached explicitly by the user See Policies Global Parameters and System Defaults FCFS SAVI First Come First Served Source Address Validation Impr...

Page 521: ...asses to the IPv6 Source Guard feature Trapped DHCPv6 messages are passed to the DHCPv6 Guard feature DHCPv6 Guard validates these messages drops illegal message and legal messages passes to the IPv6 Source Guard feature Trapped data messages are passed to the IPv6 Source Guard feature IPv6 Source Guard validates received messages trapped data messages NDP messages from ND Inspection and DHCPv6 me...

Page 522: ...er IPv6 First Hop Security switches can form a perimeter separating untrusted area from trusted area All switches inside the perimeter support IPv6 First Hop Security and hosts and routers inside this perimeter are trusted devices For example in Figure 2 Switch B and Switch C are inner links inside the protected area Figure 2 IPv6 First Hop Security Perimeter ...

Page 523: ...apped RA messages RA Guard supports the following functions Filtering of received RA CPA and ICMPv6 redirect messages Validation of received RA messages Filtering of Received RA CPA and IPCMv6 redirect Messages RA Guard discards RA and CPA messages received on interfaces whose role are not router The interface role is configured in the RA Guard Settings page Validation of RA messages RA Guard vali...

Page 524: ...gured as host interfaces DHCPv6 Guard DHCPv6 Guard treats the trapped DHCPv6 messages DHCPv6 Guard supports the following functions Filtering of received DHCPv6 messages DHCP Guard discards DHCPv6 reply messages received on interfaces whose role is client The interface role is configured in the DHCPv6 Guard Settings page Validation of received DHCPv6 messages DHCPv6 Guard validates DHCPv6 messages...

Page 525: ...l IPv6 Addresses NB Integrity performs the following validations If the target address in an NS or NA message is a global IPv6 address it must belong to one of the prefixes defined in the RA Prefix table A global IPv6 address provided by a DHCPv6 server must belong to one of the prefixes defined in the IPv6 Prefix List in IPv6 Prefixes page If a message does not pass this verification it is droppe...

Page 526: ...f of address ownership is based on the First Come First Served principle The first host that claims a given source address is the owner of that address until further notice Since no host changes are acceptable a way must be found to confirm address ownership without requiring a new protocol For this reason whenever an IPv6 address is first learned from an NDP message the switch binds the address t...

Page 527: ...is restarted each time that the bound IPv6 address is confirmed If the timer expires the device sends up to 2 DAD NS messages with short intervals to validate the neighbor NBI DHCP Method The NBI NDP method is based on the SAVI DHCP method specified in the SAVI Solution for DHCP draft ietf savi dhcp 15 September 11 2012 Like NBI NDP NBI DHCP provides perimeterical binding for scalability The follo...

Page 528: ...idation RS messages if the source IPv6 address equals the unspecified IPv6 address NS messages if the source IPv6 address equals the unspecified IPv6 address NA messages if the source IPv6 address equals the target address IPv6 Source Guard drops all other IPv6 messages whose source IPv6 address equals the unspecified IPv6 address IPv6 Source Guard runs only on untrusted interfaces belonging to th...

Page 529: ...er interfaces If the given IPv6 address is known the NS message is forwarded only on the interface to which the IPv6 address is bound A Neighbor Advertisement NA message is dropped if the target IPv6 address is bound with another interface Protection against IPv6 Duplication Address Detection Spoofing An IPv6 host must perform Duplication Address Detection for each assigned IPv6 address by sending...

Page 530: ... could send IPv6 messages with a different destination IPv6 address for the last hop forwarding causing overflow of the NBD cache An embedded mechanism in the NDP implementation limits the number of entries allowed in the INCOMPLETE state in the Neighbor Discovery cache This provides protection against the table being flooded by hackers Policies Global Parameters and System Defaults Each feature o...

Page 531: ...ned policy is attached to an interface the default policy for that interface is detached If the user define policy is detached from the interface the default policy is reattached Policies do not take effect until The feature in the policy is enabled on the VLAN containing the interface The policy is attached to the interface VLAN port or LAG When you attach a policy the default policy for that int...

Page 532: ...erride system defaults Common Tasks This section includes the following topics IPv6 First Hop Security Common Work Flow Router Advertisement Guard Work Flow DHCPv6 Guard Work Flow Neighbor Discovery Inspection Work Flow Neighbor Binding Work Flow IPv6 Source Guard Work Flow IPv6 First Hop Security Common Work Flow STEP 1 In the FHS Settings page enter the list of VLANs on which this feature is ena...

Page 533: ...Flow STEP 1 In the DHCPv6 Guard Settings page enter the list of VLANs on which this feature is enabled STEP 2 In this same page set the global configuration values that are used if no values are set in a policy STEP 3 If required either configure a user defined policy or add rules to the default policies for the feature STEP 4 Attach the policy to a VLAN port or LAG using either the Policy Attachm...

Page 534: ... the default policies for the feature STEP 4 Add any manual entries required in the Neighbor Binding Table page STEP 5 Attach the policy to a VLAN port or LAG using either the Policy Attachment VLAN or Policy Attachment Port pages IPv6 Source Guard Work Flow STEP 1 In the IPv6 Source Guard Settings page enter the list of VLANs on which this feature is enabled STEP 2 If required either configure a ...

Page 535: ...ages Certification Path Solicitation CPS message DHCPv6 messages The FHS features are disabled by default Before You Start No preliminary tasks are required Configuring IPv6 First Hop Security through Web GUI This section includes the following topics FHS Settings RA Guard Settings DHCPv6 Guard Settings ND Inspection Settings Neighbor Binding Settings IPv6 Source Guard Settings Policy Attachment V...

Page 536: ...First Hop Security is enabled Packet Drop Logging Select to create a SYSLOG when a packet is dropped by a First Hop Security policy This is the global default value if no policy is defined STEP 3 Click Apply to add the settings to the Running Configuration file STEP 4 Create a FHS policy if required by clicking Add Enter the following fields Policy Name Enter a user defined policy name Packet Drop...

Page 537: ... 2 Enter the following global configuration field RA Guard VLAN List Enter one or more VLANs on which RA Guard is enabled The other configuration fields are described below STEP 3 To add a policy click Add and enter the fields Policy Name Enter a user defined policy name Device Role Displays one of the following options to specify the role of the device attached to the port for RA Guard Inherited ...

Page 538: ...st of addresses to filter Inherited Value is inherited from either the VLAN or system default no verification No Verification Advertised addresses are not verified Match List IPv6 address list to be matched RA Prefix List Specify the list of addresses to filter Inherited Value is inherited from either the VLAN or system default no verification No Verification Advertised prefixes are not verified M...

Page 539: ...ndary of Advertised Default Router Preference Low Specifies the minimum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 Medium Specifies the minimum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 High Specifies the minimum allowed Advertised Default Router ...

Page 540: ...y to Interface Click to jump to Policy Attachment Port page where you can attach this policy to a port DHCPv6 Guard Settings Use the DHCPv6 Guard Settings page to enable the DHCPv6 Guard feature on a specified group of VLANs and to set the global configuration values for this feature If required a policy can be added or the system defined default DHCPv6 Guard policies can be configured in this pag...

Page 541: ...lowing fields Policy Name Enter a user defined policy name Device Role Select either Server or Client to specify the role of the device attached to the port for DHCPv6 Guard Inherited Role of device is inherited from either the VLAN or system default client Client Role of device is client Server Role of device is server Match Reply Prefixes Select to enable verification of the advertised prefixes ...

Page 542: ...the packet received This value must be greater than the Minimal Preference value Inherited Minimal preference is inherited from either the VLAN or system default client No Verification Disables verification of the lower boundary of the hop count limit User Defined Verifies that the advertised preference value is less than or equal to this value STEP 5 Click Apply to add the settings to the Running...

Page 543: ...ation of the security level User Defined Specify the security level of the message to be forwarded Validate Source MAC Select to globally enable checking source MAC address against the link layer address STEP 3 If required click Add to create an ND Inspection policy STEP 4 Enter the following fields Policy Name Enter a user defined policy name Device Role Select either Server or Client to specify ...

Page 544: ...t the link layer address STEP 5 Click Apply to add the settings to the Running Configuration file STEP 6 To attach this policy to an interface Attach Policy to VLAN Click to jump to Policy Attachment VLAN page where you can attach this policy to a VLAN Attach Policy to Interface Click to jump to Policy Attachment Port page where you can attach this policy to a port Neighbor Binding Settings The Ne...

Page 545: ...lobal configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy select one of the following options Any Any configuration methods stateless and manual are allowed for global IPv6 bound from NDP messages Stateless Only stateless auto configuration is allowed for global IPv6 bound from NDP messages Disable Binding from NDP messages is disabled Bin...

Page 546: ...as the global value Enable Enable logging of Binding table main events Disable Disable logging of Binding table main events Address Prefix Validation Select one of the following options to specify validation of addresses Inherited Validation option is the same as the global value Enable Enable validation of addresses Disable Disable validation of addresses Global Address Binding Configuration Inhe...

Page 547: ...s to the Running Configuration file STEP 6 To attach this policy to an interface Attach Policy to VLAN Click to jump to Policy Attachment VLAN page where you can attach this policy to a VLAN Attach Policy to Interface Click to jump to Policy Attachment Port page where you can attach this policy to a port IPv6 Source Guard Settings Use the IPv6 Source Guard Settings page to enable the IPv6 Source G...

Page 548: ...h takes you to the Policy Attachment Port page where you can attach this policy to a port Policy Attachment VLAN To attach a policy to one or more VLANs STEP 1 Click Security IPv6 First Hop Security Policy Attachment VLAN The list of policies that are already attached are displayed along with their Policy Type Policy Name and VLAN List STEP 2 To attach a policy to a VLAN click Add and enter the fo...

Page 549: ...verview Policy Name Select the name of the policy to attach to the interface VLAN List Select the VLANs to which the policy is attached Select All VLANs or enter a range of VLANs STEP 3 Click Apply to add the settings to the Running Configuration file Neighbor Binding Table To view entries in the Neighbor Binding table STEP 1 Click Security IPv6 First Hop Security Neighbor Binding Table STEP 2 Sel...

Page 550: ...owing fields VLAN ID VLAN ID of the entry IPv6 Address Source IPv6 address of the entry Interface Port on which packet is received MAC Address Neighbor MAC address of the packet Neighbor Prefix Table You can add static prefixes for global IPv6 addresses bound from NDP messages in the Neighbor Prefix table Dynamic entries are learned as described in Learning Advertised IPv6 Prefixes To add entries ...

Page 551: ...S features STEP 1 Click Security IPv6 First Hop Security FHS Status STEP 2 Select a port LAG or VLAN for which the FHS state is reported STEP 3 The following fields are displayed for the selected interface FHS Status FHS State on Current VLAN Is FHS enabled on the current VLAN Packet Drop Logging Is this feature enabled for the current interface at the level of global configuration or in a policy ...

Page 552: ...eply prefixes verification enabled Match Server Address Is DHCP server addresses verification enabled Minimal Preference Is verification of the minimal preference enabled Maximal Preference Is verification of the maximum preference enabled ND Inspection Status ND Inspection State on Current VLAN Is ND Inspection enabled on the current VLAN Device Role ND Inspection device role Drop Unsecure Are un...

Page 553: ...rent VLAN Port Trust Whether the port is trusted and how it received its trusted status FHS Statistics To display FHS statistics STEP 1 Click Security IPv6 First Hop Security FHS Statistics STEP 2 Select the Refresh Rate the time period that passes before the statistics are refreshed STEP 3 The following global overflow counters are displayed Neighbor Binding Table Number of entries that could not...

Page 554: ...ived and dropped messages are displayed for the following types of DHCPv6 messages ADV Advertise messages REP Reply messages REC Reconfigure messages REL REP Relay reply messages LEAS REP Lease query reply messages RLS Released messages DEC Decline messages The following fields are displayed in the FHS Dropped Message Table Feature Type of message dropped DHCPv6 Guard RA Guard and so on Count Numb...

Page 555: ...ed or denied entry This section contains the following topics Overview MAC Based ACLs Creation IPv4 based ACL Creation IPv6 Based ACL Creation ACL Binding Overview An Access Control List ACL is an ordered list of classification filters and actions Each single classification rule together with its action is called an Access Control Element ACE Each ACE is made up of filters that distinguish traffic...

Page 556: ... fails at the port The order of the ACEs within the ACL is significant since they are applied in a first fit manner The ACEs are processed sequentially starting with the first ACE ACLs can be used for security for example by permitting or denying certain traffic flows and also for traffic classification and prioritization in the QoS Advanced mode NOTE A port can be either secured with ACLs or conf...

Page 557: ...a specific interface causes the generation of an informational SYSLOG message Additional packets from the same flow are trapped to the CPU but SYSLOG messages for this flow are limited to one message every 5 minutes This SYSLOG informs that at least one packet was trapped in the last 5 minutes After handling the trapped packet the packets are forwarded in case of permit and discarded in case of de...

Page 558: ... packet 06 Jun 2013 09 53 46 3SWCOS I LOGDENYINETPORTS gi0 1 deny ACE IPv4 TCP 1 1 1 1 55 1 1 1 10 66 trapped Configuring ACLs This section describes how to create ACLs and add rules ACEs to them Creating ACLs Workflow To create ACLs and associate them with an interface perform the following 1 Create one or more of the following types of ACLs a MAC based ACL by using the MAC based ACL page and the...

Page 559: ...e chain of unbinding as follows Unbind the policy containing the class map from the interface by using Policy Binding Delete the class map containing the ACL from the policy using the Configuring a Policy Edit Delete the class map containing the ACL by using Defining Class Mapping Only then can the ACL be modified as described in this section MAC Based ACLs Creation MAC based ACLs are used to filt...

Page 560: ...ter the priority of the ACE ACEs with higher priority are processed first One is the highest priority Action Select the action taken upon a match The options are Permit Forward packets that meet the ACE criteria Deny Drop packets that meet the ACE criteria Shutdown Drop packets that meet the ACE criteria and disable the port from where the packets were received Such ports can be reactivated from t...

Page 561: ...en as 0 0 0 255 Source MAC Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source MAC Address Value Enter the MAC address to which the source MAC address is to be matched and its mask if relevant Source MAC Wildcard Mask Enter the mask to define a range of MAC addresses VLAN ID Enter the VLAN ID section of the VLAN tag ...

Page 562: ...4 based ACL STEP 1 Click Access Control IPv4 Based ACL This page contains all currently defined IPv4 based ACLs STEP 2 Click Add STEP 3 Enter the name of the new ACL in the ACL Name field The names are case sensitive STEP 4 Click Apply The IPv4 based ACL is saved to the Running Configuration file IPv4 Based ACE NOTE Each IPv4 based rule consumes one TCAM rule Note that the TCAM allocation is perfo...

Page 563: ...elect to enable logging ACL flows that match the ACL rule Time Range Select to enable limiting the use of the ACL to a specific time range Time Range Name If Time Range is selected select the time range to be used Time ranges are defined in the System Time Configuration section Protocol Select to create an ACE based on a specific protocol or protocol ID Select Any IPv4 to accept all IP protocols O...

Page 564: ...tead of selecting the name enter the protocol ID Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source IP Address Value Enter the IP address to which the source IP address is to be matched Source IP Wildcard Mask Enter the mask to define a range of IP addresses Note that this mask is different than in other u...

Page 565: ... drop down menu Range Select a range of TCP UDP source ports to which the packet is matched There are eight different port ranges that can be configured shared between source and destination ports TCP and UDP protocols each have eight port ranges Destination Port Select one of the available values These are the same as the Source Port field described above NOTE You must specify the IP protocol for...

Page 566: ...lter on this code Any Accept all codes User Defined Enter an ICMP code for filtering purposes IGMP If the ACL is based on IGMP select the IGMP message type to be used for filtering purposes Either select the message type by name or enter the message type number Any All message types are accepted Select from list Select message type by name IGMP Type to match Number of message type that is to be us...

Page 567: ...tains the ACE rules for a specified ACL group of rules STEP 2 Select an ACL and click Go All currently defined IP ACEs for the selected ACL are displayed STEP 3 Click Add STEP 4 Enter the parameters ACL Name Displays the name of the ACL to which an ACE is being added Priority Enter the priority ACEs with higher priority are processed first Action Select the action assigned to the packet matching t...

Page 568: ...rotocol ICMP or Protocol ID to Match Enter the ID of the protocol to be matched Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source IP Address Value Enter the IP address to which the source IP address is to be matched and its mask if relevant Source IP Prefix Length Enter the prefix length of the source IP ...

Page 569: ...e flag is Not SET Dont care Ignore the TCP flag Type of Service The service type of the IP packet Any Any service type DSCP to Match Differentiated Serves Code Point DSCP to match IP Precedence to match IP precedence is a model of TOS type of service that the network uses to help provide the appropriate QoS commitments This model uses the 3 most significant bits of the service type byte in the IP ...

Page 570: ... an interface it cannot be edited modified or deleted until it is removed from all the ports to which it is bound or in use NOTE It is possible to bind an interface port LAG or VLAN to a policy or to an ACL but they cannot be bound to both a policy and an ACL NOTE In the same class map a MAC ACL cannot be used with an IPv6 ACE that has a Destination IPv6 address as a filtering condition ACL Bindin...

Page 571: ...port or LAG STEP 1 Click Access Control ACL Binding Port STEP 2 Select an interface type Ports LAGs Port or LAG STEP 3 Click Go For each type of interface selected all interfaces of that type are displayed with a list of their current ACLs Interface Identifier of interface on which ACL is defined MAC ACL ACLs of type MAC that are bound to the interface if any IPv4 ACL ACLs of type IPv4 that are bo...

Page 572: ... Action Select one of the following options Deny Any If packet does not match an ACL it is denied dropped Permit Any If packet does not match an ACL it is permitted forwarded NOTE Default Action can be defined only if IP Source Guard is not activated on the interface STEP 6 Click Apply The ACL binding is modified and the Running Configuration file is updated NOTE If no ACL is selected the ACL s th...

Page 573: ...eature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components General QoS Basic Mode QoS Advanced Mode Managing QoS Statistics ...

Page 574: ...ssification is done by ACL Access Control List and only traffic that meets the ACL criteria is subject to CoS or QoS classification Assignment to Software Queues Assigns incoming packets to forwarding queues Packets are sent to a particular queue for handling as a function of the traffic class to which they belong See Queue Other Traffic Class Handling Attribute Applies QoS mechanisms to various c...

Page 575: ... the DSCP to Queue page depending on whether the trust mode is CoS 802 1p or DSCP respectively Advanced Mode Per flow Quality of Service QoS In advanced mode a per flow QoS consists of a class map and or a policer A class map defines the kind of traffic in a flow and contains one or more ACLs Packets that match the ACLs belong to the flow A policer applies the configured QoS to a flow The QoS conf...

Page 576: ...ach IP DSCP TC value with the DSCP to Queue page If the device is in DSCP trusted mode incoming packets are put into the egress queues based on the their DSCP TC value STEP 5 Designate an egress queue to each CoS 802 1p priority If the device is in CoS 802 1 trusted mode all incoming packets are put into the designated egress queues according to the CoS 802 1p priority in the packets This is done ...

Page 577: ...or Disabled as described in the QoS Modes section In addition the default CoS priority for each interface can be defined To select the QoS mode STEP 1 Click Quality of Service General QoS Properties STEP 2 Set the QoS mode The following options are available Disable QoS is disabled on the device Basic QoS is enabled on the device in Basic mode Advanced QoS is enabled on the device in Advanced mode...

Page 578: ... supported is as follows The 350 device supports 4 queues for each interface Queue number four is the highest priority queue Queue number one is the lowest priority queue The 550 device supports 8 queues for each interface Queue number eight is the highest priority queue Queue number one is the lowest priority queue There are two ways of determining how traffic in queues is handled Strict Priority...

Page 579: ...trict priority In this case traffic for the strict priority queues is always sent before traffic from the WRR queues Only after the strict priority queues have been emptied is traffic from the WRR queues forwarded The relative portion from each WRR queue depends on its weight To select the priority method and enter WRR data STEP 1 Click Quality of Service General Queue STEP 2 Enter the parameters ...

Page 580: ... describes the default mapping when there are 4 queues The following table describes the default mapping when there are 8 queues for the 550 family 802 1p Values 0 7 7 being the highest Queue 4 queues 1 4 4 being the highest priority Notes 0 1 Background 1 1 Best Effort 2 2 Excellent Effort 3 3 Critical Application LVS phone SIP 4 3 Video 5 4 Voice Cisco IP phone default 6 4 Interwork Control LVS ...

Page 581: ... values to egress queues STEP 1 Click Quality of Service General CoS 802 1p to Queue STEP 2 Enter the parameters 802 1p Displays the 802 1p priority tag values to be assigned to an egress queue where 0 is the lowest and 7 is the highest priority Output Queue Select the egress queue to which the 802 1p priority is mapped Either four or eight egress queues are supported where Queue 4 or Queue 8 is t...

Page 582: ...ueues The DSCP to Queue Table determines the egress queues of the incoming IP packets based on their DSCP values The original VPT VLAN Priority Tag of the packet is unchanged By simply changing the DSCP to Queue mapping and the Queue schedule method and bandwidth allocation it is possible to achieve the desired quality of services in a network The DSCP to Queue mapping is applicable to IP packets ...

Page 583: ... 39 31 23 15 7 Queue 3 3 4 3 3 2 1 1 DSCP 62 54 46 38 30 22 14 6 Queue 3 3 4 3 3 2 1 1 DSCP 61 53 45 37 29 21 13 5 Queue 3 3 4 3 3 2 1 1 DSCP 60 52 44 36 28 20 12 4 Queue 3 3 4 3 3 2 1 1 DSCP 59 51 43 35 27 19 11 3 Queue 3 3 4 3 3 2 1 1 DSCP 58 50 42 34 26 18 10 2 Queue 3 3 4 3 3 2 1 1 DSCP 57 49 41 33 25 17 9 1 Queue 3 3 4 3 3 2 1 1 DSCP 56 48 40 32 24 16 8 0 Queue 3 3 4 3 3 2 1 1 DSCP 63 55 47 3...

Page 584: ...naged Switches 564 26 DSCP 60 52 44 36 28 20 12 4 Queue 6 6 7 5 4 3 2 1 DSCP 59 51 43 35 27 19 11 3 Queue 6 6 7 5 4 3 2 1 DSCP 58 50 42 34 26 18 10 2 Queue 6 6 7 5 4 3 2 1 DSCP 57 49 41 33 25 17 9 1 Queue 6 6 7 5 4 3 2 1 DSCP 56 48 40 32 24 16 8 0 Queue 6 6 6 7 6 6 1 1 ...

Page 585: ...sociated class STEP 2 Select the Output Queue traffic forwarding queue to which the DSCP value is mapped STEP 3 Select Restore Defaults to restore the factory CoS default setting for this interface DSCP 63 55 47 39 31 23 15 7 Queue 7 7 8 6 5 4 3 1 DSCP 62 54 46 38 30 22 14 6 Queue 7 7 8 6 5 4 3 1 DSCP 61 53 45 37 29 21 13 5 Queue 7 7 8 6 5 4 3 1 DSCP 60 52 44 36 28 20 12 4 Queue 7 7 8 6 5 4 3 1 DS...

Page 586: ...e egress interface measured in bits per second Committed Burst Size CBS is the burst of data that is allowed to be sent even though it is above the CIR This is defined in number of bytes of data To enter bandwidth limitation STEP 1 Click Quality of Service General Bandwidth The Bandwidth page displays bandwidth information for each interface The column is the ingress rate limit for the port divide...

Page 587: ...ettings are written to the Running Configuration file Egress Shaping per Queue In addition to limiting transmission rate per port which is done in the Bandwidth page the device can limit the transmission rate of selected egressing frames on a per queue per port basis Egress rate limiting is performed by shaping the output load The device limits all frames except for management frames Any frames th...

Page 588: ...ggregate traffic from all the ports on the device The following constraints apply to rate limiting per VLAN It has lower precedence than any other traffic policing defined in the system For example if a packet is subject to QoS rate limits but is also subject to VLAN rate limiting and the rate limits conflict the QoS rate limits take precedence It is applied at the device level and within the devi...

Page 589: ...Cannot be entered for LAGs STEP 4 Click Apply The VLAN rate limit is added and the Running Configuration file is updated TCP Congestion Avoidance The TCP Congestion Avoidance page enables activating a TCP congestion avoidance algorithm The algorithm breaks up or avoids TCP global synchronization in a congested node where the congestion is due to various sources sending packets with the same byte c...

Page 590: ...any port that as an exception should not trust the incoming CoS mark disable the QoS state on that port using the Interface Settings page Enable or disable the global selected trusted mode at the ports by using the Interface Settings page If a port is disabled without trusted mode all its ingress packets are forward in best effort It is recommended that you disable the trusted mode at the ports wh...

Page 591: ...nabled the device uses the new DSCP values for egress queueing It also replaces the original DSCP values in the packets with the new DSCP values NOTE The frame is mapped to an egress queue using the new rewritten value and not by the original DSCP value STEP 4 If Override Ingress DSCP was enabled click DSCP Override Table to reconfigure DSCP STEP 5 DSCP In displays the DSCP value of the incoming p...

Page 592: ...able QoS State for this interface STEP 6 Click Apply The Running Configuration file is updated QoS Advanced Mode This section covers the following topics Overview Global Settings Out of Profile DSCP Mapping Class Mapping Aggregate Policer Policy Table Policy Class Maps Policy Binding Overview Frames that match an ACL and were permitted entrance are implicitly labeled with the name of the ACL that ...

Page 593: ...policer can support class maps from different policies Per flow QoS are applied to flows by binding the policies to the desired ports A policy and its class maps can be bound to one or more ports but each port is bound with at most one policy Notes Single policer and aggregation policer are available when the device is in Layer 2 mode An ACL can be configured to one or more class maps regardless o...

Page 594: ...Policy Class Map page You can also specify the QoS if needed by assigning a policer to a class map when you associate the class map to the policy Single Policer Create a policy that associates a class map with a single policer by using the Policy Table page and the Class Mapping page Within the policy define the single policer Aggregate Policer Create a QoS action for each flow that sends all matc...

Page 595: ...o Not Trusted the default CoS values configured on the interface is ignored and all the traffic goes to queue 1 See the Quality of Service QoS Advanced Mode Global Settings page for details If you have a policy on an interface then the Default Mode is irrelevant the action is according to the policy configuration and unmatched traffic is dropped STEP 4 Select Override Ingress DSCP to override the ...

Page 596: ...e other domain to identify the same type of traffic These settings are active when the system is in the QoS basic mode and once activated they are active globally For example Assume that there are three levels of service Silver Gold and Platinum and the DSCP incoming values used to mark these levels are 10 20 and 30 respectively If this traffic is forwarded to another service provider that has the...

Page 597: ...ined class maps and the ACLs comprising each and enables you to add delete class maps To define a Class Map STEP 1 Click Quality of Service QoS Advanced Mode Class Mapping This page displays the already defined class maps STEP 2 Click Add A new class map is added by selecting one or two ACLs and giving the class map a name If a class map has two ACLs you can specify that a frame must match both AC...

Page 598: ... policer is bound to multiple ports each port has its own instance of single policer each applying the QoS on the class map flow at ports that are otherwise independent of each other A single policer is created in the Policy Table page Aggregate Policer An aggregate policer applies the QoS to one or more class maps and one or more flows An aggregation policer can support class maps from different ...

Page 599: ...ting aggregate policers STEP 2 Click Add STEP 3 Enter the parameters Aggregate Policer Name Enter the name of the Aggregate Policer Ingress Committed Information Rate CIR Enter the maximum bandwidth allowed in bits per second See the description of this in the Bandwidth page Ingress Committed Burst Size CBS Enter the maximum burst size even if it goes beyond the CIR in bytes See the description of...

Page 600: ...o add a QoS policy STEP 1 Click Quality of Service QoS Advanced Mode Policy Table This page displays the list of defined policies STEP 2 Click Policy Class Map Table to display the Policy Class Maps page or Click Add to open the Add Policy Table page STEP 3 Enter the name of the new policy in the New Policy Name field STEP 4 Click Apply The QoS policy profile is added and the Running Configuration...

Page 601: ...CoS 802 1p to Queue Table Set If this option is selected use the value entered in the New Value box to determine the egress queue of the matching packets as follows If the new value 0 7 is a CoS 802 1p priority use the priority value and the CoS 802 1p to Queue Table to determine the egress queue of all the matching packets If the new value 0 63 is a DSCP use the new DSCP and the DSCP to Queue Tab...

Page 602: ...licy profile is bound and to which port When a policy profile is bound to a specific port it is active on that port Only one policy profile can be configured on a single port but a single policy can be bound to more than one port When a policy is bound to a port it filters and applies QoS to ingress traffic that belongs to the flows defined in the policy The policy does not apply to traffic egress...

Page 603: ...LAG per interface The following fields are displayed for all ports LAGs Policy Name Permit All Managing QoS Statistics From these pages you can manage the Single Policer Aggregated Policer and view queues statistics Policer Statistics A Single Policer is bound to a class map from a single policy An Aggregate Policer is bound to one or more class maps from one or more policies Viewing Single Police...

Page 604: ...lect the interface for which statistics are accumulated Policy Name Select the policy name Class Map Name Select the class name STEP 4 Click Apply An additional request for statistics is created and the Running Configuration file is updated Viewing Aggregated Policer Statistics To view aggregated policer statistics STEP 1 Click Quality of Service QoS Statistics Aggregate Policer Statistics This pa...

Page 605: ...atistics are refreshed The available options are No Refresh Statistics are not refreshed 15 Sec Statistics are refreshed every 15 seconds 30 Sec Statistics are refreshed every 30 seconds 60 Sec Statistics are refreshed every 60 seconds Counter Set The options are Set 1 Displays the statistics for Set 1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statis...

Page 606: ...nterfaces and queues with a low DP Interface Select the ports for which statistics are displayed The options are Unit No Selects the unit number Port Selects the port on the selected unit number for which statistics are displayed All Ports Specifies that statistics are displayed for all ports Queue Select the queue for which statistics are displayed Drop Precedence Enter drop precedence that indic...

Page 607: ...ides a method for managing network devices It covers the following topics Overview Views Groups Users Communities Trap Settings Notification Recipients Notification Filter Overview This section includes the following topics SNMP Versions and Workflow SNMP Workflow Supported MIBs Model OIDs SNMPv1 2 Notification Recipients SNMPv3 Notification Recipients ...

Page 608: ...e functionality provided by SNMPv1 and v2 SNMPv3 applies access control and new trap mechanisms to SNMPv1 and SNMPv2 PDUs SNMPv3 also defines a User Security Model USM that includes Authentication Provides data integrity and data origin authentication Privacy Protects against disclosure message content Cipher Block Chaining CBC DES is used for encryption Either authentication alone can be enabled ...

Page 609: ...estrict the SNMP management station to one address or allow SNMP management from all addresses If you choose to restrict SNMP management to one address then input the address of your SNMP Management PC in the IP Address field STEP 3 Input the unique community string in the Community String field STEP 4 Optionally enable traps by using the Trap Settings page STEP 5 Optionally define a notification ...

Page 610: ...isco software navigator html Model OIDs The following are the device model Object IDs OIDs For the 350 family For the 550 family Model Name Description Object ID SG350XG 24F 8 GE ports and 2 special purpose combo ports GE SFP 9 6 1 91 24 8 SG350XG 24T 8 GE ports and 2 special purpose combo ports GE SFP 9 6 1 91 24 9 SG350XG 48T 8 GE ports and 2 special purpose combo ports GE SFP 9 6 1 91 48 9 SG35...

Page 611: ...This engine ID must be unique for the administrative domain so that no two devices in a network have the same engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize CAUTION When the engine ID is changed all configured users and groups are erased To define the SNMP engine ID STEP 1 Click SNMP Engine ID ...

Page 612: ...to specify the Engine ID server by IP address or name IP Version Select the supported IP format IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address ...

Page 613: ...e parameters View Name Enter a view name between 0 30 characters Object ID Subtree Select the node in the MIB tree that is included or excluded in the selected SNMP view The options to select the object are as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected node s parent and siblings press the Down arrow to descend to the level of...

Page 614: ... each frame Privacy SNMP frames can carry encrypted data Thus in SNMPv3 there are three levels of security No security No authentication and no privacy Authentication Authentication and no privacy Authentication and privacy SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive A group defines read write privileges and a level of security ...

Page 615: ...MP message origin is authenticated but does not encrypt them Authentication and Privacy Authenticates SNMP messages and encrypts them View Select to associate a view with either read write and or notify access privileges of the group limits the scope of the MIB tree to which the group has read write and notify access Read Management access is read only for the selected view Otherwise a user or a c...

Page 616: ...MP Engine ID page An SNMPv3 group must be available An SNMPv3 group is defined in the Groups page To display SNMP users and define new ones STEP 1 Click SNMP Users This page contains existing users STEP 2 Click Add This page provides information for assigning SNMP access control privileges to SNMP users STEP 3 Enter the parameters User Name Enter a name for the user Engine ID Select either the loc...

Page 617: ...a key by the MD5 authentication method SHA A password that is used for generating a key by the SHA Secure Hash Algorithm authentication method Authentication Password If authentication is accomplished by either a MD5 or a SHA password enter the local user password in either Encrypted or Plaintext Local user passwords are compared to the local database and can contain up to 32 ASCII characters Priv...

Page 618: ...e or SNMP Admin In addition you can restrict the access to the community to only certain MIB objects by selecting a view defined in the Views page Advanced Mode The access rights of a community are defined by a group defined in the Groups page You can configure the group with a specific security model The access rights of a group are Read Write and Notify To define SNMP communities STEP 1 Click SN...

Page 619: ...s no connection to any group You can only choose the community access level Read Only Read Write or SNMP Admin and optionally further qualify it for a specific view By default it applies to the entire MIB If this is selected enter the following fields Access Mode Select the access rights of the community The options are Read Only Management access is restricted to read only Changes cannot be made ...

Page 620: ...5 The system can generate traps defined in the MIB that it supports Trap receivers aka Notification Recipients are network nodes where the trap messages are sent by the device A list of notification recipients are defined as the targets of trap messages A trap receiver entry contains the IP address of the node and the SNMP credentials corresponding to the version that is included in the trap messa...

Page 621: ... address in inform messages for communication with IPv4 SNMP servers Traps IPv4 Source Interface Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers Informs IPv6 Source Interface Select the source interface whose IPv4 address will be used as the source IPv4 address in inform messages for communication with...

Page 622: ...the recipient device Notification Type Select whether to send Traps or Informs If both are required two recipients must be created Timeout Enter the number of seconds the device waits before re sending informs Retries Enter the number of times that the device resends an inform request Community String Select from the pull down the community string of the trap manager Community String names are gen...

Page 623: ...IPv6 Source Interface Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers STEP 2 Click Add STEP 3 Enter the parameters Server Definition Select whether to specify the remote log server by IP address or name IP Version Select either IPv4 or IPv6 IPv6 Address Type Select the IPv6 address type if IPv6 is used...

Page 624: ...entication is applied to the packet NOTE The Security Level here depends on which User Name was selected If this User Name was configured as No Authentication the Security Level is No Authentication only However if this User Name has assigned Authentication and Privacy on the Users page the security level on this screen can be either No Authentication or Authentication Only or Authentication and P...

Page 625: ...fication entries by Filter Name STEP 2 Click Add STEP 3 Enter the parameters Filter Name Enter a name between 0 30 characters Object ID Subtree Select the node in the MIB tree that is included or excluded in the selected SNMP filter The options to select the object are as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected node s pare...

Reviews:

No comments

Brands by name

Popular brands

Load more brands