manualshive.com logo in svg

Cisco ESW2-550X-48, Administration Manual, Page: 364 / 548

Share
Download
Cisco ESW2-550X-48 Administration Manual Download Page 364

IP Configuration: RIPv2

Configuring RIP

Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3

346

18

 

Plain text or password—Uses a key password (string) that is sent along 
with the route to another router. The receiving router compares this key to 
its own configured key. If they are the same, it accepts the route. 

MD5—Uses MD5 digest authentication. Each router is configured with a set 
of secret keys. This set is called a 

key chain

. Each key chain consists of one 

or more keys. Each key has an identifying number (

key identifier

), 

key 

string

 and optionally, a 

send-lifetime

 and 

accept-lifetime

 value. The send-

lifetime is the time period during which an authentication key on a key chain 
is valid to be sent; the accept-lifetime is the time period during which the 
authentication key on a key chain is received as valid.

Each transmitted RIP message contains the calculated MD5 digest of the 
message (containing the key chain), plus the key identifier of the used key 
string. The receiver also has the key chain configured on it. The key 
identifier is used by the receiver to select the key for validating the MD5 
digest.

RIP Statistical Counters

You can monitor the RIP operation by checking statistical counters per IP interface. 
See 

Displaying RIPv2 Statistic Counters

 for a description of these counters.

RIP Peers Database

You can monitor the RIP peers database per IP interface. See 

Displaying the 

RIPv2 Peers Database

 for a description of these counters

Configuring RIP

The following actions can be performed. 

Mandatory actions:

-

Globally enable/disable RIP protocol, using the RIPv2 Properties page. 

-

Enable/disable RIP protocol on an IP interface, using the RIPv2 Settings 
page. 

Optional actions (if these are not performed, default values are used by the 
system)

Summary of Contents for ESW2-550X-48

Page 1: ...Cisco ESW2 Series Advanced Switches ADMINISTRATION GUIDE ...

Page 2: ...on Header 8 Management Buttons 10 Chapter 2 Status and Statistics 12 Viewing Ethernet Interfaces 12 Viewing Etherlike Statistics 13 Viewing GVRP Statistics 15 Viewing 802 1X EAP Statistics 16 Viewing TCAM Utilization 17 Managing RMON 18 Viewing RMON Statistics 19 Configuring RMON History 21 Viewing the RMON History Table 22 Defining RMON Events Control 23 Viewing the RMON Events Logs 24 Defining R...

Page 3: ...es 48 Copy Save Configuration 49 DHCP Auto Configuration 50 DHCP Server Options 51 Auto Configuration Download Protocol TFTP or SCP 52 SSH Client Authentication Parameters 52 Auto Configuration Process 53 Configuring DHCP Auto Configuration 54 Chapter 5 Administration Stack Management 58 Overview 58 Types of Units in Stack 60 Backward Compatibility of Number of Units in Stack 60 Unit LEDs 61 Stack...

Page 4: ...ration After Reboot 73 Stack Ports 73 Default Stack and Network Ports 74 Port Pairs 74 Port Speeds 75 Auto Selection of Port Speed 75 Connecting Units 75 Cables Types 75 Default Configuration 78 Interactions With Other Features 78 System Modes 78 System Mode Backwards Compatibility 79 System Mode and Stack Management 79 Chapter 6 Administration General Information 82 Device Models 82 System Inform...

Page 5: ...P Server 105 Configuring the SNTP Mode 108 Defining SNTP Authentication 108 Time Range 109 Absolute Time Range 110 Recurring Time Range 111 Chapter 8 Administration Diagnostics 112 Testing Copper Ports 112 Displaying Optical Module Status 114 MSA compatible SFPs 114 Configuring Port and VLAN Mirroring 115 Viewing CPU Utilization and Secure Core Technology 117 Chapter 9 Administration Discovery 120...

Page 6: ...e Settings 146 Displaying CDP Local Information 147 Displaying CDP Neighbors Information 149 Viewing CDP Statistics 151 Chapter 10 Port Management 152 Configuring Ports 152 Setting Port Configuration 153 Configuring Link Aggregation 156 Link Aggregation Overview 157 Load Balancing 157 Default Settings and Configuration 158 Static and Dynamic LAG Workflow 158 Defining LAG Management 159 Configuring...

Page 7: ...n 178 How the Smartport Feature Works 179 Auto Smartport 180 Enabling Auto Smartport 180 Identifying Smartport Type 180 Using CDP LLDP Information to Identify Smartport Types 181 Multiple Devices Attached to the Port 182 Persistent Auto Smartport Interface 183 Error Handling 183 Default Configuration 184 Relationships with Other Features and Backwards Compatibility 184 Common Smartport Tasks 184 C...

Page 8: ... 219 Configuring Port to VLAN 220 Configuring VLAN Membership 221 GVRP Settings 223 Defining GVRP Settings 223 VLAN Groups 224 MAC based Groups 224 Assigning MAC based VLAN Groups 225 Mapping VLAN Group to VLAN Per Interface 225 Protocol based VLANs 226 Protocol Based Groups 226 Protocol Based Groups to VLAN Mapping 227 Voice VLAN 228 Voice VLAN Overview 228 Dynamic Voice VLAN Modes 229 Voice End ...

Page 9: ...PE VLANs to Multicast TV VLANs 245 CPE Port Multicast VLAN Membership 246 Chapter 14 Spanning Tree 248 STP Flavors 248 Configuring STP Status and Global Settings 249 Defining Spanning Tree Interface Settings 251 Configuring Rapid Spanning Tree Settings 253 Multiple Spanning Tree 256 Defining MSTP Properties 256 Mapping VLANs to a MSTP Instance 257 Defining MSTP Instance Settings 258 Defining MSTP ...

Page 10: ...st Group 279 Defining Multicast Router Ports 280 Defining Forward All Multicast 281 Defining Unregistered Multicast Settings 282 Chapter 17 IP Configuration 284 Overview 284 Layer 2 IP Addressing 285 Layer 3 IP Addressing 286 IPv4 Management and Interfaces 287 IPv4 Interface 287 Defining an IPv4 Interface in Layer 2 System Mode 287 Defining IPv4 Interface in Layer 3 System Mode 288 IPv4 Routes 291...

Page 11: ... Interface Settings 305 DHCP Snooping Trusted Interfaces 305 DHCP Snooping Binding Database 306 DHCP Server 307 DHCP Options 307 Dependencies Between Features 309 Default Settings and Configurations 309 DHCPv4 Server 310 Network Pool 310 Excluded Addresses 312 Static Hosts 312 Address Binding 314 IPv6 Management and Interfaces 315 IPv6 Static Routing 316 IPv6 Global Configuration 316 IPv6 Interfac...

Page 12: ...abling RIP 341 Offset Configuration 341 Passive Mode 342 Filtering Routing Updates 343 Advertising Default Route Entries on IP Interfaces 343 Redistribution Feature 343 Using RIP in Network with Non Rip Devices 345 RIP Authentication 345 RIP Statistical Counters 346 RIP Peers Database 346 Configuring RIP 346 RIPv2 Properties 347 RIPv2 Settings on an IP Interface 349 Displaying RIPv2 Statistic Coun...

Page 13: ...apter 20 Security 364 Defining Users 365 Setting User Accounts 365 Setting Password Complexity Rules 367 Configuring TACACS 368 Accounting Using a TACACS Server 369 Defaults 370 Interactions With Other Features 370 Workflow 370 Configuring a TACACS Server 370 Configuring RADIUS 373 Accounting Using a RADIUS Server 373 Defaults 373 Interactions With Other Features 374 Radius Workflow 374 Key Manage...

Page 14: ... Properties 397 Defining 802 1X Port Authentication 399 Defining Host and Session Authentication 402 Viewing Authenticated Hosts 404 Defining Time Ranges 404 Denial of Service Prevention 405 Secure Core Technology SCT 405 Types of DoS Attacks 405 Defense Against DoS Attacks 406 Dependencies Between Features 407 Default Configuration 407 Configuring DoS Prevention 407 Security Suite Settings 407 SY...

Page 15: ...ynamic ARP Inspection Interfaces Settings 422 Defining ARP Inspection Access Control 422 Defining ARP Inspection Access Control Rules 423 Defining ARP Inspection VLAN Settings 423 Chapter 21 Security SSH Client 424 Secure Copy SCP and SSH 424 Protection Methods 425 Passwords 425 Public Private Keys 426 Import Keys 426 SSH Server Authentication 427 SSH Client Authentication 428 Supported Algorithms...

Page 16: ...ult SSD Rules 445 SSD Default Read Mode Session Override 446 SSD Properties 446 Passphrase 447 Default and User defined Passphrases 447 Local Passphrase 447 Configuration File Passphrase Control 448 Configuration File Integrity Control 448 Read Mode 449 Configuration Files 449 File SSD Indicator 449 SSD Control Block 450 Startup Configuration File 450 Running Configuration File 451 Backup and Mirr...

Page 17: ... ACL Binding 473 Chapter 25 Quality of Service 476 QoS Features and Components 477 QoS Modes 477 QoS Workflow 478 Configuring QoS General 479 Setting QoS Properties 480 Configuring QoS Queues 481 Mapping CoS 802 1p to a Queue 482 Mapping DSCP to Queue 484 Configuring Bandwidth 487 Configuring Egress Shaping per Queue 489 Configuring VLAN Ingress Rate Limit 489 TCP Congestion Avoidance 491 QoS Basi...

Page 18: ...5 Viewing Single Policer Statistics 505 Viewing Aggregated Policer Statistics 506 Viewing Queues Statistics 506 Chapter 26 SNMP 510 SNMP Versions and Workflow 510 SNMPv1 and v2 511 SNMPv3 511 SNMP Workflow 511 Supported MIBs 513 Model OIDs 513 SNMP Engine ID 514 Configuring SNMP Views 516 Creating SNMP Groups 517 Managing SNMP Users 519 Defining SNMP Communities 521 Defining Trap Settings 523 Noti...

Page 19: ... This section describes how to navigate the web based switch configuration utility If you are using a pop up blocker make sure it is disabled Browser Restrictions If you are using older versions of Internet Explorer you cannot directly use an IPv6 address to access the device You can however use the DNS Domain Name System server to create a domain name that contains the IPv6 address and then use t...

Page 20: ...ser requests Chinese for example and Chinese has been loaded into your device the Login page is automatically displayed in Chinese If Chinese has not been loaded into your device the Login page appears in English The languages loaded into the device have a language and country code en US en GB and so on For the Login page to be automatically displayed in a particular language based on the browser ...

Page 21: ... please see the Launching the Configuration Utility section in the Administration Guide for additional information Select Don t show this page on startup to prevent the Getting Started page from being displayed each time that you log on to the system If you select this option the System Summary page is opened instead of the Getting Started page HTTP HTTPS You can either open an HTTP session not se...

Page 22: ...o discovers a device such as an IP phone see What is a Smartport and it configures the port appropriately for the device These configuration commands are written to the Running Configuration file This causes the Save icon to begin blinking when the you log on even though you did not make any configuration changes When you click Save the Copy Save Configuration page appears Save the Running Configu...

Page 23: ...gement page Change Management Applications and Services TCP UDP Services page Change Device IP Address IPv4 Interface page Create VLAN Create VLAN page Configure Port Settings Port Setting page Device Status System Summary System Summary page Port Statistics Interface page RMON Statistics Statistics page View Log RAM Memory page Quick Access Change Device Password User Accounts page Upgrade Device...

Page 24: ...ernet ports 10 100 1000 bits These are displayed as GE Ten Gigabit Ethernet ports 10000 bits These are displayed as XG LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Unit Number Unit in stack In standalone models this is always 1 Slot Number The slot number is either 1 or 2 Slot number 1 identifies an SG500 SG500X or ESW2 550 devic...

Page 25: ...500X ESW2 550X devices always run in both Layer 2 and Advanced Layer 3 system mode Stack ports are different on these devices See Stack Ports Port speed availability per cable types are different on these devices See Cables Types Enabling IPv4 routing is done differently in the two types of devices as follows SG500X ESW2 550X IPv4 routing must be enabled in the IPv4 Interface page Sx500 When the d...

Page 26: ...en made that have not yet been saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the device After this save the red X icon and the Save application link are no longer displayed When the...

Page 27: ...labels disappear and in their place are the IDs of the strings that correspond to the IDs in the language file NOTE To upgrade a language file use the Upgrade Backup Firmware Language page Logout Click to log out of the web based switch configuration utility About Click to display the device name and device version number Help Click to display the online help The SYSLOG Alert Status icon appears w...

Page 28: ...the Running Configuration to the Startup Configuration file type on the device Apply Click to apply changes to the Running Configuration on the device If the device is rebooted the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Confi...

Page 29: ... the destination entry numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The Edit page appears and the entry can be modified 1 Click Apply to save the changes to the Runnin...

Page 30: ... per port The refresh rate of the information can be selected This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast To display Ethernet statistics and or set the refresh rate STEP 1 Click Status and Statistics Interface STEP 2 Enter the parameters Interface Select the type of interface and specific interface for wh...

Page 31: ...mit Statistics area displays information about outgoing packets Total Bytes Octets Octets transmitted including bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets transmitted Multicast Packets Good Multicast packets transmitted Broadcast Packets Good Broadcast packets transmitted To clear statistics counters Click Clear Interface Counters to clear counters f...

Page 32: ... redundancy checks Single Collision Frames Frames that were involved in a single collision but were successfully transmitted Late Collisions Collisions that have been detected after the first 512 bits of data Excessive Collisions Number of transmissions rejected due to excessive collisions Oversize Packets Packets greater than 2000 octets received Internal MAC Receive Errors Frames rejected becaus...

Page 33: ...for which GVRP statistics are to be displayed Refresh Rate Select the time period that passes before the GVRP statistics page is refreshed The Attribute Counter block displays the counters for various types of packets per interface Join Empty Number of GVRP Join Empty packets received transmitted Empty Number of GVRP empty packets received transmitted Leave Empty Number of GVRP Leave Empty packets...

Page 34: ...istics 802 1x EAP STEP 2 Select the Interface that is polled for statistics STEP 3 Select the time period Refresh Rate that passes before the EAP statistics are refreshed The values are displayed for the selected interface EAPOL Frames Received Valid EAPOL frames received on the port EAPOL Frames Transmitted Valid EAPOL frames transmitted by the port EAPOL Start Frames Received EAPOL Start frames ...

Page 35: ...ry to support packet actions in wire speed TCAM holds the rules produced by applications such as ACLs Access Control Lists Quality of Service QoS IP Routing and user created rules The maximum number of TCAM rules that can be allocated by all applications on the device is 2048 for Sx500 devices and 3096 for SG500X ESW2 550X devices Some applications allocate rules upon their initiation Additionally...

Page 36: ...at enables an SNMP agent in the device to proactively monitor traffic statistics over a given period and send traps to an SNMP manager The local SNMP agent compares actual real time counters against predefined thresholds and generates alarms without the need for polling by a central SNMP management platform This is an effective mechanism for proactive management provided that you have the correct ...

Page 37: ...ot been detected Received Rx error event has not been detected Packet has a valid CRC To view RMON statistics and or set the refresh rate STEP 1 Click Status and Statistics RMON Statistics STEP 2 Select the Interface for which Ethernet statistics are to be displayed STEP 3 Select the Refresh Rate the time period that passes before the interface statistics are refreshed The statistics are displayed...

Page 38: ...ata length is greater than MRU Packet has an invalid CRC Received Rx Error Event has not been detected Collisions Number of collisions received If Jumbo Frames are enabled the threshold of Jabber Frames is raised to the maximum size of Jumbo Frames Frames of 64 Bytes Number of frames containing 64 bytes that were received Frames of 65 to 127 Bytes Number of frames containing 65 127 bytes that were...

Page 39: ...nt Number of Samples RMON is allowed by standard to not grant all requested samples but rather to limit the number of samples per request Therefore this field represents the sample number actually granted to the request that is equal or less than the requested value STEP 2 Click Add STEP 3 Enter the parameters New History Entry Displays the number of the new History table entry Source Interface Se...

Page 40: ...s but rather the number of times dropped packets were detected Bytes Received Octets received including bad packets and FCS octets but excluding framing bits Packets Received Packets received including bad packets Multicast and Broadcast packets Broadcast Packets Good Broadcast packets excluding Multicast packets Multicast Packets Good Multicast packets received CRC Align Errors CRC and Align erro...

Page 41: ...cs RMON Events This page displays previously defined events STEP 2 Click Add STEP 3 Enter the parameters Event Entry Displays the event entry index number for the new entry Community Enter the SNMP community string to be included when traps are sent optional Description Enter a name for the event This name is used in the Add RMON Alarm page to attach an alarm to an event Notification Type Select t...

Page 42: ...and the conditions of the alarm have occurred STEP 1 Click Status and Statistics RMON Events STEP 2 Click Event Log Table This page displays the following fields Event Entry No Event s log entry number Log No Log number within the event Log Time Time that the log entry was entered Description Description of event that triggered the alarm Defining RMON Alarms RMON alarms provide a mechanism for set...

Page 43: ...Counter Name Select the MIB variable that indicates the type of occurrence measured Sample Type Select the sampling method to generate an alarm The options are Absolute If the threshold is crossed an alarm is generated Delta Subtracts the last sampled value from the current value The difference in the values is compared to the threshold If the threshold was crossed an alarm is generated Rising Thr...

Page 44: ... falling value triggers the falling threshold alarm Rising and Falling Both rising and falling values trigger the alarm Interval Enter the alarm interval time in seconds Owner Enter the name of the user or network management system that receives the alarm STEP 4 Click Apply The RMON alarm is saved to the Running Configuration file ...

Page 45: ...Status and Statistics Managing RMON 27 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 2 ...

Page 46: ...nd persists across reboots In addition you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages This section covers the following sections Setting System Log Settings Setting Remote Logging Settings Viewing Memory Logs Setting System Log Settings You can enable or disable logging on the Log Settings page and select whether to aggregate log messages You can selec...

Page 47: ... causes all of the higher severity events to be automatically stored in the log Lower severity events are not stored in the log For example if Warning is selected all severity levels that are Warning and higher are stored in the log Emergency Alert Critical Error and Warning No events with severity level below Warning are stored Notice Informational and Debug To set global log parameters STEP 1 Cl...

Page 48: ...g Select the severity levels of the messages to be logged to the RAM Flash Memory Logging Select the severity levels of the messages to be logged to the Flash memory STEP 3 Click Apply The Running Configuration file is updated Setting Remote Logging Settings The Remote Log Servers page enables defining remote SYSLOG servers where log messages are sent using the SYSLOG protocol For each server you ...

Page 49: ...e Enter the IP address or domain name of the log server UDP Port Enter the UDP port to which the log messages are sent Facility Select a facility value from which system logs are sent to the remote server Only one facility value can be assigned to a server If a second facility code is assigned the first facility value is overridden Description Enter a server description Minimum Severity Select the...

Page 50: ...ntry number Log Time Time when message was generated Severity Event severity Description Message text describing the event To clear the log messages click Clear Logs The messages are cleared Flash Memory The Flash Memory page displays the messages that were stored in the Flash memory in chronological order The minimum severity for logging is configured in the Log Settings page Flash logs remain wh...

Page 51: ...Administration System Log Viewing Memory Logs 33 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 3 ...

Page 52: ...HCP Auto Configuration System Files System files are files that contain configuration information firmware images or boot code Various actions can be performed with these files such as selecting the firmware file from which the device boots copying various types of configuration files internally on the device or copying files to or from an external device such as an external server The possible me...

Page 53: ...ing Configuration Contains the parameters currently being used by the device to operate This is the only file type that is modified when you change parameter values on the device If the device is rebooted the Running Configuration is lost The Startup Configuration stored in Flash overwrites the Running Configuration stored in RAM To preserve any changes you made to the device you must save the Run...

Page 54: ...age Boot Code Controls the basic system startup and launches the firmware image Language File The dictionary that enables the web based configuration utility windows to be displayed in the selected language Flash Log SYSLOG messages stored in Flash memory File Actions The following actions can be performed to manage firmware and configuration files Upgrade the firmware or boot code or replace a se...

Page 55: ...by the browser TFTP that requires a TFTP server Secure Copy Protocol SCP that requires an SCP server If a new language file was loaded onto the device the new language can be selected from the drop down menu It is not necessary to reboot the device This language file is automatically copied to all devices in the stack All software images on the stack must be identical to ensure the proper operatio...

Page 56: ...in the Active Image section Then boot the device NOTE If the device is running in stacking mode the new firmware is pushed to all of the stack units If there is a new device joining the stack with a different firmware version the master unit syncs the firmware version automatically with this newly joined unit This occurs transparently without any manual intervention Upgrade Backing Firmware or Lan...

Page 57: ...If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 is used from the list TFTP Server IP Address Name Enter the IP address or the domain name of the TFTP server For Upgrade Source File N...

Page 58: ...to the SSH User Authentication page where the user password can be set once for all future use Use SSH Client One Time Credentials Enter the following Username Enter a username for this copy action Password Enter a password for this copy NOTE The username and password for one time credential will not saved in configuration file Select one of the following Save Actions Upgrade Specifies that the fi...

Page 59: ...he name of the backup file STEP 6 Click Apply If the files passwords and server addresses are correct one of the following may happen If SSH server authentication is enabled in the SSH Server Authentication page and the SCP server is trusted the operation succeeds If the SCP server is not trusted the operation fails and an error is displayed If SSH server authentication is not enabled the operatio...

Page 60: ... Log page enables Backing up configuration files or logs from the device to an external device Restoring configuration files from an external device to the device NOTE If the device is working in stacking mode the configuration files are taken from the master unit When restoring a configuration file to the Running Configuration the imported file adds any configuration commands that did not exist i...

Page 61: ...ored Otherwise if the System mode is changed the following cases are possible If the configuration file is downloaded onto the device using the Download Backup Configuration Log page the operation is aborted and a message is displayed indicating that the System mode must be changed in the System Mode and Stack Management page If the configuration file is downloaded during an automatic configuratio...

Page 62: ...Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks d Link Local Interface Select the link local interface from the list e TFTP Server Enter the IP address of the TFTP server f Source File Name Enter the so...

Page 63: ...f the TFTP server f Source File Type Enter the source configuration file type Only valid file types are displayed The file types are described in the Files and File Types section g Sensitive Data Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypted Include sensitive data in the backup in it...

Page 64: ...le types are described in the Files and File Types section b Sensitive Data Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypted Include sensitive data in the backup in its encrypted form Plaintext Include sensitive data in the backup in its plaintext form NOTE The available sensitive data ...

Page 65: ...type if used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a glo...

Page 66: ... SSD rules For details refer to Secure Sensitive Data Management SSD Rules page Destination File Name Name of file being copied to STEP 6 Click Apply The file is upgraded or backed up Configuration Files Properties The Configuration Files Properties page allows you to see when various system configuration files were created It also enables deleting the Startup Configuration and Backup Configuratio...

Page 67: ...he Running Configuration To preserve the parameters in the Running Configuration the Running Configuration must be copied to another configuration type or saved on another device CAUTION Unless the Running Configuration is copied to the Startup Configuration or another configuration file all changes made since the last time the file was copied are lost when the device is rebooted The following com...

Page 68: ...ata is included in the backup file in plain text NOTE The available sensitive data options are determined by the current user SSD rules For details refer to Secure Sensitive Data Management SSD Rules page STEP 4 The Save Icon Blinking field indicates whether an icon blinks when there is unsaved data To disable enable this feature click Disable Enable Save Icon Blinking STEP 5 Click Apply The file ...

Page 69: ...sends information to the device This occurs in the following cases When an interface which is IPv6 enabled is defined as a DHCPv6 stateless configuration client When DHCPv6 messages are received from the server for example when you press the Restart button on IPv6 Interfaces page When DHCPv6 information is refreshed by the device After rebooting the device when stateless DHCPv6 client is enabled W...

Page 70: ...gardless of the file extension of the configuration file name SCP Only The download is done through SCP over SSH regardless of the file extension of the configuration file name SSH Client Authentication Parameters By default remote SSH server authentication is disabled so that the device accepts any remote SSH server out of the box You can enable remote SSH server authentication to only allow conn...

Page 71: ...ted Broadcast address for IPv4 or ALL NODES address for IPv6 on its IP interfaces and continues the process of Auto Configuration with the first answering TFTP server For DHCPv6 The Auto Configuration process is halted If the configuration filename was supplied by the DHCP server DHCPv4 option 67 DHCPv6 option 60 then the copy protocol SCP TFTP is selected as described in Auto Configuration Downlo...

Page 72: ...ode or Defining IPv4 Interface in Layer 3 System Mode pages and or define the device as a DHCPv6 client in the IPv6 Interface page Web Configuration The DHCP Auto Configuration page is used to perform the following actions when the information is not provided in a DHCP message Enable the DHCP auto configuration feature Specify the download protocol Configure the device to receive configuration inf...

Page 73: ...e Extension for SCP If Auto By File Extension is selected you can indicate a file extension here Any file with this extension is downloaded using SCP If no extension is entered the default file extension scp is used TFTP Only Select to indicate that only the TFTP protocol is to be used for auto configuration SCP Only Select to indicate that only the SCP protocol is to be used for auto configuratio...

Page 74: ... local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 is used from the list Backup Server IP Address Name Enter the IP address or the name of the server to be u...

Page 75: ...Administration File Management DHCP Auto Configuration 57 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 4 ...

Page 76: ...ck Software Auto Synchronization in Stack Stack Unit Mode Stack Ports Default Configuration Interactions With Other Features System Modes Overview Devices can either function on their own Standalone mode or they can be connected into a stack of up to eight devices in various stacking modes see Stack Unit Mode The devices units in a stack are connected through stack ports These devices are then col...

Page 77: ...up unit becomes the master of the stack if the original master fails The stack system supports two types of topologies chain see Stack Architecture Chain Topology and ring see Stack in Ring Topology In ring topology if one of the stack ports fails the stack continues to function in chain topology see Stack Topology A process known as Fast Stack Link Failover is supported on the ports in a ring sta...

Page 78: ...ckup unit fails in addition to the master and the only functioning units are the slave units these also stop functioning after one minute This means for example that if after 1 minute you plug in a cable to one of the slave units that was running without a master the link will not come up Backward Compatibility of Number of Units in Stack Previous versions of the device supported a maximum of four...

Page 79: ...rked as 1 2 3 4 which are used to display the unit ID of each unit e g on Unit ID 1 LED 1 is ON and the other LEDs are OFF To support unit IDs greater than 4 the LED display is changed in accordance to the below definition Units 1 4 LEDs 1 4 are lit respectively Unit 5 LED 1 and 4 are lit Unit 6 LED 2 and 4 are lit Unit 7 LED 3 and 4 are lit Unit 8 LED 1 3 and 4 are lit ...

Page 80: ...ology Ring Topology All the units in the stack are connected in a chain The last unit is connected to the first unit The following shows a ring topology of an eight unit stack Stack in Ring Topology A ring topology is more reliable than a chain topology The failure of one link in a ring does not affect the function of the stack whereas the failure of one link in a chain connection might cause the ...

Page 81: ...e and Stack Management page in one of the following ways Automatically Auto The Unit ID is assigned by the topology discovery process This is the default setting Manually The unit ID is manually set to an integer from 1 8 In addition manual numbering includes the following options 1 Force Master Forces unit 1 to be the master 2 Force Master Forces unit 2 to be the master Duplicate Unit IDs If you ...

Page 82: ...it ID Assignment Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 64 5 Duplicate Unit Shut Down The following shows a case where one of the duplicate units auto numbered is renumbered Duplicate Unit Renumbered ...

Page 83: ... factors in selecting the master unit are taken into account in the following priority Force Master If Force Master is activated on a unit it is selected System Up Time The master enabled units exchange up time which is measured in segments of 10 minutes The unit with the higher number of segments is selected If both units have the same number of time segments and the unit ID of one of the units w...

Page 84: ...s events that can cause a change to the stack A stack topology changes when one of the following occurs One or more units are connecting and or disconnecting to and from the stack Any of its stack ports has a link up or down The stack changes between ring and chain formation When units are added or removed to and from a stack it triggers topology changes master election process and or unit ID assi...

Page 85: ...d the stack are shut down and a SYSLOG message is generated and appears on the master unit The following shows an example of auto numbering when a master enabled unit joins the stack There are two units with unit ID 1 The master selection process selects the best unit to be the master unit The best unit is the unit with the higher uptime in segments of 10 minutes The other unit is made the backup ...

Page 86: ...normally In order for the backup to be able to take the place of the master both units maintain a warm standby at all times In warm standby the master and its backup units are synchronized with the static configuration contained in both the Startup and Running configuration files Backup configuration files are not synchronized The backup configuration file remains on the previous master Dynamic pr...

Page 87: ... port s state is temporarily Blocking and it cannot forward traffic or learn MAC addresses This is to prevent spanning tree loops between active units Slave Unit Handling While the backup becomes the master the active slave units remain active and continue to forward packets based on the configuration from the original master This minimizes data traffic interruption in units After the backup unit ...

Page 88: ...oots itself to run the new version Stack Unit Mode A device has a Stack Unit mode that indicates whether the device is or will be part of a stack or whether it is operating on its own Devices can operate in one of the following Stack Unit modes Standalone A device in Standalone Stack Unit mode is not connected to any other device and does not have a stack port Native Stacking A device in Native St...

Page 89: ...00 units can be stacked together with two SG500X devices Stack Configuration Options The following describes some typical stack configurations Possible Stack Configuration Possible RIP VRRP Support Stack Ports Speed Stack consists of all SG500Xs in Native Stacking mode Enabled Disabled 1G 10G or 1G 5G Stack consists of all Sx500s in Native Stacking mode Not supported 1G 5G default or 1G Copper SFP...

Page 90: ...ack in Changing the Stack Unit Mode Change the Stack Unit mode of a device to remove it from a stack by changing its Stack Unit mode to Standalone or when configuring it to become part of a stack by changing its Stack Unit mode to Native Stacking Basic Hybrid Stacking or Advanced Hybrid Stacking The following sections describe the System mode and configuration of the devices after reboot when the ...

Page 91: ...Native Stacking Retained only when the unit is forced to become master Standalone to Basic Hybrid Retained only when the unit is forced to become master Native Stacking to Basic Hybrid Retained only when the unit is forced to become master Stack Ports Ports in a stack must be reserved to be one of the following port types Network Ports Also known as uplink ports These are ports that are connected ...

Page 92: ...its stack ports automatically become regular network ports Port Pairs The following table describes pairs of ports that are available on the device in the various Stack Unit modes Port Pairs Device Type Port Pair Stacking Standalone Sx500 5G slot S3 S4 Native Stacking mode Available as both network and stack ports Hybrid Modes Available as stack ports Not available Sx500 Combo slot 1G Fiber Copper...

Page 93: ...e stack cable type and selects the highest speed supported by the cable and the port A SYSLOG message informational level requesting that the user configures the port speed manually is displayed when the cable type is not recognized Connecting Units Two units can only be connected in a stack if the ports on both ends of the link are of the same speed This is done by configuring the stack ports spe...

Page 94: ...types and ports Port Speeds Available per Cable Type Stack Ports Network Ports Connector Type S1 S2 5G for SG500X and S3 S4 for Sx500 S1 S2 in Sx500 S1 S2 XG in SG500X S1 S2 5G for SG500X and S3 S4 for Sx500 S1 S2 in Sx500 S1 S2 XG in SG500X Cisco SFP H10GB CU1M Passive Copper Cable 5G 1G 10G 1G 1G 10G Cisco SFP H10GB CU3M Passive Copper Cable 5G 1G 10G 1G 1G 10G Cisco SFP H10GB CU5M Passive Coppe...

Page 95: ...orted 100Mbs SFP Module MFEBX1 Not supported Not supported Not supported Not supported 100Mbs Not supported Other SFPs 1G According to Forced user speed EEPROM speed 1G speed According to Forced user speed EEPROM speed 1G speed 1G According to Forced user speed EEPROM speed 1G speed According to Forced user speed EEPROM speed 10G speed Port Speeds Available per Cable Type Stack Ports Network Ports...

Page 96: ... Unit mode of a device to Standalone Change the Stack Unit mode of a device to one of the stacking modes change the stack unit ID stack ports and the bit rate of the stack port of all the devices in a stack Change the System mode Layer 2 3 of a standalone device or of the stack Change the Queues mode from 4 to 8 supported queues or vice versa Device Type Stack Unit Mode Default Stack Ports Default...

Page 97: ...be examined and adjusted to meet the desired QoS objectives with the new Queues mode Changing the Queues mode takes effect after rebooting the system Queue related configuration that conflicts with the new Queues mode is rejected Stacking Mode The Stacking mode has been expanded to include hybrid stacking modes There is no issue in upgrading from previous software versions since the device will bo...

Page 98: ...evices only To configure the System mode after reboot select either Layer 2 or Layer 3 mode SG500X devices are always in Layer 3 mode STEP 3 To configure the Queues Mode after reboot select whether to configure 4 or 8 QoS queues on the device See Configuring QoS Queues STEP 4 Configure the units in a stack in the Stack Administrative Settings Table These changes become effective after reboot NOTE ...

Page 99: ...able Auto The unit ID of the unit is automatically assigned by the master of the stack 1 8 The unit ID of the unit is manually assigned to either 1 2 3 8 1 Force Master The unit ID of the unit is manually assigned to 1 and the unit is forced to take on the master role after reboot 2 Force Master The unit ID of the unit is manually assigned to 2 and the unit is forced to take on the master role aft...

Page 100: ... Timeout Pinging a Host Traceroute Device Models All models can be fully managed through the web based switch configuration utility NOTE Each model can be set to Layer 3 system mode by using the System Mode and Stack Management page except for the SG500X ESW2 550X models that always run in both Layer 2 and Layer 3 system mode When the device operates in Layer 3 system mode the VLAN Rate Limit and ...

Page 101: ...witch N A N A SF500 24P SF500 24P K9 24 Port 10 100 PoE Stackable Managed Switch 180W 24 SF500 48 SF500 48 K9 48 Port 10 100 Stackable Managed Switch N A N A SF500 48P SF500 48P K9 48 Port 10 100 PoE Stackable Managed Switch 375W 48 SG500 28 SG5000 28 K9 28 Port Gigabit Stackable Managed Switch N A N A SG500 28P SG500 28P K9 28 Port Gigabit PoE Stackable Managed Switch 180W 24 SG500 52 SG500 52 K9...

Page 102: ...e MAC address of the master unit is displayed NOTE If the system is in Native Stacking mode the Firmware Version number shown is based on the version of the master Firmware Version Non active Image Firmware version number of the non active image If the system is in Native Stacking mode the version of the master unit is displayed SG500X 48P SG500X 48P K9 48 Port Gigabit with 4 Port 10 Gigabit PoE S...

Page 103: ...r this value By default the device hostname is composed of the word switch concatenated with the three least significant bytes of the device MAC address the six furthest right hexadecimal digits System Object ID Unique vendor identification of the network management subsystem contained in the entity used in SNMP System Uptime Time that has elapsed since the last reboot Current Time Current system ...

Page 104: ...ksum of the language file TCP UDP Services Status HTTP Service Displays whether HTTP is enabled disabled HTTPS Service Displays whether HTTPS is enabled disabled SNMP Service Displays whether SNMP is enabled disabled Telnet Service Displays whether Telnet is enabled disabled SSH Service Displays whether SSH is enabled disabled PoE Power Information on Master Unit Maximum Available PoE Power W Maxi...

Page 105: ...st name of this device This is used in the prompt of CLI commands Use Default The default hostname System Name of these switches is switch123456 where 123456 represents the last three bytes of the device MAC address in hex format User Defined Enter the hostname Use only letters digits and hyphens Host names cannot begin or end with a hyphen No other symbols punctuation characters or blank spaces a...

Page 106: ...e device and press the Enter key twice The device detects the baud rate automatically To enable Auto Detection or to manually set the baud rate of the console STEP 1 Click Administration Console Settings STEP 2 Select one of the following Auto Detection The console baud rate is detected automatically Static Select one of the available speeds Rebooting the Device Some configuration changes such as ...

Page 107: ... Configuration is discarded when the device is rebooted you must click Save in the upper right corner of any window to preserve current configuration across the boot process If the Save option is not displayed the Running Configuration matches the Startup Configuration and no action is necessary The following options are available Immediate Reboot immediately Date Enter the date month day and time...

Page 108: ...e and Rebooting is not the same as Rebooting to Factory Defaults Rebooting to Factory Defaults is more intrusive Routing Resources TCAM allocation is handled differently in Sx500 and SG500X ESW2 550X devices The Sx500 has a single TCAM that is used for all routing and ACL rules The SG500X ESW2 550X devices have two TCAMs one TCAM is devoted to routing and the other is devoted to ACL rules When SG5...

Page 109: ... the maximum available for that category maximum values are displayed on the page To view and modify router resources STEP 1 Click Administration Router Resources The following fields are displayed for IPv4 routing Neighbors Count is the number of neighbors recorded on the device and TCAM Entries is the number of TCAM entries being used for the neighbors Interfaces Count is the number of IP addres...

Page 110: ...es On Link Prefixes Count is the number of prefixes defined on the device and TCAM Entries is the number of TCAM entries being used for the prefixes Routes Count is the number of routes recorded on the device and TCAM Entries is the number of TCAM entries being used for the routes Total Displays the number of TCAM entries which are currently being used Maximum Entries Select one of the following o...

Page 111: ...ices on which a temperature sensor is assembled for protecting the device hardware in case it overheats the following actions are performed by the device if it overheats and during the cool down period after overheating Event Action At least one temperature sensor exceeds the Warning threshold The following are generated SYSLOG message SNMP trap At least one temperature sensor exceeds the Critical...

Page 112: ...e displays the following fields for each unit Unit Unit number Fan Status Fan s status There are columns for 4 fans but information is only shown for the fans that exist on the specific device model The following values are possible OK Fan s are operating normally Fail Fan s are not operating correctly N A Fan ID s are not applicable for the specific model Fan Direction The direction that the fans...

Page 113: ...on Idle Session Timeout STEP 2 Select the timeout for the each session from the corresponding list The default timeout value is 10 minutes STEP 3 Click Apply to set the configuration settings on the device Pinging a Host Ping is a utility used to test if a remote host can be reached and to measure the round trip time for packets sent from the device to a destination device Ping operates by sending...

Page 114: ...e that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select from where it is received Host IP Address Name Address or host name of the device to be pinged Whether this is an IP address or host name depends on the Host Definition Ping Interval Length of time the system waits between ping packets Ping is repeated the number of times configur...

Page 115: ...dress uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable...

Page 116: ...8 6 A page appears showing the Round Trip Time RTT and status for each trip in the fields Index Displays the number of the hop Host Displays a stop along the route to the destination Round Trip Time 1 3 Displays the round trip time in ms for the first through third frame and the status of the first through third operation ...

Page 117: ...Administration General Information Traceroute 99 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 6 ...

Page 118: ...so reduces confusion in shared file systems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The device supports Simple Network Time Protocol SNTP and when enabled the device dynamically synchronizes the device tim...

Page 119: ...nfiguration of time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration in order to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device sets the ...

Page 120: ...P option 100 in order for dynamic time zone configuration to take place SNTP Modes The device can receive the system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the device listens to these broadcasts When the device is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmission act...

Page 121: ...ed Server Address stratum and type of the SNTP server from which time was last taken STEP 2 Enter these parameters Clock Source Settings Select the source used to set the system clock Main Clock Source SNTP Servers If you enable this the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the SNTP Interface Settings page Optiona...

Page 122: ... DHCP server This acronym appears in the Actual Time field Time Zone Offset Select the difference in hours between Greenwich Mean Time GMT and the local time For example the Time Zone Offset for Paris is GMT 1 while the Time Zone Offset for New York is GMT 5 Time Zone Acronym Enter a user defined name that represents the time zone you have configured This acronym appears in the Actual Time field D...

Page 123: ...ters are Day Day of the week on which DST ends every year Week Week within the month from which DST ends every year Month Month of the year in which DST ends every year Time The time at which DST ends every year STEP 3 Click Apply The system time values are written to the Running Configuration file Adding a Unicast SNTP Server Up to 16 Unicast SNTP servers can be configured NOTE To specify a Unica...

Page 124: ...e was received from this SNTP server Offset The estimated offset of the server s clock relative to the local clock in milliseconds The host determines the value of this offset using the algorithm described in RFC 2030 Delay The estimated round trip delay of the server s clock relative to the local clock over the network path between them in milliseconds The host determines the value of this delay ...

Page 125: ...rver IP address The format depends on which address type was selected SNTP Server Select the name of the SNTP server from a list of well known NTP servers If other is chosen enter name of SNTP server in the adjacent field Poll Interval Select to enable polling of the SNTP server for system time information All NTP servers that are registered for polling are polled and the clock is selected from th...

Page 126: ...n Select to transmit SNTP IPv4 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet SNTP IPv6 Anycast Client Mode Client Broadcast Transmission Select to transmit SNTP IPv6 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet STEP 3 If the system is in Layer 3 sys...

Page 127: ...P 2 Select SNTP Authentication to support authentication of an SNTP session between the device and an SNTP server STEP 3 Click Apply to update the device STEP 4 Click Add STEP 5 Enter the following parameters Authentication Key ID Enter the number used to identify this SNTP authentication key internally Authentication Key Enter the key used for authentication up to eight characters The SNTP server...

Page 128: ...start time and the recurring time range have been reached The process is deactivated when either of the time ranges is reached The device supports a maximum of 10 absolute time ranges All time specifications are interpreted as local time Daylight Saving Time does not affect this To ensure that the time range entries take effect at the desired times the system time must be set The time range featur...

Page 129: ...ring time range click Recurring Range Recurring Time Range A recurring time element can be added to an absolute time range This limits the operation to certain time periods within the absolute range To add a recurring time range element to an absolute time range STEP 1 Click Administration Time Settings Recurring Range The existing recurring time ranges are displayed filtered per a specific absolu...

Page 130: ...ted cable tests performed on copper cables by the Virtual Cable Tester VCT VCT performs two types of tests Time Domain Reflectometry TDR technology tests the quality and characteristics of a copper cable attached to a port Cables of up to 140 meters long can be tested These results are displayed in the Test Results block of the Copper Test page DSP based tests are performed on active GE links to m...

Page 131: ...ications with that device are disrupted To test copper cables attached to ports STEP 1 Click Administration Diagnostics Copper Test STEP 2 Select the port on which to run the test STEP 3 Click Copper Test STEP 4 When the message appears click OK to confirm that the link can go down or Cancel to abort the test The following fields are displayed in the Test Results block Last Update Time of the last...

Page 132: ... pairs NOTE TDR tests cannot be performed when the port speed is 10Mbit Sec Displaying Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable transceiver Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF 8472 MSA compatible SFPs The following FE SFP 100M...

Page 133: ...oltage SFP s operating voltage Current SFP s current consumption Output Power Transmitted optical power Input Power Received optical power Transmitter Fault Remote SFP reports signal loss Values are True False and No Signal N S Loss of Signal Local SFP reports signal loss Values are True and False Data Ready SFP is operational Values are True and False Configuring Port and VLAN Mirroring Port mirr...

Page 134: ... or both and later on delete VLAN 34 the status in port mirroring is set to Not Ready because the VLAN34 is no longer in the database and VLAN23 was not created manually Only one instance of mirroring is supported system wide The analyzer port or target port for VLAN mirroring or port mirroring is the same for all the mirrored VLANs or ports To enable mirroring STEP 1 Click Administration Diagnost...

Page 135: ...rt mirroring on incoming packets Tx Only Port mirroring on outgoing packets Tx and Rx Port mirroring on both incoming and outgoing packets STEP 4 Click Apply Port mirroring is added to the Running Configuration Viewing CPU Utilization and Secure Core Technology This section describes the Secure Core Technology SCT and how to view CPU usage The device handles the following types of traffic in addit...

Page 136: ...s CPU Utilization The CPU Utilization page appears The CPU Input Rate field displays the rate of input frames to the CPU per second The window contains a graph of the CPU utilization The Y axis is percentage of usage and the X axis is the sample number STEP 2 Select the Refresh Rate time period in seconds that passes before the statistics are refreshed A new sample is created for each time period ...

Page 137: ...Administration Diagnostics Viewing CPU Utilization and Secure Core Technology 119 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 8 ...

Page 138: ...e Security TCP UDP Services page to enable or disable the device services The device can be discovered by a network management system or other third party applications By default Bonjour is enabled on the Management VLAN The Bonjour console automatically detects the device and displays it Bonjour in Layer 2 System Mode When the device is in Layer 2 system mode Bonjour Discovery is enabled globally...

Page 139: ... the Bonjour Discovery Interface Control table When the device is operating in Layer 3 system mode go to IP Configuration Management and IP Interface IPv4 Interface to configure an IP address to an interface If an interface such as a VLAN is deleted Goodbye packets are sent to deregister services the device is advertising from the neighboring cache table within the local network The Bonjour Discov...

Page 140: ...he following CDP LLDP configuration notes apply CDP LLDP can be globally enabled or disabled and enabled disabled per port The CDP LLDP capability of a port is relevant only if CDP LLDP is globally enabled If CDP LLDP is globally enabled the device filters out incoming CDP LLDP packets from ports that are CDP LLDP disabled If CDP LLDP is globally disabled the device can be configured to discard VL...

Page 141: ... and authorized If a port is the target of mirroring then according to CDP LLDP it is considered down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise themselves and their capabilities In deployments where the CDP LLDP capable devices are not directly connected and are separated with CDP LLDP incapable devices the CDP LLDP capable devices may ...

Page 142: ...ocesses all incoming LLDP packets as required by the protocol The LLDP protocol has an extension called LLDP Media Endpoint Discovery LLDP MED which provides and accepts information from media endpoint devices such as VoIP phones and video phones For further information about LLDP MED see LLDP MED Network Policy LLDP Configuration Workflow Following are examples of actions that can be performed wi...

Page 143: ...f LLDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Filtering Delete the packet Flooding Forward the packet to all VLAN members TLV Advertise Interval Enter the rate in seconds at which LLDP advertisement updates are sent or use the default Topology Change SNMP Notification Interval Enter the minimum time interval between SNMP notification...

Page 144: ... are sent in the LLDP PDU The LLDP MED TLVs to be advertised can be selected in the LLDP MED Port Settings page and the management address TLV of the device may be configured To define the LLDP port settings STEP 1 Click Administration Discovery LLDP Port Settings This page contains the port LLDP information STEP 2 Select a port and click Edit This page provides the following fields Interface Sele...

Page 145: ...escr object System Capabilities Primary functions of the device and whether or not these functions are enabled in the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved 802 3 MAC PHY Duplex and bit rate capability and the current duplex and bit rate ...

Page 146: ...t the Management IP address from the addresses provided STEP 3 Enter the relevant information and click Apply The port settings are written to the Running Configuration file LLDP MED Network Policy LLDP Media Endpoint Discovery LLDP MED is an extension of LLDP that provides the following additional capabilities to support media endpoint devices Some of the features of the LLDP Med Network Policy a...

Page 147: ...rt memberships according to the network policies and their associated interfaces In addition an administrator can instruct the device to automatically generate and advertise a network policy for voice application based on the voice VLAN maintained by the device Refer the Auto Voice VLAN section for details on how the device maintains its voice VLAN To define an LLDP MED network policy STEP 1 Click...

Page 148: ...LLDP advertisement for the desired interfaces Network Policies are configured using the LLDP MED Network Policy page NOTE If LLDP MED Network Policy for Voice Application LLDP MED Network Policy Page is Auto and Auto Voice VLAN is in operation then the device automatically generates an LLDP MED Network Policy for Voice Application for all the ports that are LLDP MED enabled and are members of the ...

Page 149: ...s NOTE The following fields must be entered in hexadecimal characters in the exact data format that is defined in the LLDP MED standard ANSI TIA 1057_final_for_publication pdf Location Coordinate Enter the coordinate location to be published by LLDP Location Civic Address Enter the civic address to be published by LLDP Location ECS ELIN Enter the Emergency Call Service ECS ELIN location to be publ...

Page 150: ...le Interface Port identifier LLDP Status LLDP publishing option LLDP MED Status Enabled or disabled Local PoE Local PoE information advertised Remote PoE PoE information advertised by the neighbor of neighbors Number of neighbors discovered Neighbor Capability of 1st Device Displays the primary functions of the neighbor for example Bridge or Router Displaying LLDP Local Information To view the LLD...

Page 151: ... is shown Port ID Identifier of port Port Description Information about the port including manufacturer product name and hardware software version Management Address Displays the table of addresses of the local LLDP agent Other remote managers can use this address to obtain information related to the local device The address consists of the following elements Address Subtype Type of management IP ...

Page 152: ...tatus Indicates whether the interface is aggregated Aggregation Port ID Advertised aggregated interface ID 802 3 Energy Efficient Ethernet EEE If device supports EEE Local Tx Indicates the time in micro seconds that the transmitting link partner waits before it starts transmitting data after leaving Low Power Idle LPI mode Local Rx Indicates the time in micro seconds that the receiving link partne...

Page 153: ...source PoE Power Priority Port power priority PoE Power Value Port power value Hardware Revision Hardware version Firmware Revision Firmware version Software Revision Software version Serial Number Device serial number Manufacturer Name Device manufacturer name Model Name Device model name Asset ID Asset ID Location Information Civic Street address Coordinates Map coordinates latitude longitude an...

Page 154: ...d To view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbors Information This page contains the following fields Local Port Number of the local port to which the neighbor is connected Chassis ID Subtype Type of chassis ID for example MAC address Chassis ID Identifier of the 802 LAN neighboring device s chassis Port ID Subtype Type of the port identifier that i...

Page 155: ...alue equals the sysDescr object Supported System Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Enabled System Capabilities Primary enabled function s of the device Management Address Table Address Subtype Ma...

Page 156: ...he port PSE Power Class Advertised power class of the port 802 3 Details 802 3 Maximum Frame Size Advertised maximum frame size that is supported on the port 802 3 Link Aggregation Aggregation Capability Indicates if the port can be aggregated Aggregation Status Indicates if the port is currently aggregated Aggregation Port ID Advertised aggregated port ID 802 3 Energy Efficient Ethernet EEE Remot...

Page 157: ...atures Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support and device information management capabilities PoE Device Type Port PoE type for example powered PoE Power Source Port s power source PoE Power Priority Port s power priority PoE Power Value Port s power value Hardware Revision Hardware version Firmware...

Page 158: ...Civic or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s Emergency Call Service ECS Emergency Location Identification Number ELIN Unknown Unknown location information Network Policies Application Type Network policy application type for example Voice VLAN ID VLAN ID for which the network policy is defined VLAN Type VLAN type Tagged or Untagged ...

Page 159: ...bor s Information Deletion Count Number of neighbor ageouts on the interface STEP 2 Click Refresh to view the latest statistics LLDP Overloading LLDP adds information as LLDP and LLDP MED TLVs into the LLDP packets LLDP overload occurs when the total amount of information to be included in a LLDP packet exceed the maximum PDU size supported by an interface The LLDP Overloading page displays the nu...

Page 160: ...D Capabilities Size Bytes Total LLDP MED capabilities packets byte size Status If the LLDP MED capabilities packets were sent or if they were overloaded LLDP MED Location Size Bytes Total LLDP MED location packets byte size Status If the LLDP MED locations packets were sent or if they were overloaded LLDP MED Network Policy Size Bytes Total LLDP MED network policies packets byte size Status If the...

Page 161: ...al Bytes Total number of bytes of LLDP information in each packet Left to Send Bytes Total number of available bytes left for additional LLDP information in each packet Configuring CDP This section describes how to configure CDP It covers the following topics Setting CDP Properties Editing CDP Interface Settings Displaying CDP Local Information Displaying CDP Neighbors Information Viewing CDP Stat...

Page 162: ... parameters STEP 1 Click Administration Discovery CDP Properties STEP 2 Enter the parameters CDP Status Select to enable CDP on the device CDP Frames Handling If CDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Bridging Forward the packet based on the VLAN Filtering Delete the packet Flooding VLAN unaware flooding that forwards incoming CD...

Page 163: ...ce Interface IP address to be used in the TLV of the frames The following options are possible Use Default Use the IP address of the outgoing interface User Defined Use the IP address of the interface in the Interface field in the address TLV Interface IF User Defined was selected for Source Interface select the interface Syslog Voice VLAN Mismatch Check to send a SYSLOG message when a voice VLAN ...

Page 164: ...tion for each interface CDP Status CDP publishing option for the port Reporting Conflicts with CDP Neighbors Displays the status of the reporting options that are enabled disabled in the Edit page Voice VLAN Native VLAN Duplex No of Neighbors Number of neighbors detected The bottom of the page has four buttons Copy Settings Select to copy a configuration from one port to another Edit Fields explai...

Page 165: ...essage when duplex information mismatch is detected This means that the duplex information in the incoming frame does not match what the local device is advertising STEP 3 Enter the relevant information and click Apply The port settings are written to the Running Configuration Displaying CDP Local Information To view information that is advertised by the CDP protocol about the local device STEP 1 ...

Page 166: ...iance ID Type of device attached to port advertised in the appliance TLV Appliance VLAN ID VLAN on the device used by the appliance for instance if the appliance is an IP phone this is the voice VLAN Extended Trust TLV Extended Trust Enabled indicates that the port is trusted meaning that the host server from which the packet is received is trusted to mark the packets itself In this case packets r...

Page 167: ...port Management Power Level Displays the supplier s request to the powered device for its Power Consumption TLV The device always displays No Preference in this field Displaying CDP Neighbors Information The CDP Neighbors Information page displays CDP information received from neighboring devices After timeout based on the value received from the neighbor Time To Live TLV during which no CDP PDU w...

Page 168: ...the information for this neighbor is deleted Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Platform Identifier of the neighbors platform Neighbor Interface Interface number of the neighbor through which fram...

Page 169: ...STEP 1 Click Administration Discovery CDP CDP Statistics The following fields are displayed for every interface Packets Received Transmitted Version 1 Number of CDP version 1 packets received transmitted Version 2 Number of CDP version 2 packets received transmitted Total Total number of CDP packets received transmitted The CDP Error Statistics section displays the CDP error counters Illegal Check...

Page 170: ... LAG protocol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters for the ports that are members or candidates of a dynamic LAG by using the LACP page 5 Configure Green Ethernet and...

Page 171: ...ning Configuration is explicitly saved to the Startup Configuration File using the Copy Save Configuration page and the device is rebooted STEP 4 To update the port settings select the desired port and click Edit STEP 5 Modify the following parameters Interface Select the port number Port Type Displays the port type and speed The possible options are Copper Ports Regular not Combo support the foll...

Page 172: ...rol List ACL configurations The reactivate operation brings the port up without regard to why the port was suspended Auto Negotiation Select to enable auto negotiation on the port Auto negotiation enables a port to advertise its transmission speed duplex mode and Flow Control abilities to the port link partner Operational Auto Negotiation Displays the current auto negotiation status on the port Ad...

Page 173: ... link partner Back Pressure Select the Back Pressure mode on the port used with Half Duplex mode to slow down the packet reception speed when the device is congested It disables the remote port preventing it from sending packets by jamming the signal Flow Control Enable or disable 802 3x Flow Control or enable the auto negotiation of Flow Control on the port only when in Full Duplex mode MDI MDIX ...

Page 174: ...membership Devices connected to protected ports are not allowed to communicate with each other even if they are members of the same VLAN Both ports and LAGs can be defined as protected or unprotected Protected LAGs are described in the Configuring LAG Settings section Member in LAG If the port is a member of a LAG the LAG number appears otherwise this field is left blank STEP 6 Click Apply The Por...

Page 175: ...idate ports LACP determines which candidate ports are active member ports The non active candidate ports are standby ports ready to replace any failing active member ports Load Balancing Traffic forwarded to a LAG is load balanced across the active member ports thus achieving an effective bandwidth close to the aggregate bandwidth of all the active member ports of the LAG Traffic load balancing ov...

Page 176: ...ved from the LAG its original configuration is reapplied Protocols such as Spanning Tree consider all the ports in the LAG to be one port Default Settings and Configuration Ports are not members of a LAG and are not candidates to become part of a LAG Static and Dynamic LAG Workflow After a LAG has been manually created LACP cannot be added or removed until the LAG is edited and a member is removed...

Page 177: ...e desired LAG on the Edit LAG Membership page To select the load balancing algorithm of the LAG STEP 1 Click Port Management Link Aggregation LAG Management STEP 2 Select one of the following Load Balance Algorithms MAC Address Perform load balancing by source and destination MAC addresses on all packets IP MAC Address Perform load balancing by the source and destination IP addresses on IP packets...

Page 178: ...nt Link Aggregation LAG Settings STEP 2 Select a LAG and click Edit STEP 3 Enter the values for the following fields LAG Select the LAG ID number Description Enter the LAG name or a comment LAG Type Displays the port type that comprises the LAG Administrative Status Set the selected LAG to be Up or Down Operational Status Displays whether the LAG is currently operating Time Range Select to enable ...

Page 179: ...e LAG The options are Max Capability All LAG speeds and both duplex modes are available 10 Full The LAG advertises a 10 Mbps speed and the mode is full duplex 100 Full The LAG advertises a 100 Mbps speed and the mode is full duplex 1000 Full The LAG advertises a 1000 Mbps speed and the mode is full duplex Operational Advertisement Displays the Administrative Advertisement status The LAG advertises...

Page 180: ...e lowest MAC address controls candidate port selection to the LAG A dynamic LAG can have up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode When there are more than eight ports in the dynamic LAG the device on the controlling end of the link uses port priorities to determine which ports are bundled into the LAG and which ports are ...

Page 181: ...using DHCP and get its configuration using auto configuration Setting LACP Parameter Settings Use the LACP page to configure the candidate ports for the LAG and to configure the LACP parameters per port With all factors equal when the LAG is configured with more candidate ports than the maximum number of active ports allowed 8 the device selects ports as active from the dynamic LAG on the device t...

Page 182: ...ect is enabled on all devices where only the Gigabyte ports are enable with EEE The Green Ethernet feature can reduce overall power usage in the following ways Energy Detect Mode On an inactive link the port moves into inactive mode saving power while keeping the Administrative status of the port Up Recovery from this mode to full operational mode is fast transparent and no frames are lost This mo...

Page 183: ...onal devices etc On the System Summary page the LEDs that are displayed on the device board pictures are not affected by disabling the LEDs Power savings current power consumption and cumulative energy saved can be monitored The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Etherne...

Page 184: ...e portions of their functionality and save power during periods of no traffic 802 3az EEE supports IEEE 802 3 MAC operation at 100 Mbps and 1000 Mbps LLDP is used to select the optimal set of parameters for both devices If LLDP is not supported by the link partner or is disabled 802 3az EEE still be operational but it might not be in the optimal operational mode The 802 3az EEE feature is implemen...

Page 185: ...bove 802 3az EEE capabilities and settings are also advertised using frames based on the organizationally specific TLVs defined in Annex G of IEEE Std 802 1AB protocol LLDP LLDP is used to further optimize 802 3az EEE operation after auto negotiation is completed The 802 3az EEE TLV is used to fine tune system wake up and refresh durations Availability of 802 3az EEE Please check the release notes...

Page 186: ...tting page b Check the 802 3 Energy Efficient Ethernet EEE mode on the port it is enabled by default c Select whether to enable or disable advertisement of 802 3az EEE capabilities through LLDP in 802 3 Energy Efficient Ethernet EEE LLDP it is enabled by default STEP 4 To see 802 3 EEE related information on the local device open the Administration Discovery LLDP LLDP Local Information page and vi...

Page 187: ...e amount of energy saved from the last device reboot This value is updated each time there is an event that affects power saving 802 3 Energy Efficient Ethernet EEE Globally enable or disable EEE mode only available if there are GE ports on the device Port LEDs Select to enable the port LEDs When these are disabled they do not display link status activity etc STEP 3 Click Apply The Green Ethernet ...

Page 188: ...t Reach mode Administrative Displays whether Short Reach mode was enabled Operational Displays whether Short Reach mode is currently operating Reason If Short Reach mode is not operational displays the reason Cable Length Displays VCT returned cable length in meters NOTE Short reach mode is only supported on RJ45 GE ports it does not apply to Combo ports 802 3 Energy Efficient Ethernet EEE State o...

Page 189: ...hort Reach and EEE globally see Setting Global Green Ethernet Properties STEP 2 Select a Port and click Edit STEP 3 Select to enable or disable Energy Detect mode on the port STEP 4 Select to enable or disable Short Reach mode on the port if there are GE ports on the device STEP 5 Select to enable or disable 802 3 Energy Efficient Ethernet EEE mode on the port if there are GE ports on the device S...

Page 190: ...lowing topics Overview What is a Smartport Smartport Types Smartport Macros Macro Failure and the Reset Operation How the Smartport Feature Works Auto Smartport Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Configuring Smartport Using The Web based Interface Built in Smartport Macros ...

Page 191: ...u manually assign a Smartport type to an interface The result is the corresponding Smartport macro is applied to the interface Auto Smartport Auto Smartport waits for a device to be attached to the interface before applying a configuration When a device is detected from an interface the Smartport macro if assigned that corresponds to the Smartport type of the attaching device is automatically appl...

Page 192: ...int AP Smartport Types Smartport types refers to the types of devices attached or to be attached to Smartports The device supports the following Smartport types Printer Desktop Guest Server Host IP Camera IP phone IP Phone Desktop Switch Router Wireless Access Point Smartport types are named so that they describe the type of device connected to an interface Each Smartport type is associated with t...

Page 193: ...ort types of the attached devices based on CDP capabilities LLDP system capabilities and or LLDP MED capabilities The following describes the relationship of Smartport types and Auto Smartport Smartport and Auto Smartport Types Smartport Type Supported by Auto Smartport Supported by Auto Smartport by default Unknown No No Default No No Printer No No Desktop No No Guest No No Server No No Host Yes ...

Page 194: ...All devices attached to the interface have aged out which is defined as the absence of CDP and or LLDP advertisement from the device for a specified time period Unknown If a Smartport macro is applied to an interface and an error occurs the interface is assigned the Unknown status In this case the Smartport and Auto Smartport features do not function on the interface until you correct the error an...

Page 195: ...iation with each Smartport type The macro applies the configuration and the anti macro removes it There are two types of Smartport macros Built In These are macros provided by the system One macro applies the configuration profile and the other removes it The macro names of the built in Smartport macros and the Smartport type they are associated with as follows macro name for example printer no_ma...

Page 196: ...type of the interface is set to this static type If the Startup Configuration File specifies a Smartport type that was dynamically assigned by Auto Smartport If the Auto Smartport Global Operational state the interface Auto Smartport state and the Persistent Status are all Enable the Smartport type is set to this dynamic type Else the corresponding anti macro is applied and the interfaces status i...

Page 197: ...rtport types must be statically assigned to the desired interfaces This can be done by navigating to the Smartport Interface Settings page selecting the radio button of the desired interface and clicking Edit Then select the Smartport type you want to assign and adjust the parameters as necessary before clicking Apply There are two ways to apply a Smartport macro by Smartport type to an interface ...

Page 198: ...e Persistent Status is enabled the interface configuration is retained If not the Smartport Type reverts to Default Enabling Auto Smartport Auto Smartport can be enabled globally in the Properties page in the following ways Enabled This manually enables Auto Smartport and places it into operation immediately Enable by Auto Voice VLAN This enables Auto Smartport to operate if Auto Voice VLAN is ena...

Page 199: ...hing device s ages out links down reboots or conflicting capabilities are received Aging out times are determined by the absence of CDP and or LLDP advertisements from the device for a specified time period Using CDP LLDP Information to Identify Smartport Types The device detects the type of device attached to the port based on the CDP LLDP capabilities This mapping is shown in the following table...

Page 200: ...ives through that interface in order to assign the correct Smartport type The assignment is based on the following algorithm LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IETF RFC 2108 2 Ignore MAC Bridge IEEE Std 802 1D 3 Switch WLAN Access Point IEEE Std 802 11 MIB 4 Wireless Access Point Router IETF RFC 1812 5 Router Telephone IETF R...

Page 201: ...ed dynamically by Auto Smartport remains on the interface even after the attaching device ages out the interface goes down and the device is rebooted assuming the configuration was saved The Smartport type and the configuration of the interface are not changed unless Auto Smartport detects an attaching device with a different Smartport type If the Persistent status of an interface is disabled the ...

Page 202: ...ce VLAN Auto Smartport must be disabled before enabling Telephony OUI Common Smartport Tasks This section describes some common tasks to setup Smartport and Auto Smartport Workflow1 To globally enable Auto Smartport on the device and to configure a port with Auto Smartport perform the following steps STEP 1 To enable the Auto Smartport feature on the device open the Smartport Properties page Set A...

Page 203: ... macro parameter defaults and or bind a user defined macro pair to a Smartport type perform the following steps Through this procedure you can accomplish the following View the macro source Change parameter defaults Restore the parameter defaults to the factory settings Bind a user defined macro pair a macro and its corresponding anti macro to a Smartport type 1 Open the Smartport Smartport Type S...

Page 204: ...using either Reapply for devices that are not switches routers or APs or Reapply Smartport Macro for switches routers or APs to run the Smartport Macro on the interface A second method of resetting single or multiple unknown interfaces is STEP 1 In the Interface Settings page select the Port Type equals to checkbox STEP 2 Select Unknown and click Go STEP 3 Click Reset All Unknown Smartports Then r...

Page 205: ...nable Auto Smartport on the device Enable by Auto Voice VLAN This enables Auto Smartport but puts it in operation only when Auto Voice VLAN is also enabled and in operation Enable by Auto Voice VLAN is the default Auto Smartport Device Detection Method Select whether incoming CDP LLDP or both types of packets are used to detect the Smartport type of the attaching device s At least one must be chec...

Page 206: ...e parameters for the Smartport types applied by Auto Smartport from the Smartport Type Settings page configures the default values for these parameters These defaults are used by Auto Smartport NOTE Changes to Auto Smartport types cause the new settings to be applied to interfaces which have already been assigned that type by Auto Smartport In this case binding an invalid macro or setting an inval...

Page 207: ...s associated with the Smartport type are modified Auto Smartport automatically reapplies the macro to the interfaces currently assigned with the Smartport type by Auto Smartport Auto Smartport does not apply the changes to interfaces that were statically assigned a Smartport type NOTE There is no method to validate macro parameters because they do not have a type association Therefore any entry is...

Page 208: ...ollowing ways Select a group of Smartport types switches routers or APs and click Reapply Smartport Macro The macros are applied to all selected interface types Select an interface that is UP and click Reapply to reapply the last macro that was applied to the interface The Reapply action also adds the interface to all newly created VLANs STEP 2 Smartport Diagnostic If a Smartport macro fails the S...

Page 209: ...ying the corresponding Smartport macro To statically assign a Smartport type and apply the corresponding Smartport macro to the interface select the desired Smartport type Persistent Status Select to enable the Persistent status If enabled the association of a Smartport type to an interface remains even if the interface goes down or the device is rebooted Persistent is applicable only if the Smart...

Page 210: ...ost ip_camera ip_phone ip_phone_desktop switch router ap desktop desktop interface configuration for increased network security and reliability when connecting a desktop device such as a PC to a switch port macro description Desktop macro keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devi...

Page 211: ...runk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto printer printer macro description printer macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the p...

Page 212: ...m control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto guest guest macro description guest macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode a...

Page 213: ...l include multicast spanning tree portfast auto server server macro description server macro keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk ...

Page 214: ...tfast auto host host macro description host macro keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan nati...

Page 215: ...cast level no smartport storm control include multicast spanning tree portfast auto ip_camera ip_camera macro description ip_camera macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode ma...

Page 216: ... macro keywords native_vlan voice_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trun...

Page 217: ...ol broadcast level no smartport storm control include multicast spanning tree portfast auto ip_phone_desktop ip_phone_desktop macro description ip_phone_desktop macro keywords native_vlan voice_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values a...

Page 218: ...ort switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto switch switch macro description switch macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which wil...

Page 219: ...link type router router macro description router macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan smartport storm ...

Page 220: ...n The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no smartport storm control broadcast enable no smartport storm control broadcast level no spanning tree link type ap ap macro description ap macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port ...

Page 221: ...Smartport Built in Smartport Macros 203 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 11 ...

Page 222: ... is PSE Power Sourcing Equipment that delivers electrical power to connected PD Powered Devices over existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure See Device Models for information concerning PoE support on various models PoE Features PoE provides the following features Eliminates the need to run 110 220 V ...

Page 223: ...class which is the amount of maximum power that the PD consumes Power Consumption After the classification stage completes the PSE provides power to the PD If the PD supports PoE but without classification it is assumed to be class 0 the maximum If a PD tries to consume more power than permitted by the standard the PSE stops supplying power to the port PoE supports two modes Port Limit The maximum...

Page 224: ...nectivity an attached PD requires more power from the device than the configured allocation allows no matter if the device is in Class Limit or Port Limit mode the device does the following Maintains the up down status of the PoE port link Turns off power delivery to the PoE port Logs the reason for turning off power Generates an SNMP trap NOTE When a lower voltage PoE device is connected to the S...

Page 225: ...recycle the device with AC power before reconnecting its PoE ports Configuring PoE Properties The PoE Properties page enables selecting either the Port Limit or Class Limit PoE mode and specifying the PoE traps to be generated These settings are entered in advance When the PD actually connects and is consuming power it might consume much less than the maximum power allowed Output power is disabled...

Page 226: ...ed power STEP 3 Click Apply to save the PoE properties Configuring PoE Settings The PoE Settings page displays system PoE information for enabling PoE on the interfaces and monitoring the current power usage and maximum power limit per port NOTE PoE can be configured on the device for a specific period This feature enables you to define per port the days in the week and the hours that PoE is enabl...

Page 227: ...Device Models for a description of the device models that support PoE and the maximum power that can be allocated to PoE ports To configure PoE port settings STEP 1 Click Port Management PoE Settings The list of fields below is for Port Limit Power Mode The fields are slightly different if the Power Mode is Class Limit STEP 2 Select a port and click Edit The list of fields below is for Port Limit ...

Page 228: ...onnected to the selected interface Overload Counter Displays the total number of power overload occurrences Short Counter Displays the total number of power shortage occurrences Denied Counter Displays number of times the powered device was denied power Absent Counter Displays the number of times that power was stopped to the powered device because the powered device was no longer detected Invalid...

Page 229: ...Port Management PoE Configuring PoE Settings 211 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 12 ...

Page 230: ...Ns Configuring VLAN Interface Settings Defining VLAN Membership GVRP Settings VLAN Groups Voice VLAN Access Port Multicast TV VLAN Customer Port Multicast TV VLAN VLANs A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer regardless of the physical LAN segment of the bridged network to which they are connected ...

Page 231: ...ag is added to each Ethernet frame The tag contains a VLAN ID between 1 and 4094 and a VLAN Priority Tag VPT between 0 and 7 See Quality of Service for details about VPT When a frame enters a VLAN aware device it is classified as belonging to a VLAN based on the four byte VLAN tag in the frame If there is no VLAN tag in the frame or the frame is priority tagged only the frame is classified to the ...

Page 232: ...mation with each other by using Generic VLAN Registration Protocol GVRP As a result VLAN information is propagated through a bridged network VLANs on a device can be created statically or dynamically based on the GVRP information exchanged by devices A VLAN can be static or dynamic from GVRP but not both For more information about GVRP refer to the GVRP Settings section Some VLANs can have additio...

Page 233: ...AN Management Interface Settings page VLAN Configuration Workflow To configure VLANs 1 If required change the default VLAN by using the Configuring Default VLAN Settings section 2 Create the required VLANs by using the Creating VLANs section 3 Set the desired VLAN related configuration for ports and enable QinQ on an interface using the Configuring VLAN Interface Settings section 4 Assign interfac...

Page 234: ...tomatically configures the port as an untagged member of the default VLAN A port is no longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN RADIUS servers cannot assign the default VLAN to 802 1x supplicants by using Dynamic VLAN Assignment When the VID of the default VLAN is changed the device performs the following on all the ports in the VLAN after saving the co...

Page 235: ...er manually or dynamically Ports must always belong to one or more VLANs Each VLAN must be configured with a unique VID VLAN ID with a value from 1 to 4094 The device reserves VID 4095 as the Discard VLAN All packets classified to the Discard VLAN are discarded at ingress and are not forwarded to a port To create a VLAN STEP 1 Click VLAN Management Create VLAN The Create VLAN page contains the fol...

Page 236: ...guration of VLAN related parameters for all interfaces To configure the VLAN settings STEP 1 Click VLAN Management Interface Settings STEP 2 Select an interface type Port or LAG and click Go Ports or LAGs and their VLAN parameters are displayed STEP 3 To configure a Port or LAG select it and click Edit STEP 4 Enter the values for the following fields Interface Select a Port LAG Interface VLAN Mode...

Page 237: ... The interface accepts only untagged and priority frames Ingress Filtering Available only in General mode Select to enable ingress filtering When an interface is ingress filtering enabled the interface discards all incoming frames that are classified as VLANs of which the interface is not a member Ingress filtering can be disabled or enabled on general ports It is always enabled on access ports an...

Page 238: ... Management Port to VLAN STEP 2 Select a VLAN and the interface type Port or LAG and click Go to display or to change the port characteristic with respect to the VLAN The port mode for each port or LAG appears with its current port mode Access Trunk or General configured from the Interface Settings page Each port or LAG appears with its current registration to the VLAN STEP 3 Change the registrati...

Page 239: ...l the port is authenticated it is excluded from all VLANs except guest and unauthenticated ones In the VLAN to Port page the port is marked with an upper case P When the port is authenticated it receives membership in the VLAN in which it was configured To assign a port to one or more VLANs STEP 1 Click VLAN Management Port VLAN Membership STEP 2 Select interface type Port or LAG and click Go The ...

Page 240: ...istration When a port is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID Excluded The interface is currently not a member of the VLAN This is the default for all the ports and LAGs The port can join the VLAN through GVRP registration Tagged Select whether the port is tagged This is not relevant for Access ports Untagged Selec...

Page 241: ...in the GVRP Settings page GVRP must be activated globally as well as on each port When it is activated it transmits and receives GARP Packet Data Units GPDUs VLANs that are defined but not active are not propagated To propagate the VLAN it must be up on at least one port By default GVRP is disabled globally and on ports Defining GVRP Settings To define GVRP settings for an interface STEP 1 Click V...

Page 242: ... is taken from the tag MAC Based VLAN If a MAC based VLAN has been defined the VLAN is taken from the source MAC to VLAN mapping of the ingress interface Protocol Based VLAN If a protocol based VLAN has been defined the VLAN is taken from the Ethernet type protocol to VLAN mapping of the ingress interface PVID VLAN is taken from the port default VLAN ID MAC based Groups MAC based VLAN classificati...

Page 243: ...ilable To assign a MAC address to a VLAN Group STEP 1 Click VLAN Management VLAN Groups MAC Based Groups STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Enter a MAC address to be assigned to a VLAN group NOTE This MAC address cannot be assigned to any other VLAN group Prefix Mask Enter one of the following Host Source host of the MAC address Length Prefix of the MAC a...

Page 244: ... manually added to the VLAN Protocol based VLANs Groups of protocols can be defined and then bound to a port After the protocol group is bound to a port every packet originating from a protocol in the group is assigned the VLAN that is configured in the Protocol Based Groups page Workflow To define a protocol based VLAN group 1 Define a protocol group using the Protocol Based Groups page 2 For eac...

Page 245: ...is is selected select the DSAP SSAP Values Group ID Enter a protocol group ID STEP 4 Click Apply The Protocol Group is added and written to the Running Configuration file Protocol Based Groups to VLAN Mapping To map a protocol group to a port the port must be in General mode and not have DVA configured on it see Configuring VLAN Interface Settings Several groups can be bound to a single port with ...

Page 246: ...llowing topics Voice VLAN Overview Configuring Voice VLAN Voice VLAN Overview This section covers the following topics Dynamic Voice VLAN Modes Auto Voice VLAN Auto Smartports CDP and LLDP Voice VLAN QoS Voice VLAN Constraints Voice VLAN Workflows The following are typical voice deployment scenarios with appropriate configurations UC3xx UC5xx hosted All Cisco phones and VoIP endpoints support this...

Page 247: ... VLAN can be manually configured It can also be dynamically learned when Auto Voice VLAN is enabled Ports can be manually added to the voice VLAN by using basic VLAN configuration described in the Configuring VLAN Interface Setting section or by manually applying voice related Smartport macro to the ports Alternatively they can be added dynamically if the device is in Telephony OUI mode or has Aut...

Page 248: ...receives its voice traffic Some of the possible scenarios are as follows A phone endpoint may be statically configured with the voice VLAN A phone endpoint may obtain the voice VLAN in the boot file it downloads from a TFTP server A DHCP server may specify the boot file and the TFTP server when it assigns an IP address to the phone A phone endpoint may obtain the voice VLAN information from CDP an...

Page 249: ...been configured You may manually disable and enable Auto Voice VLAN and or Auto Smartport to fit your deployment if needed Auto Voice VLAN Auto Voice VLAN is responsible to maintain the voice VLAN but depends on Auto Smartport to maintain the voice VLAN port memberships Auto Voice VLAN performs the following functions when it is in operation It discovers voice VLAN information in CDP advertisement...

Page 250: ... of the voice VLAN when voice end points are detected from the ports When CDP and LLDP are enabled the device sends out CDP and LLDP packets periodically to advertise the voice VLAN to the voice endpoints to use When a device attaching to a port advertises itself as a voice endpoint through CDP and or LLDP the Auto Smartport automatically adds the port to the voice VLAN by applying the correspondi...

Page 251: ...VLAN The Voice VLAN cannot be Smartport enabled The Voice VLAN cannot support DVA Dynamic VLAN assignment The Voice VLAN cannot be the Guest VLAN if the voice VLAN mode is OUI If the voice VLAN mode is Auto then the Voice VLAN can be the Guest VLAN The Voice VLAN QoS decision has priority over any other QoS decision except for the Policy ACL QoS decision A new VLAN ID can be configured for the Voi...

Page 252: ...martport Tasks section STEP 7 Configure LLDP CDP as described in the Configuring LLDP and Configuring CDP sections respectively STEP 8 Enable the Smartport feature on the relevant ports using the Smartport Interface Settings page NOTE Step 7 and Step 8 are optional as they are enabled by default Workflow2 To configure the Telephony OUI Method STEP 1 Open the VLAN Management Voice VLAN Properties p...

Page 253: ...dministrative Status block The voice VLAN settings that are actually being applied to the voice VLAN deployment are displayed in the Voice VLAN Settings Operational Status block STEP 2 Enter values for the following fields Voice VLAN ID Enter the VLAN that is to be the Voice VLAN NOTE Changes in the voice VLAN ID CoS 802 1p and or DSCP cause the device to advertise the administrative voice VLAN as...

Page 254: ...ice detects a device advertising the voice VLAN NOTE Manually re configuring the voice VLAN ID CoS 802 1p and or DSCP from their default values results in a static voice VLAN which has higher priority than auto voice VLAN that was learned from external sources STEP 3 Click Apply The VLAN properties are written to the Running Configuration file Displaying Auto Voice VLAN Settings If Auto Voice VLAN...

Page 255: ... address of the device If the device s Switch MAC address is the Root Switch MAC Address the device is the Auto Voice VLAN root device Voice VLAN ID Change Time Last time that voice VLAN was updated STEP 2 Click Restart Auto Voice VLAN to reset the voice VLAN to the default voice VLAN and restart Auto Voice VLAN discovery on all the Auto Voice VLAN enabled switches in the LAN The Voice VLAN Local ...

Page 256: ...the device The following options are available Yes The device uses this voice VLAN to synchronize with other Auto Voice VLAN enabled switches This voice VLAN is the voice VLAN for the network unless a voice VLAN from a higher priority source is discovered Only one local source is the best local source No This is not the best local source STEP 3 Click Refresh to refresh the information on the page ...

Page 257: ...ueue to be assigned to voice traffic Remark CoS 802 1p Select whether to remark egress traffic Auto Membership Aging Time Enter the time delay to remove a port from the voice VLAN after all of the MAC addresses of the phones detected on the ports have aged out STEP 2 Click Apply to update the Running Configuration of the device with these values The Telephony OUI table appears Telephony OUI First ...

Page 258: ...face page to add an interface to the voice VLAN on the basis of the OUI identifier and to configure the OUI QoS mode of voice VLAN To configure Telephony OUI on an interface STEP 1 Click VLAN Management Voice VLAN Telephony OUI Interface The Telephony OUI Interface page contains voice VLAN OUI parameters for all interfaces STEP 2 To configure an interface to be a candidate port of the telephony OU...

Page 259: ...lticast VLAN ID The network ports which through subscribers communicate with the Multicast server by sending IGMP messages receive the Multicast streams from the Multicast server while including the Multicast TV VLAN in the Multicast packet header For this reasons the network ports must be statically configured as the following Trunk or general port type see Configuring VLAN Interface Settings Mem...

Page 260: ...iate it with the access VLAN or with the Multicast TV VLAN according to the following rules If an IGMP message is received on an access port with destination Multicast IP address that is associated with the port s Multicast TV VLAN then the software associates the IGMP packet with the Multicast TV VLAN Otherwise the IGMP message is associated to the access VLAN and the IGMP message is only forward...

Page 261: ... Multicast group Multicast TV VLAN VLAN to which the Multicast packets are assigned STEP 2 Click Add to associate a Multicast group to a VLAN Any VLAN can be selected When a VLAN is selected it becomes a Multicast TV VLAN Group registration All Multicast group registration is dynamic Groups must be associated to Multicast VLAN statically but actual registration of station is dynamic Receiver ports...

Page 262: ...s Ports field to the Member Access Ports field STEP 4 Click Apply Multicast TV VLAN settings are modified and written to the Running Configuration file Customer Port Multicast TV VLAN A triple play service provisions three broadband services over a single broadband connection High speed Internet access Video Voice The triple play service is provisioned for service provider subscribers while keepin...

Page 263: ... Tag represent one of the two type of VLAN as following Subscriber s VLAN Includes Internet and IP Phones Multicast TV VLAN The inner VLAN C Tag is the tag that determines the destination in the subscriber s network by the CPE MUX Workflow 1 Configure an access port as a customer port using the VLAN Management Interface Settings page See QinQ for more information 2 Configure the network port as a ...

Page 264: ...nter the following fields CPE VLAN Enter the VLAN defined on the CPE box Multicast TV VLAN Select the Multicast TV VLAN which is mapped to the CPE VLAN STEP 4 Click Apply CPE VLAN Mapping is modified and written to the Running Configuration file CPE Port Multicast VLAN Membership The ports associated with the Multicast VLANs must be configured as customer ports see Configuring VLAN Interface Setti...

Page 265: ...VLAN Management Customer Port Multicast TV VLAN 247 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 13 ...

Page 266: ... STP Flavors STP protects a Layer 2 Broadcast domain from Broadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate routes exist between hosts Loops in an extended network c...

Page 267: ...and STP wants to mitigate the loop it stops traffic on the entire port including VLAN B traffic MSTP solves this problem by enabling several STP instances so that it is possible to detect and mitigate loops separately in each instance By associating instances to VLANs each instance is associated with the Layer 2 domain on which it performs loop detection and mitigation This enables a port to be st...

Page 268: ...he lowest priority becomes the Root Bridge In the case that all bridges use the same priority then their MAC addresses are used to determine the Root Bridge The bridge priority value is provided in increments of 4096 For example 4096 8192 12288 and so on Hello Time Set the interval in seconds that a Root Bridge waits between configuration messages Max Age Set the interval in seconds that the devic...

Page 269: ... of the STP protocol To configure STP on an interface STEP 1 Click Spanning Tree STP Interface Settings STEP 2 Select an interface and click Edit STEP 3 Enter the parameters Interface Select the Port or LAG on which Spanning Tree is configured STP Enables or disables STP on the port Edge Port Enables or disables Fast Link on the port If Fast Link mode is enabled on a port the port is automatically...

Page 270: ...tive topology predictable The devices behind the ports that have BPDU Guard enabled cannot influence the STP topology At the reception of BPDUs the BPDU guard operation disables the port that has BPDU configured In this case a BPDU message is received and an appropriate SNMP trap is generated BPDU Handling Select how BPDU packets are managed when STP is disabled on the port or the device BPDUs are...

Page 271: ...lays the priority and interface of the selected port Designated Cost Displays the cost of the port participating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects loops Forward Transitions Displays the number of times the port has changed from the Blocking state to Forwarding state Speed Displays the speed of the port LAG Displays the LAG to which the port be...

Page 272: ...to RSTP or MSTP the device communicates with it using RSTP or MSTP respectively STEP 5 Select an interface and click Edit STEP 6 Enter the parameters Interface Set the interface and specify the port or LAG where RSTP is to be configured Point to Point Administrative Status Define the point to point link status Ports defined as Full Duplex are considered Point to Point port links Enable This port i...

Page 273: ...e Displays the current Spanning Tree mode Classic STP or RSTP Fast Link Operational Status Displays whether the Fast Link Edge Port is enabled disabled or automatic for the interface The values are Enabled Fast Link is enabled Disabled Fast Link is disabled Auto Fast Link mode is enabled a few seconds after the interface becomes active Port Status Displays the RSTP status on the specific port Disa...

Page 274: ...e these MSTP instances to VLAN s accordingly 4 Configure the MSTP attributes by Defining MSTP Properties Defining MSTP Instance Settings Mapping VLANs to a MSTP Instance Defining MSTP Properties The global MSTP configures a separate Spanning Tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree instance MSTP enables formation of MST regions that ...

Page 275: ...guration The field range is from 0 to 65535 Max Hops Set the total number of hops that occur in a specific region before the BPDU is discarded Once the BPDU is discarded the port information is aged out The field range is from 1 to 40 IST Master Displays the regions master STEP 4 Click Apply The MSTP properties are defined and the Running Configuration file is updated Mapping VLANs to a MSTP Insta...

Page 276: ...layed STEP 2 To add a VLAN to an MSTP instance select the MST instance and click Edit STEP 3 Enter the parameters MST Instance ID Select the MST instance VLANs Define the VLANs being mapped to this MST instance Action Define whether to add map the VLAN to the MST instance or remove it STEP 4 Click Apply The MSTP VLAN mappings are defined and the Running Configuration file is updated Defining MSTP ...

Page 277: ... of this device for the selected instance Remaining Hops Displays the number of hops remaining to the next destination STEP 3 Click Apply The MST Instance configuration is defined and the Running Configuration file is updated Defining MSTP Interface Settings The MSTP Interface Settings page enables you to configure the port MSTP settings for every MST instance and to view information that has curr...

Page 278: ...tance is in Listening mode The port cannot forward traffic and cannot learn MAC addresses Learning The port on this instance is in Learning mode The port cannot forward traffic but it can learn new MAC addresses Forwarding The port on this instance is in Forwarding mode The port can forward traffic and learn new MAC addresses Boundary The port on this instance is a boundary port It inherits its st...

Page 279: ... port MSTP MSTP is enabled on the port Type Displays the MST type of the port Boundary A Boundary port attaches MST bridges to a LAN in a remote region If the port is a boundary port it also indicates whether the device on the other side of the link is working in RSTP or STP mode Internal The port is an internal port Designated Bridge ID Displays the ID number of the bridge that connects the link ...

Page 280: ...urce MAC address that appears in a frame arriving at the device is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the device before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the device the device searches for a corresponding mat...

Page 281: ...ic addresses STEP 2 Click Add STEP 3 Enter the parameters VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface unit slot port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after ...

Page 282: ...a value between the user configured value and twice that value minus 1 For example if you entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Querying Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses STEP 2 In the Filter block you can enter the following query criteria VLAN ID Enter the VLAN ID...

Page 283: ...served MAC Addresses page opens STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Select the MAC address to be reserved Frame Type Select a frame type based on the following criteria Ethernet V2 Applies to Ethernet V2 packets with the specific MAC address LLC Applies to Logical Link Control LLC packets with the specific MAC address LLC SNAP Applies to Logical Link Contr...

Page 284: ...ter Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel ...

Page 285: ...tion in this section is mostly for IGMP it also describes coverage of MLD where implied These queries reach the device which in turn floods the queries to the VLAN and also learns the port where there is a Multicast router Mrouter When a host receives the IGMP query message it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a...

Page 286: ...vice and Multicast routers in the network When a device learns that a host is using IGMP MLD messages to register to receive a Multicast stream optionally from a specific source the device adds the registration to its Multicast Forwarding Data Base MFDB IGMP MLD snooping can effectively reduce Multicast traffic from streaming bandwidth intensive IP applications A device using IGMP MLD snooping onl...

Page 287: ...per bits are mapped to the same Layer 2 address since the lower 23 bits that are used are identical For example 234 129 2 3 is mapped to a MAC Multicast group address 01 00 5e 01 02 03 Up to 32 IP Multicast group addresses can be mapped to the same Layer 2 address For IPv6 this is mapped by taking the 32 low order bits of the Multicast address and adding the prefix of 33 33 For example the IPv6 Mu...

Page 288: ...Specific IP Group Address Based on both the destination IP address and the source IP address of the IP packet S G By selecting the forwarding mode you can define the method used by hardware to identify Multicast flow by one of the following options MAC Group Address IP Group Address or Source Specific IP Group Address S G is supported by IGMPv3 and MLDv2 while IGMPv1 2 and MLDv1 support only G whi...

Page 289: ...DB relating to a specific VLAN ID or a specific MAC address group This data is acquired either dynamically through IGMP MLD snooping or statically by manual entry Add or delete static entries to the MFDB that provide static forwarding information based on MAC destination addresses Display a list of all ports LAGs that are a member of each VLAN ID and MAC address group and enter whether traffic is ...

Page 290: ...t an address and click Details The page contains VLAN ID The VLAN ID of the Multicast group MAC Group Address The MAC address of the group STEP 7 Select the port or LAG to be displayed from the Filter Interface Type menu STEP 8 Click Go to display the port or LAG membership STEP 9 Select the way that each interface is associated with the Multicast group Static Attaches the interface to the Multica...

Page 291: ...ne the IP address of the Multicast group to be displayed This is only relevant when the Forwarding mode is S G Source IP Address equals to Define the source IP address of the sending device If mode is S G enter the sender S This together with the IP Group Address is the Multicast group ID S G to be displayed If mode is G enter an to indicate that the Multicast group is only defined by destination ...

Page 292: ...ct its association type The options are as follows Static Attaches the interface to the Multicast group as a static member Forbidden Specifies that this port is forbidden from joining this group on this VLAN None Indicates that the port is not currently a member of this Multicast group on this VLAN This is selected by default until Static or Forbidden is selected STEP 10 Click Apply The Running Co...

Page 293: ...r 2 Multicast domain of snooping switches in the absence of a Multicast router For example where Multicast content is provided by a local server but the router if one exists on that network does not support Multicast The speed of IGMP Querier activity must be aligned with the IGMP snooping enabled switches Queries must be sent at a rate that is aligned to the snooping table aging time If queries a...

Page 294: ... querier Operational Query Robustness Displays the robustness variable sent by the elected querier Query Interval Enter the interval between the General Queries to be used if this device is the elected querier Operational Query Interval The time interval in seconds between General Queries sent by the elected querier Query Max Response Interval Enter the delay used to calculate the Maximum Response...

Page 295: ...uerier Select IGMPv3 if there are switches and or Multicast routers in the VLAN that perform source specific IP Multicast forwarding STEP 5 Click Apply The Running Configuration file is updated MLD Snooping Hosts use the MLD protocol to report their participation in Multicast sessions and the device uses MLD snooping to build Multicast membership lists It uses these lists to forward Multicast pack...

Page 296: ... static definitions are preserved when the system is rebooted To enable MLD Snooping STEP 1 Click Multicast MLD Snooping STEP 2 Enable or disable MLD Snooping Status When MLD Snooping is globally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filterin...

Page 297: ...ed to calculate the Maximum Response Code inserted into the General Queries Last Member Query Counter Enter the Last Member Query Count to be used if the device cannot derive the value from the messages sent by the elected querier Operational Last Member Query Counter Displays the operational value of the Last Member Query Counter Last Member Query Interval Enter the Maximum Response Delay to be u...

Page 298: ...t group MAC address or IP address to query Source Address equals to Defines the sender address to query VLAN ID equals to Defines the VLAN ID to query STEP 4 Click Go The following fields are displayed for each Multicast group VLAN The VLAN ID Group Address The Multicast group MAC address or IP address Source Address The sender address for all of the specified group ports Included Ports The list o...

Page 299: ...y configured as a Multicast router port by a MLD IGMP query To enable the dynamic learning of Multicast router ports go to the Multicast IGMP Snooping page and the Multicast MLD Snooping page Forbidden This port is not to be configured as a Multicast router port even if IGMP or MLD queries are received on this port If Forbidden is enabled on a port Mrouter is not learned on this port i e MRouter P...

Page 300: ... streams even if IGMP MLD snooping designated the port to join a Multicast group None The port is not currently a Forward All port STEP 5 Click Apply The Running Configuration file is updated Defining Unregistered Multicast Settings Multicast frames are generally forwarded to all ports in the VLAN If IGMP MLD Snooping is enabled the device learns about the existence of Multicast groups and monitor...

Page 301: ...itted in the network To define unregistered Multicast settings STEP 1 Click Multicast Unregistered Multicast STEP 2 Define the following Interface Type equals to The view as all ports or all LAGs Port LAG Displays the port or LAG ID Unregistered Multicast Displays the forwarding status of the selected interface The possible values are Forwarding Enables forwarding of unregistered Multicast frames ...

Page 302: ...yer 2 or Layer 3 system mode Therefore when this section refers to a device that works in Layer 3 system mode this refers to all SG500X devices in Native stacking mode and those devices that have been manually set to Layer 3 system mode When this document refers to a device that works in Layer 2 system mode this refers to all Sx500 devices and SG500X devices in Hybrid mode that have been manually ...

Page 303: ...ses the default gateway if configured to communicate with devices that are not in the same IP subnet with the device By default VLAN 1 is the management VLAN but this can be modified When operating in Layer 2 system mode the device can only be reached at the configured IP address through its management VLAN The factory default setting of the IPv4 address configuration is DHCPv4 This means that the...

Page 304: ...lid green The LED flashes when the device is acquiring an IP address and is currently using the factory default IP address 192 168 1 254 The same rules apply when a client must renew the lease prior to its expiration date through a DHCPREQUEST message With factory default settings when no statically defined or DHCP acquired IP address is available the default IP address is used When the other IP a...

Page 305: ...nown The device IP address can be manually configured or automatically taken from a DHCP server To configure the IPv4 device IP address STEP 1 Click Administration Management Interface IPv4 Interface STEP 2 Enter values for the following fields Management VLAN Select the Management VLAN used to access the device through telnet or the Web GUI VLAN1 is the default Management VLAN IP Address Type Sel...

Page 306: ... subnet If a dynamic IP address is retrieved from the DHCP server select those of the following fields that are enabled Renew IP Address Now The device dynamic IP address can be renewed any time after it is assigned by a DHCP server Note that depending on your DHCP server configuration the device might receive a new IP address after the renewal that requires setting the web based configuration uti...

Page 307: ... box In Sx500 devices when you change the system mode from Layer 2 to Layer 3 it automatically enables IP routing STEP 2 Select IPv4 Routing to enable the device to function as an IPv4 router STEP 3 Click Apply The parameter is saved to the Running Configuration file This page displays the following fields in the IPv4 Interface Table Interface Interface for which the IP address is defined IP Addre...

Page 308: ...ress Type Select one of the following options Dynamic IP Address Receive the IP address from a DHCP server Static IP Address Enter the IP address STEP 6 If Static Address was selected enter the IP Address for this interface STEP 7 If Static Address was selected enter one of the following Network Mask IP mask for this address Prefix Length Length of the IPv4 prefix STEP 8 Click Apply The IPv4 addre...

Page 309: ...e following fields Destination IP Prefix Enter the destination IP address prefix Mask Select and enter information for one of the following Network Mask The IP route prefix for the destination IP Prefix Length The IP route prefix for the destination IP Route Type Select the route type Reject Rejects the route and stops routing to the destination network via all gateways This ensures that if a fram...

Page 310: ...evice creates dynamic addresses from the ARP packets it receives Dynamic addresses age out after a configured time NOTE In Layer 2 mode the IP MAC address mapping in ARP Table is used by the device to forward traffic originated by the device In Layer 3 mode the mapping information is used for Layer 3 routing as well as to forward generated traffic To define the ARP tables STEP 1 Click IP Configura...

Page 311: ...d by the host Only IPv4 is supported Interface Layer 3 only IPv4 interface on the device VLAN Layer 2 only In Layer 2 displays the management VLAN ID For devices in Layer 2 mode there is only one directly connected IP subnet which is always in the management VLAN All the static and dynamic addresses in the ARP Table reside in the management VLAN Interface For devices in Layer 3 system mode an IPv4...

Page 312: ...dress STEP 3 Click Apply The ARP proxy is enabled and the Running Configuration file is updated UDP Relay IP Helper The UDP Relay IP Helper feature is only available when the device is in Layer 3 system mode Switches do not typically route IP Broadcast packets between IP subnets However if this feature enables the device to relay specific UDP Broadcast packets received from its IPv4 interfaces to ...

Page 313: ...that is connected to a DHCP server and is allowed to assign DHCP addresses DHCP messages received on trusted ports are allowed to pass through the device An untrusted port is a port that is not allowed to assign DHCP addresses By default all ports are considered untrusted until you declare them trusted in the DHCP Snooping Interface Settings page DHCPv4 Relay DHCP Relay relays DHCP packets to the ...

Page 314: ...e network The main goal of option 82 is to help to the DHCP server select the best IP subnet network pool from which to obtain an IP address The following Option 82 options are available on the device DHCP Insertion Add Option 82 information to packets that do not have foreign Option 82 information DHCP Passthrough Forward or reject DHCP packets that contain Option 82 information from untrusted po...

Page 315: ...es with various combinations of DHCP Snooping DHCP Relay and Option 82 The following describes how DHCP request packets are handled when DHCP Snooping is not enabled and DHCP Relay is enabled DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Inser...

Page 316: ... without Option 82 Packet is sent with the original Option 82 Relay inserts Option 82 Bridge no Option 82 is inserted Relay discards the packet Bridge Packet is sent with the original Option 82 Option 82 Insertion Enabled Relay is sent with Option 82 Bridge Option 82 is added if port is trusted behaves as if DHCP Snooping is not enabled Packet is sent with the original Option 82 Relay is sent with...

Page 317: ... originates in device packet is sent without Option 82 2 If reply does not originate in device packet is discarded Bridge Packet is sent with the original Option 82 Option 82 insertion enabled Packet is sent without Option 82 Relay Packet is sent without Option 82 Bridge Packet is sent with the Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay Packet is sent without ...

Page 318: ... the client if it exists DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet is sent without Option 82 Packet is sent with the original Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay 1 If r...

Page 319: ... trusted by default How the DHCP Snooping Binding Database is Built The following describes how the device handles DHCP packets when both the DHCP client and DHCP server are trusted The DHCP Snooping Binding database is built in this process DHCP Trusted Packet Handling The actions are STEP 1 Device sends DHCPDISCOVER to request an IP address or DHCPREQUEST to accept an IP address and lease STEP 2...

Page 320: ... only Forwarded to trusted interfaces only DHCPOFFER Filter Forward the packet according to DHCP information If the destination address is unknown the packet is filtered DHCPREQUEST Forward to trusted interfaces only Forward to trusted interfaces only DHCPACK Filter Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database DHCPNAK Filter Same as DHCPOFFER Remove entry if exists...

Page 321: ... are relayed DHCP Default Configuration The following describes DHCP Snooping and DHCP Relay default options DHCP Default Options Configuring DHCP Work Flow To configure DHCP Relay and DHCP Snooping DHCPRELEASE Same as DHCPDECLINE Same as DHCPDECLINE DHCPINFORM Forward to trusted interfaces only Forward to trusted interfaces only DHCPLEASEQUE RY Filtered Forward Packet Type Arriving from Untrusted...

Page 322: ... Properties To configure DHCP Relay DHCP Snooping and Option 82 STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay Properties or Security DHCP Snooping Enter the following fields Option 82 Select Option 82 to insert Option 82 information into packets DHCP Relay Select to enable DHCP Relay DHCP Snooping Status Select to enable DHCP Snooping If DHCP Snooping is enabled ...

Page 323: ...faces STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay Interface Settings STEP 2 To enable DHCP Relay or DHCP Snooping on an interface click ADD STEP 3 Select the interface and the features to be enabled DHCP Relay or DHCP Snooping STEP 4 Click Apply The settings are written to the Running Configuration file DHCP Snooping Trusted Interfaces Packets from untrusted po...

Page 324: ...d Note that if the IP source guard and or ARP inspection features are active the clients that are not written in the DHCP Snooping Binding database are not be able to connect to the network To add entries to the DHCP Snooping Binding database STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay DHCP Snooping Binding Database To see a subset of entries in the DHCP Snoopi...

Page 325: ...Allocation The hardware address of a host is manually mapped to an IP address Dynamic Allocation A client obtains a leased IP address for a specified period of time that can be infinite If the DHCP client does not renew the allocated IP Address the IP address is revoked at the end of this period and the client must request another IP address DHCP Options The following tables defines DHCP options s...

Page 326: ...rver but cannot be set in the GUI or CLI 51 Extension IP Address Lease Time 44 NetBIOS NetBIOS over TCP IP Name Server Option netbios name server 46 NetBIOS NetBIOS over TCP IP Node Type Option netbios node type Option Option Name Description 50 Requested IP Address The option is created by the DHCP client during renew 53 DHCP Message Type The option specifies the DHCP message type value message t...

Page 327: ...efault Workflow for Enabling Feature To configure the device as a DHCPv4 server STEP 1 Enable the device as a DHCP server using the DHCP Server Properties page STEP 2 If there are any IP addresses that you do not want to be assigned configure them using the Excluded Addresses page STEP 3 Define up to 8 network pools of IP addresses using the Network Pools page STEP 4 Configure clients that will be...

Page 328: ...ubnetwork These addresses are allocated to various clients within that subnet When a client requests an IP address the device as DHCP server allocates an IP address according to the following Directly attached Client The device allocates an address from the network pool whose subnet matches the subnet configured on the device s IP interface from which the DHCP request was received Remote Client Th...

Page 329: ... lease in number of days The range is 0 to 49710 days Hours The number of hours in the lease A days value must be supplied before an hours value can be added Minutes The number of minutes in the lease A days value and an hours value must be added before a minutes value can be added Default Router IP Address Option 3 Enter the default router for the DHCP client Domain Name Server IP Address Option ...

Page 330: ...the TFTP SCP server from which the configuration file is downloaded File Server Host Name sname Enter the name of the TFTP SCP server Configuration File Name file Enter the name of the file that is used as a configuration file Excluded Addresses By default the DHCP server assumes that all pool addresses in a pool may be assigned to clients A single IP address or a range of IP addresses can be excl...

Page 331: ... address prefix Identifier Type Set how to identify the specific static host Client Identifier Enter a unique identification of the client specified in dotted hexadecimal notation such as 01b6 0819 6811 72 or MAC Address Enter the MAC address of the client Client Name Enter the name of the static host using a standard set of ASCII characters The client name must not include the domain name Default...

Page 332: ...NTP servers if already configured or select Other and enter the IP address of the time server for the DHCP client File Server IP Address siaddr Enter the IP address of the TFTP SCP server from which the configuration file is downloaded File Server Host Name sname Enter the name of the TFTP SCP server Configuration File Name file Enter the name of the file that is used as a configuration file Addre...

Page 333: ...The Internet Protocol version 6 IPv6 is a network layer protocol for packet switched internetworks IPv6 was designed to replace IPv4 the predominantly deployed Internet protocol IPv6 introduces greater flexibility in assigning IP addresses because the address size increases from 32 bit to 128 bit addresses IPv6 addresses are written as eight groups of four hexadecimal digits for example FE80 0000 ...

Page 334: ...ed by the user and are not changed by routing protocols When static routes must be updated this must be done explicitly by the user It is the user s responsibility to prevent routing loops in the network Static IPv6 routes are either Directly attached meaning that the destination is directly attached to an interface on the device so that the packet destination which is the interface is used as the...

Page 335: ...When the hop limit becomes zero the packet is discarded This prevents packets from being transferred endlessly DHCPv6 Client Settings Unique Identifier DUID Format This is the identifier of the DHCP client that is used by the DHCP server to locate the client It can be in one of the following formats Link Layer Default If you select this option the MAC address of the device is used Enterprise Numbe...

Page 336: ...can be configured For other 500 devices both manual and ISATAP tunnels can be configured Tunnel Type Not present for Sx500 If the IPv6 interface is a tunnel select its type Manual or ISATAP see IPv6 Tunnel STEP 5 To configure the interface as a DHCPv6 client meaning to enable the interface to receive information from the DHCPv6 server such as SNTP configuration and DNS information enter the DHCPv6...

Page 337: ...ssages Enable generating unreachable destination messages MLD Version Layer 3 only IPv6 MLD version IPv6 Redirects Layer 3 only Select to enable sending ICMP IPv6 redirect messages These messages inform other devices not to send traffic to the device but rather to another device STEP 7 Click Apply to enable IPv6 processing on the selected interface Regular IPv6 interfaces have the following addres...

Page 338: ...rver DUID Unique identifier of the DHCPv6 server DHCPv6 Server Preference Priority of this DHCPv6 server Information Minimum Refresh Time See above Information Refresh Time See above Received Information Refresh Time Refresh time received from DHCPv6 server Remaining Information Refresh Time Remaining time until next refresh DNS Servers List of DNS servers received from the DHCPv6 server DNS Domai...

Page 339: ...ss is provided by the router Note that An IPv6 link local address is assigned to the ISATAP interface The initial IP address is assigned to the interface which is then activated If an ISATAP interface is active the ISATAP router IPv4 address is resolved via DNS by using ISATAP to IPv4 mapping If the ISATAP DNS record is not resolved ISATAP host name to address mapping is searched in the host mappi...

Page 340: ... address of the tunnel interface is also changed None Disable the tunnel Manual Enter the IPv4 source address to be used The IPv4 address configured must be one of the IPv4 addresses of the devices IPv4 interfaces Interface In Layer 3 Select the IPv4 interface to be used ISATAP Router Name A global string that represents a specific automatic tunnel router domain name The name can either be the def...

Page 341: ...splays the tunnel type Manual or ISATAP Tunnel State Select to enable the tunnel Source Set the local source IPv4 address of a tunnel interface The IPv4 address of the selected IPv4 interface is used to form part of the IPv6 address over the ISATAP tunnel interface The IPv6 address has a 64 bit network prefix of fe80 with the rest of the 64 bit formed by concatenating 0000 5EFE and the IPv4 addres...

Page 342: ...ns to configure a global string that represents a specific automatic tunnel router domain name Use Default This is always ISATAP User Defined Enter the router s domain name STEP 9 Click Apply The tunnel is saved to the Running Configuration file Defining IPv6 Addresses To assign an IPv6 address to an IPv6 Interface STEP 1 In Layer 2 system mode click Administration Management Interface IPv6 Addres...

Page 343: ...ddress In Layer 2 the device supports one IPv6 interface In addition to the default link local and Multicast addresses the device also automatically adds global addresses to the interface based on the router advertisements it receives The device supports a maximum of 128 addresses at the interface Each address must be a valid IPv6 address that is specified in hexadecimal format by using 16 bit val...

Page 344: ...tion Select to indicate that an advertisement option will be used by the system This option indicates to a visiting mobile node the interval at which that node may expect to receive router advertisements The node may use this information in its movement detection algorithm Hop Limit This is the value that the router advertises If it is not zero it is used as the hop limit by the host Managed Addre...

Page 345: ...tisement Lifetime Enter the remaining length of time in seconds that this router will continue to be useful as a default router A value of zero indicates that it is no longer useful as a default router Reachable Time Enter the amount of time that a remote IPv6 node is considered reachable in milliseconds User Defined or select the Use Default option to use the system default STEP 4 Click Apply to ...

Page 346: ...ning length of time in seconds that this prefix will continue to be preferred After this time has passed the prefix should no longer be used as a source address in new communications but packets received on such an interface are processed as expected The preferred lifetime must not be larger than the valid lifetime Infinite Select this value to set the field to 4 294 967 295 which represents infin...

Page 347: ...ynamic default routers are routers that have sent router advertisements to the device IPv6 interface When adding or deleting IP addresses the following events occur When removing an IP interface all the default router IP addresses are removed Dynamic IP addresses cannot be removed An alert message appears after an attempt is made to insert more than a single user defined address An alert message a...

Page 348: ...itation probes are being sent to verify the status STEP 2 Click Add to add a static default router STEP 3 Enter the following fields Next Hop The IP address of the next destination to which the packet is sent This is composed of the following Global An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks Link Local An IPv6 interface and IPv6 address tha...

Page 349: ...addresses the entry type static or dynamic and the state of the neighbor To define IPv6 neighbors STEP 1 n Layer 2 system mode click Administration Management Interface IPv6 Neighbors In Layer 3 system mode click IP Configuration IPv6 Management and Interfaces IPv6 Neighbors STEP 2 You can select a Clear Table option to clear some or all of IPv6 addresses in the IPv6 Neighbors Table Static Only De...

Page 350: ... The address must be a valid IPv6 address MAC Address Enter the MAC address mapped to the specified IPv6 address STEP 5 Click Apply The Running Configuration file is updated STEP 6 To change the type of an IP address from Dynamic to Static select the address click Edit and use the Edit IPv6 Neighbors page Viewing IPv6 Route Tables The IPv6 Forwarding Table contains the various routes that have bee...

Page 351: ...work link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks Point to Point A Point...

Page 352: ...ich packets are forwarded Two sets of DHCPv6 servers can be configured Global Destinations Packets are always relayed to these DHCPv6 servers Interface List This is a per interface list of DHCPv6 servers When a DHCPv6 packet is received on an interface the packet is relayed both to the servers on the interface list if it exists and to the servers on the global destination list Dependencies with Ot...

Page 353: ...CPv6 on an interface and optionally add a DHCPv6 server for an interface click Add Enter the fields Source Interface Select the interface port LAG VLAN or tunnel for which DHCPv6 Relay is enabled Use Global Destinations Only Select to forward packets to the DHCPv6 global destination servers only IPv6 Address Type Enter the type of the destination address to which client messages are forwarded The ...

Page 354: ...f seconds that the device will wait for a response to a DNS query Polling Interval Enter how often in seconds the device sends DNS query packets after the number of retries has been exhausted Use Default Select to use the default value This value 2 Polling Retries 1 Polling Timeout User Defined Select to enter a user defined value Default Parameters Enter the following default parameters Default D...

Page 355: ...nly one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select the interface through which it is received DNS Server IP Address Enter the DNS server IP...

Page 356: ...tries These are mapping pairs that were either added by the system as a result of being used by the user or and an entry for each IP address configured on the device by DHCP There can be 256 dynamic entries Name resolution always begins by checking static entries continues by checking the dynamic entries and ends by sending requests to the external DNS server Eight IP addresses are supported per D...

Page 357: ...is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global U...

Page 358: ...e their routes based on advertisements but do not advertise Typically routers run RIP in active mode while hosts use passive mode The default gateway is a static route and it is advertised by RIP in the same way as all other static routers if it is enabled by configuration When IP Routing is enabled RIP works fully When IP Routing is disabled RIP works in the passive mode meaning that it only lear...

Page 359: ...ent although when RIP messages are received they are used to update the routing table information NOTE RIP can only be defined on manually configured IP interfaces meaning that RIP cannot be defined on an interface whose IP address was received from a DHCP server or whose IP address is the default IP address Offset Configuration A RIP message includes a metric number of hops for each route An offs...

Page 360: ...rA is higher via router rC additional 4 to the cost path as opposed to the path via router rB additional 2 to the cost path Therefore forwarding traffic via routing rB is preferred To achieve this you configure a different offset metric value on each interface based on its line speed See Offset Configuration for more information Passive Mode Transmission of routing update messages over a specific ...

Page 361: ... to avoid listing every possible network in the routing updates when one or more closely connected routers in the system are prepared to transfer traffic to the networks that are not listed explicitly These routers create RIP entries for the address 0 0 0 0 just as if it were a network to which they are connected You can enable the default route advertisement and configure it with a given metric R...

Page 362: ...efault Causes RIP to use the routing table metric as the RIP metric for the propagated route configuration This results in the following behavior If the metric value of a route is equal to or less than 15 this value is used in the RIP protocol when advertising this route If the metric value of a static route is greater than 15 the route is not advertised to other routers using RIP User Defined Met...

Page 363: ... appropriate metric are configured statically on this router While on router rB the route to router rA is considered a connected route In contrast routers rB and rC derive and distribute their routing entries using RIP The connected route configuration of router rB can be propagated to router rC using either the default metric or transparent system A static connected route is redistributed either ...

Page 364: ...tication key on a key chain is received as valid Each transmitted RIP message contains the calculated MD5 digest of the message containing the key chain plus the key identifier of the used key string The receiver also has the key chain configured on it The key identifier is used by the receiver to select the key for validating the MD5 digest RIP Statistical Counters You can monitor the RIP operati...

Page 365: ...default route entries on the IP interface using the RIPv2 Settings page Enable RIP authentication on an IP Interface using the RIPv2 Settings page RIPv2 Properties To enable disable RIP on the device STEP 1 Click IP Configuration RIPv2 RIPv2 Properties STEP 2 Select the following options as required RIP The following options are available Enable Enable RIP Disable Disable RIP Disabling RIP deletes...

Page 366: ...e static route is not advertised to other routers using RIP User Defined Metric Enter the value of the metric STEP 5 Redistribute Connected Route Select to enable this feature described in Redistributing Static Route Configuration STEP 6 If Redistribute Connected Route is enabled select an option for the Redistribute Static Metric field The following options are available Default Metric Causes RIP...

Page 367: ... number of the specified IP interface This reflects the additional cost of using this interface based on the speed of the interface Default Route Advertisement This option is defined globally in the RIPv2 Properties page You can use the global definition or define this field for the specific interface The following options are available Global Use the global settings defined in the RIPv2 Propertie...

Page 368: ...cified IP address es in the Access List Name If this field is enabled select the Access List Name below Access List Name Select the Access List name which includes a list of IP addresses of RIP outgoing routes filtering for a specified IP interface See Creating an Access Listfor a description of access lists STEP 3 Click Apply The settings are written to the Running Configuration file Displaying R...

Page 369: ...Specifies the number of bad packets identified by RIP on the IP interface Bad Routes Received Specifies the number of bad routes received and identified by RIP on the IP interface Bad routes mean that the route parameters are incorrect For example the IP destination is a Broadcast or the metric is 0 or greater than 16 Last Updated Indicates the last time RIP received RIP routes from the remote IP ...

Page 370: ...sk Enter the source IPv4 address mask type and value The following options are available Network Mask Enter the network mask Prefix Length Enter the prefix length Action Select an action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the access list Populate an A...

Page 371: ...IPv4 Mask Source IPv4 address mask type and value The following options are available Network Mask Enter the network mask for example 255 255 0 0 Prefix Length Enter the prefix length Action Action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the access list ...

Page 372: ...lity of routing paths in the network In VRRP one physical router in a virtual router is elected as the master with the other physical router of the same virtual router acting as backups in case the master fails The physical routers are referred as VRRP routers The default gateway of a participating host is assigned to the virtual router instead of a physical router If the physical router that is r...

Page 373: ...er uses the IP address of the physical Ethernet interface of Router A Router A assumes the role of the virtual router master and is also known as the IP address owner As the virtual router master Router A controls the IP address of the virtual router and is responsible to route packets on behalf of the virtual router Clients 1 through 3 are configured with the default gateway IP address of 198 168...

Page 374: ... the highest if it is not an owner the priority is manually configured always less than 255 When Router A recovers it becomes the virtual router master again During the period that the master is recovering both masters forwards packets and as a result there is some duplication regular behavior but no interruption For more detail on the roles that VRRP routers play and what happens if the virtual r...

Page 375: ...al router 1 rA is the owner of IP address 192 168 2 1 and is the virtual router master and rB is the virtual router backup to rA Clients 1 and 2 are configured with the default gateway IP address of 192 168 2 1 For virtual router 2 rB is the owner of IP address 192 168 2 2 and virtual router master and rA is the virtual router backup to rB Clients 3 and 4 are configured with the default gateway IP...

Page 376: ...and its IP addresses on every VRRP routers that support the virtual router The following elements can be configured and customized Virtual Router Identification It must be assigned an identifier VRID and may be assigned a description The sections below describe the various attributes of the virtual router VRRP supports up to 255 virtual routers VRRP groups VRRP Versions The device supports the fol...

Page 377: ...supporting a virtual router must have an IP interface on the same IP subnet with respect to the IP addresses configured on the virtual router Assigning IP addresses to a virtual router is done according to the following rules All the VRRP routers supporting the virtual router must be configured with the same virtual router IP addresses in their configuration of the virtual router None of the IP ad...

Page 378: ...est VRRP router s IP address defined on the interface If the source IP address was a default one a new default source IP address is taken VRRP Router Priority and Preemption An important aspect of the VRRP redundancy scheme is the ability to assign each VRRP router a VRRP priority The VRRP priority must express how efficiently a VRRP router would perform as a backup to a virtual router defined in ...

Page 379: ... assigned to the VRRP group The advertisements are sent every second by default the advertisement interval is configurable The advertisement Interval is in mS Range 50 40950 Default 1000 A non value is invalid In VRRP version 3 the operational advertise interval is rounded down the nearest 10ms In VRRP version 2 the operational advertise interval is rounded down to the nearest second The minimum o...

Page 380: ... owner this field gets the value 255 and this value cannot be changed If not enter the priority of this device based on its ability to function as a master 100 is the default for a non owner device Preempt Mode Select true false to enable disable preempt mode as described in VRRP Router Priority and Preemption Advertisement Interval Enter time interval as described in VRRP Advertisements NOTE If t...

Page 381: ...IP Configuration IPv4 VRRP Virtual Routers Configuring VRRP 363 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 19 ...

Page 382: ...e list of topics below Permission to administer the device is described in the following sections Defining Users Configuring TACACS Configuring RADIUS Key Management Configuring Management Access Authentication Defining Management Access Method SSL Server SSL Server Protection from attacks directed at the device CPU is described in the following sections Configuring TCP UDP Services Defining Storm...

Page 383: ...ame password is cisco cisco The first time that you log in with the default username and password you are required to enter a new password Password complexity is enabled by default If the password that you choose is not complex enough Password Complexity Settings are enabled in the Password Strength page you are prompted to create another password Setting User Accounts The User Accounts page enabl...

Page 384: ... boot process and a suitable log message is generated to the terminal STEP 3 Click Add to add a new user or click Edit to modify a user STEP 4 Enter the parameters User Name Enter a new username between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must comply ...

Page 385: ... selected the user is prompted to change the password when the Password Aging Time expires Password Aging Time Enter the number of days that can elapse before the user is prompted to change the password NOTE Password aging also applies to zero length passwords no password STEP 3 Select Password Complexity Settings to enable complexity rules for passwords If password complexity is enabled new passw...

Page 386: ...e as the current password upon a password change STEP 5 Click Apply The password settings are written to the Running Configuration file NOTE Configuring the username password equivalence and manufacturer password equivalence may be done through the CLI See the CLI Reference Guide for further instruction Configuring TACACS An organization can establish a Terminal Access Controller Access Control Sy...

Page 387: ...onnection If the TACACS server does not support this the device reverts to multiple connections Accounting Using a TACACS Server The user can enable accounting of login sessions using either a RADIUS or TACACS server The user configurable TCP port used for TACACS server accounting is the same TCP port that is used for TACACS server authentication and authorization The following information is sent...

Page 388: ...TACACS and Add TACACS Server pages STEP 3 Select TACACS in the Management Access Authentication page so that when a user logs onto the device authentication is performed on the TACACS server instead of in the local database NOTE If more than one TACACS server has been configured the device uses the configured priorities of the available TACACS servers to select the TACACS server to be used by the ...

Page 389: ... configured for the individual TACACS server takes precedence Timeout for Reply Enter the amount of time that passes before the connection between the device and the TACACS server times out If a value is not entered in the Add TACACS Server page for a specific server the value is taken from this field Source IPv4 Address Enter the device IPv4 source addresses to be used by the TACACS server Source...

Page 390: ... communications by using MD5 You can select the default key on the device or the key can be entered in Encrypted or Plaintext form If you do not have an encrypted key string from another device enter the key string in plaintext mode and click Apply The encrypted key string is generated and displayed If you enter a key this overrides the default key string if one has been defined for the device on ...

Page 391: ...cation Provides authentication of regular and 802 1X users logging onto the device by using usernames and user defined passwords Authorization Performed at login After the authentication session is completed an authorization session starts using the authenticated username The TACACS server then checks user privileges Accounting Enable accounting of login sessions using the RADIUS server This enabl...

Page 392: ... Port Based Access Control 802 1X MAC Based Specifies that the RADIUS server is used for 802 1x port accounting Management Access Specifies that the RADIUS server is used for user login accounting Both Port Based Access Control and Management Access Specifies that the RADIUS server is used for both user login accounting and 802 1x port accounting None Specifies that the RADIUS server is not used f...

Page 393: ... IPv6 Address Enter the source IPv6 address to be used STEP 4 Click Apply The RADIUS default settings for the device are updated in the Running Configuration file To add a RADIUS server click Add STEP 5 Enter the values in the fields for each RADIUS server To use the default values entered in the RADIUS page select Use Default Server Definition Select whether to specify the RADIUS server by IP add...

Page 394: ...r an answer from the RADIUS server before retrying the query or switching to the next server if the maximum number of retries were made If Use Default is selected the device uses the default timeout value Authentication Port Enter the UDP port number of the RADIUS server port for authentication requests Accounting Port Enter the UDP port number of the RADIUS server port for accounting requests Ret...

Page 395: ...on for a description of how RIP uses key chain for authentication To create a key chain do the following STEP 1 Create a key chain with a single key in it using the Key Chain Settings page STEP 2 Add additional keys using the Key Settings page Creating a Key Chain Use the Key Chain Settings page to create a new key chain STEP 1 Click Security Key Management Key Chain Settings STEP 2 To add a new k...

Page 396: ...ally or from SNTP Otherwise Accept Life Time and Send Life Times always fail Start Date Enter the earliest date that the key identifier is valid Start Time Enter the earliest time that the key identifier is valid on the Start Date End Time Specifies the last date that the key identifier is valid Select one of the following options Infinite No limit to the life of the key identifier Duration Life o...

Page 397: ...escribed for the Accept Life Time The Send Life Time has the same fields Accept Life Time Specifies when packets with this key are accepted Select one of the following options Always Valid No limit to the life of the key identifier User Defined Life of the key chain is limited If this option is selected enter values in the following fields Start Date Enter the earliest date that the key identifier...

Page 398: ...e first authentication method is not available the next selected method is used For example if the selected authentication methods are RADIUS and Local and all configured RADIUS servers are queried in priority order and do not reply the user is authenticated locally If an authentication method fails or the user has insufficient privilege level the user is denied access to the device In other words...

Page 399: ...mine how to authenticate and authorize users accessing the device through various access methods Access Profiles can limit management access from specific sources Only users who pass both the active access profile and the management access authentication methods are given management access to the device There can only be a single access profile active on the device at one time Access profiles cons...

Page 400: ...ess the device is in violation of the active access profile the device generates a SYSLOG message to alert the system administrator of the attempt If a console only access profile has been activated the only way to deactivate it is through a direct connection from the management station to the physical console port on the device For more information see Defining Profile Rules Use the Access Profil...

Page 401: ...s One is the highest priority Management Method Select the management method for which the rule is defined The options are All Assigns all management methods to the rule Telnet Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the device that meets the SSH access profile criteria are permi...

Page 402: ...mal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 7 Click Apply The access profile is written to the Running Configuration file You can now select this access profile as the active access profile Defining Profile Rules Access profiles can contain up to 128 rules to determine who is permitted to manage and access the devic...

Page 403: ...ers requesting access to the device that meets the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access HTTP Assigns HTTP access to the rule Users requesting access to the device that meets the HTTP access profile criteria are permitted or denied Secure HTTP...

Page 404: ... for the source IP address and enter a value in one of the field Network Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 5 Click Apply and the rule is added to the access profile SSL Server This section describes the Se...

Page 405: ...erver Authentication Settings Information appears for certificate 1 and 2 in the SSL Server Key Table These fields are defined in the Edit page except for the following fields Valid From Specifies the date from which the certificate is valid Valid To Specifies the date up to which the certificate is valid Certificate Source Specifies whether the certificate was generated by the system Auto Generat...

Page 406: ...the CA enter the following Certificate ID Select the active certificate Certificate Copy in the received certificate Import RSA KEY Pair Select to enable copying in the new RSA key pair Public Key Copy in the RSA public key Private Key Encrypted Select and copy in the RSA private key in encrypted form Private Key Plaintext Select and copy in the RSA private key in plain text form Display Sensitive...

Page 407: ...ices STEP 2 Enable or disable the following TCP UDP services on the displayed services HTTP Service Indicates whether the HTTP service is enabled or disabled HTTPS Service Indicates whether the HTTPS service is enabled or disabled SNMP Service Indicates whether the SNMP service is enabled or disabled Telnet Service Indicates whether the Telnet service is enabled or disabled SSH Service Indicates w...

Page 408: ...ce The service instance of the UDP service For example when two senders send data to the same destination STEP 3 Click Apply The services are written to the Running Configuration file Defining Storm Control When Broadcast Multicast or Unknown Unicast frames are received they are duplicated and a copy is sent to all possible egress ports This means that in practice they are sent to all ports belong...

Page 409: ...er the maximum rate at which unknown packets can be forwarded The default for this threshold is 10 000 for FE devices and 100 000 for GE devices Storm Control Mode Select one of the modes Unknown Unicast Multicast Broadcast Counts unknown Unicast Broadcast and Multicast traffic towards the bandwidth threshold Multicast Broadcast Counts Broadcast and Multicast traffic towards the bandwidth threshol...

Page 410: ...Delete On Reset ones up to the maximum addresses allowed on the port Relearning and aging are disabled When a frame from a new MAC address is detected on a port where it is not authorized the port is classically locked and there is a new MAC address or the port is dynamically locked and the maximum number of allowed addresses has been exceeded the protection mechanism is invoked and one of the fol...

Page 411: ...manent Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port set by Max No of Addresses Allowed Relearning and aging are enabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses can be learned as Delete On Reset ones up to the maximum addresses allo...

Page 412: ... to request port access from a remote device authenticator to which it is connected Only when the supplicant requesting port access is authenticated and authorized is it permitted to send data to the port Otherwise the authenticator discards the supplicant data unless the data is sent to a Guest VLAN and or non authenticated VLANs Authentication of the supplicant is performed by an external RADIUS...

Page 413: ... NOTE DVA is only supported on the Sx500 model switches when the device is in Layer 2 system mode For a device to be authenticated and authorized at a port which is DVA enabled The RADIUS server must authenticate the device and dynamically assign a VLAN to the device The user can configure an alternative VLAN ahead of time to be used if the RADIUS server does not assign a VLAN The assigned VLAN mu...

Page 414: ...n unauthenticated VLAN is a VLAN that allows access by both authorized and unauthorized devices or ports You can configure one or more VLANs to be unauthenticated in Creating VLANs An unauthenticated VLAN has the following characteristics It must be a static VLAN and cannot be the Guest VLAN or the Default VLAN The member ports must be manually configured as tagged members The member ports must be...

Page 415: ...uthorized and unauthorized devices or ports can always send or receive packets to or from unauthenticated VLANs Define 802 1X settings for each port by using the Edit Port Authentication page Note the following On this page DVA can be activated on a port by selecting the RADIUS VLAN Assignment field You can select the Guest VLAN field to have untagged incoming frames go to the guest VLAN Define ho...

Page 416: ...nticate the user Permit the session Guest VLAN Select to enable the use of a Guest VLAN for unauthorized ports If a Guest VLAN is enabled all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field If a port is later authorized it is removed from the Guest VLAN Guest VLAN ID Select the guest VLAN from the list of VLANs Guest VLAN Timeout Define a time period After linkup...

Page 417: ... STEP 4 Optionally uncheck Authentication to make the VLAN an unauthenticated VLAN STEP 5 Click Apply and the Running Configuration file is updated Defining 802 1X Port Authentication The Port Authentication page enables configuration of 802 1X parameters for each port Since some of the configuration changes are only possible while the port is in Force Authorized state such as host authentication ...

Page 418: ... Authorizes the interface without authentication RADIUS VLAN Assignment Select to enable Dynamic VLAN assignment on the selected port Dynamic VLAN assignment is possible only when the 802 1X mode is set to Multiple Session After authentication the port joins the supplicant VLAN as an untagged port in that VLAN Alternate VLAN Assignment If RADIUS VLAN Assignment is enabled you can select one of the...

Page 419: ...specified Reauthentication Period Reauthentication Period Enter the number of seconds after which the selected port is reauthenticated Reauthenticate Now Select to enable immediate port re authentication Authenticator State Displays the defined port authorization state The options are Initialize In process of coming up Force Authorized Controlled port state is set to Force Authorized forward traff...

Page 420: ...ication was terminated if applicable STEP 4 Click Apply The port settings are written to the Running Configuration file Defining Host and Session Authentication The Host and Session Authentication page enables defining the mode in which 802 1X operates on the port and the action to perform if a violation has been detected The 802 1X modes are Single Only a single authorized host can access the por...

Page 421: ... by using the port No Single Host Port control is Auto and Multiple Hosts mode is enabled At least one client has been authenticated Not in Auto Mode Auto port control is not enabled Number of Violations Displays the number of packets that arrive on the interface in single host mode from a host whose MAC address is not the supplicant MAC address STEP 2 Select a port and click Edit STEP 3 Enter the...

Page 422: ...to the Running Configuration file Viewing Authenticated Hosts To view details about authenticated users STEP 1 Click Security 802 1X Authenticated Hosts This page displays the following fields User Name Supplicant names that were authenticated on each port Port Number of the port Session Time DD HH MM SS Amount of time that the supplicant was logged on the port Authentication Method Method by whic...

Page 423: ... to the CPU There are no interactions with other features SCT can be monitored in the Denial of Service Denial of Service Prevention Security Suite Settings page Details button Types of DoS Attacks The following types of packets or other strategies might be involved in a Denial of Service attack TCP SYN Packets These packets often have a false sender address Each packets is handled like a connecti...

Page 424: ...e handlers by the attacker Using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts Each handler can control up to a thousand agents Invasor Trojan A trojan enables the attacker to download a zombie agent or the trojan may contain one Attackers can also break into systems using automated tools that exploit flaws in programs...

Page 425: ...if you attempt to define an ACL on an interface on which DoS Prevention is enabled A SYN attack cannot be blocked if there is an ACL active on an interface Default Configuration The DoS Prevention feature has the following defaults The DoS Prevention feature is disabled by default SYN FIN protection is enabled by default even if DoS Prevention is disabled If SYN protection is enabled the default p...

Page 426: ...on Enable that part of the feature that prevents attacks from Stacheldraht Distribution Invasor Trojan and Back Orifice Trojan STEP 5 If System Level Prevention or System Level and Interface Level Prevention is selected enable one or more of the following DoS Prevention options Stacheldraht Distribution Discards TCP packets with source TCP port equal to 16660 Invasor Trojan Discards TCP packets wi...

Page 427: ...ick Security Denial of Service Prevention SYN Protection STEP 2 Enter the parameters Block SYN FIN Packets Select to enable the feature All TCP packets with both SYN and FIN flags are dropped on all ports SYN Protection Mode Select between three modes Disable The feature is disabled on a specific interface Report Generates a SYSLOG message The status of the port is changed to Attacked when the thr...

Page 428: ...gal in the Martian Addresses page Addresses that are illegal from the point of view of the protocol such as loopback addresses including addresses within the following ranges 0 0 0 0 8 Except 0 0 0 0 32 as a Source Address Addresses in this block refer to source hosts on this network 127 0 0 0 8 Used as the Internet host loopback address 192 0 2 0 24 Used as the TEST NET in documentation and examp...

Page 429: ...ngth Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled STEP 5 Click Apply The Martian addresses are written to the Running Configuration file SYN Filtering The SYN Filtering page enables filtering TCP packets that contain a SYN flag and are destined for one or more ports To define a SYN filter STEP 1 Click Security Denial of Se...

Page 430: ...protection STEP 1 Click Security Denial of Service Prevention SYN Rate Protection This page appears the SYN rate protection currently defined per interface STEP 2 Click Add STEP 3 Enter the parameters Interface Select the interface on which the rate protection is being defined IP Address Enter the IP address for which the SYN rate protection is defined or select All Addresses If you enter the IP a...

Page 431: ...MP packet filtering is activated or select All Addresses to block ICMP packets from all source addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the field Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format ...

Page 432: ... that comprise the source IP address prefix STEP 4 Click Apply The IP fragmentation is defined and the Running Configuration file is updated IP Source Guard IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of its neighbor When IP Source Guard is enabled the device only transmits client IP traffic to IP addresses contai...

Page 433: ...ess entry If the number of IP Source Guard entries exceeds the number of available TCAM rules the extra addresses are inactive Filtering If IP Source Guard is enabled on a port then DHCP packets allowed by DHCP Snooping are permitted If source IP address filtering is enabled IPv4 traffic Only traffic with a source IP address that is associated with the port is permitted Non IPv4 traffic Permitted ...

Page 434: ...packet transmission is permitted as follows IPv4 traffic Only IPv4 traffic with a source IP address that is associated with the specific port is permitted Non IPv4 traffic All non IPv4 traffic is permitted See Interactions with Other Features for more information about enabling IP Source Guard on interfaces To configure IP Source Guard on interfaces STEP 1 Click Security IP Source Guard Interface ...

Page 435: ...Source Guard Binding Database STEP 2 The DHCP Snooping Binding database uses TCAM resources for managing the database Complete the Insert Inactive field to select how frequently the device should attempt to activate inactive entries It has the following options Retry Frequency The frequency with which the TCAM resources are checked Never Never try to reactivate inactive addresses STEP 3 Click Appl...

Page 436: ...ayer 2 Broadcast domain by mapping IP addresses to a MAC addresses A malicious user can attack hosts switches and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet This can happen because ARP allows a gratuitous reply from a host even if an ARP request was not received After the a...

Page 437: ...lf into the traffic stream from Host A to Host B the classic man in the middle attack How ARP Prevents Cache Poisoning The ARP inspection feature relates to interfaces as either trusted or untrusted see Security ARP Inspection Interface Setting page Interfaces are classified by the user as follows Trusted Packets are not inspected Untrusted Packets are inspected as described above ARP inspection i...

Page 438: ... is performed for ARP responses IP Addresses Compares the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP Multicast addresses Packets with invalid ARP Inspection bindings are logged and dropped Up to 1024 entries can be defined in the ARP Access Control table Interaction Between ARP Inspection and DHCP Snooping If DHCP Snooping is enabled ARP I...

Page 439: ...nspection STEP 1 Click Security ARP Inspection Properties Enter the following fields ARP Inspection Status Select to enable ARP Inspection ARP Packet Validation Select to enable the following validation checks Source MAC Compares the packets source MAC address in the Ethernet header against the senders MAC address in the ARP request This check is performed on both ARP requests and responses Destin...

Page 440: ...lt ports LAGs are ARP Inspection untrusted To change the ARP trusted status of a port LAG STEP 1 Click Security ARP Inspection Interface Settings The ports LAGs and their ARP trusted untrusted status are displayed STEP 2 To set a port LAG as untrusted select the port LAG and click Edit STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file Definin...

Page 441: ...Group and enter the fields MAC Address MAC address of packet IP Address IP address of packet STEP 4 Click Apply The settings are defined and the Running Configuration file is updated Defining ARP Inspection VLAN Settings To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN STEP 1 Click Security ARP Inspection VLAN Settings STEP 2 To enable ARP Inspection on a VLAN move...

Page 442: ...l between an SSH client in this case the device and an SSH server SSH client helps the user manage a network composed of one or more switches in which various system files are stored on a central SSH server When configuration files are transferred over a network Secure Copy SCP which is an application that utilizes the SSH protocol ensures that sensitive data such as username password cannot be in...

Page 443: ...r both on the device and on the SSH server although this guide does not describe server operations The following illustrates a typical network configuration in which the SCP feature might be used Typical Network Configuration Protection Methods When data is transferred from an SSH server to a device client the SSH server uses various methods for client authentication These are described below Pass...

Page 444: ...the device when it is booted One of these keys is used to encrypt the data being downloaded from the SSH server The RSA key is used by default If the user deletes one or both of these keys they are regenerated The public private keys are encrypted and stored in the device memory The keys are part of the device configuration file and the private key can be displayed to the user in encrypted or plai...

Page 445: ...ed server for a maximum of 16 servers and contains the following information Server IP address host name Server public key fingerprint When SSH server authentication is enabled the SSH client running on the device authenticates the SSH server using the following authentication process The device calculates the fingerprint of the received SSH server s public key The device searches the SSH Trusted ...

Page 446: ...port auto configuration of an out of box device device with factory default configuration SSH server authentication is disabled by default Supported Algorithms When the connection between a device as an SSH client and an SSH server is established the client and SSH server exchange data in order to determine the algorithms to use in the SSH transport layer The following algorithms are supported on ...

Page 447: ...on page STEP 2 If the password method was selected perform the following steps a Create a global password in the SSH User Authentication page or create a temporary one in the Upgrade Backup Firmware Language or Backup Configuration Log pages when you actually activate the secure data transfer b Upgrade the firmware boot image or language file using SCP by selecting the via SCP over SSH option in t...

Page 448: ...Generate a public private key in the SSH User Authentication page STEP 2 Set the SSD properties and create a new local passphrase in the Secure Sensitive Data Management Properties page STEP 3 Click Details to view the generated encrypted keys and copy them including the Begin and End footers from the Details page to an external device Copy the public and private keys separately STEP 4 Log on to a...

Page 449: ...rd This is the default setting If this is selected enter a password or retain the default one By RSA Public Key If this is selected create an RSA public and Private key in the SSH User Key Table block By DSA Public Key If this is selected create a DSA public private key in the SSH User Key Table block STEP 3 Enter the Username no matter what method was selected or user the default username This mu...

Page 450: ... define the trusted servers STEP 1 Click Security SSH Client SSH Server Authentication STEP 2 Select Enable to enable SSH server authentication STEP 3 Click Add and enter the following fields for the SSH trusted server Server Definition Select one of the following ways to identify the SSH server By IP Address If this is selected enter the IP address of the server in the fields below By Name If thi...

Page 451: ...uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from ...

Page 452: ...he device These can be modified by the user The SSH session is opened using a special SSH client application such as PuTTY SSH Server can operate in the following modes By Internally generated RSA DSA Keys Default Setting An RSA and a DSA key are generated Users log on the SSH Server application and are automatically authenticated to open a session on the device when they supply the IP address of ...

Page 453: ...m the following steps STEP 1 Generate an RSA or DSA key on an external SSH client application such as PuTTY STEP 2 Enable SSH user authentication by public key or password in the SSH User Authentication page STEP 3 Enable Automatic Login if required see Automatic Login below STEP 4 Add a user in the SSH User Authentication page and copy in the public key generated externally STEP 5 Log onto an ext...

Page 454: ... local user database You can prevent additional authentication by configuring the Automatic Login feature which works as follows Enabled If a user is defined in the local database and this user passed SSH Authentication using a public key the authentication by the local database username and password is skipped NOTE The configured authentication method for this specific management method console T...

Page 455: ...SA key Fingerprint Fingerprint generated from the public keys STEP 3 Click Add to add a new user and enter the fields SSH User Name Enter a user name Key Type Select either RSA or DSA Public Key Copy the public key generated by an external SSH client application like PuTTY into this text box SSH Server Authentication A public and private RSA and DSA key are automatically generated when the device ...

Page 456: ...te Enables you to delete a key Details Enables you to view the generated key The Details window also enables you to click Display Sensitive Data as Plaintext If this is clicked the keys are displayed as plaintext and not in encrypted form If the key is already being displayed as plaintext you can click Display Sensitive Data as Encrypted to display the text in encrypted form STEP 4 If new keys wer...

Page 457: ...Security SSH Server SSH Server Configuration Pages 439 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 22 ...

Page 458: ... SSD Properties Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In addition SSD e...

Page 459: ...ensitive data The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An SSD rule is uniquely identified by its...

Page 460: ...e channel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifies that this rule applies only to insecure channels Depending on the device it may support some or all of the following insecure channels Telnet TFTP and HTTP Secure XML S...

Page 461: ... The following options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read mode is Encrypted the user defined read permission prevails Exclude Do not allow reading sensitive data Encrypted Sensitive data is presented in encrypted form Plaintext Sensitive data is presented in plaintext form Each...

Page 462: ...sions is considered to be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users SNMP community names are not used as user names to match SSD rules Access by a specific SNMPv3 user can be controlled by configuring an SSD rule with a user name matching the SNMPv3 user name There must always be at least one rule with read permission P...

Page 463: ...the communication through external authentication servers such as RADIUS and TACACS servers The configuration of the secure communication to the external authentication servers are sensitive data and are protected under SSD NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternat...

Page 464: ... of the following occurs User changes it again Session is terminated The read permission of the SSD rule that is applied to the session user is changed and is no longer compatible with the current read mode of the session In this case the session read mode returns to the default read mode of the SSD rule SSD Properties SSD properties are a set of parameters that in conjunction with the SSD rules d...

Page 465: ...the configuration file or in the CLI GUI If better security and protection are desired an administrator should configure SSD on a device to use a user defined passphrase instead of the default passphrase A user defined passphrase should be treated as a well guard secret so that the security of the sensitive data on the device is not compromised A user defined passphrase can be configured manually ...

Page 466: ...e encrypted sensitive data in a configuration file from devices that do not have the passphrase This mode should be used when a user does not want to expose the passphrase in a configuration file After a device is reset to the factory default its local passphrase is reset to the default passphrase As a result the device will be not able to decrypt any sensitive data encrypted based on a user defin...

Page 467: ...er can manually upload and download a configuration file to and from a remote file server A device can automatically download its Startup Configuration from a remote file server during the auto configuration stage using DHCP Configuration files stored on remote file servers are referred to as remote configuration files A Running Configuration file contains the configuration currently being used by...

Page 468: ...control end respectively Startup Configuration File The device currently supports copying from the Running Backup Mirror and Remote Configuration files to a Startup Configuration file The configurations in the Startup Configuration are effective and become the Running Configuration after reboot A user can retrieve the sensitive data encrypted or in plaintext from a startup configuration file subje...

Page 469: ...configures the Startup Configuration file with the passphrase that is used to generate the key to decrypt the sensitive data in the source configuration file Any SSD configurations that are not found are reset to the default If there is an SSD control block in the source configuration file and the file contains plaintext sensitive data excluding the SSD configurations in the SSD control block the ...

Page 470: ...efore the File SSD Indicator in a Mirror Configuration file always indicates that the file contains encrypted sensitive data By default auto mirror configuration service is enabled To configure auto mirror configuration to be enabled or disabled click Administration File Management Configuration File Properties A user can display copy and upload the complete mirror and backup configuration files s...

Page 471: ...ile the device downloads the boot file remote configuration file into the Startup Configuration file from a file server and then reboots NOTE The file server may be specified by the bootp siaddr and sname fields as well as DHCP option 150 and statically configured on the device The user can safely auto configure target devices with encrypted sensitive data by first creating the configuration file ...

Page 472: ...x or in factory default states use the default anonymous user to access the SCP server SSD Management Channels Devices can be managed over management channels such as telnet SSH and web SSD categories the channels into the following types based on their security and or protocols secured insecure secure XML SNMP and insecure XML SNMP The following describes whether SSD considers each management cha...

Page 473: ...f SSD is supported this option is only permitted if the local passphrase is identical to the default passphrase If a device is configured with a user defined passphrase the user is unable to activate password recovery Configuring SSD The SSD feature is configured in the following pages SSD properties are set in the Properties page SSD rules are defined in the SSD Rules page SSD Properties Only use...

Page 474: ...ad mode for the current session see Elements of an SSD Rule To change the local passphrase STEP 4 Click Change Local Passphrase and enter a new Local Passphrase Default Use the devices default passphrase User Defined Plaintext Enter and confirm a new passphrase SSD Rules Only users with SSD read permission of Plaintext only or Both are allowed to set SSD rules To configure SSD rules STEP 1 Click S...

Page 475: ...SNMPv3 without privacy Read Permission The read permissions associated with the rule These can be the following Exclude Lowest read permission Users are not permitted to get sensitive data in any form Plaintext Only Higher read permission than above ones Users are permitted to get sensitive data in plaintext only Encrypted Only Middle read permission Users are permitted to get sensitive data as en...

Page 476: ... Management Configuring SSD Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 458 23 Restore All Rules to Default Restore all user modified default rules to the default rule and remove all user defined rules ...

Page 477: ...Security Secure Sensitive Data Management Configuring SSD 459 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 23 ...

Page 478: ...ted or denied entry This section contains the following topics Access Control Lists Defining MAC based ACLs IPv4 based ACLs IPv6 Based ACLs Defining ACL Binding Access Control Lists An Access Control List ACL is an ordered list of classification filters and actions Each single classification rule together with its action is called an Access Control Element ACE Each ACE is made up of filters that d...

Page 479: ...ping fails at the port The order of the ACEs within the ACL is significant since they are applied in a first fit manner The ACEs are processed sequentially starting with the first ACE ACLs can be used for security for example by permitting or denying certain traffic flows and also for traffic classification and prioritization in the QoS Advanced mode NOTE A port can be either secured with ACLs or ...

Page 480: ...of unbinding an ACL in order to modify it 1 If the ACL does not belong to a QoS Advanced Mode class map but it has been associated with an interface unbind it from the interface using the ACL Binding page 2 If the ACL is part of the class map and not bound to an interface then it can be modified 3 If the ACL is part of a class map contained in a policy bound to an interface you must perform the ch...

Page 481: ...d ACL To add rules ACEs to an ACL STEP 1 Click Access Control Mac Based ACE STEP 2 Select an ACL and click Go The ACEs in the ACL are listed STEP 3 Click Add STEP 4 Enter the parameters ACL Name Displays the name of the ACL to which an ACE is being added Priority Enter the priority of the ACE ACEs with higher priority are processed first One is the highest priority Action Select the action taken u...

Page 482: ... 0000 0000 0000 0000 0000 0000 1111 1111 which means that you match on the bits where there is 0 and don t match on the bits where there are 1 s You need to translate the 1 s to a decimal integer and you write 0 for each four zeros In this example since 1111 1111 255 the mask would be written as 0 0 0 255 Source MAC Address Select Any if all source address are acceptable or User defined to enter a...

Page 483: ...sses including wildcards DSCP IP precedence value NOTE ACLs are also used as the building elements of flow definitions for per flow QoS handling see QoS Advanced Mode The IPv4 Based ACL page enables adding ACLs to the system The rules are defined in the IPv4 Based ACE page IPv6 ACLs are defined in the IPv6 Based ACL page Defining an IPv4 based ACL To define an IPv4 based ACL STEP 1 Click Access Co...

Page 484: ...e ACE criteria Deny Drop packets that meet the ACE criteria Shutdown Drop packet that meets the ACE criteria and disable the port to which the packet was addressed Ports are reactivated from the Port Management page Time Range Select to enable limiting the use of the ACL to a specific time range Time Range Name If Time Range is selected select the time range to be used Time ranges are defined in t...

Page 485: ...rol Message Protocol EIGRP Enhanced Interior Gateway Routing Protocol OSPF Open Shortest Path First IPIP IP in IP PIM Protocol Independent Multicast L2TP Layer 2 Tunneling Protocol ISIS IGP specific protocol Protocol ID to Match Instead of selecting the name enter the protocol ID Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of...

Page 486: ... the following Any Match to all source ports Single Enter a single TCP UDP source port to which packets are matched This field is active only if 800 6 TCP or 800 17 UDP is selected in the Select from List drop down menu Range Select a range of TCP UDP source ports to which the packet is matched There are eight different port ranges that can be configured shared between source and destination ports...

Page 487: ...e to be used for filtering purposes ICMP Code The ICMP messages can have a code field that indicates how to handle the message Select one of the following options to configure whether to filter on this code Any Accept all codes User defined Enter an ICMP code for filtering purposes IGMP If the ACL is based on IGMP select the IGMP message type to be used for filtering purposes Either select the mes...

Page 488: ...ing Rules ACEs for an IPv6 Based ACL STEP 1 Click Access Control IPv6 Based ACE This window contains the ACE rules for a specified ACL group of rules STEP 2 Select an ACL and click Go All currently defined IP ACEs for the selected ACL are displayed STEP 3 Click Add STEP 4 Enter the parameters ACL Name Displays the name of the ACL to which an ACE is being added Priority Enter the priority ACEs with...

Page 489: ...ol Message Protocol ICMP Protocol ID to Match Enter the ID of the protocol to be matched Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source IP Address Value Enter the IP address to which the source IP address is to be matched and its mask if relevant Source IP Prefix Length Enter the prefix length of the s...

Page 490: ...urity Set Match if the flag is SET Unset Match if the flag is Not SET Dont care Ignore the TCP flag Type of Service The service type of the IP packet ICMP If the ACL is based on ICMP select the ICMP message type that is used for filtering purposes Either select the message type by name or enter the message type number If all message types are accepted select Any Any All message types are accepted ...

Page 491: ...n ACL but both cannot be bound To bind an ACL to an interface STEP 1 Click Access Control ACL Binding STEP 2 Select an interface type Ports LAGs Port or LAG STEP 3 Click Go For each type of interface selected all interfaces of that type are displayed with a list of their current ACLs Interface Identifier of interface MAC ACL ACLs of type MAC that are bound to the interface if any IPv4 ACL ACLs of ...

Page 492: ...packet does not match an ACL it is denied dropped Enable If packet does not match an ACL it is permitted forwarded NOTE Permit Any can be defined only if IP Source Guard is not activated on the interface STEP 7 Click Apply The ACL binding is modified and the Running Configuration file is updated NOTE If no ACL is selected the ACL s that is previously bound to the interface is unbound ...

Page 493: ...Access Control Defining ACL Binding 475 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 24 ...

Page 494: ... feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components Configuring QoS General QoS Basic Mode QoS Advanced Mode Managing QoS Statistics ...

Page 495: ...e Queues Assigns incoming packets to forwarding queues Packets are sent to a particular queue for handling as a function of the traffic class to which they belong See Configuring QoS Queues Other Traffic Class Handling Attribute Applies QoS mechanisms to various classes including bandwidth management QoS Modes The QoS mode that is selected applies to all interfaces in the system Basic Mode Class o...

Page 496: ...ed to a single best effort queue so that no type of traffic is prioritized over another Only a single mode can be active at a time When the system is configured to work in QoS Advanced mode settings for QoS Basic mode are not active and vice versa When the mode is changed the following occurs When changing from QoS Advanced mode to any other mode policy profile definitions and class maps are delet...

Page 497: ...g the CoS 802 1p to Queue page STEP 6 If required for Layer 3 traffic only assign a queue to each DSCP TC value by using the DSCP to Queue page STEP 7 Enter bandwidth and rate limits in the following pages a Set egress shaping per queue by using the Egress Shaping Per Queue page b Set ingress rate limit and egress shaping rate per port by using the Bandwidth page c Set VLAN ingress rate limit by u...

Page 498: ...layed for all ports LAGs Interface Type of interface Default CoS Default VPT value for incoming packets that do not have a VLAN Tag The default CoS is 0 The default is only relevant for untagged frames and only if the system is in Basic mode and Trust CoS is selected in the Global Settings page Select Restore Defaults to restore the factory CoS default setting for this interface STEP 4 Click Apply...

Page 499: ... assuming all queues are saturated and there is congestion queue 2 receives 2 15 queue 3 receives 4 15 and queue 4 receives 8 15 of the bandwidth The type of WRR algorithm used in the device is not the standard Deficit WRR DWRR but rather Shaped Deficit WRR SDWRR The queuing modes can be selected in the Queue page When the queuing mode is by strict priority the priority sets the order in which que...

Page 500: ...splays the amount of bandwidth assigned to the queue These values represent the percent of the WRR weight STEP 3 Click Apply The queues are configured and the Running Configuration file is updated Mapping CoS 802 1p to a Queue The CoS 802 1p to Queue page maps 802 1p priorities to egress queues The CoS 802 1p to Queue Table determines the egress queues of the incoming packets based on the 802 1p p...

Page 501: ...ble only if one of the following exists 5 4 Voice Cisco IP phone default 6 4 Interwork Control LVS phone RTP 7 4 Network Control 802 1p Values 0 7 7 being the highest Queue 4 queues 1 4 4 being the highest priority Notes 802 1p Values 0 7 7 being the highest Queue 8 queues 1 8 8 is the highest priority Standalone 7 Queues 8 is the highest priority used for stack control traffic stack Notes 0 1 1 B...

Page 502: ... priority egress queue and Queue1 is the lowest priority STEP 3 For each 802 1p priority select the Output Queue to which it is mapped STEP 4 Click Apply 801 1p priority values to queues are mapped and the Running Configuration file is updated Mapping DSCP to Queue The DSCP IP Differentiated Services Code Point to Queue page maps DSCP values to egress queues The DSCP to Queue Table determines the ...

Page 503: ...62 54 46 38 30 22 14 6 Queue 3 3 4 3 3 2 1 1 DSCP 61 53 45 37 29 21 13 5 Queue 3 3 4 3 3 2 1 1 DSCP 60 52 44 36 28 20 12 4 Queue 3 3 4 3 3 2 1 1 DSCP 59 51 43 35 27 19 11 3 Queue 3 3 4 3 3 2 1 1 DSCP 58 50 42 34 26 18 10 2 Queue 3 3 4 3 3 2 1 1 DSCP 57 49 41 33 25 17 9 1 Queue 3 3 4 3 3 2 1 1 DSCP 56 48 40 32 24 16 8 0 Queue 3 3 4 3 3 2 1 1 Table 5 DSCP to Queue Default Mapping 8 Queues System 7 i...

Page 504: ...2 34 26 18 10 2 Queue 6 6 7 5 4 3 2 1 DSCP 57 49 41 33 25 17 9 1 Queue 6 6 7 5 4 3 2 1 DSCP 56 48 40 32 24 16 8 0 Queue 6 6 6 7 6 6 1 1 Table 6 DSCP to Queue Default Mapping 8 Queues System 8 is highest DSCP 63 55 47 39 31 23 15 7 Queue 7 7 8 6 5 4 3 1 DSCP 62 54 46 38 30 22 14 6 Queue 7 7 8 6 5 4 3 1 DSCP 61 53 45 37 29 21 13 5 Queue 7 7 8 6 5 4 3 1 DSCP 60 52 44 36 28 20 12 4 Queue 7 7 8 6 5 4 3...

Page 505: ...fine two values Ingress Rate Limit and Egress Shaping Rate which determine how much traffic the system can receive and send The ingress rate limit is the number of bits per second that can be received from the ingress interface Excess bandwidth above this limit is discarded The following values are entered for egress shaping Committed Information Rate CIR sets the average maximum amount of data al...

Page 506: ...maximum amount of bandwidth allowed on the interface NOTE The two Ingress Rate Limit fields do not appear when the interface type is LAG Ingress Committed Burst Size CBS Enter the maximum burst size of data for the ingress interface in bytes of data This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit This field is only available if the interface is a por...

Page 507: ...ping per Queue The Egress Shaping Per Queue page displays the rate limit and burst size for each queue STEP 2 Select an interface type Port or LAG and click Go STEP 3 Select a Port LAG and click Edit This page enables shaping the egress for up to eight queues on each interface STEP 4 Select the Interface STEP 5 For each queue that is required enter the following fields Enable Shaping Select to ena...

Page 508: ...igured VLAN rate limit value is applied to each of the packet processors independently Devices with up to 24 ports have a single packet processor while devices of 48 ports or more have two packet processors Rate limiting is calculated separately for each packet processor in a unit and for each unit in a stack To define the VLAN ingress rate limit STEP 1 Click Quality of Service General VLAN Ingres...

Page 509: ...e The initial packet classification and marking of these fields is done in the ingress of the trusted domain Workflow to Configure Basic QoS Mode To configure Basic QoS mode perform the following 1 Select Basic mode for the system by using the QoS Properties page 2 Select the trust behavior using the Global Setting page The device supports CoS 802 1p trusted mode and DSCP trusted mode CoS 802 1p t...

Page 510: ...mapping CoS 802 1p to Queue page DSCP All IP traffic is mapped to queues based on the DSCP field in the IP header The actual mapping of the DSCP to queue can be configured in the DSCP to Queue page If traffic is not IP traffic it is mapped to the best effort queue CoS 802 1p DSCP Either CoS 802 1p or DSCP whichever has been set STEP 3 Select Override Ingress DSCP to override the original DSCP valu...

Page 511: ...the list of ports or LAGs QoS State displays whether QoS is enabled on the interface STEP 3 Select an interface and click Edit STEP 4 Select the Port or LAG interface STEP 5 Click to enable or disable QoS State for this interface STEP 6 Click Apply The Running Configuration file is updated QoS Advanced Mode Frames that match an ACL and were permitted entrance are implicitly labeled with the name o...

Page 512: ...he desired ports A policy and its class maps can be bound to one or more ports but each port is bound with at most one policy Notes Single policer and aggregation policer are available when the device is in Layer 2 mode An ACL can be configured to one or more class maps regardless of policies A class map can belong to only one policy When a class map using single policer is bound to multiple ports...

Page 513: ...he Policy Class Map page You can also specify the QoS if needed by assigning a policer to a class map when you associate the class map to the policy Single Policer Create a policy that associates a class map with a single policer by using the Policy Table page and the Class Mapping page Within the policy define the single policer Aggregate Policer Create a QoS action for each flow that sends all m...

Page 514: ... to Not Trusted the Default CoS values configured on the interface are used for prioritizing the traffic arriving on the interface See the Quality of Service QoS Advanced Mode Global Settings page for details If you have a policy on an interface then the Default Mode is irrelevant the action is according to the policy configuration and unmatched traffic is dropped STEP 4 Select Override Ingress DS...

Page 515: ...ity of that type of traffic to the DSCP value used in the other domain to identify the same type of traffic These settings are active when the system is in the QoS basic mode and once activated they are active globally For example Assume that there are three levels of service Silver Gold and Platinum and the DSCP incoming values used to mark these levels are 10 20 and 30 respectively If this traff...

Page 516: ...ws the list of defined class maps and the ACLs comprising each and enables you to add delete class maps To define a Class Map STEP 1 Click Quality of Service QoS Advanced Mode Class Mapping This page displays the already defined class maps STEP 2 Click Add A new class map is added by selecting one or two ACLs and giving the class map a name If a class map has two ACLs you can specify that a frame ...

Page 517: ...policer is configured with a QoS specification There are two kinds of policers Single Regular Policer A single policer applies the QoS to a single class map and to a single flow based on the policer s QoS specification When a class map using single policer is bound to multiple ports each port has its own instance of single policer each applying the QoS on the class map flow at ports that are other...

Page 518: ...ssigning a policer to a class map is done when a class map is added to a policy If the policer is an aggregate policer you must create it using the Aggregate Policer page Defining Aggregate Policers An aggregate policer applies the QoS to one or more class maps therefore one or more flows An aggregation policer can support class maps from different policies and applies the QoS to all its flow s in...

Page 519: ...Running Configuration file is updated Configuring a Policy The Policy Table Map page displays the list of advanced QoS polices defined in the system The page also allows you to create and delete polices Only those policies that are bound to an interface are active see Policy Binding page Each policy consists of One or more class maps of ACLs which define the traffic flows in the policy One or more...

Page 520: ... click Add STEP 4 Enter the parameters Policy Name Displays the policy to which the class map is being added Class Map Name Select an existing class map to be associated with the policy Class maps are created in the Class Mapping page Action Type Select the action regarding the ingress CoS 802 1p and or DSCP value of all the matching packets Use default trust mode Ignore the ingress CoS 802 1p and...

Page 521: ...or the policy is a single policer Aggregate The policer for the policy is an aggregate policer Aggregate Policer Available in Layer 2 system mode only If Police Type is Aggregate select a previously defined in the Aggregate Policer page aggregate policer If Police Type is Single enter the following QoS parameters Ingress Committed Information Rate CIR Enter the CIR in Kbps See a description of thi...

Page 522: ...moved unbound from all those ports to which it is bound NOTE It is possible to either bind a port to a policy or to an ACL but both cannot be bound To define policy binding STEP 1 Click Quality of Service QoS Advanced Mode Policy Binding STEP 2 Select a Policy Name and Interface Type if required STEP 3 Click Go The policy is selected STEP 4 Select the following for the policy interface Binding Sel...

Page 523: ...layed when the device is in Layer 3 mode To view policer statistics STEP 1 Click Quality of Service QoS Statistics Single Policer Statistics This page displays the following fields Interface Statistics are displayed for this interface Policy Statistics are displayed for this policy Class Map Statistics are displayed for this class map In Profile Bytes Number of in profile bytes received Out of Pro...

Page 524: ...tistics are displayed STEP 4 Click Apply An additional request for statistics is created and the Running Configuration file is updated Viewing Queues Statistics The Queues Statistics page displays queue statistics including statistics of forwarded and dropped packets based on interface queue and drop precedence NOTE QoS Statistics are shown only when the device is in QoS Advanced Mode only This ch...

Page 525: ... Total Packets Number of packets forwarded or tail dropped Tail Drop Packets Percentage of packets that were tail dropped STEP 2 Click Add STEP 3 Enter the parameters Counter Set Select the counter set Set 1 Displays the statistics for Set 1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a ...

Page 526: ...ith a low DP Interface Select the ports for which statistics are displayed The options are Unit No Selects the unit number Port Selects the port on the selected unit number for which statistics are displayed All Ports Specifies that statistics are displayed for all ports Queue Select the queue for which statistics are displayed Drop Precedence Enter drop precedence that indicates the probability o...

Page 527: ...Quality of Service Managing QoS Statistics 509 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 25 ...

Page 528: ...g topics SNMP Versions and Workflow Model OIDs SNMP Engine ID Configuring SNMP Views Creating SNMP Groups Managing SNMP Users Defining SNMP Communities Defining Trap Settings Notification Recipients SNMP Notification Filters SNMP Versions and Workflow The device functions as SNMP agent and supports SNMPv1 v2 and v3 It also reports system events to trap receivers using the traps defined in the supp...

Page 529: ...lso defines a User Security Model USM that includes Authentication Provides data integrity and data origin authentication Privacy Protects against disclosure message content Cipher Block Chaining CBC DES is used for encryption Either authentication alone can be enabled on an SNMP message or both authentication and privacy can be enabled on an SNMP message However privacy cannot be enabled without ...

Page 530: ...If you choose to restrict SNMP management to one address then input the address of your SNMP Management PC in the IP Address field STEP 3 Input the unique community string in the Community String field STEP 4 Optionally enable traps by using the Trap Settings page STEP 5 Optionally define a notification filter s by using the Notification Filter page STEP 6 Configure the notification recipients on ...

Page 531: ... 24 Port 10 100 PoE Stackable Managed Switch 9 6 1 80 24 2 SF500 48 48 Port 10 100 Stackable Managed Switch 9 6 1 80 48 1 SF500 48P 48 Port 10 100 PoE Stackable Managed Switch 9 6 1 80 48 2 SG500 28 28 Port Gigabit Stackable Managed Switch 9 6 1 81 28 1 SG500 28P 28 Port Gigabit PoE Stackable Managed Switch 9 6 1 81 28 2 SG500 52 52 Port Gigabit Stackable Managed Switch 9 6 1 81 52 1 SG500 52P 52 ...

Page 532: ...dress This engine ID must be unique for the administrative domain so that no two devices in a network have the same engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize CAUTION When the engine ID is changed all configured users and groups are erased To define the SNMP engine ID STEP 1 Click SNMP Engi...

Page 533: ... 4 Click Add Enter the following fields Server Definition Select whether to specify the Engine ID server by IP address or name IP Version Select the supported IP format IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used...

Page 534: ... parameters View Name Enter a view name between 0 30 characters Object ID Subtree Select the node in the MIB tree that is included or excluded in the selected SNMP view The options to select the object are as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected node s parent and siblings press the Down arrow to descend to the level of ...

Page 535: ...fore SNMPv1 and SNMPv2 are not secure In SNMPv3 the following security mechanisms can be configured Authentication The device checks that the SNMP user is an authorized system administrator This is done for each frame Privacy SNMP frames can carry encrypted data Thus in SNMPv3 there are three levels of security No security No authentication and no privacy Authentication Authentication and no priva...

Page 536: ... choose one of the following No Authentication and No Privacy Neither the Authentication nor the Privacy security levels are assigned to the group Authentication and No Privacy Authenticates SNMP messages and ensures the SNMP message origin is authenticated but does not encrypt them Authentication and Privacy Authenticates SNMP messages and encrypts them View Associating a view with the read write...

Page 537: ...an Engine ID The configured user have the attributes of its group having the access privileges configured within the associated view Groups enable network managers to assign access rights to a group of users instead of to a single user A user can only belong to a single group To create an SNMPv3 user the following must first exist An engine ID must first be configured on the device This is done in...

Page 538: ...hod Select the Authentication method that varies according to the Group Name assigned If the group does not require authentication then the user cannot configure any authentication The options are None No user authentication is used MD5 Password A password that is used for generating a key by the MD5 authentication method SHA Password A password that is used for generating a key by the SHA Secure ...

Page 539: ...de Basic mode The access rights of a community can configure with Read Only Read Write or SNMP Admin In addition you can restrict the access to the community to only certain MIB objects by selecting a view defined in the SNMP Views page Advanced Mode The access rights of a community are defined by a group defined in the Groups page You can configure the group with a specific security model The acc...

Page 540: ... the management station to the device Basic Select this mode for a selected community In this mode there is no connection to any group You can only choose the community access level Read Only Read Write or SNMP Admin and optionally further qualify it for a specific view By default it applies to the entire MIB If this is selected enter the following fields Access Mode Select the access rights of th...

Page 541: ...fications STEP 3 Select Enable for Authentication Notifications to enable SNMP authentication failure notification STEP 4 Click Apply The SNMP Trap settings are written to the Running Configuration file Notification Recipients Trap messages are generated to report system events as defined in RFC 1215 The system can generate traps defined in the MIB that it supports Trap receivers aka Notification ...

Page 542: ...ent to the management station based on the OID of the notification that is about to be sent Defining SNMPv1 2 Notification Recipients To define a recipient in SNMPv1 2 STEP 1 Click SNMP Notification Recipients SNMPv1 2 This page contains recipients for SNMPv1 2 STEP 2 Click Add STEP 3 Enter the parameters Server Definition Select whether to specify the remote log server by IP address or name IP Ve...

Page 543: ... listed in the Community page Notification Version Select the trap SNMP version Either SNMPv1 or SNMPv2 may be used as the version of traps with only a single version enabled at a time Notification Filter Select to enable filtering the type of SNMP notifications sent to the management station The filters are created in the Notification Filter page Filter Name Select the SNMP filter that defines th...

Page 544: ... sent UDP Port Enter the UDP port used to for notifications on the recipient device Notification Type Select whether to send traps or informs If both are required two recipients must be created Timeout Enter the amount of time seconds the device waits before re sending informs traps Timeout Range 1 300 default 15 Retries Enter the number of times that the device resends an inform request Retries R...

Page 545: ...ification Filters The Notification Filter page enables configuring SNMP notification filters and Object IDs OIDs that are checked After creating a notification filter it is possible to attach it to a notification recipient in the Notification Recipients SNMPv1 2 page and Notification Recipients SNMPv3 page The notification filter enables filtering the type of SNMP notifications that are sent to th...

Page 546: ...e level of the selected node s children Click nodes in the view to pass from one node to its sibling Use the scrollbar to bring siblings in view If Object ID is used the entered object identifier is included in the view if the Include in filter option is selected STEP 4 Select or deselect Include in filter If this is selected the selected MIBs are included in the filter otherwise they are excluded...

Page 547: ...SNMP SNMP Notification Filters 529 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1 3 26 ...

Page 548: ... of Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments