Cisco SF220-24 Administration Manual Download Page 236 | Manualshive

Page: 236 / 289

background image

Access Control

Access Control Lists

Cisco 220 Series Smart Switches Administration Guide Release 1.1.0.x

234

17

Access Control Lists

An Access Control List (ACL) is an ordered list of classification filters and actions.
Each single classification rule, together with its action, is called an Access Control
Element (ACE).

Each ACE is made up of filters that distinguish traffic groups and associated
actions. A single ACL may contain one or more ACEs, which are matched against
the contents of incoming frames. Either a DENY or PERMIT action is applied to
frames whose contents match the filter.

The switch supports a maximum of 512 ACLs, and a maximum of 128 ACEs per
ACL.

When a packet matches an ACE filter, the ACE action is taken and that ACL
processing is stopped. If the packet does not match the ACE filter, the next ACE is
processed. If all ACEs of an ACL have been processed without finding a match,
and if another ACL exists, it is processed in a similar manner.

NOTE

If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a
default action). Because of this default drop action you must explicitly add ACEs
into the ACL to permit all traffic, including management traffic, such as Telnet, HTTP,
or SNMP that is directed to the switch itself. For example, if you do not want to
discard all the packets that do not match the conditions in an ACL, you must
explicitly add a lowest priority ACE into the ACL that permits all the traffic.

If IGMP/MLD Snooping is enabled at a port bound with an ACL, add ACE filters in
the ACL to forward IGMP/MLD packets to the switch. Otherwise, IGMP/MLD
Snooping will fail at the port.

The order of the ACEs within the ACL is significant because they are applied in a
first-fit manner. The ACEs are processed sequentially, starting with the first ACE.

ACLs can be used for security, for example by permitting or denying certain traffic
flows, and also for traffic classification and prioritization in QoS advanced mode.

NOTE

A port can be either secured with ACLs or configured with advanced QoS policy,
but not both.

There can only be one ACL per port, with the exception that it is possible to
associate both an IPv4-based ACL and an IPv6-based ACL with a single port.

To associate more than one ACL with a port, a policy with one or more class maps
must be used (see

Configuring QoS Policies

in the

Configuring QoS Advanced

section).

«
...
234
235
236
237
238
...
»

Summary of Contents for SF220-24

Page 1: ...Cisco 220 Series Smart Switches Administration Guide Release 1 1 0 x July 21 2017 ADMINISTRATION GUIDE ...

Page 2: ...co and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Page 3: ... Chapter 2 Status and Statistics 21 Viewing Ethernet Interface 21 Viewing Etherlike Statistics 23 Viewing TCAM Utilization 24 Viewing Fan Status and Temperature 25 Managing RMON 27 Viewing RMON Statistics 28 Configuring and Viewing RMON Histories 30 Configuring and Viewing RMON Events 32 Configuring RMON Alarms 34 Chapter 3 Administration System Logs 37 Configuring System Log Settings 37 Configuri...

Page 4: ...mation 58 Device Models 59 Viewing System Summary 61 Configuring System Settings 63 Configuring Console Settings 64 Rebooting the Switch 64 Defining Idle Session Timeout 65 Ping a Host 66 Using Traceroute 66 Chapter 6 Administration Time Settings 68 System Time Options 69 Configuring System Time 69 Configuring SNTP Server 71 Time Range 72 Absolute Time Range 73 Periodic Time Range 73 Chapter 7 Adm...

Page 5: ...ation 91 Viewing LLDP Neighbors Information 94 Viewing LLDP Statistics 95 Viewing LLDP Overloading 95 Configuring CDP 98 Configuring CDP Properties 98 Configuring CDP Port Settings 100 Viewing CDP Local Information 101 Displaying CDP Neighbor Information 103 Viewing CDP Statistics 104 Chapter 9 Port Management 106 Port Management Workflow 106 Configuring Basic Port Settings 107 Configuring Error R...

Page 6: ...apter 10 Power over Ethernet 123 PoE Considerations 123 PoE on the Switch 124 Configuring PoE Properties 126 Configuring PoE Port Settings 128 Chapter 11 Managing VLANs 131 VLANs 131 Configuring Default VLAN 133 Creating VLANs 134 Configuring Interface s VLAN Settings 135 Configuring Port to VLAN 137 Viewing VLAN Membership 138 Configuring GVRP 140 Configuring Voice VLAN 141 Configuring Voice VLAN...

Page 7: ...ic MAC Addresses 160 Configuring Static MAC Address Filter 161 Configuring Dynamic MAC Address Aging Time 161 Querying Dynamic MAC Addresses 162 Configuring Reserved MAC Addresses 163 Chapter 14 Multicast Forwarding 164 Multicast Forwarding 164 Configuring Multicast Properties 167 Configuring IP Multicast Group Addresses 168 Configuring IGMP Snooping 169 Configuring MLD Snooping 171 Querying IGMP ...

Page 8: ... RADIUS Servers 191 Configuring Management Access Methods 193 Access Profile Rules Filters and Elements 193 Active Access Profile 194 Configuring Access Profiles 194 Configuring Profile Rules 196 Configuring Password Complexity Rules 198 Configuring Management Access Authentication 200 Configuring TCP UDP Services 201 Configuring Storm Control 203 Configuring Port Security 205 Configuring 802 1X 2...

Page 9: ...ng Option 82 Port CID Settings 223 Configuring IP Source Guard 224 Configuring IP Source Guard Interface Settings 224 Querying IP Source Binding Database 225 Configuring Dynamic ARP Inspection 226 ARP Cache Poisoning 227 How ARP Prevents Cache Poisoning 227 Interaction Between ARP Inspection and DHCP Snooping 228 Workflow to Configure ARP Inspection 228 Configuring ARP Inspection Properties 229 Co...

Page 10: ...S 802 1p 256 Mapping Queue to IP Precedence 256 Mapping Queue to DSCP 257 Configuring Interface Remark 257 Configuring Bandwidth 258 Configuring Egress Shaping per Queue 258 Configuring VLAN Rate Limit 259 Configuring VLAN Port Rate Limit 260 Configuring TCP Congestion Avoidance 261 Configuring QoS Basic Mode 261 Configuring Basic QoS Trust Mode 262 Configuring Basic QoS Interface Settings 263 Con...

Page 11: ... 275 Model Object IDs 276 Configuring SNMP Engine ID 276 Configuring SNMP Views 278 Configuring SNMP Groups 279 Managing SNMP Users 280 Configuring SNMP Communities 282 Configuring SNMP Notification Recipients 283 Configuring SNMPv1 2 Notification Recipients 284 Configuring SNMPv3 Notification Recipients 285 Appendix A Where to Go From Here 287 ...

Page 12: ...the Web based Interface The Cisco 220 switch can be accessed and managed by two methods over your IP network by using the web based interface or by using the command line interface through the console interface Using the console interface requires advanced user skills See the Cisco 220 Series Smart Switches Command Line Interface Reference Guide for more information about using the console interfa...

Page 13: ...cess to the switch will be lost You must enter the new IP address that the switch is using into your browser to use the web based interface If you are managing the switch through a console port connection the link is retained To configure the switch using the web based interface STEP 1 Power on the computer and your switch STEP 2 Connect the computer to the switch You can connect to the same IP su...

Page 14: ...tails on how to change the IP address on your computer depend upon the type of architecture and operating system that you are using Use your computers local Help and Support functionality and search for IP Addressing STEP 5 Open a web browser window If you are prompted to install an Active X plug in when connecting to the switch follow the prompts to accept the plug in STEP 6 Enter the IP address ...

Page 15: ... Complexity Rules section for more details about password complexity To change the password STEP 1 Enter the following fields to set a new administrative password Old Password Enter the current password default is cisco Password Enter a new password Confirm Password Enter the new password again for confirmation Password Strength Meter Displays the strength of the new password Disable Password Stre...

Page 16: ...the left of the Save application link indicates that Running Configuration changes that have been made have not yet been saved to the Startup Configuration file The flashing red X can be displayed by clicking the Disable Save Icon Blinking button on the Copy Save Configuration page When the switch auto discovers a device such as an IP phone it configures the port appropriately for the device These...

Page 17: ... through quick navigation the Getting Started page provides links to the most commonly used pages Category Link Name on the Page Linked Page Initial Setup Change Management Applications and Services Security TCP UDP Services page Change Device IP Address Administration Management Interface IPv4 Interface page Create VLAN VLAN Management Create VLAN page Configure Port Settings Port Management Port...

Page 18: ... various types of devices Fast Ethernet 10 100 bits These are displayed as FE Gigabit Ethernet 10 100 1000 bits These are displayed as GE LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Quick Access Change Device Password Administration User Accounts page Upgrade Device Software Administration File Management Upgrade Backup Firmware Language page Backup Device Configur...

Page 19: ...ser logged on to the switch The default username is cisco The default password is cisco Language Menu This menu provides the following options Select a language Select one of the languages that appear in the menu This language will be the web based interface language Download Language Add a new language to the switch To upgrade a language file use the Upgrade Backup Firmware Language page Delete L...

Page 20: ... saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the switch After this save the red X icon and the Save application link are no longer displayed When the switch is rebooted it copies ...

Page 21: ...counters for the selected interface Clear Logs Clears log files Clear Table Clears table entries Close Returns to the main page If any changes were not applied to the Running Configuration a message appears Copper Test Click Copper Test to perform the related test Copy Settings A table typically contains one or more entries containing configuration settings Instead of modifying each entry individu...

Page 22: ...unning Configuration 2 Click Close to return to the main page Go Enter the query filtering criteria and click Go The results are displayed on the page Refresh Click to manually refresh the data on the page View All Interfaces Statistics Click to see the statistics counters for all interfaces on a single page View Interface Statistics Click to see the statistics counters for the selected interface ...

Page 23: ...ion can be selected This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast To view Ethernet statistics and or set the refresh rate STEP 1 Click Status and Statistics Interface STEP 2 Enter the following information Interface Select the port or LAG for which the Ethernet statistics are displayed Refresh Rate Select t...

Page 24: ...s Good Multicast packets transmitted Broadcast Packets Good Broadcast packets transmitted STEP 3 Click Clear Interface Counters to clear the statistics counters for the selected interface STEP 4 Click Refresh to manually refresh the statistics counters for the selected interface STEP 5 Click View All Interfaces Statistics to see the statistics counters for all interfaces on a single page The Inter...

Page 25: ...d The following fields are displayed for the selected interface Frame Check Sequence FCS Errors Number of received frames that failed the Cyclic Redundancy Checks CRC Single Collision Frames Number of frames involved in a single collision but were successfully transmitted Late Collisions Number of collisions that have been detected after the first 512 bits of data Excessive Collisions Number of tr...

Page 26: ...Counters to clear the statistics counters for all interfaces Select an interface and click View Interface Statistics to see the statistics counters for the selected interface on a single page Click Refresh to manually refresh the statistics counters for all interfaces Viewing TCAM Utilization The switch architecture uses a Ternary Content Addressable Memory TCAM to support packet actions in wire s...

Page 27: ... Thermal Status The following fields are displayed FAN x Status Displays the operation status of the switch fans Operational Status Displays OK if the fan operates normally or displays Fault if the fan does not operate normally Speed Value Displays the fan speed in revolutions per minute RPM Thermal x Status Displays the status of the switch thermals Operational Status Displays OK when the thermal...

Page 28: ...d threshold Yellow Threshold Displays the yellow threshold value of the temperature thermal Red Threshold Displays the red threshold value of the temperature thermal The following table lists the yellow and red threshold values for two thermals applicable on different PoE switch models Model Yellow Threshold of Thermal 1 Red Threshold of Thermal 1 Yellow Threshold of Thermal 2 Red Threshold of The...

Page 29: ...not have to frequently poll the switch for information and enables the manager to get timely status reports because the switch reports events as they occur With this feature you can perform the following actions View the current statistics since the counter values were cleared You can also collect the values of these counters over a period of time and then view the table of collected data where ea...

Page 30: ...ics STEP 2 Enter the following information Interface Select the port or LAG for which RMON statistics are displayed Refresh Rate Select the time period that passes before RMON statistics are refreshed The following fields are displayed for the selected interface RMON Received Bytes Octets Number of octets received including bad packets and FCS octets but excluding framing bits RMON Drop Events Num...

Page 31: ...ns received If Jumbo Frames are enabled the threshold of Jabber Frames is raised to the maximum size of Jumbo Frames Frames of 64 Bytes Number of frames containing 64 bytes that were received Frames of 65 to 127 Bytes Number of frames containing 65 to 127 bytes that were received Frames of 128 to 255 Bytes Number of frames containing 128 to 255 bytes that were received Frames of 256 to 511 Bytes N...

Page 32: ...ics per interface Use the History Control Table page to define the sampling frequency amount of samples to store and the interface from where to gather the data After the data is sampled and stored it appears on the History Table page that can be viewed by clicking History Table Configuring RMON History Control Samples To define RMON control sample STEP 1 Click Status and Statistics RMON History R...

Page 33: ...d Statistics RMON History STEP 2 Click History Table STEP 3 Select the entry number to display the samples associated with that history entry and click Go The following fields are displayed for the selected history sample History Entry No Number of the history entry Owner History entry owner Sample No Statistics were taken from this sample Drop Events Number of dropped packets due to lack of netwo...

Page 34: ...nger than 1632 octets This number excludes frame bits but includes FCS octets that had either a bad FCS with an integral number of octets FCS Error or a bad FCS with a non integral octet Alignment Error number Collisions Number of collisions received Utilization Percentage of current interface traffic compared to the maximum traffic that the interface can handle STEP 4 Click History Control Table ...

Page 35: ...ntry Community Enter the SNMP community string to be included when traps are sent Description Enter a name for the event This name is used to attach an alarm to an event Notification Type Select the type of action that results from this event The available options are None No action occurs when the alarm goes off Log Event Log Table Add a log entry to the Event Log Table when the alarm goes off Tr...

Page 36: ...ry was entered Description Description of event that triggered the alarm STEP 3 Click Event Table to return to the Events page Configuring RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on any counter or any other SNMP object counter maintained by the agent Both the rising and falling thresholds must be configured in the alarm...

Page 37: ... an alarm is generated Rising Threshold Enter the rising counter value that triggers the rising threshold alarm Rising Event Select an event from those that you defined on the Events page to be performed when a rising event is triggered Falling Threshold Enter the falling counter value that triggers the falling threshold alarm Falling Event Select an event from those that you defined on the Events...

Page 38: ...co 220 Series Smart Switches Administration Guide Release 1 1 0 x 36 2 Owner Enter the name of the user or network management system that receives the alarm STEP 4 Click Apply The RMON alarm is added and the Running Configuration is updated ...

Page 39: ... a cyclical log file saved to flash memory and persists across reboots In addition you can send messages to remote SYSLOG servers in the form of SYSLOG messages This chapter covers the following topics Configuring System Log Settings Configuring Remote Logging Settings Viewing Memory Logs Configuring System Log Settings You can enable or disable logging on the switch and select the events to be lo...

Page 40: ...red in the log For example if Warning is selected all severity levels that are Warning and higher are stored in the log Emergency Alert Critical Error and Warning No events with severity level below Warning Notice Informational and Debug are stored To configure global log parameters STEP 1 Click Administration System Log Log Settings STEP 2 Enter the following information Logging Check Enable to e...

Page 41: ... IP address or name IP Version Select either Version 4 or Version 6 if the remote log server is identified by IP address Log Server IP Address Name Enter the IP address or hostname of the remote log server UDP Port Enter the UDP port to which the log messages are sent Facility Select a facility from which system logs are sent to the remote server Only one facility can be assigned to a server Minim...

Page 42: ...tored in the RAM log according to the configuration on the Log Settings page To view RAM logs STEP 1 Click Status and Statistics View Log RAM Memory The following fields are displayed Log Index Log entry number Log Time Time when message was generated Severity Event severity Description Message text describing the event STEP 2 Click Clear Logs to clear the log messages STEP 3 By default the SYSLOG...

Page 43: ...The minimum severity for logging is configured on the Log Settings page Flash logs remain when the switch is rebooted You can clear the logs manually To view flash logs STEP 1 Click Status and Statistics View Log Flash Memory The following fields are displayed Log Index Log entry number Log Time Time when message was generated Severity Event severity Description Message text describing the event S...

Page 44: ...ns Upgrade Backup Firmware Language Active Image Download Backup Configuration or Logs Configuration File Properties Copy Save Configuration Files DHCP Auto Configuration Files and File Types System files are files that contain configuration information or firmware images Various actions can be performed with these files Selecting the firmware file from which the switch boots Copying various types...

Page 45: ...witch If the switch is rebooted the Running Configuration is lost When the switch is rebooted this file type is copied from the Startup Configuration stored in flash to the Running Configuration stored in RAM To preserve any changes that you made to the switch you must save the Running Configuration to the Startup Configuration or another file type if you do not want the switch to reboot with this...

Page 46: ...ration providing a copy of the parameter values that is preserved if the switch is rebooted Firmware The program that controls the operations and functionality of the switch More commonly referred to as the image Language File The dictionary that enables the web based interface to be displayed in the selected language Flash Logs SYSLOG messages stored in flash memory File Actions The following act...

Page 47: ...hat you save the Running Configuration to the Startup Configuration before logging off to preserve any changes you made during this session A red X icon displayed to the left of the Save application link indicates that configuration changes have been made and have not yet been saved to the Startup Configuration file When you click Save the Copy Save Configuration page is displayed Save the Running...

Page 48: ...n the switch to a destination location such as a TFTP server To upgrade or backup the firmware image STEP 1 Click Administration File Management Upgrade Backup Firmware Language STEP 2 To replace the firmware image on the switch with a new version located on a TFTP server enter the following information Transfer Method Select via TFTP as the transfer method Save Action Select Upgrade as the action...

Page 49: ...tion Select whether to specify the TFTP server by IP address or domain name IP Version Select either Version 4 or Version 6 if the TFTP server is identified by IP address TFTP Server IP Address Name Enter the IP address or domain name of the TFTP server Destination File Name Enter the name of the firmware image that will be saved to the TFTP server STEP 7 Click Apply Upgrading the Language File If...

Page 50: ...s identified by IP address TFTP Server IP Address Name Enter the IP address or domain name of the TFTP server Source File Name Enter the name of the source language file located on the TFTP server STEP 3 Click Apply STEP 4 To upload a language file from another device such as your local PC to the switch do the following Transfer Method Select via HTTP HTTPS as the transfer method Save Action Selec...

Page 51: ...on Number Displays the firmware version of the active image Active Image Version Number After Reboot Displays the firmware version of the active image after reboot STEP 2 Select the image from the Active Image After Reboot drop down menu to identify the firmware image that is used as the active image after the switch is rebooted STEP 3 Click Apply STEP 4 Reboot the switch The switch will boot with...

Page 52: ...Action Select Download as the action TFTP Server Definition Select whether to specify the TFTP server by IP address or domain name IP Version Select either Version 4 or Version 6 if the TFTP server is identified by IP address TFTP Server IP Address Name Enter the IP address or domain name of the TFTP server Source File Name Enter the source file name Destination File Type Select the configuration ...

Page 53: ... address or domain name IP Version Select either Version 4 or Version 6 if the TFTP server is identified by IP address TFTP Server IP Address Name Enter the IP address or domain name of the TFTP server Source File Type Select the configuration file type to be stored on the TFTP server The switch supports storing the Running Configuration Startup Configuration Backup Configuration Mirror Configurat...

Page 54: ...iles Properties The following fields are displayed Configuration File Name The type of file Creation Time The date and time that file was modified STEP 2 If required select either the Startup Configuration Backup Configuration or both and click Clear Files to delete these files Copy Save Configuration Files When you click Apply on any window changes that you made to the switch configuration settin...

Page 55: ...ration From the Backup Configuration to the Running Configuration Startup Configuration or Backup Configuration From the Mirror Configuration to the Running Configuration Startup Configuration or Backup Configuration To copy one type of configuration file to another type of configuration file STEP 1 Click Administration File Management Copy Save Configuration STEP 2 Enter the following information...

Page 56: ...ich auto configuration from a DHCPv6 server is supported DHCPv4 Auto Configuration is triggered in the following cases After rebooting the switch when an IP address is allocated or renewed dynamically using DHCPv4 Upon an explicit DHCPv4 renewal request and if the switch and the server are configured to do so Upon automatic renewal of the DHCPv4 lease DHCPv6 Auto Configuration is triggered when th...

Page 57: ...CPv4 options 66 150 and 67 DHCPv6 options 59 and 60 If a server and configuration file options are not supplied by the DHCP server the user defined backup configuration file name is used for DHCPv4 or DHCPv6 If the DHCP server does not send these options and the backup TFTP server address parameter is empty then the switch sends TFTP request messages to limited Broadcast IPv4 address and continues...

Page 58: ...figuration STEP 1 Click Administration File Management DHCP Auto Configuration STEP 2 Enter the following information Auto Configuration via DHCP Check Enable to enable the DHCP Auto Configuration feature on the switch or uncheck to disable this feature Backup Server Definition Select whether to specify the TFTP server by IP address or domain name IP Version Select either Version 4 or Version 6 if...

Page 59: ... Management DHCP Auto Configuration Cisco 220 Series Smart Switches Administration Guide Release 1 1 0 x 57 4 STEP 3 Click Apply The DHCP Auto Configuration parameters are defined and the Running Configuration is updated ...

Page 60: ...on This chapter describes how to view system information and configure various options on the switch It includes the following topics Device Models Viewing System Summary Configuring System Settings Configuring Console Settings Rebooting the Switch Defining Idle Session Timeout Ping a Host Using Traceroute ...

Page 61: ...4 K9 EU SF220 24 K9 UK SF220 24 K9 AU SF220 24 K9 CN SF220 24P 24 FE copper ports and 2 special purpose combo ports GE SFP 1 to 24 SF220 24P K9 NA SF220 24P K9 EU SF220 24P K9 UK SF220 24P K9 AU SF220 24P K9 CN SF220 48 48 FE copper ports and 2 special purpose combo ports GE SFP N A SF220 48 K9 NA SF220 48 K9 EU SF220 48 K9 UK SF220 48 K9 AU SF220 48 K9 CN SF220 48P 48 FE copper ports and 2 specia...

Page 62: ...220 26P K9 NA SF220 26P K9 EU SF220 26P K9 UK SF220 26P K9 AU SF220 26P K9 BR SF220 26P K9 AR SG220 50 48 GE copper ports and 2 special purpose combo ports GE SFP N A SG220 50 K9 NA SG220 50 K9 EU SG220 50 K9 UK SG220 50 K9 AU SG220 50 K9 BR SG220 50 K9 AR SG220 50P 48 GE copper ports and 2 special purpose combo ports GE SFP 1 to 48 SF220 50P K9 NA SF220 50P K9 EU SF220 50P K9 UK SF220 50P K9 AU S...

Page 63: ...ncatenated with the three least significant bytes of the switch MAC address the six furthest right hexadecimal digits NOTE You can click Edit to go to the Administration System Settings page to edit the location contact and or hostname System Object ID Unique vendor identification of the network management subsystem contained in the SNMP entity System Uptime Time that has elapsed since the last re...

Page 64: ... or disabled HTTPS Service Shows whether the HTTPS service is enabled or disabled SNMP Service Shows whether the SNMP service is enabled or disabled Telnet Service Shows whether the Telnet service is enabled or disabled SSH Service Shows whether the SSH service is enabled or disabled NOTE You can click Edit to go to the Security TCP UDP Services page to enable or disable these services on the swit...

Page 65: ...e hostname of the switch Use only letters digits and hyphens Hostnames cannot begin or end with a hyphen No other symbols punctuation characters or blank spaces are permitted as specified in RFC1033 1034 1035 STEP 3 In the Custom Login Screen Settings area specify the system banners that are displayed when users try to access the switch The available banners are Login Banner Enter the text message...

Page 66: ...3 Click Apply The console port Baud rate is defined and the Running Configuration is updated Rebooting the Switch Some configuration changes require the switch to be rebooted before they take effect However rebooting the switch will delete the Running Configuration so it is critical that the Running Configuration is saved to the Startup Configuration before the switch is rebooted Clicking Apply do...

Page 67: ...at are not saved to another file are cleared when this action is selected The Mirror Configuration is not deleted when restoring to factory defaults Defining Idle Session Timeout Use the Idle Session Timeout page to configure the time intervals that the management sessions can remain idle before they timeout and the user must log in again to reestablish one of the following sessions HTTP session H...

Page 68: ...ether to specify the host by its IP address or name IP Version Select either Version 4 or Version 6 if the host is identified by IP address Host IP Address Name Enter the IP address or hostname of the host to be pinged Number of Pings Select User Defined to enter the number of times that the ping operation will be performed or select Use Default to use the default value STEP 3 Click Active Ping to...

Page 69: ...or name Host IP Address Name Enter the IP address or hostname of the host TTL Select User Defined to enter the maximum number of hops that Traceroute permits This is used to prevent a case where the sent frame gets into an endless loop The Traceroute command terminates when the destination is reached or when this value is reached To use the default value 30 select Use Default STEP 3 Click Apply ...

Page 70: ...reduces confusion in shared file systems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate The switch supports Simple Network Time Protocol SNTP and when enabled the switch dynamically synchronizes its time with the SNTP...

Page 71: ...P ensures accurate network time synchronization of the switch up to the millisecond by using an SNTP server for the clock source NOTE Without synchronized time accurately correlating log files between devices is difficult even impossible We recommend that you use SNTP for the clock source Configuring System Time Use the System Time page to configure the current time time zone and the time source C...

Page 72: ...fset for New York is UTC 5 Time Zone Acronym Enter a user defined name that represents the time zone that you have configured This acronym appears in the Actual Time field STEP 5 In the Daylight Saving Settings area select how DST is defined Daylight Saving Check Enable to enable Daylight Saving Time Time Set Offset Enter the number of minutes offset from UTC Daylight Saving Type Click one of the ...

Page 73: ...ed Configuring SNTP Server The switch can be configured to synchronize its system clock with an SNTP server specified on the SNTP Settings page To specify an SNTP server by name you must first configure DNS servers on the switch and enable Main Clock Source SNTP Servers on the System Time page To add an SNTP server STEP 1 Click Administration Time Settings SNTP Settings STEP 2 Enter the following ...

Page 74: ...e range and begins and ends on a periodic basis It is defined in the Periodic Range pages If a time range includes both absolute and periodic ranges the process associated with it is activated only if both absolute start time and the periodic time range have been reached The process is deactivated when either of the time ranges are reached The device supports a maximum of 20 absolute time ranges T...

Page 75: ...gins Absolute Ending Time To define the start time enter the following Infinite Select for the time range to never end Date Time Enter the date and time that the Time Range ends STEP 4 To add a periodic time range click Periodic Range Periodic Time Range A periodic time element can be added to an absolute time range This limits the operation to certain time periods within the absolute range To add...

Page 76: ... Guide Release 1 1 0 x 74 6 Periodic Starting Time Enter the date and time that the Time Range begins on a periodic basis Periodic Ending Time Enter the date and time that the Time Range ends on a periodic basis STEP 5 Click Apply STEP 6 Click Time Range to access the Absolute Time Range ...

Page 77: ... Test page to perform the integrated cable tests on copper cables CAUTION When a port is tested it is set to the Down state and communications are interrupted After the test the port returns to the Up state We do not recommend that you run the test on a port that you are using to run the web based interface because communications with that device are disrupted To test copper cables attached to por...

Page 78: ...ing standard SFF 8472 The following FE SFP 100 Mbps transceivers are supported MFEBX1 100BASE BX 20U SFP transceiver for single mode fiber 1310 nm wavelength supports up to 20 km MFEFX1 100BASE FX SFP transceiver for multimode fiber 1310 nm wavelength supports up to 2 km MFELX1 100BASE LX SFP transceiver for single mode fiber 1310 nm wavelength supports up to 10 km The following GE SFP 1000 Mbps t...

Page 79: ...network traffic such as an intrusion detection system A network analyzer connected to the monitoring port processes the data packets for diagnosing debugging and performance monitoring The switch supports up to four mirroring sessions Each session can be used for local mirroring or remote mirroring purposes Mirroring does not affect the switching of network traffic on the source ports or VLANs Eac...

Page 80: ...ic from each port to the destination port Local VLAN Based Copies traffic from the local VLAN to the destination port RSPAN Source Session Utilizes a VLAN to copy traffic from a source port or a source VLAN to another device RSPAN Destination Session Utilizes a VLAN to copy traffic from a destination port to another device STEP 5 If Local Port Based is selected enter the following information Dest...

Page 81: ...t or VLAN as the source port or source VLAN If Port is selected select the source ports from where traffic is mirrored and select the type of traffic to be mirrored to the analyzer port The options are Rx Only Port mirroring on incoming packets Tx Only Port mirroring on outgoing packets Tx and Rx Port mirroring on both incoming and outgoing packets N A Traffic from this port is not mirrored If VLA...

Page 82: ...n The CPU Utilization page appears The CPU Input Rate field displays the rate of input frames to the CPU per second The window contains a graph of the CPU utilization The Y axis is percentage of usage and the X axis is the sample number STEP 2 Ensure that the CPU Utilization checkbox is enabled STEP 3 Select the Refresh Rate time period in seconds that passes before the statistics are refreshed A ...

Page 83: ...itch can be discovered by a network management system or other third party applications By default Bonjour is enabled on the Management VLAN The Bonjour console automatically detects the switch and displays it Bonjour Discovery can only be enabled globally It cannot be enabled on a per port or per VLAN basis The switch advertises all the services that have been enabled by the administrator based o...

Page 84: ...e packet In deployments where the CDP capable or LLDP capable devices are not directly connected and are separated with CDP incapable or LLDP incapable devices the CDP capable or LLDP capable devices may be able to receive the advertisement from other devices only if the CDP incapable or LLDP incapable devices flood the CDP or LLDP packets they receive If the CDP incapable or LLDP incapable device...

Page 85: ...r details NOTE CDP or LLDP does not distinguish if a port is in a LAG If there are multiple ports in a LAG CDP or LLDP transmit packets on each port without taking into account the fact that the ports are in a LAG The operation of CDP or LLDP is independent of the STP status of an interface If 802 1X port access control is enabled on an interface the switch will transmit and receive CDP or LLDP pa...

Page 86: ...age ports can be configured to receive or transmit LLDP PDUs and specify which TLVs to advertise Create LLDP MED network policies on the LLDP MED Network Policy page as described in the Configuring LLDP MED Network Policy section Associate LLDP MED network policies and the optional LLDP MED TLVs to the desired ports on the LLDP MED Port Settings page as described in the Configuring LLDP MED Port S...

Page 87: ...ect User Defined to set the amount of time that LLDP packets are held before the packets are discarded measured in multiples of the TLV Advertise Interval For example if the TLV Advertise Interval is 30 seconds and the Hold Multiplier is 4 then the LLDP packets are discarded after 120 seconds You can select Use Default to use the default value 4 Reinitializing Delay Select User Defined to enter th...

Page 88: ... port The available options are Tx Only Publishes only but does not discover Rx Only Discovers but does not publish Tx Rx Publishes and discovers Disable Disables LLDP on the port Available Optional TLVs Select the information to be published by the switch by moving the TLV to the Selected Optional TLVs list The available TLVs contain the following information Port Description Information about th...

Page 89: ...nt IP address of the switch STEP 4 Click Apply The LLDP port settings are modified and the Running Configuration is updated Configuring LLDP MED Network Policy LLDP Media Endpoint Discovery LLDP MED is an extension of LLDP that provides the following additional capabilities to support media endpoint devices Some of the features of the LLDP MED network policy are Enables the advertisement and disco...

Page 90: ...P MED Network Policy for Voice Application option to automatically generate and advertise a network policy for voice application based on the voice VLAN maintained by the switch STEP 3 Click Apply STEP 4 Click Add to add an LLDP MED network policy STEP 5 Enter the following information Network Policy Number Select the number of the policy to be created Application Select the type of application ty...

Page 91: ...n Discovery LLDP LLDP MED Port Settings STEP 2 To associate the LLDP MED network policy to a port select a port and click Edit STEP 3 Enter the following information Interface Select a port to be configured LLDP MED Status Enable or disable LLDP MED on this port Available Optional TLVs Select the TLVs that can be published by the switch by moving them to the Selected Optional TLVs list Available N...

Page 92: ... ID for example MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the switch is displayed System Name Name of the switch System Description Description of the switch in alphanumeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled System Capabilities Primary enabled functions of...

Page 93: ...STEP 1 Click Administration Discovery LLDP LLDP Local Information STEP 2 Select the desired port from the Port drop down menu The following fields are displayed Global Chassis ID Subtype Type of chassis ID such as the MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the switch is displayed System Name Name of switch System Description De...

Page 94: ...gotiation Supported Port speed auto negotiation support status Auto Negotiation Enabled Port speed auto negotiation active status Auto Negotiation Advertised Capabilities Port speed auto negotiation capabilities for example 1000BASE T half duplex mode 100BASE TX full duplex mode Operational MAU Type Medium Attachment Unit MAU type The MAU performs physical layer functions including digital data co...

Page 95: ...tware Revision Software version Serial Number Device serial number Manufacturer Name Device manufacturer name Model Name Device model name Asset ID Asset ID Location Information Civic Street address Coordinates Map coordinates latitude longitude and altitude ECS ELIN Emergency Call Service ECS Emergency Location Identification Number ELIN Network Policy Table Application Type Network policy applic...

Page 96: ...e LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbor STEP 2 Select a local port and click Go The following fields are displayed Local Port Number of the local port to which the neighbor is connected Chassis ID Subtype Type of chassis ID for example MAC address Chassis ID Identifier of the 802 LAN neighboring device s chassis Port ID Subtype Type of the port identif...

Page 97: ...mes Errors Total number of received frames with errors Rx TLVs Discarded Total number of received TLVs that were discarded Rx TLVs Unrecognized Total number of received TLVs that were unrecognized Neighbor s Information Deletion Count Number of neighbor age outs on the port STEP 2 Click Refresh to refresh the LLDP statistics Viewing LLDP Overloading LLDP adds information as LLDP and LLDP MED TLVs ...

Page 98: ...ect a port and click Details The following fields are displayed LLDP Mandatory TLVs Size Bytes Total mandatory TLV byte size Status If the mandatory TLV group is transmitting or if the TLV group was overloaded LLDP MED Capabilities Size Bytes Total LLDP MED capabilities packets byte size Status Whether the LLDP MED capabilities packets were sent or they were overloaded LLDP MED Location Size Bytes...

Page 99: ...Optional TLVs Size Bytes Total LLDP optional TLVs packets byte size Status If the LLDP optional TLVs packets were sent or if they were overloaded LLDP MED Inventory Size Bytes Total LLDP MED inventory TLVs packets byte site Status If the LLDP MED inventory packets were sent or if they were overloaded 802 1 TLVs Size Bytes Total LLDP 802 1 TLVs packets byte size Status If the LLDP 802 1 TLVs packet...

Page 100: ...roperties Use the CDP Properties page to globally enable CDP on the switch and configure general CDP parameters To define CDP properties STEP 1 Click Administration Discovery CDP Properties STEP 2 Enter the following information CDP Status Check Enable to globally enable CDP on the switch CDP Frames Handling If CDP is disabled select the action to be taken if a packet that matches the selected cri...

Page 101: ...elect the format of the device ID MAC address serial number or host name Source Interface Select User Defined to use the IP address of the interface defined in the Interface field in the address TLV or select Use Default to use the IP address of the outgoing interface Interface If User Defined was selected for Source Interface select the interface Syslog Voice VLAN Mismatch Check Enable to send a ...

Page 102: ...ect a port and click Edit STEP 3 Enter the following information Interface Select the port to be defined CDP Status Check Enable to enable the CDP publishing option for the port NOTE The next three fields are operational when the switch has been set up to send traps to the management station Syslog Voice VLAN Mismatch Check Enable to send a SYSLOG message when a voice VLAN mismatch is detected Thi...

Page 103: ...ollowing fields are displayed CDP State Displays whether CDP is enabled or disabled on the port Device ID TLV Device ID Type Type of the device ID advertised in the device ID TLV Device ID Device ID advertised in the device ID TLV Address TLV Address s IP addresses advertised in the device address TLV Port TLV Port ID Identifier of port advertised in the port TLV Capabilities TLV Capabilities Capa...

Page 104: ...r Untrusted Ports TLV CoS 802 1p for Untrusted Ports If Extended Trust is disabled on the port this field displays the Layer 2 CoS value which is an 802 1D 802 1p priority value This is the COS value with which all packets received on an untrusted port are remarked by the device Power TLV Only applicable for PoE models Request ID Only applicable for PoE models Last power request ID received echoes...

Page 105: ...k Administration Discovery CDP CDP Neighbor Information The following fields are displayed Device ID Neighbor s device ID Local Interface Number of the local port to which the neighbor is connected Advertisement Version CDP protocol version Time to Live Time interval in seconds after which the information for this neighbor is deleted Capabilities Capabilities advertised by neighbor Platform Inform...

Page 106: ... applicable for PoE models Amount of power consumed by neighbor on the interface Version Neighbor s software version STEP 3 Click Clear Table to disconnect all connected neighbor devices from CDP STEP 4 Click Refresh to refresh the CDP neighbor information Viewing CDP Statistics The CDP Statistics page displays information regarding CDP frames that were sent or received from a port CDP statistics ...

Page 107: ...s Displays the CDP error counters Illegal Checksum Number of packets received with illegal checksum value Other Errors Number of packets received with errors other than illegal checksums Neighbors Over Maximum Number of times that packet information could not be stored in cache because of lack of room STEP 2 Select an interface and click Clear Interface Counters to clear the CDP statistics counter...

Page 108: ...on the Port Settings page as described in the Configuring Basic Port Settings section STEP 2 Enable or disable the error disabled ports to recover from specific causes and manually activate the suspended ports on the Error Recovery Settings page as described in the Configuring Error Recovery Settings section STEP 3 Enable or disable the Link Aggregation Control LAG protocol and configure the poten...

Page 109: ...se LEDs lit is a waste of energy The feature enables you to disable the port LEDs for link speed and PoE when they are not required and to enable the LEDs if they are needed debugging connecting additional devices etc On the System Summary page the LEDs that are displayed on the device board pictures are not affected by disabling the LEDs To configure the port settings STEP 1 Click Port Management...

Page 110: ...its transmission rate duplex mode and flow control abilities to other devices Operational Auto Negotiation Displays the current auto negotiation status on the port Administrative Port Speed Select the configured rate for the port The port type determines the available speed setting options You can designate Administrative Port Speed only when port auto negotiation is disabled Operational Port Spee...

Page 111: ...x fields Back Pressure Check Enable to enable the Back Pressure mode on the port used with Half Duplex mode to slow down the packet reception speed when the switch is congested It disables the remote port preventing it from sending packets by jamming the signal Flow Control Enable or disable 802 3X flow control or enable the auto negotiation of flow control on the port only when in Full Duplex mod...

Page 112: ...c causes You can also manually reactivate the suspended ports To configure error recovery settings STEP 1 Click Port Management Error Recovery Settings STEP 2 Enter the following global port settings Automatic Recovery Interval Enter the time in seconds to recover from the specified error disabled state The same interval is applied to all causes The default interval is 300 seconds Automatic ErrDis...

Page 113: ...s STEP 3 Click Apply The error recovery settings are modified and the Running Configuration is updated STEP 4 The Suspended errDisabled Interface Table displays a list of suspended ports To manually reactivate a suspended port select the desired port and click Reactivate Loopback Detection Loopback Detection LBD provides protection against loops by transmitting loop protocol packets out of ports o...

Page 114: ...on the port Port operational status is up Port is in STP forwarding disable state MSTP instance forwarding state instance 0 LBD frames are transmitted on the highest priority queue on LBD active ports in case of LAGs the LBD is transmitted on every active port member in LAG When a loop is detected the switch performs the following actions Sets the receiving ports or LAGs to Error Disable state Iss...

Page 115: ...tion global field to enable the feature STEP 3 Enter the Detection Interval This is the interval between transmissions of LBD packets STEP 4 Click Apply to save the configuration to the Running Configuration file The following fields are displayed for each interface regarding the Loopback Detection State Administrative Loopback detection is enabled Operational Loopback detection is enabled but not...

Page 116: ...oved which can be added prior to applying then the LACP button become available for editing Dynamic A LAG is dynamic if LACP is enabled on it A group of ports assigned to dynamic LAG are candidate ports LACP determines which candidate ports are active member ports The nonactive candidate ports are standby ports ready to replace any failing active member ports This section describes how to configur...

Page 117: ... devices In general a LAG is treated by the system as a single logical port In particular the LAG has port attributes similar to a regular port such as state and speed The switch supports eight LAGs Every LAG has the following characteristics All ports in a LAG must be of the same media type Ports in a LAG must not be assigned to another LAG No more than 8 ports are assigned to a static LAG and no...

Page 118: ...gure a dynamic LAG perform the following actions STEP 1 Enable LACP on the LAG Assign up to 16 candidates ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List on the LAG Management page See Configuring LAG Management for more information STEP 2 Configure the LAG speed and flow control on the LAG Settings page See Configuring LAG Settings for more in...

Page 119: ...namic LAG This field can only be enabled after moving at least a port to the LAG in the next field LAG Members Move those ports that are to be assigned to the LAG from the Port List to the LAG Members list Up to 8 ports per static LAG can be assigned and 16 ports can be assigned to a dynamic LAG STEP 6 Click Apply The LAG membership is defined and the Running Configuration is updated Configuring L...

Page 120: ...s the current speed at which the LAG is operating Auto Advertisement Speed Select the speed capability to be advertised by the LAG The options are All Speed All port speed settings can be accepted 10M 10 Mbps speed 100M 100 Mbps speed 10M 100M 10 Mbps and 100 Mbps speeds 1000M 1000 Mbps speed Operational Advertisement Displays the current advertisement status The LAG advertises its capabilities to...

Page 121: ...orities are the same the local and remote MAC addresses are compared The priority of the device with the lowest MAC address controls candidate port selection to the LAG A dynamic LAG can have up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode When there are more than eight ports in the dynamic LAG the switch on the controlling end ...

Page 122: ... that had link up is added to the LACP LAG and becomes active the other ports become non candidates In this way the neighbor device can for example get its IP address using DHCP and get its configuration using auto configuration Configuring LACP Parameters Use the LACP page to configure the candidate ports for the LAG and to configure the LACP parameters per port LACP timeout is a per port paramet...

Page 123: ...esigned to save power when there is no traffic on the link With Energy Efficient Ethernet power is reduced when the port is up but there is no traffic on it Energy Efficient Ethernet reduces overall power usage in Energy Detect mode Energy Efficient Ethernet is defined per port regardless of their LAG membership To enable Energy Efficient Ethernet on a port STEP 1 Click Port Management Energy Effi...

Page 124: ...Port Management Configuring Energy Efficient Ethernet Cisco 220 Series Smart Switches Administration Guide Release 1 1 0 x 122 9 ...

Page 125: ... and includes the following topics PoE Considerations PoE on the Switch Configuring PoE Properties Configuring PoE Port Settings PoE Considerations CAUTION The switch should be connected only to PoE networks without routing to the outside plant Model Power Dedicated to PoE PoE Ports PoE Standard Supported SF220 24P 180 Watts 1 to 24 802 3at SF220 26P 180 Watts 1 to 24 802 3at SF220 48P 375 Watts 1...

Page 126: ...itch may not operate properly and may not be able to properly supply power to its attaching PDs To prevent false detection you should disable PoE on the ports on the PoE switches that are used to connect to PSEs You should also first power up a PSE device before connecting it to a PoE switch When a device is being falsely detected as a PD you should disconnect the device from the PoE port and powe...

Page 127: ...PD consumes Power Consumption After the classification stage completes the PSE provides power to the powered device PD The PD without classification support will be assumed to be class 0 the maximum If a PD tries to consume more power than permitted by the standard the PSE stops supplying power to the port PoE supports two modes Port Limit The maximum power that the switch agrees to supply is limi...

Page 128: ...its power limit according to the class of the device connected to each specific port If at any time during the connectivity an attached PD requires more power from the switch than the configured allocation allows no matter if the switch is in Class Limit or Port Limit mode the switch does the following Maintains the up down status of the PoE port link Turns off power delivery to the PoE port Maint...

Page 129: ... are already connected disabling this feature only takes effect after you unplug their cables Traps Enables or disables traps If traps are enabled you must also enable the SNMP service and configure at least one SNMP notification recipient see Configuring SNMP Notification Recipients Power Trap Threshold Enters the usage threshold that is a percentage of the system power An alarm is initiated if t...

Page 130: ...rties page When the power consumed on the port exceeds the class limit the port power is turned off To configure PoE port settings STEP 1 Click Port Management PoE Port Settings STEP 2 To edit the power limit per port select a port and click Edit STEP 3 Enter the following information Interface Select the port to be configured PoE Administrative Status Enable or disable PoE on the port Time Range ...

Page 131: ...mation of the PD connected if the power mode is Class Limit Overload Counter Displays the total number of power overload occurrences Short Counter Displays the total number of power shortage occurrences Denied Counter Displays the number of times that the powered device was denied power Absent Counter Displays the number of times that the power was stopped to the powered device because the powered...

Page 132: ...Power over Ethernet Configuring PoE Port Settings Cisco 220 Series Smart Switches Administration Guide Release 1 1 0 x 130 10 ...

Page 133: ...ayer regardless of the physical LAN segment of the bridged network to which they are connected VLAN Description Each VLAN is configured with a unique VID VLAN ID with a value from 1 to 4094 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets destined for that port into the VLAN hav...

Page 134: ... only if the VID in its VLAN tag is 0 Frames belonging to a VLAN remain within the VLAN This is achieved by sending or forwarding a frame only to egress ports that are members of the target VLAN An egress port may be a tagged or untagged member of a VLAN The egress port Adds a VLAN tag to the frame if the egress port is a tagged member of the target VLAN and the original frame does not have a VLAN...

Page 135: ...ort VLAN related configuration as described in the Configuring Interface s VLAN Settings section Assign interfaces to VLANs as described in the Configuring Port to VLAN section View the current VLAN port membership for all interfaces as described in the Viewing VLAN Membership section Enable GVRP globally as well as on each port as described in the Configuring GVRP section Configure the voice VLAN...

Page 136: ...e PVID of the ports to the VID of the new default VLAN Adds the ports as untagged VLAN members of the new default VLAN To change the default VLAN STEP 1 Click VLAN Management Default VLAN Settings STEP 2 Enter the following information Current Default VLAN ID Displays the current default VLAN ID Default VLAN ID Enter a new VLAN ID to replace the default VLAN ID STEP 3 Click Apply The default VLAN ...

Page 137: ...ck Edit to modify the VLAN parameters STEP 3 To create a single VLAN select the VLAN radio button enter the VLAN ID VID and optionally the VLAN Name STEP 4 To create a range of VLANs select the Range radio button and specify the range of VLANs to be created in the VLAN Range fields STEP 5 Click Apply The VLANs are created and the Running Configuration is updated Configuring Interface s VLAN Settin...

Page 138: ...ne or more dot1p tunnel ports Administrative PVID Available in General and Trunk modes Enter the Port VLAN ID PVID of the VLAN to which incoming untagged and priority tagged frames are classified Frame Type Available in General mode Select the type of frame that the interface can receive Frames that are not of the configured frame type are discarded at ingress These frame types are only available ...

Page 139: ...igured on the Interface Settings page STEP 3 To change the registration of an interface to the VLAN select the desired option from the following list Forbidden The interface is not allowed to join the VLAN even from GVRP registration When a port is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID Excluded The interface is curr...

Page 140: ...t be the same if the ports are to send and receive untagged packets to and from the VLAN Otherwise traffic might leak from one VLAN to another Frames that are VLAN tagged can pass through other network devices that are VLAN aware or VLAN unaware If a destination end node is VLAN unaware but is to receive traffic from a VLAN then the last VLAN aware device if there is one must send frames of the de...

Page 141: ...rt is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID Excluded The interface is currently not a member of the VLAN This is the default for all the ports and LAGs The port can join the VLAN through GVRP registration Tagged Select whether the port is tagged This is not relevant for Access ports Untagged Select whether port is u...

Page 142: ...ngs page GVRP must be activated globally as well as on each port When it is activated it transmits and receives GARP Packet Data Units GPDUs VLANs that are defined but not active are not propagated To propagate the VLAN it must be up on at least one port To define the GVRP settings STEP 1 Click VLAN Management GVRP Settings STEP 2 Check Enable next to the GVRP Global Status field to globally enabl...

Page 143: ...s to the voice VLAN and assign the configured quality of service QoS to packets from the voice VLAN Dynamic Voice VLAN Modes The switch supports two dynamic voice VLAN modes They are Telephony OUI Organization Unique Identifier mode and Auto Voice VLAN mode The two modes affect how voice VLAN and or voice VLAN port memberships are configured The two modes are mutually exclusive to each other Telep...

Page 144: ...e VLAN cannot be the Guest VLAN if the voice VLAN mode is set to Telephony OUI The interface VLAN of a candidate port must be in General mode or Trunk mode The voice VLAN QoS decision has priority over any other QoS decision except for the Policy ACL QoS decision The voice VLAN QoS is applied to candidate ports that have joined the voice VLAN and to static ports Voice VLAN Options You can perform ...

Page 145: ...P Select the DSCP value that will be used by LLDP MED as a voice network policy Dynamic Voice VLAN Select one of the following voice VLAN modes Enable Auto Voice VLAN Select this option to enable the Auto Voice VLAN mode Enable Telephony OUI Select this option to enable the Telephony OUI mode Disable Select this option to disable the Voice VLAN STEP 3 Click Apply The VLAN properties are defined an...

Page 146: ...STEP 2 Specify the following general Telephony OUI parameters Telephony OUI Operational Status Displays whether OUIs are used to identify voice traffic CoS 802 1p Select the CoS queue to be assigned to voice traffic Remark CoS 802 1p Check to remark egress traffic Auto Membership Aging Time Enter the time delay to remove a port from the voice VLAN after all MAC addresses of the phones detected on ...

Page 147: ...STEP 2 To configure an interface to be a candidate port of the telephony OUI based voice VLAN select the desired interface and click Edit STEP 3 Enter the following information Interface Select the port or LAG to be configured Telephone OUI VLAN Membership Check Enable to set the interface as a candidate port of the telephony OUI based voice VLAN When packets that match one of the configured telep...

Page 148: ...Smart Switches Administration Guide Release 1 1 0 x 146 11 All QoS attributes are applied only on all packets that are classified to the voice VLAN STEP 4 Click Apply The Telephony OUI interface settings are defined and the Running Configuration is updated ...

Page 149: ...rotects a Layer 2 Broadcast domain from Broadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate routes exist between hosts Loops in an extended network can cause switches ...

Page 150: ...on the entire port including VLAN B traffic MSTP solves this problem by enabling several STP instances so that it is possible to detect and mitigate loops separately in each instance By associating instances to VLANs each instance is associated with the Layer 2 domain on which it performs loop detection and mitigation This enables a port to be stopped in one instance such as traffic from VLAN A th...

Page 151: ...e the same priority then their MAC addresses are used to determine which is the Root Bridge The bridge priority value is provided in increments of 4096 For example 4096 8192 12288 and so on Hello Time Enter the interval in seconds that a Root Bridge waits between configuration messages The range is 1 to 10 seconds The default is 2 seconds Max Age Enter the interval in seconds that the switch can w...

Page 152: ...d on this page is active for all STP modes To configure STP on an interface STEP 1 Click Spanning Tree STP Interface Settings STEP 2 Select the interface type Port or LAG and click Go STEP 3 Select an interface and click Edit STEP 4 Enter the following information Interface Select the port or LAG to be defined Edge Port Enable or disable Fast Link on the interface If Fast Link mode is enabled for ...

Page 153: ...t forward traffic but it can learn new MAC addresses Forwarding The interface is in Forwarding mode and can forward traffic and learn new MAC addresses Designated Bridge ID Displays the bridge priority and the MAC address of the designated bridge Designated Port ID Displays the priority and interface ID of the selected interface Designated Cost Displays the cost of the interface participating in t...

Page 154: ...e port link type status by using the port link up duplex mode point to point for full duplex mode and share for half duplex mode Point to Point Operational Status Displays the current link type operating status Role Displays the role of the interface that has been assigned by STP to provide STP paths The possible roles are Root Lowest cost path to forward packets to the Root Bridge Designated The ...

Page 155: ...er being tested the Activate Protocol Migration is activated When a link partner is discovered by using STP click Activate Protocol Migration to run a Protocol Migration test This test discovers whether the link partner using STP still exists and if so whether it has migrated to RSTP or MSTP If it still exists as an STP link the device continues to communicate with it by using STP Otherwise if it ...

Page 156: ...using one single common spanning tree CST MSTP is fully compatible with RSTP bridges in that an MSTP BPDU can be interpreted by an RSTP bridge as an RSTP BPDU MSTP not only allows compatibility with RSTP bridges without configuration changes but also causes any RSTP bridges outside of an MSTP region to see the region as a single RSTP bridge regardless of the number of MSTP bridges inside the regio...

Page 157: ...can be mapped with more than one VLAN but each VLAN can only have one MSTP instance attached to it Up to 16 MSTP instances can be defined on the switch For those VLANs that are not explicitly mapped to one of the MSTP instances the switch automatically maps them to the Core and Internal Spanning Tree CIST instance The CIST instance is MSTP instance 0 To map VLANs to MSTP instances STEP 1 Click Spa...

Page 158: ...d MAC address of the Root Bridge for the selected MSTP instance Root Port Displays the root port of the selected MSTP instance Root Path Cost Displays the root path cost of the selected MSTP instance Bridge ID Displays the bridge priority and the MAC address of this switch for the selected MSTP instance Remaining Hops Displays the number of hops remaining to the next destination STEP 3 Click Apply...

Page 159: ...isabled MSTP is currently disabled Blocking The port on this instance is currently blocked and cannot forward traffic with the exception of BPDU data or learn MAC addresses Learning The port on this instance is in Learning mode and cannot forward traffic But it can learn new MAC addresses Forwarding The port on this instance is in Forwarding mode and can forward traffic and learn new MAC addresses...

Page 160: ...led on the port Type Displays the MSTP type of the port Boundary A Boundary port attaches MSTP bridges to a LAN in an outlying region If the port is a boundary port it also indicates whether the device on the other side of the link is working in RSTP or STP mode Internal The port is an internal port Designated Bridge ID Displays the bridge ID number that connects the link or shared LAN to the root...

Page 161: ...tatic addresses are configured by the user and therefore they do not expire A new source MAC address that appears in a frame arriving at the switch is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the switch before that time period expires the MAC entry is aged deleted from the ...

Page 162: ... 2 To add a static MAC address click Add STEP 3 Enter the following information VLAN ID Select an VLAN ID MAC Address Enter the MAC address Interface Select a port or LAG for the MAC address Status Select how the MAC address is treated The options are Permanent The switch never removes this MAC address If the static MAC address is saved to the Startup Configuration it is retained after rebooting D...

Page 163: ...ic MAC address filter profile is added and the Running Configuration is updated Configuring Dynamic MAC Address Aging Time The Dynamic Address Table contains the MAC addresses acquired by monitoring the source addresses of traffic entering the switch To prevent this table from overflowing and to make room for new MAC addresses an address is deleted if no traffic is received for a certain period Th...

Page 164: ...iteria is entered the entire table is displayed To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Address STEP 2 Enter the query criteria VLAN ID equals to Check and enter the VLAN ID for which the table is queried MAC Address equals to Check and enter the MAC address for which the table is queried Interface equals to Check and select the interface for which the table is queried T...

Page 165: ...es to be reserved and the actions how to deal with the frame To reserve a MAC address STEP 1 Click MAC Address Tables Reserved MAC Address STEP 2 Click Add STEP 3 Enter the following information MAC Address Select the MAC address to be reserved Action Select one of the following actions to be taken upon the arriving packet that matches the selected criteria Bridge Forwards the packet to all VLAN m...

Page 166: ...s Configuring Multicast Filtering Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a Cable TV like service where clients can join a channel in the middle of a transmission and leave before...

Page 167: ...ge it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a specific source The switch with the IGMP snooping analyzes the Join messages and learns that the Multicast stream the host has requested must be forwarded to this specific port It then forwards the IGMP Join to the Mrouter only Similarly when the Mrouter receives an IGMP...

Page 168: ...nd hosts since they do not have to receive and filter all of the Multicast traffic generated in the network The following versions are supported IGMP v1 v2 v3 MLD v1 v2 A simple IGMP Snooping Querier An IGMP Querier is required to facilitate the IGMP protocol on a given subnet In general a Multicast router is also an IGMP Querier When there are multiple IGMP Queriers in a subnet the queriers elect...

Page 169: ...apped to Layer 2 Multicast 33 33 11 22 33 44 Configuring Multicast Properties Use the Properties page to globally enable IGMP Snooping and or IPv6 MLD Snooping on the switch and set the default action for unknown Multicast traffic By default all Multicast frames are flooded to all ports of the VLAN To configure Multicast properties STEP 1 Click Multicast Properties STEP 2 Enter the following infor...

Page 170: ...r Version 6 IP Multicast Group Address equals to Define the IP address of the Multicast group to be displayed STEP 3 Click Go The IP Multicast group addresses that match the criteria are displayed STEP 4 To add a static IP Multicast group address click Add NOTE Member ports for a static IP multicast group address can be configured statically only STEP 5 Enter the following information VLAN ID Sele...

Page 171: ...ded to the CPU The CPU analyzes the incoming packets and determines the following Which ports are asking to join which Multicast groups on what VLAN Which ports are connected to Multicast routers Mrouters that are generating IGMP queries Which ports are receiving PIM OSFP DVMRP or IGMP query protocols Ports asking to join a specific Multicast group issue an IGMP report that specifies which group t...

Page 172: ...The switch does not send the remaining IGMP reports for the group to the Multicast routers This feature prevents duplicate reports from being sent to the Multicast devices The switch always forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all Multicast routers regardless of the Multicast router query also includes requests for IGMPv3 reports STEP 3 Select a VLAN and cl...

Page 173: ...le are sent by the elected querier The other values are derived from the switch IGMP Querier Version Select the IGMP version used if the switch becomes the elected querier Select IGMPv3 if there are switches and or Multicast routers in the VLAN that perform source specific IP Multicast forwarding STEP 5 Click Apply The IGMP Snooping settings are defined and the Running Configuration is updated Con...

Page 174: ... a specific Multicast group from the forwarding set of an incoming Multicast frame If you enable MLD Snooping in addition to the manually configured Multicast groups the result is a union of the Multicast groups and port memberships derived from the manual setup and the dynamic discovery by MLD Snooping However only the static definitions are preserved when the switch is rebooted To enable MLD Sno...

Page 175: ... query count to be used if the switch cannot derive the value from the messages sent by the elected querier Last Member Query Interval Enter the maximum response delay to be used if the switch cannot read maximum response time value from group specific queries sent by the elected querier Immediate Leave When enabled reduces the time that it takes to block unnecessary MLD traffic sent to a switch p...

Page 176: ...nd IGMP MLD registration messages It is required in order for all Mrouters can in turn forward the Multicast streams and propagate the registration messages to other subnets Use the Multicast Router Port page to statically configure or see dynamically detected ports connected to Mrouters To define Multicast router ports STEP 1 Click Multicast Multicast Router Port STEP 2 Enter the query criteria V...

Page 177: ... ports or LAGs to receive Multicast streams from a specific VLAN You can statically configure a port to Forward All if the devices connecting to the port do not support IGMP or MLD NOTE The configuration affects only the ports that are members of the selected VLAN To define Forward All Multicast STEP 1 Click Multicast Forward All STEP 2 Define the VLAN ID IP version and port type for which Multica...

Page 178: ...ter the maximum number of IGMP groups that are allowed on the interface IGMP Exceed Action Denies or replaces the existing group with the new group for which the IGMP report was received when the limit is reached MLD Maximum Multicast Group Enter the maximum number of MLD groups that are allowed on the interface MLD Exceed Action Denies or replaces the existing group with the new group for which t...

Page 179: ... Index Enter the sequence number for the profile IP Version Select ether Version 4 or Version 6 to apply the filter profile to IPv4 or IPv6 Multicast traffic Start Multicast Address Enter the starting Multicast group address End Multicast Address Enter the ending Multicast group address Action Denies or permits Multicast frames when the join group matches the profile IP group range STEP 5 Click Ap...

Page 180: ...erface Select the port or LAG to be defined Filter Enable or disable filtering Multicast traffic on this interface Filter Profile Index If enabled select the Multicast filter profile to be applied The Multicast filter settings defined in the profile are applied to the interface STEP 5 Click Apply The Running Configuration is updated ...

Page 181: ... are configured on the IPv4 Interface and IPv6 Interface pages The switch uses the default gateway if configured to communicate with devices that are not in the same IP subnet with the switch By default VLAN 1 is the management VLAN but this can be modified The switch can only be reached at the configured IP address through its management VLAN The factory default setting of the IPv4 address config...

Page 182: ...ests until a response is received from the DHCP server The System LED on the front panel of the switch changes to solid green when a new unique IP address is received from the DHCP server If a static IP address has been set the System LED also changes to solid green The System LED flashes when the switch is acquiring an IP address and is currently using the factory default IP address 192 168 1 254...

Page 183: ... Type Select one of the following options Dynamic Discovers the IP address using DHCP from the management VLAN Static Manually defines a static IP address If a static IP address is used enter the following fields IP Address Enter the management IP address of the switch The default is 192 168 1 254 Mask Enter the IP address mask or prefix length Network Mask Select and enter the IP address mask Pre...

Page 184: ...he Running Configuration is updated IPv6 Management and Interface The switch supports one IPv6 interface In additional to the default link local and Multicast addresses the switch also automatically adds global addresses to the interface based on the router advertisements that it receives Each address must be a valid IPv6 address that is specified in hexadecimal format by using 16 bit values separ...

Page 185: ...floor on the refresh time value If the server sends a refresh time option that is less than this value this value is used instead Information Refresh Time Select either Infinite no refresh unless the server sends this option or User Defined to manually set a value This value indicates how often the switch will refresh information received from the DHCPv6 server If this option is not received from ...

Page 186: ...ualified domain names NFQDNs turning them into FQDNs NOTE Do not include the initial period that separates an unqualified name from the domain name such as cisco com STEP 4 Click Apply The DNS parameters are defined and the Running Configuration is updated STEP 5 Click Details next to next to the DHCP Domain Search List field to view the list of DNS servers configured on the switch including the s...

Page 187: ...r in which unqualified names are completed during DNS queries Domain Name Name of domain that can be used on the switch Configuring Host Mapping Host name and IP address mappings are stored in the Host Mapping Table DNS cache This cache contains the static entries mapping pairs that are manually added to the cache Name resolution always begins by checking static entries and continues by sending re...

Page 188: ... following information IP Version Select either Version 6 or Version 4 Host Name Enter a user defined host name or fully qualified name Host names are restricted to the ASCII letters A through Z case insensitive the digits 0 through 9 the underscore and the hyphen A period is used to separate labels IP Address es Enter a single address or up to eight associated IP addresses IPv4 or IPv6 STEP 4 Cli...

Page 189: ... that pass through but are not directed at the switch This chapter describes various aspects of security and access control and includes the following topics Configuring Users Configuring TACACS Servers Configuring RADIUS Servers Configuring Management Access Methods Configuring Password Complexity Rules Configuring Management Access Authentication Configuring TCP UDP Services Configuring Storm Co...

Page 190: ...dit to modify a user STEP 3 Enter the following information User Name Enter a new username between 0 and 32 alphanumeric characters Password Enter a password The password must comply with the minimum strength and complexity requirements shown on the page Confirm Password Enter the password again Password Strength Meter Displays the strength of password The rules for password strength and complexit...

Page 191: ...evice and the TACACS server TACACS is supported only with IPv4 Some TACACS servers support a single connection that enables the device to receive all information in a single connection If the TACACS server does not support this the device reverts back to multiple connections Use the TACACS page to configure the TACACS servers and define the default parameters that are used for communicating with a...

Page 192: ...ity server and is the first server used If it cannot establish a session with the highest priority server the switch will try the next highest priority server Key String A key string is used to encrypt communications by using MD5 You can select Use Default to use the default key defined under the TACACS default parameters or you can select User Defined Encrypted or User Defined Plaintext to enter ...

Page 193: ...DIUS STEP 2 In the Use Default Parameters area enter the default RADIUS parameters that are applied to all RADIUS servers If a value is not entered for a specific server the switch uses the values in these fields Retries Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred Timeout for Reply Enter the number of seconds that the ...

Page 194: ...elect Use Default to use the default key string Timeout for Reply Select User Defined to enter the number of seconds that the switch waits for an answer from the RADIUS server before retrying the query or switching to the next server or select Use Default to use the default value Authentication IP Port Enter the UDP port number of the RADUS server port for authentication requests Retries Select Us...

Page 195: ...udes the following topics Access Profile Rules Filters and Elements Active Access Profile Configuring Access Profiles Configuring Profile Rules Access Profile Rules Filters and Elements Access profiles consist of rules for allowing access to the switch Each access profile can consist of one or more rules The rules are executed in order of their priority within the access profile top to bottom Rule...

Page 196: ...a console only access profile has been activated the only way to deactivate it is through a direct connection from the management station to the physical console port on the switch After an access profile has been defined additional rules can be added or edited on the Profiles Rules page See Configuring Profile Rules for more details Configuring Access Profiles Use the Access Profiles page to crea...

Page 197: ...ch by using the management method selected The options are All Assigns all management methods to the rule Telnet Users requesting access to the switch who meet the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the switch who meet the SSH access profile criteria are permitted or denied access HTTP Assigns HTTP access to the rule Users req...

Page 198: ...enter the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 5 Click Apply The access profile is created and the Running Configuration is updated Configuring Profile Rules Access profiles can contain multiple rules to determine who is permitted to manage and access the switch and the access method...

Page 199: ...e Telnet Users requesting access to the switch who meet the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the switch who meet the Telnet access profile criteria are permitted or denied access HTTP Assigns HTTP access to the rule Users requesting access to the switch who meet the HTTP access profile criteria are permitted or denied Secure...

Page 200: ... the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 5 Click Apply The profile rule is added to the access profile and the Running Configuration is updated Configuring Password Complexity Rules Passwords are used to authenticate users accessing the switch Simple passwords are potential security...

Page 201: ...character that is repeated more than three times consecutively Have a minimum length of eight characters STEP 3 You can modify the default password settings in the following fields Minimal Password Length Enter the minimal number of characters required for passwords NOTE A zero length password no password is allowed and can still have password aging assigned to it Allowed Character Repetition Ente...

Page 202: ...d Local and all configured RADIUS servers are queried in priority order and do not reply the user is authenticated locally If an authentication method fails or the user has insufficient privilege level the user is denied access to the switch In other words if authentication fails at an authentication method the switch stops the authentication attempt it does not continue and does not attempt to us...

Page 203: ...switch usually for security reasons The active TCP and UDP connections are also displayed on the page To configure TCP UDP services STEP 1 Click Security TCP UDP Services The TCP Service Table displays the following information for all active TCP connections Service Name Address method through which the switch is offering the TCP service Type IP protocol type that the service uses Local IP Address...

Page 204: ...nections CLOSING Both sockets are shut down but we still do not have all our data sent UNKNOWN The state of the socket is unknown The UDP Service Table displays the following information for all active UDP connections Service Name Access method through which the switch is offering the UDP service Type IP protocol that the service uses Local IP Address Local IP address through which the switch is o...

Page 205: ...bles you to limit the number of frames entering the switch and to define the types of frames that are counted towards this limit When the rate of Broadcast unknown Multicast or unknown Unicast frames is higher than the user defined threshold frames received beyond the threshold are discarded or the interface shuts down To define Storm Control STEP 1 Click Security Storm Control STEP 2 Configure th...

Page 206: ...ic It will count unknown Multicast traffic towards the bandwidth threshold Storm Control Rate Threshold Enter the maximum rate at which unknown Multicast packets can be forwarded The default for this threshold is 10 000 Broadcast Enable or disable storm control for Broadcast traffic It will count Broadcast traffic towards the bandwidth threshold Storm Control Rate Threshold Enter the maximum rate ...

Page 207: ...owed addresses After the limit is reached the switch does not learn additional addresses In this mode the addresses are subject to aging and relearning When a frame with a new MAC address is detected on a port where it is not authorized the port is classically locked and the new MAC address of this frame is learned on another classically locked port or the port is dynamically locked and the maximu...

Page 208: ... Addresses Allowed Enter the maximum number of MAC addresses that can be learned on the interface if Limited Dynamic Lock learning mode is selected The range is 1 to 256 and the default is 1 Action on Violation If Interface Status is locked select an action to be applied to packets arriving on a locked interface The options are Discard Discards packets from any unlearned source Forward Forwards pa...

Page 209: ... external RADIUS server through the authenticator The authenticator monitors the result of the authentication In the 802 1x standard a device can be a supplicant and an authenticator at a port simultaneously requesting port access and granting port access However this device is only the authenticator and does not take on the role of a supplicant The following varieties of 802 1X exist Single sessi...

Page 210: ...IUS server must support DVA with RADIUS attributes tunnel type 64 VLAN 13 tunnel media type 65 802 6 and tunnel private group id a VLAN ID Guest VLAN Guest VLAN provides access to services that do not require the subscribing devices or ports to be 802 1x authenticated and authorized The Guest VLAN if configured is a static VLAN with the following characteristics Must be manually defined from an ex...

Page 211: ...802 1X Properties STEP 2 Enter the parameters Port Based Authentication Enable or disable port based 802 1X authentication Guest VLAN Select to enable the use of a Guest VLAN for unauthorized ports If a Guest VLAN is enabled all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field If a port is later authorized it is removed from the Guest VLAN Guest VLAN ID Select the...

Page 212: ...d Authorizes the interface without authentication RADIUS VLAN Assignment Select to enable Dynamic VLAN assignment on the selected port The options are Disable Ignore the VLAN authorization result and keep original VLAN of host Reject If get VLAN authorized information just use it However if there is no VLAN authorized information reject the host and make it unauthorized Static If get VLAN authoriz...

Page 213: ...orization state NOTE If the port is not in Force Authorized or Force Unauthorized it is in Auto Mode and the authenticator displays the state of the authentication in progress After the port is authenticated the state is shown as Authenticated Max Hosts Enter the number of maximum of authenticated hosts allowed on the specific interface This value only takes effect on multi sessions mode Quiet Per...

Page 214: ... network Multiple Sessions Enables the number of specific authorized hosts to access the port Each host is treated as if it was the first and only user and must be authenticated Filtering is based on the source MAC address To define 802 1X advanced settings for ports STEP 1 Click Security 802 1X Host and Session Authentication The authentication parameters are described for all ports All fields ex...

Page 215: ...oted Traps Select to enable traps Trap Frequency Defines how often traps are sent to the host This field can be defined only if multiple hosts are disabled STEP 4 Click Apply The settings are defined and the Running Configuration file is updated Viewing Authenticated Hosts Click Security 802 1X Authenticated Hosts The Authenticated Hosts page displays the following fields User Name Supplicant name...

Page 216: ...ration Configuring DoS Security Suite Settings Configuring SYN Protection Secure Core Technology SCT One method of resisting DoS attacks employed by the switch is the use of SCT SCT is enabled by default on the switch and cannot be disabled The Cisco device is an advanced device that handles management traffic protocol traffic and snooping traffic in addition to end user TCP traffic SCT ensures th...

Page 217: ...S policies are not active when a port has DoS protection To set global DoS protection settings and monitor SCT STEP 1 Click Security Denial of Service Security Suite Settings The CPU Protection Mechanism field displays Enabled which indicates that SCT is enabled STEP 2 Click Details beside the CPU Utilization field to go to the CPU Utilization page and view CPU resource utilization information STE...

Page 218: ...P 1 Click Security Denial of Service Interface Settings The Interface Settings Table displays the following information Interface Shows the port ID Denial of Service Protection Shows whether the DoS Protection feature is enabled or disabled on the port IP Gratuitous ARPs Protection Shows whether the IP gratuitous ARP protection feature is enabled or disabled on the port STEP 2 To edit the DoS sett...

Page 219: ... than the specific user defined threshold a deny SYN with MAC to me rule is applied on the port This rule is unbound from the port every user defined interval SYN Protection Period To configure the SYN Protection settings STEP 1 Click Security Denial of Service SYN Protection The SYN Protection Interface Table displays the following information Interface Shows the port ID Current State Shows wheth...

Page 220: ...pply The SYN Protection global settings are defined and the Running Configuration is updated Configuring DHCP Snooping DHCP Snooping provides network security by filtering untrusted DHCP messages and by building and by maintaining a DHCP Snooping binding database table DHCP Snooping acts as a firewall between untrusted hosts and DHCP servers DHCP Snooping differentiates between untrusted interface...

Page 221: ...e this feature By default it is disabled Option 82 Status Check Enable to enable global Option 82 insert on the switch or uncheck to disable this feature Remote ID If Option 82 is enabled select User Defined to manually enter the format remote ID or select Use Default to use the default value Backup Database Type Set the type of backup DHCP Snooping database agent The options are None Disables DHC...

Page 222: ...lobally enabled on the switch To define DHCP Snooping on VLANs STEP 1 Click Security DHCP Snooping VLAN Settings STEP 2 Select the VLANs from the Available VLANs column and add them to the Enabled VLANs column STEP 3 Click Apply DHCP Snooping is enabled on the selected VLANs the Running Configuration is updated Configuring DHCP Snooping Trusted Interfaces Use the Interface Settings page to define ...

Page 223: ...resses that are bound to the DHCP Snooping database STEP 1 Click Security DHCP Snooping Binding Database STEP 2 Define any of the following fields as a query filter VLAN ID Indicates the VLANs recorded in the DHCP database The database can be queried by VLAN MAC Address Indicates the MAC addresses recorded in the DHCP database The database can be queried by MAC address IP Address Indicates the IP ...

Page 224: ...DHCP Snooping Statistics STEP 2 Select the interface type Port or LAG click Go The following DHCP Snooping Option 82 statistical information is displayed Interface Port identifier or LAG identifier Forward Total number of forwarded packets Chaddr Check Dropped Total number of packets that are dropped by Chaddr check Untrust Port Dropped Total number of packets that are dropped by untrusted ports U...

Page 225: ... the port or LAG to be defined Allow Untrusted Select one of the following actions when the untrusted port receives DHCP packets Drop Drops DHCP packets with Option 82 information Keep Keeps DHCP packets with Option 82 information Replace Replaces DHCP packets with Option 82 information STEP 5 Click Apply The Running Configuration is updated Configuring Option 82 Port CID Settings Use the Option82...

Page 226: ...vent traffic attacks caused when a host tries to use the IP address of its neighbor NOTE IP Source Guard is applicable only for the switch models with the country of destination CN This section includes the following topics Configuring IP Source Guard Interface Settings Querying IP Source Binding Database Configuring IP Source Guard Interface Settings Use the Interface Settings page to enable IP S...

Page 227: ... IP source binding rule STEP 1 Click Security IP Source Guard Binding Database STEP 2 Define the preferred filter for searching the IP Source Guard database VLAN ID Queries the database by VLAN ID MAC Address Queries the database by MAC address IP Address Queries the database by IP address Interface Queries the database by interface number STEP 3 Click Go These appear in the Binding Database table...

Page 228: ...d the Running Configuration is updated Configuring Dynamic ARP Inspection Dynamic Address Resolution Protocol ARP is a TCP IP protocol for translating IP addresses into MAC addresses NOTE Dynamic ARP Inspection is applicable only for the switch models with the country of destination CN This section describes how to configure ARP on the switch and includes the following topics ARP Cache Poisoning H...

Page 229: ... trusted interface are simply forwarded Upon packet arrival on untrusted interfaces the following logic is implemented Search the ARP access control rules for the packet s IP MAC addresses If the IP address is found and the MAC address in the list matches the packet s MAC address then the packet is valid If the packet s IP address was not found and DHCP Snooping is enabled for the packet s VLAN se...

Page 230: ...spection uses the DHCP Snooping Binding database in addition to the ARP access control rules If DHCP Snooping is not enabled only the ARP access control rules are used Table1 ARP Default Workflow to Configure ARP Inspection To configure ARP Inspection STEP 1 Enable ARP Inspection and configure various options on the Security ARP Inspection Properties page See Configuring ARP Inspection Properties ...

Page 231: ...e ARP Inspection properties STEP 1 Click Security ARP Inspection Properties STEP 2 Enter the following information ARP Inspection Status Check Enable to enable ARP Inspection on the switch or uncheck to disable this feature By default ARP Inspection is disabled ARP Packet Validation Defines the following ARP Inspection validation properties Source MAC Address Check Enable to validate the source MA...

Page 232: ...4 Enter the following information Interface Select a port or LAG on which ARP Inspection trust mode can be enabled Trusted Interface Click Yes to enable ARP Inspection trust mode on the interface or click No to disable ARP Inspection trust mode on the interface If enabled the port or LAG is a trusted interface and ARP inspection is not performed on the ARP requests or replies sent to or from the i...

Page 233: ...estination IP Address Validation Failures Total number of ARP packets that the destination IP address validation fails IP MAC Mismatch Failures Total number of ARP packets that the IP address does not match the MAC address STEP 2 Click Refresh to refresh the data in the table or click Clear to clear all ARP Inspection statistics Configuring ARP Inspection VLAN Settings Use the VLAN Settings page t...

Page 234: ... interface If the packet s IP address is not listed in the ARP Inspection list or the DHCP Snooping database the switch rejects the packet To define ARP Inspection on VLANs STEP 1 Click Security ARP Inspection VLAN Settings STEP 2 Select the VLANs from the Available VLANs column and add them to the Enabled VLANs column STEP 3 Click Apply ARP Inspection settings are applied on the selected VLANs an...

Page 235: ...e information see the Quality of Service chapter ACLs enable network managers to define patterns filter and actions for ingress traffic Packets entering the switch on a port or LAG with an active ACL are either admitted or denied entry This chapter includes the following topics Access Control Lists Configuring MAC based ACLs Configuring MAC based ACEs Configuring IPv4 based ACLs Configuring IPv4 B...

Page 236: ...rop action you must explicitly add ACEs into the ACL to permit all traffic including management traffic such as Telnet HTTP or SNMP that is directed to the switch itself For example if you do not want to discard all the packets that do not match the conditions in an ACL you must explicitly add a lowest priority ACE into the ACL that permits all the traffic If IGMP MLD Snooping is enabled at a port...

Page 237: ...mes can be referred to using this flow name and QoS can be applied to these frames see Configuring QoS Advanced Mode Creating ACLs Workflow To create ACLs and associate them with an interface perform the following STEP 1 Create one or more of the following types of ACLs MAC based ACL on the MAC Based ACL page and the MAC Based ACE page See Configuring MAC based ACLs and Configuring MAC based ACEs ...

Page 238: ...licy containing the class map from the interface on the Policy Binding page See Configuring Policy Binding for more details Delete the class map containing the ACL from the policy See Configuring QoS Policies for more details Delete the class map containing the ACL See Configuring Class Mapping for more details Configuring MAC based ACLs MAC based ACLs are used to filter traffic based on Layer 2 f...

Page 239: ...ame of the ACL to which the ACE is being added Priority Enter the priority of the ACE ACEs with higher priority are processed first One is the highest priority Action Select the action taken upon a match The options are Permit Forwards packets that meet the ACE criteria Deny Drops packets that meet the ACE criteria Shutdown Drops packets that meet the ACE criteria and disables the port from where ...

Page 240: ...imal integer and you write 0 for each four zeros In this example because 1111 1111 FF the mask would be written as 000000FFFFFF Source MAC Address Select Any if all source addresses are acceptable or select User Defined to enter a source address or a range of source addresses Source MAC Address Value Enter the MAC address to which the source MAC address will be matched and its mask if relevant Sou...

Page 241: ...ents of flow definitions for per flow QoS handling see Configuring QoS Advanced Mode IPv4 based ACLs are defined on the IPv4 Based ACL page The rules are defined on the IPv4 Based ACE page IPv6 based ACLs are defined on the IPv6 Based ACL page To define an IPv4 based ACL STEP 1 Click Access Control IPv4 Based ACL The IPv4 Based ACL Table displays all currently defined IPv4 based ACLs STEP 2 To add...

Page 242: ...assigned to the packet matching the ACE The options are Permit Forwards packets that meet the ACE criteria Deny Drops packets that meet the ACE criteria Shutdown Drops packet that meets the ACE criteria and disables the port to which the packet was addressed Ports are reactivated on the Port Management Error Recovery Settings page Protocol Creates an ACE based on a specific protocol or protocol ID...

Page 243: ...esses Source IP Address Value Enter the IP address to which the source IP address will be matched Source IP Wildcard Mask Enter the mask to define a range of IP addresses This mask is different than in other uses such as subnet mask Setting a bit as 1 indicates not to care and 0 indicates to mask that value Destination IP Address Select Any if all destination address are acceptable or select User ...

Page 244: ...e flag is SET Unset Match if the flag is Not SET Don t care Ignore the TCP flag Type of Service Select the service type of IP packets The options are Any Any service type DSCP to match Differentiated Serves Code Point DSCP to match IP Precedence to match IP precedence is a model of TOS type of service that the network uses to help provide the appropriate QoS commitments This model uses the 3 most ...

Page 245: ... IPv6 based ACL STEP 1 Click Access Control IPv6 Based ACL STEP 2 To add a new IPv6 based ACL click Add STEP 3 Enter the name of a new ACL in the ACL Name field The names are case sensitive STEP 4 Click Apply The IPv6 based ACL is defined and the Running Configuration is updated STEP 5 Click IPv6 Based ACE Table The IPv6 Based ACE page opens You can view and or add rules to this IPv6 based ACL See...

Page 246: ... Select from list Select one of the following protocols TCP Transmission Control Protocol Enables two hosts to communicate and exchange data streams TCP guarantees packet delivery and guarantees that packets are transmitted and received in the order they were sent UDP User Datagram Protocol Transmits packets but does not guarantee their delivery ICMP Matches packets to the Internet Control Message...

Page 247: ...configure the source and destination ports TCP Flags Select one of more TCP flags with which to filter packets Filtered packets are either forwarded or dropped Filtering packets by TCP flags increases packet control which increases network security Set Match if the flag is SET Unset Match if the flag is Not SET Don t care Ignore the TCP flag Type of Service Select the service type of IP packets Th...

Page 248: ...nterface can be bound to only one ACL multiple interfaces can be bound to the same ACL by grouping them into a policy map and binding that policy map to the interface After an ACL is bound to an interface it cannot be edited modified or deleted until it is removed from all interfaces to which it is bound or in use NOTE It is possible to either bind an interface to a policy or to an ACL but both ca...

Page 249: ...e following Select MAC Based ACL Select a MAC based ACL to be bound to the interface Select IPv4 Based ACL Select an IPv4 based ACL to be bound to the interface Select IPv6 Based ACL Select an IPv6 based ACL to be bound to the interface STEP 6 Click Apply The ACL binding setting is modified and the Running Configuration is updated NOTE If no ACL is selected the ACLs that are previously bound to th...

Page 250: ...nts The QoS feature is used to optimize network performance QoS provides the classification of incoming traffic to traffic classes based on the following attributes Device configuration Ingress interface Packet content Combination of these attributes QoS includes the following Traffic Classification Classifies each incoming packet as belonging to a specific traffic flow based on the packet content...

Page 251: ...de a per flow QoS consists of a class map and a policer A class map defines the kind of traffic in a flow and contains one or more ACLs Packets that match the ACLs belong to the flow A policer applies the configured QoS to a flow The QoS configuration of a flow may consist of egress queue the DSCP or CoS 802 1p value and actions on out of profile excess traffic Disable Mode All traffic is mapped t...

Page 252: ...to each IP precedence as described in the Mapping IP Precedence to Queue section STEP 5 Designate an egress queue to each IP DSCP TC value on the DSCP to Queue page as described in the Mapping DSCP to Queue section If the switch is in DSCP trusted mode incoming packets are put into the egress queues based on their DSCP TC values STEP 6 Remark the CoS 802 1p priority IP precedence and or DSCP value...

Page 253: ...s page to configure the QoS mode for the switch and define the default CoS priority for each interface To select the QoS mode and define the default CoS priority for each interface STEP 1 Click Quality of Service General QoS Properties STEP 2 Select the QoS mode basic advanced or disabled that will be active on the switch STEP 3 Click Apply The QoS mode is defined and the Running Configuration is ...

Page 254: ... provide the highest level of priority of traffic to the highest numbered queue Weighted Round Robin WRR In WRR mode the number of packets sent from the queue is proportional to the weight of the queue the higher the weight the more frames are sent The queuing modes can be selected on the Queue page When the queuing mode is by Strict Priority the priority sets the order in which queues are service...

Page 255: ...only if Strict Priority queues are empty WRR Weight If WRR is selected enter the WRR weight assigned to the queue of WRR Bandwidth Displays the amount of bandwidth assigned to the queue These values represent the percent of the WRR weight STEP 3 Click Apply The queues are defined and the Running Configuration is updated Mapping CoS 802 1p to a Queue Use the CoS 802 1p to Queue page to map 802 1p p...

Page 256: ...ter the following information 802 1p Displays the 802 1p priority tag values to be assigned to an egress queue where 0 is the lowest and 7 is the highest priority Output Queue Select the egress queue to which the 802 1p priority is mapped Eight egress queues are supported where Queue 8 is the highest priority egress queue and Queue 1 is the lowest priority egress queue For each 802 1p priority sel...

Page 257: ...to egress queues The DSCP to Queue table determines the egress queues of the incoming IP packets based on their DSCP values The original VLAN Priority Tag VPT of the packet is unchanged It is possible to achieve the desired QoS in a network by simply changing the DSCP to Queue mapping the queue schedule method and bandwidth allocation The DSCP to Queue mapping is applicable to IP packets if one of...

Page 258: ...y of Service General Queues to CoS 802 1p STEP 2 For each output queue select the CoS 802 1p priority to which egress traffic from the queue is remarked STEP 3 Click Apply The Running Configuration is updated STEP 4 Click Restore Defaults to restore the Queue to CoS 802 1p mappings to factory defaults Mapping Queue to IP Precedence To map egress queue to IP precedence STEP 1 Click Quality of Servi...

Page 259: ...ge to remark the CoS 802 1p priority IP precedence and DSCP value for egress traffic on a port The CoS 802 1p priority and IP or the CoS 802 1p priority and DSCP value can be remarked simultaneously but the DSCP value and IP cannot be remarked simultaneously To remark egress traffic on an interface STEP 1 Click Quality of Service General Remark Interface Settings STEP 2 Select the interface type P...

Page 260: ...ured Ingress Rate Limit Check Enable to enable the ingress rate limit and enter the maximum amount of bandwidth allowed on the port in the Ingress Rate Limit field Egress Shaping Rates Check Enable to enable egress shaping on the port and enter the maximum bandwidth for the egress interface in the Committed Information Rate CIR field STEP 4 Click Apply The bandwidth settings are modified and the R...

Page 261: ...n be sent STEP 4 Click Apply The Running Configuration is updated Configuring VLAN Rate Limit Rate limiting per VLAN performed on the VLAN Ingress Rate Limit page enables traffic limiting on VLANs QoS rate limiting configured on the Policy Table page has priority over VLAN rate limiting For example if a packet is subject to QoS rate limits but is also subject to VLAN rate limiting and the rate lim...

Page 262: ...imiting on the ports that are bound to a specific VLAN When VLAN port ingress rate limiting is configured it limits aggregate traffic from the specified ports on the switch This feature requires that the switch is in QoS basic mode or in QoS advanced mode If both bandwidth limitation and VLAN port ingress rate limit are enabled at the same time the smaller setting will take precedence To define th...

Page 263: ...Within that domain packets are marked with 802 1p priority and or DSCP to signal the type of service they require Nodes within the domain use these fields to assign the packet to a specific output queue The initial packet classification and marking of these fields is done in the ingress of the trusted domain To configure QoS basic mode perform the following STEP 1 Select the QoS basic mode for the...

Page 264: ...e QoS Basic Mode Global Settings STEP 2 Select the trust mode when the switch is in QoS basic mode If a packet CoS level and DSCP tag are mapped to separate queues the trust mode determines the queue to which the packet is assigned CoS 802 1p Traffic is mapped to queues based on the VPT field in the VLAN tag or based on the per port default CoS 802 1p value if there is no VLAN tag on the incoming ...

Page 265: ...e QoS on an interface select the desired interface and click Edit STEP 4 Enter the following information Interface Select the port or LAG to be defined QoS State Check Enable to enable QoS on this interface or uncheck to disable QoS on this interface STEP 5 Click Apply The Running Configuration is updated Configuring QoS Advanced Mode Frames that match an ACL and were permitted entrance are implic...

Page 266: ...n ACL can be configured to one or more class maps regardless of policies A class map can belong to only one policy When a class map using single policer is bound to multiple ports each port has its own instance of single policer each applying the QoS on the class map flow at a port independent of each other An aggregate policer will apply the QoS to all of its flows in aggregation regardless of po...

Page 267: ...the same policer aggregate policer on the Aggregate Policer page See Configuring Aggregate Policers Create a policy that associates a class map with the aggregate policer on the Policy Class Maps page STEP 8 Bind the policy to the interfaces on the Policy Binding page as described in the Configuring Policy Binding section Configuring Advanced QoS Global Settings Use the Global Settings page to sel...

Page 268: ... Mode Status is set to Not Trusted the default CoS values configured on the interface will be used for prioritizing the traffic arriving on the interface If you have a policy on an interface then the default mode is irrelevant the action is according to the policy configuration and unmatched traffic is dropped STEP 3 Click Apply The Running Configuration is updated Configuring Class Mapping A clas...

Page 269: ...in the class map The options are IP A packet must match either IPv4 based ACL or IPv6 based ACL in the class map MAC A packet must match the MAC based ACL in the class map MAC or IP A packet must match either the IP based ACL or the MAC based ACL in the class map IP Select an IPv4 based ACL or IPv6 based ACL for the class map MAC Select a MAC based ACL for the class map Preferred ACL Select whethe...

Page 270: ...policer is created on the Aggregate Policer page An aggregate policer is defined if the policer is to be shared with more than one class Policers on a port cannot be shared with other policers in another device Each policer is defined with its own QoS specification with a combination of the following parameters A maximum allowed rate called a Committed Information Rate CIR measured in kbps An acti...

Page 271: ...ated Configuring QoS Policies Use the Policy Table page to define advanced QoS polices Only those policies that are bound to an interface are active see the Configuring Policy Binding section Each policy consists of One or more class maps of ACLs which define the traffic flows in the policy One or more aggregates that apply the QoS to the traffic flows in the policy After a policy has been added c...

Page 272: ...t trust mode Ignores the ingress CoS 802 1p and or DSCP value The matching packets are sent as best effort Always Trust Always trust the CoS 802 1p and DSCP of the matching packet If a packet is an IP packet the switch will put the packet in the egress queue based on its DSCP value and the DSCP to Queue Table Otherwise the egress queue of the packet is based on the packet s CoS 802 1p value and th...

Page 273: ... to an interface it filters and applies QoS to ingress traffic that belongs to the flows defined in the policy The policy does not apply to traffic egress to the same interface NOTE To edit a policy it must first be removed unbound from all those ports to which it is bound To define policy binding STEP 1 Click Quality of Service QoS Advanced Mode Policy Binding STEP 2 Select an existing policy def...

Page 274: ...Users Configuring SNMP Communities Configuring SNMP Notification Recipients SNMP Versions and Workflow The Cisco 220 switch functions as an SNMP agent and supports SNMP v1 v2 and v3 It also reports system events to trap receivers using the traps defined in the Management Information Base MIB that it supports SNMP v1 and v2 To control access to the system a list of SNMP communities are defined Each...

Page 275: ...n an SNMP message or both authentication and privacy are enabled on an SNMP message However privacy cannot be enabled without authentication Timeliness Protects against message delay or playback attacks The SNMP agent compares the incoming message time stamp to the message arrival time Key Management Defines key generation key updates and key use The switch supports SNMP notification filters based...

Page 276: ...fication recipients on the SNMP Notification Recipients SNMPv1 2 page as described in the Configuring SNMPv1 2 Notification Recipients section If you decide to use SNMP v3 STEP 1 Define the SNMP engine on the SNMP Engine ID page as described in the Configuring SNMP Engine ID Either create a unique engine ID or use the default engine ID STEP 2 Optionally define SNMP views on the SNMP Views page as ...

Page 277: ...aps MIB RFC1493 4188 Bridge MIB RFC2618 RADIUS Client MIB RFC2674 Bridge MIB Extension RFC2737 Entity MIB RFC2819 RMON RFC2863 The Interface Group MIB RFC3164 Syslog MIB RFC3621 PoE MIB only available for PoE models RFC3635 Ethernet Like MIB SNMP COMMUNITY MIB SNMP MIB LLDP MIB LLDP EXT MED MIB IEEE802 3 Annex 30C MIB CISCO CDP MIB CISCO ENVMON MIB CISCO PORT SECURITY MIB CISCO IMAGE MIB CISCO CON...

Page 278: ...gine ID is comprised of the enterprise number and the default MAC address The SNMP Engine ID must be unique for the administrative domain so that no two devices in a network have the same Engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize Model Object ID SF220 24 1 3 6 1 4 1 9 6 1 84 24 1 SF220 24P...

Page 279: ...e is a hexadecimal string range 10 to 64 Each byte in the hexadecimal character strings is represented by two hexadecimal digits STEP 3 Click Apply The local Engine ID is defined and the Running Configuration is updated STEP 4 The Remote Engine ID Table lists all remote SNMP Engine IDs supported by the switch To add a remote Engine ID click Add STEP 5 Enter the following information Server Definit...

Page 280: ...ws The default views cannot be changed Views can be attached to groups on the SNMP Groups page or to a community which employs basic access mode on the SNMP Communities page To define SNMP views STEP 1 Click SNMP Views STEP 2 To add a new SNMP view click Add STEP 3 Enter the following information View Name Enter a unique view name Object ID Subtree Select User Defined to manually define an OID or ...

Page 281: ...In SNMPv3 there are three levels of security No security No authentication and no privacy Authentication Authentication and no privacy Authentication and privacy must be add the group with privacy SNMPv3 provides a means of controlling the content that each user can read or write and the notifications that they receive A group defines read or write privileges and a level of security It becomes ope...

Page 282: ... the SNMP message origins are authenticated View Choose a previously defined view for Read Write and Notify Associating a view with the Read Write and Notify access privileges of the group limits the scope of the MIB tree to which the group has read write and notify access Read Management access is read only for the selected view A read only view must be selected for an SNMP group Write Management...

Page 283: ...g to groups that have been deleted remain but they are inactive Authentication Method Select the authentication method that varies according to the Group Name assigned If the group does not require authentication then the user cannot configure any authentication The options are None No user authentication is used MD5 Uses a MD5 password or key to do the authentication SHA Uses a Secure Hash Algori...

Page 284: ...ic mode The access rights of a community can configure with Read Only or Read Write In addition you can restrict the access to the community to only certain MIB objects by selecting a view Advanced Mode The access rights of a community are defined by a group You can configure the group with a specific security model The access rights of a group are Read Write and Notify To define SNMP communities ...

Page 285: ...stem events as defined in RFC 1215 The system can generate traps defined in the MIB that it supports Trap receivers or notification recipients are network nodes where the trap messages are sent by the switch A list of notification recipients are defined as the targets of trap messages A trap receiver entry contains the IP address of the node and the SNMP credentials corresponding to the version th...

Page 286: ...ntified by IP address Recipient IP Address Name Enter the IP address or hostname of the recipient that the traps are sent UDP Port Enter the UDP port used for notifications on the recipient device Notification Type Select whether to send Traps or Informs If both are required two recipients must be created Timeout Enter the number of seconds that the switch waits before re sending informs The defau...

Page 287: ...ter the UDP port used for notifications on the recipient device Notification Type Select whether to send Traps or Informs If both are required two recipients must be created Timeout Enter the number of seconds that the switch waits before re sending informs The default is 15 seconds Retries Enter the number of times that the switch resends an inform request The default is 3 User Name Select the us...

Page 288: ...ected If the User Name was configured as No Authentication the Security Level will be No Authentication only However if the User Name has assigned Authentication and Privacy on the Users page the security level on this screen can be either No Authentication or Authentication or Privacy STEP 4 Click Apply The SNMPv3 notification recipient is defined and the Running Configuration is updated ...

Page 289: ... US support tsd_cisco_small_business _support_center_contacts html Cisco Firmware Downloads www cisco com go smallbizfirmware Select a link to download firmware for Cisco Products No login is required Cisco Open Source Requests www cisco com go smallbiz_opensource_request Cisco 220 Series Switches www cisco com go 220switches Warranty Information www cisco com go warranty Regulatory Compliance and...

Reviews:

No comments

Related manuals for SF220-24

Baseline 2226 Plus

Brand: 3Com Pages: 4

MMAC-Plus 9G426-02

Brand: Cabletron Systems Pages: 12

MMAC-Plus 9F310-02

Brand: Cabletron Systems Pages: 4

Brand: Cabletron Systems Pages: 16

Brand: cable matters Pages: 4

Brand: CableCreation Pages: 7

4-Port PoweredUSB 2.0 Hub 011006

Brand: CyberData Pages: 4

Brand: GBC Pages: 2

Brand: Silent Gliss Pages: 4

Brand: N-Tron Pages: 17

INTEGRAL Series

Brand: DAS AUDIO Pages: 45

Brand: IOGear Pages: 1

Brand: Crestron Pages: 36

Brand: H3C Pages: 39

Brand: IPGARD Pages: 2

Brand: Black Box Pages: 2

Brand: Gefen Pages: 48

Brand: Alloy Pages: 13

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands