Cisco SF500-24 Administration Manual Download Page 336 | Manualshive

Page: 336 / 477

background image

Configuring Security

Configuring 802.1X

Cisco 500 Series Stackable Managed Switch Administration Guide

327

18

open for all who want to access the network. If the host authentication fails,
or an EAPOL-logoff message is received, all attached clients are denied
access to the network.

•

Multiple Sessions—Enables the number of specific authorized hosts to
access the port. Each host is treated as if it were the first and only user and
must be authenticated. Filtering is based on the source MAC address.

To define 802.1X advanced settings for ports:

STEP 1

Click

Security

>

802.1X

>

Host and Session Authentication

. The

Host and

Session Authentication

page is displayed.

802.1X authentication parameters are described for all ports. All fields except the
following are described in the

Edit Host and Session Authentication

page.

•

Status

—Displays the host status. An asterisk indicates that the port is either

not linked or is down. The options are:

-

Unauthorized

—Either the port control is

Force Unauthorized

and the

port link is down, or the port control is

Auto

but a client has not been

authenticated via the port.

-

Force-Authorized

—Clients have full port access.

-

Single-host Lock

—Port control is

Auto

and only a single client has been

authenticated by using the port.

-

No Single Host

—Port control is

Auto

and Multiple Hosts mode is enabled.

At least one client has been authenticated.

-

Not in Auto Mode

—Auto port control is not enabled.

•

Number of Violations

—Displays the number of packets that arrive on the

interface in single-host mode, from a host whose MAC address is not the
supplicant MAC address.

STEP 2

Select a port, and click

Edit.

The

Edit Host and Session Authentication

page is

displayed.

STEP 3

Enter the parameters.

•

Interface

—Enter a port number for which host authentication is enabled.

•

Host Authentication

—Select one of the modes. These modes are

described above in

Defining Host and Session Authentication

.

NOTE

The following fields are only relevant if you select Single in the Host

Authentication field.

«
...
334
335
336
337
338
...
»

Summary of Contents for SF500-24

Page 1: ... Stackable Managed Switch Administration Guide 10 100 Switches SF500 24 SF500 24P SF500 48 SF500 48P Gigabit Switches SG500 28 SG500 28P SG500X 24 SG500X 24P SG500X 48 SG500X 48P SG500 52 SG500 52P ADMINISTRATION GUIDE ...

Page 2: ...Statistics 16 Viewing 802 1X EAP Statistics 19 Viewing TCAM Utilization 20 Managing RMON 22 Chapter 3 Managing System Logs 37 Setting System Log Settings 37 Setting Remote Logging Settings 39 Viewing Memory Logs 40 Chapter 4 Managing System Files 42 Upgrade Backup Firmware Language 46 Selecting the Active Image 49 Downloading or Backing up a Configuration or Log 51 Displaying Configuration File Cr...

Page 3: ... 6 General Administrative Information and Operations 36 System Information 38 Switch Models 42 Rebooting the Switch 46 Managing Stacked Switches 47 Assigning Unit IDs 53 Managing Stacks 61 TCAM Allocation 63 Monitoring the Fan Status and Temperature 65 Defining Idle Session Timeout 66 Pinging a Host 67 Traceroute 69 Chapter 7 System Time 71 System Time Options 72 Configuring System Time 75 Adding ...

Page 4: ...P 98 Configuring LLDP 99 Configuring CDP 132 Chapter 10 Port Management 146 Configuring Ports 146 Setting Basic Port Configuration 147 Configuring Link Aggregation 149 Configuring Green Ethernet 157 Chapter 11 Smartports 164 Overview 164 What is a Smartport 165 Smartport Types 165 Smartport Macros 168 Macro Failure and the Reset Operation 169 How the Smartport Feature Works 170 Auto Smartport 171 ...

Page 5: ...nfiguring VLAN Interface Settings 221 Defining VLAN Membership 223 GVRP Settings 228 VLAN Groups 232 Voice VLAN 240 Access Port Multicast TV VLAN 255 Customer Port Multicast TV VLAN 260 Chapter 14 Configuring the Spanning Tree Protocol 264 STP Flavors 265 Configuring STP Status and Global Settings 266 Defining Spanning Tree Interface Settings 269 Configuring Rapid Spanning Tree Settings 273 Multip...

Page 6: ...s 298 Adding IP Multicast Group Addresses 300 Configuring IGMP Snooping 301 MLD Snooping 303 Querying IGMP MLD IP Multicast Group 306 Defining Multicast Router Ports 307 Defining Forward All Multicast 308 Defining Unregistered Multicast Settings 309 Chapter 17 Configuring IP Information 311 Management and IP Interfaces 312 Defining VRRP 336 Defining IPv4 Routes 337 Defining RIP 339 Access Lists 33...

Page 7: ...ecurity 398 Configuring 802 1X 401 Denial of Service Prevention 420 Defining DHCP Snooping 432 IP Source Guard 432 Dynamic ARP Inspection 439 Chapter 19 Configuring DHCP 448 DHCP Snooping 449 DHCP Relay 449 Option 82 449 Interactions Between DHCP Snooping DHCP Relay and Option 82 451 DHCP Snooping Binding Database 455 DHCP GUI 459 465 Chapter 20 Access Control 466 Access Control Lists 466 Defining...

Page 8: ...ing SNMP Views 540 Creating SNMP Groups 541 Managing SNMP Users 543 Defining SNMP Communities 545 Defining Trap Settings 547 Notification Recipients 547 SNMP Notification Filters 551 Chapter 23 RIP 553 Overview 554 Limitations and Constraints 554 RIP Protocol Versions 555 How the RIP Protocol Works 555 How RIP Operates on the Device 561 Configuring RIP With CLI Commands 568 Configuring RIP Through...

Page 9: ...sements 605 Configuring VRRP To Remove from Admin Guide 605 Constraints and Interactions with Other Features 611 Configuring VRRP With CLI Commands 611 Configuring VRRP Through Web GUI 614 Chapter 25 Console Menu Interface 618 Connecting By Using a Terminal Emulation Application 618 Connecting By Using Telnet 621 Console Configuration Menu Navigation 622 Console Interface Main Menu 623 ...

Page 10: ...ons If you are using Internet Explorer 6 you cannot directly use an IPv6 address to access the switch You can however use the DNS Domain Name System server to create a domain name that contains the IPv6 address and then use that domain name in the address bar in place of the IPv6 address In Firefox the automatic pop up on top option is disabled by default Certain add ons enable this feature during...

Page 11: ... requests Chinese for example and Chinese has been loaded into your switch the Login page is automatically displayed in Chinese If Chinese has not been loaded into your switch the Login page is displayed in English The languages loaded into the switch have a language and country code en US en GB and so on For the Login page to be automatically displayed in a particular language based on the browse...

Page 12: ...rtup to prevent the Getting Started page from being displayed each time that you logon to the system If you select this option the System Summary page is opened instead of the Getting Started page Password Expiration The New Password page is displayed The first time you access the switch with the default username cisco and password cisco This page forces you to replace the factory default password...

Page 13: ... file After this save the red X icon and the Save application link are no longer displayed To logout click Logout in the top right corner of any page The system logs out of the switch When a timeout occurs or you intentionally log out of the system a message is displayed and the Login page opens with a message indicating the logged out state After you log in the application returns to the initial ...

Page 14: ...f devices Fast Ethernet 10 100 bits This are displayed as FE Gigabit Ethernet ports 10 100 1000 bits This are displayed as GE Create VLAN Create VLAN page Configure Port Settings Port Setting page Device Status System Summary System Summary page Port Statistics interface page RMON Statistics Statistics page View Log RAM Memory page Quick Access Change Device Password User Accounts page Upgrade Dev...

Page 15: ...splayed as XG LAG Port Channel These are displayed as LAG VLAN This are displayed as VLAN Tunnel This are displayed as Tunnel Unit Number Unit in stack In standalone models this is always 1 Slot Number The slot number is either 1 or 2 Slot number 1 identifies an SG500 or SG500X device Slot number 2 identifies an SF500 Interface Number Port LAG tunnel or VLAN ID ...

Page 16: ... Running Configuration file type by copying it to the Startup Configuration file type on the switch After this save the red X icon and the Save application link are no longer displayed When the switch is rebooted it copies the Startup Configuration file type to the Running Configuration and sets the switch parameters according to the data in the Running Configuration Username Displays the name of ...

Page 17: ...splay the page when there is not an active SYSLOG message follow the Status and Statistics View Log RAM Memory page path Management Buttons Button Name Description The Administrator can use the pull down menu to configure how many entries per page they wish to see at a time Indicates a mandatory field Add Click to display the related Add page and add an entry to a table Enter the information and c...

Page 18: ... Clear Logs Clears log files Clear Table Clears table entries Close Returns to main page If there are changes that were not applied to the Running Configuration a message is displayed Copy Settings A table typically contains one or more entries containing configuration settings Instead of modifying each entry individually it is possible to modify one entry and then copy it to multiple entries as d...

Page 19: ...ies for editing The Edit page opens and the entry can be modified 1 Click Apply to save the changes to the Running Configuration 2 Click Close to return to the main page Go Enter the query filtering criteria and click Go The results are displayed on the page Test Click Test to perform the related tests Management Buttons Continued Button Name Description ...

Page 20: ...es Viewing Etherlike Statistics Viewing GVRP Statistics Viewing 802 1X EAP Statistics Viewing TCAM Utilization Managing RMON Viewing Ethernet Interfaces The Interface page displays traffic statistics per port The refresh rate of the information can be selected This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast ...

Page 21: ... every 60 seconds The Receive Statistics area displays information about incoming packets Total Bytes Octets Octets received including bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets received Multicast Packets Good Multicast packets received Broadcast Packets Good Broadcast packets received Packets with Errors Packets with errors received The Transmit Sta...

Page 22: ...me that passes before the Etherlike statistics are refreshed The fields are displayed for the selected interface Frame Check Sequence FCS Errors Received frames that failed the CRC cyclic redundancy checks Single Collision Frames The number of frames involved in a single collision but were successfully transmitted Late Collisions Collisions that have been detected after the first 512 bits of data ...

Page 23: ...specific interface for which GVRP statistics are to be displayed Refresh Rate Select the time period that passes before the GVRP statistics page is refreshed The Attribute Counter block displays the counters for various types of packets per interface Join Empty Number of GVRP Join Empty packets received transmitted Empty Number of GVRP empty packets received transmitted Leave Empty Number of GVRP ...

Page 24: ...802 1x EAP page is displayed STEP 2 Select the Interface that is polled for statistics STEP 3 Select the time period Refresh Rate that passes before the EAP statistics are refreshed The values are displayed for the selected interface EAPOL Frames Received Valid EAPOL frames received on the port EAPOL Frames Transmitted Valid EAPOL frames transmitted by the port EAPOL Start Frames Received EAPOL St...

Page 25: ...e switch architecture uses a TCAM Ternary Content Addressable Memory to support extensive data search in a short period of time TCAM holds the rules produced by other applications such as ACLs Access Control Lists and Quality of Service QoS The maximum number of TCAM rules that can be allocated by all applications on the SG500X device is 3072 and the Sx500 device is 2048 Some applications allocate...

Page 26: ...ed Up Per User Entry Comments QoS Advanced Mode Rules Per port 6 device No limit 1 or 2 TCAM entries per rule Access Control Rules Per port 6 device No limit 1 or 2 TCAM entries per rule Protocol based VLAN Per port 0 No limit 1 or 2 Rules are duplicated for protocol based VLANs two rules per VLAN MAC Based VLAN Per port 0 No limit No limit Rules are duplicated for MAC based VLANs two rules per VL...

Page 27: ...tch reports events as they occur With this feature you can perform the following actions View statistics counter values as they are currently meaning since the last time they were cleared You can also collect the values of these counters over a period of time and then view the table of collected data where each collected set is a single line of the History tab Define interesting changes in counter...

Page 28: ... of good Broadcast packets received This number does not include Multicast packets Multicast Packets Received Number of good Multicast packets received CRC Align Errors Number of CRC and Align errors that have occurred Undersize Packets Number of undersized packets less than 64 octets received Oversize Packets Number of oversized packets over 1518 octets received Fragments Number of fragments pack...

Page 29: ...bytes that were received Frames greater than 1024 Bytes Number of frames containing 1024 2000 bytes and Jumbo Frames that were received To clear statistics counters Click Clear Interface Counters to clear the selected interface s counters Click Clear All Interface Counters to clear the counters of all interfaces Configuring RMON History The RMON feature enables monitoring statistics per interface ...

Page 30: ... the number of samples to store Sampling Interval Enter the time in seconds that samples were collected from the ports The field range is 1 3600 Owner Enter the RMON station or user that requested the RMON information STEP 4 Click Apply The entry is added to the History Control Table page and the Running Configuration file is updated STEP 5 Click History Table to view the actual statistics Viewing...

Page 31: ... Good Broadcast packets received This number does not include Multicast packets Multicast Packets Good Multicast packets received CRC Align Errors CRC and Align errors that have occurred Undersize Packets Undersized packets less than 64 octets received Oversize Packets Oversized packets over 1518 octets received Fragments Fragments packets with less than 64 octets received excluding framing bits b...

Page 32: ...e event entry index number for the new entry Community Enter the SNMP community string to be included when traps are sent optional Description Enter a name for the event This name is used in the Add RMON Alarm page to attach an alarm to an event Notification Type Select the type of action that results from this event Values are None No action occurs when the alarm goes off Log Event Log Table Add ...

Page 33: ... No Events log entry number Log No Log number within the event Log Time Time that the log entry was entered Description Description of event that triggered the alarm Defining RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on any counter or any other SNMP object counter maintained by the agent Both the rising and falling thresh...

Page 34: ...arm The options are Absolute If the threshold is passed an alarm is generated Delta Subtracts the last sampled value from the current value The difference in the values is compared to the threshold If the threshold was passed an alarm is generated Rising Threshold Enter the value that triggers the rising threshold alarm Rising Event Select an event from those that you defined in the Events table t...

Page 35: ...ide 26 2 Rising and Falling Both a rising and falling value triggers the alarm Interval Enter the alarm interval time in seconds Owner Enter the name of the user or network management system that receives the alarm STEP 4 Click Apply The RMON alarm is written to the Running Configuration file ...

Page 36: ...ts across reboots In addition you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages This section covers the following sections Setting System Log Settings Setting Remote Logging Settings Viewing Memory Logs Setting System Log Settings You can enable or disable logging on the Log Settings page and select whether to aggregate log messages You can select the eve...

Page 37: ... of the higher severity events to be automatically stored in the log Lower severity events are not stored in the log For example if Warning is selected all severity levels that are Warning and higher are stored in the log Emergency Alert Critical Error and Warning No events with severity level below Warning are stored Notice Informational and Debug To set global log parameters STEP 1 Click Adminis...

Page 38: ...page opens This page displays the list of remote log servers STEP 2 Click Add The Add Remote Log Server page opens STEP 3 Enter the parameters Server Definition Select whether to specify the remote log server by IP address or name IP Version Select the supported IP format IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies ...

Page 39: ...rity Select the minimum level of system log messages to be sent to the server STEP 4 Click Apply The Add Remote Log Server page closes the SYSLOG server is added and the Running Configuration file is updated Viewing Memory Logs The switch can write to the following logs Log in RAM cleared during reboot Log in Flash memory cleared only upon user command You can configure the messages that are writt...

Page 40: ...ing the event To clear the log messages click Clear Logs The messages are cleared Flash Memory The Flash Memory page displays the messages that were stored in the Flash memory in chronological order The minimum severity for logging is configured in the Log Settings page Flash logs remain when the switch is rebooted You can clear the logs manually To view the Flash logs click Status and Statistics ...

Page 41: ...ues for the device When a configuration is referenced on the switch it is referenced by its configuration file type such as Startup Configuration or Running Configuration as opposed to a file name that can be modified by the user Content can be copied from one file type to another but the names of the file types cannot be changed by the user Other files on the device include firmware boot code and...

Page 42: ...retained in Flash and is preserved when the switch is rebooted At this time the Startup Configuration is copied to RAM and identified as the Running Configuration Mirror Configuration A copy of the Startup Configuration created by the switch when the following conditions exist The switch has been operating continuously for 24 hours No configuration changes have been made to the Running Configurati...

Page 43: ...rmware or boot code or replace a second language as described in Upgrade Backup Firmware Language section View the firmware image currently in use or select the image to be used in the next reboot as described in the Selecting the Active Image section Save configuration files on the switch to a location on another device as described in the Downloading or Backing up a Configuration or Log section ...

Page 44: ...et been saved to the Startup Configuration file When you click Save the Copy Save Configuration page is displayed Save the Running Configuration file by copying it to the Startup Configuration file After this save the red X icon and the Save link is hidden This section covers the following topics Upgrade Backup Firmware Language Selecting the Active Image Downloading or Backing up a Configuration ...

Page 45: ... When you upgrade the firmware the new image always replaces the image identified as the inactive image After uploading new firmware on the switch the switch continues to boot by using the active image the old version until you change the status of the new image to be the active image by using the procedure in the Selecting the Active Image section Then boot the switch NOTE If the switch is runnin...

Page 46: ... types are described in the Files and File Types section Note that the boot code can only be upgraded via TFTP b Server Definition Select whether to specify the TFTP server by IP address or domain name c IP Version Select whether an IPv4 or an IPv6 address is used d IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts ...

Page 47: ...d If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks e Link Local Interface Select the link local interface if IPv6 is used from the list f TFTP Server IP Address Name Enter the IP address of the TFTP server g Destination File Name Enter the name...

Page 48: ...ntified as the inactive image to the active image You can reboot the switch by using the process described in the Rebooting the Switch section To select the active image STEP 1 Click Administration File Management Active Image The Active Image page opens The page displays the following Active Image Displays the image file that is currently active on the switch Active Image Version Number Displays ...

Page 49: ...ands When restoring a configuration file to the Startup Configuration or a backup configuration file the new file replaces the previous file When restoring to Startup Configuration the switch must be rebooted for the restored Startup Configuration to be used as the Running Configuration You can reboot the switch by using the process described in the Rebooting the Switch section To backup or restor...

Page 50: ... or the leading letter of the file name should not be a period and the file name should be between 1 and 160 characters Valid characters A Z a z 0 9 _ g Destination File Type Enter the destination configuration file type Only valid file types are displayed The file types are described in the Files and File Types section Backup Save Action Specifies that a file type is to be copied to a file on ano...

Page 51: ...ify that the file type on the switch is to be replaced with a new version of that file type from a file on another device do the following Otherwise go to the next procedure in this step a Source File Name Click Browse to select a file or enter the path and source file name to be used in the transfer b Destination File Type Select the configuration file type Only valid file types are displayed The...

Page 52: ...e Configuration Files Properties page opens This page provides the following fields Configuration File Name Displays the type of file Creation Time Displays the date and time that file was modified To clear the Startup Configuration file select it and click Clear Files Copying Configuration Files When you click Apply on any window changes that you made to the switch configuration settings are stor...

Page 53: ...STEP 3 Select the Destination File Name to be overwritten by the source file STEP 4 To disable enable blinking of Save icon click Disable Enable Save Icon Blinking STEP 5 Click Apply The file is copied Setting DHCP Auto Configuration DHCP Auto Configuration provides a means of passing configuration information automatically to the switch at the time it receives its IP address By default the switch...

Page 54: ...P addresses with each DHCP renew cycle IP addresses must be bound to MAC addresses in the DHCP server table This ensures that each device has its own reserved IP address and other relevant information To configure DHCP server auto configuration STEP 1 Click Administration File Management DHCP Auto Configuration The DHCP Auto Configuration page opens STEP 2 Enter the values Auto Configuration Via D...

Page 55: ... the switch in auto configuration NOTE The Last Auto Configuration TFTP Server IP Address and the Last Auto Configuration File Name are compared with the information received from a DHCP server when an IP address is received for the switch If these values do not match the switch transfers the configuration file from the TFTP server identified by the DHCP server into the Startup Configuration file ...

Page 56: ...ection describes how stacks are managed It covers the following topics Overview Types of Units in Stack Stack Ports Stack Topology Unit ID Assignment Master Selection Process Stack Changes and Unit ID Assignment Unit Failure in Stack Software Auto Synchronization in Stack Stack Configuration ...

Page 57: ...t all Sx500 and SG500X devices operate in Native Stacking Mode The units in a stack are connected through stack ports These devices are then collectively managed as a single logical device The stack is based on a single master backup and multiple slaves model An example of four devices connected into a stack is shown in Figure 1 Figure1 Stack Architecture A Stack provides the following benefits Ne...

Page 58: ...k consists of a maximum of four units A unit in a stack is one of the following types Master The master unit s ID must be either 1 or 2 The stack is managed through the master unit who manages itself the backup unit and the slave units Backup If the master unit fails the backup unit assumes the master role switchover The backup unit s ID must be either 1 or 2 Slave These units are managed by the m...

Page 59: ... s system mode Layer 2 or Layer 3 after reboot The startup configuration removal is done via the boot process at reboot The Layer 2 Layer 3 system mode of the backup and slaves units are derived from master unit This mode can be configured before the reboot process and might be affected after reboot Table1 describes whether the Startup Configuration and the system mode are retained after reboot Ta...

Page 60: ...ack ports must be set to the same speed in order for the stack to functions correctly When a Sx500 operates in stacking mode S1 and S2 operate as regular network ports and S3 and S4 operate as stack ports by default On the SG500X S1 and S2 are stack ports by default You can manually reconfigure S1 S2 and S3 S4 as network ports or stack ports as desired All the stack ports on a device operates in s...

Page 61: ...1G 10G 1G 1G 10G Cisco SFP H10GB CU5M Copper Cable 5G 1G 10G 1G 1G 10G Cisco SFP 10G SR Not supported Not supported 10G Not supported Not supported 10G Cisco SFP 10G LRM Not supported Not supported 10G Not supported Not supported 10G Cisco SFP 10G LR Not supported Not supported 10G Not supported Not supported 10G 1G SFP Module MGBSX1 1G 1G 1G 1G 1G 1G 1G SFP Module MGBLH1 1G 1G 1G 1G 1G 1G 1G SFP ...

Page 62: ...rced user speed EPROM speed 1G speed According to Forced user speed EPROM speed 1G speed 1G According to Forced user speed EPROM speed 1G speed According to Forced user speed EPROM speed 10G speed Table 3 Port Speeds Availability per Cable Type Stack Ports Network Ports Cable Type S1 S2 5G for SG500X and S3 S4 for Sx500 S1 S2 in Sx500 S1 S2 XG in SG500X S1 S2 5G for SG500X and S3 S4 for Sx500 S1 S...

Page 63: ...in a stack can be connected in one of the following types of topologies Chain Topology One stack port either left or right of the first unit is connected to the stack port in the second unit This is continued until all units in the stack are connected except for the first and last one Figure 2 shows a chain topology Figure 2 Stack in Chain Topology ...

Page 64: ...whereas the failure of one link in a chain connection causes the stack to be split Topology Discovery A stack is established by a process called topology discovery This process is triggered by a change in the up down status of a stack port The process is triggered in the following cases Changing the stack topology from a ring to a chain Merging two stacks into a single stack Splitting the stack In...

Page 65: ...ed Switch Administration Guide 56 5 During topology discovery each unit in a stack exchanges packets which contain topology information After the topology discovery process is completed each unit contains the stack mapping information table of all units in the stack ...

Page 66: ...licate Unit IDs If the user assigns the same unit ID to two separate units only one of them can join the stack with that unit ID If auto numbering has been selected the duplicate unit is assigned a new unit number If auto numbering was not selected the duplicate unit is shut down The following are examples of unit ID duplication that might occur Figure 4 shows a case where two units received the s...

Page 67: ...renumbered Figure 5 Duplicate Unit Renumbered Figure 6 shows a case where one of the duplicate units is renumbered The one with the lower MAC retains its unit ID see Master Selection Process for a description of this process Figure 6 Duplication Between Two Units With Auto Number Unit ID If a new stack has more than the maximum number of units 4 all extra units are shut down ...

Page 68: ... segments is selected as the master Note The up time of the backup unit is retained when it is selected as master in the switch failover process Unit ID If both units have the same number of time segments the unit with the lowest unit ID is selected MAC Address If both units IDs are the same the unit with the lowest MAC address is chosen NOTE For a stack to operate it must have a master unit A mas...

Page 69: ...nt Connecting Disconnecting a Stack Cable Connecting or disconnecting a stack cable or configuring a stack port link up or down triggers a topology change This can be the result of adding or removing a unit from the stack or from changing the stack topology between a chain and a ring Connecting a New Unit When a unit is inserted into the stack a stack topology change is triggered The unit ID is as...

Page 70: ...its that joined the stack are shut down and a notification is sent to the SYSLOG server Figure 7 shows an example of auto numbering when a master enabled unit joins the stack There are two units with unit ID 1 The master selection process selects the best unit to be the master unit it was up longer than the original one The other unit is made the backup Figure 7 Auto numbered Master enabled Unit F...

Page 71: ...aged Switch Administration Guide 62 5 Figure 9 shows what happens when a user assigned master enabled unit with Unit ID 1 joins a stack that already has a master unit with user assigned unit ID 1 Unit 1 does not join the stack and is shutdown Figure 9 User assigned Master enabled Unit ...

Page 72: ...onizes the backup immediately Synchronization is performed as soon as a command is executed This is transparent to the user If a unit is inserted into a running stack and is selected as a backup unit the master synchronizes it so that it has an up to date configuration and then generates a SYSLOG Master Backup Switchover When a master fails or when the user configures a force master on the backup ...

Page 73: ...r and the slave unit Packet forwarding on the slave unit resumes after the state of its ports are set to forwarding by the master according to STP NOTE Packet flooding to unknown unicast MAC addresses will occur until the MAC addresses are learned or relearned Reconnecting the Original Master Unit After Failover After failover if the original master is connected again the master selection process ...

Page 74: ...dware options see the Quick Start Guide From the System Mode and Stack Management page you can perform the following Change a standalone device to stacking mode Change the stacking mode the stack unit ID stack ports and the bit rate of the stack port of the devices in a stack Change the Layer 2 Layer3 system mode of a standalone or a stack Stack Settings To configure the stack at the stack level S...

Page 75: ...Standalone the device will be in Layer 2 mode after reboot unless the user changes the System Mode field to Layer 3 The following operational status and information of every unit in a stack are shown in the table Stack Unit Number Displays the unit ID of a known and active unit Model Name Model name of a known and active unit Port The name of the port that is connected Neighbor Name of the neighbo...

Page 76: ... unit will force itself to take on the master role after reboot This number can be either Auto which indicates that the system will number the unit or the number that was manually set in the Stack Unit Settings page Stack Ports The pair of ports that are to be used as stack ports if the unit is to remain in stacking mode after reboot Stack Port Speed The speed of the network ports for connecting t...

Page 77: ...cation Monitoring the Fan Status and Temperature Defining Idle Session Timeout Pinging a Host Traceroute System Information The System Summary page provides a graphic view of the switch and displays switch status hardware information firmware version information general Power over Ethernet PoE status and other items Displaying the System Summary To view system information click Status and Statisti...

Page 78: ...he three least significant bytes of the switch MAC address the six furthest right hexadecimal digits System Object ID Unique vendor identification of the network management subsystem contained in the entity used in SNMP System Uptime Time that has elapsed since the last reboot Current Time Current system time Base MAC Address Switch MAC address If the system is in stack mode the base MAC address o...

Page 79: ...ays whether HTTP is enabled disabled HTTPS Service Displays whether HTTPS is enabled disabled SNMP Service Displays whether SNMP is enabled disabled Telnet Service Displays whether Telnet is enabled disabled SSH Service Displays whether SSH is enabled disabled Click Edit to take you directly to the Security TCP UDP Services Page PoE Power Information on Master Unit Maximum Available PoE Power W Ma...

Page 80: ...lect the host name of this switch This is used in the prompt of CLI commands Use Default The default hostname System Name of these switches is switch123456 where 123456 represents the last three bytes of the switch MAC address in hex format User Defined Enter the hostname Use only letters digits and hyphens Host names cannot begin or end with a hyphen No other symbols punctuation characters or bla...

Page 81: ...ort VRRP and RIP Fast Ethernet 10 100 ports are designated as FE and Gigabit Ethernet ports 10 100 1000 are designated as GE in the table below NOTE Acronyms used for port descriptions have varied across software versions In previous releases e was used for fast Ethernet g for gigabit Ethernet in the GUI In the CLI fa is used for Fast Ethernet and gi for Gigabit Ethernet The following table descri...

Page 82: ...gabit PoE Stackable Managed Switch 375W 48 SG500X 24 SG500X 24 K9 24 Port Gigabit with 4 Port 10 Gigabit Stackable Managed Switch SG500X 24P SG500X 24P K9 24 Port Gigabit with 4 Port 10 Gigabit PoE Stackable Managed Switch 375W 24 SG500X 48 SG500X 48 K9 48 Port Gigabit with 4 Port 10 Gigabit Stackable Managed Switch SG500X 48P SG500X 48P K9 48 Port Gigabit with 4 Port 10 Gigabit PoE Stackable Mana...

Page 83: ...Administration Reboot The Reboot page opens STEP 2 Click one of the Reboot buttons to reboot the switch Clear Startup Configuration File Check to clear the configuration on the switch for the next time it boots up Reboot Reboots the switch Since any unsaved information in the Running Configuration is discarded when the switch is rebooted you must click Save in the upper right corner of any window ...

Page 84: ... entries per interface IP Hosts One entry per host Non IP Entries TCAM entries reserved for other applications such as ACL rules CoS policers and VLAN rate limits TCAM allocation can be modified incorrectly in one of the following ways The number of TCAM entries you allocate is less than the number currently in use The number of TCAM entries that you allocate is greater than the maximum available ...

Page 85: ... TCAM entries that have been used and the number still available IPv4 Routes Displays the number of IPv4 routes entries used and available IP Interfaces Displays the number of used and available IP interfaces entries IP Host Displays the number of IP host entries used and available Non IP Entries See definition above STEP 2 To change the TCAM allocation for IP entries on the Sx500 models only ente...

Page 86: ...e operating normally Temperature The internal temperature of the switch for relevant devices Defining Idle Session Timeout The Idle Session Timeout configures the time intervals that the management sessions can remain idle before they timeout and the user must login again to reestablish one of the following sessions HTTP Session Timeout HTTPS Session Timeout Console Session Timeout Telnet Session ...

Page 87: ...lobal as the type of IPv6 address to enter Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 ad...

Page 88: ...ceroute by entering the fields Host Definition Select whether hosts will be identified by their IP address or name IP Version If the host will be identified by its IP address select either IPv4 or IPv6 to indicate that it will be entered in the selected format IPv6 Address Type Select Link Local or Global as the type of IPv6 address to enter Link Local The IPv6 address uniquely identifies hosts on...

Page 89: ...is value is reached To use the default value 30 select Use Default Timeout Enter the length of time that the system waits for a frame to return before declaring it lost or select Use Default STEP 3 Click Activate Traceroute The operation is performed A page is displayed showing the Round Trip Time RTT and status for each trip in the fields Index Displays the number of the hop Host Displays a stop ...

Page 90: ...es systems reside For these reasons it is important that the time configured on the all devices on the network be accurate NOTE The switch supports Simple Network Time Protocol SNTP and when enabled the switch dynamically synchronizes the switch time with time from an SNTP server The switch operates only as an SNTP client and cannot provide time services to other devices This section describes the...

Page 91: ...EB login to the device When the user configures this feature for the first time if the time was not already set the device sets the time from the PC This way of setting time works with both HTTP and HTTPS connections SNTP Time can be received from SNTP time servers SNTP ensures accurate network time synchronization of the switch up to the millisecond by using an SNTP server for the clock source Wh...

Page 92: ...of the following ways Client Broadcast Reception passive mode SNTP server s broadcasts the time and the switch listens to these broadcasts When the switch is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmission active mode The switch as an SNTP client periodically requests SNTP time updates This mode can work in either of the following ways SNTP Anycast Clien...

Page 93: ... the system clock Main Clock Source SNTP Servers If you enable this the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in SNTP Interface Settings page Optionally enforce authentication of the SNTP sessions by using the SNTP Authentication page Alternate Clock Source PC via active HTTP HTTPS sessions Select to set the date and ...

Page 94: ...and the local time For example the Time Zone Offset for Paris is GMT 1 while the Time Zone Offset for New York is GMT 5 Daylight Savings Settings Select how DST is defined Daylight Savings Select to enable daylight Savings Time Time Set Offset Enter the number of minutes offset from GMT ranging from 1 1440 The default is 60 Daylight Savings Type Click one of the following USA DST will be set accor...

Page 95: ...are written to the Running Configuration file Adding a Unicast SNTP Server Up to eight Unicast SNTP servers can be configured NOTE To specify a Unicast SNTP server by name you must first configure DNS server s on the switch see the Defining DNS Servers section In order to add a Unicast SNTP server check the box enable SNTP Client Unicast To add a Unicast SNTP server STEP 1 Click Administration Tim...

Page 96: ...ve to the local clock in milliseconds The host determines the value of this offset using the algorithm described in RFC 2030 Delay The estimated round trip delay of the server s clock relative to the local clock over the network path between them in milliseconds The host determines the value of this delay using the algorithm described in RFC 2030 STEP 2 To add a Unicast SNTP server enable SNTP Cli...

Page 97: ...s type was selected SNTP Server Select the name of the SNTP server from a list of well known NTP servers If other is chosen enter name of SNTP server in the adjacent field Poll Interval Select to enable polling of the SNTP server for system time information All NTP servers that are registered for polling are polled and the clock is selected from the server with the lowest stratum level distance fr...

Page 98: ...the packets are transmitted to all SNTP servers on the subnet STEP 3 If the system is in Layer 3 router mode the 500X device is always in Layer 3 mode click Add to enter the interface for SNTP reception transmission The Add SNTP Interface Settings page opens Select an interface and select the reception transmission options STEP 4 Click Apply to save the settings to the Running Configuration file D...

Page 99: ...uthentication of an SNTP session between the switch and an SNTP server STEP 3 Click Apply to update the switch STEP 4 Click Add The Add SNTP Authentication page opens STEP 5 Enter the following parameters Authentication Key ID Enter the number used to identify this SNTP authentication key internally Authentication Key Enter the key used for authentication up to eight characters The SNTP server mus...

Page 100: ...ble tests performed on copper cables by the Virtual Cable Tester VCT VCT performs two types of tests Time Domain Reflectometry TDR technology tests the quality and characteristics of a copper cable attached to a port Cables of up to 140 meters long can be tested These results are displayed in the Test Results block of the Copper Test page DSP based tests are performed on active GE links to measure...

Page 101: ...ice are disrupted To test copper cables attached to ports STEP 1 Click Administration Diagnostics Copper Test The Copper Test page opens STEP 2 Select the port on which to run the test STEP 3 Click Copper Test STEP 4 When the message is displayed click OK to confirm that the link can go down or Cancel to abort the test The following fields are displayed in the Test Results block Last Update Time o...

Page 102: ...OTE TDR tests cannot be performed when the port speed is 10Mbit Sec Displaying Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable transceiver Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF 8472 MSA compatible SFPs The following FE SFP 100Mbps tran...

Page 103: ...s operating Voltage SFP s operating voltage Current SFP s current consumption Output Power Transmitted optical power Input Power Received optical power Transmitter Fault Remote SFP reports signal loss Values are True False and No Signal N S Loss of Signal Local SFP reports signal loss Values are True and False Data Ready SFP is operational Values are True and False Configuring Port and VLAN Mirror...

Page 104: ... 34 the status in port mirroring is set to Not Ready because the VLAN34 is no longer in the database and VLAN23 was not created manually Only one instance of mirroring is supported system wide The analyzer port or target port for VLAN mirroring or port mirroring is the same for all the mirrored VLANs or ports To enable mirroring STEP 1 Click Administration Diagnostics Port and VLAN Mirroring The P...

Page 105: ...tions are Rx Only Port mirroring on incoming packets Tx Only Port mirroring on outgoing packets Tx and Rx Port mirroring on both incoming and outgoing packets STEP 4 Click Apply Port mirroring is added to the Running Configuration Viewing CPU Utilization and Secure Core Technology This section describes the Secure Core Technology SCT and how to view CPU usage The switch handles the following types...

Page 106: ...uite Settings and click Details The CPU Utilization page opens The CPU Input Rate field displays the rate of input frames to the CPU per second STEP 3 Select CPU Utilization to enable viewing CPU resource utilization information The window displays a graph of the CPU utilization The Y axis is percentage of usage and the X axis is the sample number STEP 4 Select the Refresh Rate time period in seco...

Page 107: ...ity TCP UDP Services page to enable or disable the switch services The switch can be discovered by a network management system or other third party applications By default Bonjour is enabled on the Management VLAN The Bonjour console automatically detects the device and displays it Bonjour for a System in Layer 2 Mode When the switch is in Layer 2 mode Bonjour Discovery is enabled globally it cann...

Page 108: ...covery packets to interfaces with IP addresses that have been associated with Bonjour on the Bonjour Discovery Interface Control table When the switch is operating in Layer 3 mode go to IP Configuration Management and IP Interface IPv4 Interface to configure an IP address to an interface If a interface such as a VLAN is deleted Goodbye packets are sent to deregister services the switch is advertis...

Page 109: ...terminates and processes incoming LLDP and CDP packets as required by the protocols In LLDP and CDP advertisements are encoded as TLV Type Length Value in the packet The following are additional points about CDP LLDP configuration CDP LLDP can be globally enabled or disabled and enabled disabled per port The CDP LLDP capability of a port is relevant only if CDP LLDP is globally enabled If CDP LLDP...

Page 110: ...tch will transmit and receive CDP LLDP packets to and from the interface only if the interface is authenticated and authorized If a port is the target of mirroring then for CDP LLDP it is considered down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise themselves and their capabilities In deployments where the CDP LLDP capable devices are not ...

Page 111: ...ese MIB databases LLDP is a link layer protocol By default the switch terminates and processes all incoming LLDP packets as required by the protocol The LLDP protocol has an extension called LLDP Media Endpoint Discovery LLDP MED which provides and accepts information from media endpoint devices such as VoIP phones and video phones For further information about LLDP MED see LLDP MED LLDP Configura...

Page 112: ...pens STEP 2 Enter the parameters LLDP Status Select to enable LLDP on the switch selected by default LLDP Frames Handling If LLDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Filtering Delete the packet Flooding Forward the packet to all VLAN members TLV Advertise Interval Enter the rate in seconds at which LLDP advertisement updates are s...

Page 113: ...ettings The Port Settings page enables activating LLDP and SNMP notification per port and entering the TLVs that are sent in the LLDP PDU The LLDP MED TLVs to be advertised can be selected in the LLDP MED Port Settings page and the management address TLV of the switch may be configured To define the LLDP port settings STEP 1 Click Administration Discovery LLDP Port Settings The Port Settings page ...

Page 114: ...lpha numeric format This includes the system s name and versions of the hardware operating system and networking software supported by the switch The value equals the sysDescr object System Capabilities Primary functions of the switch and whether or not these functions are enabled in the switch The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Rou...

Page 115: ...d with multiple IP addresses IP Address If Manual Advertise was selected select the Management IP address from the addresses provided STEP 3 Enter the relevant information and click Apply The port settings are written to the Running Configuration file LLDP MED LLDP Media Endpoint Discovery LLDP MED is an extension of LLDP that provides the following additional capabilities to support media endpoin...

Page 116: ...ly create the VLANs and their port memberships according to the network policies and their associated interfaces In addition an administrator can instruct the switch to automatically generate and advertise a network policy for voice application based on the voice VLAN maintained by the switch Refer the Auto Voice VLAN section for details on how the switch maintains its voice VLAN To define an LLDP...

Page 117: ...MED Port Settings Configuring LLDP MED Port Settings The LLDP MED Port Settings page enables the selection of the LLDP MED TLVs and or the network policies to be included in the outgoing LLDP advertisement for the desired interfaces Network Policies are configured using the LLDP MED Network Policy page NOTE If LLDP MED Network Policy for Voice Application LLDP MED Network Policy Page is Auto and A...

Page 118: ...y moving them to the Selected Optional TLVs list Available Network Policies Select the LLDP MED policies that will be published by LLDP by moving them to the Selected Network Policies list These were created in the LLDP MED Network Policy page To include one or more user defined network polices in the advertisement you must also select Network Policy from the Available Optional TLVs NOTE The follo...

Page 119: ...assis ID for example MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the switch is displayed System Name Name of switch System Description Description of the switch in alpha numeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled System Capabilities Primary enabled function s...

Page 120: ... example the MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the switch is displayed System Name Name of switch System Description Description of the switch in alpha numeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled System Capabilities Primary enabled function s of the ...

Page 121: ...g digital data conversion from the Ethernet interfaces collision detection and bit injection into the network for example 100BASE TX full duplex mode 802 3 Details 802 3 Maximum Frame Size The maximum supported IEEE 802 3 frame size 802 3 Link Aggregation Aggregation Capability Indicates whether the interface can be aggregated Aggregation Status Indicates whether the interface is aggregated Aggreg...

Page 122: ... offering media streaming capabilities as well as all Class 1 features Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support and device information management capabilities PoE Device Type Port PoE type for example powered PoE Power Source Port power source PoE Power Priority Port power priority PoE Power Value Po...

Page 123: ...y DSCP Displaying LLDP Neighbors Information The LLDP Neighbors Information page displays information that was received from neighboring devices After timeout based on the value received from the neighbor Time To Live TLV during which no LLDP PDU was received from a neighbor the information is deleted To view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbors ...

Page 124: ...ormation about the port including manufacturer product name and hardware software version System Name Name of system that is published System Description Description of the network entity in alpha numeric format This includes the system name and versions of the hardware operating system and networking software supported by the device The value equals the sysDescr object Supported System Capabiliti...

Page 125: ...l duplex mode 802 3 Power via MDI MDI Power Support Port Class Advertised power support port class PSE MDI Power Support Indicates if MDI power is supported on the port PSE MDI Power State Indicates if MDI power is enabled on the port PSE Power Pair Control Ability Indicates if power pair control is supported on the port PSE Power Pair Power pair control type supported on the port PSE Power Class ...

Page 126: ...MED endpoint device class The possible device classes are Endpoint Class 1 Indicates a generic endpoint class offering basic LLDP services Endpoint Class 2 Indicates a media endpoint class offering media streaming capabilities as well as all Class 1 features Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support a...

Page 127: ...ion Enter the following data structures in hexadecimal as described in section 10 2 4 of the ANSI TIA 1057 standard Civic Civic or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s Emergency Call Service ECS Emergency Location Identification Number ELIN Unknown Unknown location information Network Policies Application Type Network policy applicat...

Page 128: ...ded Errors Total number of received frames with errors Rx TLVs Discarded Total number of received TLVs that were discarded Unrecognized Total number of received TLVs that were unrecognized Neighbor s Information Deletion Count Number of neighbor ageouts on the interface STEP 2 Click Refresh to view the latest statistics LLDP Overloading LLDP adds information as LLDP and LLDP MED TLVs into the LLDP...

Page 129: ...port select it and click Details The LLDP Overloading Details opens This page displays the following information for each TLV sent on the port LLDP Mandatory TLVs Size Bytes Total mandatory TLV byte size Status If the mandatory TLV group is being transmitted or if the TLV group was overloaded LLDP MED Capabilities Size Bytes Total LLDP MED capabilities packets byte size Status If the LLDP MED capa...

Page 130: ...DP MED 802 3 TLVs packets were sent or if they were overloaded LLDP Optional TLVs Size Bytes Total LLDP MED optional TLVs packets byte size Status If the LLDP MED optional TLVs packets were sent or if they were overloaded LLDP MED Inventory Size Bytes Total LLDP MED inventory TLVs packets byte size Status If the LLDP MED inventory packets were sent or if they were overloaded Total Bytes Total numb...

Page 131: ... proprietary protocol CDP Configuration Workflow The followings is sample workflow in configuring CDP on the switch You can also find additional CDP configuration guidelines in the LLDP CDP section STEP 1 Enter the CDP global parameters using the CDP Properties page STEP 2 Configure CDP per interface using the Interface Setting page STEP 3 If Auto Smartport is to detect the capabilities of CDP dev...

Page 132: ...er is incremented CDP Version Select the version of CDP to use CDP Hold Time Amount of time that CDP packets are held before the packets are discarded measured in multiples of the TLV Advertise Interval For example if the TLV Advertise Interval is 30 seconds and the Hold Multiplier is 4 then the LLDP packets are discarded after 120 seconds The following options are possible Use Default Use the def...

Page 133: ...al device is advertising STEP 3 Click Apply The LLDP properties are defined Editing CDP Interface Settings The Interface Settings page enables administrators to enable disable CDP per port Notifications can also be triggered when there are conflicts with CDP neighbors The conflict can be Voice VLAN data Native VLAN or Duplex By setting these properties it is possible to select the types of informa...

Page 134: ... fields are operational when the switch has been set up to send traps to the management station Syslog Voice VLAN Mismatch Select to enable the option of sending a SYSLOG message when a voice VLAN mismatch is detected This means that the voice VLAN information in the incoming frame does not match what the local device is advertising Syslog Native VLAN Mismatch Select to enable the option of sendin...

Page 135: ...V Device ID Type Type of the device ID advertised in the device ID TLV Device ID Device ID advertised in the device ID TLV Address TLV Address1 3 IP addresses advertised in the device address TLV Port TLV Port ID Identifier of port advertised in the port TLV Capabilities TLV Capabilities Capabilities advertised in the port TLV Version TLV Version Information about the software release on which the...

Page 136: ...ort this fields displays the Layer 2 CoS value meaning an 802 1D 802 1p priority value This is the COS value with which all packets received on an untrusted port are remarked by the device Power TLV Request ID Last power request ID received echoes the Request ID field last received in a Power Requested TLV It is 0 if no Power Requested TLV was received since the interface last transitioned to Up P...

Page 137: ...vertisement Version CDP protocol version Time to Live sec Time interval in seconds after which the information for this neighbor is deleted Capabilities Capabilities advertised by neighbor Platform Information from Platform TLV of neighbor Neighbor Interface Outgoing interface of the neighbor STEP 2 Select a device and click Details The CDP Neighbors Details page opens This page displays the follo...

Page 138: ...sco Discovery Protocol CDP frames that were sent or received from a port CDP packets are received from devices attached to the switches interfaces and are used for the Smartport feature See Configuring CDP for more information CDP statistics for a port are only displayed if CDP is enabled globally and on the port This is done in the CDP Properties page and the CDP Interface Settings page To view C...

Page 139: ...ckets received with errors other than illegal checksums Neighbors Over Maximum Number of times that packet information could not be stored in cache because of lack of room To clear all counters on all interfaces click Clear All Interface Counters To clear all counters on an interface select it and click Clear All Interface Counters ...

Page 140: ...l and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters for the ports that are members or candidates of a dynamic LAG by using the LACP page 5 Configure Green Ethernet and 802 3 Energ...

Page 141: ...mbo frames configuration changes take effect only after the Running Configuration is explicitly saved to the Startup Configuration File using the Copy Save Configuration page and the switch is rebooted STEP 4 To update the port settings select the desired port and click Edit The Edit Port Settings page opens STEP 5 Modify the following parameters Interface Select the port number Port Description E...

Page 142: ...t auto negotiation status on the port Administrative Port Speed Configure the speed of the port The port type determines which the available speeds You can designate Administrative Speed only when port auto negotiation is disabled Operational Port Speed Displays the current port speed that is the result of negotiation Administrative Duplex Mode Select the port duplex mode This field is configurabl...

Page 143: ...ontrol or enable the auto negotiation of Flow Control on the port only when in Full Duplex mode MDI MDIX the Media Dependent Interface MDI Media Dependent Interface with Crossover MDIX status on the port The options are MDIX Select to swap the port s transmit and receives pairs MDI Select to connect this switch to a station by using a straight through cable Auto Select to configure this switch to ...

Page 144: ...Aggregation Overview Static and Dynamic LAG Workflow Defining LAG Management Configuring LAG Settings Configuring LACP Link Aggregation Overview Link Aggregation Control Protocol LACP is part of the IEEE specification 802 3az that enables you to bundle several physical ports together to form a single logical channel LAG LAGs multiply the bandwidth increase port flexibility and provide link redunda...

Page 145: ...ses of all packets By IP and MAC Addresses Based on the destination and source IP addresses for IP packets and destination and source MAC addresses for non IP packets LAG Management In general a LAG is treated by the system as a single logical port In particular the LAG has port attributes similar to a regular port such as state and speed The switch supports eight LAGs Every LAG has the following ...

Page 146: ...ed and flow control by using the LAG Settings page To configure a dynamic LAG perform the following actions 1 Enable LACP on the LAG Assign up to 16 candidates ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List by using the LAG Management page 2 Configure various aspects of the LAG such as speed and flow control by using the LAG Settings page 3 Se...

Page 147: ...it a dynamic LAG This field can only be enabled after moving a port to the LAG in the next field Port List Move those ports that are to be assigned to the LAG from the Port List to the LAG Members list Up to eight ports per static LAG can be assigned and 16 ports can be assigned to a dynamic LAG Unit Slot Displays the stacking member for which LAG information is defined STEP 3 Click Apply LAG memb...

Page 148: ...w Control default is disabled It is recommended to keep auto negotiation enabled on both sides of an aggregate link or disabled on both sides while ensuring that link speeds are identical Operational Auto Negotiation Displays the auto negotiation setting Administrative Speed Select the LAG speed Operational LAG Speed Displays the current speed at which the LAG is operating Administrative Advertise...

Page 149: ...more than eight candidate ports The selected candidate ports of the LAG are all connected to the same remote device Both the local and remote switches have a LACP system priority The following algorithm is used to determine whether LACP port priorities are taken from the local or remote device the local LACP System Priority is compared to the remote LACP System Priority The device with the lowest ...

Page 150: ...en the sending and receiving of consecutive LACP PDUs With all factors equal when the LAG is configured with more candidate ports than the maximum number of active ports allowed the switch selects ports as active from the dynamic LAG that has the highest priority NOTE The LACP setting is irrelevant on ports that are not members of a dynamic LAG To define the LACP settings STEP 1 Click Port Managem...

Page 151: ...inistrative status of the port Up Recovery from this mode to full operational mode is fast transparent and no frames are lost This mode is supported on both GE and FE ports Short Reach Mode This feature provides for power savings on a short length of cable After cable length is analyzed the power usage is adjusted for various cable lengths If the cable is shorter than 50 meters the switch uses les...

Page 152: ...ult Configuration Interactions Between Features 802 3az EEE Configuration Workflow 802 3az EEE Overview 802 3az EEE is designed to save power when there is no traffic on the link In Green Ethernet power is reduced when the port is down With 802 3az EEE power is reduced when the port is up but there is no traffic on it 802 3az EEE is only supported on devices with GE ports When using 802 3az EEE sy...

Page 153: ...process both link partners to exchange their 802 3az EEE capabilities Auto Negotiation functions automatically without user interaction when it is enabled on the device NOTE If Auto Negotiation is not enabled on a port the EEE is disabled The only exception is if the link speed is 1GB then EEE will still e enabled even though Auto Negotiation is disabled Link Level Discovery for 802 3az EEE In add...

Page 154: ...tion field to ensure that it is Enabled STEP 2 Ensure that 802 3 Energy Efficient Ethernet EEE is globally enabled in the Port Management Green Ethernet Properties page it is enabled by default This page also displays how much energy has been saved STEP 3 Ensure that 802 3az EEE is enabled on a port by opening the Green Ethernet Port Settings page a Select a port open the Edit Port Setting page b ...

Page 155: ...rt Reach mode if there are GE ports on the switch If this mode is changed a message is displayed The field still shows on switches that do not have GE ports but is invalid NOTE If Short Reach is enabled EEE should be disabled 802 3 Energy Efficient Ethernet EEE Globally enable or disable EEE mode only available if there are GE ports on the switch If this mode is changed a message is displayed Powe...

Page 156: ...ttings STEP 1 Click Port Management Green Ethernet Port Settings The Port Settings page opens The Port Settings page displays the following Global Parameter Status Describes the enabled features For each port the following fields are described Port The port number Energy Detect State of the port regarding Energy Detect mode Administrative Displays whether Energy Detect mode was enabled Operational...

Page 157: ...n both the local and remote link partners NOTE The window displays the Short Reach Energy Detect and EEE settings for each port however they are not enabled on any port unless they are also enabled globally by using the Properties page To enable Short Reach and EEE globally see the Setting Global Green Ethernet Properties section STEP 2 Select a Port and click Edit The Edit Port Setting page opens...

Page 158: ...ailure and the Reset Operation Auto Smartport Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Web GUI Built in Smartport Macros Overview The Smartport feature provides a convenient way to save and share common configurations By applying the same Smartport macro to multiple interfaces the interfaces share a common set of configurations A Sm...

Page 159: ...martport type of the attaching device is automatically applied The Smartport feature consists of various components and works in conjunction with other features on the switch These components and features are described in the following sections Smartport Smartport types and Smartport macros described in this section Voice VLAN and Smartport described in the Voice VLAN section LLDP CDP for Smartpor...

Page 160: ...iated with two Smartport macros One macro called the macro serves to apply the desired configuration The other called the anti macro serves to undo all configuration performed by the macro when that interface happens to become a different Smartport type You can apply a Smartport macro by the following methods The macro name The associated Smartport type Statically from a Smartport macro by name on...

Page 161: ... signify the state of the interface regarding smartport The following describe these special Smartport types Default An interface that does not yet have a Smartport type assigned to it has the Default Smartport status Table 4 Smartport Type Supported by Auto Smartport Supported by Auto Smartport by default Unknown No No Default No No Printer No No Desktop No No Guest No No Server No No Host Yes No...

Page 162: ...Smartport Tasks section for troubleshooting tips NOTE Throughout this section the term aged out is used to describe the LLDP and CDP messages via their TTL If Auto Smartport is enabled and persistent status is disabled and no more CDP or LLDP messages are received on the interface before both TTLs of the most recent CDP and LLDP packets decrease to 0 then the anti macro will run and the Smartport ...

Page 163: ...Smartport Macros section for a listing of the built in Smartport macros for each device type Applying a Smartport Type to an Interface When Smartport types are applied to interfaces the Smartport types and configuration in the associated Smartport macros are saved in the Running Configuration File If the administrator saves the Running Configuration File into the Startup Configuration File the swi...

Page 164: ...iguration or Smartport macro is corrected you must perform a reset operation to reset the interface before it can be reapplied with a Smartport type in the Interface Settings pages See the workflow area in Common Smartport Tasks section for troubleshooting tips How the Smartport Feature Works You can apply a Smartport macro to an interface by the macro name or by the Smartport type associated with...

Page 165: ...and the anti macro runs in exactly the same manner removing all of the interface configuration Auto Smartport In order for Auto Smartport to automatically assign Smartport types to interfaces the Auto Smartport feature must be enabled globally and on the relevant interfaces which Auto Smartport should be allowed to configure By default Auto Smartport is enabled and allowed to configure all interfa...

Page 166: ...ch applies a Smartport macro to the interface based on the Smartport type of the attaching device Auto SmartPort derives the SmartPort types of attaching devices based on the CDP and or LLDP the devices advertise If for example an IP phone is attached to a port it transmits CDP or LLDP packets that advertise its capabilities After reception of these CDP and or LLDP packets the switch derives the a...

Page 167: ...filtering 0x20 Ignore Repeater 0x40 Ignore VoIP Phone 0x80 ip_phone Remotely Managed Device 0x100 Ignore CAST Phone Port 0x200 Ignore Two Port MAC Relay 0x400 Ignore Table 6 LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IETF RFC 2108 2 Ignore MAC Bridge IEEE Std 802 1D 3 Switch WLAN Access Point IEEE Std 802 11 MIB 4 Wireless Access Poi...

Page 168: ...lict the matching Smartport type is applied to the interface If one of the devices is a switch the Switch Smartport type is used If one of the devices is an AP the Wireless Access Point Smartport type is used If one of the devices is an IP phone and another device is a host the ip_phone_desktop Smartport type is used If one of the devices is an IP phone desktop and the other is an IP phone or host...

Page 169: ...e switch is rebooted Enabling Persistent status on an interface eliminates the device detection delay that otherwise occurs NOTE The persistence of the Smartport types applied to the interfaces are effective between reboots only if the running configuration with the Smartport type applied at the interfaces is saved to the startup configuration file Error Handling When a smart port macro fails to a...

Page 170: ...n the switch and to configure a port with Auto Smartport perform the following steps STEP 1 To enable the Auto Smartport feature on the switch open the Smartport Properties page Set Administrative Auto Smartport to Enable or Enable by Voice VLAN STEP 2 Select whether the switch is to process CDP and or LLDP advertisements from connected devices STEP 3 Select which type of devices will be detected ...

Page 171: ...ew the macro source Change parameter defaults Restore the parameter defaults to the factory settings Bind a user defined macro pair a macro and its corresponding anti macro to a Smartport type 1 Open the Smartport Smartport Type Settings page 2 Select the Smartport Type 3 Click View Macro Source to view the current Smartport macro that is associated with the selected Smartport Type 4 Click Edit to...

Page 172: ... the Interface Settings page select the Port Type equals to checkbox STEP 2 Select Unknown and click Go STEP 3 Click Reset All Unknown Smartports Then reapply the macro as described above TIP The reason that the macro failed might be a conflict with a configuration on the interface made prior to applying the macro most often encountered with security and storm control settings a wrong port type a ...

Page 173: ... incoming CDP LLDP or both types of packets are used to detect the Smartport type of the attaching device s At least one must be checked in order for Auto Smartport to identify devices Operational CDP Status Displays the operational status of CDP Enable CDP if Auto Smartport is to detect the Smartport type based on CDP advertisement Operational LLDP Status Displays the operational status of LLDP E...

Page 174: ...binding an invalid macro or setting an invalid default parameter value will cause all ports of this Smartport type to become unknown STEP 1 Click Smartport Smartport Type Settings The Smartport Type Settings page opens STEP 2 To view the Smartport macro associated with a Smartport type select a Smartport type and click View Macro Source STEP 3 To modify the parameters of a macro or assign a user d...

Page 175: ... applying the associated macro Smartport Interface Settings Use the Interface Settings page to perform the following tasks Statically apply a specific Smartport type to an interface with interface specific values for the macro parameters Enable Auto Smartport on an interface Diagnose a Smartport macro that failed upon application and caused the Smartport type to become Unknown Reapply a Smartport ...

Page 176: ...d click Show Diagnostic This displays the command at which application of the macro failed See the workflow area in Common Smartport Tasks section for troubleshooting tips Proceed to reapply the macro after correcting the problem STEP 3 Resetting all Unknown interfaces to Default type Select the Port Type equals to checkbox Select Unknown and click Go Click Reset All Unknown Smartports Then reappl...

Page 177: ...nterface goes down or the switch is rebooted Persistent is applicable only if the Smartport Application of the interface is Auto Smartport Enabling Persistent at an interface eliminates the device detection delay that otherwise will occur Macro Parameters Displays the following fields for up to three parameters in the macro Parameter Name Name of parameter in macro Parameter Value Current value of...

Page 178: ...Smartports Built in Smartport Macros Cisco 500 Series Stackable Managed Switch Administration Guide 169 11 printer guest server host ip_camera ip_phone ip_phone_desktop switch router ap ...

Page 179: ...native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smar...

Page 180: ... description No Desktop no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto ...

Page 181: ...hich will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast e...

Page 182: ...173 11 no_printer no_printer macro description No printer no switchport access vlan no switchport mode no port security no port security mode no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto ...

Page 183: ...h will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enab...

Page 184: ...de 175 11 no_guest no_guest macro description No guest no switchport access vlan no switchport mode no port security no port security mode no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto ...

Page 185: ...red on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport...

Page 186: ...server no_server macro description No server no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level spanning tree portfast auto ...

Page 187: ...s The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include m...

Page 188: ...escription No host no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto ...

Page 189: ...tive_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree p...

Page 190: ... 11 no_ip_camera no_ip_camera macro description No ip_camera no switchport access vlan no switchport mode no port security no port security mode no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto ...

Page 191: ...VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level...

Page 192: ... The voice VLAN ID Default Values are voice_vlan 1 smartport switchport trunk allowed vlan remove voice_vlan no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanni...

Page 193: ...n The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control bro...

Page 194: ...n voice_vlan The voice VLAN ID Default Values are voice_vlan 1 smartport switchport trunk allowed vlan remove voice_vlan no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include mult...

Page 195: ...s native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan spanning tree link type point to point ...

Page 196: ...tch Administration Guide 187 11 no_switch no_switch macro description No switch macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no spanning tree link type ...

Page 197: ...tion native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree link type point to poi...

Page 198: ...o_router macro description No router macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no smartport storm control broadcast enable no smartport storm control broadcast level no spanning tree link type ...

Page 199: ...ve_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan spanning tree link type point to point ...

Page 200: ...ed Switch Administration Guide 191 11 no_ap no_ap macro description No ap macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no spanning tree link type ...

Page 201: ...Priority and Class PoE on the Switch A PoE switch is PSE Power Sourcing Equipment that delivers electrical power to connected PD Powered Devices over existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure PoE Features PoE provides the following features Eliminates the need to run 110 220 V AC power to all devices on...

Page 202: ...ts class which is the amount of maximum power that the PD consumes Power Consumption After the classification stage completes the PSE provides power to the PD If the PD supports PoE but without classification it is assumed to be class 0 the maximum If a PD tries to consume more power than permitted by the standard the PSE stops supplying power to the port PoE supports two modes Port Limit The maxi...

Page 203: ...the switch than the configured allocation allows no matter if the switch is in Class Limit or Port Limit mode the switch does the following Maintains the up down status of the PoE port link Turns off power delivery to the PoE port Logs the reason for turning off power Generates an SNMP trap NOTE When a lower voltage PoE switch is connected to the SG500 series switch with PoE and connected via PoE ...

Page 204: ...ou must also enable SNMP and configure at least one SNMP Notification Recipient Power Trap Threshold Enter the usage threshold that is a percentage of the power limit An alarm is initiated if the power exceeds this value The following counters are displayed for each device or for all the units of the stack Nominal Power The total amount of power the switch can supply to all the connected PDs Consu...

Page 205: ... configures all ports to allocate up to 30 watts This results in 48 times 30 ports equalling 1440 watts which is too much The switch cannot provide enough power to each port so it provides power according to the priority The administrator sets the priority for each port allocating how much power it can be given These priorities are entered in the PoE Settings page See the Chapter 6 Switch Models t...

Page 206: ...layed only if the Power Mode set in the PoE Properties page is Class Limit The class determines the power level Power Consumption Displays the amount of power in milliwatts assigned to the powered device connected to the selected interface Overload Counter Displays the total number of power overload occurrences Short Counter Displays the total number of power shortage occurrences Denied Counter Di...

Page 207: ...hernet Devices Configuring the PoE Power Priority and Class Cisco 500 Series Stackable Managed Switch Administration Guide 198 12 STEP 4 Click Apply The PoE settings for the port are written to the Running Configuration file ...

Page 208: ...th each other over the Ethernet MAC layer regardless of the physical LAN segment of the bridged network to which they are connected VLAN Description Each VLAN is configured with a unique VID VLAN ID with a value from 1 to 4094 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets des...

Page 209: ...onfigured at the ingress port where the frame is received The frame is discarded at the ingress port if Ingress Filtering is enabled and the ingress port is not a member of the VLAN to which the packet belongs A frame is regarded as priority tagged only if the VID in its VLAN tag is 0 Frames belonging to a VLAN remain within the VLAN This is achieved by sending or forwarding a frame only to egress...

Page 210: ...et in the Edit VLAN Authentication page Default VLAN For more information refer to the Configuring Default VLAN Settings section Management VLAN in Layer 2 mode systems For more information refer to the Layer 2 IP Addressing section QinQ QinQ provides isolation between service provider networks and customers networks The switch is a provider bridge that supports port based c tagged service interfa...

Page 211: ...oups and Protocol based VLANs sections 7 If required configure TV VLAN as described in the Access Port Multicast TV VLAN and Customer Port Multicast TV VLAN sections Configuring Default VLAN Settings When using factory default settings the switch automatically creates VLAN 1 as the default VLAN the default interface status of all ports is Trunk and all ports are configured as untagged members of t...

Page 212: ...VID of the new default VLAN The original default VLAN ID is removed from the switch To be used it must be recreated Adds the ports as untagged VLAN members of the new default VLAN To change the default VLAN STEP 1 Click VLAN Management Default VLAN Settings The Default VLAN Settings page is displayed STEP 2 Enter the value for the following field Current Default VLAN ID Displays the current defaul...

Page 213: ... Create VLAN page displays the following fields for all VLANs VLAN ID User defined VLAN ID VLAN Name User defined VLAN name Type VLAN type Static VLAN is user defined Default VLAN is the default VLAN STEP 2 Click Add to add a new VLAN or select an existing VLAN and click Edit to modify the VLAN parameters The Add Edit VLAN page is displayed The page enables the creation of either a single VLAN or ...

Page 214: ...tch Interface VLAN Mode Select the interface mode for the VLAN The options are General The interface can support all functions as defined in the IEEE 802 1q specification The interface can be a tagged or untagged member of one or more VLANs Access The interface is an untagged member of a single VLAN A port configured in this mode is known as an access port Trunk The interface is an untagged member...

Page 215: ...s always enabled on access ports and trunk ports STEP 5 Click Apply The parameters are written to the Running Configuration file Defining VLAN Membership The Port to VLAN and Port VLAN Membership pages display the VLAN memberships of the ports in various presentations You can use them to add or remove memberships to or from the VLANs When a port is forbidden default VLAN membership that port is no...

Page 216: ...eral configured from the Interface Settings page Each port or LAG is displayed with its current registration to the VLAN STEP 3 Change the registration of an interface to the VLAN by selecting the desired option from the following list Forbidden The interface is not allowed to join the VLAN even from GVRP registration When a port is not a member of any other VLAN enabling this option on the port m...

Page 217: ...ship in the VLAN in which it was configured To assign a port to one or more VLANs STEP 1 Click VLAN Management Port VLAN Membership The Port VLAN Membership page is displayed STEP 2 Select interface type Port or LAG and click Go The following fields are displayed for all interfaces of the selected type Interface Port LAG ID Mode Interface VLAN mode that was selected in the Interface Settings page ...

Page 218: ...The port can join the VLAN through GVRP registration Tagged Select whether the port is tagged This is not relevant for Access ports Untagged Select whether port is untagged This is not relevant for Access ports PVID Port PVID is set to this VLAN If the interface is in access mode or trunk mode the switch automatically makes the interface an untagged member of the VLAN If the interface is in genera...

Page 219: ... on ports Defining GVRP Settings To define GVRP settings for an interface STEP 1 Click VLAN Management GVRP Settings The GVRP Settings page is displayed STEP 2 Select GVRP Global Status to enable GVRP globally STEP 3 Click Apply to set the global GVRP status STEP 4 Select an interface type Port or LAG and click Go to display all interfaces of that type STEP 5 To define GVRP settings for a port sel...

Page 220: ...ace Protocol Based VLAN If a protocol based VLAN has been defined the VLAN is taken from the Ethernet type protocol to VLAN mapping of the ingress interface PVID VLAN is taken from the port default VLAN ID MAC based Groups MAC based VLAN classification enable packets to be classified according to their source MAC address The user can then define MAC to VLAN mapping per interface The user can defin...

Page 221: ...d Group opens STEP 3 Enter the values for the following fields MAC Address Enter a MAC address to be assigned to a VLAN group NOTE This MAC address cannot be assigned to any other VLAN group Prefix Mask Enter one of the following Host Source host of the MAC address Length Prefix of the MAC address Group ID Enter a user created VLAN group ID number STEP 4 Click Apply The MAC address is assigned to ...

Page 222: ...defined and then bound to a port After the protocol group is bound to a port every packet originating from a protocol in the group will be assigned the VLAN that is configured in the Protocol Based Groups to VLAN page Workflow To define a protocol based VLAN group 1 Define a protocol group using the Protocol Based Groups page 2 For each required interface assign the protocol group to a VLAN using ...

Page 223: ...ter a protocol group ID STEP 4 Click Apply The Protocol Group is added and written to the Running Configuration file Protocol Based Groups to VLAN Mapping To map a protocol group to a port the port must be in General mode and not have DVA configured on it see Configuring VLAN Interface Settings Several groups can be bound to a single port with each port being associated to its own VLAN It is possi...

Page 224: ...Cisco 500 Series Stackable Managed Switch Administration Guide 215 13 VLAN ID Attaches the interface to a user defined VLAN ID STEP 4 Click Apply The protocol ports are mapped to VLANs and written to the Running Configuration file ...

Page 225: ...propriate configurations UC3xx UC5xx hosted All Cisco phones and VoIP endpoints support this deployment model For this model the UC3xx UC5xx Cisco phones and VoIP endpoints reside in the same voice VLAN The voice VLAN of UC3xx UC5xx defaults to VLAN 100 Third party IP PBX hosted Cisco SBTG CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model In this model the VLAN used by the ...

Page 226: ...phony OUI mode or has Auto Smartports enabled Dynamic Voice VLAN Modes The switch supports two dynamic voice VLAN modes Telephony OUI Organization Unique Identifier mode and Auto Voice VLAN mode The two modes affect how voice VLAN and or voice VLAN port memberships are configured The two modes are mutually exclusive to each other Telephony OUI In Telephony OUI mode the voice VLAN must be a manuall...

Page 227: ...e voice VLAN information from CDP and LLDP MED advertisements it receives from their neighbor voice systems and switches The switch expects the attaching voice devices to send voice VLAN tagged packets On ports where the voice VLAN is also the native VLAN voice VLAN untagged packets are possible Auto Voice VLAN Auto Smartports CDP and LLDP Defaults By factory defaults CDP LLDP and LLDP MED on the ...

Page 228: ...ertisements from directly connected neighbor devices If multiple neighbor switches and or routers such as Cisco UC devices are advertising their voice VLAN the voice VLAN from the device with the lowest MAC address is used NOTE If connecting the switch to a Cisco UC device you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device advertises...

Page 229: ... there is no other devices from the port advertising a conflicting or superior capability If a device advertises itself as a phone the default Smartport macro is phone If a device advertises itself as a phone and host or phone and bridge the default Smartport macro is phone desktop Voice VLAN QoS Voice VLAN can propagate the CoS 802 1p and DSCP settings by using LLDP MED Network policies The LLDP ...

Page 230: ...nterface VLAN of a candidate port must be in General or Trunk mode The Voice VLAN QoS decision has priority over any other QoS decision except for the Policy ACL QoS decision The Voice VLAN QoS is applied to candidate ports that have joined the Voice VLAN and to static ports The voice flow is accepted if the MAC address can be learned by the Forwarding Database FDB If there is no free space in FDB...

Page 231: ...using the Smartport Interface Settings page NOTE Step 7 and Step 8 are optional as they are enabled by default Workflow2 To configure the Telephony OUI Method STEP 1 Open the VLAN Management Voice VLAN Properties page Set Dynamic Voice VLAN to Enable Telephony OUI NOTE If the device is currently in Auto Voice VLAN mode you must disable it before you can enable Telephony OUI STEP 2 Configure Teleph...

Page 232: ...e Voice VLAN Settings Operational Status block STEP 2 Enter values for the following fields Voice VLAN ID Enter the VLAN that is to be the Voice VLAN NOTE Changes in the voice VLAN ID CoS 802 1p and or DSCP will cause the switch to advertise the administrative voice VLAN as a static voice VLAN If the option Auto Voice VLAN Activation triggered by external Voice VLAN is selected then the default va...

Page 233: ...ces STEP 3 Click Apply The VLAN properties are written to the Running Configuration file Displaying Auto Voice VLAN Settings If Auto Voice VLAN mode is enabled use the Auto Voice VLAN page to view the relevant global and interface parameters You can also use this page to manually restart Auto Voice VLAN by clicking Restart Auto Voice VLAN After a short delay this resets the voice VLAN to the defau...

Page 234: ... VLAN and restart Auto Voice VLAN discovery on all the Auto Voice VLAN enabled switches in the LAN The Voice VLAN Local Table displays voice VLAN configured on the switch as well as any voice VLAN configuration advertised by directly connected neighbor devices It displays the following fields Interface Displays the interface on which voice VLAN configuration was received or configured If N A is di...

Page 235: ... No This is not the best local source STEP 3 Click Refresh to refresh the information on the page Configuring Telephony OUI OUIs are assigned by the Institute of Electrical and Electronics Engineers Incorporated IEEE Registration Authority Since the number of IP phone manufacturers is limited and well known the known OUI values cause the relevant frames and the port on which they are seen to be au...

Page 236: ...of the phones detected on the ports have aged out STEP 2 Click Apply to update the Running Configuration of the switch with these values The Telephony OUI table is displayed Telephony OUI First six digits of the MAC address that are reserved for OUIs Description User assigned OUI description STEP 3 Click Restore OUI Defaults to delete all of the user created OUIs and leave only the default OUIs in...

Page 237: ...e OUI QoS mode of voice VLAN To configure Telephony OUI on an interface STEP 1 Click VLAN Management Voice VLAN Telephony OUI Interface The Telephony OUI Interface page is displayed The Telephony OUI Interface page displays voice VLAN OUI parameters for all interfaces STEP 2 To configure an interface to be a candidate port of the telephony OUI based voice VLAN click Edit The Edit Interface Setting...

Page 238: ... Multicast server while including the Multicast TV VLAN in the Multicast packet header For this reasons the uplink ports should be statically configured as the following Trunk or general port type see Configuring VLAN Interface Settings Member on the Multicast TV VLAN The subscriber receiver ports can be associated with the Multicast TV VLAN only if it is defined in one of the two following types ...

Page 239: ...LAN then the software associates the IGMP packet with the Multicast TV VLAN Otherwise the IGMP message is associated to the access VLAN and the IGMP message is only forwarded within that VLAN The IGMP message is discarded if The STP RSTP state on the access port is discard The MSTP state for the access VLAN is discard The MSTP state for the Multicast TV VLAN is discard and the IGMP message is asso...

Page 240: ...are displayed Multicast Group IP address of the Multicast group Multicast TV VLAN VLAN to which the Multicast packets are assigned STEP 2 Click Add to associate a Multicast group to a VLAN Any VLAN can be selected When a VLAN is selected it becomes a Multicast TV VLAN STEP 3 Click Apply Multicast TV VLAN settings are modified and written to the Running Configuration file Receiver ports VLAN can be...

Page 241: ...tion file Customer Port Multicast TV VLAN A triple play service provisions three broadband services over a single broadband connection High speed Internet access Video Voice The triple play service is provisioned for service provider subscribers while keeping Layer 2 isolation between them Each subscriber has a CPE MUX box The MUX has multiple access ports that are connected to the subscriber s de...

Page 242: ...es the destination in the subscriber s network by the CPE MUX Workflow 1 Configure an access port as a customer port using the VLAN Management Interface Settings page See the QinQ section for more information 2 Configure the uplink port as a trunk or general port with subscriber and Multicast TV VLAN as tagged VLANS using the VLAN Management Interface Settings page 3 The user should create multica...

Page 243: ...e following fields CPE VLAN Enter the VLAN defined on the CPE box Multicast TV VLAN Select the Multicast TV VLAN which is mapped to the CPE VLAN STEP 4 Click Apply CPE VLAN Mapping is modified and written to the Running Configuration file CPE Port Multicast VLAN Membership The ports associated with the Multicast VLANs must be configured as customer ports see Configuring VLAN Interface Settings Use...

Page 244: ...ttings STP Flavors STP protects a Layer 2 Broadcast domain from Broadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate routes exist between hosts Loops in an extended net...

Page 245: ...P It detects Layer 2 loops and attempts to mitigate them by preventing the involved port from transmitting traffic Since loops exist on a per Layer 2 domain basis a situation can occur where there is a loop in VLAN A and no loop in VLAN B If both VLANs are on Port X and STP wants to mitigate the loop it stops traffic on the entire port including VLAN B traffic MSTP solves this problem by enabling ...

Page 246: ...e STP ports The default path cost assigned to an interface varies according to the selected method Short Specifies the range 1 through 65 535 for port path costs Long Specifies the range 1 through 200 000 000 for port path costs Bridge Settings Priority Sets the bridge priority value After exchanging BPDUs the device with the lowest priority becomes the Root Bridge In the case that all bridges use...

Page 247: ...psed since the last topology change occurred The time is displayed in a days hours minutes seconds format STEP 3 Click Apply The STP Global settings are written to the Running Configuration file Defining Spanning Tree Interface Settings The STP Interface Settings page enables you to configure STP on a per port basis and to view the information learned by the protocol such as the designated bridge ...

Page 248: ...ated port Normally all root bridge ports are designated ports unless two or more ports of the root bridge are connected If the bridge receives superior BPDUs on a Root Guard enabled port Root Guard moves this port to a root inconsistent STP state This root inconsistent state is effectively equal to a listening state No traffic is forwarded across this port In this way Root Guard enforces the posit...

Page 249: ...dresses Listening The port is in Listening mode The port cannot forward traffic and cannot learn MAC addresses Learning The port is in Learning mode The port cannot forward traffic but it can learn new MAC addresses Forwarding The port is in Forwarding mode The port can forward traffic and learn new MAC addresses Designated Bridge ID Displays the bridge priority and the MAC address of the designat...

Page 250: ... being tested STEP 4 If a link partner is discovered by using STP click Activate Protocol Migration to run a Protocol Migration test This discovers whether the link partner using STP still exists and if so whether it has migrated to RSTP or MSTP If it still exists as an STP link the device continues to communicate with it by using STP Otherwise if it has been migrated to RSTP or MSTP the device co...

Page 251: ...ning Tree leaves This provides a configuration in which two ports are connected in a loop by a point to point link Backup ports are also used when a LAN has two or more established connections to a shared segment Disabled The port is not participating in Spanning Tree Mode Displays the current Spanning Tree mode Classic STP or RSTP Fast Link Operational Status Displays whether the Fast Link Edge P...

Page 252: ...t can be placed in the Forwarding State in another STP instance The MSTP Properties page enables you to define the global MSTP settings To configure MSTP 1 Set the STP Operation Mode to MSTP as described in the Configuring STP Status and Global Settings settings 2 Define MSTP instances Each MSTP instance calculates and builds a loop free topology to bridge packets from the VLANs that map to the in...

Page 253: ...egion to see the region as a single RSTP bridge regardless of the number of MSTP bridges inside the region itself For two or more switches to be in the same MST region they must have the same VLANs to MST instance mapping the same configuration revision number and the same region name Switches intended to be in the same MST region are never separated by switches from another MST region If they are...

Page 254: ... more than one VLAN but each VLAN can only have one MST Instance attached to it Configuration on this page and all of the MSTP pages applies if the system STP mode is MSTP Up to 16 MST instances can be defined on the Cisco 500 Series switches For those VLANs that are not explicitly mapped to one of the MST instances the switch automatically maps them to the CIST Core and Internal Spanning Tree ins...

Page 255: ...k Spanning Tree MSTP Instance Settings The MSTP Instance Settings page is displayed STEP 2 Enter the parameters Instance ID Select an MST instance to be displayed and defined Included VLAN Displays the VLANs mapped to the selected instance The default mapping is that all VLANs are mapped to the common and internal spanning tree CIST instance 0 Bridge Priority Set the priority of this bridge for th...

Page 256: ...is displayed STEP 2 Enter the parameters Instance equals To Select the MSTP instance to be configured Interface Type equals to Select whether to display the list of ports or LAGs STEP 3 Click Go The MSTP parameters for the interfaces on the instance are displayed STEP 4 Select an interface and click Edit The Edit MSTP Interface Settings page is displayed STEP 5 Enter the parameters Instance ID Sel...

Page 257: ...P algorithm to provide STP paths Root Forwarding packets through this interface provides the lowest cost path for forwarding packets to the root device Designated The interface through which the bridge is connected to the LAN which provides the lowest root path cost from the LAN to the Root Bridge for the MST instance Alternate The interface provides an alternate path to the root device from the r...

Page 258: ...gnated Bridge ID Displays the ID number of the bridge that connects the link or shared LAN to the root Designated Port ID Displays the Port ID number on the designated bridge that connects the link or the shared LAN to the root Designated Cost Displays the cost of the port participating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects loops Remaining Hops Di...

Page 259: ...A MAC address that appears in a frame arriving at the switch is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the switch before that time period expires the MAC entry is deleted from the table When a frame arrives at the switch the switch searches for a corresponding matching MA...

Page 260: ...VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface unit slot port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after rebooting Delete on reset The static MAC address is delete...

Page 261: ... entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The Dynamic MAC Address Table is updated Querying Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses The Dynamic Addresses page opens STEP 2 In the Filter block enter the following query criteria VLAN ID Enter the VLAN ID for which the table is queried MAC Address Enter...

Page 262: ...opens STEP 2 Click Add The Add Reserved MAC Address page opens STEP 3 Enter the values for the following fields MAC Address Select the MAC address to be reserved Frame Type Select a frame type based on the following criteria Ethernet V2 Applies to Ethernet V2 packets with the specific MAC address LLC Applies to Logical Link Control LLC packets with the specific MAC address LLC SNAP Applies to Logi...

Page 263: ...er Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel i...

Page 264: ...in this section is mostly for IGMP it also describes coverage of MLD where implied These queries reach the switch which in turn floods the queries to the VLAN and also learns the port where there is a Multicast router Mrouter When a host receives the IGMP query message it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a spec...

Page 265: ...nabled in a switch on a VLAN it analyzes the IGMP MLD packets it receives from the VLAN connected to the switch and Multicast routers in the network When a switch learns that a host is using IGMP MLD messages to register to receive a Multicast stream optionally from a specific source the switch adds the registration to its Multicast Forwarding Data Base MFDB IGMP MLD snooping can effectively reduc...

Page 266: ...ress For IPv4 this is mapped by taking the 23 low order bits from the IPv4 address and adding them to the 01 00 5e prefix By standard the upper nine bits of the IP address are ignored and any IP addresses that only differ in the value of these upper bits are mapped to the same Layer 2 address since the lower 23 bits that are used are identical For example 234 129 2 3 is mapped to a MAC Multicast g...

Page 267: ... before one or more IP Multicast group addresses can be mapped to a MAC group address Forwarding based on the MAC group address can result in an IP Multicast stream being forwarded to ports that have no receiver for the stream IP Group Address Based on the destination IP address of the IP packet G Source Specific IP Group Address Based on both the destination IP address and the source IP address o...

Page 268: ...ed from a VLAN that is configured to forward Multicast streams based on MAC group addresses and its destination address is a Layer 2 Multicast address the frame is forwarded to all ports that are members of the MAC group address The MAC Group Address page has the following functions Query and view information from the MFDB relating to a specific VLAN ID or a specific MAC address group This data is...

Page 269: ...N ID of the new Multicast group MAC Group Address Defines the MAC address of the new Multicast group STEP 6 Click Apply the MAC Multicast group is written to the Running Configuration file To configure and display the registration for the interfaces within the group select an address and click Details The MAC Group Address Settings page opens The page displays VLAN ID The VLAN ID of the Multicast ...

Page 270: ...ys all of the IP Multicast group addresses learned by snooping STEP 2 Enter the parameters required for filtering VLAN ID equals to Define the VLAN ID of the group to be displayed IP Version equals to Select IPv6 or IPv4 IP Multicast Group Address equals to Define the IP address of the Multicast group to be displayed This is only relevant when the Forwarding mode is S G Source IP Address equals to...

Page 271: ...ice is updated STEP 7 To configure and display the registration of an IP group address select an address and click Details The IP Multicast Interface Settings page opens The VLAN ID IP Version IP Multicast Group Address and Source IP Address selected are displayed as read only in the top of the window You can select the filter type Interface Type equals to Select whether to display ports or LAGs S...

Page 272: ...onnected to Multicast routers Mrouters that are generating IGMP queries Which ports are receiving PIM DVMRP or IGMP query protocols These are displayed on the IGMP Snooping page Ports asking to join a specific Multicast group issue an IGMP report that specifies which group s the host wants to join This results in the creation of a forwarding entry in the Multicast Forwarding Data Base The IGMP Sno...

Page 273: ...s table are sent by the elected querier The other values are derived from the switch STEP 4 Enter the parameters VLAN ID Select the VLAN ID on which IGMP snooping is defined IGMP Snooping Status Enable or disable the monitoring of network traffic for the selected VLAN Operational IGMP Snooping Status Displays the current status of the IGMP Snooping for the selected VLAN MRouter Ports Auto Learn En...

Page 274: ... sent by the elected querier Immediate Leave Enable Immediate Leave to decrease the time it takes to block a Multicast stream sent to a member port when an IGMP Group Leave message is received on that port IGMP Querier Status Enable or disable the IGMP Querier Administrative Querier Source IP Address Select the source IP address of the IGMP Querier This can be the IP address of the VLAN or it can ...

Page 275: ...AN NOTE The switch supports MLD Snooping only on static VLANs It does not support MLD Snooping on dynamic VLANs The switch uses this feature to build Multicast membership lists It uses the lists to forward Multicast packets only to switch ports where there are host nodes that are members of the Multicast groups The switch does not support MLD Querier Hosts use the MLD protocol to report their part...

Page 276: ...nooping and Bridge Multicast filtering are enabled STEP 3 Select a VLAN and click Edit The Edit MLD Snooping page opens STEP 4 Enter the parameters VLAN ID Select the VLAN ID MLD Snooping Status Enable or disable MLD snooping on the VLAN The switch monitors network traffic to determine which hosts have asked to be sent Multicast traffic The switch performs MLD snooping only when MLD snooping and B...

Page 277: ...Delay to be used if the switch cannot read Max Response Time value from Group Specific queries sent by the elected querier Operational Last Member Query Interval The Last Member Query Interval sent by the elected querier Immediate Leave When enabled reduces the time it takes to block unnecessary MLD traffic sent to a switch port STEP 5 Click Apply The Running Configuration file is updated Querying...

Page 278: ...s are displayed for each Multicast group VLAN The VLAN ID Group Address The Multicast group MAC address or IP address Source Address The sender address for all of the specified group ports Included Ports The list of destination ports for the Multicast stream Excluded Ports The list of ports not included in the group Compatibility Mode The oldest IGMP MLD version of registration from the hosts the ...

Page 279: ...he port is dynamically configured as a Multicast router port by a MLD IGMP query To enable the dynamic learning of Multicast router ports go to the Multicast IGMP Snooping page and the Multicast MLD Snooping page Forbidden This port is not to be configured as a Multicast router port even if IGMP or MLD queries are received on this port If Forbidden is enabled on a port Mrouter will not be learned ...

Page 280: ...ceive any Multicast streams even if IGMP MLD snooping designated the port to join a Multicast group None The port is not currently a Forward All port STEP 5 Click Apply The Running Configuration file is updated Defining Unregistered Multicast Settings Multicast frames are generally forwarded to all ports in the VLAN If IGMP MLD Snooping is enabled the switch learns about the existence of Multicast...

Page 281: ...etwork To define unregistered Multicast settings STEP 1 Click Multicast Unregistered Multicast The Unregistered Multicast page opens STEP 2 Define the following Interface Type equals to The view as all ports or all LAGs Port LAG Displays the port or LAG ID Unregistered Multicast Displays the forwarding status of the selected interface The possible values are Forwarding Enables forwarding of unregi...

Page 282: ...SG500X devices always work in Layer 3 enabled router mode The Sx500 devices can either be set to work in Layer 2 switch or Layer 3 router mode Therefore when this section refers to a device that works in Layer 3 mode this refers to all SG500X devices and those Sx500 devices that have been manually set to Layer 3 mode Some features are only available in Layer 2 or Layer 3 mode as described below In...

Page 283: ...ode the switch uses the default gateway if configured to communicate with devices that are not in the same IP subnet with the switch By default VLAN 1 is the management VLAN but this can be modified When operating in Layer 2 mode the switch can only be reached at the configured IP address through its management VLAN The factory default setting of the IP address configuration is DHCP This means tha...

Page 284: ... the DHCP server If a static IP address has been set the system status LED also changes to solid green The LED flashes when the switch is acquiring an IP address and is currently using the factory default IP address 192 168 1 254 The same rules apply when a client must renew the lease prior to its expiration date through a DHCPREQUEST message When no statically defined or DHCP acquired IP address ...

Page 285: ...en from a DHCP server To configure the IPv4 switch IP address STEP 1 Click Administration Management Interface IPv4 Interface The IPv4 Interface page opens STEP 2 Enter values for the following fields Management VLAN Select the Management VLAN used to access the switch through telnet or the Web GUI VLAN1 is the default Management VLAN IP Address Type Select one of the following options Dynamic Dis...

Page 286: ...s status of Auto Configuration feature You can configure this from Administration File Management DHCP Auto Configuration STEP 3 Click Apply The IPv4 interface settings are written to the Running Configuration file Defining IPv4 Interface when the Switch is in Layer 3 Mode The IPv4 Interface page is used when the switch is in Layer 3 mode This mode enables configuring multiple IP addresses for swi...

Page 287: ... from DHCP server IP Address Configured IP address for the interface Mask Configured IP address mask Status Results of the IP address duplication check Tentative There is no final result for the IP address duplication check Valid The IP address collision check was completed and no IP address collision was detected Valid Duplicated The IP address duplication check was completed and a duplicate IP a...

Page 288: ...gth Length of the IPv4 prefix STEP 6 Click Apply The IPv4 address settings are written to the Running Configuration file CAUTION When the system is in stacking mode with a Backup Master present configure the IP address as a static address to prevent disconnecting from the network during a Stacking Master switchover Managing IPv6 The Internet Protocol version 6 IPv6 is a network layer protocol for ...

Page 289: ...f the IPv6 ICMP error messages generated by the switch To define IPv6 global parameters STEP 1 In Layer 2 mode click Administration Management Interface IPv6 Global Configuration In Layer 3 mode click IP Configuration Management and IP Interfaces IPv6 Global Configuration The IPv6 Global Configuration page opens STEP 2 Enter values for the following fields ICMPv6 Rate Limit Interval Enter how ofte...

Page 290: ...is assigned New addresses remain in a tentative state during DAD verification Entering 0 in this field disables duplicate address detection processing on the specified interface Entering 1 in this field indicates a single transmission without follow up transmissions IPv6 Address Auto Configuration Enable automatic address configuration from the DHCP server If enabled the switch supports IPv6 state...

Page 291: ...ter IPv6 Address Type Select Link Local or Global as the type of IPv6 address to add Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the addre...

Page 292: ...fic it may be empty The switch randomly selects a router from the list The switch supports one static IPv6 default router Dynamic default routers are routers that have sent router advertisements to the switch IPv6 interface When adding or deleting IP addresses the following events occur When removing an IP interface all the default router IP addresses are removed Dynamic IP addresses cannot be rem...

Page 293: ...y Previously known neighboring network is unreachable The device is in Delay state for a predefined Delay Time If no confirmation is received the state changes to Probe Probe Neighboring network is unavailable and Unicast Neighbor Solicitation probes are being sent to verify the status STEP 2 Click Add to add a static default router The Add Default Router page opens The window displays the Link Lo...

Page 294: ...affic until the DNS process is resolved To configure an IPv6 Tunnel STEP 1 In Layer 2 mode click Administration Management Interface IPv6 Tunnel In Layer 3 mode click IP Configuration Management and IP Interface IPv6 Tunnel The IPv6 Tunnel page opens STEP 2 Enter values for the following fields Tunnel Number Displays the automatic tunnel router domain number Tunnel Type Always displayed as ISATAP ...

Page 295: ...e is 1 20 NOTE The ISATAP tunnel is not operational if the underlying IPv4 interface is not in operation STEP 3 Click Apply The tunnel is written to the Running Configuration file Defining IPv6 Neighbors Information The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv6 interface The IPv6 Neighbor Table also known as IPv6 Neighbor Discovery Cache displays th...

Page 296: ...discovery cache information entry type static or dynamic State Specifies the IPv6 neighbor status The values are Incomplete Address resolution is working The neighbor has not yet responded Reachable Neighbor is known to be reachable Stale Previously known neighbor is unreachable No action is taken to verify its reachability until traffic must be sent Delay Previously known neighbor is unreachable ...

Page 297: ...rom IPv6 routers by using ICMP redirect messages This could happen when the default router the switch uses is not the router for traffic to which the IPv6 subnets that the switch wants to communicate To view IPv6 routing entries in Layer 2 mode STEP 1 Click Administration Management Interface IPv6 Routes or To view IPv6 routing entries in Layer 3 mode STEP 1 Click IP Configuration Management and I...

Page 298: ...ing Configuration file Defining IPv4 Routes When the switch is in Layer 3 mode this page enables configuring and viewing IPv4 static routes on the switch When routing traffic the next hop is decided on according to the longest prefix match LPM algorithm A destination IPv4 address may match multiple routes in the IPv4 Static Route Table The switch uses the matched route with the highest subnet mask...

Page 299: ...ritten to the Running Configuration file Configuring ARP The switch maintains an ARP Address Resolution Protocol table for all known devices that reside in its directly connected IP subnets A directly connected IP subnet is the subnet to which an IPv4 interface of the switch is connected When the switch needs to send route a packet to a local device it searches the ARP table to obtain the MAC addr...

Page 300: ...mmediately Static Deletes all of the static addresses immediately Normal Age Out Deletes dynamic addresses based on the configured ARP Entry Age Out time STEP 3 Click Apply The ARP global settings are written to the Running Configuration file The ARP table displays the following fields Interface The IPv4 Interface of the directly connected IP subnet where the IP device resides IP Address The IP ad...

Page 301: ...AC address in reply Serving as an ARP Proxy for another host effectively directs LAN traffic destination to the host The captured traffic is then typically routed by the Proxy to the intended destination by using another interface or by using a tunnel The process in which an ARP query request for a different IP address for proxy purposes results in the node responding with its own MAC address is s...

Page 302: ...ere the switch is to relay UDP Broadcast packets based on a configured UDP destination port The interface must be one of the IPv4 interfaces configured on the switch STEP 4 Enter the UDP Destination Port number for the packets that the switch is to relay Select the well known port from the drop down list or click the port radio button to enter the number manually STEP 5 Enter the Destination IP Ad...

Page 303: ... DHCP The default domain name is dynamically assigned by the DHCP server Static The default domain name is user defined N A No default domain name DNS Server Table DNS Server The IP addresses of the DNS servers Up to eight DNS servers can be defined Server State The active DNS server There can be only one active server Each static server has a priority a lower value means a higher priority When fi...

Page 304: ...ough VLAN2 or ISATAP DNS Server IP Address Enter the DNS server IP address Set DNS Server Active Select to activate the new DNS server STEP 6 Click Apply The DNS server is written to the Running Configuration file Mapping DNS Hosts The switch saves frequently queried domain names acquired from the DNS servers in a local DNS cache The cache can hold up to 64 static entries 64 dynamic entries and on...

Page 305: ...80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select whether ...

Page 306: ...ics below Permission to administer the switch is described in the following sections Configuring TACACS Configuring RADIUS Configuring Management Access Authentication Defining Access Profiles Configuring TCP UDP Services Protection from attacks directed at the switch CPU is described in the following sections Configuring TCP UDP Services Defining Storm Control Access control of end users to the n...

Page 307: ...ssword complexity is enabled by default If the password that you choose is not complex enough Password Complexity Settings are enabled in the Password Strength page you will be prompted to create another password Setting User Accounts The User Accounts page enables entering additional users that are permitted to access to the switch read only or read write or changing the passwords of existing use...

Page 308: ...ord Strength Meter Displays the strength of password The policy for password strength and complexity are configured in the Password Strength page User Level Select the privilege level of the user being added edited Read Only CLI Access 1 User cannot access the GUI and can only access CLI commands that do not change the switch configuration Read Limited Write CLI Access 7 User cannot access the GUI...

Page 309: ...ng Time expires Password Aging Time Enter the number of days that can elapse before the user will be prompted to change the password NOTE Password aging also applies to zero length passwords no password STEP 3 Select Password Complexity Settings to enable complexity rules for passwords If password complexity is enabled new passwords must conform to the following default settings Have a minimum len...

Page 310: ...aracter repetitions username password equivalence and manufacturer password equivalence may be done through the CLI See the CLI guide for further instruction Configuring TACACS The switch is a Terminal Access Controller Access Control System TACACS client that can use a TACACS server to provide centralized security TACACS provides the following services Authentication Provides authentication of ad...

Page 311: ... with all TACACS servers The switch can be configured to use this key or to use a key entered for an specific server entered in the Add TACACS Server page If you do not enter a key string in this field the server key entered in the Add TACACS Server page must match the encryption key used by the TACACS server If you enter both a key string here and a key string for an individual TACACS server the ...

Page 312: ... Authentication IP Port Enter the port number through which the TACACS session occurs Single Connection Select to enable a single open connection between the switch and the TACACS server STEP 7 Click Apply The TACACS server is added to the Running Configuration file of the switch Configuring RADIUS Remote Authorization Dial In User Service RADIUS servers provide a centralized 802 1X or MAC based n...

Page 313: ... Dead Time Enter the number of minutes that elapse before a non responsive RADIUS server is bypassed for service requests If the value is 0 the server is not bypassed Key String Enter the default key string used for authenticating and encrypting between the switch and the RADIUS server This key must match the key configured on the RADIUS server A key string is used to encrypt communications by usi...

Page 314: ...etries were made If Use Default is selected the switch uses the default timeout value Authentication Port Enter the UDP port number of the RADIUS server port for authentication requests Accounting Port Enter the UDP port number of the RADIUS server port for accounting requests Retries Enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred If...

Page 315: ...onfigured RADIUS servers are queried in priority order and do not reply the user is authenticated locally If an authentication method fails or the user has insufficient privilege level the user is denied access to the switch In other words if authentication fails at an authentication method the switch stops the authentication attempt it does not continue and does not attempt to use the next authen...

Page 316: ...to authenticate and authorize users accessing the switch through various access methods Access Profiles can limit management access from specific sources Only users who pass both the active access profile and the management access authentication methods are given management access to the switch There can only be a single access profile active on the switch at one time Access profiles consist of on...

Page 317: ...tion of the active access profile the switch generates a SYSLOG message to alert the system administrator of the attempt If a console only access profile has been activated the only way to deactivate it is through a direct connection from the management station to the physical console port on the switch For more information see Defining Profile Rules Use the Access Profiles page to create an acces...

Page 318: ...ets to rules as packets are matched on a first match basis One is the highest priority Management Method Select the management method for which the rule is defined The options are All Assigns all management methods to the rule Telnet Users requesting access to the switch who meet the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the swit...

Page 319: ...he format for the subnet mask for the source IP address and enter a value in one of the fields Network Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 6 Click Apply The access profile is written to the Running Configura...

Page 320: ...e priority When the packet is matched to a rule user groups are either granted or denied access to the switch The rule priority is essential to matching packets to rules as packets are matched on a first fit basis Management Method Select the management method for which the rule is defined The options are All Assigns all management methods to the rule Telnet Users requesting access to the switch w...

Page 321: ...urce IP address to which the access profile applies The Source IP Address field is valid for a subnetwork Select one of the following values All Applies to all types of IP addresses User Defined Applies to only those types of IP addresses defined in the fields IP Version Select the supported IP version of the source address IPv6 or IPv4 IP Address Enter the source IP address Mask Select the format...

Page 322: ... Services page is displayed STEP 2 Enable or disable the following TCP UDP services on the displayed services HTTP Service Indicates whether the HTTP service is enabled or disabled HTTPS Service Indicates whether the HTTPS service is enabled or disabled SNMP Service Indicates whether the SNMP service is enabled or disabled Telnet Service Indicates whether the Telnet service is enabled or disabled ...

Page 323: ...instance of the UDP service For example when two senders send data to the same destination STEP 3 Click Apply The services are written to the Running Configuration file Defining Storm Control When Broadcast Multicast or Unknown Unicast frames are received they are duplicated and a copy is sent to all possible egress ports This means that in practice they are sent to all ports belonging to the rele...

Page 324: ...port and click Edit The Edit Storm Control page is displayed STEP 3 Enter the parameters Interface Select the port for which storm control is enabled Storm Control Select to enable Storm Control Storm Control Rate Threshold Enter the maximum rate at which unknown packets can be forwarded The default for this threshold is 10 000 for FE devices and 100 000 for GE devices Storm Control Mode Select on...

Page 325: ...ached the switch does not learn additional addresses In this mode the addresses are subject to aging and re learning When a frame from a new MAC address is detected on a port where it is not authorized the port is classically locked and there is a new MAC address or the port is dynamically locked and the maximum number of allowed addresses has been exceeded the protection mechanism is invoked and ...

Page 326: ...The options are Classic Lock Locks the port immediately regardless of the number of addresses that have already been learned Limited Dynamic Lock Locks the port by deleting the current dynamic MAC addresses associated with the port The port learns up to the maximum addresses allowed on the port Both re learning and aging of MAC addresses are enabled Max No of Addresses Allowed Enter the maximum nu...

Page 327: ...framework enables a device the supplicant to request port access from a remote device authenticator to which it is connected Only when the supplicant requesting port access is authenticated and authorized is it permitted to send data to the port Otherwise the authenticator discards the supplicant data unless the data is sent to a Guest VLAN and or non authenticated VLANs Authentication of the supp...

Page 328: ...e VLAN that is assigned by the RADIUS server during the authentication process The switch classifies untagged packets to the assigned VLAN if the packets originated from the devices or ports that are authenticated and authorized For a device to be authenticated and authorized at a port which is DVA enabled The RADIUS server must authenticate the device and dynamically assign a VLAN to the device T...

Page 329: ...est VLAN provide access to services that do not require the subscribing devices or ports to be 802 1x or MAC Based authenticated and authorized An unauthenticated VLAN is a VLAN that allows access by both authorized and unauthorized devices or ports You can configure one or more VLAN to be an unauthenticated in the Creating VLANs section in the VLAN Management section An unauthenticated VLAN has t...

Page 330: ...ring Range pages These are used in the Edit Port Authentication page Optional Define one or more static VLANs as unauthenticated VLANs as described in the Defining 802 1X Properties section 802 1x authorized and unauthorized devices or ports can always send or receive packets to or from unauthenticated VLANs Define 802 1X settings for each port by using the Edit Port Authentication page Note the f...

Page 331: ...lable but the user credentials are incorrect access will be denied and the session terminated RADIUS Authenticate the user on the RADIUS server If no authentication is performed the session is not permitted None Do not authenticate the user Permit the session Guest VLAN Select to enable the use of a Guest VLAN for unauthorized ports If a Guest VLAN is enabled all unauthorized ports automatically j...

Page 332: ...s page is displayed STEP 2 Select a VLAN and click Edit The Edit VLAN Authentication page is displayed STEP 3 Select a VLAN STEP 4 Optionally uncheck Authentication to make the VLAN an unauthenticated VLAN STEP 5 Click Apply and the Running Configuration file is updated Defining 802 1X Port Authentication The Port Authentication page enables configuration of 802 1X parameters for each port Since s...

Page 333: ...tate The switch does not provide authentication services to the client through the interface Auto Enables port based authentication and authorization on the switch The interface moves between an authorized or unauthorized state based on the authentication exchange between the switch and the client Force Authorized Authorizes the interface without authentication RADIUS VLAN Assignment Select to ena...

Page 334: ...MAC address Only 8 MAC based authentications can be used on the port 802 1X and MAC Both 802 1X and MAC based authentication are performed on the switch The 802 1X authentication takes precedence NOTE For MAC authentication to succeed the RADIUS server supplicant username and password must be the supplicant MAC address The MAC address must be in lower case letters and entered without the or separa...

Page 335: ... EAP Requests Enter the maximum number of EAP requests that can be sent If a response is not received after the defined period supplicant timeout the authentication process is restarted Supplicant Timeout Enter the number of seconds that lapses before EAP requests are resent to the supplicant Server Timeout Enter the number of seconds that lapses before the switch resends a request to the authenti...

Page 336: ...t linked or is down The options are Unauthorized Either the port control is Force Unauthorized and the port link is down or the port control is Auto but a client has not been authenticated via the port Force Authorized Clients have full port access Single host Lock Port control is Auto and only a single client has been authenticated by using the port No Single Host Port control is Auto and Multipl...

Page 337: ...Defines how often traps are sent to the host This field can be defined only if multiple hosts are disabled STEP 4 Click Apply The settings are written to the Running Configuration file Viewing Authenticated Hosts To view details about authenticated users STEP 1 Click Security 802 1X Authenticated Hosts The Authenticated Hosts page is displayed This page displays the following fields User Name Supp...

Page 338: ... 802 1x enabled port the port is 802 1x active within the time period s defined in the recurring range s that are also within the absolute start and end time of the time range When a 802 1x enabled port is out of its assigned time range and or recurring time range it is 802 1x inactive and is equivalent to Force Unauthorized The switch supports a maximum of 20 absolute time ranges All time specifi...

Page 339: ...ecurring range that can then be added to a time range created in the Time Range page All time specifications are interpreted as local time Daylight Saving Time does not affect this To add a recurring time range STEP 1 Click Security 802 1X Recurring Range The Recurring Range page is displayed This page displays the recurring time ranges that have been defined STEP 2 Click Add and the Add Recurring...

Page 340: ...CMP packets ICMP Filtering page Discard fragmented IP packets from a specific interface IP Fragments Filtering page Deny attacks from Stacheldraht Distribution Invasor Trojan and Back Orifice Trojan Security Suite Settings page SCT The Cisco switch is an advanced switch that handles the following types of traffic in addition to end user traffic Management traffic Protocol traffic Snooping traffic ...

Page 341: ...STEP 3 Select DoS Prevention to enable the feature Disable Disable the feature System Level Prevention Enable that part of the feature that prevents attacks from Stacheldraht Distribution Invasor Trojan and Back Orifice Trojan STEP 4 If System Level Prevention or System Level and Interface Level Prevention is selected enable one or more of the following DoS Prevention options Stacheldraht Distribu...

Page 342: ...work 127 0 0 0 8 Used as the Internet host loopback address 192 0 2 0 24 Used as the TEST NET in documentation and example codes 224 0 0 0 4 As a Source IP Address Used in IPv4 Multicast address assignments and was formerly known as Class D Address Space 240 0 0 0 4 Except 255 255 255 255 32 as a Destination Address Reserved address range and was formerly known as Class E Address Space You can als...

Page 343: ...ten to the Running Configuration file Define SYN Filtering The SYN Filtering page enables filtering TCP packets that contain a SYN flag and are destined for one or more ports To define a SYN filter STEP 1 Click Security Denial of Service Prevention SYN Filtering The SYN Filtering page is displayed SYN Filtering Page STEP 2 Click Add The Add SYN Filtering page is displayed STEP 3 Enter the paramete...

Page 344: ...YN rate protection currently defined per interface STEP 2 Click Add The Add SYN Rate Protection page is displayed STEP 3 Enter the parameters Interface Select the interface on which the rate protection is being defined IP Address Enter the IP address for which the SYN rate protection is defined or select All Addresses If you enter the IP address enter either the mask or prefix length Network Mask ...

Page 345: ...Select the interface on which the ICMP filtering is being defined IP Address Enter the IPv4 address for which the ICMP packet filtering is activated or select All Addresses to block ICMP packets from all source addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the fie...

Page 346: ...IP network from which the fragmented IP packets is filtered or select All Addresses to block IP fragmented packets from all addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the field Mask Select the subnet to which the source IP address belongs and enter the subnet m...

Page 347: ...Source Guard on an interface IP source guard can be active on an interface only if DHCP Snooping is enabled on at least one of the port s VLANs The interface is DHCP untrusted All packets on trusted ports are forwarded If a port is DHCP trusted filtering of static IP addresses can be configured even though IP Source Guard is not active in that condition by enabling IP Source Guard on the port When...

Page 348: ...ies page STEP 2 Define the VLANs on which DHCP Snooping is enabled in the IP Configuration DHCP Interface Settings page STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration DHCP DHCP Snooping Interface page STEP 4 Enable IP Source Guard in the Security IP Source Guard Properties page STEP 5 Enable IP Source Guard on the untrusted interfaces as required in the Security IP Sou...

Page 349: ...Filter field and click Go The ports LAGs on this unit are displayed along with the following IP Source Guard Indicates whether IP Source Guard is enabled on the port DHCP Snooping Trusted Interface Indicates whether this is a DHCP trusted interface STEP 3 Select the port LAG and click Edit The Edit Interface Settings page is displayed Select Enable in the IP Source Guard field to enable IP Source ...

Page 350: ...he TCAM Resources are checked Never Never try to reactivate inactive addresses The entries in the Binding database are displayed VLAN ID VLAN on which packet is expected MAC Address MAC address to be matched IP Address IP address to be matched Interface Interface on which packet is expected Status Displays whether interface is active Type Displays whether entry is dynamic or static Reason If the i...

Page 351: ...nder attack flows through the attacker s computer and then to the router switch or host Figure10 shows an example of ARP cache poisoning Figure10 ARP Cache Poisoning Hosts A B and C are connected to the switch on interfaces A B and C all of which are on the same subnet Their IP MAC addresses are shown in parentheses for example Host A uses IP address IA and MAC address MA When Host A needs to comm...

Page 352: ...inspected Untrusted Packets are inspected as described above ARP inspection is performed only on untrusted interfaces ARP packets that are received on the trusted interface are simply forwarded Upon packet arrival on untrusted interfaces the following logic is implemented Search the ARP access control rules for the packet s IP MAC addresses If the IP address is found and the MAC address in the lis...

Page 353: ...P addresses Addresses include 0 0 0 0 255 255 255 255 and all IP Multicast addresses Packets with invalid ARP Inspection bindings are logged and dropped Up to 1024 entries can be defined in the ARP Access Control table Interaction Between ARP Inspection and DHCP Snooping If DHCP Snooping is enabled ARP Inspection uses the DHCP Snooping Binding database in addition to the ARP access control rules I...

Page 354: ...ction Properties The Properties page is displayed Enter the following fields ARP Inspection Status Select to enable ARP Inspection ARP Packet Validation Select to enable the following validation checks Source MAC Compares the packet s source MAC address in the Ethernet header against the sender s MAC address in the ARP request This check is performed on both ARP requests and responses Destination ...

Page 355: ...ty ARP Inspection Interface Settings The Interface Settings page is displayed The ports LAGs and their ARP trusted untrusted status are displayed STEP 2 To set a port LAG as untrusted select the port LAG and click Edit The Edit Interface Settings page is displayed STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file Defining ARP Inspection Acces...

Page 356: ...yed STEP 3 Select a Access Control Group and enter the fields MAC Address MAC address of packet IP Address IP address of packet STEP 4 Click Apply The settings are defined and the Running Configuration file is updated Defining ARP Inspection VLAN Settings To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN STEP 1 Click Security ARP Inspection VLAN Settings The VLAN Se...

Page 357: ...ng DHCP snooping provides a security mechanism to prevent receiving false DHCP response packets and to log DHCP addresses It does this by treating ports on the switch as either trusted or untrusted A trusted port is a port that is connected to a DHCP server and is allowed to assign DHCP addresses DHCP messages received on trusted ports are allowed to pass through the switch An untrusted port is a ...

Page 358: ... 82 is to help to the DHCP server select the best IP subnet network pool from which to obtain an IP address The following Option 82 options are available on the switch DHCP Insertion Add Option 82 information to packets that do not have foreign Option 82 information DHCP Passthrough Forward or reject DHCP packets that contain Option 82 information from untrusted ports On trusted ports DHCP packets...

Page 359: ...abled and DHCP Relay is enabled DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet will be sent without Option 82 Packet will be sent with the original Option 82 Relay will insert Option 82 Bridge no Option 82 will be inse...

Page 360: ...rtion Disabled Packet will be sent without Option 82 Packet will be sent with the original Option 82 Relay will insert Option 82 Bridge no Option 82 will be inserted Relay will discard the packet Bridge Packet will be sent with the original Option 82 Option 82 Insertion Enabled Relay will be sent with Option 82 Bridge Option 82 will be added if port is trusted behaves as if DHCP Snooping is not en...

Page 361: ...t will be sent without Option 82 Packet will be sent with the original Option 82 Relay will discard Option 82 Bridge Packet will be sent without Option 82 Relay 1 If reply originates in switch packet will be sent without Option 82 2 If reply does not originate in switch packet is discarded Bridge Packet will be sent with the original Option 82 Option 82 insertion enabled Packet will be sent withou...

Page 362: ... Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet will be sent without Option 82 Packet will be sent with the original Option 82 Relay will discard Option 82 Bridge Packet will be sent without Option 82 Relay 1 If reply originates on the switch packet will be sent without Option 82 2 If reply does not origina...

Page 363: ... exists The DHCP Snooping Binding database is also used by IP Source Guard and Dynamic ARP Inspection features to determine legitimate packet sources DHCP Trusted Ports Ports can be either DHCP trusted or untrusted By default all ports are untrusted To create a port as trusted use the DHCP Snooping Interface Settings page Packets from these ports are automatically forwarded Packets from trusted po...

Page 364: ...an IP address DHCPACK to assign one or DHCPNAK to deny the address request STEP 5 Switch snoops packet If an entry exists in the DHCP Snooping Binding table that matches the packet the switch replaces it with IP MAC binding on receipt of DHCPACK STEP 6 Switch forwards DHCPOFFER DHCPACK or DHCPNAK Table 8 summarizes how DHCP packets are handled from both trusted and untrusted ports The DHCP Snoopin...

Page 365: ...HCPNAK Filter Same as DHCPOFFER Remove entry if exists DHCPDECLINE Check if there is information in the database If the information exists and does not match the interface on which the message was received the packet is filtered Otherwise the packet is forwarded to trusted interfaces only and the entry is removed from database Forward to trusted interfaces only DHCPRELEASE Same as DHCPDECLINE Same...

Page 366: ...ons Configuring DHCP Work Flow To configure DHCP Relay and DHCP Snooping STEP 1 Enable DHCP Snooping and or DHCP Relay in the IP Configuration DHCP Properties page or in the Security DHCP Snooping Properties page STEP 2 Define the interfaces on which DHCP Snooping is enabled in the IP Configuration DHCP Interface Settings page STEP 3 Configure interfaces as trusted or untrusted in the IP Configura...

Page 367: ...following options can be enabled Option 82 Passthrough Select to leave foreign Option 82 information when forwarding packets Verify MAC Address Select to verify that the source MAC address of the Layer 2 header matches the client hardware address as appears in the DHCP Header part of the payload on DHCP untrusted ports Backup Database Select to back up the DHCP Snooping Binding database on the dev...

Page 368: ...the Running Configuration file Defining DHCP Snooping Interfaces Settings Packets from untrusted ports LAGs are checked against the DHCP Snooping Binding database see the DHCP Snooping Binding Database page By default interfaces are trusted To designate an interface as untrusted STEP 1 Click IP Configuration DHCP DHCP Snooping Trusted Interfaces The DHCP Snooping Trusted Interfaces page is display...

Page 369: ...to the DHCP Snooping Binding database STEP 1 Click IP Configuration DHCP DHCP Snooping Binding Database The DHCP Snooping Binding Database page is displayed To see a subset of entries in the DHCP Snooping Binding database enter the relevant search criteria and click Go STEP 2 To add an entry click Add The Add DHCP Snooping Entry page is displayed STEP 3 Enter the fields VLAN ID VLAN on which packe...

Page 370: ... active ACL are either admitted or denied entry This section contains the following topics Access Control Lists Defining MAC based ACLs IPv4 based ACLs IPv6 Based ACLs Defining ACL Binding Access Control Lists An Access Control List ACL is an ordered list of classification filters and actions Each single classification rule together with its action is called an Access Control Element ACE Each ACE ...

Page 371: ...er of the ACEs within the ACL is significant since they are applied in a first fit manner The ACEs are processed sequentially starting with the first ACE ACLs can be used for security for example by permitting or denying certain traffic flows and also for traffic classification and prioritization in the QoS Advanced mode NOTE A port can be either secured with ACLs or configured with advanced QoS p...

Page 372: ...t is not in use The following describes the process of unbinding an ACL in order to modify it 1 If the ACL does not belong to a QoS Advanced Mode class map but it has been associated with an interface unbind it from the interface using the ACL Binding page 2 If the ACL is part of the class map and not bound to an interface then it can be modified 3 If the ACL is part of a class map contained in a ...

Page 373: ...r the name of the new ACL in the ACL Name field ACL names are case sensitive STEP 4 Click Apply The MAC based ACL is written to the Running Configuration file Adding Rules to a MAC based ACL To add rules ACEs to an ACL STEP 1 Click Access Control Mac Based ACE The Mac Based ACE page is displayed STEP 2 Select an ACL and click Go The ACEs in the ACL are listed STEP 3 Click Add The Add Mac Based ACE...

Page 374: ...ven a mask of 0000 0000 0000 0000 0000 0000 1111 1111 which means that you match on the bits where there is 0 and don t match on the bits where there are 1 s You need to translate the 1 s to a decimal integer and you write 0 for each four zeros In this example since 1111 1111 255 the mask would be written as 0 0 0 255 Source MAC Address Select Any if all source address are acceptable or User defin...

Page 375: ...lue NOTE ACLs are also used as the building elements of flow definitions for per flow QoS handling see QoS Advanced Mode The IPv4 Based ACL page enables adding ACLs to the system The rules are defined in the IPv4 Based ACE page IPv6 ACLs are defined in the IPv6 Based ACL page Defining an IPv4 based ACL To define an IPv4 based ACL STEP 1 Click Access Control IPv4 Based ACL The IPv4 Based ACL page i...

Page 376: ... to the packet matching the ACE The options are as follows Permit Forward packets that meet the ACE criteria Deny Drop packets that meet the ACE criteria Shutdown Drop packet that meets the ACE criteria and disable the port to which the packet was addressed Ports are reactivated from the Port Management page Protocol Select to create an ACE based on a specific protocol or protocol ID Select Any IP...

Page 377: ...tocol ID to Match Instead of selecting the name enter the protocol ID Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source IP Address Value Enter the IP address to which the source IP address will be matched Source IP Wildcard Mask Enter the mask to define a range of IP addresses Note that this mask is diffe...

Page 378: ...nd UDP protocols each have eight port ranges Destination Port Select one of the available values that are the same as the Source Port field described above NOTE You must specify the IP protocol for the ACE before you can enter the source and or destination port TCP Flags Select one or more TCP flags with which to filter packets Filtered packets are either forwarded or dropped Filtering packets by ...

Page 379: ...age type by name or enter the message type number Any All message types are accepted Select from list Select message type by name IGMP Type to match Number of message type that will be used for filtering purposes STEP 5 Click Apply The IPv4 based ACE is written to the Running Configuration file IPv6 Based ACLs The IPv6 Based ACL page displays and enables the creation of IPv6 ACLs which check pure ...

Page 380: ...ays the name of the ACL to which an ACE is being added Priority Enter the priority ACEs with higher priority are processed first Action Select the action assigned to the packet matching the ACE The options are as follows Permit Forward packets that meet the ACE criteria Deny Drop packets that meet the ACE criteria Shutdown Drop packets that meet the ACE criteria and disable the port to which the p...

Page 381: ... will be matched and its mask if relevant Destination IP Prefix Length Enter the prefix length of the IP address Source Port Select one of the following Any Match to all source ports Single Enter a single TCP UDP source port to which packets are matched This field is active only if 800 6 TCP or 800 17 UDP is selected in the IP Protocol drop down menu Range Select a range of TCP UDP source ports to...

Page 382: ...r filtering purposes STEP 5 Click Apply Defining ACL Binding When an ACL is bound to an interface its ACE rules are applied to packets arriving at that interface Packets that do not match any of the ACEs in the ACL are matched to a default rule whose action is to drop unmatched packets Although each interface can be bound to only one ACL multiple interfaces can be bound to the same ACL by grouping...

Page 383: ...and click Clear STEP 4 Select an interface and click Edit The Edit ACL Binding page is displayed STEP 5 Select the Interface to which the ACLs are to be bound STEP 6 Select one of the following Select MAC Based ACL Select a MAC based ACL to be bound to the interface Select IPv4 Based ACL Select an IPv4 based ACL to be bound to the interface Select IPv6 Based ACL Select an IPv6 based ACL to be boun...

Page 384: ... feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components Configuring QoS General QoS Basic Mode QoS Advanced Mode Managing QoS Statistics ...

Page 385: ...nt to Hardware Queues Assigns incoming packets to forwarding queues Packets are sent to a particular queue for handling as a function of the traffic class to which they belong Other Traffic Class Handling Attribute Applies QoS mechanisms to various classes including bandwidth management QoS Modes The QoS mode that is selected applies to all interfaces in the system Basic Mode Class of Service CoS ...

Page 386: ...ed to a single best effort queue so that no type of traffic is prioritized over another Only a single mode can be active at a time When the system is configured to work in QoS Advanced mode settings for QoS Basic mode are not active and vice versa When the mode is changed the following occurs When changing from QoS Advanced mode to any other mode policy profile definitions and class maps are delet...

Page 387: ...ckets will be put into the designated egress queues according to the CoS 802 1p priority in the packets This is done by using the CoS 802 1p to Queue page STEP 6 If required for Layer 3 traffic only assign a queue to each DSCP TC value by using the DSCP to Queue page STEP 7 Enter bandwidth and rate limits in the following pages a Set egress shaping per queue by using the Egress Shaping Per Queue p...

Page 388: ...he device in Basic mode Advanced QoS is enabled on the device in Advanced mode STEP 3 Select Port LAG and click GO to display modify all ports LAGs on the device and their CoS information The following fields are displayed for all ports LAGs Interface Type of interface Default CoS Default VPT value for incoming packets that do not have a VLAN Tag The default CoS is 0 The default is only relevant f...

Page 389: ...the queue the higher the weight the more frames are sent For example if all four queues are WRR and the default weights are used queue1 receives 1 15 of the bandwidth assuming all queues are saturated and there is congestion queue 2 receives 2 15 queue 3 receives 4 15 and queue 4 receives 8 15 of the bandwidth The type of WRR algorithm used in the device is not the standard Deficit WRR DWRR but ra...

Page 390: ...s happens only if strict priority queues are empty WRR Weight If WRR is selected enter the WRR weight assigned to the queue of WRR Bandwidth Displays the amount of bandwidth assigned to the queue These values represent the percent of the WRR weight STEP 3 Click Apply The queues are configured and the Running Configuration file is updated Mapping CoS 802 1p to a Queue The CoS 802 1p to Queue page m...

Page 391: ...802 1p trusted Queue 1 has the lowest priority queue 4 has the highest priority To map CoS values to egress queues STEP 1 Click Quality of Service General CoS 802 1p to Queue The CoS 802 1p to Queue page is displayed STEP 2 Enter the parameters 802 1p Displays the 802 1p priority tag values to be assigned to an egress queue where 0 is the lowest and 7 is the highest priority 1 1 Normal Best Effort...

Page 392: ... their DSCP values The original VPT VLAN Priority Tag of the packet is unchanged By simply changing the DSCP to Queue mapping and the Queue schedule method and bandwidth allocation it is possible to achieve the desired quality of services in a network The DSCP to Queue mapping is applicable to IP packets if The switch is in QoS Basic mode and DSCP is the trusted mode or The switch is in QoS Advanc...

Page 393: ...e the CIR This is defined in number of bytes of data To enter bandwidth limitation STEP 1 Click Quality of Service General Bandwidth The Bandwidth page is displayed The Bandwidth page displays bandwidth information for each interface The column is the ingress rate limit for the port divided by the total port bandwidth STEP 2 Select an interface and click Edit The Edit Bandwidth page is displayed S...

Page 394: ...frames on a per queue per port basis Egress rate limiting is performed by shaping the output load The switch limits all frames except for management frames Any frames that are not limited are ignored in the rate calculations meaning that their size is not included in the limit total Per queue Egress rate shaping can be disabled To define egress shaping per queue STEP 1 Click Quality of Service Gen...

Page 395: ...apply to rate limiting per VLAN It has lower precedence than any other traffic policing defined in the system For example if a packet is subject to QoS rate limits but is also subject to VLAN rate limiting and the rate limits conflict the QoS rate limits take precedence It is applied at the device level and within the device at the packet processor level If there is more than one packet processor ...

Page 396: ...nt even if it temporarily increases the bandwidth beyond the allowed limit Cannot be entered for LAGs STEP 4 Click Apply The VLAN rate limit is added and the Running Configuration file is updated TCP Congestion Avoidance The TCP Congestion Avoidance page enables activating a TCP congestion avoidance algorithm The algorithm breaks up or avoids TCP global synchronization in a congested node where th...

Page 397: ...m by using the QoS Properties page 2 Select the trust behavior using the Global Setting page The switch supports CoS 802 1p trusted mode and DSCP trusted mode CoS 802 1p trusted mode uses the 802 1p priority in the VLAN tag DSCP trusted mode use the DSCP value in the IP header If there is any port that as an exception should not trust the incoming CoS mark disable the QoS state on that port using ...

Page 398: ... VPT to queue can be configured in the mapping CoS 802 1p to Queue page DSCP All IP traffic is mapped to queues based on the DSCP field in the IP header The actual mapping of the DSCP to queue can be configured in the DSCP to Queue page If traffic is not IP traffic it is mapped to the best effort queue CoS 802 1p DSCP Either CoS 802 1p or DSCP whichever has been set STEP 3 Select Override Ingress ...

Page 399: ...CoS 802 1p trusted mode or DSCP trusted mode To enter QoS settings per interface STEP 1 Click Quality of Service QoS Basic Mode Interface Settings The Interface Settings page is displayed STEP 2 Select Port or LAG to display the list of ports or LAGs The list of ports LAGs is displayed QoS State displays whether QoS is enabled on the interface STEP 3 Select an interface and click Edit The Edit QoS...

Page 400: ...r applies the QoS to one or more class maps and thus one or more flows An aggregate policer can support class maps from different policies Per flow QoS are applied to flows by binding the policies to the desired ports A policy and its class maps can be bound to one or more ports but each port is bound with at most one policy Notes Single policer and aggregation policer are available when the switc...

Page 401: ... page You can also specify the QoS if needed by assigning a policer to a class map when you associate the class map to the policy Single Policer Create a policy that associates a class map with a single policer by using the Policy Table page and the Class Mapping page Within the policy define the single policer Aggregate Policer Create a QoS action for each flow that sends all matching frames to t...

Page 402: ...Not Trusted the Default CoS values configured on the interface will be used for prioritizing the traffic arriving on the interface See the Quality of Service QoS Advanced Mode Global Settings page for details If you have a policy on an interface then the Default Mode is irrelevant the action is according to the policy configuration and unmatched traffic is dropped STEP 4 Select Override Ingress DS...

Page 403: ...ic to the DSCP value used in the other domain to identify the same type of traffic These settings are active when the system is in the QoS basic mode and once activated they are active globally For example Assume that there are three levels of service Silver Gold and Platinum and the DSCP incoming values used to mark these levels are 10 20 and 30 respectively If this traffic is forwarded to anothe...

Page 404: ...s and the ACLs comprising each and enables you to add delete class maps To define a Class Map STEP 1 Click Quality of Service QoS Advanced Mode Class Mapping The Class Mapping page is displayed This page displays the already defined class maps STEP 2 Click Add The Add Class Mapping page is displayed A new class map is added by selecting one or two ACLs and giving the class map a name If a class ma...

Page 405: ...h a QoS specification There are two kinds of policers Single Regular Policer A single policer applies the QoS to a single class map and to a single flow based on the policer s QoS specification When a class map using single policer is bound to multiple ports each port has its own instance of single policer each applying the QoS on the class map flow at ports that are otherwise independent of each ...

Page 406: ...done when a class map is added to a policy If the policer is an aggregate policer you must create it using the Aggregate Policer page Defining Aggregate Policers An aggregate policer applies the QoS to one or more class maps therefore one or more flows An aggregation policer can support class maps from different policies and will apply the QoS to all its flow s in aggregation regardless of policie...

Page 407: ...le is updated Configuring a Policy The Policy Table Map page displays the list of advanced QoS polices defined in the system The page also allows you to create and delete polices Only those policies that are bound to an interface are active see Policy Binding page Each policy consists of One or more class maps of ACLs which define the traffic flows in the policy One or more aggregates that applies...

Page 408: ... Add The Add Policy Class Map page is displayed STEP 4 Enter the parameters Policy Name Displays the policy to which the class map is being added Class Map Name Select an existing class map to be associated with the policy Class maps are created in the Class Mapping page Action Type Select the action regarding the ingress CoS 802 1p and or DSCP value of all the matching packets Use default trust m...

Page 409: ... policer for the policy is a single policer Aggregate The policer for the policy is an aggregate policer Aggregate Policer Available in Layer 2 Mode only If Police Type is Aggregate select a previously defined in the Aggregate Policer page aggregate policer If Police Type is Single enter the following QoS parameters Ingress Committed Information Rate CIR Enter the CIR in Kbps See description in th...

Page 410: ...cy does not apply to traffic egress to the same port To edit a policy it must first be removed unbound from all those ports to which it is bound To define policy binding STEP 1 Click Quality of Service QoS Advanced Mode Policy Binding The Policy Binding page is displayed STEP 2 Select a Policy Name STEP 3 Select the Interface Type assigned to the policy STEP 4 Click Apply The QoS policy binding is...

Page 411: ...olicy Statistics are displayed for this policy Class Map Statistics are displayed for this class map In Profile Bytes Number of in profile bytes received Out of Profile Bytes Number of out profile bytes received STEP 2 Click Add The Add Single Policer Statistics page is displayed STEP 3 Enter the parameters Interface Select the interface for which statistics are accumulated Policy Name Select the ...

Page 412: ...ped packets based on interface queue and drop precedence NOTE QoS Statistics are shown only when the switch is in QoS Advanced Mode only This change is made in General QoS Properties To view Queues Statistics STEP 1 Click Quality of Service QoS Statistics Queues Statistics The Queues Statistics page is displayed This page displays the following fields Refresh Rate Select the time period that passe...

Page 413: ...unter Set Select the counter set Set 1 Displays the statistics for Set 1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a low DP Interface Select the ports for which statistics are displayed The options are Unit No Selects the unit number Port Selects the port on the selected unit number fo...

Page 414: ...ommunities Notification Recipients SNMP Notification Filters SNMP Versions and Workflow The switch functions as SNMP agent and supports SNMPv1 v2 and v3 It also reports system events to trap receivers using the traps defined in the supported MIBs Management Information Base SNMPv1 and v2 To control access to the system a list of community entries is defined Each community entry consists of a commu...

Page 415: ...inst disclosure message content Cipher Block Chaining CBC DES is used for encryption Either authentication alone can be enabled on an SNMP message or both authentication and privacy can be enabled on an SNMP message However privacy cannot be enabled without authentication Timeliness Protects against message delay or playback attacks The SNMP agent compares the incoming message time stamp to the me...

Page 416: ...ou choose to restrict SNMP management to one address then input the address of your SNMP Management PC in the IP Address field STEP 3 Input the unique community string in the Community String field STEP 4 Optionally enable traps by using the Trap Settings page STEP 5 Optionally define a notification filter s by using the Notification Filter page STEP 6 Configure the notification recipients on the ...

Page 417: ...h Administration Guide 408 22 STEP 7 Define a notification recipient s by using the Notification Recipients SNMPv3 page Supported MIBs For a list of supported MIBs visit the following URL and navigate to the download area listed as Cisco MIBS www cisco com cisco software navigator html ...

Page 418: ... 9 6 1 80 48 2 SG500 28 28 Port Gigabit Stackable Managed Switch 9 6 1 81 28 1 SG500 28P 28 Port Gigabit PoE Stackable Managed Switch 9 6 1 81 28 2 SG500 52 52 Port Gigabit Stackable Managed Switch 9 6 1 81 52 1 SG500 52P 52 Port Gigabit PoE Stackable Managed Switch 9 6 1 81 52 2 SG500X 24 24 Port Gigabit with 4 Port 10 Gigabit Stackable Managed Switch 9 6 1 85 24 1 SG500X 24P 24 Port Gigabit with...

Page 419: ...trative domain so that no two devices in a network have the same engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize CAUTION When the engine ID is changed all configured users and groups are erased To define the SNMP engine ID STEP 1 Click SNMP Engine ID The Engine ID page is displayed STEP 2 Choose...

Page 420: ...de through the Communities page To define SNMP views STEP 1 Click SNMP Views The Views page is displayed STEP 2 Click Add to define new views The Add View page is displayed STEP 3 Enter the parameters View Name Enter a view name between 0 30 characters Object ID Subtree Select the node in the MIB tree that is included or excluded in the selected SNMP view The options to select the object are as fo...

Page 421: ...ring acts as a password to gain access to an SNMP agent However neither the frames nor the community string are encrypted Therefore SNMPv1 and SNMPv2 are not secure In SNMPv3 the following security mechanisms can be configured Authentication The switch checks that the SNMP user is an authorized system administrator This is done for each frame Privacy SNMP frames can carry encrypted data Thus in SN...

Page 422: ... privacy If SNMPv3 is selected choose one of the following No Authentication and No Privacy Neither the Authentication nor the Privacy security levels are assigned to the group Authentication and No Privacy Authenticates SNMP messages and ensures the SNMP message origin is authenticated but does not encrypt them Authentication and Privacy Authenticates SNMP messages and encrypts them View Associat...

Page 423: ...utes of its group having the access privileges configured within the associated view Groups enable network managers to assign access rights to a group of users instead of to a single user A user can only belong to a single group To create an SNMPv3 user the following must first exist An engine ID must first be configured on the switch This is done in the Engine ID page An SNMPv3 group must be avai...

Page 424: ...P group to which the SNMP user belongs SNMP groups are defined in the Add Group page NOTE Users who belong to groups which have been deleted will remain but they are inactive Authentication Method Select the Authentication method The available authentication methods will vary according to the Group Name assigned If the group does not require authentication then the user cannot be configured any au...

Page 425: ...nagement station Communities are only defined in SNMPv1 and v2 because SNMPv3 works with users instead of communities The users belong to groups that have access rights assigned to them The Communities page associates communities with access rights either directly Basic mode or through groups Advanced mode Basic mode The access rights of a community can configure with Read Only Read Write or SNMP ...

Page 426: ...chable from other networks Link Local Interface If the IPv6 address type is Link Local select whether it is received through a VLAN or ISATAP IP Address Enter the SNMP management station IP address Community String Enter the community name used to authenticate the management station to the device Basic Select this mode for a selected community In this mode there is no connection to any group You c...

Page 427: ...ification Recipients SNMPv1 2 page or the Notification Recipients SNMPv3 page To define trap settings STEP 1 Click SNMP Trap Settings The Trap Settings page is displayed STEP 2 Select Enable for SNMP Notifications to specify that the switch can send SNMP notifications STEP 3 Select Enable for Authentication Notifications to enable SNMP authentication failure notification STEP 4 Click Apply The SNM...

Page 428: ...e by creating a filter in the Notification Filter page and attaching it to an SNMP notification recipient The notification filter enables filtering the type of SNMP notifications that are sent to the management station based on the OID of the notification that is about to be sent Defining SNMPv1 2 Notification Recipients To define a recipient in SNMPv1 2 STEP 1 Click SNMP Notification Recipients S...

Page 429: ... String names are generated from those listed in the Community page Notification Version Select the trap SNMP version Either SNMPv1 or SNMPv2 may be used as the version of traps with only a single version enabled at a time Notification Filter Select to enable filtering the type of SNMP notifications sent to the management station The filters are created in the Notification Filter page Filter Name ...

Page 430: ...tions on the recipient device Notification Type Select whether to send traps or informs If both are required two recipients must be created Timeout Enter the amount of time seconds the device waits before re sending informs traps Timeout Range 1 300 default 15 Retries Enter the number of times that the device resends an inform request Retries Range 1 255 default 3 User Name Select from the drop do...

Page 431: ...tion Filters The Notification Filter page enables configuring SNMP notification filters and Object IDs OIDs that are checked After creating a notification filter it is possible to attach it to a notification recipient in the Notification Recipients SNMPv1 2 page and Notification Recipients SNMPv3 page The notification filter enables filtering the type of SNMP notifications that are sent to the man...

Page 432: ...the selected node s parent and siblings press the Down arrow to descend to the level of the selected node s children Click nodes in the view to pass from one node to its sibling Use the scrollbar to bring siblings in view If Object ID is used the entered object identifier is included in the view if the Include in filter option is selected STEP 4 Select or deselect Include in filter If this is sele...

Page 433: ...P in active mode while hosts use passive mode The RIP feature is supported only on the SG500X platform which is always in Layer 3 router mode The switch supports 128 IP interfaces and 128 IP routes The default gateway is a static route and it is advertised by RIP in the same way as all other static routers if it is enabled by configuration When IP Routing is enabled RIP works fully When IP Routing...

Page 434: ...not sent but when RIP messages are received they are used to update the routing table information NOTE RIP can only be defined on manually configured IP interfaces meaning that RIP cannot be defined on an interface whose IP address was received from a DHCP server or whose IP address is the default IP address Offset Configuration A RIP message includes a metric number of hops for each route An offs...

Page 435: ... router rC additional 4 to the cost path as opposed to the path via router rB additional 2 to the cost path Therefore forwarding traffic via routing rB is preferred To achieve this the user configures a different offset metric value on each interface based on its line speed See Offset Configuration for more information Passive Mode Transmission of routing update messages over a specific IP interfa...

Page 436: ...efault route A default route is used to avoid listing every possible network in the routing updates when one or more closely connected routers in the system are prepared to transfer traffic to the networks that are not listed explicitly These routers create RIP entries for the address 0 0 0 0 just as if it were a network to which they are connected The user can enable the default route advertiseme...

Page 437: ...is shown in Figure13 which illustrates a network where some routers support RIP and others do not Figure13 A Network with RIP and non RIP Routers Router rA does not support RIP Therefore routing entries with an appropriate metric are configured statically on this router and on IP interfaces connected to router rA router rB In contrast routers rB and rC derive and distribute their routing entries u...

Page 438: ...an identifying number key identifier key string and optionally a send lifetime and accept lifetime value The send lifetime is the time period during which an authentication key on a key chain is valid to be sent the accept lifetime is the time period during which the authentication key on a key chain is received as valid Each transmitted RIP message contains the calculated MD5 digest of the messag...

Page 439: ... IP interface using the RIPv2 Settings page Enable passive mode on an IP interface using the RIPv2 Settings page Control which routes are processed in the incoming outgoing routing updates by specifying an IP address list on the IP interface see Configuring Access Lists Advertise default route entries on the IP interface using the RIPv2 Settings page Enable RIP authentication on an IP Interface us...

Page 440: ...r to Redistributing Static Route Configuration RIP Settings on an IP Interface To configure RIP on an IP interface STEP 1 Click IP Configuration RIPv2 RIPv2 Settings The RIPv2 Settings page is displayed STEP 2 RIP parameters are displayed per IP interface To add a new IP interface click Add to open the Add RIPv2 Settings page and enter the following fields IP Address Select an IP interface defined...

Page 441: ... select the Access List Name below Access List Name Specifies the Access List name which includes a list of IP addresses of RIP incoming routes filtering for a specified IP interface See Creating an Access List for a description of access lists Distribute list Out Specifies whether filtering is enabled disabled for RIP outgoing routes for the specified IP address es list If this field is enabled s...

Page 442: ...l click Clear All Interface Counters Displaying the RIP Peers Database To view the RIP Peers neighbors database STEP 1 Click IP Configuration RIPv2 RIPv2 Peer Router Database The RIPv2 Peer Router Database page is displayed The following fields are displayed for the peer router database Router IP Address IP interface defined on the Layer 2 interface Bad Packets Received Specifies the number of bad...

Page 443: ...s The Access List Settings page is displayed STEP 2 To add a new Access List click Add to open the Add Access List page and enter the following fields Name Define a name for the access list Source IPv4 Address Enter the source IPv4 address The following options are available Any All IP addresses are included User Defined Enter an IP address Source IPv4 Mask Enter the source IPv4 address mask type ...

Page 444: ...er an IP address Source IPv4 Mask Source IPv4 address mask type and value The following options are available Network Mask Enter the network mask for example 255 255 0 0 Prefix Length Enter the prefix length Action Action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address ...

Page 445: ...n the key identifier for sending packets is valid The fields are only described for the Accept Life Time The Send Life Time has the same fields Accept Life Time Specifies when packets with this key are accepted Select one of the following options Always Valid No limit to the life of the key identifier User Defined Life of the key chain is limited If this option is selected enter values in the foll...

Page 446: ...TEP 3 Enter the following fields Key Chain Name for the key chain Key Identifier Integer identifier for the key chain Key String Value of the key chain string NOTE Both the Accept Life Time and the Send LifeTime values can be entered The Accept Life Time indicates when the key identifier for receiving packets is valid The Send Life Time indicates when the key chain for sending packets is valid The...

Page 447: ... of the key identifier Duration Life of the key identifier is limited If this option is selected enter values in the following fields Duration Length of time that the key identifier is valid Enter the following fields Days Number of days that the key identifier is valid Hours Number of hours that the key identifier is valid Minutes Number of minutes that the key identifier is valid Seconds Number ...

Page 448: ...y of routing paths in the network In VRRP one physical router in a virtual router is elected as the master with the other physical router of the same virtual router acting as backups in case the master fails The physical routers are referred as VRRP routers The default gateway of a participating host is assigned to the virtual router instead of a physical router If the physical router that is rout...

Page 449: ... physical Ethernet interface of Router A Router A assumes the role of the virtual router master and is also known as the IP address owner As the virtual router master Router A controls the IP address of the virtual router and is responsible to route packets on behalf of the virtual router Clients 1 through 3 are configured with the default gateway IP address of 198 168 2 1 Client 4 is configured w...

Page 450: ...master is recovering both masters will forward packets and as a result there is some duplication regular behavior but no interruption For more detail on the roles that VRRP routers play and what happens if the virtual router master fails see the VRRP Router Priority and Preemption section Figure15 shows a LAN topology in which VRRP is configured Routers A and B share the traffic to and from client...

Page 451: ...d Switch Administration Guide 442 24 For virtual router 2 rB is the owner of IP address 192 168 2 2 and virtual router master and rA is the virtual router backup to rB Clients 3 and 4 are configured with the default gateway IP address of 192 168 2 2 ...

Page 452: ... on every VRRP routers that support the virtual router The following elements can be configured and customized Virtual Router Identification It must be assigned an identifier VRID and may be assigned a description The sections below describe the various attributes of the virtual router VRRP supports up to 255 virtual routers VRRP groups VRRP Versions The device supports the following VRRP version ...

Page 453: ...tual router must have an IP interface on the same IP subnet with respect to the IP addresses configured on the virtual router Assigning IP addresses to a virtual router is done according to the following rules All the VRRP routers supporting the virtual router must be configured with the same virtual router IP addresses in their configuration of the virtual router None of the IP addresses can be u...

Page 454: ...s defined on the interface If the source IP address was a default one a new default source IP address is taken VRRP Router Priority and Preemption An important aspect of the VRRP redundancy scheme is the ability to assign each VRRP router a VRRP priority The VRRP priority should express how efficiently a VRRP router would perform as a backup to a virtual router defined in the VRRP router If there ...

Page 455: ...s are sent every second by default the advertisement interval is configurable The advertisement Interval is in mS Range 50 40950 Default 1000 A non value is invalid In VRRP version 3 the operational advertise interval is rounded down the nearest 10ms In VRRP version 2 the operational advertise interval is rounded down to the nearest second The minimum operational value is 1 sec Configuring VRRP Th...

Page 456: ...alue 255 and this value cannot be changed If not enter the priority of this device based on its ability to function as a master 100 is the default for a non owner device Preempt Mode Select true false to enable disable preempt mode as described in VRRP Router Priority and Preemption Advertisement Interval Enter time interval as described in VRRP Advertisements NOTE If these parameters are changed ...

Page 457: ...enti seconds VRRPv2 256 Priority 256 Master Down Interval This is the time used to determine whether the master has failed or not This is calculated differently depending on the VRRP version as follows VRRPv3 3 Master Advertise Interval Skew time VRRPv2 3 Device Advertisement Interval Skew time Preempt Mode True False indicates whether the preemption state of the virtual router is enabled disabled...

Page 458: ... This section covers the following topics Connecting By Using a Terminal Emulation Application Connecting By Using Telnet Console Configuration Menu Navigation Console Interface Main Menu Connecting By Using a Terminal Emulation Application To establish a connection to the console interface by using a terminal emulation application Microsoft HyperTerminal in Windows XP is used here as an example c...

Page 459: ... the following connection parameters Rate in bits per second 115 200 Data bits 8 Parity None Stop bits 1 Flow control None STEP 2 Click OK The HyperTerminal window displays STEP 3 In the HyperTerminal window press Enter once or twice until the login menu displays Press Ctrl R to refresh the Menu CLI Login or to jump to the Menu CLI Login from any other window STEP 4 Enter cisco default as the User...

Page 460: ...ys STEP 3 Enter the command debug mode then press Enter then enter the command menu The Login displays Press Ctrl R to refresh the Menu CLI Login or to jump to the Menu CLI Login from any other window STEP 4 Select Edit to allow modification of the parameters STEP 5 Enter cisco default as the User Name STEP 6 Enter the password cisco default STEP 7 Press Enter NOTE If this is the first time you ha...

Page 461: ...he Open field and press Enter STEP 3 Type telnet a space and the switch IP address For example c telnet 192 168 1 114 STEP 4 Press Enter STEP 5 Enter username password The default username and password is cisco cisco STEP 6 Enter the command debug mode then press Enter then enter the command menu The Login displays Press Ctrl R to refresh the Menu CLI Login or to jump to the Menu CLI Login from an...

Page 462: ...or the action list does not display 3 Use the arrow keys to navigate to the correct field 4 Enter the parameter values or use the spacebar to toggle the values 5 Press ESC to return to the action list 6 Select Save by using the arrow keys to navigate to and highlight the action 7 Press Enter Your parameter values are saved to the Running Configuration To navigate through the lists Use the up or do...

Page 463: ...h Main Menu provides the following options System Configuration Menu Port Status Port Configuration System Mode Help Logout System Configuration Menu Use the System Configuration Menu to select one of the following options System Information Management Settings Username Password Settings Security Settings VLAN Management IP Configuration File Management Delete Startup Configuration Reboot to Facto...

Page 464: ...ersions Versions displays the software boot and hardware firmware versions General System Information Path Switch Main Menu System Configuration Menu System Information General System Information General System Information displays general information about the switch You can change the system contact details host name and system location information Management Settings Path Switch Main Menu Syste...

Page 465: ...imeout value in minutes If you do not want the Telnet session to timeout enter a value of 0 minutes SSH Configuration Path Switch Main Menu System Configuration Menu Management Settings Use the SSH Configuration menu to view or configure the following options SSH Server Configuration SSH Server Status SSH Crypto Key Generation SSH Keys Fingerprints SSH Server Configuration Path Switch Main Menu Sy...

Page 466: ...splayed when the key generation is complete STEP 5 Use UP arrow key to go the Action list SSH Keys Fingerprints Path Switch Main Menu System Configuration Menu Management Settings SSH Configuration SSH Keys Fingerprints SSH Keys Fingerprints displays the RSA and DSA keys if those keys were generated Select Refresh to update the screen SNMP Configuration Path Switch Main Menu System Configuration M...

Page 467: ...es the location or city name 1 64 characters State or Province Name Specifies the state or province name 1 64 characters Country Name Specifies the country name use 2 character code Validity Term Specifies number of days certification is valid Range 30 3650 Show Certificate Path Switch Main Menu System Configuration Menu Security Settings Use Show Certificate to view the internal SSL certificate D...

Page 468: ...Menu IP Configuration Use the IPv4 Address Configuration Menu to configure the switch IPv4 address IPv4 Address Settings Path Switch Main Menu System Configuration Menu IP Configuration Use IP Address Add IP Address Settings to add or change the switch IPv4 address IPv4 Address Enter the IPv4 address that you want to assign to the switch if the switch is disabled as a DHCP client Verify that the I...

Page 469: ...ss Configuration menu to configure the switch IPv6 address IPv6 Interface Enable Path Switch Main Menu System Configuration Menu IP Configuration IPv6 Address Configuration IPv6 Interface Enable Use IPv6 Interface Enable to select the IPv6 interface IPv6 Address Settings Path Switch Main Menu System Configuration Menu IP Configuration IPv6 Address Configuration Use the IPv6 Address Settings option...

Page 470: ...AP Enable Use the ISATAP Tunnel option to enable and to configure the IPv6 ISATAP Tunnel parameters See the Defining an IPv6 Interface section in the Configuring IP Information section for more information IPv6 ISATAP Interface Show Path Switch Main Menu System Configuration Menu IP Configuration IPv6 Address Configuration IPv6 ISATAP Interface Show The ISATAP Interface Show option displays the ac...

Page 471: ...igure the following options Ping IPv4 Ping IPv6 TraceRoute IPv4 TraceRoute IPv6 Telnet Session Ping IPv4 Path Switch Main Menu System Configuration Menu IP Configuration Network Configuration Ping IPv4 Use the Ping IPv4 option to enter the IPv4 address that you want to test Select Execute to begin the test The ping results are displayed in the Status and Statistics fields Ping IPv6 Path Switch Mai...

Page 472: ... Menu System Configuration Menu IP Configuration Network Configuration TraceRoute IPv6 Use the TraceRoute IPv6 option to enter the IPv6 address for the network route you want to trace Select Execute to begin the test TraceRoute displays the IP address status and statistics of the traceroute test in the Status and Results fields Telnet Session Path Switch Main Menu System Configuration Menu IP Conf...

Page 473: ...ways replaces the image identified as the inactive image After uploading new firmware on the switch the switch continues to boot by using the active image the old version until you change the status of the new image to be the active image You can change the image identified as the inactive image to the active image by using the procedure in the Active Image section Upgrade Backup IPv4 Path Switch ...

Page 474: ...he IP address of the TFTP server STEP 3 Change the active image using the Active Image menu STEP 4 Reboot the switch Active Image Path Switch Main Menu System Configuration Menu File Management Active Image The Active Image screen displays and configures whether Image1 or Image 2 is active and the firmware version associated with the image Delete Startup Configuration Delete the Startup Configurat...

Page 475: ... Port Status option from the Switch Main Menu displays the status of the ports for switches without PoE The Port Status option from the Switch Main Menu for switches with PoE displays the Port Status Menu that includes Port Status and PoE Status options Use Port Configuration and PoE Configuration to change the configuration of the ports Port Status Path Switch Main Menu Port Status Port Status Me...

Page 476: ...ve ports are displayed at one time Use the arrow keys to scroll up or down the list PoE Configuration Path Switch Main Menu Port Configuration Menu PoE Configuration Use PoE Configuration to change the PoE parameters on the PoE ports You can set the port Priority Low High or Critical enable PoE disable PoE and set the Power Allocation in mW System Mode Path Switch Main Menu System Mode Use System ...

Page 477: ...Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments

Related manuals for SF500-24

Brand: Datavideo Pages: 4

Brand: Datavideo Pages: 66

S5560S-EI Series

Brand: H3C Pages: 37

OfficeConnect WX4400

Brand: 3Com Pages: 528

Brand: Belkin Pages: 12

Brand: hager Pages: 4

Brand: Accton Technology Pages: 10

Brand: Lancom Pages: 23

Brand: KanexPro Pages: 35

Brand: C&C TECHNIC Pages: 2

Brand: KinAn Pages: 5

Brand: DSPPA Pages: 31

TM-1-8290/E/SVB

Brand: Eaton Pages: 2

Brand: Intermatic Pages: 1

Brand: SMC Networks Pages: 1

SIRCO MOT PV UL

Brand: socomec Pages: 20

Brand: Black Box Pages: 2

Brand: Gembird Pages: 10

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands