Cisco SF550X-24 Administration Manual Download Page 525 | Manualshive

Page: 525 / 725

background image

Security: Secure Sensitive Data Management

SSD Rules

323

Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x

18

SSD Rules and User Authentication

SSD grants SSD permission only to authenticated and authorized users and according to the
SSD rules. A device depends on its user authentication process to authenticate and authorize
management access. To protect a device and its data including sensitive data and SSD
configurations from unauthorized access, it is recommended that the user authentication
process on a device is secured. To secure the user authentication process, you can use the local
authentication database, as well as secure the communication through external authentication
servers, such as a RADIUS server. The configuration of the secure communication to the
external authentication servers are sensitive data and are protected under SSD.

NOTE

The user credential in the local authenticated database is already protected by a non SSD related
mechanism

If a user from a channel issues an action that uses an alternate channel, the device applies the
read permission and default read mode from the SSD rule that match the user credential and
the alternate channel. For example, if a user logs in via a secure channel and starts a TFTP
upload session, the SSD read permission of the user on the insecure channel (TFTP) is applied

Default SSD Rules

The device has the following factory default rules:

The default rules can be modified, but they cannot be deleted. If the SSD default rules have
been changed, they can be restored.

Table 1

Rule Key

Rule Action

User Channel

Read

Permission Default

Read

Mode

Level 15

Secure XML
SNMP

Plaintext Only

Plaintext

Level 15

Secure

Both

Encrypted

Level 15

Insecure

Both

Encrypted

All Insecure

XML

SNMP

Exclude Exclude

All Secure

Encrypted

Only

Encrypted

All Insecure

Encrypted

Only

Encrypted

«
...
523
524
525
526
527
...
»

Summary of Contents for SF550X-24

Page 1: ...Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x ADMINISTRATION GUIDE ...

Page 2: ...ration 17 Interface Naming Conventions 18 Window Navigation 19 Search Facility 22 Chapter 2 Dashboard 23 Grid Management 23 System Health 24 Resource Utilization 25 Identification 26 Port Utilization 27 PoE Utilization 27 Latest Logs 28 Suspended Interfaces 28 Stack Topology 29 Traffic Errors 30 Chapter 3 Configuration Wizards 31 Getting Started Wizard 31 VLAN Configuration Wizard 33 ACL Wizard 34...

Page 3: ...Power 48 Switched Port Analyzer SPAN and RSPAN 54 Diagnostics 57 RMON 61 sFlow 69 View Logs 72 Chapter 5 Administration 74 Device Models 74 System Settings 77 Console Settings Autobaud Rate Support 77 User Accounts 78 Idle Session Timeout 79 System Log 80 Reboot 84 Routing Resources 85 Ping 89 Traceroute 91 Chapter 6 Administration File Management 92 System Files 92 Firmware Operations 94 File Ope...

Page 4: ...ignment 119 Master Selection Process 120 Stack Changes 120 Unit Failure in Stack 121 Stack Ports 123 Software Auto Synchronization in Stack 126 Stack Management 130 Chapter 8 Administration Time Settings 132 System Time Configuration 133 SNTP Modes 134 System Time 135 SNTP Unicast 137 SNTP Multicast Anycast 139 SNTP Authentication 140 Time Range 141 Recurring Time Range 143 Chapter 9 Administratio...

Page 5: ...r 11 Smartport 219 Overview 219 How the Smartport Feature Works 224 Auto Smartport 225 Error Handling 228 Default Configuration 228 Relationships with Other Features 229 Common Smartport Tasks 229 Configuring Smartport Using The Web based Interface 231 Built in Smartport Macros 236 Chapter 12 VLAN Management 247 Overview 247 Regular VLANs 254 Private VLAN Settings 262 GVRP Settings 262 VLAN Groups...

Page 6: ...298 MSTP Instance Settings 299 MSTP Interface Settings 300 Chapter 14 Managing MAC Address Tables 303 Static Addresses 304 Dynamic Addresses 305 Reserved MAC Addresses 306 Chapter 15 Multicast 308 Multicast Forwarding Overview 308 Properties 314 MAC Group Address 315 IP Multicast Group Address 316 IPv4 Multicast Configuration 318 IPv6 Multicast Configuration 324 IGMP MLD Snooping IP Multicast Grou...

Page 7: ...ew 396 How Rip Operates on the Device 397 Configuring RIP 400 Access Lists 405 Chapter 18 IP Configuration VRRP 408 Overview 408 VRRP Topology 409 Configurable Elements of VRRP 410 Configuring VRRP 413 Chapter 19 IP Configuration SLA 417 Overview 417 Using SLA 419 Chapter 20 Security 424 Configuring TACACS 425 RADIUS 429 Password Strength 440 Key Management 442 Management Access Method 445 Managem...

Page 8: ...Authentication 495 Host and Session Authentication 498 Authenticated Hosts 499 Locked Clients 499 Web Authentication Customization 500 Chapter 22 Security Secure Sensitive Data Management 504 Introduction 504 SSD Management 505 SSD Rules 505 SSD Properties 510 Configuration Files 513 SSD Management Channels 517 Menu CLI and Password Recovery 518 Configuring SSD 518 Chapter 23 Security SSH Server 5...

Page 9: ...rtisement Guard 540 Neighbor Discovery Inspection 541 DHCPv6 Guard 541 Neighbor Binding Integrity 542 IPv6 Source Guard 544 Attack Protection 545 Policies Global Parameters and System Defaults 547 Common Tasks 549 Default Settings and Configuration 551 Configuring IPv6 First Hop Security through Web GUI 552 Chapter 26 Access Control 571 Overview 571 MAC Based ACLs Creation 575 IPv4 based ACL Creat...

Page 10: ...1 Communities 633 Trap Settings 635 Notification Recipients 636 Notification Filter 640 Chapter 29 Smart Network Application SNA 642 SNA Sessions 643 SNA Graphics 644 Top Right Hand Menu 646 Topology View 647 Right Hand Information Panel 654 Operations 667 Overlays 672 Tags 676 Search 680 Notifications 682 Device Authorization Control DAC 685 DAC Workflow 685 Services 693 Saving SNA Settings 709 T...

Page 11: ...sic or Advanced Display Mode Quick Start Device Configuration Interface Naming Conventions Window Navigation Search Facility Starting the Web based Configuration Utility This section describes how to navigate the web based switch configuration utility If you are using a pop up blocker make sure it is disabled Browser Restrictions If you are using IPv6 interfaces on your management station use the ...

Page 12: ...twork or PC Logging In The default username password is cisco cisco The first time that you log in with the default username and password you are required to enter a new password NOTE If you have not previously selected a language for the GUI the language of the Login page is determined by the language s requested by your browser and the languages configured on your device If your browser requests...

Page 13: ... 5 Enter the new password and click Apply When the login attempt is successful the Getting Started page appears If you entered an incorrect username or password an error message appears and the Login page remains displayed on the window Select Don t show this page on startup to prevent the Getting Started page from being displayed each time that you log on to the system If you select this option t...

Page 14: ...nected device such as an IP phone see What is a Smartport and it configures the port appropriately for the device These configuration commands are written to the Running Configuration file This causes the Save icon to begin blinking when the you log on even though you did not make any configuration changes When you click Save the Copy Save Configuration page appears Save the Running Configuration ...

Page 15: ...s assigned to the OOB port must not belong to any IP subnet configured at the in band interfaces of the devices By default the OOB port is configured with the default IP address 192 168 1 254 This default IP address is used when no other address was assigned dynamically or statically This sub net is a reserved one and cannot be assigned on the in band interfaces Bridging Bridging between the OOB p...

Page 16: ...vention are also not supported Only Management ACLs are supported Stack Support The OOB port name is always mapped to the physical OOB port of master unit The physical OOB ports of slaves are not functional and will not establish a link when connected to a neighbor device or PC USB Port The USB port can be used for connecting external storage disk on key devices It can hold configuration SYSLOG an...

Page 17: ...he user switches from basic to advanced the browser reloads the page However after reload the user stays on the same page When the user switches from advanced to basic the browser reloads the page If the page exists also on the basic mode the user stays on the same page If the page does not exist in the basic mode the browser will load the first page of the folder which was used by the user If the...

Page 18: ... the Forums link takes you to the Support Community page Category Link Name on the Page Linked Page Initial Setup Manage Stack Administration Stack Management Change Management Applications and Services TCP UDP Services Change Device IP Address IPv4 Interface Create VLAN VLAN Settings Configure Port Settings Port Settings Device Status System Summary System Summary Port Statistics Interface RMON S...

Page 19: ...e 350 family Gigabit Ethernet ports 10 100 1000 bits These are displayed as GE Supported only on the 350 family Ten Gigabit Ethernet ports 1000 10 000 Mbps These are displayed as XG Out of Band Port This is displayed as OOB LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Unit Number Number of the unit in the stack The unit number to...

Page 20: ...en made that have not yet been saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the device After this save the red X icon and the Save application link are no longer displayed When the...

Page 21: ...configuration utility labels disappear and in their place are the IDs of the strings that correspond to the IDs in the language file NOTE To upgrade a language file use the Upgrade Backup Firmware Language page Logout Click to log out of the web based switch configuration utility About Click to display the device name and device version number Help Click to display the online help The SYSLOG Alert...

Page 22: ...artup Configuration file type on the device Apply Click to apply changes to the Running Configuration on the device If the device is rebooted the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Configuration file type on the device Ca...

Page 23: ...e copied Click Copy Settings to display the popup 2 Enter the destination entry numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The Edit page appears and the entry can be...

Page 24: ...d Switches Firmware Release 2 2 5 x 21 To access the search function enter a key word and click on the magnifying glass icon The following is an example of the results when searching for the keyword CDP If you are in Basic mode links to pages in Advanced mode are displayed but not available ...

Page 25: ...n the dashboard loads the modules you selected for the dashboard are loaded in their locations in the grid The data in the modules is updated periodically in intervals depending on the module type These intervals are configurable for some modules This following topics are covered in this chapter Grid Management System Health Resource Utilization Identification Port Utilization PoE Utilization Late...

Page 26: ...ing a module from the list of modules on the right and dragging and dropping it to any space in the grid The modules are divided into the following groups Small Modules are modules that take up a single square Large Modules take up two squares If you drag a module into a space currently occupied the new module replaces the previous one You can re arrange the placement of the modules in the grid by...

Page 27: ...d three buttons These button perform the following Pencil Opens configuration options depending on the module Refresh Refreshes the information X Removes the module from the dashboard System Health This module displays information about device temperature when such information is available for a standalone device or for each device in the stack as shown below The following icons are shown Fan Stat...

Page 28: ... options displayed System Health Click to open the Health and Power page Resource Utilization This module displays the utilization status in terms of a percentage of the various system resources as a bar chart as shown below The resources monitored are Multicast Groups Percentage of Multicast groups that exist out of the maximum possible number that are permitted to be defined MAC Address Table Pe...

Page 29: ...ddresses TCAM Utilization Information Click to open TCAM Utilization CPU Utilization Information Click to open CPU Utilization Identification This module displays basic information regarding the device and stack as shown below It displays the following fields System Description Displays description of the device Host Name Entered in the System Settings page or default is used Also can be added in ...

Page 30: ...the device The following configuration options right hand corner are available Refresh Time Select one of the options displayed System Settings Click to open System Settings System Summary Click to open System Summary Port Utilization This modules displays the ports on the device in either device or chart view The view is selected in the configuration options pencil icon in upper right corner Disp...

Page 31: ...26 2 Display Mode Chart View A list of ports is displayed The port utilization is displayed in bar format For each port the following port utilization information is displayed Tx green Rx blue Refresh Time Select one of the displayed options Interface Statistics Lick to link to the Status and Statistics Interface page ...

Page 32: ...dial from the traps threshold to 100 is red In the middle of the gauge the actual PoE utilization value is shown in watts Each bar represents the PoE utilization percentage value of the device on a scale of 0 to 100 If the PoE utilization is higher than the traps threshold the bar is red Otherwise the bar is green When hovering on a bar a tooltip appears showing the actual PoE utilization of the u...

Page 33: ...le displays interfaces that have been suspended in either device or table view The view is selected in the configuration options pencil icon in upper right corner Device View In this view the device is displayed This is shown below When units are connected in a stack a drop down selector enables the user to select the device to be viewed All suspended ports in the device are shown as red Hovering ...

Page 34: ...ay Mode Select either Device View or Table View Refresh Time Select one of the options displayed Error Recovery Settings Click to open Error Recovery Settings Stack Topology NOTE Stacking is only supported on the SG350 except for the Sx350 and SG550 family of devices This module is a graphic representation of the stack topology and is identical in behavior to the Stack Topology View section in the...

Page 35: ...error packets of various types that are counted on the RMON statistics The view is selected in the configuration options pencil icon in upper right corner The following can be selected in from the pencil icon Display Mode Device View The device module mode displays a diagram of the device as shown below In stacking mode a drop down selector enables you to select the device to be viewed All suspend...

Page 36: ...X SG550XG Series Managed Switches Firmware Release 2 2 5 x 2 Last traffic error Traffic error that occurred on a port and the last time the error occurred Refresh Time Select one of the refresh rates Traffic Error Information Click to link to the Statistics page ...

Page 37: ...izard and Next STEP 3 Enter the fields System Location Enter the physical location of the device System Contact Enter the name of a contact person Host Name Select the host name of this device This is used in the prompt of CLI commands Use Default The default hostname System Name of these switches is switch123456 where 123456 represents the last three bytes of the device MAC address in hex format ...

Page 38: ... of the DNS server STEP 6 Click Next STEP 7 Enter the fields Username Enter a new user name between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must comply with the policy configured in Password Strength Confirm Password Enter the password again Password Stre...

Page 39: ... mode STEP 1 Click Configuration Wizards VLAN Configuration Wizard STEP 2 Click Launch Wizard and Next STEP 3 Select the ports that are to be configured as trunk port by clicking with mouse on the required ports in the graphical display Ports that are already configured as Trunk ports are pre selected STEP 4 Click Next STEP 5 Enter the fields VLAN ID Select the VLAN you want to configure You can s...

Page 40: ... Interface Drop packets that meet the ACL criteria and disable the port from where the packets received Such ports can be reactivated from the Error Recovery Settings page STEP 6 For a MAC based ACL enter the fields Source MAC Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source MAC Value Enter the MAC address to whic...

Page 41: ...Any IP Accept all IP protocols packets TCP Accept Transmission Control Protocols packets UDP Accept User Datagram Protocols packets ICMP Accept ICMP Protocols packets IGMP Accept IGMP Protocols packets Source Port for TCP UDP Select a port from the drop down list Destination Port for TCP UDP Select a port from the drop down list Source IPAddress Select Any if all source address are acceptable or U...

Page 42: ...TEP 9 Confirm that you want the ACL and ACE to be created The details of the ACL rule are displayed You can click Add another rule to this ACL to add another rule STEP 10 Click Next and enter the ACL Binding information Binding Type Select one of the following options to bind the ACL Physical interfaces only Bind the ACL to a port In this case click a port or ports on which to bind the ACL VLANs o...

Page 43: ...x 34 Status and Statistics This section describes how to view device statistics It covers the following topics System Summary CPU Utilization Interface Etherlike Port Utilization GVRP 802 1X EAP ACL TCAM Utilization Health and Power Switched Port Analyzer SPAN Diagnostics RMON sFlow View Logs ...

Page 44: ...t the device host name is composed of the word switch concatenated with the three least significant bytes of the device MAC address the six furthest right hexadecimal digits System Object ID Unique vendor identification of the network management subsystem contained in the entity used in SNMP System Uptime Time that has elapsed since the last reboot Current Time Current system time Base MAC Address...

Page 45: ... Services page HTTP Service Whether HTTP is enabled disabled HTTPS Service Whether HTTPS is enabled disabled SNMP Service Whether SNMP is enabled disabled Telnet Service Whether Telnet is enabled disabled SSH Service Whether SSH is enabled disabled PoE Power Information on Master Unit on devices supporting PoE PoE Power Information on Master Unit Click on Detail to link you directly to the Overvie...

Page 46: ... management and protocol traffic no matter how much total traffic is received SCT is enabled by default on the device and cannot be disabled There are no interactions with other features To display CPU utilization STEP 1 Click Status and Statistics CPU Utilization The CPU Input Rate field displays the rate of input frames to the CPU per second The window contains a graph displaying CPU utilization...

Page 47: ...ce Ethernet statistics are refreshed The Receive Statistics area displays information about incoming packets Total Bytes Octets Octets received including bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets received Multicast Packets Good Multicast packets received Broadcast Packets Good Broadcast packets received Packets with Errors Packets with errors receiv...

Page 48: ...s Etherlike STEP 2 Enter the parameters Interface Select the specific interface for which Ethernet statistics are to be displayed Refresh Rate Select the amount of time that passes before the Etherlike statistics are refreshed The fields are displayed for the selected interface NOTE If one of the following fields shows a number of errors not 0 a Last Update time is displayed Frame Check Sequence F...

Page 49: ...the interface Ethernet statistics are refreshed The following fields are displayed for each port Interface Name of port Tx Utilization Amount of bandwidth used by outgoing packets Rx Utilization Amount of bandwidth used by incoming packets To view a graph of historical utilization over time on the port select a port and click the click View Interface History Graph In addition to the above the foll...

Page 50: ...kets per interface These are displayed for Received and Transmitted packets Join Empty GVRP Join Empty packets received transmitted Empty GVRP empty packets received transmitted Leave Empty GVRP Leave Empty packets received transmitted Join In GVRP Join In packets received transmitted Leave In GVRP Leave In packets received transmitted Leave All GVRP Leave All packets received transmitted The GVRP...

Page 51: ...by the port EAPOL Start Frames Received EAPOL Start frames received on the port EAPOL Logoff Frames Received EAPOL Logoff frames received on the port EAP Response ID Frames Received EAP Resp ID frames received on the port EAP Response Frames Received EAP Response frames received by the port other than Resp ID frames EAP Request ID Frames Transmitted EAP Req ID frames transmitted by the port EAP Re...

Page 52: ...ayed Global Trapped Packet Counter Number of packets trapped globally due to lack of resources Trapped Packets Port LAG Based The interfaces on which packets forwarded or rejected based on ACL rules Trapped Packets VLAN Based The VLANs on which packets forwarded or rejected based on ACL rules STEP 3 To manage statistics counters Click Clear Counters to clear the counters of all interfaces TCAM Uti...

Page 53: ...routing Maximum Number of available router TCAM entries that can be used for IPv4 Multicast routing IPv4 Policy Based Routing In Use Number of router TCAM entries used for IPv4 Policy based routing Maximum Number of available router TCAM entries that can be used for IPv4 Policy based routing IPv6 Routing In Use Number of router TCAM entries used for IPv6 Multicast routing Maximum Number of availab...

Page 54: ...n the SG550 series The RPS 2300 is a backup for AC power It is used for supplying power to the device if the AC power supply stops working It is only supported on the 550 family If it becomes necessary to switch to the backup power the device changes between the power sources without reboot and without any disruption to the device operation The device polls the RPS status every 1 sec if RPS is pro...

Page 55: ...e if it overheats and during the cool down period after overheating Event Action At least one temperature sensor exceeds the Warning threshold The following are generated SYSLOG message SNMP trap At least one temperature sensor exceeds the Critical threshold The following are generated SYSLOG message SNMP trap The following actions are performed System LED is set to solid amber if hardware support...

Page 56: ...unt of the power that will be saved on the device during one week This value is calculated based on the savings that occurred during the previous week Current PoE Power Savings Current amount of the PoE power saved on ports that have PDs connected to them and on which PoE is not operational due to the Time Range feature Cumulative PoE Power Savings Cumulative amount of the PoE power since the devi...

Page 57: ...s The following values are possible Ready Redundant fan is operational but not required Active One of the main fans is not working and this fan is replacing it Temperature The options are OK The temperature is below the warning threshold Warning The temperature is between the warning threshold to the critical threshold Critical Temperature is above the critical threshold N A Not relevant Main Powe...

Page 58: ...Port number of PD port1 PD Port 1 Status Connected or not connected PD Port 1 Type Type of PD PD Port 1 Budget Maximum amount of power that can be can be allocated for device PSE operation PD Port 2 ID Port number of PD port1 PD Port 2 Status Connected or not connected PD Port 2 Type Type of PD PD Port 2 Budget Maximum amount of power that can be can be allocated for device PSE operation If the de...

Page 59: ...pply is being used Failure Main power has failed Redundant Provides the status of the redundant power supply Displays one of the following Active Redundant Power Supply RPS supply is being used Available RPS is connected but is not being used Not Available RPS is connected but is already providing power to other devices Not Connected The RPS is not connected Present The RPS is connected Ethernet P...

Page 60: ...or an intrusion detection system is required A network analyzer connected to the monitoring port processes the data packets The device can mirror up to eight interfaces per session A packet which is received on a network port and assigned to a VLAN that is subject to mirroring is mirrored to the analyzer port even if the packet was eventually trapped or discarded Packets sent by the device are mir...

Page 61: ...dles various types of traffic The RSPAN VLAN must be configured on all the intermediate switches NOTE RSPAN does not always successfully copy all the packets when they are arrive from multiple sources simultaneously If accurate monitoring is required the TCAM based mirror policy can be used RSPAN Workflow The following workflow describes how to configure the start intermediate and final switches S...

Page 62: ...ugh the switch via the RSPAN VLAN Final Switch 1 Define the RSPAN VLAN This RSPAN VLAN must be the same in the start intermediate and final switches 2 Ensure that the source port which is connected to the intermediate switch is a member of the RSPAN VLAN 3 Define the Source Interface as Remote VLAN 4 Define a destination port and make sure it is not in the RSPAN VLAN 5 Define the Destination Type ...

Page 63: ...llowing options Local Interface Is the destination port on the same device as the source ports relevant to SPAN Remote VLAN Is the destination port on a different device than the source port relevant to RSPAN If the Destination Type is Remote VLAN configure the following field Reflector Port Select a unit port that functions as a target port on the first device If the Destination Type is Local Int...

Page 64: ...Port mirroring on incoming packets Tx Port mirroring on outgoing packets STEP 6 Click Apply The source interface for the mirroring is configured Diagnostics This section contains information for configuring port mirroring running cable tests and viewing device operational information It covers the following topics Copper Ports Tests Optical Module Status Tech Support Information Copper Ports Tests...

Page 65: ...own state and communications are interrupted After the test the port returns to the Up state It is not recommended that you run the copper port test on a port you are using to run the web based switch configuration utility because communications with that device are disrupted To test copper cables attached to ports STEP 1 Click Status and Statistics Diagnostics Copper Test STEP 2 Select the unit a...

Page 66: ...ic polarity detection and correction has been activated for the wire pair Pair Skew Difference in delay between wire pairs Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable transceiver The following GE SFP 1000Mbps transceivers are supported MGBBX1 1000BASE BX 20U SFP transceiver for single mode fiber 1310 nm wave...

Page 67: ... of optical transceiver PID VLAN ID VID ID of optical transceiver Temperature Temperature Celsius at which the SFP is operating Voltage SFPs operating voltage Current SFPs current consumption Output Power Transmitted optical power Input Power Received optical power Transmitter Fault Remote SFP reports signal loss Values are True False and No Signal N S Loss of Signal Local SFP reports signal loss ...

Page 68: ... correct thresholds relative to your network s base line RMON decreases the traffic between the manager and the device since the SNMP manager does not have to poll the device frequently for information and enables the manager to get timely status reports since the device reports events as they occur With this feature you can perform the following actions View the current statistics from the time t...

Page 69: ...FCS octets but excluding framing bits Drop Events Packets dropped Packets Received Good packets received including Multicast and Broadcast packets Broadcast Packets Received Good Broadcast packets received This number does not include Multicast packets Multicast Packets Received Good Multicast packets received CRC Align Errors CRC and Align errors that have occurred Undersize Packets Undersized pa...

Page 70: ...at were sent or received Frames of 512 to 1023 Bytes Frames containing 512 1023 bytes that were sent or received Frames of 1024 Bytes or More Frames containing 1024 2000 bytes and Jumbo Frames that were sent or received STEP 4 To view counters in table view or graphic view Click View All Interfaces Statistics to see all ports in table view Click Graphic View to display these results in graphic for...

Page 71: ...w History table entry Source Interface Select the type of interface from which the history samples are to be taken Max No of Samples to Keep Enter the number of samples to store Sampling Interval Enter the time in seconds that samples are collected from the ports The field range is 1 3600 Owner Enter the RMON station or user that requested the RMON information STEP 4 Click Apply The entry is added...

Page 72: ...lign Errors CRC and Align errors that have occurred Undersize Packets Undersized packets less than 64 octets received Oversize Packets Oversized packets over 2000 octets received Fragments Fragments packets with less than 64 octets received excluding framing bits but including FCS octets Jabbers Total number of received packets that longer than 2000 octets This number excludes frame bits but inclu...

Page 73: ...munity must be defined using the Notification Recipients pages for the trap to reach the Network Management Station Description Enter a name for the event This name is used in the Add RMON Alarm page to attach an alarm to an event Notification Type Select the type of action that results from this event Values are None No action occurs when the alarm goes off Log Event Log Table Add a log entry to ...

Page 74: ...r setting thresholds and sampling intervals to generate exception events on counters or any other SNMP object counter maintained by the agent Both the rising and falling thresholds must be configured in the alarm After a rising threshold is crossed no rising events are generated until the companion falling threshold is crossed After a falling alarm is issued the next alarm is issued when a rising ...

Page 75: ...gers the rising threshold alarm Rising Event Select an event to be performed when a rising event is triggered Events are configured in the RMON Events Control page Falling Threshold Enter the value that triggers the falling threshold alarm Falling Event Select an event to be performed when a falling event is triggered Startup Alarm Select the first event from which to start generation of alarms Ri...

Page 76: ...ysis sFlow V5 defines How traffic is monitored The sFlow MIB that controls the sFlow agent The format of the sample data used by the sFlow agent when forwarding data to a central data collector The device provides support for two types of sFlow sampling flow sampling and counters sampling The following counters sampling is performed according to sFlow V5 if supported by the interface Generic inter...

Page 77: ...inition is By IPAddress IP Version Select whether an IPv4 or an IPv6 address for the server is used IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local addr...

Page 78: ... collected Flow Sampling State Enable disable flow sampling Sampling Rate If x is entered a flow sample will be taken for each x frames Maximum Header Size Maximum number of bytes that should be copied from a sampled packet Receiver Index Select one of the indices that was defined in the sFlow Receiver Settings pages Counter Sampling State Enable disable counters sampling Sampling Interval If x is...

Page 79: ...che in chronological order Entries are stored in the RAM log according to the configuration in the Log Settings page Pop Up SYSLOG Notifications When a new SYSLOG message is written to the RAM log file a notification is displayed in the web GUI showing its contents The web GUI will poll the RAM log every 10 seconds Notifications pop ups for all SYSLOGs created in the last 10 seconds will appear at...

Page 80: ...ash Memory The Flash Memory page displays the messages that stored in the Flash memory in chronological order The minimum severity for logging is configured in the Log Settings page Flash logs remain when the device is rebooted You can clear the logs manually To view the Flash logs click Status and Statistics View Log Flash Memory The Current Logging Threshold specifies the levels of logging that ...

Page 81: ...w system information and configure various options on the device It covers the following topics Device Models System Settings Console Settings Autobaud Rate Support Stack Management User Accounts Idle Session Timeout Time Settings System Log File Management Reboot Routing Resources Discovery Bonjour Discovery LLDP Discovery CDP Ping Traceroute ...

Page 82: ...edundant Fans Quantity Temperature Sensor SG350 10 SG350 10 10 port Gigabit Managed Switch 0 SG350 10P SG350 10P 10 port Gigabit POE Managed Switch 0 SG355 10P SG355 10P 10 port Gigabit POE Managed Switch Internal Power Supply 0 SG350 10MP SG350 10MP 10 port Gigabit Max POE Managed Switch 1 SG350 28 SG350 28 28 port Gigabit Managed Switch 0 SG350 28P SG350 28P 28 port Gigabit POE Managed Switch 2 ...

Page 83: ...4 SF550X 24 24 Port 10 100 Stackable Managed Switch 2 SF550X 24P 24 Port 10 100 PoE Stackable Managed Switch 4 SF550X 24MP 24 Port 10 100 PoE Stackable Managed Switch 5 SF550X 48 48 Port 10 100 Stackable Managed Switch 2 SF550X 48P 48 Port 10 100 PoE Stackable Managed Switch 5 SF550X 48MP 48 Port 10 100 PoE Stackable Managed Switch 5 SG550XG 8F8T 16 port Ten Gigabit Stackable Switch with RPS Suppo...

Page 84: ...ormat User Defined Enter the hostname Use only letters digits and hyphens Host names cannot begin or end with a hyphen No other symbols punctuation characters or blank spaces are permitted as specified in RFC1033 1034 1035 Custom Banner Settings The following banners can be set Login Banner Enter text to display on the Login page before login Click Preview to view the results Welcome Banner Enter ...

Page 85: ...evice and pressing the Enter key twice The device detects the baud rate automatically To enable Auto Detection or to manually set the baud rate of the console STEP 1 Click Administration Console Settings STEP 2 Select one of the following options in the Console Port Baud Rate field Auto Detection The console baud rate is detected automatically Static Select one of the available speeds STEP 3 Click...

Page 86: ... suitable log message is generated to the terminal STEP 3 Click Add to add a new user or click Edit to modify a user STEP 4 Enter the parameters User Name Enter a new username between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must comply with the policy con...

Page 87: ...sion timeout for various types of sessions STEP 1 Click Administration Idle Session Timeout STEP 2 Select the timeout for the each type of session from the corresponding list The default timeout value is 10 minutes STEP 3 Click Apply to set the configuration settings on the device Time Settings See Administration Time Settings System Log This section describes the system logging which enables the ...

Page 88: ...severity levels are listed from the highest severity to the lowest severity as follows Emergency System is not usable Alert Action is needed Critical System is in a critical condition Error System is in error condition Warning System warning has occurred Notice System is functioning properly but a system notice has occurred Informational Device information Debug Detailed information about an event...

Page 89: ... aggregated Originator Identifier Enables adding an origin identifier to SYSLOG messages The options are None Do not include the origin identifier in SYSLOG messages Hostname Include the system host name in SYSLOG messages IPv4 Address Include the IPv4 address of the sending interface in SYSLOG messages IPv6 Address Include the IPv6 address of the sending interface in SYSLOG messages User Defined ...

Page 90: ...he remote log server by IP address or name IP Version Select the supported IP format IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 10 is not routable and can be used for communication only on the local network Only one link local address is suppo...

Page 91: ...figuration to the Startup Configuration For more information on files and file types see the System Files section You can back up the device configuration by using the File Operations page or clicking Save at the top of the window You can also upload the configuration from a remote device in the same page You might want to set the time of the reboot for some time in the future This could happen fo...

Page 92: ... If you specify the month and day the reload is scheduled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight The reload must...

Page 93: ...s can be modified incorrectly in one of the following ways The number of router TCAM entries you allocate is less than the number currently in use The number of router TCAM entries that you allocate is greater than the maximum available for that category maximum values are displayed on the page To view and modify routing resources STEP 1 Click Administration Routing Resources The following fields ...

Page 94: ... Count is the number of Multicast routes recorded on the device and TCAM Entries is the number of TCAM entries being used for the Multicast routes Maximum Entries Select one of the following options Use Default Use default values User Defined Enter a value IPv4 Policy Based Routing Resources IPv4 Policy Based Routes 4 TCAM entries per route Count is the number of Multicast routes recorded on the d...

Page 95: ...AM Entries is the number of TCAM entries being used for the Multicast routes Maximum Entries Select one of the following options Use Default Use default values User Defined Enter a value IPv6 Policy Based Routing Resources IPv6 Policy Based Routes 4 TCAM entries per route Count is the number of Multicast routes recorded on the device and TCAM Entries is the number of TCAM entries being used for th...

Page 96: ...ntries that can be used for IPv4 Policy based routing IPv6 Routing In Use Number of TCAM entries utilized for IPv6 routing Maximum Maximum number of TCAM entries available for IPv6 Routing IPv6 Multicast Routing In Use Number of TCAM entries utilized for IPv6 Multicast routing Maximum Maximum number of TCAM entries available for IPv6 Multicast routing IPv6 Policy Based Routing In Use Number of rou...

Page 97: ...ol Message Protocol ICMP echo request packets to the target host and waiting for an ICMP response sometimes called a pong It measures the round trip time and records any packet loss To ping a host STEP 1 Click Administration Ping STEP 2 Configure ping by entering the fields Host Definition Select whether to specify the source interface by its IP address or name This field influences the interfaces...

Page 98: ...l Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select from where it is received Destination IPAddress Name Address or host name of the device to be pinged Whether this is an IP address or host name depends on the Host Definition Ping Interval Length of time the system waits between ping packets Ping is repeated the ...

Page 99: ...ication messages If the Host Definition field was By Name all IPv4 and IPv6 addresses will be displayed in this drop down field If the Host Definition field was By IPAddress only the existing IP addresses of the type specified in the IP Version field will be displayed Host IPAddress Name Enter the host address or name TTL Enter the maximum number of hops that Traceroute permits This is used to pre...

Page 100: ...flash system folder is a system file Various actions can be performed with these files such as selecting the firmware file from which the device boots copying various types of configuration files internally on the device or copying files to or from an external device such as an external server Configuration files on the device are defined by their type and contain the settings and parameter values...

Page 101: ...vice when the following conditions exist The device has been operating continuously for 24 hours No configuration changes have been made to the Running Configuration in the previous 24 hours The Startup Configuration is identical to the Running Configuration Only the system can copy the Startup Configuration to the Mirror Configuration However you can copy from the Mirror Configuration to other fi...

Page 102: ...ack master will automatically upgrade the firmware of a newly added unit if the unit does not have identical firmware as the master There are two firmware images stored on the device One of the images is identified as the active image and other image is identified as the inactive image When updating the device s firmware the new firmware is always overwriting the inactive image After uploading new...

Page 103: ... server By IP address or By name If Server Definition is By Address IP Version If Server Definition is By Address Select whether an IPv4 or an IPv6 address for the server is used IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and c...

Page 104: ...ble SSH server authentication which is disabled by default click Edit by Remote SSH Server Authentication This takes you to the SSH Server Authentication page to configure the SSH server STEP 4 Return to this page STEP 5 Select one of the following methods to perform SSH Client Authentication Use SSH Client System Credentials Sets permanent SSH user credentials Click System Credentials to go to th...

Page 105: ...the link local interface from the list Server IPAddress Name Enter the IP address or domain name of the SCP server whichever is relevant Update Source Enter the name of the source file Backup Destination Enter the name of the backup file STEP 7 Click Apply If the files passwords and server addresses are correct one of the following may happen If SSH server authentication is enabled in the SSH Serv...

Page 106: ...n files are taken from the master unit When restoring a configuration file to the Running Configuration the imported file adds any configuration commands that did not exist in the old file and overwrites any parameter values in the existing configuration commands When restoring a configuration file to the Startup Configuration the new file replaces the previous file When restoring to Startup Confi...

Page 107: ...TTPS USB or Internal Flash STEP 1 Click Administration File Management File Operations STEP 2 Enter the following fields Operation Type Select Update File Destination File Type Select one of the configuration file types to update Copy Method Select HTTP HTTPS USB or Internal Flash File Name Enter name of file to be updated from source file STEP 3 Click Apply to begin the operation To update a syst...

Page 108: ...k local interface from the list Server IPAddress Name Enter the IP address or name of the TFTP server Source Enter the update file name STEP 3 Click Apply to begin the operation To update a system configuration file using SCP STEP 1 Click Administration File Management File Operations STEP 2 Enter the following fields Operation Type Select Update File Destination File Type Select one of the config...

Page 109: ...n be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface from the list Server IPAddress Name Enter the I...

Page 110: ...ields Operation Type Select Backup File Source File Type Select one of the configuration file types to backup Copy Method Select USB or Internal Flash File Name Enter name of destination backup file Sensitive Data Handling Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypt Include sensitive...

Page 111: ...ication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface from the list Server IPAddress Name Enter the IP address or name of...

Page 112: ... if required SSH Client Authentication Client authentication can be done in one of the following ways Use SSH Client System Credentials Sets permanent SSH user credentials Click System Credentials to go to the SSH User Authentication page where the user password can be set once for all future use Use SSH Client One Time Credentials Enter the following Username Enter a username for this copy action...

Page 113: ...in the backup in its plaintext form NOTE The available sensitive data options are determined by the current user SSD rules For details refer to Secure Sensitive Data Management SSD Rules page STEP 4 Click Apply to begin the operation To copy a system configuration file to another type of configuration file STEP 1 Click Administration File Management File Operations STEP 2 Enter the following field...

Page 114: ...ermissions Read write permissions of the user for the file Size Size of file Last Modified Date and time that file was modified Full Path Path of file DHCP Auto Configuration Image Update The Auto Configuration Image Update feature provides a convenient method to automatically configure switches in a network and upgrade their firmware This process enables the administrator to remotely ensure that ...

Page 115: ...rator The first time that it applies for its IP address from the DHCP server the device downloads and reboots itself with the configuration file and or image specified by the DHCP server The Auto Configuration process supports downloading a configuration file that includes sensitive information such as RADIUS server keys and SSH SSL keys by using the Secured Copy Protocol SCP and the Secure Sensit...

Page 116: ...ss and configuration file name path from the DHCP messages received if any In addition DHCP Image Update uses the indirect file name of the firmware if any in the messages This information is specified as DHCP options in the Offer message coming from the DHCPv4 servers and in the Information Reply messages coming from DHCPv6 servers If this information is not found in the DHCP server messages back...

Page 117: ... by the DHCP server the Backup Server IPAddress Name and the Backup Configuration File Name from the DHCP Auto Configuration Image Update is used The new configuration file is used if its name is different than the name of the configuration file previously used on the device or if the device has never been configured The device is rebooted with the new configuration file at the end of the Auto Con...

Page 118: ...n the following conditions are fulfilled The IP address of the device is dynamically assigned renewed at reboot or explicitly renewed by administrative action or automatically renewed due to an expiring lease Explicit renewal can be activated in the IPv4 Interface page If Auto Image Update is enabled the Auto Image Update process is triggered when an indirect image file name is received from a DHC...

Page 119: ...ole stack For auto configuration the new configuration file is downloaded to the master unit and synchronized to backup before reload For auto image update the new image is copied and saved to the inactive image of the master unit As the part of the copy process the master unit synchronizes the image to all the units in the stack before the reload A configuration file that is placed on the TFTP SC...

Page 120: ...ted this becomes the Running Configuration file DHCP Server Configure the DHCP server with the following options DHCPv4 66 single server address or 150 list of server addresses 67 name of configuration file DHCPv6 Option 59 server address Options 60 name of configuration file plus indirect image file name separated by a comma Auto Image Update Preparations To prepare the DHCP and TFTP SCP servers ...

Page 121: ...s field to enable DHCP Auto Configuration This feature is enabled by default but can be disabled here Download Protocol Select one of the following options Auto by File Extension Select to indicate that Auto Configuration uses the TFTP or SCP protocol depending on the extension of the configuration file If this option is selected the extension of the configuration file does not necessarily have to...

Page 122: ... on the Enable Disable link to navigate to the SSH Server Authentication page There you can enable authentication of the SSH server to be used for the download and enter the trusted SSH server if required SSH Client Authentication Click on the System Credentials link to enter user credentials in the SSH User Authentication page Backup Server Definition Select whether the backup server will be conf...

Page 123: ...ackup Indirect Image File Name Enter the indirect image file name to be used This is a file that holds the path to the image An example of an indirect image file name is indirect cisco scp This file contains the path and name of the firmware image The following fields are displayed Last Auto Configuration Image Server IPAddress Address of the last backup server Last Auto Configuration File Name Na...

Page 124: ...zation in Stack Stack Management Stack Management Overview Devices can either function on their own or they can be connected into a stack of devices in various stacking modes see Stack Unit Mode By default a device is always stackable but has no port configured as a stack port All the ports in the devices are configured as network ports by default A device without any stack port can be thought of ...

Page 125: ... dynamically By adding a unit the administrator can dynamically increase the number of ports in the stack while maintaining a single point of management Similarly units can be removed to decrease network capacity The stacked system supports redundancy in the following ways The backup unit becomes the master of the stack if the original master fails The stack system supports two types of topologies...

Page 126: ...be a master enabled unit When the master enabled unit fails the stack continues to function as long as there is a backup unit the active unit that assumes the master role If the backup unit fails in addition to the master and the only functioning units are the slave units these also stop functioning after one minute This means for example that if after 1 minute you plug in a cable to a port of one...

Page 127: ...types of topologies Chain Topology Each unit is connected to the neighboring unit but there is no cable connection between the first and last unit See Stack Architecture Chain Topology shows a chain topology Ring Topology Each unit is connected to the neighboring unit The last unit is connected to the first unit The following shows a ring topology of an eight unit stack Stack in Ring Topology 550 ...

Page 128: ...he stack fails During topology discovery each unit in a stack exchanges packets which contain topology information After the topology discovery process is completed each unit contains the stack mapping information of all units in the stack Unit ID Assignment After topology discovery is completed each unit in a stack is assigned a unique unit ID The unit ID is set in the Stack Management page in on...

Page 129: ... The following shows a case where two units manually assigned the same unit ID Unit 1 does not join the stack and is shut down It did not win the master selection process between the master enabled units 1 or 2 Duplicate Unit Shut Down The following shows a case where one of the duplicate units auto numbered is renumbered Duplicate Unit Renumbered ...

Page 130: ...unt in the following priority System Up Time The master enabled units exchange up time which is measured in segments of 10 minutes The unit with the higher number of segments is selected If both units have the same number of time segments and the unit ID of one of the units was set manually while the other unit s unit ID was set automatically the unit with the manually defined unit ID is selected ...

Page 131: ...When units are added or removed to and from a stack it triggers topology changes master election process and or unit ID assignment Connecting a New Unit When a unit is inserted into the stack a stack topology change is triggered The unit ID is assigned in case of auto numbering and the unit is configured by the master One of the following cases can occur when connecting a new unit to an existing s...

Page 132: ...to be the master unit The best unit is the unit with the higher uptime in segments of 10 minutes The other unit is made the backup Auto numbered Master enabled Unit The following shows what happens when a user assigned master enabled unit with Unit ID 1 joins a stack that already has a master unit with user assigned unit ID 1 The newer Unit 1 does not join the stack and is shutdown User assigned M...

Page 133: ...ACP and GVRP are not synchronized When a master is being configured it synchronizes the backup immediately Synchronization is performed as soon as a command is executed This is transparent If a unit is inserted into a running stack and is selected as a backup unit the master synchronizes it so that it has an up to date configuration and then generates a SYNC COMPLETE SYSLOG message This is a uniqu...

Page 134: ...nd the slave unit Packet forwarding on the slave unit resumes after the state of its ports are set to forwarding by the master according to STP NOTE Packet flooding to unknown Unicast MAC addresses occurs until the MAC addresses are learned or relearned Reconnecting the Original Master Unit After Failover After failover if the original master is connected again the master selection process is perf...

Page 135: ...G1 and XG2 or interfaces XG3 and XG4 Other combination of interlaces in the same stack LAG is not supported Stack Port States Stack ports can be in one of the following states Down Port operational status is down or stack port operational status is up but traffic cannot pass on the port Active Stack port was added to a stack LAG whose stack port operational status is up and traffic can pass on the...

Page 136: ... be active the remainder of the stack ports are set to standby mode inactive Default Stack and Network Ports All ports are configured as network ports by default Auto Selection of Port Speed The stacking cable type is discovered automatically when the cable is connected to the port auto discovery is the default setting The system automatically identifies the stack cable type and selects the highes...

Page 137: ...on Each unit in a stack automatically downloads firmware from the master unit if the firmware which the unit and the master are running is different The unit automatically reboots itself to run the new version Stack Ports or Network Ports Connector Type All ports Cisco SFP H10GB CU1M Passive Copper Cable 1G 10G Cisco SFP H10GB CU3M Passive Copper Cable 1G 10G Cisco SFP H10GB CU5M Passive Copper Ca...

Page 138: ...k Management page as described below Change Stacking Mode Change of stacking mode requires system reboot and changing from Native to Hybrid mode erases device configuration Before changing from the Native to the Hybrid mode it is recommended to save the configuration file to an external server for example via TFTP or HTTP Changing from Hybrid Stacking mode to Native Stacking mode does not erase th...

Page 139: ...630 400 Feature Table Sx550X SG550XG Hybrid Stack Feature Table SG350X SG350XG Hybrid Stack OOB port Not Supported Supported Not Supported MAC table size 16K 64K 16K ACL TCAM 1K reserved 2K reserved 1K reserved Router TCAM 992 affects also default and Max setting per each type 7168 affects also default and Max setting per each type 992 affects also default and Max setting per each type ARP table s...

Page 140: ...eplaced by a unit of a different type for example FE unit most of the port based configuration VLANs STP ACL 802 1x etc are applied automatically to the new port type Some static port type related configuration will fail and errors might be reported for example if port speed was configured to 1GB and this port number in the new unit supports up to 100Mbps speed but this will not cause the rest of ...

Page 141: ...ack in which all of the units are of the same type Hybrid Stacking Device is part of a stack that can consist of either mixed types of 350 devices or mixed types of 550 devices but not a mix of 350 and 550 devices Stack Topology Displays whether the topology of the stack is chain or ring Stack Master Displays the unit ID of the master unit of the stack Stack Topology View This view provides a grap...

Page 142: ...splays the stacking port number unit that it is connected to if there is one the port speed and its connection status See an example of this in the following Click on a black network ports that you want to select as a stacking port The network port then becomes yellow to indicate that it will be a stacking port If you click on a yellow stacking port it becomes a network port black STEP 3 To config...

Page 143: ...t Stack Management 135 Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 7 STEP 4 Click Apply and Reboot The parameters are copied to the Running Configuration file and the stack is rebooted ...

Page 144: ...le systems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The device supports Simple Network Time Protocol SNTP and when enabled the device dynamically synchronizes the device time with time from an SNTP server T...

Page 145: ...information The configuration of time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device ...

Page 146: ...supply DHCP option 100 in order for dynamic time zone configuration to take place SNTP Modes The device can receive system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the device listens to these broadcasts When the device is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmissi...

Page 147: ... Enter the following parameters Clock Source Settings Select the source used to set the system clock Main Clock Source SNTP Servers If this is enabled the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the SNTP Multicast Anycast page Optionally enforce authentication of the SNTP sessions by using the SNTP Authentication pag...

Page 148: ...esent this time zone This acronym appears in the Actual Time field Daylight Savings Settings Select how DST is defined Daylight Savings Select to enable Daylight Saving Time Time Set Offset Enter the number of minutes offset from GMT ranging from 1 1440 The default is 60 Daylight Savings Type Click one of the following USA DST is set according to the dates used in the USA European DST is set accor...

Page 149: ...onfigure DNS server s on the device see DNS Settings To add a Unicast SNTP server STEP 1 Click Administration Time Settings SNTP Unicast STEP 2 Enter the following fields SNTP Client Unicast Select to enable the device to use SNTP predefined Unicast clients with Unicast SNTP servers IPv4 Source Interface Select the IPv4 interface whose IPv4 address will be used as the source IPv4 address in messag...

Page 150: ...conds The host determines the value of this offset using the algorithm described in RFC 2030 Delay Estimated round trip delay of the server s clock relative to the local clock over the network path between them in milliseconds The host determines the value of this delay using the algorithm described in RFC 2030 Source How the SNTP server was defined for example manually or from DHCPv6 server Inter...

Page 151: ...e SNTPserver for system time information All NTP servers that are registered for polling are polled and the clock is selected from the server with the lowest stratum level distance from the reference clock that is reachable The server with the lowest stratum is considered to be the primary server The server with the next lowest stratum is a secondary server and so forth If the primary server is do...

Page 152: ...ets are transmitted to all SNTP servers on the subnet STEP 3 Click Add to select the interface for SNTP Select an interface STEP 4 Click Apply to save the settings to the Running Configuration file SNTP Authentication SNTP clients can authenticate responses by using HMAC MD5 An SNTP server is associated with a key which is used as input together with the response itself to the MD5 function the res...

Page 153: ...pted Enter the key used for authentication up to eight characters in encrypted format The SNTP server must send this key for the device to synchronize to it Authentication Key Plaintext Enter the key used for authentication up to eight characters in plaintext format The SNTP server must send this key for the device to synchronize to it Trusted Key Select to enable the device to receive synchroniza...

Page 154: ...me ranges are reached The device supports a maximum of 10 absolute time ranges All time specifications are interpreted as local time Daylight Saving Time does not affect this To ensure that the time range entries take effect at the desired times the system time must be set The time range feature can be used for the following Limit access of computers to the network during business hours for exampl...

Page 155: ...peration to certain time periods within the absolute range To add a recurring time range element to an absolute time range STEP 1 Click Administration Time Settings Recurring Range The existing recurring time ranges are displayed filtered per a specific absolute time range STEP 2 Select the absolute time range to which to add the recurring range STEP 3 To add a new recurring time range click Add S...

Page 156: ...Discovery packets to interfaces with IP addresses that have been associated with Bonjour on the Bonjour Discovery Interface Control table Use to IPv4 Interface to configure an IP address to an interface If an interface such as a VLAN is deleted the device will send out Bonjour Goodbye packets to the interface to deregister itself and its services Neighbor devices receiving the Goodbye packets will...

Page 157: ...their capabilities By default the device sends an LLDP CDP advertisement periodically to all its interfaces and processes incoming LLDP and CDP packets as required by the protocols In LLDP and CDP advertisements are encoded as TLV Type Length Value in the packet The following CDP LLDP configuration notes apply CDP LLDP can be enabled or disabled globally or per port The CDP LLDP capability of a po...

Page 158: ...t of the STP status of an interface If 802 1x port access control is enabled at an interface the device transmits and receives CDP LLDP packets to and from the interface only if the interface is authenticated and authorized If a port is the target of mirroring then CDP LLDP considers it down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise the...

Page 159: ...ronments LLDP standardizes methods for network devices to advertise themselves to other systems and to store discovered information LLDP enables a device to advertise its identification configuration and capabilities to neighboring devices that then store the data in a Management Information Base MIB The network management system models the topology of the network by querying these MIB databases L...

Page 160: ...4 Associate LLDP MED network policies and the optional LLDP MED TLVs to the desired interfaces by using the LLDP MED Port Settings page 5 If Auto Smartport is to detect the capabilities of LLDP devices enable LLDP in the Properties page 6 Display overloading information by using the LLDP Overloading page LLDP Properties The Properties page enables entering LLDP general parameters such as enabling ...

Page 161: ...dvertise the MAC address of the device Host Name Advertise the host name of the device STEP 3 In the LED MED Properties Fast Start Repeat Count field enter the number of times LLDP packets are sent when the LLDP MED Fast Start mechanism is initialized This occurs when a new endpoint device links to the device For a description of LLDP MED refer to the LLDP MED Network Policy section STEP 4 Click A...

Page 162: ...tware version System Name System s assigned name in alpha numeric format The value equals the sysName object System Description Description of the network entity in alpha numeric format This includes the system s name and versions of the hardware operating system and networking software supported by the device The value equals the sysDescr object System Capabilities Primary functions of the device...

Page 163: ... Do not advertise the management IP address Manual Advertise Select this option and the management IP address to be advertised We recommend you select this option when the device is configured with multiple IP addresses IPAddress If Manual Advertise was selected select the Management IP address from the addresses provided 802 1 VLAN and Protocol PVID Select to advertise the PVID in the TLV Port Pr...

Page 164: ...th DSCP 46 Network policies are associated with ports by using the LLDP MED Port Settings page An administrator can manually configure one or more network policies and the interfaces where the policies are to be sent It is the administrator s responsibility to manually create the VLANs and their port memberships according to the network policies and their associated interfaces In addition an admin...

Page 165: ...network policies for the outgoing LLDP packets using the LLDP MED Port Settings LLDP MED Port Settings The LLDP MED Port Settings page enables the selection of the LLDP MED TLVs and or the network policies to be included in the outgoing LLDP advertisement for the desired interfaces Network policies are configured using the LLDP MED Network Policy page NOTE If LLDP MED Network Policy for Voice Appl...

Page 166: ...station that supports MED is discovered for example a SNMP managing system when there is a topology change Selected Optional TLVs Select the TLVs that can be published by the device by moving them from the Available Optional TLVs list to the Selected Optional TLVs list Selected Network Policies Select the LLDP MED policies to be published by LLDP by moving them from the Available Network Policies ...

Page 167: ...tus Global Information Chassis ID Subtype Type of chassis ID for example MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the device appears System Name Name of device System Description Description of the device in alpha numeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled...

Page 168: ... is a MAC address the MAC address of the device appears System Name Name of device System Description Description of the device in alpha numeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled System Capabilities Primary enabled function s of the device Port ID Subtype Type of the port identifier that is shown Port ID Identifier of port...

Page 169: ...erfaces collision detection and bit injection into the network for example 100BASE TX full duplex mode 802 3 Details 802 3 Maximum Frame Size The maximum supported IEEE 802 3 frame size 802 3 Link Aggregation Aggregation Capability Indicates whether the interface can be aggregated Aggregation Status Indicates whether the interface is aggregated Aggregation Port ID Advertised aggregated interface I...

Page 170: ...ection of the remote link partner s Tx value Remote Rx Echo Indicates the local link partner s reflection of the remote link partner s Rx value 4 Wire Power via MDI 4 Pair PoE Supported Indicates system and port support enabling the 4 pair wire true only for specific ports that have this HW ability Spare Pair Detection Classification Required Indicates that the 4 pair wire is needed PD Spare Pair ...

Page 171: ...tware version Serial Number Device serial number Manufacturer Name Device manufacturer name Model Name Device model name Asset ID Asset ID Location Information Civic Street address Coordinates Map coordinates latitude longitude and altitude ECS ELIN Emergency Call Service ECS Emergency Location Identification Number ELIN Network Policy Table Application Type Network policy application type for exa...

Page 172: ...ion STEP 2 Select the interface for which LLDP neighbor information is to be displayed This page displays the following fields for the selected interface Local Port Number of the local port to which the neighbor is connected Chassis ID Subtype Type of chassis ID for example MAC address Chassis ID Identifier of the 802 LAN neighboring device s chassis Port ID Subtype Type of the port identifier tha...

Page 173: ...ndicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Enabled System Capabilities Primary enabled function s of the device Management Address Table Address Subtype Managed address subtype for example MAC or IPv4 Address Managed address Interface Subtype Port subtype Interface Number Port number MAC PHY Details Auto Negoti...

Page 174: ...wer Priority Port power priority PD Requested Power Value Amount of power requested by the pod device PSE Allocated Power Value Amount of power allocated by the PSE to the PD 4 Wire Power via MDI 4 Pair PoE Supported Indicates system and port support enabling the 4 pair wire true only for specific ports that have this HW ability Spare Pair Detection Classification Required Indicates that the 4 pai...

Page 175: ...n of the remote link partner s Rx value MED Details Capabilities Supported MED capabilities enabled on the port Current Capabilities MED TLVs advertised by the port Device Class LLDP MED endpoint device class The possible device classes are Endpoint Class 1 Indicates a generic endpoint class offering basic LLDP services Endpoint Class 2 Indicates a media endpoint class offering media streaming cap...

Page 176: ...tocol VLAN IDs VLAN IDs VLAN ID Table VID Port and Protocol VLAN ID VLAN Name Advertised VLAN names Protocol IDs Protocol ID Advertised protocol IDs Location Information Enter the following data structures in hexadecimal as described in section 10 2 4 of the ANSI TIA 1057 standard Civic Civic or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s E...

Page 177: ... displays LLDP statistical information per port To view the LLDP statistics STEP 1 Click Administration Discovery LLDP LLDP Statistics For each port the fields are displayed Interface Identifier of interface can also be the OOB port Tx Frames Total Number of transmitted frames Rx Frames Total Number of received frames Discarded Total number of received frames that discarded Errors Total number of ...

Page 178: ...rface Port identifier This can also be an OOB port Total Bytes In Use Total number of bytes of LLDP information in each packet Available Bytes Left Total number of available bytes left for additional LLDP information in each packet Status Whether TLVs are being transmitted or if they are overloaded STEP 2 To view the overloading details for a port select it and click Details This page contains the...

Page 179: ...byte size Status If the LLDP MED 802 3 TLVs packets sent or if they overloaded LLDP Optional TLVs Size Bytes Total LLDP MED optional TLVs packets byte size Status If the LLDP MED optional TLVs packets sent or if they overloaded LLDP MED Inventory Size Bytes Total LLDP MED inventory TLVs packets byte size Status If the LLDP MED inventory packets sent or if they overloaded Total Total Bytes Total nu...

Page 180: ... global parameters using the CDP Properties page STEP 2 Configure CDP per interface using the CDP Interface Settings page STEP 3 If Auto Smartport is used to detect the capabilities of CDP devices enable CDP in the Properties page See Smartport Types for a description of how CDP is used to identify devices for the Smartport feature To enter CDP general parameters STEP 1 Click Administration Discov...

Page 181: ...t time 180 seconds User Defined Enter the time in seconds CDP Transmission Rate The rate in seconds at which CDP advertisement updates are sent The following options are possible Use Default Use the default rate 60 seconds User Defined Enter the rate in seconds Device ID Format Select the format of the device ID MAC address or serial number The following options are possible MAC Address Use the MA...

Page 182: ...AN data Native VLAN or Duplex By setting these properties it is possible to select the types of information to be provided to devices that support the LLDP protocol The LLDP MED TLVs to be advertised can be selected in the LLDP MED Port Settings page To define the CDP interface settings STEP 1 Click Administration Discovery CDP Interface Settings This page displays the following CDP information fo...

Page 183: ...AN information in the incoming frame does not match what the local device is advertising Syslog Duplex Mismatch Select to enable sending a SYSLOG message when duplex information mismatch is detected This means that the duplex information in the incoming frame does not match what the local device is advertising STEP 3 Enter the relevant information and click Apply The port settings are written to t...

Page 184: ...ll half duplex TLV Appliance TLV Appliance ID Type of device attached to port advertised in the appliance TLV Appliance VLAN ID VLAN on the device used by the appliance for instance if the appliance is an IP phone this is the voice VLAN Extended Trust TLV Extended Trust Enabled indicates that the port is trusted meaning that the host server from which the packet is received is trusted to mark the ...

Page 185: ...he supplier s request to the pod device for its Power Consumption TLV The device always displays No Preference in this field 4 Wire Power via MDI UPOE TLV Displays whether this TLV is supported 4 Pair PoE Supported Displays whether PoE is supported Spare Pair Detection Classification Required Displays whether this classification is required PD Spare Pair Desired State Displays the PD spare pair de...

Page 186: ...bor Neighbor Interface Outgoing interface of the neighbor STEP 4 Select a device and click Details This page contains the following fields about the neighbor Device ID Identifier of the neighboring device ID System Name Name of the neighboring device ID Local Interface Interface number of port through which frame arrived Advertisement Version Version of CDP Time to Live Time interval in seconds af...

Page 187: ...first value is received The interface transitions to Down Available Power Amount of power consumed by port Management Power Level Displays the supplier s request to the pod device for its Power Consumption TLV The device always displays No Preference in this field Power Request Request ID Last power request ID received echoes the Request ID field last received in a Power Requested TLV It is 0 if n...

Page 188: ...s and are used for the Smartport feature See Discovery CDP for more information CDP statistics for a port are only displayed if CDP is enabled globally and on the port This is done in the CDP Properties page and the CDP Interface Settings page To view CDP statistics STEP 1 Click Administration Discovery CDP CDP Statistics The following fields are displayed for every interface including the OOB por...

Page 189: ...Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 8 STEP 2 To clear all counters on all interfaces click Clear All Interface Counters To clear all counters on an interface select it and click Clear Interface Counters ...

Page 190: ...form the following actions 1 Configure port by using the Port Settings page 2 Enable disable the Link Aggregation Control LAG protocol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP param...

Page 191: ...t experience link flap events Jumbo Frames Check to support packets of up to 9 KB in size If Jumbo Frames is not enabled default the system supports packet size up to 2 000 bytes Note that receiving packets bigger than 9 KB might cause the receiving port to shutdown Also sending packets bigger than 10 KB bytes might cause the receiving port to shutdown For jumbo frames to take effect the device mu...

Page 192: ...k status of the port Not relevant for the OOB port Time Range Select to enable the time range during which the port is in Up state When the time range is not active the port is in shutdown If a time range is configured it is effective only when the port is administratively Up Time Range Name Select the profile that specifies the time range Not relevant for the OOB port If a time range is not yet d...

Page 193: ...l devices The options are Max Capability All port speeds and duplex mode settings can be accepted 10 Half 10 Mbps speed and Half Duplex mode does not appear on XG devices 10 Full 10 Mbps speed and Full Duplex mode does not appear on XG devices 100 Half 100 Mbps speed and Half Duplex mode does not appear on XG devices 100 Full 100 Mbps speed and Full Duplex mode 1000 Full 1000 Mbps speed and Full D...

Page 194: ... device to automatically detect the correct pinouts for connection to another device Operational MDI MDIX Displays the current MDI MDIX setting Protected Port Select to make this a protected port A protected port is also referred as a Private VLAN Edge PVE The features of a protected port are as follows Protected Ports provide Layer 2 isolation between interfaces Ethernet ports and LAGs that share...

Page 195: ...tions 802 1x Single Host Violation Select to enable automatic error recovery when the port has been shut down by 802 1x ACL Deny Select to enable automatic error recovery mechanism by an ACL action STP BPDU Guard Select to enable automatic error recovery mechanism when the port has been shut down by STP BPDU guard STP Loopback Guard Enable automatic recovery when the port has been shut down by STP...

Page 196: ...d the packet Loopback Detection operates independently of STP After a loop is discovered the port that received the loops is placed in the Shut Down state A trap is sent and the event is logged Network managers can define a Detection Interval that sets the time interval between LBD packets The following loop cases can be detected by the Loopback Detection protocol Shorted wire Port that loop backs...

Page 197: ...ck detection is not enabled by default Interactions with Other Features If STP is enabled on a port on which Loopback Detection is enabled the port must be in STP forwarding state Configuring LBD To enable and configure LBD STEP 1 Enable Loopback Detection system wide in the Loopback Detection Settings page below STEP 2 Enable Loopback Detection on access ports in the Loopback Detection Settings p...

Page 198: ...the configuration to the Running Configuration file Link Aggregation This section describes how to configure LAGs It covers the following topics Link Aggregation Overview Default Settings and Configuration Static and Dynamic LAG Workflow LAG Management LAG Settings LACP Link Aggregation Overview Link Aggregation Control Protocol LACP is part of the IEEE specification 802 3az that enables you to bu...

Page 199: ...on Layer 2 or Layer 3 packet header information The device supports two modes of load balancing By MAC Addresses Based on the destination and source MAC addresses of all packets By IP and MAC Addresses Based on the destination and source IP addresses for IP packets and destination and source MAC addresses for non IP packets LAG Management In general a LAG is treated by the system as a single logic...

Page 200: ... Settings page To configure a dynamic LAG perform the following actions 1 Enable LACP on the LAG Assign up to 16 candidates ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List by using the LAG Management page 2 Configure various aspects of the LAG such as speed and flow control by using the LAG Settings page 3 Set the LACP priority and timeout of t...

Page 201: ...n the selected LAG This makes it a dynamic LAG This field can only be enabled after moving a port to the LAG in the next field Unit Slot Displays the stacking member for which LAG information is defined Port List Move those ports that are to be assigned to the LAG from the Port List to the LAG Members list Up to eight ports per static LAG can be assigned and 16 ports can be assigned to a dynamic L...

Page 202: ...ently active or inactive Administrative Auto Negotiation Enables or disable auto negotiation on the LAG Auto negotiation is a protocol between two link partners that enables a LAG to advertise its transmission speed and flow control to its partner the Flow Control default is disabled It is recommended to keep auto negotiation enabled on both sides of an aggregate link or disabled on both sides whi...

Page 203: ...h used to determine which of the candidate ports become active member ports in a dynamic LAG configured with more than eight candidate ports The selected candidate ports of the LAG are all connected to the same remote device Both the local and remote switches have a LACP system priority The following algorithm is used to determine whether LACP port priorities are taken from the local or remote dev...

Page 204: ...ol This device s ports are not yet configured to LACP If the LAG link cannot come up the device cannot ever become configured A similar case occurs with dual NIC network boot computers e g PXE which receive their LAG configuration only after they bootup When several LACP configured ports are configured and the link comes up in one or more ports but there are no LACP responses from the link partner...

Page 205: ... Overview UDLD Global Settings UDLD Interface Settings UDLD Neighbors UDLD Overview UDLD is a Layer 2 protocol that enables devices connected through fiber optic or twisted pair Ethernet cables to detect unidirectional links A unidirectional link occurs whenever traffic from a neighboring device is received by the local device but traffic from the local device is not received by the neighbor The p...

Page 206: ...ort UDLD or The neighbor does not receive traffic from the local device The UDLD action in this case depends on the UDLD mode of the device as explained below UDLD supports the following modes of operation Normal If the link state of the port is determined to be bi directional and the UDLD information times out while the link on the port is still up UDLD tries to re establish the state of the port...

Page 207: ...D mode A notification is issued Device is in aggressive UDLD mode The port is shut down While the interface is in the bidirectional or the undetermined state the device periodically sends a message each message time seconds The above steps are performed over and over A port that was shut down can be reactivated manually in the Error Recovery Settings page For more information see Reactivating a Sh...

Page 208: ...ctional If you want UDLD to be enabled on a copper port you must enable it per port When you globally enable UDLD it is only enabled on fiber ports Set the UDLD mode to normal when you do not want to shut down ports unless it is known for sure that the link is unidirectional Set the UDLD mode to aggressive when you want both unidirectional and bidirectional link loss Dependencies On Other Features...

Page 209: ...the UDLD Global Settings page a Enter the Message Time b In the Fiber Port UDLD Default State field enter either Disabled Normal or Aggressive as the global UDLD status STEP 2 Click Apply Workflow2 To change the UDLD configuration of a fiber port or to enable UDLD on a copper port perform the following steps STEP 1 Open the UDLD Global Settings page a Select a port b Select either Default Disabled...

Page 210: ...relevant for fiber ports The UDLD state of copper ports must be set individually in the UDLD Interface Settings page The possible states are Disabled UDLD is disabled on all ports of the device Normal Device shuts down an interface if the link is unidirectional If the link is undetermined a notification is issued Aggressive Device shuts down an interface if the link is uni directional If the link ...

Page 211: ...are Detection The latest UDLD state of the port is in the process of being determined Expiration time has not yet expired since the last determination if there was one or since UDLD began running on the port so that the state is not yet determined Bidirectional Traffic sent by the local device is received by its neighbor and traffic from the neighbor is received by the local device Undetermined Th...

Page 212: ...determined Expiration time has not yet expired since the last determination if there was one or since UDLD began running on the port so that the state is not yet determined Bidirectional Traffic sent by the local device is received by its neighbor and traffic from the neighbor is received by the local device Undetermined The state of the link between the port and its connected port cannot be deter...

Page 213: ...D over existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure Features PoE provides the following features Eliminates the need to run 110 220 V AC power to all devices on a wired LAN Removes the necessity for placing all network devices next to power sources Eliminates the need to deploy double cabling systems in an...

Page 214: ...imit The maximum power the device agrees to supply is limited to the value the system administrator configures regardless of the Classification result Class Power Limit The maximum power the device agrees to supply is determined by the results of the Classification stage This means that it is set as per the Client s request PoE Devices Uplink ports may function as a Powered Device PD with 1 or 2 P...

Page 215: ...PoE AF AT SF350 48 N A N A SF350 48P N A 60W PoE AF AT SF350 48MP N A 60W PoE AF AT SG350 10P 60W PoE AF AT AF AT SG355 10P 60W PoE AF AT AF AT SG350 10MP 60W PoE AF AT AF AT SG350 10SFP AF AT N A SG350 28P N A 60W PoE AF AT SG350 28MP N A 60W PoE AF AT SG350 52P N A 60W PoE AF AT SG350 52MP N A 60W PoE AF AT SG350X 24P N A 60W PoE AF AT SG350X 24MP N A 60W PoE af at SG350X 48P N A 60W PoE AF AT S...

Page 216: ...power a PSE is allowed to supply to a PD During device operation to change the mode from Class Power Limit to Port Limit and vice versa The power values per port that configured for the Port Limit mode are retained SG350X 48MP N A 60W PoE AF AT SF550X 24P N A 60W PoE AF AT SF550X 24MP N A 60W PoE AF AT SF550X 48P N A 60W PoE AF AT SF550X 48MP N A 60W PoE AF AT SG550X 24P N A 60W PoE AF AT SG550X 2...

Page 217: ...ntains the up down status of the PoE port link Turns off power delivery to the PoE port Logs the reason for turning off power Generates an SNMP trap PoE Properties NOTE This section is only relevant for devices supporting PoE The PoE Properties page enables selecting either the Port Limit or Class Limit PoE mode and specifying the PoE traps to be generated These settings are entered in advance Whe...

Page 218: ...ystem PoE information for enabling PoE on the interfaces and monitoring the current power usage and maximum power limit per port when the PoE mode is Port Limit NOTE PoE can be configured on the device for a specific period This feature enables you to define per port the days in the week and the hours that PoE is enabled When the time range is not active PoE is disabled To use this feature a time ...

Page 219: ...strative Status Enable or disable PoE on the port Time Range Select to enabled PoE on the port Time Range Name If Time Range has been enabled select the time range to be used Time ranges are defined in the Time Range page To define a new time range click Edit Priority Level Select the port priority low high or critical for use when the power supply is low For example if the power supply is running...

Page 220: ...the pod device identifies itself to the PSE Signatures are generated during pod device detection classification or maintenance The Class Limit Settings page displays system PoE information for enabling PoE on the interfaces and monitoring the current power usage and maximum power limit per port NOTE PoE can be configured on the device for a specific period This feature enables you to define per po...

Page 221: ... Name If Time Range has been enabled select the time range to be used Time ranges are defined in the Time Range page Click Edit to got to the Time Range page Priority Level Select the port priority low high or critical for use when the power supply is low For example if the power supply is running at 99 usage and port 1 is prioritized as high but port 3 is prioritized as low port 1 receives power ...

Page 222: ...vice detection classification or maintenance STEP 4 Click Apply The PoE settings for the port are written to the Running Configuration file Statistics This page displays the power consumption trend which is the average power consumption over time This is useful for monitoring and debugging of PoE behavior The device stores PoE port consumption values in units of watts over time This enables calcul...

Page 223: ...t Counters Overload Counter Number of overload conditions detected Short Counter Number of short conditions detected Denied Counter Number of denied conditions detected Absent Counter Number of absent conditions detected Invalid Signature Counter Number of invalid signature conditions detected The following operations can be performed in the main page Clear Event Counters Clear the displayed event...

Page 224: ... friendly and to reduce the power consumption of a device Green Ethernet is different from EEE in that Green Ethernet energy detect is enabled on all devices whereas only Gigabyte ports are enable with EEE The Green Ethernet feature can reduce overall power usage in the following ways Energy Detect Mode On an inactive link the port moves into inactive mode saving power while keeping the Administra...

Page 225: ...ystem Summary page the LEDs that are displayed on the device board pictures are not affected by disabling the LEDs Power savings current power consumption and cumulative energy saved can be monitored The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Ethernet mode The saved energy d...

Page 226: ... save power during periods of no traffic 802 3az EEE supports IEEE 802 3 MAC operation at 100 Mbps and 1000 Mbps LLDP is used to select the optimal set of parameters for both devices If LLDP is not supported by the link partner or is disabled 802 3az EEE still be operational but it might not be in the optimal operational mode The 802 3az EEE feature is implemented using a port mode called Low Powe...

Page 227: ...y for 802 3az EEE In addition to the capabilities described above 802 3az EEE capabilities and settings are also advertised using frames based on the organizationally specific TLVs defined in Annex G of IEEE Std 802 1AB protocol LLDP LLDP is used to further optimize 802 3az EEE operation after auto negotiation is completed The 802 3az EEE TLV is used to fine tune system wake up and refresh duratio...

Page 228: ... the port it is enabled by default c Select whether to enable or disable advertisement of 802 3az EEE capabilities through LLDP in 802 3 Energy Efficient Ethernet EEE LLDP it is enabled by default STEP 4 To see 802 3 EEE related information on the local device open the LLDP Local Information page and view the information in the 802 3 Energy Efficient Ethernet EEE block STEP 5 To display 802 3az EE...

Page 229: ...tings are only displayed for devices that have GE ports EEE works only when ports are set to Auto negotiation The exception is that EEE is still functional even when Auto Negotiation is disabled but the port is at 1GB or higher The Short reach and Energy Detect features are always enabled on XG devices and cannot be disabled On devices with FE or GE ports these features can be enabled or disabled ...

Page 230: ...gy Efficient Ethernet EEE State of the port regarding the EEE feature Administrative Displays whether EEE was enabled Operational Displays whether EEE is currently operating on the local port This is a function of whether it has been enabled Administrative Status whether it has been enabled on the local port and whether it is operational on the local port LLDP Administrative Displays whether adver...

Page 231: ...ent Green Ethernet 181 Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 9 STEP 7 Click Apply The Green Ethernet port settings are written to the Running Configuration file ...

Page 232: ...ay to save and share common configurations By applying the same Smartport macro to multiple interfaces the interfaces share a common set of configurations A Smartport macro is a script of CLI Command Line Interface commands A Smartport macro can be applied to an interface by the macro name or by the Smartport type associated with the macro Applying a Smartport macro by macro name can be done only ...

Page 233: ...port described in the Voice VLAN section LLDP CDP for Smartport described in the Discover LLDP and Discovery CDP sections respectively Additionally typical work flows are described in the Common Smartport Tasks section What is a Smartport A Smartport is an interface to which a built in or user defined macro may be applied These macros are designed to provide a means of quickly configuring the devi...

Page 234: ...ro by the following methods The associated Smartport type Statically from a Smartport macro by name only from the CLI A Smartport macro can be applied by its Smartport type statically from CLI and GUI and dynamically by Auto Smartport Auto Smartport derives the Smartport types of the attached devices based on CDP capabilities LLDP system capabilities and or LLDP MED capabilities The following desc...

Page 235: ...iod Unknown If a Smartport macro is applied to an interface and an error occurs the interface is assigned the Unknown status In this case the Smartport and Auto Smartport features do not function on the interface until you correct the error and applies the Reset action performed in the Interface Settings that resets the Smartport status See the workflow area in Common Smartport Tasks section for t...

Page 236: ... To associate a user defined macro to a Smartport type its anti macro must be defined as well smartport type name for example my_printer no_smartport type name for example no_my_printer Smartport macros are bound to Smartport types in the Type Settings page See Built in Smartport Macros for a listing of the built in Smartport macros for each device type Applying a Smartport Type to an Interface Wh...

Page 237: ...tings page Show Diagnostics popup After the source of the problem is determined and the existing configuration or Smartport macro is corrected you must perform a reset operation to reset the interface before it can be reapplied with a Smartport type in the Interface Settings pages See the workflow area in Common Smartport Tasks section for troubleshooting tips How the Smartport Feature Works You c...

Page 238: ...ort types to interfaces the Auto Smartport feature must be enabled globally and on the relevant interfaces which Auto Smartport should be allowed to configure By default Auto Smartport is enabled and allowed to configure all interfaces The Smartport type assigned to each interface is determined by the CDP and LLDP packets received on the each interface respectively If multiple devices are attached...

Page 239: ...ies After reception of these CDP and or LLDP packets the device derives the appropriate Smartport type for phone and applies the corresponding Smartport macro to the interface where the IP phone attaches Unless Persistent Auto Smartport is enabled on an interface the Smartport type and resulting configuration applied by Auto Smartport is removed if the attaching device s ages out links down reboot...

Page 240: ... Relay 0x400 Ignore LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IETF RFC 2108 2 Ignore MAC Bridge IEEE Std 802 1D 3 Switch WLAN Access Point IEEE Std 802 11 MIB 4 Wireless Access Point Router IETF RFC 1812 5 Router Telephone IETF RFC 4293 6 ip_phone DOCSIS cable device IETF RFC 4639 and IETF RFC 4546 7 Ignore Station Only IETF RFC 429...

Page 241: ...ersistent Auto Smartport Interface If the Persistent status of an interface is enabled its Smartport type and the configuration that is already applied dynamically by Auto Smartport remains on the interface even after the attaching device ages out the interface goes down and the device is rebooted assuming the configuration was saved The Smartport type and the configuration of the interface are no...

Page 242: ...y OUI Common Smartport Tasks This section describes some common tasks to setup Smartport and Auto Smartport Workflow1 To globally enable Auto Smartport on the device and to configure a port with Auto Smartport perform the following steps STEP 1 To enable the Auto Smartport feature on the device open the Properties page Set Administrative Auto Smartport to Enable or Enable by Voice VLAN STEP 2 Sele...

Page 243: ...g steps Through this procedure you can accomplish the following View the macro source Change parameter defaults Restore the parameter defaults to the factory settings Bind a user defined macro pair a macro and its corresponding anti macro to a Smartport type 1 Open the Type Settings page 2 Select the Smartport Type 3 Click View Macro Source to view the current Smartport macro that is associated wi...

Page 244: ...wn interfaces is STEP 1 In the Interface Settings page select the Port Type equals to checkbox STEP 2 Select Unknown and click Go STEP 3 Click Reset All Unknown Smartports Then reapply the macro as described above TIP The reason that the macro failed might be a conflict with a configuration on the interface made prior to applying the macro most often encountered with security and storm control set...

Page 245: ...rational Auto Smartport Displays the Auto Smartport status Auto Smartport Device Detection Method Select whether incoming CDP LLDP or both types of packets are used to detect the Smartport type of the attaching device s At least one must be checked in order for Auto Smartport to identify devices Operational CDPStatus Displays the operational status of CDP Enable CDPifAuto Smartport is to detect th...

Page 246: ...rt NOTE Changes to Auto Smartport types cause the new settings to be applied to interfaces which have already been assigned that type by Auto Smartport In this case binding an invalid macro or setting an invalid default parameter value causes all ports of this Smartport type to become unknown STEP 1 Click Smartport Smartport Type Settings STEP 2 To view the Smartport macro associated with a Smartp...

Page 247: ...o an interface applying the associated macro Interface Settings Use the Interface Settings page to perform the following tasks Statically apply a specific Smartport type to an interface with interface specific values for the macro parameters Enable Auto Smartport on an interface Diagnose a Smartport macro that failed upon application and caused the Smartport type to become Unknown Reapply a Smartp...

Page 248: ...terface to all newly created VLANs STEP 2 Smartport Diagnostic If a Smartport macro fails the Smartport Type of the interface is Unknown Select an interface which is of unknown type and click Show Diagnostic This displays the command at which application of the macro failed See the workflow area in Common Smartport Tasks section for troubleshooting tips Proceed to reapply the macro after correctin...

Page 249: ...rtport type to an interface remains even if the interface goes down or the device is rebooted Persistent is applicable only if the Smartport Application of the interface is Auto Smartport Enabling Persistent at an interface eliminates the device detection delay that otherwise occurs Macro Parameters Displays the following fields for up to three parameters in the macro Parameter Name Name of parame...

Page 250: ...keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security ...

Page 251: ... smartport storm control include multicast spanning tree portfast auto printer printer macro description printer macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security...

Page 252: ...ee portfast auto guest guest macro description guest macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discar...

Page 253: ... key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security dis...

Page 254: ...be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10...

Page 255: ...e_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control b...

Page 256: ... allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include mul...

Page 257: ...ds native_vlan voice_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan...

Page 258: ...ntrol broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto switch switch macro description switch macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default ...

Page 259: ...AN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree link type point to point no_router no_router macro description No router macro keywords voice_vlan macro key descr...

Page 260: ... Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 200 10 ap ap macro description ap macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port ...

Page 261: ...ridged network to which they are connected VLAN Description Each VLAN is configured with a unique VLAN ID VID with a value from 1 to 4094 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag A port is a tagged member of a VLAN if...

Page 262: ...ged only if the VID in its VLAN tag is 0 Frames belonging to a VLAN remain within the VLAN This is achieved by sending or forwarding a frame only to egress ports that are members of the target VLAN An egress port may be a tagged or untagged member of a VLAN The egress port Adds a VLAN tag to the frame if the egress port is a tagged member of the target VLAN and the original frame does not have a V...

Page 263: ...kets into the provider network The S tag is used to segregate traffic between various customers while preserving the customer VLAN tags Customer traffic is encapsulated with an S tag with TPID 0x8100 regardless of whether it was originally c tagged or untagged The S tag enables this traffic to be treated as an aggregate within a provider bridge network where the bridging is based on the S tag VID ...

Page 264: ...to the primary VLAN There can only be a single isolated VLAN per private VLAN Community VLAN also known as a Secondary VLAN To create a sub group of ports community within a VLAN the ports must be added a community VLAN The community VLAN is used to enable Layer 2 connectivity from community ports to promiscuous ports and to community ports of the same community There can be a single community VLA...

Page 265: ...switch trunk ports send and receive tagged traffic of the private VLAN s various VLANs primary isolated and the communities The switch supports 16 primary VLANs and 256 secondary VLANs Traffic Flow The following describes traffic flow from hosts to servers routers or other hosts Figure 1 Traffic from Hosts to Servers Routers Isolated 1 Isolated 2 Server Community 1 Community 1 Promiscous Promiscou...

Page 266: ...d Switches Firmware Release 2 2 5 x 11 The following describes server router traffic reply to host Figure 2 Server Router Traffic to Hosts Isolated 1 Isolated 2 Server Community 1 Community 1 Promiscous Promiscous Isolated Isolated Community Community Community Community 1 Primary VLAN ...

Page 267: ...low Multicast traffic to be forwarded rather than flooded on the primary VLAN The isolated and community VLANs continue to flood Multicast traffic DHCP snooping ARP Inspection IP Source Guard The system prevents adding or removing isolated or community VLANs to a private VLAN while the above features are enabled Features Not Supported on Private VLAN The following features are not supported on pri...

Page 268: ...es for every secondary VLAN in a private VLAN The resources for the following features are allocated per VLAN within the private VLAN Dynamic MAC Addresses MAC addresses learned on primary VLANs are copied to all community VLANs and to the isolated VLAN MAC addresses learned on isolated community VLANs are copied to the primary VLAN DHCP Snooping A TCAM rule is required to trap DHCP traffic ARP In...

Page 269: ...low To configure VLANs 1 Create the required VLANs as described in the VLAN Settings section 2 Set the desired VLAN related configuration for ports and enable QinQ on an interface as described in the Interface Settings section 3 Assign interfaces to VLANs as described in the Port to VLAN section or the Port VLAN Membership section 4 View the current VLAN port membership for all the interfaces as d...

Page 270: ...the port is removed from the VLAN RADIUS servers cannot assign the default VLAN to 802 1x supplicants by using Dynamic VLAN Assignment VLAN Settings You can create a VLAN but this has no effect until the VLAN is attached to at least one port either manually or dynamically Ports must always belong to one or more VLANs The device supports up to 4K VLANs including the default VLAN Each VLAN must be c...

Page 271: ...tdown the VLAN In this state the VLAN does not transmit receive messages from to higher levels For example if you shut down a VLAN on which an IP interface is configured bridging into the VLAN continues but the switch cannot transmit and receive IP traffic on the VLAN Link Status SNMP Traps Select to enable link status generation of SNMP traps STEP 5 Click Apply to create the VLAN s Interface Sett...

Page 272: ...vate VLAN Promiscuous Select to set the interface as promiscuous Frame Type Select the type of frame that the interface can receive Frames that are not of the configured frame type are discarded at ingress These frame types are only available in General mode Possible values are Admit All The interface accepts all types of frames untagged frames tagged frames and priority tagged frames Admit Tagged...

Page 273: ...en end nodes must either be manually configured or must dynamically learn the VLANs and their port memberships from Generic VLAN Registration Protocol GVRP Untagged port membership between two VLAN aware devices with no intervening VLAN aware devices must be to the same VLAN In other words the PVID on the ports between the two devices must be the same if the ports are to send and receive untagged ...

Page 274: ...akes the port part of internal VLAN 4095 a reserved VID Excluded The interface is currently not a member of the VLAN This is the default for all the ports and LAGs when the VLAN is newly created Tagged The interface is a tagged member of the VLAN Untagged The interface is an untagged member of the VLAN Frames of the VLAN are sent untagged to the interface VLAN Multicast MTV VLAN The interface used...

Page 275: ...nd will be re applied if the mode is reactivated on the interface To assign a port to one or more VLANs STEP 1 Click VLAN Management Port VLAN Membership STEP 2 Select interface type Port or LAG and click Go The following fields are displayed for all interfaces of the selected type Interface Port LAG ID Mode Interface VLAN mode that was selected in the Interface Settings page Administrative VLANs ...

Page 276: ...agged VLANs When the port is in General mode it will be a tagged member of these VLAN Forbidden VLANs When the port is in General mode the interface is not allowed to join the VLAN even from GVRP registration When a port is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID General PVID When the port is in General mode it will b...

Page 277: ...ommunity VLANs to the Selected Community VLANs list Community VLANs are used to allow Layer 2 connectivity from community ports to promiscuous ports and to community ports of the same community This is called Community VLAN Range on the main page STEP 4 Click Apply The settings are modified and written to the Running Configuration file GVRP Settings Adjacent VLAN aware devices can exchange VLAN in...

Page 278: ... set the global GVRP status STEP 4 Select an interface type Port or LAG and click Go to display all interfaces of that type STEP 5 To define GVRP settings for a port select it and click Edit STEP 6 Enter the values for the following fields Interface Select the interface Port or LAG to be edited GVRP State Select to enable GVRP on this interface Dynamic VLAN Creation Select to enable Dynamic VLAN C...

Page 279: ...rnet type protocol to VLAN mapping of the ingress interface PVID VLAN is taken from the port default VLAN ID MAC based VLAN Group Overview MAC based VLAN classification enable packets to be classified according to their source MAC address You can then define MAC to VLAN mapping per interface You can define several MAC based VLAN groups which each group containing different MAC addresses These MAC ...

Page 280: ... address Group ID Enter a user created VLAN group ID number STEP 4 Click Apply The MAC address is assigned to a VLAN group MAC Based Groups to VLAN See Table 1 for a description of the availability of this feature Ports LAGs must be in General mode To assign a MAC based VLAN group to a VLAN on an interface STEP 1 Click VLAN Management VLAN Groups MAC Based Groups to VLAN STEP 2 Click Add STEP 3 En...

Page 281: ...rkflow To define a subnet based VLAN group 1 Define a subnet based group using the Subnet based Groups page 2 For each required interface assign the subnet based group to a VLAN using Subnet based Groups to VLAN page The interfaces cannot have a Dynamic VLAN DVA assigned to it In IS mode the setting can be saved even when the device is not in general mode to be activated later NOTE If the interfac...

Page 282: ...AN The currently defined mappings are displayed STEP 2 To associate an interface with a protocol based group and VLAN click Add The Group Type field displays the type of group being mapped STEP 3 Enter the following fields Interface Port or LAG number assigned to VLAN according to protocol based group Group ID Protocol group ID VLAN ID Attaches the specified group for this interface to a user defi...

Page 283: ...oup is based Protocol DSAP SSAP Displays the protocol value in hex Group ID Displays the protocol group ID to which the interface is added STEP 2 Click the Add Button STEP 3 Enter the following fields Encapsulation Protocol Packet type The following options are available Ethernet V2 If this is selected select the Ethernet Type LLC SNAP rfc1042 If this is selected enter the Protocol Value LLC If th...

Page 284: ...o associate an interface with a protocol based group and VLAN click Add The Group Type field displays the type of group being mapped STEP 3 Enter the following fields Interface Port or LAG number assigned to VLAN according to protocol based group Group ID Protocol group ID VLAN ID Attaches the interface to a user defined VLAN ID STEP 4 Click Apply The protocol ports are mapped to VLANs and written...

Page 285: ...ndpoints support this deployment model In this model the VLAN used by the phones is determined by the network configuration There may or may not be separate voice and data VLANs The phones and VoIP endpoints register with an on premise IP PBX IP Centrex ITSP hosted Cisco CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model For this model the VLAN used by the phones is determin...

Page 286: ... Telephony OUI mode and a port is manually configured as a candidate to join the voice VLAN the device dynamically adds the port to the voice VLAN if it receives a packet with a source MAC address matching to one of the configured telephony OUIs An OUI is the first three bytes of an Ethernet MAC address For more information about Telephony OUI see Telephony OUI Auto Voice VLAN In Auto Voice VLAN m...

Page 287: ...guration voice VLAN information received in neighbor CDP advertisement and voice VLAN information received in the Voice VLAN Discovery Protocol VSDP If desired you can activate Auto Voice VLAN immediately without waiting for a trigger When Auto Smartport is enabled depending on Auto Voice VLAN mode Auto Smartport is enabled when Auto Voice VLAN becomes operational If desired you can make Auto Smar...

Page 288: ...urce is discovered or until the Auto Voice VLAN is restarted by the user When restarted the device resets the voice VLAN to the default voice VLAN and restarts the Auto Voice VLAN discovery When a new voice VLAN is configured discovered the device automatically creates it and replaces all the port memberships of the existing voice VLAN to the new voice VLAN This may interrupt or terminate existing...

Page 289: ...f the voice streams using advanced QoS For Telephony OUI voice streams you can override the quality of service and optionally remark the 802 1p of the voice streams by specifying the desired CoS 802 1p values and using the remarking option under Telephony OUI Voice VLAN Constraints The following constraints exist Only one Voice VLAN is supported A VLAN that is defined as a Voice VLAN cannot be rem...

Page 290: ...P 3 Set Dynamic Voice VLAN to Enable Auto Voice VLAN STEP 4 Select the Auto Voice VLAN Activation method NOTE If the device is currently in Telephony OUI mode you must disable it before you can configure Auto Voice Vlan STEP 5 Click Apply STEP 6 Configure Smartports as described in the Common Smartport Tasks section STEP 7 Configure LLDP CDP as described in the Discover LLDP and Discovery CDP sect...

Page 291: ... or Auto Voice VLAN Configure how Auto Voice VLAN is triggered To view and configure Voice VLAN properties STEP 1 Click VLAN Management Voice VLAN Properties The voice VLAN settings configured on the device are displayed in the Voice VLAN Settings Administrative Status block The voice VLAN settings that are actually being applied to the voice VLAN deployment are displayed in the Voice VLAN Setting...

Page 292: ...tings fields are displayed Dynamic Voice VLAN Select this field to disable or enable voice VLAN feature in one of the following ways Enable Auto Voice VLAN Enable Dynamic Voice VLAN in Auto Voice VLAN mode Enable Telephony OUI Enable Dynamic Voice VLAN in Telephony OUI mode Disable Disable Auto Voice Vlan or Telephony OUI Auto Voice VLAN Activation If Auto Voice VLAN was enabled select one of the ...

Page 293: ...s the information about the current voice VLAN and its source Auto Voice VLAN Status Displays whether Auto Voice VLAN is enabled Voice VLAN ID The identifier of the current voice VLAN Source Type Displays the type of source where the voice VLAN is discovered by the root device CoS 802 1p Displays CoS 802 1p values to be used by the LLDP MED as a voice network policy DSCP Displays DSCP values to be...

Page 294: ...ce Static User defined voice VLAN configuration defined on the device CDP UC that advertised voice VLAN configuration is running CDP LLDP UC that advertised voice VLAN configuration is running LLDP Voice VLAN ID The identifier of the advertised or configured voice VLAN Voice VLAN ID The identifier of the current voice VLAN CoS 802 1p The advertised or configured CoS 802 1p values that are used by ...

Page 295: ...e the Telephony OUI page to view existing OUIs and add new OUIs To configure Telephony OUI and or add a new Voice VLAN OUI STEP 1 Click VLAN Management Voice VLAN Telephony OUI The Telephony OUI page contains the following fields Telephony OUI Operational Status Displays whether OUIs are used to identify voice traffic CoS 802 1p Select the CoS queue to be assigned to voice traffic Remark CoS 802 1...

Page 296: ... All Quality of Service QoS values configured to the Voice VLAN are applied to all of the incoming frames that are received on the interface and are classified to the Voice VLAN Telephony Source MAC Address SRC The QoS values configured for the Voice VLAN are applied to any incoming frame that is classified to the Voice VLAN and contains an OUI in the source MAC address that matches a configured t...

Page 297: ...nsmission frames for each subscriber VLAN Subscribers who are not on the same data VLAN Layer 2 isolated and are connected to the device with different VLAN ID membership can share the same Multicast stream by joining the ports to the same Multicast VLAN ID The network port connected to the Multicast server is statically configured as a member in the Multicast VLAN ID The network ports which throu...

Page 298: ... to join or leave a Multicast group Device performs IGMP snooping and configures the access port according to its Multicast membership on Multicast TV VLAN The device decides for each IGMP packet that is received on an access port whether to associate it with the access VLAN or with the Multicast TV VLAN according to the following rules If an IGMP message is received on an access port with destina...

Page 299: ...onfiguration Regular VLAN Multicast TV VLAN VLAN Membership Source and all receiver ports must be static members in the same data VLAN Source and receiver ports cannot be members in the same data VLAN Group registration All Multicast group registration is dynamic Groups must be associated to Multicast VLAN statically but actual registration of station is dynamic Receiver ports VLAN can be used to ...

Page 300: ...TV VLAN settings are modified and written to the Running Configuration file Port Multicast VLAN Membership To define the Multicast TV VLAN configuration STEP 1 Click VLAN Management Access Port Multicast TV VLAN Port Multicast VLAN Membership STEP 2 Select a VLAN from Multicast TV VLAN STEP 3 Select an interface from Interface Type STEP 4 The Candidate Access Ports list contains all access ports c...

Page 301: ... or S VID except for IGMP snooping messages from the TV receivers which are associated with the Multicast TV VLAN VOD information that is also sent from the TV receivers are sent like any other type of traffic Packets from the service provider network that received on the network port to the subscriber are sent on the service provider network as double tag packets while the outer tag Service Tag o...

Page 302: ... STEP 2 Click Add STEP 3 Enter the following fields CPE VLAN Enter the VLAN defined on the CPE box Multicast TV VLAN Select the Multicast TV VLAN which is mapped to the CPE VLAN STEP 4 Click Apply CPE VLAN Mapping is modified and written to the Running Configuration file Port Multicast VLAN Membership The ports associated with the Multicast VLANs must be configured as customer ports see Interface ...

Page 303: ...Customer Port Multicast TV VLAN Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 242 11 Click Apply The new settings are modified and written to the Running Configuration file ...

Page 304: ...ast domain from Broadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate paths exist between hosts Loops can cause switches to relay the same packets indefinitely resulting...

Page 305: ... forwarded to the port that is blocked This is not an efficient usage of bandwidth as the blocked port will always be unused MSTP solves this problem by enabling several STP instances so that it is possible to detect and mitigate loops separately in each instance This enables a port to be blocked for one or more STP instances but non blocked for other STP instances If different VLANs are associate...

Page 306: ... MAC addresses are used to determine the Root Bridge The bridge priority value is provided in increments of 4096 For example 4096 8192 12288 and so on Hello Time Set the interval in seconds that a Root Bridge waits between configuration messages Max Age Set the interval in seconds that the device can wait without receiving a configuration message before attempting to redefine its own configuration...

Page 307: ...rovide STP path Root Forwarding packets through this interface provides the lowest cost path for forwarding packets to the root device Designated The interface through which the bridge is connected to the LAN which provides the lowest root path cost from the LAN to the Root Bridge for the MST instance Alternate The interface provides an alternate path to the root device from the root interface Bac...

Page 308: ...ted port Normally all root bridge ports are designated ports unless two or more ports of the root bridge are connected If the bridge receives superior BPDUs on a Root Guard enabled port Root Guard moves this port to a root inconsistent STP state This root inconsistent state is effectively equal to a listening state No traffic is forwarded across this port In this way Root Guard enforces the positi...

Page 309: ...mode The port cannot forward traffic and cannot learn MAC addresses Learning The port is in Learning mode The port cannot forward traffic but it can learn new MAC addresses Forwarding The port is in Forwarding mode The port can forward traffic and learn new MAC addresses Designated Bridge ID Displays the bridge priority and the MAC address of the designated bridge Designated Port ID Displays the p...

Page 310: ... discovers whether the link partner using STP still exists and if so whether it has migrated to RSTP or MSTP If it still exists as an STP link the device continues to communicate with it by using STP Otherwise if it has been migrated to RSTP or MSTP the device communicates with it using RSTP or MSTP respectively STEP 6 Select an interface and click Edit STEP 7 Enter the parameters Interface Set th...

Page 311: ...to a shared segment Disabled The port is not participating in Spanning Tree Mode Displays the current Spanning Tree mode Classic STP or RSTP Fast Link Operational Status Displays whether the Fast Link Edge Port is enabled disabled or automatic for the interface The values are Enabled Fast Link is enabled Disabled Fast Link is disabled Auto Fast Link mode is enabled a few seconds after the interfac...

Page 312: ...tive in what VLAN and associate these MSTP instances to VLAN s accordingly STEP 4 Configure the MSTP attributes by MSTP Properties MSTP Instance Settings VLANs to a MSTP Instance MSTP Properties The global MSTP configures a separate Spanning Tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree instance MSTP enables formation of MST regions that ...

Page 313: ...on of the current MST configuration The field range is from 0 to 65535 Max Hops Set the total number of hops that occur in a specific region before the BPDU is discarded Once the BPDU is discarded the port information is aged out The field range is from 1 to 40 IST Master Displays the regions master STEP 5 Click Apply The MSTP properties are defined and the Running Configuration file is updated VL...

Page 314: ...ick Edit STEP 3 Enter the parameters MSTP Instance ID Select the MST instance VLANs Define the VLANs being mapped to this MST instance Action Define whether to Add map the VLAN to the MST instance or Remove it STEP 4 Click Apply The MSTP VLAN mappings are defined and the Running Configuration file is updated MSTP Instance Settings The MSTP Instance Settings page enables you to configure and view p...

Page 315: ...figuration file is updated MSTP Interface Settings The MSTP Interface Settings page enables you to configure the port MSTP settings for every MST instance and to view information that has currently been learned by the protocol such as the designated bridge per MST instance To configure the ports in an MST instance STEP 1 Click Spanning Tree MSTP Interface Settings STEP 2 Enter the parameters Insta...

Page 316: ... from instance 0 and can be viewed on the STP Interface Settings page Port Role Displays the port or LAG role per port or LAG per instance assigned by the MSTP algorithm to provide STP paths Root Forwarding packets through this interface provides the lowest cost path for forwarding packets to the root device Designated Port The interface through which the bridge is connected to the LAN which provi...

Page 317: ...e port is an internal port Designated Bridge ID Displays the ID number of the bridge that connects the link or shared LAN to the root Designated Port ID Displays the Port ID number on the designated bridge that connects the link or the shared LAN to the root Designated Cost Displays the cost of the port participating in the STPtopology Ports with a lower cost are less likely to be blocked if STP d...

Page 318: ...appears in a frame arriving at the device is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the device before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the device the device searches for a corresponding matching destination MAC ...

Page 319: ... addresses STEP 2 Click Add STEP 3 Enter the parameters VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface unit slot port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after re...

Page 320: ...ess Settings STEP 2 Enter Aging Time The aging time is a value between the user configured value and twice that value minus 1 For example if you entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses STEP 2 In the Filter block you can enter the foll...

Page 321: ...except for the following field Protocol Displays the protocol supported on the device called Peer STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Select the MAC address to be reserved Frame Type Select a frame type based on the following criteria Ethernet V2 Applies to Ethernet V2 packets with the specific MAC address LLC Applies to Logical Link Control LLC packets wi...

Page 322: ... information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel in the middle of a transmission and leave before it ends The data is sent only to relevant ports Forwarding the data only to the relevant ports...

Page 323: ...saved as G You can configure one of the following ways of forwarding Multicast frames MAC Group Address Based on the destination MAC address in the Ethernet frame NOTE One or more IP Multicast group addresses can be mapped to a MAC group address Forwarding based on the MAC group address can result in an IP Multicast stream being forwarded to ports that have no receiver for the stream IP Group Addr...

Page 324: ...ast frame to all the ports that have registered to receive the Multicast stream using IGMP MLD Join messages The system maintains lists of Multicast groups for each VLAN and these lists manage the Multicast information that each port should receive The Multicast groups and their receiving ports can be configured statically or learned dynamically using IGMP or MLD protocols snooping Multicast Regis...

Page 325: ... by a local server but the router if one exists on that network does not support Multicast The device can be configured to be an IGMP Querier as a backup querier or in situation where a regular IGMP Querier does not exist The device is not a full capability IGMP Querier If the device is enabled as an IGMP Querier it starts after 60 seconds have passed with no IGMP traffic queries detected from a M...

Page 326: ... value of these upper bits are mapped to the same Layer 2 address since the lower 23 bits that are used are identical For example 234 129 2 3 is mapped to a MAC Multicast group address 01 00 5e 01 02 03 Up to 32 IP Multicast group addresses can be mapped to the same Layer 2 address For IPv6 this is mapped by taking the 32 low order bits of the Multicast address and adding the prefix of 33 33 For e...

Page 327: ... single upstream interface and one or more downstream interfaces These designations are explicitly configured there is no protocol to determine what type each interface is A proxy device performs the router portion of IGMP MLD on its downstream interfaces and the host portion of IGMP MLD on its upstream interface Only one tree is supported Forwarding Rules and Querier The following rules are appli...

Page 328: ... IPv6 address is configured on the VLAN the operational forwarding method for IPv6 Multicast will be IP Group Address NOTE For IPv6 IP Group Address and Source Specific IP Group Address modes the device checks a match only for 4 bytes of the destination Multicast address and for the source address For the destination Multicast address the last 4 bytes of group ID are matched For the source address...

Page 329: ...ot To define and view MAC Multicast groups STEP 1 Click Multicast MAC Group Address STEP 2 Enter the Filter parameters VLAN ID Equals To Set the VLAN ID of the group to be displayed MAC Group Address Equals To Set the MAC address of the Multicast group to be displayed If no MAC GroupAddress is specified the page contains all the MAC Group Addresses from the selected VLAN STEP 3 Click Go and the MA...

Page 330: ...to the Multicast group as a result of IGMP MLD snooping Forbidden Specifies that this port is not allowed to join this Multicast group on this VLAN None Specifies that the port is not currently a member of this Multicast group on this VLAN STEP 10 Click Apply and the Running Configuration file is updated NOTE Entries that created in the IP Multicast Group Address page cannot be deleted in this pag...

Page 331: ...ss of the new Multicast group Source Specific Indicates that the entry contains a specific source and adds the address in the IP Source Address field If not the entry is added as a G entry an IP group address from any IP source Source IPAddress Defines the source address to be included STEP 6 Click Apply The IP Multicast group is added and the device is updated STEP 7 To configure and display the ...

Page 332: ...icast Configuration IGMP Snooping When IGMP Snooping is globally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs IGMP Snooping only if both IGMP snooping and Bridge Multicast filtering are enabled The IGMP Snooping Table is displayed The fields displayed are described in the Edit page below In addition the foll...

Page 333: ...er Number of MLD group specific queries sent before the device assumes there are no more members for the group if the device is the elected querier Use Query Robustness x This value is set in MLD VLAN Settings page The number in parentheses is the current query robustness value User Defined Enter a user defined value IGMPQuerier Status Select to enable this feature This feature is required if ther...

Page 334: ...cast Configuration IGMP Interface Settings The following fields are displayed for each interface on which IGMP is enabled Interface Name Interface on which IGMP snooping is defined Router IGMP Version IGMP version Query Robustness Enter the number of expected packet losses on a link Query Interval sec Interval between the General Queries to be used if this device is the elected querier Query Max R...

Page 335: ...tween the General Queries to be used if this device is the elected querier Query Max Response Interval sec Delay used to calculate the Maximum Response Code inserted into the periodic General Queries Last Member Query Interval msec Enter the Maximum Response Delay to be used if the device cannot read Max Response Time value from group specific queries sent by the elected querier Multicast TTL Thre...

Page 336: ... User defined access list Select the standard IPv4 access list name defining the SSM range These access lists are defined in Access Lists STEP 3 Click Apply The Running Configuration file is updated STEP 4 To add protection to a VLAN click Add and enter the following fields Upstream Interface Select the upstream interface Since there is only a single upstream interface if one has already been sele...

Page 337: ...ast packet from the source If the packet is not received on this interface it is discarded Outgoing Interfaces Interfaces through which packets will be forwarded Uptime Length of time in hours minutes and seconds that the entry has been in the IP Multicast routing table Expiry Time Length of time in hours minutes and seconds until the entry is removed from the IP Multicast routing table ...

Page 338: ...g is globally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering are enabled The MLD Snooping Table is displayed The fields displayed are described in the Edit page below In addition the following fields are displayed MLD Snooping Status Display...

Page 339: ...cific queries sent before the device assumes there are no more members for the group if the device is the elected querier Use Query Robustness x This value is set in MLD VLAN Settings page The number in parentheses is the current query robustness value User Defined Enter a user defined value MLD Querier Status Select to enable this feature This feature is required if there is no Multicast router M...

Page 340: ...ueries to be used if this device is the elected querier Query Max Response Interval sec Delay used to calculate the Maximum Response Code inserted into the periodic general queries Last Member Query Interval msec Maximum Response Delay to be used if the device cannot read Max Response Time value from group specific queries sent by the elected querier Multicast TTL Threshold Enter the Time to Live ...

Page 341: ...d into the periodic General Queries Last Member Query Interval msec Enter the Maximum Response Delay to be used if the device cannot read Max Response Time value from group specific queries sent by the elected querier Multicast TTL Threshold Enter the Time to Live TTL threshold of packets being forwarded on an interface Multicast packets with a TTL value less than the threshold are not forwarded o...

Page 342: ...s are defined in Access Lists STEP 3 Click Apply The Running Configuration file is updated STEP 4 To add protection to a VLAN click Add and enter the following fields Upstream Interface Select the outgoing interface Downstream Interface Select the incoming interface Downstream Protection Select one of the following options Use Global Use the status set in the global block Disable This disables for...

Page 343: ...nfiguration 259 Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 14 Expiry Time Length of time in hours minutes and seconds until the entry is removed from the IP Multicast routing table ...

Page 344: ...t two entries on this page To query for a IP Multicast group STEP 1 Click Multicast IGMP MLD Snooping IP Multicast Group STEP 2 Set the type of snooping group for which to search IGMP or MLD STEP 3 Enter some or all of following query filter criteria Group Address equals to Defines the Multicast group MAC address or IP address to query Source Address equals to Defines the sender address to query V...

Page 345: ...ct whether to display ports or LAGs STEP 3 Click Go The interfaces matching the query criteria are displayed STEP 4 For each port or LAG select its association type The options are as follows Static The port is statically configured as a Multicast router port Dynamic Display only The port is dynamically configured as a Multicast router port by a MLD IGMP query To enable the dynamic learning of Mul...

Page 346: ...e the following VLAN ID equals to The VLAN ID the ports LAGs are to be displayed Interface Type equals to Define whether to display ports or LAGs STEP 3 Click Go The status of all ports LAGs are displayed STEP 4 Select the port LAG that is to be defined as Forward All by using the following methods Static The port receives all Multicast streams Forbidden Ports cannot receive any Multicast streams ...

Page 347: ...To view either ports or LAGs STEP 3 Click Go STEP 4 Define the following Port LAG Displays the port or LAG ID Displays the forwarding status of the selected interface The possible values are Forwarding Enables forwarding of unregistered Multicast frames to the selected interface Filtering Enables filtering rejecting of unregistered Multicast frames to the selected interface STEP 5 Click Apply The ...

Page 348: ...ns that the device acts as a DHCPv4 client and sends out a DHCPv4 request during boot up If the device receives a DHCPv4 response from the DHCPv4 server with an IPv4 address it sends Address Resolution Protocol ARP packets to confirm that the IP address is unique If the ARP response shows that the IPv4 address is in use the device sends a DHCPDECLINE message to the offering DHCP server and sends a...

Page 349: ...n this virtual interface is used as the local address when communicating with remote IP applications the communication will not be aborted even if the actual route to the remote application was changed The operational state of a loopback interface is always up You define an IP address either IPv4 or IPv6 on it and use this IP address as the local IP address for IP communication with remote IP appl...

Page 350: ...gure IP addresses for device management This IP address can be configured on a port a LAG VLAN loopback interface or out of band interface NOTE The device software consumes one VLAN ID VID for every IP address configured on a port or LAG The device takes the first VID that is not used starting from 4094 To configure the IPv4 addresses STEP 1 Click IP Configuration IPv4 Management and Interfaces IP...

Page 351: ...icated IP address was detected for the default IP address Delayed The assignment of the IP address is delayed for 60 second if DHCP Client is enabled on startup in order to give time to discover DHCP address Not Received Relevant for DHCP Address When a DCHP Client starts a discovery process it assigns a dummy IP address 0 0 0 0 before the real address is obtained This dummy address has the status...

Page 352: ... algorithm A destination IPv4 address may match multiple routes in the IPv4 Static Route Table The device uses the matched route with the highest subnet mask that is the longest prefix match If more than one default gateway is defined the lowest IPv4 address from among all the configured default gateways is used To define an IP static route STEP 1 Click IP Configuration IPv4 Management and Interfa...

Page 353: ...route prefix for the destination IP Prefix Length IP route prefix for the destination IP Route Type Select the route type Reject Rejects the route and stops routing to the destination network via all gateways This ensures that if a frame arrives with the destination IP of this route it is dropped Remote Indicates that the route is a remote path Next Hop Router IPAddress Enter the next hop IP addre...

Page 354: ...on IPv4 Management and Interfaces ARP STEP 2 Enter the parameters ARPEntryAge Out Enter the number of seconds that dynamic addresses can remain in the ARP table A dynamic address ages out after the time it is in the table exceeds the ARP Entry Age Out time When a dynamic address ages out it is deleted from the table and only returns when it is relearned Clear ARP Table Entries Select the type of A...

Page 355: ... that network NOTE The ARP proxy feature is only available when the device is in L3 mode The ARP Proxy is aware of the destination of traffic and offers another MAC address in reply Serving as an ARP Proxy for another host effectively directs LAN traffic destination to the host The captured traffic is then typically routed by the Proxy to the intended destination by using another interface or by u...

Page 356: ...urce IP Interface to where the device is to relay UDP Broadcast packets based on a configured UDP destination port The interface must be one of the IPv4 interfaces configured on the device STEP 4 Enter the UDP Destination Port number for the packets that the device is to relay Select a well known port from the drop down list or click the port radio button to enter the number manually STEP 5 Enter ...

Page 357: ...lay Overview DHCP Relay relays DHCP packets to the DHCP server The device can relay DHCP messages received from VLANs that do not have IP addresses Whenever DHCP Relay is enabled on a VLAN without an IP address Option 82 is inserted automatically This insertion is in the specific VLAN and does not influence the global administration state of Option 82 insertion Transparent DHCP Relay For Transpare...

Page 358: ...ase only DHCP Relay can and does broadcast DHCP messages between DHCP client and DHCP server Unicast DHCP messages are passed by regular routers and therefore if DHCP Relay is enabled on a VLAN without an IP address an external router is needed DHCP Relay and only DHCP Relay relays DHCP messages to a DHCP server Interactions Between DHCPv4 Snooping DHCPv4 Relay and Option 82 The following tables d...

Page 359: ...ves without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet is sent without Option 82 Packet is sent with the originalOption 82 Relay inserts Option 82 Bridge no Option 82 is inserted Relay discards the packet Bridge Packet is sent with the original Option 82 Option 82 Insertion Enabled Relay is sent with Op...

Page 360: ...ion 82 insertion disabled Packet is sent without Option 82 Packet is sent with the original Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay 1 If reply originates in device packet is sent without Option 82 2 If reply does not originate in device packet is discarded Bridge Packet is sent with the original Option 82 Option 82 insertion enabled Packet is sent without O...

Page 361: ...is also used by IP Source Guard and Dynamic ARP Inspection features to determine legitimate packet sources DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives withoutOption 82 Packet arrives with Option 82 Packet arrives withoutOption 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet is sent withoutOption 82 Packet is sent with the original Option 8...

Page 362: ...the device handles DHCP packets when both the DHCP client and DHCP server are trusted The DHCP Snooping Binding database is built in this process DHCP Trusted Packet Handling The actions are STEP 1 Device sends DHCPDISCOVER to request an IP address or DHCPREQUEST to accept an IP address and lease STEP 2 Device snoops packet and adds the IP MAC information to the DHCP Snooping Binding database STEP...

Page 363: ...ding to DHCP information If the destination address is unknown the packet is filtered DHCPREQUEST Forward to trusted interfaces only Forward to trusted interfaces only DHCPACK Filter Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database DHCPNAK Filter Same as DHCPOFFER Remove entry if exists DHCPDECLINE Check if there is information in the database If the information exists...

Page 364: ... options Configuring DHCP Work Flow To configure DHCP Relay and DHCP Snooping STEP 1 Enable DHCP Snooping and or DHCP Relay in the Properties page STEP 2 Define the interfaces on which DHCP Snooping is enabled in the Interface Settings page STEP 3 Configure interfaces as trusted or untrusted in the DHCP Snooping Trusted Interfaces page STEP 4 Optional Add entries to the DHCP Snooping Binding datab...

Page 365: ...tches the client hardware address as appears in the DHCP Header part of the payload on DHCP untrusted ports Backup Database Select to back up the DHCP Snooping Binding database on the device s flash memory STEP 2 Click Apply The settings are written to the Running Configuration file STEP 3 To define a DHCP server click Add STEP 4 Enter the IP address of the DHCP server and click Apply The settings...

Page 366: ...ings to the Running Configuration file DHCP Snooping Binding Database See How the DHCP Snooping Binding Database is Built for a description of how dynamic entries are added to the DHCP Snooping Binding database Note the following points about maintenance of the DHCP Snooping Binding database The device does not update the DHCP Snooping Binding database when a station moves to another interface If ...

Page 367: ...ld Status Active IP Source Guard is active on the device Inactive IP Source Guard is not active on the device Reason No Problem No Resource No Snoop VLAN Trust Port STEP 2 To add an entry click Add STEP 3 Enter the fields VLAN ID VLAN on which packet is expected MAC Address MAC address of packet IPAddress IP address of packet Interface Unit Slot Interface on which packet is expected Type The possi...

Page 368: ...tion The hardware address or client identifier of a host is manually mapped to an IP address This is done in the Static Hosts page Dynamic Allocation A client obtains a leased IP address for a specified period of time that can be infinite If the DHCP client does not renew the allocated IPAddress the IP address is revoked at the end of this period and the client must request another IP address This...

Page 369: ...d DHCP pools in the Network Pool page The device answers DHCP queries from this IP interface For example if the pool s range is 1 1 1 1 1 1 1 254 add an IP address in this range if you want directly connected clients to receive IP address from the configured pool Do this in the IPv4 Interface page STEP 7 View the allocated IP addresses using the Address Binding page IP addresses can be deleted in ...

Page 370: ... via DHCP relay the address used belongs to the IP subnet specified by minimum IP address and IP mask of the pool and the pool is a remote pool Up to eight network pools can be defined To create a pool of IP addresses and define their lease durations STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Server Network Pools The previously defined network pools are displayed These field...

Page 371: ...s of the DNS server available to the DHCP client Domain Name Option 15 Enter the domain name for a DHCP client NetBIOS WINS Server IPAddress Option 44 Enter the NetBIOS WINS name server available to a DHCP client NetBIOS Node Type Option 46 Select how to resolve the NetBIOS name Valid node types are Hybrid A hybrid combination of b node and p node is used When configured to use h node a computer a...

Page 372: ...addresses in a pool may be assigned to clients A single IP address or a range of IP addresses can be excluded The excluded addresses are excluded from all DHCP pools To define an excluded address range STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Server Excluded Addresses The previously defined excluded IP addresses are displayed STEP 2 To add a range of IP addresses to be exc...

Page 373: ...th Check and enter the number of bits that comprise the address prefix Identifier Type Set how to identify the specific static host Client Identifier Enter a unique identification of the client specified in hexadecimal notation such as 01b60819681172 or MAC Address Enter the MAC address of the client Enter either the Client Identifier or MAC Address according to which type you selected Client Name...

Page 374: ...IOS names to IP addresses SNTP Server IPAddress Option 4 Select one of the device s SNTP servers if already configured or select Other and enter the IP address of the time server for the DHCP client File Server IPAddress siaddr Enter the IP address of the TFTP SCP server from which the configuration file is downloaded File Server Host Name sname Option 66 Enter the name of the TFTP SCP server Conf...

Page 375: ...ex Select if you want to enter the hex value of the parameter for the DHCP option Ahex value can be provided in place of any other type of value For instance you can provide a hex value of an IP address instead of the IP address itself No validation is made of the hex value therefore if you enter a HEX value which represents an illegal value no error is provided and the client might not be able to...

Page 376: ...ration The lease expiration date and time of the host s IP address or Infinite is such was the lease duration defined Type The manner in which the IP address was assigned to the client The possible options are Static The hardware address of the host was mapped to an IP address Dynamic The IP address obtained dynamically from the device is owned by the client for a specified period of time The IP a...

Page 377: ...6 was designed to replace IPv4 the predominantly deployed Internet protocol IPv6 introduces greater flexibility in assigning IP addresses because the address size increases from 32 bit to 128 bit addresses IPv6 addresses are written as eight groups of four hexadecimal digits for example FE80 0000 0000 0000 0000 9C00 876A 130B The abbreviated form in which a group of zeroes can be left out and repl...

Page 378: ...re static and are used by the system until explicitly removed by the user They are not changed by routing protocols When static routes must be updated this must be done explicitly by the user It is the user s responsibility to prevent routing loops in the network Static IPv6 routes are either Directly attached meaning that the destination is directly attached to an interface on the device so that ...

Page 379: ...lient Settings Unique Identifier DUID Format This is the identifier of the DHCP client that is used by the DHCP server to locate the client It can be in one of the following formats Link Layer Default If you select this option the MAC address of the device is used Enterprise Number If you select this option enter the following fields Enterprise Number The vendors registered Private Enterprise numb...

Page 380: ...IPv6 address STEP 6 To configure the interface as a DHCPv6 client meaning to enable the interface to receive information from the DHCPv6 server such as SNTP configuration and DNS information enter the DHCPv6 Client fields Stateless Select to enable the interface as a stateless DHCPv6 client This enables reception of configuration information from a DHCP server Information Minimum Refresh Time This...

Page 381: ...device but rather to another device STEP 8 Click Apply to enable IPv6 processing on the selected interface Regular IPv6 interfaces have the following addresses automatically configured Link local address using EUI 64 format interface ID based on a device s MAC address All node link local Multicast addresses FF02 1 Solicited Node Multicast address format FF02 1 FFXX X STEP 9 Click IPv6 Address Tabl...

Page 382: ...NS Servers List of DNS servers received from the DHCPv6 server DNS Domain Search List List of domains received from the DHCPv6 server SNTP Servers List of SNTP servers received from the DHCPv6 server POSIX Timezone String Timezone received from the DHCPv6 server Configuration Server Server containing configuration file received from the DHCPv6 server Configuration Path Name Path to configuration f...

Page 383: ...active The system does not have a default router for ISATAP traffic until the DNS process is resolved This is a point to point definition When creating a manual tunnel you enter both the source IP address one of the device s IP addresses and the destination IPv4 address 6 4 Tunnel 6to4 is an automatic tunneling mechanism that uses the underlying IPv4 network as a non Broadcast multiple access link...

Page 384: ...ress over the ISATAP tunnel interface The IPv6 address has a 64 bit network prefix of fe80 with the rest of the 64 bit formed by concatenating 0000 5EFE and the IPv4 address Auto Automatically selects the lowest IPv4 address from among all of its configured IPv4 interfaces as the source address for packets sent on the tunnel interface Manual Specifies the IPv4 address to use as the source address ...

Page 385: ... the interval for router solicitation queries The bigger the number the more frequent the queries The interval can be the Default Value or a User Defined interval NOTE The ISATAP tunnel is not operational if the underlying IPv4 interface is not in operation STEP 5 Select one of the displayed interfaces these were defined as a tunnel in the IPv6 Interfaces page in the IPv6 Tunnel Table and click Ad...

Page 386: ... the tunnel Host Name DNS name of the remote host IPv4 Address IPv4 address of the remote host ISATAP Router Name For ISATAP tunnels only Select one of the following options to configure a global string that represents a specific automatic tunnel router domain name Use Default This is always ISATAP User Defined Enter the router s domain name STEP 7 Click Apply The tunnel is saved to the Running Co...

Page 387: ...es that typically belong to different nodes A packet sent to anAnycast address is delivered to the closest interface as defined by the routing protocols in use identified by the Anycast address NOTE Anycast cannot be used if the IPv6 address is on an ISATAP interface IPv6 Address In addition to the default link local and Multicast addresses the device also automatically adds global addresses to th...

Page 388: ...enter the following fields Router Preference Select either Low Medium or High preference for the router Router advertisement messages are sent with the preference configured in this field If no preference is configured they are sent with a medium preference Associating a preference with a router is useful when for example two routers on a link provide equivalent but not equal cost routing and poli...

Page 389: ... this command To prevent synchronization with other IPv6 nodes the actual interval used is randomly selected from a value between the minimum and maximum values Minimum Router Advertisement Interval Enter the minimum amount of time that can pass between router advertisements User Defined or select Use Default to user the system default NOTE The minimum RA interval may never be more than 75 of the ...

Page 390: ...e address of a packet Infinite Select this value to set the field to 4 294 967 295 which represents infinity User Defined Enter a value Preferred Lifetime The remaining length of time in seconds that this prefix will continue to be preferred After this time has passed the prefix should no longer be used as a source address in new communications but packets received on such an interface are process...

Page 391: ...on local traffic it may be empty The device randomly selects a router from the list The device supports one static IPv6 default router Dynamic default routers are routers that have sent router advertisements to the device IPv6 interface When adding or deleting IP addresses the following events occur When removing an IP interface all the default router IP addresses are removed Dynamic IP addresses ...

Page 392: ...to Point A point to point tunnel Interface Displays the outgoing Link Local interface Default Router IPv6 Address The IP address of the static default router Metric Enter the cost of this hop STEP 4 Click Apply The default router is saved to the Running Configuration file IPv6 Neighbors The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv6 interface The IPv...

Page 393: ...ery cache information entry type static or dynamic State Specifies the IPv6 neighbor status The values are Incomplete Address resolution is working The neighbor has not yet responded Reachable Neighbor is known to be reachable Stale Previously known neighbor is unreachable No action is taken to verify its reachability until traffic must be sent Delay Previously known neighbor is unreachable The in...

Page 394: ...number from 1 to 32 Prefix lists are configured to filter traffic based on a match of an exact prefix length or a match within a range when the ge and le keywords are used The Greater Than and Lower Than parameters are used to specify a range of prefix lengths and provide more flexible configuration than using only the network length argument A prefix list is processed using an exact match when ne...

Page 395: ...he rule for the prefix list Permit Permits networks that matches the condition Deny Denies networks that matches the condition Description Text IPv6 Prefix IP route prefix Prefix Length IP route prefix length Greater Than Minimum prefix length to be used for matching Select one of the following options No Limit No minimum prefix length to be used for matching User Defined Minimum prefix length to ...

Page 396: ...m the IP address es in the access list STEP 3 Click Apply The settings are written to the Running Configuration file IPv6 Routes The IPv6 Forwarding Table contains the various routes that have been configured One of these routes is a default route IPv6 address 0 that uses the default router selected from the IPv6 Default Router List to send packets to destination devices that are not in the same I...

Page 397: ...t is visible and reachable from other networks Point to Point A Point to point tunnel Metric Value used for comparing this route to other routes with the same destination in the IPv6 router table All default routes have the same value Lifetime Time period during which the packet can be sent and resent before being deleted Route Type How the destination is attached and the method used to obtain the...

Page 398: ...ervers When a DHCPv6 packet is received on an interface the packet is relayed both to the servers on the interface list if it exists and to the servers on the global destination list Dependencies with Other Features The DHCPv6 client and DHCPv6 relay functions are mutually exclusive on an interface Global Destinations To configure a list of DHCPv6 servers to which all DHCPv6 packets are relayed ST...

Page 399: ...s Only Select to forward packets to the DHCPv6 global destination servers only IPv6Address Type Enter the type of the destination address to which client messages are forwarded The address type can be Link Local Global or Multicast All_DHCP_Relay_Agents_and_Servers DHCPv6 Server IPAddress Enter the address of the DHCPv6 server to which packets are forwarded Destination IPv6 Interface Enter the int...

Page 400: ...the packets will be matched against the ACLs from lower to higher number Route Map IPType Select either IPv6 or IPv4 depending on the type of the next hop IP address Match ACL Select a previously defined ACL Packets will be matched to this ACL IPv6 Next Hop Type If the next hop address is an IPv6 address select one of the following characteristics Global An IPv6 address that is a global Unicast IP...

Page 401: ...und IPv6 Route Map Select an IPv6 route map to bind to the interface STEP 3 Click Apply The Running Configuration file is updated Policy Based Routes To view the route maps that defined STEP 1 Click IP Configuration Policy Based Routing Policy Based Routes STEP 2 Previously defined route maps are displayed Interface Name Interface on which route map is bound Route Map Name Name of route map Route ...

Page 402: ... 2 In Basic Mode enter the parameters Server Definition Select one of the following options for defining the DNS server By IP Address IP Address will be entered for DNS server Disabled No DNS server will be defined Server IPAddress If you selected By IP Address above enter the IP address of the DNS server Default Domain Name Enter the DNS domain name used to complete unqualified host names The dev...

Page 403: ...earch List Click Details to view the list of DNS servers configured on the device STEP 4 Click Apply The Running Configuration file is updated The DNS Server Table displays the following information for each DNS server configured DNS Server The IP address of the DNS server Preference Each server has a preference value a lower value means a higher chance of being used Source Source of the server s ...

Page 404: ...defined by the user in the DNS Settings page and dynamic entries received from DHCPv4 and DHCPv6 servers To view the domain names that have been configured on the device click IP Configuration Domain Name System Search List The following fields are displayed for each DNS server configured on the device Domain Name Name of domain that can be used on the device Source Source of the server s IP addre...

Page 405: ...to clear some or all of the entries in the Host Mapping Table Static Only Deletes the static hosts Dynamic Only Deletes the dynamic hosts All Dynamic Static Deletes the static and dynamic hosts The Host Mapping Table displays the following fields Host Name User defined host name or fully qualified name IPAddress The host IP address IP Version IP version of the host IP address Type Is this a Dynami...

Page 406: ...ists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select the interface through which it is received Host Name Enter a user defined host name or fully qualified name Host names are restricted to the ASCII letters...

Page 407: ...ve routers advertise their routes to others passive routers listen and update their routes based on advertisements but do not advertise Typically routers run RIP in active mode while hosts use passive mode The default gateway is a static route and it is advertised by RIP in the same way as all other static routers if it is enabled by configuration When IP Routing is enabled RIP works fully When IP...

Page 408: ...on on the specified interface If IP Routing is disabled RIP messages are not sent although when RIP messages are received they are used to update the routing table information NOTE RIP can only be defined on manually configured IP interfaces meaning that RIP cannot be defined on an interface whose IPaddress was received from a DHCPserver or whose IP address is the default IP address Offset Configu...

Page 409: ...ter rD to router rA is higher via router rC additional 4 to the cost path as opposed to the path via router rB additional 2 to the cost path Therefore forwarding traffic via routing rB is preferred To achieve this you configure a different offset metric value on each interface based on its line speed See Offset Configuration for more information Passive Mode Transmission of routing update messages...

Page 410: ...sed to avoid listing every possible network in the routing updates when one or more closely connected routers in the system are prepared to transfer traffic to the networks that are not listed explicitly These routers create RIP entries for the address 0 0 0 0 just as if it a network to which they are connected You can enable the default route advertisement and configure it with a given metric Red...

Page 411: ...vior If the metric value of a route is equal to or less than 15 this value is used in the RIP protocol when advertising this route If the metric value of a static route is greater than 15 the route is not advertised to other routers using RIP User Defined Metric Causes RIP to use the metric value entered by the user Using RIP in Network with Non Rip Devices Static route configuration and connected...

Page 412: ...er The receiving router compares this key to its own configured key If they are the same it accepts the route MD5 Uses MD5 digest authentication Each router is configured with a set of secret keys This set is called a key chain Each key chain consists of one or more keys Each key has an identifying number key identifier key string and optionally a send lifetime and accept lifetime value The send l...

Page 413: ...g routes on an IP interface using theRIPv2 Settings page Enable passive mode on an IP interface using the RIPv2 Settings page Control which routes are processed in the incoming outgoing routing updates by specifying an IP address list on the IP interface see Access Lists Advertise default route entries on the IP interface using the RIPv2 Settings page Enable RIP authentication on an IP Interface u...

Page 414: ... metric for the propagated static route configuration This results in the following behavior If the metric value of a static route is equal to or less than 15 this value is used in the RIP protocol when advertising this static route If the metric value of a static route is greater than 15 the static route is not advertised to other routers using RIP User Defined Metric Enter the value of the metri...

Page 415: ...ric number of the specified IP interface This reflects the additional cost of using this interface based on the speed of the interface Default Route Advertisement This option is defined globally in the RIPv2 Properties page You can use the global definition or define this field for the specific interface The following options are available Global Use the global settings defined in the RIPv2 Proper...

Page 416: ...abled select the Access List Name below Access List Name Select theAccess List name which includes a list of IPaddresses of RIP outgoing routes filtering for a specified IP interface See Access List Settingsfor a description of access lists STEP 3 Click Apply The settings are written to the Running Configuration file RIPv2 Statistic To view the RIP statistical counters for each IP address STEP 1 C...

Page 417: ...e incorrect For example the IP destination is a Broadcast or the metric is 0 or greater than 16 Last Updated Indicates the last time RIP received RIP routes from the remote IP address STEP 2 To clear all counters click Clear All Interface Counters Access Lists See Filtering Routing Updates for a description of access lists To create access lists do the following 1 Create an access list with a sing...

Page 418: ... packets from the IP address es in the access list STEP 3 Click Apply The settings are written to the Running Configuration file Source IPv4 Access List To populate an access list with IP addresses STEP 1 Click IP Configuration IPv4 Management and Interfaces Access List Source IPv4 Address List STEP 2 To modify the parameters of an access list click Add and modify any of the following fields Acces...

Page 419: ... Series Managed Switches Firmware Release 2 2 5 x 408 17 Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the access list STEP 3 Click Apply The settings are written to the Running Configuration file ...

Page 420: ...and reliability of routing paths in the network In VRRP one physical router in a virtual router is elected as the master with the other physical router of the same virtual router acting as backups in case the master fails The physical routers are referred as VRRP routers The default gateway of a participating host is assigned to the virtual router instead of a physical router If the physical route...

Page 421: ...uter and is responsible to route packets on behalf of the virtual router Clients 1 through 3 are configured with the default gateway IP address of 198 168 2 1 Client 4 is configured with the default gateway IP address of 198 168 2 2 NOTE The VRRP router that is the IP address owner responds processes packets whose destination is to the IP address The VRRP router that is the virtual router master b...

Page 422: ...y and what happens if the virtual router master fails see VRRP Router Priority and Preemption The following shows a LAN topology in which VRRP is configured Routers A and B share the traffic to and from clients 1 through 4 and Routers A and B act as virtual router backups to each other if either router fails Load Sharing VRRP Topology In this topology two virtual routers are configured For virtual...

Page 423: ...CLI commands or through the web GUI as described in the Configuring VRRP section To configure a virtual router you configure its information such as the virtual router ID and its IP addresses on every VRRP routers that support the virtual router The following elements can be configured and customized Virtual Router Identification It must be assigned an identifier VRID and may be assigned a descrip...

Page 424: ...or which the current master assumes responsibility A VRRP router supporting a virtual router must have an IP interface on the same IP subnet with respect to the IP addresses configured on the virtual router Assigning IP addresses to a virtual router is done according to the following rules All the VRRP routers supporting the virtual router must be configured with the same virtual router IP address...

Page 425: ... An important aspect of the VRRP redundancy scheme is the ability to assign each VRRP router a VRRP priority The VRRP priority must express how efficiently a VRRP router would perform as a backup to a virtual router defined in the VRRP router If there are multiple backup VRRP routers for the virtual router the priority determines which backup VRRP router is assigned as master if the current master...

Page 426: ...ational advertise interval is rounded down to the nearest second The minimum operational value is 1 sec Configuring VRRP Virtual Routers VRRP properties can be configured and customized in the VRRP Virtual Routers page STEP 1 Click IP Configuration IPv4 Management and Interfaces VRRP Virtual Routers The virtual routers are displayed The fields are described in the Add page except for the following...

Page 427: ...ult for a non owner device Preempt Mode Select one of the following options True When a VRRP router is configured with higher priority than the current master is up it replaces the current master False Even if a VRRP router with a higher priority than the current master is up it does not replace the current master Only the original master when it becomes available replaces the backup IP SLA Track ...

Page 428: ...Master down Preempt Mode Is Preempt mode enabled My Parameters of virtual router selected Priority Priority of this virtual router s device based on its ability to function as a master Advertisement Interval Time interval as described in VRRP Advertisements Source IP Address IP address to be used in VRRP messages Master Parameters of master device Priority 255 Advertisement Interval Time interval ...

Page 429: ...lid VRRP packet types Invalid VRRP ID Displays number of packets with invalid VRRP IDs Invalid Protocol Number Displays number of packets with invalid protocol numbers Invalid IP List Displays number of packets with invalid IP lists Invalid Interval Displays number of packets with invalid intervals Invalid Authentication Displays number of packets that failed authentication STEP 2 Select an interf...

Page 430: ...using static routing a situation may exist where the master router continues to act as master router since it is functional although connectivity from the router to the default route next hop is lost IP VRRP SLA provides a mechanism to track the connectivity to the VRRP router default route next hop If connectivity to the next hop is lost the master router VRRP priority is decremented thus allowin...

Page 431: ...lowing table specifies the conversion of the IP SLAs operation return code to the object state NOTE If the IP SLAs operation specified by the track argument is not configured or is its schedule is pending its state is OK NOTE An application that is bound to a non existing tracking object will receive the Up state SLA Operation State This can be either Scheduled which means the operation begins imm...

Page 432: ...ciated applications Using SLA ICMP Echo Operations IP SLA ICMP Echo operations can be configured in this page These operations will be executed according to the frequency entered STEP 1 Click IP Configuration IPv4 Management and Interfaces SLA ICMP Echo Operations The ICMP Echo operations are displayed some fields described in the Add page State Displays either Pending or Scheduled as described in...

Page 433: ... amount of time an IP SLA operation waits for a response to its request packet It is recommend that the value of the milliseconds argument be based on the sum of the maximum round trip time RTT value for the packets and the processing time of the IP SLAs operation STEP 4 Click Apply to save the settings SLA Tracks SLA tracks can be configured in this page SLA tracks are used to track IP SLA return...

Page 434: ...save the settings ICMP Echo Statistics To view SLA statistics STEP 1 Click IP Configuration IPv4 Management and Interfaces SLA ICMP Echo Statistics STEP 2 Enter the following fields SLA Operation Select one of the operations that were previously defined Refresh Rate Select the how often the statistics should be refreshed The available options are No Refresh Statistics are not refreshed 15 Sec Stat...

Page 435: ...2 2 5 x 422 19 ICMP Echo Replies Number of reply packets that were received ICMP Echo Errors Number of error packets that were received To refresh these counters click Clear Counters Clears counters for selected operation Clear All Operations Counters Clears counters for all operations Refresh Refresh the counters ...

Page 436: ...IP Configuration SLA Using SLA 423 Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 19 ...

Page 437: ...ol and so they appear twice in the list of topics below Permission to administer the device is described in the following sections Configuring TACACS Password Strength Management Access Method Management Access Authentication Key Management Secure Sensitive Data Management SSL Server SSH Server SSH Client Protection from attacks directed at the device CPU is described in the following sections TCP...

Page 438: ...m TACACS server to provide centralized security for all of its devices In this way authentication and authorization can be handled on a single server for all devices in the organization The device can act as a TACACS client that uses the TACACS server for the following services Authentication Provides authentication of users logging onto the device by using usernames and user defined passwords Aut...

Page 439: ...essions using either a RADIUS or TACACS server The user configurable TCP port used for TACACS server accounting is the same TCP port that is used for TACACS server authentication and authorization The following information is sent to the TACACS server by the device when a user logs in or out Defaults The following defaults are relevant to this feature No default TACACS server is defined by default...

Page 440: ...onfigured priorities of the available TACACS servers to select the TACACS server to be used by the device TACACS Client The TACACS page enables configuring TACACS servers Only users who have privilege level 15 on the TACACS server can administer the device Privilege level 15 is given to a user or group of users on the TACACS server by the following string in the user or group definition service ex...

Page 441: ...going interface STEP 4 Click Apply The TACACS default settings are added to the Running Configuration file These are used if the equivalent parameters are not defined in the Add page The information for each TACACS server is displayed in the TACACS Server Table The fields in this table are entered in the Add page except for the Status field This fields describes whether the server is connected or ...

Page 442: ...he key can be entered in Encrypted or Plaintext form If you do not have an encrypted key string from another device enter the key string in plaintext mode and click Apply The encrypted key string is generated and displayed If you enter a key this overrides the default key string if one has been defined for the device on the main page Timeout for Reply Select User Defined and enter the amount of ti...

Page 443: ... passwords Authorization Performed at login After the authentication session is completed an authorization session starts using the authenticated username The RADIUS server then checks user privileges Accounting Enable accounting of login sessions using the RADIUS server This enables a system administrator to generate accounting reports from the RADIUS server The user configurable TCP port used fo...

Page 444: ...the device uses the values in these fields Retries Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred Timeout for Reply Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query or switching to the next server Dead Time Enter the number of minutes that elapse before a non...

Page 445: ...e interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 Address Type Link Local is selected from the list Server IPAddress Name Enter the RADIUS server by IP address or name Priority Enter the priority of the server The priori...

Page 446: ... the dead time If you enter 0 minutes there is no dead time Usage Type Enter the RADIUS server authentication type The options are Login RADIUS server is used for authenticating users that ask to administer the device 802 1X RADIUS server is used for 802 1x authentication All RADIUS server is used for authenticating user that ask to administer the device and for 802 1X authentication STEP 6 Click ...

Page 447: ...erver Keys STEP 2 Enter the default RADIUS keys if required Values entered in the Default Key are applied to all servers configured in the Add RADIUS Server page to use the default key Default Key Enter the default key string used for authenticating and encrypting between the device and the RADIUS client Select one of the following options Keep existing default key For specified servers the device...

Page 448: ...S Server Groups To set up a group of users that will be using the device as its RADIUS server STEP 1 Click Security RADIUS Server RADIUS Server Groups STEP 2 Click Add and enter the following fields Group Name Enter a name for the group Privilege Level Enter the management access privilege level of the group Time Range Check to enable applying a time range to this group Time Range Name If Time Ran...

Page 449: ...g in plaintext mode The encrypted key string is generated and displayed STEP 3 Click Apply The user definition is added to the Running Configuration file of the device RADIUS Server Accounting The Radius server saves the last accounting logs in a cycle file on FLASH These can be displayed To display RADIUS server accounting STEP 1 Click Security RADIUS Server RADIUS Server Accounting RADIUS accoun...

Page 450: ... type of account viewed and the details received for it Not all fields are always displayed Event Time See above Event Type See above User Name See above Authentication Method See above NAS IPv4 Address See NAS Address above NAS Port Port used on the switch at the NAS address User Address See above Accounting Session Time See Event Time above Session Termination Reason Displays reason for session ...

Page 451: ...e depend on the type of account viewed and the details received for it Not all fields are always displayed Event Time See above User Name See above Authentication Method See User Type above Rejection Reason Reason that the user was rejected NAS IPv4 Address Address of the Network Accessed Server NAS The NAS is the switch running the RADIUS client NAS Port Port used on the NAS UserAddress If the us...

Page 452: ...which is the time period that passes before the statistics are refreshed Incoming Packets on Authentication Port How many packets received on the authentication port Incoming Access Requests from Unknown Addresses Number of incoming access requests from unknown NAS addresses Duplicate Incoming Access Requests Number of retransmitted packets received Sent Access Accepts Number of access accepts sen...

Page 453: ...ests with Bad Authenticator Number of incoming accounting requests with bad authenticator Incoming Accounting Packets with Other Mistakes Number of incoming accounting packets with other mistakes Incoming Not Recorded Accounting Requests Number of incoming accounting requests not recorded Incoming Accounting Packets of Unknown Type Number of incoming accounting packets of unknown type To clear the...

Page 454: ...complexity rules for passwords If password complexity is enabled new passwords must conform to the following default settings Have a minimum length of eight characters Contain characters from at least three character classes uppercase letters lowercase letters numbers and special characters available on a standard keyboard Are different from the current password Contain no character that is repeat...

Page 455: ...may be done through the CLI See the CLI Reference Guide for further instruction Key Management NOTE This section is only relevant for the 550 family This section describes how to configure key chains for applications and protocols such as RIP See IP Configuration RIPv2 for a description of how RIP uses key chain for authentication It covers the following topics Key Chain Key Settings Key Chain NOT...

Page 456: ...Accept Life Time and Send Life Times always fail The following fields are relevant for the Accept Life Time and Send Life Time fields Start Date Enter the earliest date that the key identifier is valid Start Time Enter the earliest time that the key identifier is valid on the Start Date End Time Specifies the last date that the key identifier is valid Select one of the following options Infinite N...

Page 457: ...e has the same fields Accept Life Time Specifies when packets with this key are accepted Select one of the following options Always Valid No limit to the life of the key identifier User Defined Life of the key chain is limited If this option is selected enter values in the following fields Start Date Enter the earliest date that the key identifier is valid Start Time Enter the earliest time that t...

Page 458: ...ess from specific sources Only users who pass both the active access profile and the management access authentication methods are given management access to the device There can only be a single access profile active on the device at one time Access profiles consist of one or more rules The rules are executed in order of their priority within the access profile top to bottom Rules are composed of ...

Page 459: ...ion from the management station to the physical console port on the device For more information see Profile Rules Use the Access Profiles page to create an access profile and to add its first rule If the access profile only contains a single rule you are finished To add additional rules to the profile use the Profile Rules page STEP 1 Click Security Mgmt Access Method Access Profiles This page dis...

Page 460: ...Users requesting access to the device that meets the HTTP access profile criteria are permitted or denied Secure HTTP HTTPS Users requesting access to the device that meets the HTTPS access profile criteria are permitted or denied SNMP Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied Action Select the action attached to the rule The options ...

Page 461: ...ules to determine who is permitted to manage and access the device and the access methods that may be used Each rule in an access profile contains an action and criteria one or more parameters to match Each rule has a priority rules with the lowest priority are checked first If the incoming packet matches a rule the action associated with the rule is performed If no matching rule is found within t...

Page 462: ...ied Secure HTTP HTTPS Users requesting access to the device that meets the HTTPS access profile criteria are permitted or denied SNMP Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied Action Select one of the following options Permit Allow device access to users coming from the interface and IP source defined in this rule Deny Deny device acc...

Page 463: ...rified If authorization is not enabled only the identity of the user is verified The authorization authentication method used is determined by the order that the authentication methods are selected If the first authentication method is not available the next selected method is used For example if the selected authentication methods are RADIUS and Local and all configured RADIUS servers are queried...

Page 464: ...ers For the RADIUS server to grant access to the web based configuration utility the RADIUS server must return cisco avpair shell priv lvl 15 TACACS User authorized authenticated on the TACACS server You must have configured one or more TACACS servers None User is allowed to access the device without authorization authentication Local Username and password are checked against the data stored on th...

Page 465: ...nto the device By default the device contains a certificate that can be modified HTTPS is enabled by default SSL Server Authentication Settings It may be required to generate a new certificate to replace the default certificate found on the device To create a new certificate STEP 1 Click Security SSL Server SSL Server Authentication Settings Information appears for certificate 1 and 2 in the SSL S...

Page 466: ...t a certificate STEP 1 Click Security SSL Server SSL Server Authentication Settings STEP 2 Click Import Certificate STEP 3 Enter the following fields Certificate ID Select the active certificate Certificate Source Displays that the certificate is user defined Certificate Copy in the received certificate Import RSA Key Pair Select to enable copying in the new RSA key pair Public Key Copy in the RSA...

Page 467: ... SSH Client TCP UDP Services The TCP UDP Services page enables TCP or UDP based services on the device usually for security reasons The device offers the following TCP UDP services HTTP Enabled by factory default HTTPS Enabled by factory default SNMP Disabled by factory default Telnet Disabled by factory default SSH Disabled by factory default The active TCP connections are also displayed in this ...

Page 468: ...Local IP address through which the device is offering the service Local Port Local TCP port through which the device is offering the service Remote IPAddress IP address of the remote device that is requesting the service Remote Port TCP port of the remote device that is requesting the service State Status of the service The UDP Service table displays the following information Service Name Access m...

Page 469: ...ol Storm Control Settings STEP 2 Select a port and click Edit STEP 3 Enter the parameters Interface Select the port for which storm control is enabled Unicast Storm Control Storm Control State Select to enable Storm Control for Unicast packets Rate Threshold Enter the maximum rate at which unknown packets can be forwarded This value can be entered by Kbits sec or By percentage of the total availab...

Page 470: ...Enter the maximum rate at which unknown packets can be forwarded This value can be entered by Kbits sec or By percentage of the total available bandwidth Trap on Storm Select to send a trap when a storm occurs on a port If this is not selected the trap is not sent Shutdown on Storm Select to shutdown a port when a storm occurs on the port If this is not selected extra traffic is discarded STEP 4 C...

Page 471: ... control Multicast Traffic Type Only for Multicast traffic Registered or Unregistered Bytes Passed Number of bytes received Bytes Dropped Number of bytes dropped because of storm control Last Drop Time Time that the last byte was dropped STEP 4 To clear all counters on all interfaces click Clear All Interfaces Counters To clear all counters on an interface select it and click Clear Interface Count...

Page 472: ...e subject to aging and re learning Secure Permanent Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port set by Max No of Addresses Allowed Relearning and aging are disabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses can be learned as Delete ...

Page 473: ...h re learning and aging of MAC addresses are enabled Secure Permanent Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port set by Max No of Addresses Allowed Relearning and aging are enabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses can be l...

Page 474: ...chapter for information about 802 1X authentication IP Source Guard IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of its neighbor When IP Source Guard is enabled the device only transmits client IP traffic to IP addresses contained in the DHCP Snooping Binding database This includes both addresses added by DHCP Snoo...

Page 475: ...y become inactive Port security cannot be enabled if source IP and MAC address filtering is configured on a port IP Source Guard uses TCAM resources and requires a single TCAM rule per IP Source Guard address entry If the number of IP Source Guard entries exceeds the number of available TCAM rules the extra addresses are inactive Filtering If IP Source Guard is enabled on a port then DHCP packets ...

Page 476: ...Guard is enabled on an untrusted port LAG DHCP packets allowed by DHCP Snooping are transmitted If source IP address filtering is enabled packet transmission is permitted as follows IPv4 traffic Only IPv4 traffic with a source IP address that is associated with the specific port is permitted Non IPv4 traffic All non IPv4 traffic is permitted See Interactions with Other Features for more informatio...

Page 477: ... Guard enabled ports To view the DHCP Snooping Binding database and see TCAM usage set Insert Inactive STEP 1 Click Security IP Source Guard Binding Database STEP 2 The DHCP Snooping Binding database uses TCAM resources for managing the database Complete the Insert Inactive field to select how frequently the device should attempt to activate inactive entries It has the following options Retry Freq...

Page 478: ...nication within a Layer 2 Broadcast domain by mapping IP addresses to a MAC addresses A malicious user can attack hosts switches and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet This can happen because ARP allows a gratuitous reply from a host even if an ARP request was not r...

Page 479: ...se the MAC address MC as the destination MAC address for traffic intended for IA or IB which enables Host C intercepts that traffic Because Host C knows the true MAC addresses associated with IA and IB it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination Host C has inserted itself into the traffic stream from Host A to Host B the classic man in ...

Page 480: ...ping Binding database the packet is invalid and is dropped A SYSLOG message is generated If a packet is valid it is forwarded and the ARP cache is updated If the ARP Packet Validation option is selected Properties page the following additional validation checks are performed Source MAC Compares the packet s source MAC address in the Ethernet header against the sender s MAC address in the ARP reque...

Page 481: ...ed and the Access Control Rules for each VLAN in the VLAN Settings page Properties To configure ARP Inspection properties STEP 1 Click Security ARP Inspection Properties Enter the following fields ARP Inspection Status Select to enable ARP Inspection ARP Packet Validation Select to enable validation checks Log Buffer Interval Select one of the following options Retry Frequency Enable sending SYSLO...

Page 482: ... change the ARP trusted status of a port LAG STEP 1 Click Security ARP Inspection Interface Settings The ports LAGs and their ARP trusted untrusted status are displayed STEP 2 To set a port LAG as untrusted select the port LAG and click Edit STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file ARP Access Control To add entries to the ARP Inspect...

Page 483: ...C Address MAC address of packet STEP 4 Click Apply The settings are defined and the Running Configuration file is updated VLAN Settings To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN STEP 1 Click Security ARP Inspection VLAN Settings STEP 2 To enable ARP Inspection on a VLAN move the VLAN from the Available VLANs list to the Enabled VLANs list STEP 3 To associate...

Page 484: ...raffic in addition to end user TCP traffic SCT ensures that the device receives and processes management and protocol traffic no matter how much total traffic is received This is done by rate limiting TCP traffic to the CPU There are no interactions with other features SCT can be monitored in the Security Suite Settings page Details button Types of DoS Attacks The following types of packets or oth...

Page 485: ... uses a client program to connect to handlers which are compromised systems that issue commands to zombie agents which in turn facilitate the DoS attack Agents are compromised via the handlers by the attacker Using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts Each handler can control up to a thousand agents Invasor Tr...

Page 486: ...ears if you attempt to enable DoS Prevention when an ACL is defined on the interface or if you attempt to define an ACL on an interface on which DoS Prevention is enabled A SYN attack cannot be blocked if there is an ACL active on an interface Default Configuration The DoS Prevention feature has the following defaults The DoS Prevention feature is disabled by default SYN FIN protection is enabled ...

Page 487: ...Distribution Invasor Trojan and Back Orifice Trojan STEP 5 If System Level Prevention or System Level and Interface Level Prevention is selected enable one or more of the following DoS Prevention options Stacheldraht Distribution Discards TCP packets with source TCP port equal to 16660 Invasor Trojan Discards TCP packets with destination TCP port equal to 2140 and source TCP port equal to 1024 Bac...

Page 488: ... Protection STEP 2 Enter the parameters Block SYN FIN Packets Select to enable the feature All TCP packets with both SYN and FIN flags are dropped on all ports SYN Protection Mode Select between three modes Disable The feature is disabled on a specific interface Report Generates a SYSLOG message The status of the port is changed to Attacked when the threshold is passed Block and Report When a TCP ...

Page 489: ...iew of the protocol such as loopback addresses including addresses within the following ranges 0 0 0 0 8 Except 0 0 0 0 32 as a Source Address Addresses in this block refer to source hosts on this network 127 0 0 0 8 Used as the Internet host loopback address 192 0 2 0 24 Used as the TEST NET in documentation and example codes 224 0 0 0 4 As a Source IPAddress Used in IPv4 Multicast address assign...

Page 490: ...ich Denial of Service prevention is enabled STEP 5 Click Apply The Martian addresses are written to the Running Configuration file SYN Filtering The SYN Filtering page enables filtering TCP packets that contain a SYN flag and are destined for one or more ports To define a SYN filter STEP 1 Click Security Denial of Service Prevention SYN Filtering STEP 2 Click Add STEP 3 Enter the parameters Interf...

Page 491: ...rity Denial of Service Prevention SYN Rate Protection This page appears the SYN rate protection currently defined per interface STEP 2 Click Add STEP 3 Enter the parameters Interface Select the interface on which the rate protection is being defined IPAddress Enter the IP address for which the SYN rate protection is defined or select All Addresses If you enter the IP address enter either the mask ...

Page 492: ... from all source addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the field Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that compr...

Page 493: ... enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the field Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix ...

Page 494: ...operties Port Authentication Host and Session Authentication Authenticated Hosts Locked Clients Web Authentication Customization Overview 802 1x authentication restricts unauthorized clients from connecting to a LAN through publicity accessible ports 802 1x authentication is a client server model In this model network devices have the following specific roles Client or supplicant Authenticator Aut...

Page 495: ...e client to use MAC based or web based authentication Authenticator An authenticator is a network device that provides network services and to which supplicant ports are connected The following authentication methods are supported 802 1x based Supported in all authentication modes MAC based Supported in all authentication modes WEB based Supported only in multi sessions modes In 802 1x based authe...

Page 496: ...ses and allows access to the network for stations connected to interfaces regardless of authentication results Open Access changes the normal behavior of blocking traffic on a authentication enabled port until authentication and authorization are successfully performed The default behavior of authentication is still to block all traffic except Extensible Authentication Protocol over LAN EAPoL Howe...

Page 497: ...ethods configured on the port Port Host Modes Ports can be placed in the following port host modes configured in the Host and Session Authentication page Single Host Mode A port is authorized if there is an authorized client Only one host can be authorized on a port When a port is unauthorized and the guest VLAN is enabled untagged traffic is remapped to the guest VLAN Tagged traffic is dropped un...

Page 498: ...nt on a port is set in the Port Authentication page Multi Sessions Mode Unlike the single host and multi host modes a port in the multi session mode does not have an authentication status This status is assigned to each client connected to the port Tagged traffic belonging to an unauthenticated VLAN is always bridged regardless of whether the host is authorized or not Tagged and untagged traffic f...

Page 499: ...horized with the old method 802 1x Based Authentication The 802 1x based authenticator relays transparent EAP messages between 802 1x supplicants and authentication servers The EAP messages between supplicants and the authenticator are encapsulated into the 802 1x messages and the EAP messages between the authenticator and authentication servers are encapsulated into the RADIUS messages This is de...

Page 500: ...ication is enabled on a port the switch drops all traffic coming onto the port from unauthorized clients except for ARP DHCP and DNS packets These packets are allowed to be forwarded by the switch so that even unauthorized clients can get an IP address and be able to resolve the host or domain names All HTTP HTTPS over IPv4 packets from unauthorized clients are trapped to the CPU on the switch If ...

Page 501: ...to the Running Configuration file Unauthenticated VLANs and the Guest VLAN Unauthenticated VLANs and the guest VLAN provide access to services that do not require the supplicant devices or ports to be authenticated and authorized The guest VLAN is the VLAN that is assigned to an unauthorized client You can configure the guest VLAN and one or more VLANs to be unauthenticated in the Properties page ...

Page 502: ...rized clients are assigned to the guest VLAN using the TCAM rule and are bridged via the guest VLAN The tagged traffic belonging to an unauthenticated VLAN is bridged via the VLAN This mode cannot be configured on the same interface with policy based VLANs RADIUS VLAN Assignment or Dynamic VLAN Assignment An authorized client can be assigned a VLAN by the RADIUS server if this option is enabled in...

Page 503: ...ned VLAN feature is enabled the host modes behave as follows Single Host and Multi Host Mode Untagged traffic and tagged traffic belonging to the RADIUS assigned VLAN are bridged via this VLAN All other traffic not belonging to unauthenticated VLANs is discarded Multi Sessions Mode Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs arriving from the client are assigned ...

Page 504: ...port You can also configure the device to send SNMP traps with a configurable minimum time between consecutive traps If seconds 0 traps are disabled If minimum time is not specified it defaults to 1 second for the restrict mode and 0 for the other modes Quiet Period The Quiet period is a period when the port single host or multi host modes or the client multi sessions mode cannot attempt authentic...

Page 505: ...ation method and port mode are supported Legend The port mode also supports the guest VLAN and RADIUS VLAN assignment N S The authentication method does not support the port mode NOTE You can simulate the single host mode by setting Max Hosts parameter to 1 in the Port Authentication page Authentication Methods and Port Modes Authentication Method Single host Multi host Multi sessions Device in L3...

Page 506: ...s are dropped unless they belong to the RADIUS VLAN or to the unauthent icated VLANs Frames are bridged based on the static VLAN configuration Frames are bridged based on the static VLAN configurat ion Multi host Frames are re mapped to the guest VLAN Frames are dropped unless they belongs to the guest VLAN or to the unauthent icated VLANs Frames are dropped Frames are dropped unless they belongs ...

Page 507: ... Authentication STEP 10 Select a port and click Edit STEP 11 Set the Administrative Port Control field to Auto STEP 12 Define the authentication methods STEP 13 Click Apply and the Running Configuration file is updated Full multi sessions Frames are re mapped to the guest VLAN Frames are re mappedto the guest VLAN unless they belongs to the unauthent icated VLANs Frames are dropped Frames are drop...

Page 508: ... described in Port Authentication STEP 4 Click Apply and the Running Configuration file is updated Use the Copy Settings button to copy settings from one port to another Workflow 4 To configure the quiet period STEP 1 Click Security 802 1X MAC Web Authentication Port Authentication STEP 2 Select a port and click Edit STEP 3 Enter the quiet period in the Quiet Period field STEP 4 Click Apply and th...

Page 509: ...ort Based Authentication Enable or disable port based authentication If this is disabled 802 1X MAC based and web based authentication are disabled Authentication Method Select the user authentication methods The options are RADIUS None Perform port authentication first by using the RADIUS server If no response is received from RADIUS for example if the server is down then no authentication is per...

Page 510: ...To enable traps select one of more of the following options 802 1x Authentication Failure Traps Select to generate a trap if 802 1x authentication fails 802 1x Authentication Success Traps Select to generate a trap if 802 1x authentication succeeds MAC Authentication Failure Traps Select to generate a trap if MAC authentication fails MAC Authentication Success Traps Select to generate a trap if MA...

Page 511: ...ings for all ports STEP 2 Select a port including the OOB port and click Edit STEP 3 Enter the parameters Interface Select a port including the OOB port Current Port Control Displays the current port authorization state If the state is Authorized the port is either authenticated or the Administrative Port Control is Force Authorized Conversely if the state is Unauthorized then the port is either n...

Page 512: ...sed on the supplicant MAC address Only 8 MAC based authentications can be used on the port NOTE For MAC authentication to succeed the RADIUS server supplicant username and password must be the supplicant MAC address The MAC address must be in lower case letters and entered without the or separators for example 0020aa00bbcc Web Based Authentication Select to enable web based authentication based on...

Page 513: ...Set this value to 1 to simulate single host mode for web based authentication in multi sessions mode Quiet Period Enter the length of the quiet period Resending EAP Enter the number of seconds that the device waits for a response to an ExtensibleAuthentication Protocol EAP request identity frame from the supplicant client before resending the request Max EAP Requests Enter the maximum number of EA...

Page 514: ...ost Authentication Select one of the modes These modes are described above in Port Host Modes Single Host Violation Settings only displayed if host authentication is Single Host Action on Violation Select the action to be applied to packets arriving in Single Session Single Host mode from a host whose MAC address is not the supplicant MAC address The options are Protect Discard Discards the packet...

Page 515: ...nts To view clients who have been locked out because of failed login attempts and to unlock a locked client STEP 1 Click Security 802 1X MAC Web Authentication Locked Client The following fields are displayed Interface Port that is locked MAC Address Displays the current port authorization state If the state is Authorized the port is either authenticated or the Administrative Port Control is Force...

Page 516: ...ication Customization STEP 2 Click Add STEP 3 Select a language from the Language drop down list STEP 4 Select Set as Default Display Language if this language is the default language the default language pages are displayed if the end user does not select a language STEP 5 Click Apply and the settings are saved to the Running Configuration file To customize the web authentication pages STEP 1 Cli...

Page 517: ...ink Color Enter the ASCII code of the hyperlink color The selected color is shown in the Text field Current Logo Image Displays the name of the file containing the current logo image Logo Image Select one of the following options None No logo Default Use the default logo Other Select to enter a customized logo If the Other logo option is selected the following options are available Logo Image File...

Page 518: ...age Selection Select to enable the end user to select a language Language Dropdown Label Enter the label of the language selection dropdown Login Button Label Enter the label of the login button Login Progress Label Enter the text that will be displayed during the login process STEP 8 Click Apply and the settings are saved to the Running Configuration file STEP 9 Click Edit labeled 4 The following...

Page 519: ...P 14 Click the Edit button on the right side of the page STEP 15 Enter the Success Message which is the text that will be displayed if the end user successfully logs in STEP 16 Click Apply and the settings are saved to the Running Configuration file To preview the login or success message click Preview To set the default language of the GUI interface as the default language for Web based authentic...

Page 520: ...SD Rules SSD Properties Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In additi...

Page 521: ...sensitive data The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An SSD rule is uniquely identified by it...

Page 522: ...plied The channel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifies that this rule applies only to insecure channels Depending on the device it may support some or all of the following insecure channels Telnet TFTP and HTTP Secu...

Page 523: ...re subjected to the read permission of the rule The following options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read mode is Encrypted the user defined read permission prevails Exclude Do not allow reading sensitive data Encrypted Sensitive data is presented in encrypted form Plaintext Sen...

Page 524: ...dered to be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users SNMP community names are not used as user names to match SSD rules Access by a specific SNMPv3 user can be controlled by configuring an SSD rule with a user name matching the SNMPv3 user name There must always be at least one rule with read permission Plaintext Only ...

Page 525: ... servers are sensitive data and are protected under SSD NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternate channel the device applies the read permission and default read mode from the SSD rule that match the user credential and the alternate channel For example if a user ...

Page 526: ...n read mode returns to the default read mode of the SSD rule SSD Properties SSD properties are a set of parameters that in conjunction with the SSD rules define and control the SSD environment of a device The SSD environment consists of these properties Controlling how the sensitive data is encrypted Controlling the strength of security on configuration files Controlling how the sensitive data is ...

Page 527: ...n be configured to be either the default passphrase or a user defined passphrase By default the local passphrase and default passphrase are identical It can be changed by administrative actions from either the Command Line Interface if available or the web based interface It is automatically changed to the passphrase in the startup configuration file when the startup configuration becomes the runn...

Page 528: ...on file with Configuration File Integrity Control It is recommended that Configuration File Integrity Control be enabled when a device uses a user defined passphrase with Unrestricted Configuration File Passprhase Control CAUTION Any modification made to a configuration file that is integrity protected is considered tampering A device determines whether the integrity of a configuration file is pro...

Page 529: ...ms the source content to the format of the destination file if the two files are of different formats File SSD Indicator When copying the Running or Startup Configuration file into a text based configuration file the device generates and places the file SSD indicator in the text based configuration file to indicate whether the file contains encrypted sensitive data plaintext sensitive data or excl...

Page 530: ...tion file the SSD configuration in the Startup Configuration file is reset to default If there is a passphrase in the SSD control block of the source configuration file the device will reject the source file and the copy fails if there is encrypted sensitive data in the file not encrypted by the key generated from the passphrase in the SSD control block If there is an SSD control block in the sour...

Page 531: ... in the source file is in plaintext If the passphrase is encrypted it is ignored When directly configuring the passphrase non file copy in the Running Configuration the passphrase in the command must be entered in plaintext Otherwise the command is rejected Configuration commands with encrypted sensitive data that are encrypted with the key generated from the local passphrase are configured into t...

Page 532: ... the file Otherwise plaintext sensitive data may be unexpectedly exposed Sensitive Data Zero Touch Auto Configuration SSD Zero touch Auto Configuration is the auto configuration of target devices with encrypted sensitive data without the need to manually pre configure the target devices with the passphrase whose key is used to encrypted the sensitive data The device currently supports Auto Configu...

Page 533: ... without manually pre configuring the target devices with the passphrase This is zero touch because the target devices learn the passphrase directly from the configuration file NOTE Devices that are out of the box or in factory default states use the default anonymous user to access the SCP server SSD Management Channels Devices can be managed over management channels such as telnet SSH and web SS...

Page 534: ...cation If SSD is supported this option is only permitted if the local passphrase is identical to the default passphrase If a device is configured with a user defined passphrase the user is unable to activate password recovery Configuring SSD The SSD feature is configured in the following pages SSD properties are set in the SSD Properties page SSD rules are defined in the SSD Rules page SSD Propert...

Page 535: ... in Configuration File Passphrase Control Configuration File Integrity Control Select to enable this feature See Configuration File Integrity Control STEP 3 Select a Read Mode for the current session see Elements of an SSD Rule STEP 4 Click Apply The settings are saved to the Running Configuration file To change the local passphrase STEP 1 Click Change Local Passphrase and enter a new Local Passph...

Page 536: ...s that this rule applies to all users Channel This defines the security level of the input channel to which the rule applies Select one of the following options Secure Indicates that this rule applies only to secure channels console SCP SSH and HTTPS not including the SNMP and XML channels Insecure Indicates that this rule applies only to insecure channels Telnet TFTP and HTTP not including the SN...

Page 537: ...odes are subjected to the read permission of the rule The following options exist but some might be rejected depending on the rule s read permission Exclude Do not allow reading the sensitive data Encrypted Sensitive data is presented encrypted Plaintext Sensitive data is presented as plaintext STEP 3 Click Apply The settings are saved to the Running Configuration file STEP 4 The following actions...

Page 538: ...user either by password or by public key At the same time the remote user as a SSH client can perform SSH Server Authentication to authenticate the device using the device public key fingerprint SSH Server can operate in the following modes By Internally generated RSA DSA Keys Default Setting An RSA and a DSA key are generated Users log on the SSH Server application and are automatically authentic...

Page 539: ...SSH User authentication by password in the SSH User Authentication page STEP 3 Establish SSH sessions to the device from a SSH client application such as PUTTY Workflow3 Create an SSH session with SSH user authentication by public key with without bypassing management authentication perform the following steps STEP 1 Enable SSH server in the TCP UDP Services page STEP 2 Enable SSH User authenticat...

Page 540: ...llows Enabled If a user is defined in the local database and this user passed SSH Authentication using a public key the authentication by the local database username and password is skipped NOTE The configured authentication method for this specific management method console Telnet SSH and so on must be Local i e not RADIUS or TACACS See Management Access Method for more details Not Enabled After ...

Page 541: ...ame Enter a user name Key Type Select either RSA or DSA Public Key Copy the public key generated by an external SSH client application like PuTTY into this text box STEP 5 Click Apply to save the new user The following fields are displayed for all active users IPAddress IP address of the active user SSH User Name User name of the active user SSH Version Version of SSH used by the active user Ciphe...

Page 542: ... are displayed for each key Key Type RSA or DSA Key Source Auto Generated or User Defined Fingerprint Fingerprint generated from the key STEP 2 Select either an RSA or DSA key STEP 3 You can perform any of the following actions Generate Generates a key of the selected type Edit Enables you to copy in a key from another device Enter the following fields Key Type As described above Public Key Enter ...

Page 543: ...n a central SSH server When configuration files are transferred over a network Secure Copy SCP which is an application that utilizes the SSH protocol ensures that sensitive data such as username password cannot be intercepted Secure Copy SCP is used to securely transfer firmware boot image configuration files language files and log files from a central SCP server to a device With respect to SSH th...

Page 544: ... trusted When SSH server authentication is enabled the user must add an entry for the trusted servers to the Trusted SSH Servers Table This table stores the following information per each SSH Trusted server for a maximum of 16 servers and contains the following information Server IP address host name Server public key fingerprint When SSH server authentication is enabled the SSH client running on ...

Page 545: ...the SSH server This is not done through the device s management system although after a username has been established on the server the server password can be changed through the device s management system The username password must then be created on the device When the device tries to establish a SSH session to a SSH server the username password supplied by the device must match the username pas...

Page 546: ...to another because of security considerations If there are multiple switches in the network the process of creating public private keys for all the switches might be time consuming because each public private key must be created and then loaded onto the SSH server To facilitate this process an additional feature enables secure transfer of the encrypted private key to all switches in the system Whe...

Page 547: ...thms hmac sha1 hmac md5 NOTE Compression algorithms are not supported Before You Begin The following actions must be performed before using the SCP feature When using the password authentication method a username password must be set up on the SSH server When using public private keys authentication method the public key must be stored on the SSH server Common Tasks This section describes some com...

Page 548: ... or the password entered in the SSH User Authentication page can be used STEP 3 Set up a username password or modify the password on the remote SSH server This activity depends on the server and is not described here STEP 4 If the public private key method is being used perform the following steps a Select whether to use an RSA or DSA key create a username and then generate the public private keys...

Page 549: ...the Trusted SSH Servers table SSH User Authentication Use this page to select an SSH user authentication method set a username and password on the device if the password method is selected or generate an RSA or DSA key if the public private key method is selected To select an authentication method and set the username password keys STEP 1 Click Security SSH Client SSH User Authentication STEP 2 Se...

Page 550: ... Source Auto Generated or User Defined Fingerprint Fingerprint generated from the key STEP 6 To handle an RSA or DSA key select either RSA or DSA and perform one of the following actions Generate Generate a new key Edit Display the keys for copying pasting to another device Delete Delete the key Details Display the keys SSH Server Authentication To enable SSH server authentication and define the t...

Page 551: ...address IPv6 Address Type If the SSH server IP address is an IPv6 address select the IPv6 address type The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the inter...

Page 552: ...pe The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicas...

Page 553: ...S works and how to configure it in the GUI It covers the following topics IPv6 First Hop Security Overview Router Advertisement Guard Neighbor Discovery Inspection DHCPv6 Guard Neighbor Binding Integrity IPv6 Source Guard Attack Protection Policies Global Parameters and System Defaults Common Tasks Default Settings and Configuration Configuring IPv6 First Hop Security through Web GUI ...

Page 554: ... Neighbor Discovery Protocol messages DHCPv6 messages and user data messages according to a number of different rules Figure 1 IPv6 First Hop Security Configuration A separate and independent instance of IPv6 First Hop Security runs on each VLAN on which the feature is enabled Abbreviations IPv6 Host End Node Monitor First Hop Switch IPv6 Router 370572 Name Description CPA message Certification Pa...

Page 555: ...attached to each VLAN that is not attached to a user defined policy and the second one is connected to each interface and VLAN that is not attached to a user defined policy These policies cannot be attached explicitly by the user See Policies Global Parameters and System Defaults IPv6 First Hop Security Pipe If IPv6 First Hop Security is enabled on a VLAN the switch traps the following messages Ro...

Page 556: ...rd feature DHCPv6 Guard validates these messages drops illegal message and legal messages passes to the IPv6 Source Guard feature Trapped data messages are passed to the IPv6 Source Guard feature IPv6 Source Guard validates received messages trapped data messages NDP messages from ND Inspection and DHCPv6 messages from DHCPv6 Guard using the Neighbor Binding Table drops illegal messages and passes...

Page 557: ...p Security Perimeter IPv6 First Hop Security switches can form a perimeter separating untrusted area from trusted area All switches inside the perimeter support IPv6 First Hop Security and hosts and routers inside this perimeter are trusted devices For example in Figure 2 Switch B and Switch C are inner links inside the protected area Figure 2 IPv6 First Hop Security Perimeter ...

Page 558: ...treats trapped RA messages RA Guard supports the following functions Filtering of received RA CPA and ICMPv6 redirect messages Validation of received RA messages Filtering of Received RA CPA and IPCMv6 redirect Messages RA Guard discards RA and CPA messages received on interfaces whose role are not router The interface role is configured in the RA Guard Settings page Validation of RA messages RA G...

Page 559: ...CPv6 Guard treats the trapped DHCPv6 messages DHCPv6 Guard supports the following functions Filtering of received DHCPv6 messages DHCP Guard discards DHCPv6 reply messages received on interfaces whose role is client The interface role is configured in the DHCPv6 Guard Settings page Validation of received DHCPv6 messages DHCPv6 Guard validates DHCPv6 messages that match the filtering based on the D...

Page 560: ...ixes defined in the RA Prefix table A global IPv6 address provided by a DHCPv6 server must belong to one of the prefixes defined in the IPv6 Prefix List in IPv6 Prefixes page If a message does not pass this verification it is dropped and a rate limited SYSLOG message is sent Neighbor Binding Table Overflow When there is no free space to create a new entry no entry is created and a SYSLOG message i...

Page 561: ...nst the same binding anchor to confirm that the originator owns the source IP address The exception to this rule occurs when an IPv6 host roams in the L2 domain or changes its MAC address In this case the host is still the owner of the IP address but the associated binding anchor might have changed To cope with this case the defined NBI NDP behavior implies verification of whether or not the host ...

Page 562: ... policy attached to an interface These policies are configured in the Neighbor Binding Settings page IPv6 Source Guard If Neighbor Binding Integrity NB Integrity is enabled IPv6 Source Guard validates the source IPv6 addresses of NDP and DHCPv6 messages regardless of whether IPv6 Source Guard is enabled If IPv6 Source Guard is enabled together with NB Integrity IPv6 Source Guard configures the TCA...

Page 563: ...ce IPv6 addresses Attack Protection The section describes attack protection provided by IPv6 First Hop Security Protection against IPv6 Router Spoofing An IPv6 host can use the received RA messages for IPv6 router discovery Stateless address configuration A malicious host could send RA messages advertising itself as an IPv6 router and providing counterfeit prefixes for stateless address configurat...

Page 564: ...own the DAD_NS message is forwarded only on inner interfaces If the given IPv6 address is known the DAD_NS message is forwarded only on the interface where the IPv6 address is bound An NA message is dropped if the target IPv6 address is bound with another interface Protection against DHCPv6 Server Spoofing An IPv6 host can use the DHCPv6 protocol for Stateless Information configuration Statefull a...

Page 565: ... are used to apply the feature to packets Policies Policies contain the rules of verification that are performed on input packets They can be attached to VLANs and also to ports and LAGs If the feature is not enabled on a VLAN the policies have no effect Policies can be user defined or default policies see below Default Policies Empty default polices exist for each FHS feature and are by default a...

Page 566: ... packet on an interface is built in the following way The rules configured in policies attached to the interface port or LAG on which the packet arrived are added to the set The rules configured in the policy attached to the VLAN are added to the set if they have not been added at the port level The global rules are added to the set if they have not been added at the VLAN or port level Rules defin...

Page 567: ...the Policy Attachment VLAN or Policy Attachment Port pages DHCPv6 Guard Work Flow STEP 1 In the DHCPv6 Guard Settings page enter the list of VLANs on which this feature is enabled STEP 2 In this same page set the global configuration values that are used if no values are set in a policy STEP 3 If required either configure a user defined policy or add rules to the default policies for the feature S...

Page 568: ...olicy or add rules the default policies for the feature STEP 4 Add any manual entries required in the Neighbor Binding Table page STEP 5 Attach the policy to a VLAN port or LAG using either the Policy Attachment VLAN or Policy Attachment Port pages IPv6 Source Guard Work Flow STEP 1 In the IPv6 Source Guard Settings page enter the list of VLANs on which this feature is enabled STEP 2 If required e...

Page 569: ...ckets If required a policy can be added or the packet drop logging can be added to the system defined default policy To configure IPv6 First Hop Security common parameters STEP 1 Click Security IPv6 First Hop Security FHS Settings The currently defined polices are displayed For each policy its Policy Type is displayed which indicates whether it is a default or user defined policy STEP 2 Enter the ...

Page 570: ...Click to jump to PolicyAttachment Port page where you can attach this policy to a port RA Guard Settings Use the RA Guard Settings page to enable the RA Guard feature on a specified group of VLANs and to set the global configuration values for this feature If required a policy can be added or the system defined default RA Guard policies can be configured in this page To configure RA Guard STEP 1 C...

Page 571: ...es verification of the advertised Other Configuration flag within an IPv6 RA Guard policy Inherited Feature is inherited from either the VLAN or system default client No Verification Disables verification of the advertised Other Configuration flag On Enables verification of the advertised Managed Other flag Off The value of the flag must be 0 RAAddress List Specify the list of addresses to filter ...

Page 572: ...boundary of Advertised Default Router Preference Low Specifies the minimum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 Medium Specifies the minimum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 High Specifies the minimum allowed Advertised Default Rout...

Page 573: ...TEP 1 Click Security IPv6 First Hop Security DHCPv6 Guard Settings The currently defined polices are displayed For each policy its Policy Type is displayed which indicates whether it is a default or user defined policy STEP 2 Enter the following global configuration fields DHCPv6 Guard VLAN List Enter one or more VLANs on which DHCPv6 Guard is enabled Device Role Displays the device role See defin...

Page 574: ... the VLAN or system default client Client Role of device is client Server Role of device is server Match Reply Prefixes Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy Inherited Value is inherited from either the VLAN or system default no verification No Verification Advertised prefixes are not verified Match List IPv6 prefix li...

Page 575: ...than or equal to this value STEP 6 Click Apply to add the settings to the Running Configuration file STEP 7 To attach this policy to an interface Attach Policy to VLAN Click to jump to Policy Attachment VLAN page where you can attach this policy to a VLAN Attach Policy to Interface Click to jump to PolicyAttachment Port page where you can attach this policy to a port ND Inspection Settings Use the...

Page 576: ...red click Add to create an ND Inspection policy STEP 5 Enter the following fields Policy Name Enter a user defined policy name Device Role Select one of the following to specify the role of the device attached to the port for ND Inspection Inherited Role of device is inherited from either the VLAN or system default client Host Role of device is host Router Role of device is router Drop Unsecure Se...

Page 577: ...his policy to a port Neighbor Binding Settings The Neighbor Binding table is a database table of IPv6 neighbors connected to a device is created from information sources such as Neighbor Discovery Protocol NDP snooping This database or binding table is used by various IPv6 guard features to prevent spoofing and redirect attacks Use the Neighbor Binding Settings page to enable the Neighbor Binding ...

Page 578: ...CPv6 Messages Binding from DHCPv6 is allowed Neighbor Binding Entry Limits Specify the maximum number of Neighbor Binding entries per type of interface or address Entries Per VLAN Specifies the neighbor binding limit per VLAN Select either No Limit or enter a User Defined value Entries Per Interface Specifies the neighbor binding limit per interface Select either No Limit or enter a User Defined v...

Page 579: ...methods of global IPv6 addresses within an IPv6 Neighbor Binding policy select one of the following options Any Any configuration methods stateless and manual are allowed for global IPv6 bound from NDP messages Stateless Only stateless auto configuration is allowed for global IPv6 bound from NDP messages Disable Binding from NDP messages is disabled Binding from DHCPv6 Messages Select to enable bi...

Page 580: ...Guard Settings The existing policies are displayed The fields are displayed below except for the Policy Type field This displays whether the policy is user defined or a default one STEP 2 Enter the following global configuration fields IPv6 Source Guard VLAN List Enter one or more VLANs on which IPv6 Source Guard is enabled Port Trust Displays that by default the policies are for untrusted ports T...

Page 581: ...ist Select the VLANs to which the policy is attached STEP 3 Click Apply to add the settings to the Running Configuration file Policy Attachment Port To attach a policy to one or more ports or LAGs STEP 1 Click Security IPv6 First Hop Security Policy Attachment Port The list of policies that are already attached are displayed along with their Interface number Policy Type Policy Name and VLAN List S...

Page 582: ...at added the IPv6 address only available for dynamic entries Static Added manually NDP Learnt from Neighbor Discovery Protocol messages DHCP Learnt from DHCPv6 protocol messages State State of the entry Tentative The new host IPv6 address is under validation Since its lifetime is less than 1 sec its expiration time is not displayed Valid The host IPv6 address was bound Expiry Time Sec Remaining ti...

Page 583: ...c entries Dynamic Only Clear only dynamic entries All Dynamic Static Clear static and dynamic entries STEP 3 The following fields are displayed for the exiting entries VLAN ID VLAN on which the prefixes are relevant IPv6 Prefix IPv6 prefix Prefix Length IPv6 prefix length Origin Entry is dynamic learned or static manually configured Autoconfig The prefix can be used for stateless configuration Exp...

Page 584: ...matched RA Prefix List RA prefix list to be matched Minimal Hop Limit Is minimum RA hop limit verification enabled Maximal Hop Limit Is maximum RA hop limit verification enabled Minimal Router Preference Is minimum router preference verification enabled Maximal Router Preference Is maximum router preference verification enabled DHCPv6 Guard Status DHCPv6 Guard State on Current VLAN Is DHCPv6 Guard...

Page 585: ... messages are validated Max Entries per VLAN Maximum number of dynamic Neighbor Binding table entries per VLAN allowed Max Entries per Interface Maximum number of Neighbor Binding table entries per interface allowed Max Entries per MAC Address Maximum number of Neighbor Binding table entries per MAC address allowed IPv6 Source Guard Status IPv6 Source Guard State on Current VLAN Is IPv6 Source Gua...

Page 586: ...llowing types of messages RA Router Advertisement messages REDIR Redirect messages NS Neighbor Solicitation messages NA Neighbor Advertisement messages RS Router Solicitation message DHCPv6 Messages The number of received and dropped messages are displayed for the following types of DHCPv6 messages ADV Advertise messages REP Reply messages REC Reconfigure messages REL REP Relay reply messages LEAS...

Page 587: ... or denied entry This section contains the following topics Overview MAC Based ACLs Creation IPv4 based ACL Creation IPv6 Based ACL Creation ACL Binding Overview An Access Control List ACL is an ordered list of classification filters and actions Each single classification rule together with its action is called an Access Control Element ACE Each ACE is made up of filters that distinguish traffic g...

Page 588: ...ic If IGMP MLD snooping is enabled on a port bound with an ACL add ACE filters in the ACL to forward IGMP MLD packets to the device Otherwise IGMP MLD snooping fails at the port The order of the ACEs within the ACL is significant since they are applied in a first fit manner The ACEs are processed sequentially starting with the first ACE ACLs can be used for security for example by permitting or de...

Page 589: ...ackets with identical characteristics as follows Layer 2 Packets Identical source and destination MAC addresses Layer 3 Packets Identical source and destination IP addresses Layer 4 Packets Identical source and destination IP and L4 port For any new flow the first packet that is trapped from a specific interface causes the generation of an informational SYSLOG message Additional packets from the s...

Page 590: ...06 Jun 2013 12 38 53 3SWCOS I LOGDENYINET gi0 1 deny ACE IPv4 255 1 1 1 1 1 1 1 10 protocol 1 DSCP 54 ICMP Type Echo Reply ICMP code 5 trapped For an L4 packet 06 Jun 2013 09 53 46 3SWCOS I LOGDENYINETPORTS gi0 1 deny ACE IPv4 TCP 1 1 1 1 55 1 1 1 10 66 trapped Configuring ACLs This section describes how to create ACLs and add rules ACEs to them Creating ACLs Workflow To create ACLs and associate ...

Page 591: ...s follows Unbind the policy containing the class map from the interface by using Policy Binding Delete the class map containing the ACL from the policy using the Configuring a Policy Edit Delete the class map containing the ACL by using Defining Class Mapping Only then can the ACL be modified as described in this section MAC Based ACLs Creation MAC based ACLs are used to filter traffic based on La...

Page 592: ...E criteria Deny Drop packets that meet the ACE criteria Shutdown Drop packets that meet the ACE criteria and disable the port from where the packets received Such ports can be reactivated from the Error Recovery Settings page Logging Select to enable logging ACL flows that match the ACL rule Time Range Select to enable limiting the use of the ACL to a specific time range Time Range Name If Time Ra...

Page 593: ...urce MAC Wildcard Mask Enter the mask to define a range of MAC addresses VLAN ID Enter the VLAN ID section of the VLAN tag to match 802 1p Select Include to use 802 1p 802 1p Value Enter the 802 1p value to be added to the VPT tag 802 1p Mask Enter the wildcard mask to be applied to the VPT tag Ethertype Enter the frame Ethertype to be matched STEP 5 Click Apply The MAC based ACE is saved to the R...

Page 594: ...ased ACL is saved to the Running Configuration file IPv4 Based ACE NOTE Each IPv4 based rule consumes one TCAM rule Note that the TCAM allocation is performed in couples such that for the first ACE 2 TCAM rules are allocated and the second TCAM rule is allocated to the next ACE and so forth To add rules ACEs to an IPv4 based ACL STEP 1 Click Access Control IPv4 Based ACE STEP 2 Select an ACL and c...

Page 595: ...lect to create an ACE based on a specific protocol or protocol ID Select Any IPv4 to accept all IP protocols Otherwise select one of the following protocols from the drop down list Selected from list ICMP Internet Control Message Protocol IGMP Internet Group Management Protocol IP in IP IP in IP encapsulation TCP Transmission Control Protocol EGP Exterior Gateway Protocol IGP Interior Gateway Prot...

Page 596: ...000 0000 0000 0000 0000 1111 1111 which means that you match on the bits where there is 0 and don t match on the bits where there are 1 s You need to translate the 1 s to a decimal integer and you write 0 for each four zeros In this example since 1111 1111 255 the mask would be written as 0 0 0 255 Destination IPAddress Select Any if all destination address are acceptable or User defined to enter ...

Page 597: ...oint DSCP to match IP Precedence to match IP precedence is a model of TOS type of service that the network uses to help provide the appropriate QoS commitments This model uses the 3 most significant bits of the service type byte in the IP header as described in RFC 791 and RFC 1349 ICMP If the IP protocol of the ACL is ICMP select the ICMP message type used for filtering purposes Either select the...

Page 598: ...uilding elements of flow definitions for per flow QoS handling IPv6 Based ACL To define an IPv6 based ACL STEP 1 Click Access Control IPv6 Based ACL This window contains the list of defined ACLs and their contents STEP 2 Click Add STEP 3 Enter the name of a new ACL in the ACL Name field The names are case sensitive STEP 4 Click Apply The IPv6 based ACL is saved to the Running Configuration file IP...

Page 599: ...the System Time section Protocol Select to create an ACE based on a specific protocol Select Any IPv6 to accept all IP protocols Otherwise select one of the following protocols TCP Transmission Control Protocol Enables two hosts to communicate and exchange data streams TCP guarantees packet delivery and guarantees that packets are transmitted and received in the order they sent UDP User Datagram P...

Page 600: ...es They are the same as for the Source Port field described above NOTE You must specify the IPv6 protocol for the ACL before you can configure the source and or destination port TCPFlags Select one or more TCPflags with which to filter packets Filtered packets are either forwarded or dropped Filtering packets by TCP flags increases packet control which increases network security Set Match if the f...

Page 601: ...ackets arriving at that interface Packets that do not match any of the ACEs in the ACL are matched to a default rule whose action is to drop unmatched packets Although each interface can be bound to only one ACL multiple interfaces can be bound to the same ACL by grouping them into a policy map and binding that policy map to the interface After an ACL is bound to an interface it cannot be edited m...

Page 602: ...Apply The ACL binding is modified and the Running Configuration file is updated NOTE If no ACL is selected the ACL s that is previously bound to the VLAN are unbound ACL Binding Port To bind an ACL to a port or LAG STEP 1 Click Access Control ACL Binding Port STEP 2 Select an interface type Ports LAGs Port or LAG STEP 3 Click Go For each type of interface selected all interfaces of that type are d...

Page 603: ...rded NOTE Default Action can be defined only if IP Source Guard is not activated on the interface Output ACL MAC Based ACL Select a MAC based ACL to be bound to the interface IPv4 Based ACL Select an IPv4 based ACL to be bound to the interface IPv6 Based ACL Select an IPv6 based ACL to be bound to the interface Default Action Select one of the following options Deny Any If packet does not match an...

Page 604: ...e Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components General QoS Basic Mode QoS Advanced Mode QoS Statistics ...

Page 605: ... the port The classification is done by ACL Access Control List and only traffic that meets the ACL criteria is subject to CoS or QoS classification Assignment to Software Queues Assigns incoming packets to forwarding queues Packets are sent to a particular queue for handling as a function of the traffic class to which they belong See Queue Other Traffic Class Handling Attribute Applies QoS mechan...

Page 606: ... on whether the trust mode is CoS 802 1p or DSCP respectively Advanced Mode Per flow Quality of Service QoS In advanced mode a per flow QoS consists of a class map and or a policer A class map defines the kind of traffic in a flow and contains one or more ACLs Packets that match the ACLs belong to the flow A policer applies the configured QoS to a flow The QoS configuration of a flow may consist o...

Page 607: ...rusted mode incoming packets are put into the egress queues based on the their DSCP TC value STEP 5 Designate an egress queue to each CoS 802 1p priority If the device is in CoS 802 1 trusted mode all incoming packets are put into the designated egress queues according to the CoS 802 1p priority in the packets This is done by using the CoS 802 1p to a Queue page STEP 6 If required for Layer 3 traf...

Page 608: ... mode The following options are available Disable QoS is disabled on the device Basic QoS is enabled on the device in Basic mode Advanced QoS is enabled on the device in Advanced mode STEP 3 Select Port LAG and click GO to display modify all ports LAGs on the device and their CoS information The following fields are displayed for all ports LAGs Interface Type of interface Default CoS Default VPT v...

Page 609: ...e queue the higher the weight the more frames are sent For example if there are a maximum of four queues possible and all four queues are WRR and the default weights are used queue 1 receives 1 15 of the bandwidth assuming all queues are saturated and there is congestion queue 2 receives 2 15 queue 3 receives 4 15 and queue 4 receives 8 15 of the bandwidth The type of WRR algorithm used in the dev...

Page 610: ... If WRR is selected enter the WRR weight assigned to the queue of WRR Bandwidth Displays the amount of bandwidth assigned to the queue These values represent the percent of the WRR weight STEP 3 Click Apply The queues are configured and the Running Configuration file is updated CoS 802 1p to a Queue The CoS 802 1p to Queue page maps 802 1p priorities to egress queues The CoS 802 1p to Queue Table ...

Page 611: ...es to egress queues STEP 1 Click Quality of Service General CoS 802 1p to Queue STEP 2 Enter the parameters 802 1p Displays the 802 1p priority tag values to be assigned to an egress queue where 0 is the lowest and 7 is the highest priority Output Queue Select the egress queue to which the 802 1p priority is mapped Either four or eight egress queues are supported where Queue 4 or Queue 8 is the hi...

Page 612: ...es to egress queues The DSCP to Queue Table determines the egress queues of the incoming IP packets based on their DSCP values The original VPT VLAN Priority Tag of the packet is unchanged By simply changing the DSCP to Queue mapping and the Queue schedule method and bandwidth allocation it is possible to achieve the desired quality of services in a network The DSCP to Queue mapping is applicable ...

Page 613: ...ystem where 8 is highest DSCP 63 55 47 39 31 23 15 7 Queue 6 6 7 5 4 3 2 1 DSCP 62 54 46 38 30 22 14 6 Queue 6 6 7 5 4 3 2 1 DSCP 61 53 45 37 29 21 13 5 Queue 6 6 7 5 4 3 2 1 DSCP 60 52 44 36 28 20 12 4 Queue 6 6 7 5 4 3 2 1 DSCP 59 51 43 35 27 19 11 3 Queue 6 6 7 5 4 3 2 1 DSCP 58 50 42 34 26 18 10 2 Queue 6 6 7 5 4 3 2 1 DSCP 57 49 41 33 25 17 9 1 Queue 6 6 7 5 4 3 2 1 DSCP 56 48 40 32 24 16 8 0...

Page 614: ...ped STEP 3 Click Apply The Running Configuration file is updated Bandwidth The Bandwidth page displays bandwidth information for each interface To view the bandwidth information STEP 1 Click Quality of Service General Bandwidth The fields in this page are described in the Edit page below except for the following fields Ingress Rate Limit Queue 7 7 8 6 5 4 3 1 DSCP 60 52 44 36 28 20 12 4 Queue 7 7 ...

Page 615: ...te Limit Select to enable the ingress rate limit which is defined in the field below Ingress Rate Limit Kbits per sec Enter the maximum amount of bandwidth allowed on the interface NOTE The two Ingress Rate Limit fields do not appear when the interface type is LAG Ingress Committed Burst Size CBS Enter the maximum burst size of data for the ingress interface in bytes of data This amount can be sen...

Page 616: ...rate limit and burst size for each queue STEP 2 Select an interface type Port or LAG and click Go STEP 3 Select a Port LAG and click Edit This page enables shaping the egress for up to eight queues on each interface STEP 4 Select the Interface STEP 5 For each queue that is required enter the following fields Enable Shaping Select to enable egress shaping on this queue Committed Information Rate CI...

Page 617: ... a unit and for each unit in a stack To define the VLAN ingress rate limit STEP 1 Click Quality of Service General VLAN Ingress Rate Limit This page displays the VLAN Ingress Rate Limit Table STEP 2 Click Add STEP 3 Enter the parameters VLAN ID Select a VLAN Committed Information Rate CIR Enter the average maximum amount of data that can be accepted into the VLAN in Kilobits per second Committed B...

Page 618: ...packet or enter a new value in the Reassigned field DSCPAssignment Select either Unchanged to leave the original DSCP value in the packet or enter a value in the Reassigned field Queue Assignment Enter the Queue assignment for iSCSI traffic By default it is assigned to Queue 7 STEP 3 Click Apply to save the settings The iSCSI Flow Table displays the various iSCSI flows that have been defined Two i...

Page 619: ...pics Overview Global Settings Interface Settings Overview In QoS Basic mode a specific domain in the network can be defined as trusted Within that domain packets are marked with 802 1p priority and or DSCP to signal the type of service they require Nodes within the domain use these fields to assign the packet to a specific output queue The initial packet classification and marking of these fields ...

Page 620: ...vice is in Basic mode If a packet CoS level and DSCP tag are mapped to separate queues the Trust mode determines the queue to which the packet is assigned CoS 802 1p Traffic is mapped to queues based on the VPT field in the VLAN tag or based on the per port default CoS 802 1p value if there is no VLAN tag on the incoming packet the actual mapping of the VPT to queue can be configured in the mappin...

Page 621: ...he best effort queue and no classification prioritization takes place QoS State of the Port is Enabled Port prioritize traffic on ingress is based on the system wide configured trusted mode which is either CoS 802 1p trusted mode or DSCP trusted mode To enter QoS settings per interface STEP 1 Click Quality of Service QoS Basic Mode Interface Settings STEP 2 Select Port or LAG to display the list o...

Page 622: ...of services Thus a policy contains one or more flows each with a user defined QoS The QoS of a class map flow is enforced by the associating policer There are two type of policers single policer and aggregate policer Each policer is configured with a QoS specification A single policer applies the QoS to a single class map and thus to a single flow based on the policer QoS specification An aggregat...

Page 623: ...es Workflow to Configure Advanced QoS Mode To configure Advanced QoS mode perform the following 1 Select Advanced mode for the system by using the QoS Properties page Select the Trust Mode using the Global Settings page If a packet CoS level and DSCP tag are mapped to separate queues the Trust mode determines the queue to which the packet is assigned If internal DSCP values are different from thos...

Page 624: ...g packet the actual mapping of the VPT to queue can be configured in the mapping CoS 802 1p to Queue page DSCP All IP traffic is mapped to queues based on the DSCP field in the IP header The actual mapping of the DSCP to queue can be configured in the DSCP to Queue page If traffic is not IP traffic it is mapped to the best effort queue CoS 802 1p DSCP Select to use Trust CoS mode for non IP traffi...

Page 625: ...ps the original DSCP value of the out of profile IP packets with a new value based on the Out of Profile DSCP Mapping Table The device uses the new values to assign resources and the egress queues to these packets The device also physically replaces the original DSCP value in the out of profile packets with the new DSCP value To use the out of profile DSCP exceed action remap the DSCP value in the...

Page 626: ...ry CoS default setting for this interface Class Mapping A Class Map defines a traffic flow with ACLs Access Control Lists defined on it A MAC ACL IPACL and IPv6 ACL can be combined into a class map Class maps are configured to match packet criteria on a match all or match any basis They are matched to packets on a first fit basis meaning that the action associated with the first matched class map ...

Page 627: ...P 3 Enter the parameters Class Map Name Enter the name of a new class map Match ACL Type The criteria that a packet must match in order to be considered to belong to the flow defined in the class map The options are IP A packet must match either of the IP based ACLs in the class map MAC A packet must match the MAC based ACL in the class map IP and MAC A packet must match the IP based ACL and the M...

Page 628: ...n the Aggregate Policer page An aggregate policer is defined if the policer is to be shared with more than one class Policers on a port cannot be shared with other policers in another device Each policer is defined with its own QoS specification with a combination of the following parameters Peak Enforcement Select to enable action if peak burst size is exceeded Peak Information Rate PIR Enter the...

Page 629: ... of this in the Bandwidth page Ingress Committed Burst Size CBS Enter the maximum burst size even if it goes beyond the CIR in bytes See the description of this in the Bandwidth page Exceed Action Select the action to be performed on incoming packets that exceed the CIR Possible values are Drop Packets exceeding the defined CIR value are dropped Out of Profile DSCP The DSCP values of packets excee...

Page 630: ...Quality of Service QoS Advanced Mode Policy Table This page displays the list of defined policies STEP 2 Click Policy Class Map Table to display the Policy Class Maps page or Click Add to open the Add Policy Table page STEP 3 Enter the name of the new policy in the New Policy Name field STEP 4 Click Apply The QoS policy profile is added and the Running Configuration file is updated Policy Class Ma...

Page 631: ...e matching packets If the new value 0 63 is a DSCP use the new DSCP and the DSCP to Queue Table to determine the egress queue of the matching IP packets Otherwise use the new value 1 8 as the egress queue number for all the matching packets Traffic Redirect Select whether to redirect matching traffic If so select the unit port to which traffic will be redirected Redirect Target Select the unit por...

Page 632: ...ion of this in the Bandwidth page Ingress Committed Burst Size CBS Enter the CBS in bytes See a description of this in the Bandwidth page Exceed Action Select the action assigned to incoming packets exceeding the CIR The options are Drop Packets exceeding the defined CIR value are dropped Out of Profile DSCP IP packets exceeding the defined CIR are forwarding with a new DSCP derived from the Out O...

Page 633: ...e bound To define policy binding STEP 1 Click Quality of Service QoS Advanced Mode Policy Binding STEP 2 Select an Interface Type if required STEP 3 Click Go The policies for that interface are displayed STEP 4 Click Edit STEP 5 Select the following for the input policy interface Input Policy Binding Select to bind the input policy to the interface Policy Name Select the input policy being bound D...

Page 634: ... policy An Aggregate Policer is bound to one or more class maps from one or more policies Viewing Single Policer Statistics The Single Policer Statistics page indicates the number of in profile and out of profile packets that are received from an interface that meet the conditions defined in the class map of a policy NOTE This page is not displayed when the device is in Layer 3 mode To view police...

Page 635: ...ck Quality of Service QoS Statistics Aggregate Policer Statistics This page displays the following fields Aggregate Policer Name Policer on which statistics are based In Profile Bytes Number of in profile packets that received Out of Profile Bytes Number of out of profile packets that received STEP 2 Click Add STEP 3 Select an Aggregate Policer Name one of the previously created Aggregate Policers...

Page 636: ...s for Set 1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a low DP Interface Queue statistics are displayed for this interface Queue Packets forwarded or tail dropped from this queue Drop Precedence Lowest drop precedence has the lowest probability of being dropped Total Packets Number of ...

Page 637: ...queue for which statistics are displayed Drop Precedence Enter the drop precedence that indicates the probability of being dropped Select one of the following options Low Whether to count packets with low probability of being dropped High Whether to count packets with high probability of being dropped All Whether to count packets all packets no matter what their probability of being dropped is STE...

Page 638: ... Recipients Notification Filter Overview SNMP Versions and Workflow The device functions as SNMP agent and supports SNMPv1 v2 and v3 It also reports system events to trap receivers using the traps defined in the supported MIBs Management Information Base SNMPv1 and v2 To control access to the system a list of community entries is defined Each community entry consists of a community string and its ...

Page 639: ...agent compares the incoming message time stamp to the message arrival time Key Management Defines key generation key updates and key use The device supports SNMP notification filters based on Object IDs OID OIDs are used by the system to manage device features SNMP Workflow NOTE For security reasons SNMP is disabled by default Before you can manage the device via SNMP you must enable SNMP on the T...

Page 640: ... Define the SNMP engine by using the Engine ID page Either create a unique Engine ID or use the default Engine ID Applying an Engine ID configuration clears the SNMP database STEP 2 Optionally define SNMP view s by using the Views page This limits the range of OIDs available to a community or group STEP 3 Define groups by using the Groups page STEP 4 Define users by using the Users page where they...

Page 641: ...e Managed Switch 9 6 1 91 24 9 SG350XG 48T SG350XG 48T 48 Port 10GBase T Stackable Managed Switch 9 6 1 91 48 9 SG350XG 2F10 SG350XG 2F10 12 Port 10G Stackable Managed Switch 9 6 1 91 12 9 SG350 10 SG350 10 10 Port Gigabit Managed Switch 9 6 1 95 10 3 SG350 10P SG350 10P 10 Port Gigabit PoE Managed Switch 9 6 1 95 10 5 SG355 10P SG355 10P 10 Port Gigabit PoE Managed Switch 9 6 1 95 10 10 SG350 10M...

Page 642: ... 6 1 92 24 1 SF550X 24P 24 Port 10 100 PoE Stackable Managed Switch 9 6 1 92 24 5 SF550X 24MP 24 Port 10 100 PoE Stackable Managed Switch 9 6 1 92 24 6 SF550X 48 48 Port 10 100 Stackable Managed Switch 9 6 1 92 48 1 SF550X 48P 48 Port 10 100 PoE Stackable Managed Switch 9 6 1 92 48 5 SF550X 48MP 48 Port 10 100 PoE Stackable Managed Switch 9 6 1 92 48 6 SG550XG 8F8T SG550XG 8F8T 16 Port 10G Stackab...

Page 643: ...que for the administrative domain so that no two devices in a network have the same engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize CAUTION When the engine ID is changed all configured users and groups are erased To define the SNMP engine ID STEP 1 Click SNMP Engine ID STEP 2 Choose which to use...

Page 644: ...ation on the local network only Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6Address Type Link Local is selected from the list Server IPAdd...

Page 645: ...d in the selected SNMP view The options to select the object are as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected node s parent and siblings press the Down arrow to descend to the level of the selected node s children Click nodes in the view to pass from one node to its sibling Use the scrollbar to bring siblings in view User De...

Page 646: ...tication Authentication and no privacy Authentication and privacy SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive A group defines read write privileges and a level of security It becomes operational when it is associated with an SNMP user or community NOTE To associate a non default view with a group first create the view in the Vie...

Page 647: ...e selected view Otherwise a user or a community associated with this group is able to read all MIBs except those that control SNMP itself Write Management access is write for the selected view Otherwise a user or a community associated with this group is able to write all MIBs except those that control SNMP itself Notify Limits the available content of the traps to those included in the selected v...

Page 648: ...he local or remote SNMP entity to which the user is connected Changing or removing the local SNMPEngine ID deletes the SNMPv3 User Database To receive inform messages and request information you must define both a local and remote user Local User is connected to the local device Remote IP Address User is connected to a different SNMP entity in addition to the local device If the remote Engine ID i...

Page 649: ...e Encrypted or Plaintext mode can be selected STEP 4 Click Apply to save the settings Communities Access rights in SNMPv1 and SNMPv2 are managed by defining communities in the Communities page The community name is a type of shared password between the SNMP management station and the device It is used to authenticate the SNMP management station Communities are only defined in SNMPv1 and v2 because...

Page 650: ...nk A link local address has a prefix of FE80 is not routable and can be used for communication on the local network only Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 ...

Page 651: ...ights STEP 4 Click Apply The SNMP Community is defined and the Running Configuration is updated Trap Settings The Trap Settings page enables configuring whether SNMP notifications are sent from the device and for which cases The recipients of the SNMP notifications can be configured in the SNMPv1 2 Notification Recipients page or the SNMPv3 Notification Recipients page To define trap settings STEP...

Page 652: ... also possible to filter certain notifications This can be done by creating a filter in the Notification Filter page and attaching it to an SNMP notification recipient The notification filter enables filtering the type of SNMP notifications that are sent to the management station based on the OID of the notification that is about to be sent SNMPv1 2 Notification Recipients To define a recipient in...

Page 653: ...hat is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select whether it is received through a VLAN or ISATAP Recipient IPAddress Name Enter the IP address or server name of where the traps are sent UDP Port Enter the UDP port used for notifications on the recipient device Notification Type Select whether to send Traps or Informs If both are re...

Page 654: ...inform messages for communication with IPv4 SNMP servers Traps IPv4 Source Interface Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers Informs IPv6 Source Interface Select the source interface whose IPv4 address will be used as the source IPv4 address in inform messages for communication with IPv4 SNMP s...

Page 655: ...device waits before re sending informs traps Timeout Range 1 300 default 15 Retries Enter the number of times that the device resends an inform request Retries Range 1 255 default 3 User Name Select from the drop down list the user to whom SNMP notifications are sent In order to receive notifications this user must be defined on the Users page and its engine ID must be remote Security Level Select...

Page 656: ...fine a notification filter STEP 1 Click SNMP Notification Filter The Notification Filter page contains notification information for each filter The table is able to filter notification entries by Filter Name STEP 2 Click Add STEP 3 Enter the parameters Filter Name Enter a name between 0 30 characters Object ID Subtree Select the node in the MIB tree that is included or excluded in the selected SNM...

Page 657: ... Notification Filter 377 Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 21 STEP 5 Click Apply The SNMP views are defined and the running configuration is updated ...

Page 658: ...ying of configurations globally on all supported devices in the network NOTE SNA can only be run on products of the 350 and 550 families Devices from the Sx250 family of devices can provide SNA information when they are connected to the network but SNA cannot be launched from these devices The following topics are covered in this chapter SNA Sessions SNA Graphics Topology View Right Hand Informati...

Page 659: ...s If the credentials are rejected you are informed of the rejection and of the rejection reason After SNA loads it creates a management sessions with all other SNA capable devices in the network over a WebSocket using the same credentials used to login to SNA As a result only SNA capable devices using the same credentials provide data and management capabilities Other devices do not appear as SNA ...

Page 660: ...e number of possible concurrent web management sessions for the SNA manager along with active regular web management sessions Session settings can be saved See Saving SNA Settings SNA Graphics The SNA feature is a graphical representation of the user network When the main page of the SNA is opened the screen is divided into the following parts Topology View Right Hand Information Panel Topology Ov...

Page 661: ...50 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 645 29 Access Point Client PC Client Phone Client Unknown Device Side Panel Connection Side Panel Multi Selection Side Panel Port Table 1 Icon Descriptions Icon Description ...

Page 662: ...ctions A Save configuration changes to the Startup Configuration file B Open the DAC List Management system See Device Authorization Control DAC C Open the Global Notifications page See Notifications D Open the follow window This window displays or enables the following Displays your Access Permissions Log out of system by clicking Log out Upgrade your permissions by clicking Upgrade Permission E ...

Page 663: ... information on individual devices and the connections between them Figure 1 Topology View See Icon Descriptions for a description of the network nodes shown in Figure 1 Various overlays can be selected for the topology views that affect the graphic representation of elements See Topology Overlays The topology discovery mechanism uses information gathered from LLDP and CDP TLVs to identify devices...

Page 664: ...de VLAN membership Spanning Tree PoE and Link Utilization If you select the VLAN Membership overlay for example VLAN information is added to the topological view See Overlays for a complete description Topology Elements The Topology view displays the following types of entities Devices Ports Connections Between Devices Clouds Devices Detected devices are represented as nodes in the topology view a...

Page 665: ... their icon and displaying a device explorer screen for the device Devices in the network are separated into the following categories Backbone devices Basic skeleton of the network By default all switches routers and access points detected on the network are designated automatically as backbone devices After a backbone device is detected it remains on the topology map until it is manually removed ...

Page 666: ...ded manually All tags associated with this device are lost and is not restored even if the device is detected again in the future SNA periodically attempts to connect to offline devices to verify if a managed or an SNA switch has come back online During these attempts an indication is displayed on the device Client devices End point clients of the network for example PCs IP phones usually connecte...

Page 667: ...e clients The following sample displays two clients connected to a cloud device a client PC device and a device of unknown type Ports To view the ports on a device select that device and then double click it This opens a panel that displays all ports of the device including all units if the device is in stack mode The following attributes are displayed Port name Unit ...

Page 668: ...n the side panel as shown below Interface Naming Names for interfaces from SNA or partial SNA devices are made up of the following parts A prefix based on the port type FE for fast ports GE for Giga ports or XG for ten gigabyte ports An interface ID which is the interface number on a non stacking device or the unit ID and the interface ID separated by a slash on a stacking device The slot of the p...

Page 669: ... Less than 1GB Level 2 1GB to less than 10GB Level 3 More than 10 GB Links whose capacity cannot be calculated or links between a backbone device and its clients are shown as level 1 links The connection between SNA capable devices is detected from both sides If there is a difference between the calculated capacities of the connection between the two sides the width is drawn according to the lower...

Page 670: ...e devices among them SNA draws a cloud on the topology map and displays the devices detected in this cloud as connected clients Most SNA operations are not applicable to clouds Right Hand Information Panel The area to the right of the topology view displays an information panel which displays attributes of the selected elements and enables performing actions on them The right hand information pane...

Page 671: ...SNA Right Hand Information Panel Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 655 29 Figure 2 shows a sample of the right hand information panel Figure 2 Right Hand Information Panel ...

Page 672: ... of the type of device and the strongest two forms of identification by which the device was recognized The hierarchy of the identification methods is as follows Host name IP address MAC address For example For example if the host name IP address and MAC address of a device are known the host name and the IP address are shown If the host name or IP address is not known the MAC address replaces the...

Page 673: ...ith other devices the client groups counts as the number of devices that are contained in it For example when selecting a backbone device and a client group containing 5 clients the header shows six devices selected If notifications exist for the device the number of notifications is displayed Right Hand Information Panel Cogwheel The following actions can be performed on the selected devices or c...

Page 674: ...he client explorer filtered by the type of device in the client group Delete This option only appears when all the selected devices are offline devices Selecting this action deletes all the selected devices from the topology map Basic Information Block The Basic Information block displays attributes of the selected single element The block is not displayed when more than one entity is selected Som...

Page 675: ... existing addresses IPv4 and IPv6 can be seen by pressing the icon next to the label 192 168 1 55 923 a8bc 234 MAC Address The base MAC address of the device 00 00 b0 83 1f ac Description Editable field of up to 80 characters Saved on SNA storage SNA Support Possible values Full Support for SNA devices Partial Support for managed devices No SNA support for unmanaged devices This parameter appears ...

Page 676: ...ower used out of the maximum power supply If the device is a stacked device a field appears for each PoE capable unit in the stack with the unit ID If the device is standalone or a single unit the label of the field does not mention the unit ID This means that a maximum of eight fields may appear here 15 22W 18 0W Parameter Name Notes Example Product Name Taken from the device description MIB This...

Page 677: ...tised addresses IPv4 and IPv6 can be seen by clicking an icon next to the label 192 168 1 55 923 a8bc 234 MAC Address The base MAC address of the device 00 00 b0 83 1f ac Device Type The type of client device Phone Host Unknown Connected Interface The interface through which the device is reached on the closest switch GE1 14 The following parameters only appear when View all is clicked Connection ...

Page 678: ...sed by SNA to connect to the parent device Additional advertised addresses IPv4 and IPv6 can be seen by pressing an icon next to the label 192 168 1 55 923 a8bc 234 MAC Address of parent device The base MAC address of the parent device 00 00 b0 83 1f ac Connected Through Cloud This label appears if the client group is connected to the network through a cloud The label replaces the host name IP add...

Page 679: ...interfaces are joined by dashes GE1 4 GE1 6 XG2 4 8 VLAN Membership Shows the active VLANs the interface is a member in Dashed lines are used to join consecutive VLANs 1 6 13 19 1054 2012 2100 4094 Port Utilization Tx Rx Appears only for ports 80 42 LAG Type Appears only for LAGs Possible values are Standard or LACP Switchboard Mode Possible values Access Trunk General Customer Private Host Privat...

Page 680: ...gle SNA device See Notifications for additional details Services Block This section of the information panel displays available services for the current selection of elements Only services that are relevant for all selected elements are displayed This section is not displayed if elements which do not support services are a part of the selection or when devices and interfaces are selected together ...

Page 681: ...cs on an interface or device select a specific parameter to view from a list of available parameters according to the parameters supported by the embedded counters history feature You can then view the status of this parameter on the selected interface for the previous year The following graphs can be viewed Port Utilization Graph PoE Consumption Graph Port PoE Consumption Graph Device Traffic Gra...

Page 682: ...onsumption Graph Device This graph is a device level graph that shows the PoE utilization of the device over time The graph is available for all PoE devices with full SNA support The graph is represented per unit and you can select a number of units from a single or multiple stacks to view simultaneously The data is shown as a number of watts 0 the PoE capacity of the selected unit with the highes...

Page 683: ...rfaces ports or LAGs of devices with full SNA support The data in both versions is shown as a number of packets 0 being the highest value in sampled range with number and frequency of samples depending on the displayed time scale Last five minutes 20 samples one every 15 seconds Last hour 60 samples one every minute Last day 24 samples one every hour Last week 7 samples one every day Last 3 months...

Page 684: ...ons using the same credentials used to log in to SNA Manually Adding a Device or Switch to the Topology View Elements can be manually added to the topology view If an SNA capable device or a managed switch that exists in the network is not detected automatically and displayed in the topology you can add it manually by performing the following STEP 1 Click in the top right corner of the Topology vi...

Page 685: ...ar only when the relevant overlay is active The following columns are displayed in the Device Explorer table Port LAG Name Full interface name Unit ID Displays only in the port table and for stacked switches Port Type Displays only in the port table Physical type of the port Admin Status The interface s administrative status Operational Status The interface s operational state If the interface is ...

Page 686: ...ce is a member In trunk mode displays a U next to the untagged VLAN This field may contain a long list of VLANs If the complete list does not fit in the table it may be viewed in full on the right hand information When the Spanning Tree overlay is selected the following columns are displayed STP Mode Active STP mode of the interface Port Role STP role of the interface Spanning Tree State STP state...

Page 687: ...y of the link according to its status relevant to the selected overlay See Overlays When selecting a link in the connection explorer the interfaces anchoring the link on both sides are selected Client Explorer This explorer enables viewing information about selected clients in a client group such as a group of IP phones This explorer is comprised of a table with a row for each device in the client...

Page 688: ...r This field may contain a long list of VLANs If the complete list does not fit in the table it can be viewed in the right hand information panel when selecting the client The client explorer is not supported for client groups that are connected to the network through a cloud Overlays Overlays are layers of information that can be activated on the topology view to add more information or affect th...

Page 689: ...nk in the connection When viewing the connection explorer each link shows its own utilization in both directions The utilization for each direction of a link is calculated by checking the information from both sides if the link is between SNA capable devices and using the higher value as the utilization value For example if a link is between port 1 of device A and port 2 of device B the calculatio...

Page 690: ...reached An icon is added to power supplying switches and is colored according to the switches power budget consumption Device supplying 0 80 of its power budget Normal Device supplying 81 95 of its power budget Yellow Device supplying 96 100 of its power budget Red Devices receiving power over Ethernet are surrounded by a halo Connections containing at least one link over which power is supplied a...

Page 691: ...ice is a member of the VLAN is unmarked A link between an SNA device and a non SNA device whose interface on the SNA device is not in the VLAN is unmarked A link between SNA devices where the connected interfaces in both devices are members of the VLAN is highlighted as a member of the VLAN A link between an SNA device and a non SNA device whose interface on the SNA device is a member of the VLAN ...

Page 692: ...is the actual blocked interface Tags Tags are used to identify devices in the Topology view by attributes or by user defined names Tags are used to quickly select multiple elements by searching for a specific tag For example you can search for all network nodes labelled with the IP Phone tag Tags can be built in or user defined Built in tags Applied automatically to nodes based on information gath...

Page 693: ...ne According to advertised data on discovery protocols PC According to advertised data on discovery protocols host Notifications According to SNA internal data State based is displayed if unread notifications exist on the device PoE PSE According to SNA internal data displayed if a device is capable of supplying power via PoE even if it doesn t actually supply any power PoE PD According to SNA int...

Page 694: ...G350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 678 29 View Tags To view a list of all Tags perform the following STEP 1 Click the Hamburger menu in the left hand side of the Topology view The following menu is displayed ...

Page 695: ...t Open tags inventory A list of tags is displayed as shown below STEP 3 Click the search icon for a specific tag in the Close and Find Devices column to see a list of devices with the selected tag User Defined Tags You can create new tags and add them manually to selected elements in the topology in the Tags section of the right hand information ...

Page 696: ...er defined tags and you can remove them at any time Since these tags are distinct from the built in tags it is possible for tags with the same name to appear twice on a single element as long as one of them is user defined and the other is built in To add a tag to a device perform the following steps STEP 1 Select the device STEP 2 In the Tag section click the Add tag name text box A list of tags ...

Page 697: ...on its topology element The search can be refined by adding keywords to limit the fields searched If you enter a keyword followed by a colon and the search term the search term is searched for only in the specified field The following are the supported keywords IP MAC and Tag If the search term is contained in quotes only exact matches are found The following is an example of searching by tag STEP...

Page 698: ...old configured for the RAM logs are detected by SNA The notifications in SNA are separated according to the categories based on their SYSLOG severity level The color of the notification indicates its severity as described below Rank 1 Red Critical Alert or Emergency Rank 2 Orange Warning or Error Rank 3 Blue Informational or Notice When an event generating a notification occurs an indication appea...

Page 699: ...ss of whether they occurred while the SNA session was active or inactive Click to view the table containing an aggregated list of notifications for the complete network This table displays the last 300 events logged in the network by SNA or partial SNA devices Viewing the specifics of a notification removes the new notification annotation from the topology view but all notifications are still avai...

Page 700: ...Smart Network Application SNA Notifications Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 684 29 Timestamp Severity SYSLOG text ...

Page 701: ...ded RADIUS server RADIUS host server can be configured on one of the SNA devices Device authorization is done via MAC authentication DAC Workflow The DAC workflow consists of the following steps STEP 1 Activate DAC See Accessing DAC STEP 2 Configure a RADIUS server device and client devices See Specify a RADIUS Server and Clients STEP 3 Add the client devices to the white list See DAC List Managem...

Page 702: ...te it as he RADIUS server for the network by clicking Set as DAC server The following menu is displayed STEP 5 If the device has more than a single IP address select one of those addresses as the one to be used by DAC The list of addresses indicates whether the IP interface is static or dynamic You will be warned if selecting a dynamic interface that the address may not be stable When editing an e...

Page 703: ...s client Select at least one client for the DAC RADIUS server If no clients are selected you will be unable to apply the settings STEP 9 When a switch is selected as a client a window with its ports is displayed Select the ports from the client switch on which to apply 802 1 x authentications The SNA recommends a list of all edge ports all the ports that are not known to be connected to other swit...

Page 704: ...y to the server s startup configuration this option is selected by default Until a device is added to the white list it is not allowed access to the network You can view and change the white and black lists at any time as long as a DAC RADIUS server is defined and reachable When applying the DAC settings you are presented with a report listing actions that will be applied to the participating devi...

Page 705: ...onnection Remove RADIUS server connection Update 802 1x settings Update interface authentication settings Update interface host and session settings It is possible and likely for multiple actions to appear for each device Each action can have its own status Warnings Possible warnings for DAC server include Selected IP interface is dynamic Possible warnings for DAC clients include Device is already...

Page 706: ...the Unauthenticated device icon The DAC List Management page is displayed with the list of unauthenticated devices STEP 2 Select the devices you want to add to the white list and click Add to Whitelist STEP 3 Select the devices you want to add to the black list and click Add to Blacklist STEP 4 Click Apply Packets entering on the ports on the device are authenticated on the RADIUS server To manage...

Page 707: ...the settings on selected devices or interfaces or select an entry from one device and copy the entry to other devices You can also use the settings from one of the devices or interfaces as the settings for all other devices or interfaces in the selection For most services a GUI page is displayed where specific parameters can be defined for the service After you enter the parameters in the GUI page...

Page 708: ...gs For each of these device level services the tickets showing the current configurations of the selected devices show the following identifying information in addition to service specific parameters Device host name IP address If more than one IP address exists for the device the one used by SNA to access the device is displayed Device model The alphanumeric string representing the device model F...

Page 709: ...he RADIUS server with the lowest IPv4 address The RADIUS server with the lowest IPv6 address The entry created by the service has a priority of 0 and usage type login If an entry with the same IP address or host name as the new entry already exists with priority 0 and usage type 802 1x the existing entry is updated to usage type all If an entry with a different IP address or host name already exis...

Page 710: ...t Number of the authentication port Authentication Methods List of the authentication methods used for each device by the channel currently used on SNA HTTP or HTTPS The common values for this parameter are Local or RADIUS Local If the current value for a device is any other value the copy option is not available for this device When copying settings the value RADIUS Local is mapped to the RADIUS ...

Page 711: ...ed by the service will have preference 1 If a static entry of preference 1 already exists and was displayed the static server is replaced by the new entry Displayed Editable Parameters To define a new DNS server enter its IPv4 or IPv6 address SYSLOG Server Configuration This service enables defining the SYSLOG server used by the selected devices Current Configuration For every selected device the ...

Page 712: ...synchronize the time settings between all devices in the network It is especially advisable when viewing historical statistical information on multiple devices Current Configuration For every selected device the current configuration is displayed The current clock source with the following options is displayed Default SNTP servers Default servers displayed if the clock source is SNTP User defined ...

Page 713: ...or IPv6 When applying the server all current configured servers are deleted and the server one is added Time Zone must be configured with this option Local Clock Changes the device clock source to local clock The date time and time zone must be configured Set Date and Time Date and time if local clock is configured Time Zone Time zone offset if a user defined SNTP server or local time is configure...

Page 714: ... Firmware version as follows Operations The following operations are available from the service Download firmware via HTTP Used to download a new firmware file In the local file system browse to the new firmware file and select it This file is then downloaded to all devices participating in the service After downloading the new firmware the device also automatically makes it the active firmware ve...

Page 715: ...at every device that finishes the download automatically reboots in order to finish the upgrade operation this option is selected by default Download configuration via HTTP Used to download a new configuration file In the local file system browse to the new configuration file and select it This file is then downloaded to the startup configuration of all devices participating in the service ...

Page 716: ...G Series Managed Switches Firmware Release 2 2 5 x 700 29 When activating the download you can request that all devices reboot after downloading the configuration file to make the new configurations active Reboot Click Go to reboot the devices without performing any other actions ...

Page 717: ...meters are displayed as shown below The following parameters are displayed SNA Power Schedule active inactive Power schedule details if active Whether time power is active each day beginning on Monday and ending on Sunday Behavior of ports in off schedule times The options include PoE power inactive Data inactive Both PoE power and data inactive Custom Displayed if an SNA created schedule is not a...

Page 718: ... or deleted The schedule created by this service uses a reserved name orch_power_sched Time ranges with other names are ignored by SNA When applying the settings the applied behavior is bound to all selected ports All ports that are not selected are unbound from the schedule if they were previously bound Non PoE ports are only affected if one of the behaviors which shut down data is selected If a ...

Page 719: ...lication SNA Services Cisco Sx350 SG350X SG350XG Sx550X SG550XG Series Managed Switches Firmware Release 2 2 5 x 703 29 The following is displayed STEP 3 Click Select Ports STEP 4 Select one or more ports and click Done ...

Page 720: ...has been defined Interface Level Port LAGs VLANs Services Some services are relevant to interfaces rather than devices When activating these services select one or more interfaces and then select a service from the list of services available The following services are available for interfaces Power Management Settings Port PoE priority and applying schedule behavior VLAN Membership port LAG Switch...

Page 721: ...run when all selected ports belong to the same device or stack Displayed Parameters PoE Administrative Status Enabled Disabled This parameter only appears for PoE ports Port Power Priority Low High Critical This parameter only appears for PoE ports SNA Power Schedule Applied Not Applied This parameter appears only if the device has a power schedule created by SNA Schedule behavior This information...

Page 722: ...inactive If no PoE ports are selected the schedule can only be applied or removed from the port and no behavior can be selected Applying the schedule to the ports has the same behavior as selecting the Data inactive option If a combination of PoE and non PoE ports is selected when applying the settings to the PoE ports the option PoE power and data inactive is treated as if it were Data inactive a...

Page 723: ... the network you are alerted that a newer version was detected including the time it was created and the device it was detected on and prompted to select the version of settings that SNA should use The following settings can be saved Positions of all backbone devices in the network Any client device designated as a backbone device retains this status Any tag manually added to elements in the netwo...

Page 724: ...50XG Series Managed Switches Firmware Release 2 2 5 x 708 29 Technical Details The following are technical details of the SNA feature Supported browsers IE10 and above Chrome FireFox Safari on MAC OS 6 1 2 7 0 2 Supported OS Win 7 Win 8 Win 8 1 Linux 2 6 3 11 MAC OSX version 10 7 and up ...

Page 725: ...co and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments

Related manuals for SF550X-24

Brand: 3Com Pages: 8

Brand: DANLERS Pages: 2

Brand: socomec Pages: 78

Brand: DANLERS Pages: 2

Digital Energy STS-400-25-3

Brand: GE Pages: 49

Brand: Orno Pages: 2

CEFLA PIR DALIP

Brand: DANLERS Pages: 2

Brand: H-Tronic Pages: 15

Brand: ATEN Pages: 4

Brand: Edge-Core Pages: 65

QSW-4600 Series

Brand: QTech Pages: 58

Brand: Qvis Pages: 7

Brand: ALFAtron Pages: 45

Brand: N-Tron Pages: 169

Brand: MaxTech Pages: 10

Brand: CYP Pages: 72

Brand: coval Pages: 2

Luzense RADIM RF

Brand: Unilamp Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands