Home
/
Cisco
/
Small Business 200
/
Administration Manual

Cisco Small Business 200, Administration Manual

Share

Page: 261 / 351

Cisco Small Business 200 Administration Manual Download Page 261

Security

Configuring RADIUS

Cisco Small Business 200 Series Smart Switch Administration Guide

248

17

Configuring RADIUS

Remote Authorization Dial-In User Service (RADIUS) servers provide a centralized
802.1X or MAC-based network access control. The device is a RADIUS client that
can use a RADIUS server to provide centralized security.

An organization can establish a Remote Authorization Dial-In User Service
(RADIUS) server to provide centralized 802.1X or MAC-based network access
control for all of its devices. In this way, authentication and authorization can be
handled on a single server for all devices in the organization.

The device can act as a RADIUS client that uses the RADIUS server for the
following services:

•

Authentication

—Provides authentication of regular and 802.1X users

logging onto the device by using usernames and user-defined passwords.

•

Authorization

—Performed at login. After the authentication session is

completed, an authorization session starts using the authenticated
username. The server then checks user privileges.

Defaults

The following defaults are relevant to this feature:

•

No default RADIUS server is defined by default.

«
...
259
260
261
262
263
...
»

Summary of Contents for Small Business 200

Page 1: ...Cisco Small Business 200 Series Smart Switch Administration Guide Release 1 3 ADMINISTRATION GUIDE ...

Page 2: ...9 Chapter 2 Status and Statistics 12 Viewing Ethernet Interfaces 12 Viewing Etherlike Statistics 13 Viewing 802 1X EAP Statistics 14 Managing RMON 16 Viewing RMON Statistics 16 Configuring RMON History 18 Viewing the RMON History Table 19 Defining RMON Events Control 20 Viewing the RMON Events Logs 22 Defining RMON Alarms 22 Chapter 3 Administration System Log 26 Setting System Log Settings 26 Set...

Page 3: ...8 Auto Configuration Download Protocol TFTP or SCP 48 SSH Client Authentication Parameters 48 Auto Configuration Process 49 Configuring DHCP Auto Configuration 50 Chapter 5 Administration General Information 54 Device Models 54 System Information 56 Displaying the System Summary 56 Configuring the System Settings 57 Rebooting the Device 58 Monitoring Fan Status 60 Defining Idle Session Timeout 61 ...

Page 4: ...ation Discovery 80 Configuring Bonjour Discovery 80 Bonjour in Layer 2 System Mode 80 LLDP and CDP 81 Configuring LLDP 82 LLDP Overview 83 Setting LLDP Properties 84 Editing LLDP Port Settings 85 LLDP MED Network Policy 87 Configuring LLDP MED Port Settings 89 Displaying LLDP Port Status 90 Displaying LLDP Local Information 91 Displaying LLDP Neighbors Information 95 Accessing LLDP Statistics 99 L...

Page 5: ...Rules 121 LACP With No Link Partner 121 Setting LACP Parameter Settings 122 Configuring Green Ethernet 123 Green Ethernet Overview 123 Power Saving by Disabling Port LEDs 124 802 3az Energy Efficient Ethernet Feature 125 Setting Global Green Ethernet Properties 127 Setting Green Ethernet Properties for Ports 128 Chapter 10 Smartport 132 Overview 132 What is a Smartport 133 Smartport Types 133 Spec...

Page 6: ...t Using The Web based Interface 145 Smartport Properties 146 Smartport Type Settings 147 Smartport Interface Settings 148 Built in Smartport Macros 150 Chapter 11 Port Management PoE 162 PoE on the Device 162 PoE Features 162 PoE Operation 163 PoE Configuration Considerations 163 Configuring PoE Properties 165 Configuring PoE Settings 166 PoE priority example 166 Chapter 12 VLAN Management 170 VLA...

Page 7: ...terfaces to Voice VLAN on Basis of OUIs 191 Chapter 13 Spanning Tree 194 STP Flavors 194 Configuring STP Status and Global Settings 195 Defining Spanning Tree Interface Settings 197 Configuring Rapid Spanning Tree Settings 199 Chapter 14 Managing MAC Address Tables 202 Types of MAC Addresses 202 Configuring Static MAC Addresses 203 Managing Dynamic MAC Addresses 204 Configuring Dynamic MAC Address...

Page 8: ...w 224 Layer 2 IP Addressing 224 IPv4 Management and Interfaces 225 Defining an IPv4 Interface 225 ARP 227 228 IPv6 Global Configuration 229 IPv6 Interface 229 IPv6 Tunnel 232 Configuring Tunnels 233 Defining IPv6 Addresses 234 IPv6 Default Router List 235 Defining IPv6 Neighbors Information 236 Viewing IPv6 Route Tables 238 Domain Name 239 DNS Settings 240 Search List 241 Host Mapping 242 Chapter ...

Page 9: ...ring TCP UDP Services 259 Defining Storm Control 261 Configuring Port Security 262 Configuring 802 1X 265 802 1X Parameters Workflow 265 Defining 802 1X Properties 266 Defining 802 1X Port Authentication 267 Defining Host and Session Authentication 269 Viewing Authenticated Hosts 270 Denial of Service Prevention 271 Secure Core Technology SCT 271 Types of DoS Attacks 271 Defense Against DoS Attack...

Page 10: ... Modifying the User Password on the SSH Server 284 Chapter 19 Security Secure Sensitive Data Management 286 Introduction 286 SSD Management 287 SSD Rules 287 Elements of an SSD Rule 288 SSD Rules and User Authentication 291 Default SSD Rules 291 SSD Default Read Mode Session Override 292 SSD Properties 292 Passphrase 293 Default and User defined Passphrases 293 Local Passphrase 293 Configuration F...

Page 11: ...lity of Service 304 QoS Features and Components 305 QoS Operation 305 QoS Workflow 306 Configuring QoS General 306 Setting QoS Properties 306 Interface QoS Settings 308 Configuring QoS Queues 308 Mapping CoS 802 1p to a Queue 310 Mapping DSCP to Queue 312 Configuring Bandwidth 315 Configuring Egress Shaping per Queue 316 Managing QoS Statistics 317 Viewing Queues Statistics 317 Chapter 21 SNMP 320...

Page 12: ...Configuring SNMP Views 325 Creating SNMP Groups 327 Managing SNMP Users 329 Defining SNMP Communities 331 Defining Trap Settings 333 Notification Recipients 333 Defining SNMPv1 2 Notification Recipients 334 Defining SNMPv3 Notification Recipients 335 SNMP Notification Filters 337 ...

Page 13: ...Cisco Small Business 200 Series Smart Switch Administration Guide 13 Contents ...

Page 14: ...igate the web based switch configuration utility If you are using a pop up blocker make sure it is disabled Browser Restrictions If you are using older versions of Internet Explorer you cannot directly use an IPv6 address to access the device You can however use the DNS Domain Name System server to create a domain name that contains the IPv6 address and then use that domain name in the address bar...

Page 15: ...requests Chinese for example and Chinese has been loaded into your device the Login page is automatically displayed in Chinese If Chinese has not been loaded into your device the Login page appears in English The languages loaded into the device have a language and country code en US en GB and so on For the Login page to be automatically displayed in a particular language based on the browser requ...

Page 16: ...se see the Launching the Configuration Utility section in the Administration Guide for additional information Select Don t show this page on startup to prevent the Getting Started page from being displayed each time that you log on to the system If you select this option the System Summary page is opened instead of the Getting Started page HTTP HTTPS You can either open an HTTP session not secured...

Page 17: ...covers a device such as an IP phone see What is a Smartport and it configures the port appropriately for the device These configuration commands are written to the Running Configuration file This causes the Save icon to begin blinking when the you log on even though you did not make any configuration changes When you click Save the Copy Save Configuration page appears Save the Running Configuratio...

Page 18: ...ming Conventions Within the GUI interfaces are denoted by concatenating the following elements Links on the Getting Started page Category Link Name on the Page Linked Page Change Management Applications and Services TCP UDP Services page Change Device IP Address IPv4 Interface page Create VLAN Create VLAN page Configure Port Settings Port Setting page Device Status System Summary System Summary pa...

Page 19: ...owing types of interfaces are found on the various types of devices Fast Ethernet 10 100 bits These are displayed as FE Gigabit Ethernet ports 10 100 1000 bits These are displayed as GE LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Interface Number Port LAG tunnel or VLAN ID ...

Page 20: ...ade that have not yet been saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the device After this save the red X icon and the Save application link are no longer displayed When the dev...

Page 21: ...s disappear and in their place are the IDs of the strings that correspond to the IDs in the language file NOTE To upgrade a language file use the Upgrade Backup Firmware Language page Logout Click to log out of the web based switch configuration utility About Click to display the device name and device version number Help Click to display the online help The SYSLOG Alert Status icon appears when a...

Page 22: ...unning Configuration to the Startup Configuration file type on the device Apply Click to apply changes to the Running Configuration on the device If the device is rebooted the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Configurat...

Page 23: ...destination entry numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The Edit page appears and the entry can be modified 1 Click Apply to save the changes to the Running Con...

Page 24: ...Getting Started Window Navigation 11 Cisco Small Business 200 Series Smart Switch Administration Guide 1 ...

Page 25: ...ful for analyzing the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast To display Ethernet statistics and or set the refresh rate STEP 1 Click Status and Statistics Interface STEP 2 Enter the parameters Interface Select the type of interface and specific interface for which Ethernet statistics are to be displayed Refresh Rate Select the time perio...

Page 26: ...transmitted including bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets transmitted Multicast Packets Good Multicast packets transmitted Broadcast Packets Good Broadcast packets transmitted To clear statistics counters Click Clear Interface Counters to clear counters for the interface displayed Click View All Interfaces Statistics to see all ports on a sing...

Page 27: ...he first 512 bits of data Excessive Collisions Number of transmissions rejected due to excessive collisions Oversize Packets Packets greater than 2000 octets received Internal MAC Receive Errors Frames rejected because of receiver errors Pause Frames Received Received flow control pause frames Pause Frames Transmitted Flow control pause frames transmitted from the selected interface To clear stati...

Page 28: ...ID Frames Received EAP Resp ID frames received on the port EAP Response Frames Received EAP Response frames received by the port other than Resp ID frames EAP Request ID Frames Transmitted EAP Req ID frames transmitted by the port EAP Request Frames Transmitted EAP Request frames transmitted by the port Invalid EAPOL Frames Received Unrecognized EAPOL frames received on this port EAP Length Error ...

Page 29: ...orts because the device reports events as they occur With this feature you can perform the following actions View the current statistics since the counter values were cleared You can also collect the values of these counters over a period of time and then view the table of collected data where each collected set is a single line of the History tab Define interesting changes in counter values such ...

Page 30: ...ets received This number does not include Multicast packets Multicast Packets Received Number of good Multicast packets received CRC Align Errors Number of CRC and Align errors that have occurred Undersize Packets Number of undersized packets less than 64 octets received Oversize Packets Number of oversized packets over 2000 octets received Fragments Number of fragments packets with less than 64 o...

Page 31: ...taining 256 511 bytes that were received Frames of 512 to 1023 Bytes Number of frames containing 512 1023 bytes that were received Frames greater than 1024 Bytes Number of frames containing 1024 2000 bytes and Jumbo Frames that were received To clear statistics counters Click Clear Interface Counters to clear the selected interfaces counters Click View All Interfaces Statistics to see all ports on...

Page 32: ...istory table entry Source Interface Select the type of interface from which the history samples are to be taken Max No of Samples to Keep Enter the number of samples to store Sampling Interval Enter the time in seconds that samples are collected from the ports The field range is 1 3600 Owner Enter the RMON station or user that requested the RMON information STEP 4 Click Apply The entry is added to...

Page 33: ...s CRC and Align errors that have occurred Undersize Packets Undersized packets less than 64 octets received Oversize Packets Oversized packets over 2000 octets received Fragments Fragments packets with less than 64 octets received excluding framing bits but including FCS octets Jabbers Total number of received packets that were longer than 2000 octets This number excludes frame bits but includes F...

Page 34: ...n event Notification Type Select the type of action that results from this event Values are None No action occurs when the alarm goes off Log Event Log Table Add a log entry to the Event Log table when the alarm is triggered Trap SNMP Manager and SYSLOG Server Send a trap to the remote log server when the alarm goes off Log and Trap Add a log entry to the Event Log table and send a trap to the rem...

Page 35: ...s entered Description Description of event that triggered the alarm Defining RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on any counter or any other SNMP object counter maintained by the agent Both the rising and falling thresholds must be configured in the alarm After a rising threshold is crossed no rising events are gene...

Page 36: ...olute If the threshold is crossed an alarm is generated Delta Subtracts the last sampled value from the current value The difference in the values is compared to the threshold If the threshold was crossed an alarm is generated Rising Threshold Enter the value that triggers the rising threshold alarm Rising Event Select an event to be performed when a rising event is triggered Events are created in...

Page 37: ...0 Series Smart Switch Administration Guide 24 2 Interval Enter the alarm interval time in seconds Owner Enter the name of the user or network management system that receives the alarm STEP 4 Click Apply The RMON alarm is saved to the Running Configuration file ...

Page 38: ...Status and Statistics Managing RMON 25 Cisco Small Business 200 Series Smart Switch Administration Guide 2 ...

Page 39: ...rsists across reboots In addition you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages This section covers the following sections Setting System Log Settings Setting Remote Logging Settings Viewing Memory Logs Setting System Log Settings You can enable or disable logging on the Log Settings page and select whether to aggregate log messages You can select the...

Page 40: ...es all of the higher severity events to be automatically stored in the log Lower severity events are not stored in the log For example if Warning is selected all severity levels that are Warning and higher are stored in the log Emergency Alert Critical Error and Warning No events with severity level below Warning are stored Notice Informational and Debug To set global log parameters STEP 1 Click A...

Page 41: ...lect the severity levels of the messages to be logged to the RAM Flash Memory Logging Select the severity levels of the messages to be logged to the Flash memory STEP 3 Click Apply The Running Configuration file is updated Setting Remote Logging Settings The Remote Log Servers page enables defining remote SYSLOG servers where log messages are sent using the SYSLOG protocol For each server you can ...

Page 42: ...er the IP address or domain name of the log server UDP Port Enter the UDP port to which the log messages are sent Facility Select a facility value from which system logs are sent to the remote server Only one facility value can be assigned to a server If a second facility code is assigned the first facility value is overridden Description Enter a server description Minimum Severity Select the mini...

Page 43: ... number Log Time Time when message was generated Severity Event severity Description Message text describing the event To clear the log messages click Clear Logs The messages are cleared Flash Memory The Flash Memory page displays the messages that were stored in the Flash memory in chronological order The minimum severity for logging is configured in the Log Settings page Flash logs remain when t...

Page 44: ...Administration System Log Viewing Memory Logs 31 Cisco Small Business 200 Series Smart Switch Administration Guide 3 ...

Page 45: ... configuration information firmware images or boot code Various actions can be performed with these files such as selecting the firmware file from which the device boots copying various types of configuration files internally on the device or copying files to or from an external device such as an external server The possible methods of file transfer are Internal copy HTTP HTTPS that uses the facil...

Page 46: ... the device to operate This is the only file type that is modified when you change parameter values on the device If the device is rebooted the Running Configuration is lost The Startup Configuration stored in Flash overwrites the Running Configuration stored in RAM To preserve any changes you made to the device you must save the Running Configuration to the Startup Configuration or another file t...

Page 47: ...unctionality of the device More commonly referred to as the image Boot Code Controls the basic system startup and launches the firmware image Language File The dictionary that enables the web based configuration utility windows to be displayed in the selected language Flash Log SYSLOG messages stored in Flash memory File Actions The following actions can be performed to manage firmware and configu...

Page 48: ...up the boot code Import or upgrade a second language file The following methods for transferring files are supported HTTP HTTPS that uses the facilities provided by the browser TFTP that requires a TFTP server Secure Copy Protocol SCP that requires an SCP server If a new language file was loaded onto the device the new language can be selected from the drop down menu It is not necessary to reboot ...

Page 49: ...FTP server Backup Specifies that a copy of the file type is to be saved to a file on another device Enter the following fields File Type Select the destination file type Only valid file types are shown The file types are described in the Files and File Types section TFTP Server Definition Select whether to specify the TFTP server by IP address or domain name IP Version Select whether an IPv4 or an...

Page 50: ...ions Then enter the following fields only unique fields are described for non unique fields see the descriptions above Remote SSH Server Authentication To enable SSH server authentication which is disabled by default click Edit This takes you to the SSH Server Authentication page to configure the SSH server and return to this page Use the SSH Server Authentication page to select an SSH user authen...

Page 51: ...ress uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPv6 type that is visible and reachable ...

Page 52: ...tartup Configuration the device must be rebooted for the restored Startup Configuration to be used as the Running Configuration You can reboot the device by using the process described in the Rebooting the Device section Configuration File Backwards Compatibility When restoring configuration files from an external device to the device the following compatibility issues might arise Change Queues Mo...

Page 53: ...r restore the system configuration file STEP 1 Click Administration File Management Download Backup Configuration Log STEP 2 Select the Transfer Method STEP 3 If you selected via TFTP enter the parameters Otherwise skip to STEP 4 Select either Download or Backup as the Save Action Download Save Action Specifies that the file on another device replaces a file type on the device Enter the following ...

Page 54: ... b IP Version Select whether an IPv4 or an IPv6 address is used c IPv6 Address Type Select the IPv6 address type if used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address e...

Page 55: ...e in this step a Source File Name Click Browse to select a file or enter the path and source file name to be used in the transfer b Destination File Type Select the configuration file type Only valid file types are displayed The file types are described in the Files and File Types section c Click Apply The file is transferred from the other device to the device If Save Action is Backup copying a f...

Page 56: ...als to go to the SSH User Authentication page where the user password can be set once for all future use Use SSH Client One Time Credentials Enter the following Username Enter a username for this copy action Password Enter a password for this copy SCP Server Definition Select whether to specify the TFTP server by IP address or by domain name IP Version Select whether an IPv4 or an IPv6 address is ...

Page 57: ...pes are described in the Files and File Types section Sensitive Data Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypted Include sensitive data in the backup in its encrypted form Plaintext Include sensitive data in the backup in its plaintext form NOTE The available sensitive data options...

Page 58: ...e mirror configuration files STEP 3 If required select either the Startup Configuration Backup Configuration or both and click Clear Files to delete these files This page provides the following fields Configuration File Name Displays the type of file Creation Time Displays the date and time that file was modified Copy Save Configuration When you click Apply on any window changes that you made to t...

Page 59: ...e Management Copy Save Configuration STEP 2 Select the Source File Name to be copied Only valid file types are displayed described in the Files and File Types section STEP 3 Select the Destination File Name to be overwritten by the source file If you are backing up a configuration file select one of the following formats for the backup file Exclude Sensitive data is not included in the backup file...

Page 60: ...nd SSH SSL keys by using the Secured Copy Protocol SCP and the Secure Sensitive Data SSD feature See Security Secure Sensitive Data Management DHCPv4 Auto Configuration is triggered in the following cases After reboot when an IP address is allocated or renewed dynamically using DHCPv4 Upon an explicit DHCPv4 renewal request and if the device and the server are configured to do so Upon automatic re...

Page 61: ...tension indicates that files with this extension are downloaded using SCP over SSH while files with other extensions are downloaded using TFTP For example if the file extension specified is xyz files with the xyz extension are downloaded using SCP and files with the other extensions are downloaded using TFTP TFTP Only The download is done through TFTP regardless of the file extension of the config...

Page 62: ...d not send these options and the backup TFTP SCP server address parameter is empty then For DHCPv4 SCP The Auto Configuration process is halted TFTP The device sends TFTP Request messages to a limited Broadcast address for IPv4 or ALL NODES address for IPv6 on its IP interfaces and continues the process of Auto Configuration with the first answering TFTP server For DHCPv6 The Auto Configuration pr...

Page 63: ...iguration process is completed Configuring DHCP Auto Configuration Workflow To configure DHCP Auto Configuration 1 Configure the DHCPv4 and or DHCPv6 servers to send the required options this process is not described in this guide 2 Configure Auto Configuration parameters 3 Set the IP Address Type to Dynamic in the IPv4 Interface page Web Configuration The DHCP Auto Configuration page is used to p...

Page 64: ... auto configuration uses the TFTP or SCP protocol depending on the extension of the configuration file If this option is selected the extension of the configuration file does not necessarily have to be given If it is not given the default extension is used as indicated below File Extension for SCP If Auto By File Extension is selected you can indicate a file extension here Any file with this exten...

Page 65: ...of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 is used f...

Page 66: ...Administration File Management DHCP Auto Configuration 53 Cisco Small Business 200 Series Smart Switch Administration Guide 4 ...

Page 67: ...he device It covers the following topics Device Models System Information Rebooting the Device Monitoring Fan Status Defining Idle Session Timeout Pinging a Host Device Models All models can be fully managed through the web based switch configuration utility NOTE The following port conventions are used GE is used for Gigabit Ethernet 10 100 1000 ports FE is used for Fast Ethernet 10 100 ports ...

Page 68: ...l purpose combo ports N A N A SG200 26 SLM2024T 24 GE ports 2 GE special purpose combo ports N A N A SG200 26P SLM2024PT 24 GE ports 2 GE special purpose combo ports 100W 12 ports FE1 FE6 FE13 FE18 SG200 50 SLM2048T 48 GE ports 2 GE special purpose combo ports N A N A SG200 50P SLM2048PT 48 GE ports 2 GE special purpose combo ports 180W 24 ports FE1 FE12 FE25 FE36 SF200 24 SLM224GT 24 FE ports 2 G...

Page 69: ...lick Edit to go the System Settings page to enter this information Host Name Name of the device Click Edit to go the System Settings page to enter this information By default the device hostname is composed of the word device concatenated with the three least significant bytes of the device MAC address the six furthest right hexadecimal digits System Object ID Unique vendor identification of the n...

Page 70: ...imit Configuring the System Settings To enter system settings STEP 1 Click Administration System Settings STEP 2 View or modify the system settings System Description Displays a description of the device System Location Enter the location where the device is physically located System Contact Enter the name of a contact person Host Name Select the host name of this device This is used in the prompt...

Page 71: ...tion For more information on files and file types see the System Files section You can back up the configuration by using Administration File Management Copy Save Configuration or clicking Save at the top of the window You can also upload the configuration from a remote device See the Download Backup Configuration Log section There are cases when you might prefer to set the time of the reboot for ...

Page 72: ...do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight The reload must take place within 24 days NOTE This option can only be used if the system time has either been set manually o...

Page 73: ... following are generated SYSLOG message SNMP trap At least one temperature sensor exceeds the Critical threshold The following are generated SYSLOG message SNMP trap The following actions are performed System LED is set to solid amber if hardware supports this Disable Ports When the Critical temperature has been exceeded for two minutes all ports will be shut down On devices that support PoE Disab...

Page 74: ...irection On relevant devices The direction that the fans are working in for example Front to Back Defining Idle Session Timeout The Idle Session Timeout configures the time interval during which the HTTP session can remain idle before it times out and you must log in again to reestablish the session HTTP Session Timeout HTTPS Session Timeout To set the idle session timeout of an HTTP or HTTPS sess...

Page 75: ... the type of IPv6 address to enter Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is...

Page 76: ...on Guide 5 Status Displays whether the ping succeeded or failed STEP 3 Click Activate Ping to ping the host The ping status appears and another message is added to the list of messages indicating the result of the ping operation STEP 4 View the results of ping in the Ping Counters and Status section of the page ...

Page 77: ...duces confusion in shared file systems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The device supports Simple Network Time Protocol SNTP and when enabled the device dynamically synchronizes the device time wit...

Page 78: ...ration of time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration in order to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device sets the time ...

Page 79: ...ion 100 in order for dynamic time zone configuration to take place SNTP Modes The device can receive the system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the device listens to these broadcasts When the device is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmission active m...

Page 80: ... these were defined Last Synchronized Server Address stratum and type of the SNTP server from which time was last taken STEP 2 Enter these parameters Clock Source Settings Select the source used to set the system clock Main Clock Source SNTP Servers If you enable this the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the S...

Page 81: ... server This acronym appears in the Actual Time field Time Zone Offset Select the difference in hours between Greenwich Mean Time GMT and the local time For example the Time Zone Offset for Paris is GMT 1 while the Time Zone Offset for New York is GMT 5 Time Zone Acronym Enter a user defined name that represents the time zone you have configured This acronym appears in the Actual Time field Daylig...

Page 82: ...are Day Day of the week on which DST ends every year Week Week within the month from which DST ends every year Month Month of the year in which DST ends every year Time The time at which DST ends every year STEP 3 Click Apply The system time values are written to the Running Configuration file Adding a Unicast SNTP Server Up to 16 Unicast SNTP servers can be configured NOTE To specify a Unicast SN...

Page 83: ... received from this SNTP server Offset The estimated offset of the server s clock relative to the local clock in milliseconds The host determines the value of this offset using the algorithm described in RFC 2030 Delay The estimated round trip delay of the server s clock relative to the local clock over the network path between them in milliseconds The host determines the value of this delay using...

Page 84: ...IP address The format depends on which address type was selected SNTP Server Select the name of the SNTP server from a list of well known NTP servers If other is chosen enter name of SNTP server in the adjacent field Poll Interval Select to enable polling of the SNTP server for system time information All NTP servers that are registered for polling are polled and the clock is selected from the ser...

Page 85: ...Client Broadcast Transmission Select to transmit SNTP IPv4 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet SNTP IPv6 Anycast Client Mode Client Broadcast Transmission Select to transmit SNTP IPv6 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet STEP 3 If ...

Page 86: ...eys STEP 1 Click Administration Time Settings SNTP Authentication STEP 2 Select SNTP Authentication to support authentication of an SNTP session between the device and an SNTP server STEP 3 Click Apply to update the device STEP 4 Click Add STEP 5 Enter the following parameters Authentication Key ID Enter the number used to identify this SNTP authentication key internally Authentication Key Enter t...

Page 87: ...able tests performed on copper cables by the Virtual Cable Tester VCT VCT performs two types of tests Time Domain Reflectometry TDR technology tests the quality and characteristics of a copper cable attached to a port Cables of up to 140 meters long can be tested These results are displayed in the Test Results block of the Copper Test page DSP based tests are performed on active GE links to measur...

Page 88: ...ons with that device are disrupted To test copper cables attached to ports STEP 1 Click Administration Diagnostics Copper Test STEP 2 Select the port on which to run the test STEP 3 Click Copper Test STEP 4 When the message appears click OK to confirm that the link can go down or Cancel to abort the test The following fields are displayed in the Test Results block Last Update Time of the last test...

Page 89: ...s NOTE TDR tests cannot be performed when the port speed is 10Mbit Sec Displaying Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable transceiver Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF 8472 MSA compatible SFPs The following FE SFP 100Mbps t...

Page 90: ...e SFP s operating voltage Current SFP s current consumption Output Power Transmitted optical power Input Power Received optical power Transmitter Fault Remote SFP reports signal loss Values are True False and No Signal N S Loss of Signal Local SFP reports signal loss Values are True and False Data Ready SFP is operational Values are True and False Configuring Port and VLAN Mirroring Port mirroring...

Page 91: ...tains the following fields Destination Port Port to which traffic is to be copied the analyzer port Source Interface Interface port or VLAN from which traffic is sent to the analyzer port Type Type of monitoring incoming to the port Rx outgoing from the port Tx or both Status Displays one of the following values Active Both source and destination interfaces are up and forwarding traffic Not Ready ...

Page 92: ...fic Excessive traffic burdens the CPU and might prevent normal device operation The device uses the Secure Core Technology SCT feature to ensure that the device receives and processes management and protocol traffic no matter how much total traffic is received SCT is enabled by default on the device and cannot be disabled There are no interactions with other features To display CPU utilization STE...

Page 93: ...enable or disable the device services The device can be discovered by a network management system or other third party applications By default Bonjour is enabled and runs on the Management VLAN The Bonjour console automatically detects the device and displays it Bonjour in Layer 2 System Mode Bonjour Discovery can only be enabled globally and not on a per port or per VLAN basis The device advertis...

Page 94: ... the protocols In LLDP and CDP advertisements are encoded as TLV Type Length Value in the packet The following CDP LLDP configuration notes apply CDP LLDP can be globally enabled or disabled and enabled disabled per port The CDP LLDP capability of a port is relevant only if CDP LLDP is globally enabled If CDP LLDP is globally enabled the device filters out incoming CDP LLDP packets from ports that...

Page 95: ... device transmits and receives CDP LLDP packets to and from the interface only if the interface is authenticated and authorized If a port is the target of mirroring then according to CDP LLDP it is considered down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise themselves and their capabilities In deployments where the CDP LLDP capable device...

Page 96: ... is a link layer protocol By default the device terminates and processes all incoming LLDP packets as required by the protocol The LLDP protocol has an extension called LLDP Media Endpoint Discovery LLDP MED which provides and accepts information from media endpoint devices such as VoIP phones and video phones For further information about LLDP MED see LLDP MED Network Policy LLDP Configuration Wo...

Page 97: ...nter the parameters LLDP Status Select to enable LLDP on the device enabled by default LLDP Frames Handling If LLDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Filtering Delete the packet Flooding Forward the packet to all VLAN members TLV Advertise Interval Enter the rate in seconds at which LLDP advertisement updates are sent or use the...

Page 98: ...tivating LLDP and SNMP notification per port and entering the TLVs that are sent in the LLDP PDU The LLDP MED TLVs to be advertised can be selected in the LLDP MED Port Settings page and the management address TLV of the device may be configured To define the LLDP port settings STEP 1 Click Administration Discovery LLDP Port Settings This page contains the port LLDP information STEP 2 Select a por...

Page 99: ...object System Capabilities Primary functions of the device and whether or not these functions are enabled in the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved 802 3 MAC PHY Duplex and bit rate capability and the current duplex and bit rate setti...

Page 100: ...d click Apply The port settings are written to the Running Configuration file LLDP MED Network Policy LLDP Media Endpoint Discovery LLDP MED is an extension of LLDP that provides the following additional capabilities to support media endpoint devices Some of the features of the LLDP Med Network Policy are Enables the advertisement and discovery of network polices for real time applications such as...

Page 101: ...mberships according to the network policies and their associated interfaces In addition an administrator can instruct the device to automatically generate and advertise a network policy for voice application based on the voice VLAN maintained by the device Refer the Auto Voice VLAN section for details on how the device maintains its voice VLAN To define an LLDP MED network policy STEP 1 Click Admi...

Page 102: ...advertisement for the desired interfaces Network Policies are configured using the LLDP MED Network Policy page NOTE If LLDP MED Network Policy for Voice Application LLDP MED Network Policy Page is Auto and Auto Voice VLAN is in operation then the device automatically generates an LLDP MED Network Policy for Voice Application for all the ports that are LLDP MED enabled and are members of the voice...

Page 103: ...E The following fields must be entered in hexadecimal characters in the exact data format that is defined in the LLDP MED standard ANSI TIA 1057_final_for_publication pdf Location Coordinate Enter the coordinate location to be published by LLDP Location Civic Address Enter the civic address to be published by LLDP Location ECS ELIN Enter the Emergency Call Service ECS ELIN location to be published...

Page 104: ...terface Port identifier LLDP Status LLDP publishing option LLDP MED Status Enabled or disabled Local PoE Local PoE information advertised Remote PoE PoE information advertised by the neighbor of neighbors Number of neighbors discovered Neighbor Capability of 1st Device Displays the primary functions of the neighbor for example Bridge or Router Displaying LLDP Local Information To view the LLDP loc...

Page 105: ...fier that is shown Port ID Identifier of port Port Description Information about the port including manufacturer product name and hardware software version Management Address Displays the table of addresses of the local LLDP agent Other remote managers can use this address to obtain information related to the local device The address consists of the following elements Address Subtype Type of manag...

Page 106: ... Indicates whether the interface is aggregated Aggregation Port ID Advertised aggregated interface ID 802 3 Energy Efficient Ethernet EEE If device supports EEE Local Tx Indicates the time in micro seconds that the transmitting link partner waits before it starts transmitting data after leaving Low Power Idle LPI mode Local Rx Indicates the time in micro seconds that the receiving link partner req...

Page 107: ...e PoE Power Priority Port power priority PoE Power Value Port power value Hardware Revision Hardware version Firmware Revision Firmware version Software Revision Software version Serial Number Device serial number Manufacturer Name Device manufacturer name Model Name Device model name Asset ID Asset ID Location Information Civic Street address Coordinates Map coordinates latitude longitude and alt...

Page 108: ...view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbors Information This page contains the following fields Local Port Number of the local port to which the neighbor is connected Chassis ID Subtype Type of chassis ID for example MAC address Chassis ID Identifier of the 802 LAN neighboring device s chassis Port ID Subtype Type of the port identifier that is sho...

Page 109: ...equals the sysDescr object Supported System Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Enabled System Capabilities Primary enabled function s of the device Management Address Table Address Subtype Managed...

Page 110: ...rt PSE Power Class Advertised power class of the port 802 3 Details 802 3 Maximum Frame Size Advertised maximum frame size that is supported on the port 802 3 Link Aggregation Aggregation Capability Indicates if the port can be aggregated Aggregation Status Indicates if the port is currently aggregated Aggregation Port ID Advertised aggregated port ID 802 3 Energy Efficient Ethernet EEE Remote Tx ...

Page 111: ...s Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support and device information management capabilities PoE Device Type Port PoE type for example powered PoE Power Source Port s power source PoE Power Priority Port s power priority PoE Power Value Port s power value Hardware Revision Hardware version Firmware Revi...

Page 112: ... or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s Emergency Call Service ECS Emergency Location Identification Number ELIN Unknown Unknown location information Network Policies Application Type Network policy application type for example Voice VLAN ID VLAN ID for which the network policy is defined VLAN Type VLAN type Tagged or Untagged for w...

Page 113: ... Information Deletion Count Number of neighbor ageouts on the interface STEP 2 Click Refresh to view the latest statistics LLDP Overloading LLDP adds information as LLDP and LLDP MED TLVs into the LLDP packets LLDP overload occurs when the total amount of information to be included in a LLDP packet exceed the maximum PDU size supported by an interface The LLDP Overloading page displays the number ...

Page 114: ...pabilities Size Bytes Total LLDP MED capabilities packets byte size Status If the LLDP MED capabilities packets were sent or if they were overloaded LLDP MED Location Size Bytes Total LLDP MED location packets byte size Status If the LLDP MED locations packets were sent or if they were overloaded LLDP MED Network Policy Size Bytes Total LLDP MED network policies packets byte size Status If the LLD...

Page 115: ...ytes Total number of bytes of LLDP information in each packet Left to Send Bytes Total number of available bytes left for additional LLDP information in each packet Configuring CDP This section describes how to configure CDP It covers the following topics Setting CDP Properties Editing CDP Interface Settings Displaying CDP Local Information Displaying CDP Neighbors Information Viewing CDP Statisti...

Page 116: ...ameters STEP 1 Click Administration Discovery CDP Properties STEP 2 Enter the parameters CDP Status Select to enable CDP on the device CDP Frames Handling If CDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Bridging Forward the packet based on the VLAN Filtering Delete the packet Flooding VLAN unaware flooding that forwards incoming CDP pa...

Page 117: ...nterface IP address to be used in the TLV of the frames The following options are possible Use Default Use the IP address of the outgoing interface User Defined Use the IP address of the interface in the Interface field in the address TLV Interface IF User Defined was selected for Source Interface select the interface Syslog Voice VLAN Mismatch Check to send a SYSLOG message when a voice VLAN mism...

Page 118: ...hing option for the port Reporting Conflicts with CDP Neighbors Displays the status of the reporting options that are enabled disabled in the Edit page Voice VLAN Native VLAN Duplex No of Neighbors Number of neighbors detected The bottom of the page has four buttons Copy Settings Select to copy a configuration from one port to another Edit Fields explained in Step 2 below CDP Local Information Det...

Page 119: ...e when duplex information mismatch is detected This means that the duplex information in the incoming frame does not match what the local device is advertising STEP 3 Enter the relevant information and click Apply The port settings are written to the Running Configuration Displaying CDP Local Information To view information that is advertised by the CDP protocol about the local device STEP 1 Click...

Page 120: ...e ID Type of device attached to port advertised in the appliance TLV Appliance VLAN ID VLAN on the device used by the appliance for instance if the appliance is an IP phone this is the voice VLAN Extended Trust TLV Extended Trust Enabled indicates that the port is trusted meaning that the host server from which the packet is received is trusted to mark the packets itself In this case packets recei...

Page 121: ...Management Power Level Displays the supplier s request to the powered device for its Power Consumption TLV The device always displays No Preference in this field Displaying CDP Neighbors Information The CDP Neighbors Information page displays CDP information received from neighboring devices After timeout based on the value received from the neighbor Time To Live TLV during which no CDP PDU was re...

Page 122: ...information for this neighbor is deleted Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Platform Identifier of the neighbors platform Neighbor Interface Interface number of the neighbor through which frame ar...

Page 123: ... 1 Click Administration Discovery CDP CDP Statistics The following fields are displayed for every interface Packets Received Transmitted Version 1 Number of CDP version 1 packets received transmitted Version 2 Number of CDP version 2 packets received transmitted Total Total number of CDP packets received transmitted The CDP Error Statistics section displays the CDP error counters Illegal Checksum ...

Page 124: ...Administration Discovery Configuring CDP 111 Cisco Small Business 200 Series Smart Switch Administration Guide 8 ...

Page 125: ...protocol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters for the ports that are members or candidates of a dynamic LAG by using the LACP page 5 Configure Green Ethernet and 802 ...

Page 126: ...Configuration is explicitly saved to the Startup Configuration File using the Copy Save Configuration page and the device is rebooted STEP 4 To update the port settings select the desired port and click Edit STEP 5 Modify the following parameters Interface Select the port number Port Type Displays the port type and speed The possible options are Copper Ports Regular not Combo support the following...

Page 127: ... the speed of the port The port type determines which the available speeds You can designate Administrative Speed only when port auto negotiation is disabled Operational Port Speed Displays the current port speed that is the result of negotiation Administrative Duplex Mode Select the port duplex mode This field is configurable only when auto negotiation is disabled and the port speed is set to 10M...

Page 128: ...e device is congested It disables the remote port preventing it from sending packets by jamming the signal Flow Control Enable or disable 802 3x Flow Control or enable the auto negotiation of Flow Control on the port only when in Full Duplex mode MDI MDIX the Media Dependent Interface MDI Media Dependent Interface with Crossover MDIX status on the port The options are MDIX Select to swap the port ...

Page 129: ...orts assigned to a static LAG are always active members After a LAG is manually created the LACP option cannot be added or removed until the LAG is edited and a member is removed which can be added prior to applying then the LACP button become available for editing Dynamic A LAG is dynamic if LACP is enabled on it The group of ports assigned to dynamic LAG are candidate ports LACP determines which...

Page 130: ...Every LAG has the following characteristics All ports in a LAG must be of the same media type To add a port to the LAG it cannot belong to any VLAN except the default VLAN Ports in a LAG must not be assigned to another LAG No more than eight ports are assigned to a static LAG and no more than 16 ports can be candidates for a dynamic LAG All the ports in a LAG must have auto negotiation disabled al...

Page 131: ...Enable LACP on the LAG Assign up to 16 candidates ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List by using the LAG Management page 2 Configure various aspects of the LAG such as speed and flow control by using the LAG Settings page 3 Set the LACP priority and timeout of the ports in the LAG by using the LACP page Defining LAG Management The LAG...

Page 132: ...the LAG Members list Up to eight ports per static LAG can be assigned and 16 ports can be assigned to a dynamic LAG STEP 3 Click Apply LAG membership is saved to the Running Configuration file Configuring LAG Settings The LAG Settings page displays a table of current settings for all LAGs You can configure the settings of selected LAGs and reactivate suspended LAGs by launching the Edit LAG Settin...

Page 133: ... Operational LAG Speed Displays the current speed at which the LAG is operating Administrative Advertisement Select the capabilities to be advertised by the LAG The options are Max Capability All LAG speeds and both duplex modes are available 10 Full The LAG advertises a 10 Mbps speed and the mode is full duplex 100 Full The LAG advertises a 100 Mbps speed and the mode is full duplex 1000 Full The...

Page 134: ...est MAC address controls candidate port selection to the LAG A dynamic LAG can have up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode When there are more than eight ports in the dynamic LAG the device on the controlling end of the link uses port priorities to determine which ports are bundled into the LAG and which ports are put i...

Page 135: ... DHCP and get its configuration using auto configuration Setting LACP Parameter Settings Use the LACP page to configure the candidate ports for the LAG and to configure the LACP parameters per port With all factors equal when the LAG is configured with more candidate ports than the maximum number of active ports allowed 8 the device selects ports as active from the dynamic LAG on the device that h...

Page 136: ...s enabled on all devices where only the Gigabyte ports are enable with EEE The Green Ethernet feature can reduce overall power usage in the following ways Energy Detect Mode On an inactive link the port moves into inactive mode saving power while keeping the Administrative status of the port Up Recovery from this mode to full operational mode is fast transparent and no frames are lost This mode is...

Page 137: ...devices etc On the System Summary page the LEDs that are displayed on the device board pictures are not affected by disabling the LEDs Power savings current power consumption and cumulative energy saved can be monitored The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Ethernet mod...

Page 138: ...tions of their functionality and save power during periods of no traffic 802 3az EEE supports IEEE 802 3 MAC operation at 100 Mbps and 1000 Mbps LLDP is used to select the optimal set of parameters for both devices If LLDP is not supported by the link partner or is disabled 802 3az EEE still be operational but it might not be in the optimal operational mode The 802 3az EEE feature is implemented u...

Page 139: ...802 3az EEE capabilities and settings are also advertised using frames based on the organizationally specific TLVs defined in Annex G of IEEE Std 802 1AB protocol LLDP LLDP is used to further optimize 802 3az EEE operation after auto negotiation is completed The 802 3az EEE TLV is used to fine tune system wake up and refresh durations Availability of 802 3az EEE Please check the release notes for ...

Page 140: ... page b Check the 802 3 Energy Efficient Ethernet EEE mode on the port it is enabled by default c Select whether to enable or disable advertisement of 802 3az EEE capabilities through LLDP in 802 3 Energy Efficient Ethernet EEE LLDP it is enabled by default STEP 4 To see 802 3 EEE related information on the local device open the Administration Discovery LLDP LLDP Local Information page and view th...

Page 141: ...gy Saved Displays the amount of energy saved from the last device reboot This value is updated each time there is an event that affects power saving 802 3 Energy Efficient Ethernet EEE Globally enable or disable EEE mode Port LEDs Select to enable the port LEDs When these are disabled they do not display link status activity etc STEP 3 Click Apply The Green Ethernet Properties are written to the R...

Page 142: ...ch mode Administrative Displays whether Short Reach mode was enabled Operational Displays whether Short Reach mode is currently operating Reason If Short Reach mode is not operational displays the reason Cable Length Displays VCT returned cable length in meters NOTE Short reach mode is only supported on RJ45 GE ports it does not apply to Combo ports 802 3 Energy Efficient Ethernet EEE State of the...

Page 143: ...Reach and EEE globally see Setting Global Green Ethernet Properties STEP 2 Select a Port and click Edit STEP 3 Select to enable or disable Energy Detect mode on the port STEP 4 Select to enable or disable Short Reach mode on the port if there are GE ports on the device STEP 5 Select to enable or disable 802 3 Energy Efficient Ethernet EEE mode on the port if there are GE ports on the device STEP 6...

Page 144: ...Port Management Configuring Green Ethernet 131 Cisco Small Business 200 Series Smart Switch Administration Guide 9 ...

Page 145: ...rt Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Configuring Smartport Using The Web based Interface Built in Smartport Macros Overview The Smartport feature provides a convenient way to save and share common configurations By applying the same Smartport macro to multiple interfaces the interfaces share a common set of con...

Page 146: ...and features are described in the following sections Smartport Smartport types and Smartport macros described in this section Voice VLAN and Smartport described in the Voice VLAN section LLDP CDP for Smartport described in the Configuring LLDP and Configuring CDP sections respectively Additionally typical work flows are described in the Common Smartport Tasks section What is a Smartport A Smartpor...

Page 147: ...o called the macro serves to apply the desired configuration The other called the anti macro serves to undo all configuration performed by the macro when that interface happens to become a different Smartport type The following describes the relationship of Smartport types and Auto Smartport Smartport and Auto Smartport Types Smartport Type Supported by Auto Smartport Supported by Auto Smartport b...

Page 148: ...ollowing cases A link down up operation is performed on the interface The device is restarted All devices attached to the interface have aged out which is defined as the absence of CDP and or LLDP advertisement from the device for a specified time period Unknown If a Smartport macro is applied to an interface and an error occurs the interface is assigned the Unknown status In this case the Smartpo...

Page 149: ...e View Macro Source button on the Smartport Type Settings page A macro and the corresponding anti macro are paired together in association with each Smartport type The macro applies the configuration and the anti macro removes it Two Smartport macros are paired by their names as follows macro_name for example printer no_macro_name for example no_printer the anti Smartport macro of Smartport macro ...

Page 150: ...d the Reset Operation A Smartport macro might fail if there is a conflict between the existing configuration of the interface and a Smartport macro When a Smartport macro fails a SYSLOG message containing the following parameters is sent Port number Smartport type The line number of the failed CLI command in the macro When a Smartport macro fails on an interface the status of the interface is set ...

Page 151: ...n manually assign a Smartport type to an interface from the Smartport Interface Settings Page Auto Smartport When a device is detected from an interface the Smartport macro if any that corresponds to the Smartport type of the attaching device is automatically applied Auto Smartport is enabled by default globally and at the interface level In both cases the associated anti macro is run when the Sma...

Page 152: ...e Voice VLAN for more information on enabling Auto Voice VLAN Identifying Smartport Type If Auto Smartport is globally enabled in the Properties page and at an interface in the Interface Settings page the device applies a Smartport macro to the interface based on the Smartport type of the attaching device Auto Smartport derives the Smartport types of attaching devices based on the CDP and or LLDP ...

Page 153: ... 0x01 Router TB Bridge 0x02 Wireless Access Point SR Bridge 0x04 Ignore Switch 0x08 Switch Host 0x10 Host IGMP conditional filtering 0x20 Ignore Repeater 0x40 Ignore VoIP Phone 0x80 ip_phone Remotely Managed Device 0x100 Ignore CAST Phone Port 0x200 Ignore Two Port MAC Relay 0x400 Ignore LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IET...

Page 154: ...is no conflict the matching Smartport type is applied to the interface If one of the devices is a switch the Switch Smartport type is used If one of the devices is an AP the Wireless Access Point Smartport type is used If one of the devices is an IP phone and another device is a host the ip_phone_desktop Smartport type is used If one of the devices is an IP phone desktop and the other is an IP pho...

Page 155: ...attaching device to it ages out the interface goes down or the device is rebooted Enabling Persistent status on an interface eliminates the device detection delay that otherwise occurs NOTE The persistence of the Smartport types applied to the interfaces are effective between reboots only if the running configuration with the Smartport type applied at the interfaces is saved to the startup configu...

Page 156: ...n the device and to configure a port with Auto Smartport perform the following steps STEP 1 To enable the Auto Smartport feature on the device open the Smartport Properties page Set Administrative Auto Smartport to Enable or Enable by Voice VLAN STEP 2 Select whether the device is to process CDP and or LLDP advertisements from connected devices STEP 3 Select which type of devices are to be detecte...

Page 157: ...h this procedure you can accomplish the following View the macro source Change parameter defaults Restore the parameter defaults to the factory settings 1 Open the Smartport Smartport Type Settings page 2 Select the Smartport Type 3 Click View Macro Source to view the current Smartport macro that is associated with the selected Smartport Type 4 Click Edit to open a new window in which you can modi...

Page 158: ...s STEP 1 In the Interface Settings page select the Port Type equals to checkbox STEP 2 Select Unknown and click Go STEP 3 Click Reset All Unknown Smartports Then reapply the macro as described above TIP The reason that the macro failed might be a conflict with a configuration on the interface made prior to applying the macro most often encountered with security and storm control settings a wrong p...

Page 159: ...LAN is the default Auto Smartport Device Detection Method Select whether incoming CDP LLDP or both types of packets are used to detect the Smartport type of the attaching device s At least one must be checked in order for Auto Smartport to identify devices Operational CDP Status Displays the operational status of CDP Enable CDP if Auto Smartport is to detect the Smartport type based on CDP adverti...

Page 160: ...inding an invalid macro or setting an invalid default parameter value causes all ports of this Smartport type to become unknown STEP 1 Click Smartport Smartport Type Settings STEP 2 To view the Smartport macro associated with a Smartport type select a Smartport type and click View Macro Source STEP 3 To modify the parameters of a macro select a Smartport type and click Edit STEP 4 Enter the fields...

Page 161: ...meters Enable Auto Smartport on an interface Diagnose a Smartport macro that failed upon application and caused the Smartport type to become Unknown Reapply a Smartport macro after it fails for one of the following types of interfaces switch router and AP It is expected that the necessary corrections have been made prior to clicking Reapply See the workflow area in Common Smartport Tasks section f...

Page 162: ...isplays the command at which application of the macro failed See the workflow area in Common Smartport Tasks section for troubleshooting tips Proceed to reapply the macro after correcting the problem STEP 3 Resetting all Unknown interfaces to Default type Select the Port Type equals to checkbox Select Unknown and click Go Click Reset All Unknown Smartports Then reapply the macro as described above...

Page 163: ...n or the device is rebooted Persistent is applicable only if the Smartport Application of the interface is Auto Smartport Enabling Persistent at an interface eliminates the device detection delay that otherwise occurs Macro Parameters Displays the following fields for up to three parameters in the macro Parameter Name Name of parameter in macro Parameter Value Current value of parameter in macro T...

Page 164: ...ax_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses por...

Page 165: ...cast spanning tree portfast auto printer printer macro description printer macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresse...

Page 166: ...cro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 sm...

Page 167: ... which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadc...

Page 168: ...aximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicas...

Page 169: ...ured on the port Default Values are native_vlan Default VLAN switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_camera no_ip_camera macro descr...

Page 170: ...default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_phone no_ip_phone macro de...

Page 171: ...e untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresse...

Page 172: ...rol broadcast level no smartport storm control include multicast spanning tree portfast auto switch switch macro description switch macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allow...

Page 173: ...LAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree link type point to point no_router no_router macro description No router macro keywords voice_vlan macro key desc...

Page 174: ... Series Smart Switch Administration Guide 10 no smartport storm control broadcast level no spanning tree link type ap ap macro description ap macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port ...

Page 175: ...SE Power Sourcing Equipment that delivers electrical power to connected PD Powered Devices over existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure See Device Models for information concerning PoE support on various models PoE Features PoE provides the following features Eliminates the need to run 110 220 V AC po...

Page 176: ...s which is the amount of maximum power that the PD consumes Power Consumption After the classification stage completes the PSE provides power to the PD If the PD supports PoE but without classification it is assumed to be class 0 the maximum If a PD tries to consume more power than permitted by the standard the PSE stops supplying power to the port PoE supports two modes Port Limit The maximum pow...

Page 177: ...quires more power from the device than the configured allocation allows no matter if the device is in Class Limit or Port Limit mode the device does the following Maintains the up down status of the PoE port link Turns off power delivery to the PoE port Logs the reason for turning off power Generates an SNMP trap CAUTION Consider the following when connecting switches capable of supplying PoE The ...

Page 178: ...t might consume much less than the maximum power allowed Output power is disabled during power on reboot initialization and system configuration to ensure that PDs are not damaged To configure PoE on the device and monitor current power usage STEP 1 Click Port Management PoE Properties STEP 2 Enter the values for the following fields Power Mode Select one of the following options Port Limit The ma...

Page 179: ...in two ways depending on the Power Mode Port Limit Power is limited to a specified wattage For these settings to be active the system must be in PoE Port Limit mode That mode is configured in the PoE Properties page When the power consumed on the port exceeds the port limit the port power is turned off Class Limit Power is limited based on the class of the connected PD For these settings to be act...

Page 180: ... STEP 3 Enter the value for the following field Interface Select the port to configure PoE Administrative Status Enable or disable PoE on the port Power Priority Level Select the port priority low high or critical for use when the power supply is low For example if the power supply is running at 99 usage and port 1 is prioritized as high but port 3 is prioritized as low port 1 receives power and p...

Page 181: ...tage occurrences Denied Counter Displays number of times the powered device was denied power Absent Counter Displays the number of times that power was stopped to the powered device because the powered device was no longer detected Invalid Signature Counter Displays the times an invalid signature was received Signatures are the means by which the powered device identifies itself to the PSE Signatu...

Page 182: ...Port Management PoE Configuring PoE Settings 169 Cisco Small Business 200 Series Smart Switch Administration Guide 11 ...

Page 183: ...ich they are connected VLAN Description Each VLAN is configured with a unique VID VLAN ID with a value from 1 to 4094 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag A port is a tagged member of a VLAN if all packets destine...

Page 184: ... enabled and the ingress port is not a member of the VLAN to which the packet belongs A frame is regarded as priority tagged only if the VID in its VLAN tag is 0 Frames belonging to a VLAN remain within the VLAN This is achieved by sending or forwarding a frame only to egress ports that are members of the target VLAN An egress port may be a tagged or untagged member of a VLAN The egress port Adds ...

Page 185: ... provider bridge network where the bridging is based on the S tag VID S VID only The S Tag is preserved while traffic is forwarded through the network service provider s infrastructure and is later removed by an egress device An additional benefit of QinQ is that there is no need to configure customers edge devices QinQ is enabled in the VLAN Management Interface Settings page VLAN Configuration W...

Page 186: ...omatically configures the port as an untagged member of the default VLAN A port is no longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN When the VID of the default VLAN is changed the device performs the following on all the ports in the VLAN after saving the configuration and rebooting the device Removes VLAN membership of the ports from the original default VL...

Page 187: ...ult VLAN Each VLAN must be configured with a unique VID VLAN ID with a value from 1 to 4094 The device reserves VID 4095 as the Discard VLAN All packets classified to the Discard VLAN are discarded at ingress and are not forwarded to a port To create a VLAN STEP 1 Click VLAN Management Create VLAN The Create VLAN page contains the following fields for all VLANs VLAN ID User defined VLAN ID VLAN Na...

Page 188: ...heir VLAN parameters are displayed STEP 3 To configure a Port or LAG select it and click Edit STEP 4 Enter the values for the following fields Interface Select a Port LAG Interface VLAN Mode Select the interface mode for the VLAN The options are General The interface can support all functions as defined in the IEEE 802 1q specification The interface can be a tagged or untagged member of one or mor...

Page 189: ...g frames that are classified as VLANs of which the interface is not a member Ingress filtering can be disabled or enabled on general ports It is always enabled on access ports and trunk ports STEP 5 Click Apply The parameters are written to the Running Configuration file Defining VLAN Membership The Port to VLAN and Port VLAN Membership pages display the VLAN memberships of the ports in various pr...

Page 190: ...configured from the Interface Settings page Each port or LAG appears with its current registration to the VLAN STEP 3 Change the registration of an interface to the VLAN by selecting the desired option from the following list Forbidden The interface is not allowed to join the VLAN When a port is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 40...

Page 191: ...r LAG and click Go The following fields are displayed for all interfaces of the selected type Interface Port LAG ID Mode Interface VLAN mode that was selected in the Interface Settings page Administrative VLANs Drop down list that displays all VLANs of which the interface might be a member Operational VLANs Drop down list that displays all VLANs of which the interface is currently a member LAG If ...

Page 192: ...e is in access mode or trunk mode the device automatically makes the interface an untagged member of the VLAN If the interface is in general mode you must manually configure VLAN membership STEP 5 Click Apply The settings are modified and written to the Running Configuration file STEP 6 To see the administrative and operational VLANs on an interface click Details Voice VLAN In a LAN voice devices ...

Page 193: ...es is determined by the network configuration There may or may not be separate voice and data VLANs The phones and VoIP endpoints register with an on premise IP PBX IP Centrex ITSP hosted Cisco CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model For this model the VLAN used by the phones is determined by the network configuration There may or may not be separate voice and dat...

Page 194: ...hony OUI In Telephony OUI mode the voice VLAN must be a manually configured VLAN and cannot be the default VLAN When the device is in Telephony OUI mode and a port is manually configured as a candidate to join the voice VLAN the device dynamically adds the port to the voice VLAN if it receives a packet with a source MAC address matching to one of the configured telephony OUIs An OUI is the first t...

Page 195: ... packets are possible Auto Voice VLAN Auto Smartports CDP and LLDP Defaults By factory defaults CDP LLDP and LLDP MED on the device are enabled auto Smartport mode is enabled Basic QoS with trusted DSCP is enabled and all ports are members of default VLAN 1 which is also the default Voice VLAN In addition Dynamic Voice VLAN mode is the default to Auto Voice VLAN with enabling based on trigger and ...

Page 196: ...connecting the device to a Cisco UC device you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device advertises its voice VLAN in CDP at the port It synchronizes the voice VLAN related parameters with other Auto Voice VLAN enabled switches using Voice Service Discovery Protocol VSDP The device always configures itself with the voice VLAN fr...

Page 197: ...ings by using LLDP MED Network policies The LLDP MED is set by default to response with the Voice QoS setting if an appliance sends LLDP MED packets MED supported devices must send their voice traffic with the same CoS 802 1p and DSCP values as received with the LLDP MED response You can disable the automatic update between Voice VLAN and LLDP MED and use his own network policies Working with the ...

Page 198: ... on Auto Voice VLAN Auto Smartports CDP and LLDP cover most common voice deployment scenarios This section describes how to deploy voice VLAN when the default configuration does not apply Workflow1 To configure Auto Voice VLAN STEP 1 Open the VLAN Management Voice VLAN Properties page STEP 2 Select the Voice VLAN ID It cannot be set to VLAN ID 1 this step is not required for dynamic Voice VLAN STE...

Page 199: ...ure Telephony OUI in the Telephony OUI page STEP 3 Configure Telephony OUI VLAN membership for ports in the Telephony OUI Interface page Configuring Voice VLAN This section describes how to configure voice VLAN It covers the following topics Configuring Voice VLAN Properties Displaying Auto Voice VLAN Settings Configuring Telephony OUI Configuring Voice VLAN Properties Use the Voice VLAN Propertie...

Page 200: ...ed CoS 802 1p Select a CoS 802 1p value that to be used by LLDP MED as a voice network policy Refer to Administration Discovery LLDP LLDP MED Network Policy for additional details DSCP Selection of DSCP values that to be used by the LLDP MED as a voice network policy Refer to Administration Discovery LLDP LLDP MED Network Policy for additional details Dynamic Voice VLAN Select this field to disabl...

Page 201: ... discovery and synchronization process on all the switches in the LAN that are Auto Voice VLAN enabled NOTE This only resets the voice VLAN to the default voice vlan if the Source Type is in the Inactive state To view Auto Voice VLAN parameters STEP 1 Click VLAN Management Voice VLAN Auto Voice VLAN The Operation Status block on this page shows the information about the current voice VLAN and its ...

Page 202: ...e configuration was done on the device itself If an interface appears a voice configuration was received from a neighbor Source MAC Address MAC address of a UC from which the voice configuration was received Source Type Type of UC from which voice configuration was received The following options are available Default Default voice VLAN configuration on the device Static User defined voice VLAN con...

Page 203: ...and the port on which they are seen to be automatically assigned to a Voice VLAN The OUI Global table can hold up to 128 OUIs This section covers the following topics Adding OUIs to the Telephony OUI Table Adding Interfaces to Voice VLAN on Basis of OUIs Adding OUIs to the Telephony OUI Table Use the Telephony OUI page to configure Telephony OUI QoS properties In addition the Auto Membership Aging...

Page 204: ...ect the top checkbox All the OUIs are selected and can be deleted by clicking Delete If you then click Restore the system recovers the known OUIs STEP 4 To add a new OUI click Add STEP 5 Enter the values for the following fields Telephony OUI Enter a new OUI Description Enter an OUI name STEP 6 Click Apply The OUI is added to the Telephony OUI Table Adding Interfaces to Voice VLAN on Basis of OUIs...

Page 205: ...To configure an interface to be a candidate port of the telephony OUI based voice VLAN click Edit STEP 3 Enter the values for the following fields Interface Select an interface Telephony OUI VLAN Membership If enabled the interface is a candidate port of the telephony OUI based voice VLAN When packets that match one of the configured telephony OUI are received the port is added to the voice VLAN V...

Page 206: ...VLAN Management Voice VLAN 193 Cisco Small Business 200 Series Smart Switch Administration Guide 12 ...

Page 207: ...hanges so that the data transfer is made possible the links are automatically re activated Loops occur when alternate routes exist between hosts Loops in an extended network can cause switches to forward traffic indefinitely resulting in increased traffic load and reduced network efficiency STP provides a tree topology for any arrangement of switches and interconnecting links by creating a unique ...

Page 208: ...ee STP Status Global Settings STEP 2 Enter the parameters Global Settings Spanning Tree State Enable or disable STP on the device STP Operation Mode Select an STP mode BPDU Handling Select how Bridge Protocol Data Unit BPDU packets are managed when STP is disabled on the port or the device BPDUs are used to transmit spanning tree information Filtering Filters BPDU packets when Spanning Tree is dis...

Page 209: ... own configuration Forward Delay Set the interval in seconds that a bridge remains in a learning state before forwarding packets For more information refer to Defining Spanning Tree Interface Settings Designated Root Bridge ID The bridge priority concatenated with the MAC address of the device Root Bridge ID The Root Bridge priority concatenated with the MAC address of the Root Bridge Root Port Th...

Page 210: ...nvergence The options are Enable Enables Fast Link immediately Auto Enables Fast Link a few seconds after the interface becomes active This allows STP to resolve loops before enabling Fast Link Disable Disables Fast Link NOTE It is recommended to set the value to Auto so that the device sets the port to fast link mode if a host is connected to it or sets it as a regular STP port if connected to an...

Page 211: ...Filtering Filters BPDU packets when Spanning Tree is disabled on an interface Flooding Floods BPDU packets when Spanning Tree is disabled on an interface Path Cost Set the port contribution to the root path cost or use the default cost generated by the system Priority Set the priority value of the port The priority value influences the port choice when a bridge has two ports connected in a loop Th...

Page 212: ...ce settings are written to the Running Configuration file Configuring Rapid Spanning Tree Settings Rapid Spanning Tree Protocol RSTP enables a faster STP convergence without creating forwarding loops The RSTP Interface Settings page enables you to configure RSTP per port Any configuration that is done on this page is active when the global STP mode is set to RSTP To enter RSTP settings STEP 1 Clic...

Page 213: ...as opposed to high speed Auto Automatically determines the device status by using RSTP BPDUs Point to Point Operational Status Displays the Point to Point operational status if the Point to Point Administrative Status is set to Auto Role Displays the role of the port that was assigned by STP to provide STP paths The possible roles are Root Lowest cost path to forward packets to the Root Bridge Des...

Page 214: ...ace becomes active Port Status Displays the RSTP status on the specific port Disabled STP is currently disabled on the port Blocking The port is currently blocked and it cannot forward traffic or learn MAC addresses Listening The port is in Listening mode The port cannot forward traffic and cannot learn MAC addresses Learning The port is in Learning mode The port cannot forward traffic however it ...

Page 215: ...t appears in a frame arriving at the device is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the device before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the device the device searches for a corresponding matching destination MA...

Page 216: ...tic addresses STEP 2 Click Add STEP 3 Enter the parameters VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after rebooting...

Page 217: ...ng Time The aging time is a value between the user configured value and twice that value minus 1 For example if you entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Querying Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses STEP 2 In the Filter block you can enter the following query criteria...

Page 218: ...Managing MAC Address Tables Managing Dynamic MAC Addresses 205 Cisco Small Business 200 Series Smart Switch Administration Guide 14 To delete all of the dynamic MAC addresses click Clear Table ...

Page 219: ...Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel in t...

Page 220: ...in this section is mostly for IGMP it also describes coverage of MLD where implied These queries reach the device which in turn floods the queries to the VLAN and also learns the port where there is a Multicast router Mrouter When a host receives the IGMP query message it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a spec...

Page 221: ...LD snooping is enabled in a device on a VLAN it analyzes the IGMP MLD packets it receives from the VLAN connected to the device and Multicast routers in the network When a device learns that a host is using IGMP MLD messages to register to receive a Multicast stream optionally from a specific source the device adds the registration to its Multicast Forwarding Data Base MFDB IGMP MLD snooping can e...

Page 222: ... status By default all Multicast frames are flooded to all ports of the VLAN To selectively forward only to relevant ports and filter drop the Multicast on the rest of the ports enable Bridge Multicast filtering status in the Properties page If filtering is enabled Multicast frames are forwarded to a subset of the ports in the relevant VLAN as defined in the Multicast Forwarding Data Base Multicas...

Page 223: ...e Multicast filtering and select the forwarding method STEP 1 Click Multicast Properties STEP 2 Enter the parameters Bridge Multicast Filtering Status Select to enable filtering VLAN ID Select the VLAN ID to set its forwarding method Forwarding Method for IPv6 Set one of the following forwarding methods for IPv6 addresses MAC Group Address IP Group Address or Source Specific IP Group Address Forwa...

Page 224: ... viewing the forwarding information when the mode is IP Address Group or IP and Source Group use the IP Multicast Group Address page To define and view MAC Multicast groups STEP 1 Click Multicast MAC Group Address STEP 2 Enter the parameters VLAN ID Equals To Set the VLAN ID of the group to be displayed MAC Group Address Equals To Set the MAC address of the Multicast group to be displayed If no MA...

Page 225: ... interface to the Multicast group as a static member Dynamic Indicates that the interface was added to the Multicast group as a result of IGMP MLD snooping Forbidden Specifies that this port is not allowed to join this group on this VLAN None Specifies that the port is not currently a member of this Multicast group on this VLAN STEP 10 Click Apply and the Running Configuration file is updated NOTE...

Page 226: ...he Multicast group is only defined by destination STEP 3 Click Go The results are displayed in the lower block STEP 4 Click Add to add a static IP Multicast Group Address STEP 5 Enter the parameters VLAN ID Defines the VLAN ID of the group to be added IP Version Select the IP address type IP Multicast Group Address Define the IP address of the new Multicast group Source Specific Indicates that the...

Page 227: ...page By default a Layer 2 device forwards Multicast frames to all ports of the relevant VLAN essentially treating the frame as if it were a Broadcast With IGMP Snooping the device forwards Multicast frames to ports that have registered Multicast clients NOTE The device supports IGMP Snooping only on static VLANs It does not support IGMP Snooping on dynamic VLANs When IGMP Snooping is enabled globa...

Page 228: ...k traffic for the selected VLAN Operational IGMP Snooping Status Displays the current status of the IGMP Snooping for the selected VLAN MRouter Ports Auto Learn Enable or disable auto learning of the ports to which the Mrouter is connected Query Robustness Enter the Robustness Variable value to be used if this device is the elected querier Operational Query Robustness Displays the robustness varia...

Page 229: ...cast stream sent to a member port when an IGMP Group Leave message is received on that port STEP 5 Click Apply The Running Configuration file is updated MLD Snooping Hosts use the MLD protocol to report their participation in Multicast sessions and the device uses MLD snooping to build Multicast membership lists It uses these lists to forward Multicast packets only to device ports where there are ...

Page 230: ...ic definitions are preserved when the system is rebooted To enable MLD Snooping STEP 1 Click Multicast MLD Snooping STEP 2 Enable or disable MLD Snooping Status When MLD Snooping is globally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering are...

Page 231: ... calculate the Maximum Response Code inserted into the General Queries Last Member Query Counter Enter the Last Member Query Count to be used if the device cannot derive the value from the messages sent by the elected querier Operational Last Member Query Counter Displays the operational value of the Last Member Query Counter Last Member Query Interval Enter the Maximum Response Delay to be used i...

Page 232: ...up MAC address or IP address to query Source Address equals to Defines the sender address to query VLAN ID equals to Defines the VLAN ID to query STEP 4 Click Go The following fields are displayed for each Multicast group VLAN The VLAN ID Group Address The Multicast group MAC address or IP address Source Address The sender address for all of the specified group ports Included Ports The list of des...

Page 233: ...figured as a Multicast router port by a MLD IGMP query To enable the dynamic learning of Multicast router ports go to the Multicast IGMP Snooping page and the Multicast MLD Snooping page Forbidden This port is not to be configured as a Multicast router port even if IGMP or MLD queries are received on this port If Forbidden is enabled on a port Mrouter is not learned on this port i e MRouter Ports ...

Page 234: ...ams even if IGMP MLD snooping designated the port to join a Multicast group None The port is not currently a Forward All port STEP 5 Click Apply The Running Configuration file is updated Defining Unregistered Multicast Settings Multicast frames are generally forwarded to all ports in the VLAN If IGMP MLD Snooping is enabled the device learns about the existence of Multicast groups and monitors whi...

Page 235: ... in the network To define unregistered Multicast settings STEP 1 Click Multicast Unregistered Multicast STEP 2 Define the following Interface Type equals to The view as all ports or all LAGs Port LAG Displays the port or LAG ID Unregistered Multicast Displays the forwarding status of the selected interface The possible values are Forwarding Enables forwarding of unregistered Multicast frames to th...

Page 236: ...Multicast Defining Unregistered Multicast Settings 223 Cisco Small Business 200 Series Smart Switch Administration Guide 15 ...

Page 237: ...nd default gateway are configured on the IPv4 Interface page The device uses the default gateway if configured to communicate with devices that are not in the same IP subnet as the device By default VLAN 1 is the management VLAN but this can be modified The device can only be reached at the configured IP address through its management VLAN The factory default setting of the IPv4 address configurat...

Page 238: ...anged the device issues gratuitous ARP packets to the corresponding VLAN to check IP address collisions This rule also applies when the device reverts to the default IP address The system status LED changes to solid green when a new unique IP address is received from the DHCP server If a static IP address has been set the system status LED also changes to solid green The LED flashes when the devic...

Page 239: ...eived from a DHCP server it is saved as the server s host name DHCP option 12 will not be requested by the device The DHCP server must be configured to send option 12 regardless of what is requested in order to make use of this feature If a static IP address is used configure the following fields IP Address Enter the IP address and configure one of the following Mask fields Network Mask Select and...

Page 240: ... subnets directly connected to it A directly connected IP subnet is the subnet to which an IPv4 interface of the device is connected When the device is required to send route a packet to a local device it searches the ARP table to obtain the MAC address of the device The ARP table contains both static and dynamic addresses Static addresses are manually configured and do not age out The device crea...

Page 241: ...ctly connected IP subnet where the IP device resides IP Address The IP address of the IP device MAC Address The MAC address of the IP device Status Whether the entry was manually entered or dynamically learned STEP 4 Click Add STEP 5 Enter the parameters IP Version The IP address format supported by the host Only IPv4 is supported VLAN In Layer 2 displays the management VLAN ID For devices in Laye...

Page 242: ...r of the DHCP client that is used by the DHCP server to locate the client It can be in one of the following formats Link Layer Default If you select this option the MAC address of the device is used Enterprise Number If you select this option enter the following fields Enterprise Number The vendors registered Private Enterprise number as maintained by IANA Identifier The vendor defined hex string ...

Page 243: ...User Defined to set a value Information Refresh Time This value indicates how often the device will refresh information received from the DHCPv6 server If this option is not received from the server the value entered here is used Select either Infinite no refresh unless the server sends this option or User Defined to set a value STEP 5 To configure additional IPv6 parameters enter the following fi...

Page 244: ...initiate refresh of the stateless information received from the DHCPv6 server DHCPv6 Client Details The DHCPv6 Client Details button displays information received on the interface from a DHCPv6 server It is active when the interface selected is defined as a DHCPv6 stateless client When the button is pressed it displays the following fields for the information that was received from the DHCP server...

Page 245: ... IPv4 address and a destination IPv4 address The IPv6 packet is encapsulated between these addresses ISATAP Tunnels The type of tunnel that can be configured on the device is called an Intra Site Automatic Tunnel Addressing Protocol ISATAP tunnel which is a point to multi point tunnel The source address is the IPv4 address of the device When configuring an ISATAP tunnel the destination IPv4 addres...

Page 246: ...nt to the Interface option in Layer 3 because in Layer 2 there is only one interface NOTE If the IPv4 address is changed the local address of the tunnel interface is also changed None Disable the tunnel Manual Enter the IPv4 source address to be used ISATAP Router Name A global string that represents a specific automatic tunnel router domain name The name can either be the default name ISATAP or a...

Page 247: ...dress is supported If a link local address exists on the interface this entry replaces the address in the configuration Global An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks IPv6 Address In Layer 2 the device supports one IPv6 interface In addition to the default link local and Multicast addresses the device also automatically adds global addre...

Page 248: ... IP addresses are removed Dynamic IP addresses cannot be removed An alert message appears after an attempt is made to insert more than a single user defined address An alert message appears when attempting to insert a non link local type address meaning fe80 To define a default router STEP 1 Click Administration Management Interface IPv6 Default Router List This page displays the following fields ...

Page 249: ... outgoing Link Local interface Default Router IPv6 Address The IP address of the default router STEP 4 Click Apply The default router is saved to the Running Configuration file Defining IPv6 Neighbors Information The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv6 interface The IPv6 Neighbor Table also known as IPv6 Neighbor Discovery Cache displays the M...

Page 250: ... specified IPv6 address Type Neighbor discovery cache information entry type static or dynamic State Specifies the IPv6 neighbor status The values are Incomplete Address resolution is working The neighbor has not yet responded Reachable Neighbor is known to be reachable Stale Previously known neighbor is unreachable No action is taken to verify its reachability until traffic must be sent Delay Pre...

Page 251: ... subnet as the device In addition to the default route the table also contains dynamic routes that are ICMP redirect routes received from IPv6 routers by using ICMP redirect messages This could happen when the default router the device uses is not the router for traffic to which the IPv6 subnets that the device wants to communicate To view IPv6 routes STEP 1 Click Administration Management Interfa...

Page 252: ...ue Lifetime Time period during which the packet can be sent and resent before being deleted Route Type How the destination is attached and the method used to obtain the entry The following values are Local A directly connected network whose prefix is derived from a manually configured device s IPv6 address Dynamic The destination is an indirectly attached remote IPv6 subnet address The entry was o...

Page 253: ...e device sends DNS query packets after the number of retries has been exhausted Use Default Select to use the default value This value 2 Polling Retries 1 Polling Timeout User Defined Select to enter a user defined value Default Parameters Enter the following default parameters Default Domain Name Enter the DNS domain name used to complete unqualified host names The device appends this to all non ...

Page 254: ...ntry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select the interface through which it is received DNS Server IP Address Enter the DNS server IP address DNS Server State Select to activate the new DNS server STEP 5 Click Apply The DNS ser...

Page 255: ...er or and an entry for each IP address configured on the device by DHCP There can be 256 dynamic entries Name resolution always begins by checking static entries continues by checking the dynamic entries and ends by sending requests to the external DNS server Eight IP addresses are supported per DNS server per host name To add a host name and its IP address STEP 1 Click IP Configuration Domain Nam...

Page 256: ... identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other ne...

Page 257: ...pics below Permission to administer the device is described in the following sections Defining Users Configuring RADIUS Configuring Management Access Authentication Defining Management Access Method SSL Server SSL Server Protection from attacks directed at the device CPU is described in the following sections Configuring TCP UDP Services Defining Storm Control Access control of end users to the ne...

Page 258: ... Accounts The User Accounts page enables entering additional users that are permitted to access to the device or changing the passwords of existing users After adding a user as described below the default user is removed from the system NOTE It is not permitted to delete all users If all users are selected the Delete button is disabled To add a new user STEP 1 Click Administration User Accounts Th...

Page 259: ...password again Password Strength Meter Displays the strength of password The policy for password strength and complexity are configured in the Password Strength page STEP 5 Click Apply The user is added to the Running Configuration file of the device Setting Password Complexity Rules Passwords are used to authenticate users accessing the device Simple passwords are potential security hazards There...

Page 260: ...e of the characters Do not repeat or reverse the manufacturers name or any variant reached by changing the case of the characters STEP 4 If the Password Complexity Settings are enabled the following parameters may be configured Minimal Password Length Enter the minimal number of characters required for passwords NOTE A zero length password no password is allowed and can still have password aging a...

Page 261: ...ess control for all of its devices In this way authentication and authorization can be handled on a single server for all devices in the organization The device can act as a RADIUS client that uses the RADIUS server for the following services Authentication Provides authentication of regular and 802 1X users logging onto the device by using usernames and user defined passwords Authorization Perfor...

Page 262: ... uses the values in these fields Retries Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred Timeout for Reply Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query or switching to the next server Dead Time Enter the number of minutes that elapse before a non responsiv...

Page 263: ...lobal The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 Address Type Link Local is selected from the list Server IP Address Name Enter the RADIUS server by IP address or name Priority Enter the priority of the server The priority determines the order the device attempts to contact the server...

Page 264: ...2 1x authentication All RADIUS server is used for authenticating user that ask to administer the device and for 802 1X authentication STEP 5 To display sensitive data in plaintext form in the configuration file click Display Sensitive Data As Plaintext STEP 6 Click Apply The RADIUS server definition is added to the Running Configuration file of the device Configuring Management Access Authenticati...

Page 265: ...User is authenticated on a RADIUS server You must have configured one or more RADIUS servers None User is allowed to access the device without authentication Local Username and password are checked against the data stored on the local device These username and password pairs are defined in the User Accounts page NOTE The Local or None authentication method must always be selected last All authenti...

Page 266: ...ed and enables selecting one access profile to be the active one When a user attempts to access the device through an access method the device looks to see if the active access profile explicitly permits management access to the device through this method If no match is found access is denied When an attempt to access the device is in violation of the active access profile the device generates a S...

Page 267: ...es as packets are matched on a first match basis One is the highest priority Management Method Select the management method for which the rule is defined The options are All Assigns all management methods to the rule HTTP Users requesting access to the device that meets the HTTP access profile criteria are permitted or denied Secure HTTP HTTPS Users requesting access to the device that meets the H...

Page 268: ...ly The access profile is written to the Running Configuration file You can now select this access profile as the active access profile Defining Profile Rules Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device and the access methods that may be used Each rule in an access profile contains an action and criteria one or more parameters to match E...

Page 269: ... are permitted or denied Secure HTTP HTTPS Users requesting access to the device that meets the HTTPS access profile criteria are permitted or denied SNMP Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied Action Select Permit to permit the users that attempt to access the device by using the configured access method from the interface and IP ...

Page 270: ...dress prefix STEP 5 Click Apply and the rule is added to the access profile SSL Server This section describes the Secure Socket Layer SSL feature SSL Overview The Secure Socket Layer SSL feature is used to open an HTTPS session to the device An HTTPS session may be opened with the default certificate that exists on the device Some browsers generate warnings when using a default certificate since t...

Page 271: ...e is valid Valid To Specifies the date up to which the certificate is valid Certificate Source Specifies whether the certificate was generated by the system Auto Generated or the user User Defined STEP 2 Select an active certificate STEP 3 You can perform one of the following actions by clicking the relevant button Edit Select one of the certificates and enter the following fields for it Regenerat...

Page 272: ...e RSA public key Private Key Encrypted Select and copy in the RSA private key in encrypted form Private Key Plaintext Select and copy in the RSA private key in plain text form Display Sensitive Data as Encrypted Click this button to display this key as encrypted When this button is clicked the private keys are written to the configuration file in encrypted form when Apply is clicked Details Displa...

Page 273: ... Service Indicates whether the SNMP service is enabled or disabled SSH Service Indicates whether the SSH server service is enabled or disabled The TCP Service Table displays the following fields for each service Service Name Access method through which the device is offering the TCP service Type IP protocol the service uses Local IP Address Local IP address through which the device is offering the...

Page 274: ...me is turned into many creating the potential for a traffic storm Storm protection enables you to limit the number of frames entering the device and to define the types of frames that are counted towards this limit When the rate of Broadcast Multicast or Unknown Unicast frames is higher than the user defined threshold frames received beyond the threshold are discarded To define Storm Control STEP ...

Page 275: ...rity can be increased by limiting access on a port to users with specific MAC addresses The MAC addresses can be either dynamically learned or statically configured Port security monitors received and learned packets Access to locked ports is limited to users with specific MAC addresses Port Security has four modes Classic Lock All learned MAC addresses on the port are locked and the port does not...

Page 276: ...s is not learned on that port In addition to one of these actions you can also generate traps and limit their frequency and number to avoid overloading the devices NOTE To use 802 1X on a port it must be in multiple host or multi session modes Port security on a port cannot be set if the port is in single mode see the 802 1x Host and Session Authentication page To configure port security STEP 1 Cl...

Page 277: ...Allowed Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected The number 0 indicates that only static addresses are supported on the interface Action on Violation Select an action to be applied to packets arriving on a locked port The options are Discard Discards packets from any unlearned source Forward Forwards packets from an...

Page 278: ... device can be a supplicant and an authenticator at a port simultaneously requesting port access and granting port access However this device is only the authenticator and does not take on the role of a supplicant The following varieties of 802 1X exist Single session 802 1X Single session single host In this mode the device as an authenticator supports a single 802 1x session and grants permissio...

Page 279: ...nticated Hosts page Defining 802 1X Properties The 802 1X Properties page is used to globally enable 802 1X and define how ports are authenticated For 802 1X to function it must be activated both globally and individually on each port To define port based authentication STEP 1 Click Security 802 1X Properties STEP 2 Enter the parameters Port Based Authentication Enable or disable port based 802 1X...

Page 280: ... for all ports STEP 2 Select a port and click Edit STEP 3 Enter the parameters Interface Select a port User Name Displays the username Current Port Control Displays the current port authorization state If the state is Authorized the port is either authenticated or the Administrative Port Control is Force Authorized Conversely if the state is Unauthorized then the port is either not authenticated o...

Page 281: ...r displays the state of the authentication in progress After the port is authenticated the state is shown as Authenticated Quiet Period Enter the number of seconds that the device remains in the quiet state following a failed authentication exchange Resending EAP Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol EAP request identity frame fro...

Page 282: ...user and must be authenticated Filtering is based on the source MAC address To define 802 1X advanced settings for ports STEP 1 Click Security 802 1X Host and Session Authentication 802 1X authentication parameters are described for all ports All fields except the following are described in the Edit Host and Session Authentication page Status Displays the host status An asterisk indicates that the...

Page 283: ...AC address The options are Protect Discard Discards the packets Restrict Forward Forwards the packets Shutdown Discards the packets and shuts down the port The ports remains shut down until reactivated or until the device is rebooted Traps on single host violation Select to enable traps Trap Frequency on Single Host Violation Defines how often traps are sent to the host This field can be defined o...

Page 284: ...ce is the use of SCT SCT is enabled by default on the device and cannot be disabled The Cisco device is an advanced device that handles management traffic protocol traffic and snooping traffic in addition to end user TCP traffic SCT ensures that the device receives and processes management and protocol traffic no matter how much total traffic is received This is done by rate limiting TCP traffic t...

Page 285: ...evice and should be blocked A definition of what constitutes a SYN attack can be set in the SYN Protection page When the device identifies such an attack on an interface it is reported in this page Defense Against DoS Attacks The Denial of Service DoS Prevention feature assists the system administrator in resisting DoS attacks in the following ways Enable TCP SYN protection If this feature is enab...

Page 286: ...able this feature SYN Protection The network ports might be used by hackers to attack the device in a SYN attack which consumes TCP resources buffers and CPU power Since the CPU is protected using SCT TCP traffic to the CPU is limited However if one or more ports are attacked with a high rate of SYN packets the CPU receives only the attacker packets thus creating Denial of Service When using the S...

Page 287: ...e applied on the port SYN Protection Period Time in seconds before unblocking the SYN packets the deny SYN with MAC to me rule is unbound from the port STEP 3 Click Apply SYN protection is defined and the Running Configuration file is updated The SYN Protection Interface Table displays the following fields for every port or LAG as requested by the user Current Status Interface status The possible ...

Page 288: ...Security Denial of Service Prevention 275 Cisco Small Business 200 Series Smart Switch Administration Guide 17 ...

Page 289: ...tween an SSH client in this case the device and an SSH server SSH client helps the user manage a network composed of one or more switches in which various system files are stored on a central SSH server When configuration files are transferred over a network Secure Copy SCP which is an application that utilizes the SSH protocol ensures that sensitive data such as username password cannot be interc...

Page 290: ...th on the device and on the SSH server although this guide does not describe server operations The following illustrates a typical network configuration in which the SCP feature might be used Typical Network Configuration Protection Methods When data is transferred from an SSH server to a device client the SSH server uses various methods for client authentication These are described below Password...

Page 291: ...device when it is booted One of these keys is used to encrypt the data being downloaded from the SSH server The RSA key is used by default If the user deletes one or both of these keys they are regenerated The public private keys are encrypted and stored in the device memory The keys are part of the device configuration file and the private key can be displayed to the user in encrypted or plaintex...

Page 292: ...rver for a maximum of 16 servers and contains the following information Server IP address host name Server public key fingerprint When SSH server authentication is enabled the SSH client running on the device authenticates the SSH server using the following authentication process The device calculates the fingerprint of the received SSH server s public key The device searches the SSH Trusted Serve...

Page 293: ...auto configuration of an out of box device device with factory default configuration SSH server authentication is disabled by default Supported Algorithms When the connection between a device as an SSH client and an SSH server is established the client and SSH server exchange data in order to determine the algorithms to use in the SSH transport layer The following algorithms are supported on the c...

Page 294: ...ge STEP 2 If the password method was selected perform the following steps a Create a global password in the SSH User Authentication page or create a temporary one in the Upgrade Backup Firmware Language or Backup Configuration Log pages when you actually activate the secure data transfer b Upgrade the firmware boot image or language file using SCP by selecting the via SCP over SSH option in the Up...

Page 295: ...rate a public private key in the SSH User Authentication page STEP 2 Set the SSD properties and create a new local passphrase in the Secure Sensitive Data Management Properties page STEP 3 Click Details to view the generated encrypted keys and copy them including the Begin and End footers from the Details page to an external device Copy the public and private keys separately STEP 4 Log on to anoth...

Page 296: ...his is the default setting If this is selected enter a password or retain the default one By RSA Public Key If this is selected create an RSA public and Private key in the SSH User Key Table block By DSA Public Key If this is selected create a DSA public private key in the SSH User Key Table block STEP 3 Enter the Username no matter what method was selected or user the default username This must m...

Page 297: ...ine the trusted servers STEP 1 Click Security SSH Client SSH Server Authentication STEP 2 Select Enable to enable SSH server authentication STEP 3 Click Add and enter the following fields for the SSH trusted server Server Definition Select one of the following ways to identify the SSH server By IP Address If this is selected enter the IP address of the server in the fields below By Name If this is...

Page 298: ...uely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from othe...

Page 299: ...Properties Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In addition SSD enable...

Page 300: ...tive data The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An SSD rule is uniquely identified by its use...

Page 301: ...annel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifies that this rule applies only to insecure channels Depending on the device it may support some or all of the following insecure channels Telnet TFTP and HTTP Secure XML SNMP ...

Page 302: ...following options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read mode is Encrypted the user defined read permission prevails Exclude Do not allow reading sensitive data Encrypted Sensitive data is presented in encrypted form Plaintext Sensitive data is presented in plaintext form Each mana...

Page 303: ...s is considered to be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users SNMP community names are not used as user names to match SSD rules Access by a specific SNMPv3 user can be controlled by configuring an SSD rule with a user name matching the SNMPv3 user name There must always be at least one rule with read permission Plain...

Page 304: ...ommunication through external authentication servers such as RADIUS and TACACS servers The configuration of the secure communication to the external authentication servers are sensitive data and are protected under SSD NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternate cha...

Page 305: ...the following occurs User changes it again Session is terminated The read permission of the SSD rule that is applied to the session user is changed and is no longer compatible with the current read mode of the session In this case the session read mode returns to the default read mode of the SSD rule SSD Properties SSD properties are a set of parameters that in conjunction with the SSD rules defin...

Page 306: ...configuration file or in the CLI GUI If better security and protection are desired an administrator should configure SSD on a device to use a user defined passphrase instead of the default passphrase A user defined passphrase should be treated as a well guard secret so that the security of the sensitive data on the device is not compromised A user defined passphrase can be configured manually in p...

Page 307: ...crypted sensitive data in a configuration file from devices that do not have the passphrase This mode should be used when a user does not want to expose the passphrase in a configuration file After a device is reset to the factory default its local passphrase is reset to the default passphrase As a result the device will be not able to decrypt any sensitive data encrypted based on a user defined p...

Page 308: ...n manually upload and download a configuration file to and from a remote file server A device can automatically download its Startup Configuration from a remote file server during the auto configuration stage using DHCP Configuration files stored on remote file servers are referred to as remote configuration files A Running Configuration file contains the configuration currently being used by a de...

Page 309: ...rol end respectively Startup Configuration File The device currently supports copying from the Running Backup Mirror and Remote Configuration files to a Startup Configuration file The configurations in the Startup Configuration are effective and become the Running Configuration after reboot A user can retrieve the sensitive data encrypted or in plaintext from a startup configuration file subject t...

Page 310: ...igures the Startup Configuration file with the passphrase that is used to generate the key to decrypt the sensitive data in the source configuration file Any SSD configurations that are not found are reset to the default If there is an SSD control block in the source configuration file and the file contains plaintext sensitive data excluding the SSD configurations in the SSD control block the file...

Page 311: ...e the File SSD Indicator in a Mirror Configuration file always indicates that the file contains encrypted sensitive data By default auto mirror configuration service is enabled To configure auto mirror configuration to be enabled or disabled click Administration File Management Configuration File Properties A user can display copy and upload the complete mirror and backup configuration files subje...

Page 312: ...the device downloads the boot file remote configuration file into the Startup Configuration file from a file server and then reboots NOTE The file server may be specified by the bootp siaddr and sname fields as well as DHCP option 150 and statically configured on the device The user can safely auto configure target devices with encrypted sensitive data by first creating the configuration file that...

Page 313: ...tes use the default anonymous user to access the SCP server SSD Management Channels Devices can be managed over management channels such as telnet SSH and web SSD categories the channels into the following types based on their security and or protocols secured insecure secure XML SNMP and insecure XML SNMP The following describes whether SSD considers each management channel to be secure or insecu...

Page 314: ...efault passphrase If a device is configured with a user defined passphrase the user is unable to activate password recovery Configuring SSD The SSD feature is configured in the following pages SSD properties are set in the Properties page SSD rules are defined in the SSD Rules page SSD Properties Only users with SSD read permission of Plaintext only or Both are allowed to set SSD properties To con...

Page 315: ...Rules Only users with SSD read permission of Plaintext only or Both are allowed to set SSD rules To configure SSD rules STEP 1 Click Security Secure Sensitive Data Management SSD Rules The currently defined rules are displayed STEP 2 To add a new rule click Add Enter the following fields User This defines the user s to which the rule applies Select one of the following options Specific User Select...

Page 316: ...any form Plaintext Only Higher read permission than above ones Users are permitted to get sensitive data in plaintext only Encrypted Only Middle read permission Users are permitted to get sensitive data as encrypted only Both Plaintext and Encrypted Highest read permission Users have both encrypted and plaintext permissions and are permitted to get sensitive data as encrypted and in plaintext Defa...

Page 317: ...y of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components Configuring QoS General Managing QoS Statistics ...

Page 318: ...raffic Class Handling Attribute Applies QoS mechanisms to various classes including bandwidth management QoS Operation When using the QoS feature all traffic of the same class receives the same treatment which consists of a single QoS action of determining the egress queue on the egress port based on the indicated QoS value in the incoming frame This is the VLAN Priority Tag VPT 802 1p value in La...

Page 319: ...kets are put into the egress queues based on the their DSCP TC value STEP 5 Designate an egress queue to each CoS 802 1p priority If the device is in CoS 802 1 trusted mode all incoming packets are put into the designated egress queues according to the CoS 802 1p priority in the packets This is done by using the CoS 802 1p to Queue page STEP 6 Enter bandwidth and rate limits in the following pages...

Page 320: ...tagged frames if Trust CoS is selected Select Restore Defaults to restore the factory CoS default setting for this interface STEP 6 Click DSCP Override Table to enter the DSCP values STEP 7 DSCP In displays the DSCP value of the incoming packet that needs to be re marked to an alternative value Select the new DSCP value to override the incoming value Select Restore Defaults to restore the factory ...

Page 321: ...Gs The list of ports LAGs is displayed QoS State displays whether QoS is enabled on the interface STEP 3 Select an interface and click Edit STEP 4 Select the Port or LAG interface STEP 5 Click to enable or disable QoS State for this interface STEP 6 Click Apply The Running Configuration file is updated Configuring QoS Queues The device supports either 4 or 8 queues for each interface selected in t...

Page 322: ...in queues are serviced until their quota has been used up and then another queue is serviced It is also possible to assign some of the lower queues to WRR while keeping some of the higher queues in strict priority In this case traffic for the strict priority queues is always sent before traffic from the WRR queues Only after the strict priority queues have been emptied is traffic from the WRR queu...

Page 323: ...Table determines the egress queues of the incoming packets based on the 802 1p priority in their VLAN Tags For incoming untagged packets the 802 1p priority is the default CoS 802 1p priority assigned to the ingress ports Default Mapping for 4 Queues 802 1p Values 0 7 7 being the highest Queue 4 queues 1 4 4 being the highest priority Notes 0 1 Background 1 1 Best Effort 2 2 Excellent Effort 3 3 C...

Page 324: ... the lowest priority queue 4 or 8 has the highest priority To map CoS values to egress queues STEP 1 Click Quality of Service General CoS 802 1p to Queue STEP 2 Enter the parameters 802 1p Displays the 802 1p priority tag values to be assigned to an egress queue where 0 is the lowest and 7 is the highest priority 802 1p Values 0 7 7 being the highest Queue 8 queues 1 8 8 is the highest priority St...

Page 325: ...s queues The DSCP to Queue Table determines the egress queues of the incoming IP packets based on their DSCP values The original VPT VLAN Priority Tag of the packet is unchanged By simply changing the DSCP to Queue mapping and the Queue schedule method and bandwidth allocation it is possible to achieve the desired quality of services in a network DSCP to Queue mapping is applicable to IP packets i...

Page 326: ...3 4 3 3 2 1 1 Table 5 DSCP to Queue Default Mapping 8 Queues System 7 is highest and 8 is used for stack control purposes DSCP 63 55 47 39 31 23 15 7 Queue 6 6 7 5 4 3 2 1 DSCP 62 54 46 38 30 22 14 6 Queue 6 6 7 5 4 3 2 1 DSCP 61 53 45 37 29 21 13 5 Queue 6 6 7 5 4 3 2 1 DSCP 60 52 44 36 28 20 12 4 Queue 6 6 7 5 4 3 2 1 DSCP 59 51 43 35 27 19 11 3 Queue 6 6 7 5 4 3 2 1 DSCP 58 50 42 34 26 18 10 2 ...

Page 327: ... 7 Queue 7 7 8 6 5 4 3 1 DSCP 62 54 46 38 30 22 14 6 Queue 7 7 8 6 5 4 3 1 DSCP 61 53 45 37 29 21 13 5 Queue 7 7 8 6 5 4 3 1 DSCP 60 52 44 36 28 20 12 4 Queue 7 7 8 6 5 4 3 1 DSCP 59 51 43 35 27 19 11 3 Queue 7 7 8 6 5 4 3 1 DSCP 58 50 42 34 26 18 10 2 Queue 7 7 8 6 5 4 3 1 DSCP 57 49 41 33 25 17 9 1 Queue 7 7 8 6 5 4 3 1 DSCP 56 48 40 32 24 16 8 0 Queue 7 7 7 8 7 7 1 2 Table 5 DSCP to Queue Defau...

Page 328: ...gress rate limit is the number of bits per second that can be received from the ingress interface Excess bandwidth above this limit is discarded The following values are entered for egress shaping Committed Information Rate CIR sets the average maximum amount of data allowed to be sent on the egress interface measured in bits per second Committed Burst Size CBS is the burst of data that is allowed...

Page 329: ...terface Committed Information Rate CIR Enter the maximum bandwidth for the egress interface Egress Committed Burst Size CBS Enter the maximum burst size of data for the egress interface in bytes of data This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit STEP 5 Click Apply The bandwidth settings are written to the Running Configuration file Configuring E...

Page 330: ... enable egress shaping on this queue Committed Information Rate CIR Enter the maximum rate CIR in Kbits per second Kbps CIR is the average maximum amount of data that can be sent Committed Burst Size CBS Enter the maximum burst size CBS in bytes CBS is the maximum burst of data allowed to be sent even if a burst exceeds CIR STEP 6 Click Apply The bandwidth settings are written to the Running Confi...

Page 331: ...d queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a low DP Interface Queue statistics are displayed for this interface Queue Packets were forwarded or tail dropped from this queue Drop Precedence Lowest drop precedence has the lowest probability of being dropped Total Packets Number of packets forwarded or tail dropped Tail...

Page 332: ...1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a low DP Interface Select the ports for which statistics are displayed The options are Port Selects the port on the selected unit number for which statistics are displayed All Ports Specifies that statistics are displayed for all ports Queue ...

Page 333: ...ics SNMP Versions and Workflow Model OIDs SNMP Engine ID Configuring SNMP Views Creating SNMP Groups Managing SNMP Users Defining SNMP Communities Defining Trap Settings Notification Recipients SNMP Notification Filters SNMP Versions and Workflow The device functions as SNMP agent and supports SNMPv1 v2 and v3 It also reports system events to trap receivers using the traps defined in the supported...

Page 334: ...defines a User Security Model USM that includes Authentication Provides data integrity and data origin authentication Privacy Protects against disclosure message content Cipher Block Chaining CBC DES is used for encryption Either authentication alone can be enabled on an SNMP message or both authentication and privacy can be enabled on an SNMP message However privacy cannot be enabled without auth...

Page 335: ...ou choose to restrict SNMP management to one address then input the address of your SNMP Management PC in the IP Address field STEP 3 Input the unique community string in the Community String field STEP 4 Optionally enable traps by using the Trap Settings page STEP 5 Optionally define a notification filter s by using the Notification Filter page STEP 6 Configure the notification recipients on the ...

Page 336: ...tion Object ID SG200 18 16 GE ports 2 GE special purpose combo ports 9 6 1 88 18 1 SG200 26 24 GE ports 2 GE special purpose combo ports 9 6 1 88 26 1 SG200 26P 24 GE ports 2 GE special purpose combo ports 9 6 1 88 26 2 SG200 50 48 GE ports 2 GE special purpose combo ports 9 6 1 88 50 1 SG200 50P 48 GE ports 2 GE special purpose combo ports 9 6 1 88 50 2 SF200 24 24 FE ports 2 GE special purpose c...

Page 337: ... the administrative domain so that no two devices in a network have the same engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize CAUTION When the engine ID is changed all configured users and groups are erased To define the SNMP engine ID STEP 1 Click SNMP Engine ID STEP 2 Choose which to use for Lo...

Page 338: ...cal address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local in...

Page 339: ...e as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected node s parent and siblings press the Down arrow to descend to the level of the selected node s children Click nodes in the view to pass from one node to its sibling Use the scrollbar to bring siblings in view User Defined Enter an OID not offered in the Select from list option S...

Page 340: ... authorized system administrator This is done for each frame Privacy SNMP frames can carry encrypted data Thus in SNMPv3 there are three levels of security No security No authentication and no privacy Authentication Authentication and no privacy Authentication and privacy SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive A group defin...

Page 341: ...igin is authenticated but does not encrypt them Authentication and Privacy Authenticates SNMP messages and encrypts them View Associating a view with the read write and notify access privileges of the group limits the scope of the MIB tree to which the group has read write and notify access View Select a previously defined view for Read Write and Notify Read Management access is read only for the ...

Page 342: ...his is done in the Engine ID page An SNMPv3 group must be available An SNMPv3 group is defined in the Groups page To display SNMP users and define new ones STEP 1 Click SNMP Users This page contains existing users STEP 2 Click Add This page provides information for assigning SNMP access control privileges to SNMP users STEP 3 Enter the parameters User Name Enter a name for the user Engine ID Selec...

Page 343: ... generating a key by the MD5 authentication method SHA Password A password that is used for generating a key by the SHA Secure Hash Algorithm authentication method Authentication Password If authentication is accomplished by either a MD5 or a SHA password enter the local user password in either Encrypted or Plaintext Local user passwords are compared to the local database and can contain up to 32 ...

Page 344: ...d Only Read Write or SNMP Admin In addition you can restrict the access to the community to only certain MIB objects by selecting a view defined in the SNMP Views page Advanced Mode The access rights of a community are defined by a group defined in the Groups page You can configure the group with a specific security model The access rights of a group are Read Write and Notify To define SNMP commun...

Page 345: ...mode there is no connection to any group You can only choose the community access level Read Only Read Write or SNMP Admin and optionally further qualify it for a specific view By default it applies to the entire MIB If this is selected enter the following fields Access Mode Select the access rights of the community The options are Read Only Management access is restricted to read only Changes can...

Page 346: ...ed in RFC 1215 The system can generate traps defined in the MIB that it supports Trap receivers aka Notification Recipients are network nodes where the trap messages are sent by the device A list of notification recipients are defined as the targets of trap messages A trap receiver entry contains the IP address of the node and the SNMP credentials corresponding to the version that is included in t...

Page 347: ... IPv4 or IPv6 IPv6 Address Type Select either Link Local or Global Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configur...

Page 348: ... of SNMP notifications sent to the management station The filters are created in the Notification Filter page Filter Name Select the SNMP filter that defines the information contained in traps defined in the Notification Filter page STEP 4 Click Apply The SNMP Notification Recipient settings are written to the Running Configuration file Defining SNMPv3 Notification Recipients To define a recipient...

Page 349: ...ipients must be created Timeout Enter the amount of time seconds the device waits before re sending informs traps Timeout Range 1 300 default 15 Retries Enter the number of times that the device resends an inform request Retries Range 1 255 default 3 User Name Select from the drop down list the user to whom SNMP notifications are sent In order to receive notifications this user must be defined on ...

Page 350: ...d Notification Recipients SNMPv3 page The notification filter enables filtering the type of SNMP notifications that are sent to the management station based on the OID of the notification to be sent To define a notification filter STEP 1 Click SNMP Notification Filter The Notification Filter page contains notification information for each filter The table is able to filter notification entries by ...

Page 351: ...ed the entered object identifier is included in the view if the Include in filter option is selected STEP 4 Select or deselect Include in filter If this is selected the selected MIBs are included in the filter otherwise they are excluded STEP 5 Click Apply The SNMP views are defined and the running configuration is updated ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands