Cisco Small Business 300 Administration Manual Download Page 339

Page: 339 / 483

Security

SSL Server

Cisco Small Business 300 Series Managed Switch Administration Guide

322

To open an HTTPS session with a user-created certificate, perform the following
actions:

1. Generate a certificate.

2. Request that the certificate be certified by a CA.

3. Import the signed certificate into the device.

Default Settings and Configuration

By default, the device contains a certificate that can be modified.

HTTPS is enabled by default.

SSL Server Authentication Settings

It may be required to generate a new certificate to replace the default certificate
found on the device.

To create a new certificate, modify an existing one, or import a certificate:

STEP 1

Click

Security > SSL Server > SSL Server Authentication Settings.

Information appears for certificate 1 and 2 in the SSL Server Key Table. These
fields are defined in the

Edit

page except for the following fields:

•

Valid From—

Specifies the date from which the certificate is valid.

•

Valid To—

Specifies the date up to which the certificate is valid.

•

Certificate Source—

Specifies whether the certificate was generated by

the system (Auto Generated) or the user (User Defined).

STEP 2

Select an active certificate.

STEP 3

You can perform one of the following actions by clicking the relevant button:

•

Edit—

Select one of the certificates and enter the following fields for it:

Regenerate RSA Key—

Select to regenerate the RSA key.

Key Length—

Enter the length of the RSA key to be generated.

Common Name—

Specifies the fully-qualified device URL or IP address.

If unspecified, defaults to the lowest IP address of the device (when the
certificate is generated).

Summary of Contents for Small Business 300

Page 1: ...Cisco Small Business 300 Series Managed Switch Administration Guide Release 1 3 ADMINISTRATION GUIDE ...

Page 2: ...ons 9 Chapter 2 Status and Statistics 12 Viewing Ethernet Interfaces 12 Viewing Etherlike Statistics 13 Viewing GVRP Statistics 15 Viewing 802 1X EAP Statistics 16 Viewing TCAM Utilization 17 Managing RMON 18 Viewing RMON Statistics 18 Configuring RMON History 20 Viewing the RMON History Table 21 Defining RMON Events Control 22 Viewing the RMON Events Logs 24 Defining RMON Alarms 24 Chapter 3 Admi...

Page 3: ...Copy Save Configuration 48 DHCP Auto Configuration 49 DHCP Server Options 50 Auto Configuration Download Protocol TFTP or SCP 50 SSH Client Authentication Parameters 51 Auto Configuration Process 51 Configuring DHCP Auto Configuration 53 Chapter 5 Administration General Information 56 Device Models 56 System Information 58 Displaying the System Summary 58 Configuring the System Settings 60 Console...

Page 4: ...7 Administration Diagnostics 84 Testing Copper Ports 84 Displaying Optical Module Status 86 MSA compatible SFPs 86 Configuring Port and VLAN Mirroring 87 Viewing CPU Utilization and Secure Core Technology 89 Chapter 8 Administration Discovery 92 Configuring Bonjour Discovery 92 Bonjour in Layer 2 System Mode 92 Bonjour in Layer 3 System Mode 93 LLDP and CDP 94 Configuring LLDP 95 LLDP Overview 96 ...

Page 5: ...t Configuration 125 Configuring Link Aggregation 128 Link Aggregation Overview 129 Load Balancing 129 Default Settings and Configuration 130 Static and Dynamic LAG Workflow 130 Defining LAG Management 131 Configuring LAG Settings 132 Configuring LACP 134 LACP Priority and Rules 134 LACP With No Link Partner 134 Setting LACP Parameter Settings 135 Configuring Green Ethernet 136 Green Ethernet Overv...

Page 6: ...port Types 153 Multiple Devices Attached to the Port 154 Persistent Auto Smartport Interface 155 Error Handling 155 Default Configuration 156 Relationships with Other Features and Backwards Compatibility 156 Common Smartport Tasks 156 Configuring Smartport Using The Web based Interface 159 Smartport Properties 159 Smartport Type Settings 160 Smartport Interface Settings 161 Built in Smartport Macr...

Page 7: ...AN Per Interface 197 Voice VLAN 198 Voice VLAN Overview 198 Dynamic Voice VLAN Modes 199 Voice End Points 200 Auto Voice VLAN Auto Smartports CDP and LLDP 200 Voice VLAN QoS 202 Voice VLAN Constraints 203 Voice VLAN Workflows 203 Configuring Voice VLAN 204 Configuring Voice VLAN Properties 205 Displaying Auto Voice VLAN Settings 206 Configuring Telephony OUI 208 Adding OUIs to the Telephony OUI Ta...

Page 8: ...Properties 226 Mapping VLANs to a MSTP Instance 227 Defining MSTP Instance Settings 228 Defining MSTP Interface Settings 229 Chapter 14 Managing MAC Address Tables 232 Types of MAC Addresses 232 Configuring Static MAC Addresses 233 Managing Dynamic MAC Addresses 234 Configuring Dynamic MAC Address Aging Time 234 Querying Dynamic Addresses 234 Defining Reserved MAC Addresses 235 Chapter 15 Multicas...

Page 9: ...ystem Mode 257 Defining IPv4 Interface in Layer 3 System Mode 258 IPv4 Routes 260 ARP 261 ARP Proxy 262 UDP Relay IP Helper 263 DHCPv4 Snooping Relay 263 DHCPv4 Snooping 263 DHCPv4 Relay 264 Transparent DHCP Relay 264 Option 82 264 Interactions Between DHCPv4 Snooping DHCPv4 Relay and Option 82 265 DHCP Snooping Binding Database 269 DHCP Trusted Ports 270 How the DHCP Snooping Binding Database is ...

Page 10: ...ion 285 IPv6 Interface 285 IPv6 Tunnel 288 Configuring Tunnels 289 Defining IPv6 Addresses 290 IPv6 Default Router List 291 Defining IPv6 Neighbors Information 293 Viewing IPv6 Route Tables 294 DHCPv6 Relay 296 Dependencies with Other Features 296 Global Destinations 296 Interface Settings 297 Domain Name 297 DNS Settings 298 Search List 299 Host Mapping 300 Chapter 17 Security 302 Defining Users ...

Page 11: ...efining Profile Rules 319 SSL Server 321 SSL Overview 321 Default Settings and Configuration 322 SSL Server Authentication Settings 322 Configuring TCP UDP Services 324 Defining Storm Control 325 Configuring Port Security 326 Configuring 802 1X 329 802 1X Parameters Workflow 332 Defining 802 1X Properties 332 Defining 802 1X Port Authentication 334 Defining Host and Session Authentication 337 View...

Page 12: ...ng IP Source Guard on Interfaces 351 Binding Database 352 Dynamic ARP Inspection 353 How ARP Prevents Cache Poisoning 354 Interaction Between ARP Inspection and DHCP Snooping 355 ARP Defaults 355 ARP Inspection Work Flow 356 Defining ARP Inspection Properties 356 Defining Dynamic ARP Inspection Interfaces Settings 357 Defining ARP Inspection Access Control 357 Defining ARP Inspection Access Contro...

Page 13: ...r 369 SSD Control Block 370 Startup Configuration File 370 Running Configuration File 371 Backup and Mirror Configuration File 372 Sensitive Data Zero Touch Auto Configuration 373 SSD Management Channels 374 Menu CLI and Password Recovery 375 Configuring SSD 375 SSD Properties 375 SSD Rules 376 Chapter 19 Security SSH Client 380 Secure Copy SCP and SSH 380 Protection Methods 381 Passwords 381 Publ...

Page 14: ...Server Authentication 393 Chapter 21 Access Control 396 Access Control Lists 396 Defining MAC based ACLs 398 Adding Rules to a MAC based ACL 399 IPv4 based ACLs 401 Defining an IPv4 based ACL 401 Adding Rules ACEs to an IPv4 Based ACL 402 IPv6 Based ACLs 405 Adding Rules ACEs for an IPv6 Based ACL 406 Defining ACL Binding 409 Chapter 22 Quality of Service 412 QoS Features and Components 413 QoS Mo...

Page 15: ...w to Configure Advanced QoS Mode 431 Configuring Global Settings 431 Configuring Out of Profile DSCP Mapping 432 Defining Class Mapping 434 QoS Policers 435 Defining Aggregate Policers 436 Configuring a Policy 437 Policy Class Maps 438 Policy Binding 440 Managing QoS Statistics 440 Policer Statistics 441 Viewing Single Policer Statistics 441 Viewing Aggregated Policer Statistics 442 Viewing Queues...

Page 16: ... Configuring SNMP Views 452 Creating SNMP Groups 453 Managing SNMP Users 455 Defining SNMP Communities 457 Defining Trap Settings 459 Notification Recipients 460 Defining SNMPv1 2 Notification Recipients 460 Defining SNMPv3 Notification Recipients 462 SNMP Notification Filters 463 ...

Page 17: ...Cisco Small Business 300 Series Managed Switch Administration Guide 16 Contents ...

Page 18: ...vigate the web based switch configuration utility If you are using a pop up blocker make sure it is disabled Browser Restrictions If you are using older versions of Internet Explorer you cannot directly use an IPv6 address to access the device You can however use the DNS Domain Name System server to create a domain name that contains the IPv6 address and then use that domain name in the address ba...

Page 19: ... requests Chinese for example and Chinese has been loaded into your device the Login page is automatically displayed in Chinese If Chinese has not been loaded into your device the Login page appears in English The languages loaded into the device have a language and country code en US en GB and so on For the Login page to be automatically displayed in a particular language based on the browser req...

Page 20: ...ase see the Launching the Configuration Utility section in the Administration Guide for additional information Select Don t show this page on startup to prevent the Getting Started page from being displayed each time that you log on to the system If you select this option the System Summary page is opened instead of the Getting Started page HTTP HTTPS You can either open an HTTP session not secure...

Page 21: ...scovers a device such as an IP phone see What is a Smartport and it configures the port appropriately for the device These configuration commands are written to the Running Configuration file This causes the Save icon to begin blinking when the you log on even though you did not make any configuration changes When you click Save the Copy Save Configuration page appears Save the Running Configurati...

Page 22: ...ge Links on the Getting Started page Category Link Name on the Page Linked Page Change Management Applications and Services TCP UDP Services page Change Device IP Address IPv4 Interface page Create VLAN Create VLAN page Configure Port Settings Port Setting page Device Status System Summary System Summary page Port Statistics Interface page RMON Statistics Statistics page View Log RAM Memory page Q...

Page 23: ...ting the following elements Type of interface The following types of interfaces are found on the various types of devices Fast Ethernet 10 100 bits These are displayed as FE Gigabit Ethernet ports 10 100 1000 bits These are displayed as GE LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Interface Number Port LAG tunnel or VLAN ID ...

Page 24: ...made that have not yet been saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the device After this save the red X icon and the Save application link are no longer displayed When the de...

Page 25: ...ls disappear and in their place are the IDs of the strings that correspond to the IDs in the language file NOTE To upgrade a language file use the Upgrade Backup Firmware Language page Logout Click to log out of the web based switch configuration utility About Click to display the device name and device version number Help Click to display the online help The SYSLOG Alert Status icon appears when ...

Page 26: ...Running Configuration to the Startup Configuration file type on the device Apply Click to apply changes to the Running Configuration on the device If the device is rebooted the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Configura...

Page 27: ... destination entry numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The Edit page appears and the entry can be modified 1 Click Apply to save the changes to the Running Co...

Page 28: ...Getting Started Window Navigation 11 Cisco Small Business 300 Series Managed Switch Administration Guide 1 ...

Page 29: ... port The refresh rate of the information can be selected This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast To display Ethernet statistics and or set the refresh rate STEP 1 Click Status and Statistics Interface STEP 2 Enter the parameters Interface Select the type of interface and specific interface for which ...

Page 30: ... Statistics area displays information about outgoing packets Total Bytes Octets Octets transmitted including bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets transmitted Multicast Packets Good Multicast packets transmitted Broadcast Packets Good Broadcast packets transmitted To clear statistics counters Click Clear Interface Counters to clear counters for ...

Page 31: ...undancy checks Single Collision Frames Frames that were involved in a single collision but were successfully transmitted Late Collisions Collisions that have been detected after the first 512 bits of data Excessive Collisions Number of transmissions rejected due to excessive collisions Oversize Packets Packets greater than 2000 octets received Internal MAC Receive Errors Frames rejected because of...

Page 32: ... which GVRP statistics are to be displayed Refresh Rate Select the time period that passes before the GVRP statistics page is refreshed The Attribute Counter block displays the counters for various types of packets per interface Join Empty Number of GVRP Join Empty packets received transmitted Empty Number of GVRP empty packets received transmitted Leave Empty Number of GVRP Leave Empty packets re...

Page 33: ...ics 802 1x EAP STEP 2 Select the Interface that is polled for statistics STEP 3 Select the time period Refresh Rate that passes before the EAP statistics are refreshed The values are displayed for the selected interface EAPOL Frames Received Valid EAPOL frames received on the port EAPOL Frames Transmitted Valid EAPOL frames transmitted by the port EAPOL Start Frames Received EAPOL Start frames rec...

Page 34: ...Viewing TCAM Utilization The device architecture uses a TCAM Ternary Content Addressable Memory to support packet actions in wire speed TCAM holds the rules produced by applications such as ACLs Access Control Lists Quality of Service QoS IP Routing and user created rules The maximum number of TCAM rules that can be allocated by all applications on the device is 512 Some applications allocate rule...

Page 35: ...e the SNMP manager does not have to poll the device frequently for information and enables the manager to get timely status reports because the device reports events as they occur With this feature you can perform the following actions View the current statistics since the counter values were cleared You can also collect the values of these counters over a period of time and then view the table of...

Page 36: ...ding Multicast and Broadcast packets Broadcast Packets Received Number of good Broadcast packets received This number does not include Multicast packets Multicast Packets Received Number of good Multicast packets received CRC Align Errors Number of CRC and Align errors that have occurred Undersize Packets Number of undersized packets less than 64 octets received Oversize Packets Number of oversize...

Page 37: ...256 to 511 Bytes Number of frames containing 256 511 bytes that were received Frames of 512 to 1023 Bytes Number of frames containing 512 1023 bytes that were received Frames greater than 1024 Bytes Number of frames containing 1024 2000 bytes and Jumbo Frames that were received To clear statistics counters Click Clear Interface Counters to clear the selected interfaces counters Click View All Inte...

Page 38: ...History table entry Source Interface Select the type of interface from which the history samples are to be taken Max No of Samples to Keep Enter the number of samples to store Sampling Interval Enter the time in seconds that samples are collected from the ports The field range is 1 3600 Owner Enter the RMON station or user that requested the RMON information STEP 4 Click Apply The entry is added t...

Page 39: ...rs CRC and Align errors that have occurred Undersize Packets Undersized packets less than 64 octets received Oversize Packets Oversized packets over 2000 octets received Fragments Fragments packets with less than 64 octets received excluding framing bits but including FCS octets Jabbers Total number of received packets that were longer than 2000 octets This number excludes frame bits but includes ...

Page 40: ...an event Notification Type Select the type of action that results from this event Values are None No action occurs when the alarm goes off Log Event Log Table Add a log entry to the Event Log table when the alarm is triggered Trap SNMP Manager and SYSLOG Server Send a trap to the remote log server when the alarm goes off Log and Trap Add a log entry to the Event Log table and send a trap to the re...

Page 41: ...as entered Description Description of event that triggered the alarm Defining RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on any counter or any other SNMP object counter maintained by the agent Both the rising and falling thresholds must be configured in the alarm After a rising threshold is crossed no rising events are gen...

Page 42: ...solute If the threshold is crossed an alarm is generated Delta Subtracts the last sampled value from the current value The difference in the values is compared to the threshold If the threshold was crossed an alarm is generated Rising Threshold Enter the value that triggers the rising threshold alarm Rising Event Select an event to be performed when a rising event is triggered Events are created i...

Page 43: ... Series Managed Switch Administration Guide 26 2 Interval Enter the alarm interval time in seconds Owner Enter the name of the user or network management system that receives the alarm STEP 4 Click Apply The RMON alarm is saved to the Running Configuration file ...

Page 44: ...Status and Statistics Managing RMON 27 Cisco Small Business 300 Series Managed Switch Administration Guide 2 ...

Page 45: ...ersists across reboots In addition you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages This section covers the following sections Setting System Log Settings Setting Remote Logging Settings Viewing Memory Logs Setting System Log Settings You can enable or disable logging on the Log Settings page and select whether to aggregate log messages You can select th...

Page 46: ...ses all of the higher severity events to be automatically stored in the log Lower severity events are not stored in the log For example if Warning is selected all severity levels that are Warning and higher are stored in the log Emergency Alert Critical Error and Warning No events with severity level below Warning are stored Notice Informational and Debug To set global log parameters STEP 1 Click ...

Page 47: ...elect the severity levels of the messages to be logged to the RAM Flash Memory Logging Select the severity levels of the messages to be logged to the Flash memory STEP 3 Click Apply The Running Configuration file is updated Setting Remote Logging Settings The Remote Log Servers page enables defining remote SYSLOG servers where log messages are sent using the SYSLOG protocol For each server you can...

Page 48: ...ter the IP address or domain name of the log server UDP Port Enter the UDP port to which the log messages are sent Facility Select a facility value from which system logs are sent to the remote server Only one facility value can be assigned to a server If a second facility code is assigned the first facility value is overridden Description Enter a server description Minimum Severity Select the min...

Page 49: ...y number Log Time Time when message was generated Severity Event severity Description Message text describing the event To clear the log messages click Clear Logs The messages are cleared Flash Memory The Flash Memory page displays the messages that were stored in the Flash memory in chronological order The minimum severity for logging is configured in the Log Settings page Flash logs remain when ...

Page 50: ...Administration System Log Viewing Memory Logs 33 Cisco Small Business 300 Series Managed Switch Administration Guide 3 ...

Page 51: ... Auto Configuration System Files System files are files that contain configuration information firmware images or boot code Various actions can be performed with these files such as selecting the firmware file from which the device boots copying various types of configuration files internally on the device or copying files to or from an external device such as an external server The possible metho...

Page 52: ... Configuration Contains the parameters currently being used by the device to operate This is the only file type that is modified when you change parameter values on the device If the device is rebooted the Running Configuration is lost The Startup Configuration stored in Flash overwrites the Running Configuration stored in RAM To preserve any changes you made to the device you must save the Runnin...

Page 53: ... Boot Code Controls the basic system startup and launches the firmware image Language File The dictionary that enables the web based configuration utility windows to be displayed in the selected language Flash Log SYSLOG messages stored in Flash memory File Actions The following actions can be performed to manage firmware and configuration files Upgrade the firmware or boot code or replace a secon...

Page 54: ...HTTPS that uses the facilities provided by the browser TFTP that requires a TFTP server Secure Copy Protocol SCP that requires an SCP server If a new language file was loaded onto the device the new language can be selected from the drop down menu It is not necessary to reboot the device There are two firmware images stored on the device One of the images is identified as the active image and othe...

Page 55: ...TFTP server Backup Specifies that a copy of the file type is to be saved to a file on another device Enter the following fields File Type Select the destination file type Only valid file types are shown The file types are described in the Files and File Types section TFTP Server Definition Select whether to specify the TFTP server by IP address or domain name IP Version Select whether an IPv4 or a...

Page 56: ...tions Then enter the following fields only unique fields are described for non unique fields see the descriptions above Remote SSH Server Authentication To enable SSH server authentication which is disabled by default click Edit This takes you to the SSH Server Authentication page to configure the SSH server and return to this page Use the SSH Server Authentication page to select an SSH user authe...

Page 57: ...dress uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPv6 type that is visible and reachable...

Page 58: ...e The page displays the following Active Image Displays the image file that is currently active on the device Active Image Version Number Displays the firmware version of the active image Active Image After Reboot Displays the image that is active after reboot Active Image Version Number After Reboot Displays the firmware version of the active image as it be after reboot STEP 2 Select the image fr...

Page 59: ...ted to meet QoS objectives with the new Queues mode See the CLI Reference Guide for a listing of these QoS commands Change Queues Mode from 8 to 4 Queue related configuration commands that conflict with the new Queues mode are rejected meaning that the download of the configuration file fails Use the System Mode and Stack Management page to change the Queues mode Change the System Mode If the Syst...

Page 60: ... need to select the IP Version related options c IPv6 Address Type Select the IPv6 address type if used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the inte...

Page 61: ...and reachable from other networks d Link Local Interface Select the link local interface from the list e TFTP Server IP Address Name Enter the IP address or domain name of the TFTP server f Source File Type Enter the source configuration file type Only valid file types are displayed The file types are described in the Files and File Types section g Sensitive Data Select how sensitive data should b...

Page 62: ...ypes are described in the Files and File Types section b Sensitive Data Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypted Include sensitive data in the backup in its encrypted form Plaintext Include sensitive data in the backup in its plaintext form NOTE The available sensitive data opti...

Page 63: ... if used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global ...

Page 64: ... SSD rules For details refer to Secure Sensitive Data Management SSD Rules page Destination File Name Name of file being copied to STEP 6 Click Apply The file is upgraded or backed up Configuration Files Properties The Configuration Files Properties page allows you to see when various system configuration files were created It also enables deleting the Startup Configuration and Backup Configuratio...

Page 65: ...Unless the Running Configuration is copied to the Startup Configuration or another configuration file all changes made since the last time the file was copied are lost when the device is rebooted The following combinations of copying internal file types are allowed From the Running Configuration to the Startup Configuration or Backup Configuration From the Startup Configuration to the Running Conf...

Page 66: ...ble this feature click Disable Enable Save Icon Blinking STEP 5 Click Apply The file is copied DHCP Auto Configuration Auto configuration enables passing configuration information to hosts on a TCP IP network Based on this protocol the Auto Configuration feature enables a device to download configuration files from a TFTP SCP server The device can be configured as a DHCPv4 client in which auto con...

Page 67: ...ient is enabled When the DHCPv6 server packets contain the configuration filename option DHCP Server Options DHCP messages might contain the configuration server name address and the configuration file name path these are optional options These options are found in the Offer message coming from the DHCPv4 servers and in the Information Reply messages coming from DHCPv6 servers Backup information c...

Page 68: ...d server list SSH Client Authentication parameters are required to access the SSH server by the client which is the device The default SSH Client authentication parameters are SSH Authentication method by username password SSH username anonymous SSH password anonymous NOTE The SSH Client authentication parameters can also be used when downloading a file for manual download a download that is not p...

Page 69: ... TFTP or SCP When downloading using SCP the device accepts any specified SCP SSH server without authentication if either of the following is true The SSH server authentication process is disabled Note that by default the SSH server authentication is disabled in order to allow downloading configuration file for devices with factory default configuration for example out of box devices The SSH Server...

Page 70: ...evice to receive configuration information from a specific file on a specific server Note the following regarding the DHCP auto configuration process A configuration file that is placed on the TFTP SCP server must match the form and format requirements of the supported configuration file The form and format of the file are checked but the validity of the configuration parameters is not checked pri...

Page 71: ...using SCP for downloading the configuration files select one of the following options Remote SSH Server Authentication Click on the Enable Disable link to navigate to the SSH Server Authentication page There you can enable authentication of the SSH server to be used for the download and enter the trusted SSH server if required SSH Client Authentication Click on the System Credentials link to enter...

Page 72: ... Interface Select the link local interface if IPv6 is used from the list Backup Server IP Address Name Enter the IP address or the name of the server to be used if no server IP address was specified in the DHCP message Backup Configuration File Name Enter the path and file name of the file to be used if no configuration file name was specified in the DHCP message STEP 4 Click Apply The parameters ...

Page 73: ...tatus Defining Idle Session Timeout Pinging a Host Traceroute Device Models All models can be fully managed through the web based switch configuration utility In Layer 2 system mode the device forwards packets as a VLAN aware bridge In Layer 3 system mode the device performs both IPv4 routing and VLAN aware bridging When the device operates in Layer 3 system mode the VLAN Rate Limit and QoS police...

Page 74: ...combo ports GE SFP 62W 8 SG300 20 SRW2016 K9 16 GE ports and 4 special purpose ports 2 uplinks and 2 combo ports N A N A SG300 28 SRW2024 K9 24 GE ports and 4 special purpose ports 2 uplinks and 2 combo ports N A N A SG300 28P SRW2024P K9 24 GE ports and 4 special purpose ports 2 uplinks and 2 combo ports 180W 24 SG300 52 SRW2048 K9 48 GE ports and 4 special purpose ports 2 uplinks and 2 combo por...

Page 75: ...plus 4 GE special purpose ports 2 uplinks and 2 combo ports N A N A SF300 48P SRW248G4P K9 48 FE ports plus 4 GE special purpose ports 2 uplinks and 2 combo ports 375W 48 SG300 52MP SG300 52MP K9 52 Port Gigabit PoE Managed Switch 740W 48 SG300 10SFP SG300 10SFP K9 10 Port Gigabit Managed SFP Switch N A N A ESW2 350G 52 ESW2 350G 52 K9 52 Port Gigabit Managed Switch N A N A ESW2 350G 52DC ESW2 350...

Page 76: ...he six furthest right hexadecimal digits System Uptime Time that has elapsed since the last reboot Current Time Current system time Base MAC Address Device MAC address Jumbo Frames Jumbo frame support status This support can be enabled or disabled by using the Port Settings page of the Port Management menu NOTE Jumbo frames support takes effect only after it is enabled and after the device is rebo...

Page 77: ...f the first language This is always English Language Version Language package version of the first or English language Language MD5 Checksum MD5 checksum of the language file PoE Power Information Maximum Available PoE Power W Maximum available power that can be delivered by the PoE Total PoE Power Consumption W Total PoE power delivered to connected PoE devices PoE Power Mode Port Limit or Class ...

Page 78: ...evice in Layer 2 system mode L3 Select to place the device in Layer 3 system mode Custom Login Screen Settings To display text on the Login page enter the text in the Login Banner text box Click Preview to view the results NOTE When you define a login banner from the web based configuration utility it also activates the banner for the CLI interfaces Console Telnet and SSH STEP 3 Click Apply to sav...

Page 79: ...on before the device is rebooted Clicking Apply does not save the configuration to the Startup Configuration For more information on files and file types see the System Files section You can back up the configuration by using Administration File Management Copy Save Configuration or clicking Save at the top of the window You can also upload the configuration from a remote device See the Download B...

Page 80: ...duled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight The reload must take place within 24 days NOTE This option can only...

Page 81: ...LAN rate limits To view and modify router resources STEP 1 Click Administration Router Resources The following fields are displayed Neighbors Count is the number of neighbors recorded on the device and TCAM Entries is the total number of TCAM entries being used for neighbors Interfaces Count is the number of IP addresses on interfaces on the device and TCAM Entries is the total number of TCAM entr...

Page 82: ...f it is incorrect an error message is displayed If it is correct the allocation is saved to the Running Configuration file and a reboot is performed Monitoring Fan Status The Health page displays the fan status on all devices with fans Depending on the model there are one or more fans on a device Some models have no fans at all On devices on which a temperature sensor is assembled for protecting t...

Page 83: ...ensor exceeds the Critical threshold The following are generated SYSLOG message SNMP trap The following actions are performed System LED is set to solid amber if hardware supports this Disable Ports When the Critical temperature has been exceeded for two minutes all ports will be shut down On devices that support PoE Disable the PoE circuitry so that less power is consumed and less heat is emitted...

Page 84: ...dle Session Timeout STEP 2 Select the timeout for the each session from the corresponding list The default timeout value is 10 minutes STEP 3 Click Apply to set the configuration settings on the device Pinging a Host Ping is a utility used to test if a remote host can be reached and to measure the round trip time for packets sent from the device to a destination device Ping operates by sending Int...

Page 85: ...at is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select from where it is received Host IP Address Name Address or host name of the device to be pinged Whether this is an IP address or host name depends on the Host Definition Ping Interval Length of time the system waits between ping packets Ping is repeated the number of times configured i...

Page 86: ...s uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable fro...

Page 87: ... A page appears showing the Round Trip Time RTT and status for each trip in the fields Index Displays the number of the hop Host Displays a stop along the route to the destination Round Trip Time 1 3 Displays the round trip time in ms for the first through third frame and the status of the first through third operation ...

Page 88: ...Administration General Information Traceroute 71 Cisco Small Business 300 Series Managed Switch Administration Guide 5 ...

Page 89: ...educes confusion in shared file systems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The device supports Simple Network Time Protocol SNTP and when enabled the device dynamically synchronizes the device time wi...

Page 90: ...uration of time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration in order to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device sets the time...

Page 91: ...tion 100 in order for dynamic time zone configuration to take place SNTP Modes The device can receive the system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the device listens to these broadcasts When the device is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmission active ...

Page 92: ...erver Address stratum and type of the SNTP server from which time was last taken STEP 2 Enter these parameters Clock Source Settings Select the source used to set the system clock Main Clock Source SNTP Servers If you enable this the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the SNTP Interface Settings page Optionally ...

Page 93: ...P server This acronym appears in the Actual Time field Time Zone Offset Select the difference in hours between Greenwich Mean Time GMT and the local time For example the Time Zone Offset for Paris is GMT 1 while the Time Zone Offset for New York is GMT 5 Time Zone Acronym Enter a user defined name that represents the time zone you have configured This acronym appears in the Actual Time field Dayli...

Page 94: ... are Day Day of the week on which DST ends every year Week Week within the month from which DST ends every year Month Month of the year in which DST ends every year Time The time at which DST ends every year STEP 3 Click Apply The system time values are written to the Running Configuration file Adding a Unicast SNTP Server Up to 16 Unicast SNTP servers can be configured NOTE To specify a Unicast S...

Page 95: ...s received from this SNTP server Offset The estimated offset of the server s clock relative to the local clock in milliseconds The host determines the value of this offset using the algorithm described in RFC 2030 Delay The estimated round trip delay of the server s clock relative to the local clock over the network path between them in milliseconds The host determines the value of this delay usin...

Page 96: ... IP address The format depends on which address type was selected SNTP Server Select the name of the SNTP server from a list of well known NTP servers If other is chosen enter name of SNTP server in the adjacent field Poll Interval Select to enable polling of the SNTP server for system time information All NTP servers that are registered for polling are polled and the clock is selected from the se...

Page 97: ...lect to transmit SNTP IPv4 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet SNTP IPv6 Anycast Client Mode Client Broadcast Transmission Select to transmit SNTP IPv6 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet STEP 3 If the system is in Layer 3 system ...

Page 98: ...Select SNTP Authentication to support authentication of an SNTP session between the device and an SNTP server STEP 3 Click Apply to update the device STEP 4 Click Add STEP 5 Enter the following parameters Authentication Key ID Enter the number used to identify this SNTP authentication key internally Authentication Key Enter the key used for authentication up to eight characters The SNTP server mus...

Page 99: ...rt time and the recurring time range have been reached The process is deactivated when either of the time ranges is reached The device supports a maximum of 10 absolute time ranges All time specifications are interpreted as local time Daylight Saving Time does not affect this To ensure that the time range entries take effect at the desired times the system time must be set The time range feature c...

Page 100: ... time range click Recurring Range Recurring Time Range A recurring time element can be added to an absolute time range This limits the operation to certain time periods within the absolute range To add a recurring time range element to an absolute time range STEP 1 Click Administration Time Settings Recurring Range The existing recurring time ranges are displayed filtered per a specific absolute t...

Page 101: ...cable tests performed on copper cables by the Virtual Cable Tester VCT VCT performs two types of tests Time Domain Reflectometry TDR technology tests the quality and characteristics of a copper cable attached to a port Cables of up to 140 meters long can be tested These results are displayed in the Test Results block of the Copper Test page DSP based tests are performed on active GE links to measu...

Page 102: ...ions with that device are disrupted To test copper cables attached to ports STEP 1 Click Administration Diagnostics Copper Test STEP 2 Select the port on which to run the test STEP 3 Click Copper Test STEP 4 When the message appears click OK to confirm that the link can go down or Cancel to abort the test The following fields are displayed in the Test Results block Last Update Time of the last tes...

Page 103: ...rs NOTE TDR tests cannot be performed when the port speed is 10Mbit Sec Displaying Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable transceiver Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF 8472 MSA compatible SFPs The following FE SFP 100Mbps ...

Page 104: ...ge SFP s operating voltage Current SFP s current consumption Output Power Transmitted optical power Input Power Received optical power Transmitter Fault Remote SFP reports signal loss Values are True False and No Signal N S Loss of Signal Local SFP reports signal loss Values are True and False Data Ready SFP is operational Values are True and False Configuring Port and VLAN Mirroring Port mirrorin...

Page 105: ...both and later on delete VLAN 34 the status in port mirroring is set to Not Ready because the VLAN34 is no longer in the database and VLAN23 was not created manually Only one instance of mirroring is supported system wide The analyzer port or target port for VLAN mirroring or port mirroring is the same for all the mirrored VLANs or ports To enable mirroring STEP 1 Click Administration Diagnostics ...

Page 106: ...irroring on incoming packets Tx Only Port mirroring on outgoing packets Tx and Rx Port mirroring on both incoming and outgoing packets STEP 4 Click Apply Port mirroring is added to the Running Configuration Viewing CPU Utilization and Secure Core Technology This section describes the Secure Core Technology SCT and how to view CPU usage The device handles the following types of traffic in addition ...

Page 107: ...U Utilization The CPU Utilization page appears The CPU Input Rate field displays the rate of input frames to the CPU per second The window contains a graph of the CPU utilization The Y axis is percentage of usage and the X axis is the sample number STEP 2 Select the Refresh Rate time period in seconds that passes before the statistics are refreshed A new sample is created for each time period ...

Page 108: ...Administration Diagnostics Viewing CPU Utilization and Secure Core Technology 91 Cisco Small Business 300 Series Managed Switch Administration Guide 7 ...

Page 109: ...curity TCP UDP Services page to enable or disable the device services The device can be discovered by a network management system or other third party applications By default Bonjour is enabled on the Management VLAN The Bonjour console automatically detects the device and displays it Bonjour in Layer 2 System Mode When the device is in Layer 2 system mode Bonjour Discovery is enabled globally it ...

Page 110: ... Bonjour Discovery Interface Control table When the device is operating in Layer 3 system mode go to IP Configuration Management and IP Interface IPv4 Interface to configure an IP address to an interface If an interface such as a VLAN is deleted Goodbye packets are sent to deregister services the device is advertising from the neighboring cache table within the local network The Bonjour Discovery ...

Page 111: ...ollowing CDP LLDP configuration notes apply CDP LLDP can be globally enabled or disabled and enabled disabled per port The CDP LLDP capability of a port is relevant only if CDP LLDP is globally enabled If CDP LLDP is globally enabled the device filters out incoming CDP LLDP packets from ports that are CDP LLDP disabled If CDP LLDP is globally disabled the device can be configured to discard VLAN a...

Page 112: ... authorized If a port is the target of mirroring then according to CDP LLDP it is considered down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise themselves and their capabilities In deployments where the CDP LLDP capable devices are not directly connected and are separated with CDP LLDP incapable devices the CDP LLDP capable devices may be a...

Page 113: ...ses all incoming LLDP packets as required by the protocol The LLDP protocol has an extension called LLDP Media Endpoint Discovery LLDP MED which provides and accepts information from media endpoint devices such as VoIP phones and video phones For further information about LLDP MED see LLDP MED Network Policy LLDP Configuration Workflow Following are examples of actions that can be performed with t...

Page 114: ...DP is not enabled select the action to be taken if a packet that matches the selected criteria is received Filtering Delete the packet Flooding Forward the packet to all VLAN members TLV Advertise Interval Enter the rate in seconds at which LLDP advertisement updates are sent or use the default Topology Change SNMP Notification Interval Enter the minimum time interval between SNMP notifications Ho...

Page 115: ... sent in the LLDP PDU The LLDP MED TLVs to be advertised can be selected in the LLDP MED Port Settings page and the management address TLV of the device may be configured To define the LLDP port settings STEP 1 Click Administration Discovery LLDP Port Settings This page contains the port LLDP information STEP 2 Select a port and click Edit This page provides the following fields Interface Select t...

Page 116: ... object System Capabilities Primary functions of the device and whether or not these functions are enabled in the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved 802 3 MAC PHY Duplex and bit rate capability and the current duplex and bit rate sett...

Page 117: ...e Management IP address from the addresses provided STEP 3 Enter the relevant information and click Apply The port settings are written to the Running Configuration file LLDP MED Network Policy LLDP Media Endpoint Discovery LLDP MED is an extension of LLDP that provides the following additional capabilities to support media endpoint devices Some of the features of the LLDP Med Network Policy are E...

Page 118: ...emberships according to the network policies and their associated interfaces In addition an administrator can instruct the device to automatically generate and advertise a network policy for voice application based on the voice VLAN maintained by the device Refer the Auto Voice VLAN section for details on how the device maintains its voice VLAN To define an LLDP MED network policy STEP 1 Click Adm...

Page 119: ... advertisement for the desired interfaces Network Policies are configured using the LLDP MED Network Policy page NOTE If LLDP MED Network Policy for Voice Application LLDP MED Network Policy Page is Auto and Auto Voice VLAN is in operation then the device automatically generates an LLDP MED Network Policy for Voice Application for all the ports that are LLDP MED enabled and are members of the voic...

Page 120: ...TE The following fields must be entered in hexadecimal characters in the exact data format that is defined in the LLDP MED standard ANSI TIA 1057_final_for_publication pdf Location Coordinate Enter the coordinate location to be published by LLDP Location Civic Address Enter the civic address to be published by LLDP Location ECS ELIN Enter the Emergency Call Service ECS ELIN location to be publishe...

Page 121: ...Interface Port identifier LLDP Status LLDP publishing option LLDP MED Status Enabled or disabled Local PoE Local PoE information advertised Remote PoE PoE information advertised by the neighbor of neighbors Number of neighbors discovered Neighbor Capability of 1st Device Displays the primary functions of the neighbor for example Bridge or Router Displaying LLDP Local Information To view the LLDP l...

Page 122: ...shown Port ID Identifier of port Port Description Information about the port including manufacturer product name and hardware software version Management Address Displays the table of addresses of the local LLDP agent Other remote managers can use this address to obtain information related to the local device The address consists of the following elements Address Subtype Type of management IP addr...

Page 123: ...us Indicates whether the interface is aggregated Aggregation Port ID Advertised aggregated interface ID 802 3 Energy Efficient Ethernet EEE If device supports EEE Local Tx Indicates the time in micro seconds that the transmitting link partner waits before it starts transmitting data after leaving Low Power Idle LPI mode Local Rx Indicates the time in micro seconds that the receiving link partner r...

Page 124: ...rce PoE Power Priority Port power priority PoE Power Value Port power value Hardware Revision Hardware version Firmware Revision Firmware version Software Revision Software version Serial Number Device serial number Manufacturer Name Device manufacturer name Model Name Device model name Asset ID Asset ID Location Information Civic Street address Coordinates Map coordinates latitude longitude and a...

Page 125: ...o view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbors Information This page contains the following fields Local Port Number of the local port to which the neighbor is connected Chassis ID Subtype Type of chassis ID for example MAC address Chassis ID Identifier of the 802 LAN neighboring device s chassis Port ID Subtype Type of the port identifier that is s...

Page 126: ...e equals the sysDescr object Supported System Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Enabled System Capabilities Primary enabled function s of the device Management Address Table Address Subtype Manag...

Page 127: ...ort PSE Power Class Advertised power class of the port 802 3 Details 802 3 Maximum Frame Size Advertised maximum frame size that is supported on the port 802 3 Link Aggregation Aggregation Capability Indicates if the port can be aggregated Aggregation Status Indicates if the port is currently aggregated Aggregation Port ID Advertised aggregated port ID 802 3 Energy Efficient Ethernet EEE Remote Tx...

Page 128: ...res Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support and device information management capabilities PoE Device Type Port PoE type for example powered PoE Power Source Port s power source PoE Power Priority Port s power priority PoE Power Value Port s power value Hardware Revision Hardware version Firmware Re...

Page 129: ...ic or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s Emergency Call Service ECS Emergency Location Identification Number ELIN Unknown Unknown location information Network Policies Application Type Network policy application type for example Voice VLAN ID VLAN ID for which the network policy is defined VLAN Type VLAN type Tagged or Untagged for...

Page 130: ...s Information Deletion Count Number of neighbor ageouts on the interface STEP 2 Click Refresh to view the latest statistics LLDP Overloading LLDP adds information as LLDP and LLDP MED TLVs into the LLDP packets LLDP overload occurs when the total amount of information to be included in a LLDP packet exceed the maximum PDU size supported by an interface The LLDP Overloading page displays the number...

Page 131: ...apabilities Size Bytes Total LLDP MED capabilities packets byte size Status If the LLDP MED capabilities packets were sent or if they were overloaded LLDP MED Location Size Bytes Total LLDP MED location packets byte size Status If the LLDP MED locations packets were sent or if they were overloaded LLDP MED Network Policy Size Bytes Total LLDP MED network policies packets byte size Status If the LL...

Page 132: ...Bytes Total number of bytes of LLDP information in each packet Left to Send Bytes Total number of available bytes left for additional LLDP information in each packet Configuring CDP This section describes how to configure CDP It covers the following topics Setting CDP Properties Editing CDP Interface Settings Displaying CDP Local Information Displaying CDP Neighbors Information Viewing CDP Statist...

Page 133: ...rameters STEP 1 Click Administration Discovery CDP Properties STEP 2 Enter the parameters CDP Status Select to enable CDP on the device CDP Frames Handling If CDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Bridging Forward the packet based on the VLAN Filtering Delete the packet Flooding VLAN unaware flooding that forwards incoming CDP p...

Page 134: ...Interface IP address to be used in the TLV of the frames The following options are possible Use Default Use the IP address of the outgoing interface User Defined Use the IP address of the interface in the Interface field in the address TLV Interface IF User Defined was selected for Source Interface select the interface Syslog Voice VLAN Mismatch Check to send a SYSLOG message when a voice VLAN mis...

Page 135: ...n for each interface CDP Status CDP publishing option for the port Reporting Conflicts with CDP Neighbors Displays the status of the reporting options that are enabled disabled in the Edit page Voice VLAN Native VLAN Duplex No of Neighbors Number of neighbors detected The bottom of the page has four buttons Copy Settings Select to copy a configuration from one port to another Edit Fields explained...

Page 136: ...ge when duplex information mismatch is detected This means that the duplex information in the incoming frame does not match what the local device is advertising STEP 3 Enter the relevant information and click Apply The port settings are written to the Running Configuration Displaying CDP Local Information To view information that is advertised by the CDP protocol about the local device STEP 1 Clic...

Page 137: ...ce ID Type of device attached to port advertised in the appliance TLV Appliance VLAN ID VLAN on the device used by the appliance for instance if the appliance is an IP phone this is the voice VLAN Extended Trust TLV Extended Trust Enabled indicates that the port is trusted meaning that the host server from which the packet is received is trusted to mark the packets itself In this case packets rece...

Page 138: ... Management Power Level Displays the supplier s request to the powered device for its Power Consumption TLV The device always displays No Preference in this field Displaying CDP Neighbors Information The CDP Neighbors Information page displays CDP information received from neighboring devices After timeout based on the value received from the neighbor Time To Live TLV during which no CDP PDU was r...

Page 139: ... information for this neighbor is deleted Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Other Repeater Bridge WLAN AP Router Telephone DOCSIS cable device and station respectively Bits 8 through 15 are reserved Platform Identifier of the neighbors platform Neighbor Interface Interface number of the neighbor through which frame a...

Page 140: ...P 1 Click Administration Discovery CDP CDP Statistics The following fields are displayed for every interface Packets Received Transmitted Version 1 Number of CDP version 1 packets received transmitted Version 2 Number of CDP version 2 packets received transmitted Total Total number of CDP packets received transmitted The CDP Error Statistics section displays the CDP error counters Illegal Checksum...

Page 141: ... protocol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters for the ports that are members or candidates of a dynamic LAG by using the LACP page 5 Configure Green Ethernet and 802...

Page 142: ... Configuration is explicitly saved to the Startup Configuration File using the Copy Save Configuration page and the device is rebooted STEP 4 To update the port settings select the desired port and click Edit STEP 5 Modify the following parameters Interface Select the port number Port Type Displays the port type and speed The possible options are Copper Ports Regular not Combo support the followin...

Page 143: ...List ACL configurations The reactivate operation brings the port up without regard to why the port was suspended Auto Negotiation Select to enable auto negotiation on the port Auto negotiation enables a port to advertise its transmission speed duplex mode and Flow Control abilities to the port link partner Operational Auto Negotiation Displays the current auto negotiation status on the port Admini...

Page 144: ...k partner Back Pressure Select the Back Pressure mode on the port used with Half Duplex mode to slow down the packet reception speed when the device is congested It disables the remote port preventing it from sending packets by jamming the signal Flow Control Enable or disable 802 3x Flow Control or enable the auto negotiation of Flow Control on the port only when in Full Duplex mode MDI MDIX the ...

Page 145: ...ership Devices connected to protected ports are not allowed to communicate with each other even if they are members of the same VLAN Both ports and LAGs can be defined as protected or unprotected Protected LAGs are described in the Configuring LAG Settings section Member in LAG If the port is a member of a LAG the LAG number appears otherwise this field is left blank STEP 6 Click Apply The Port Se...

Page 146: ...e ports LACP determines which candidate ports are active member ports The non active candidate ports are standby ports ready to replace any failing active member ports Load Balancing Traffic forwarded to a LAG is load balanced across the active member ports thus achieving an effective bandwidth close to the aggregate bandwidth of all the active member ports of the LAG Traffic load balancing over t...

Page 147: ...from the LAG its original configuration is reapplied Protocols such as Spanning Tree consider all the ports in the LAG to be one port Default Settings and Configuration Ports are not members of a LAG and are not candidates to become part of a LAG Static and Dynamic LAG Workflow After a LAG has been manually created LACP cannot be added or removed until the LAG is edited and a member is removed Onl...

Page 148: ...sired LAG on the Edit LAG Membership page To select the load balancing algorithm of the LAG STEP 1 Click Port Management Link Aggregation LAG Management STEP 2 Select one of the following Load Balance Algorithms MAC Address Perform load balancing by source and destination MAC addresses on all packets IP MAC Address Perform load balancing by the source and destination IP addresses on IP packets and...

Page 149: ...lect a LAG and click Edit STEP 3 Enter the values for the following fields LAG Select the LAG ID number Description Enter the LAG name or a comment LAG Type Displays the port type that comprises the LAG Administrative Status Set the selected LAG to be Up or Down Operational Status Displays whether the LAG is currently operating Time Range Select to enable the time range during which the port is in...

Page 150: ...G The options are Max Capability All LAG speeds and both duplex modes are available 10 Full The LAG advertises a 10 Mbps speed and the mode is full duplex 100 Full The LAG advertises a 100 Mbps speed and the mode is full duplex 1000 Full The LAG advertises a 1000 Mbps speed and the mode is full duplex Operational Advertisement Displays the Administrative Advertisement status The LAG advertises its...

Page 151: ...west MAC address controls candidate port selection to the LAG A dynamic LAG can have up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode When there are more than eight ports in the dynamic LAG the device on the controlling end of the link uses port priorities to determine which ports are bundled into the LAG and which ports are put ...

Page 152: ...g DHCP and get its configuration using auto configuration Setting LACP Parameter Settings Use the LACP page to configure the candidate ports for the LAG and to configure the LACP parameters per port With all factors equal when the LAG is configured with more candidate ports than the maximum number of active ports allowed 8 the device selects ports as active from the dynamic LAG on the device that ...

Page 153: ...is enabled on all devices where only the Gigabyte ports are enable with EEE The Green Ethernet feature can reduce overall power usage in the following ways Energy Detect Mode On an inactive link the port moves into inactive mode saving power while keeping the Administrative status of the port Up Recovery from this mode to full operational mode is fast transparent and no frames are lost This mode i...

Page 154: ... devices etc On the System Summary page the LEDs that are displayed on the device board pictures are not affected by disabling the LEDs Power savings current power consumption and cumulative energy saved can be monitored The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Ethernet mo...

Page 155: ...rtions of their functionality and save power during periods of no traffic 802 3az EEE supports IEEE 802 3 MAC operation at 100 Mbps and 1000 Mbps LLDP is used to select the optimal set of parameters for both devices If LLDP is not supported by the link partner or is disabled 802 3az EEE still be operational but it might not be in the optimal operational mode The 802 3az EEE feature is implemented ...

Page 156: ... 802 3az EEE capabilities and settings are also advertised using frames based on the organizationally specific TLVs defined in Annex G of IEEE Std 802 1AB protocol LLDP LLDP is used to further optimize 802 3az EEE operation after auto negotiation is completed The 802 3az EEE TLV is used to fine tune system wake up and refresh durations Availability of 802 3az EEE Please check the release notes for...

Page 157: ...g page b Check the 802 3 Energy Efficient Ethernet EEE mode on the port it is enabled by default c Select whether to enable or disable advertisement of 802 3az EEE capabilities through LLDP in 802 3 Energy Efficient Ethernet EEE LLDP it is enabled by default STEP 4 To see 802 3 EEE related information on the local device open the Administration Discovery LLDP LLDP Local Information page and view t...

Page 158: ...rgy Saved Displays the amount of energy saved from the last device reboot This value is updated each time there is an event that affects power saving 802 3 Energy Efficient Ethernet EEE Globally enable or disable EEE mode Port LEDs Select to enable the port LEDs When these are disabled they do not display link status activity etc STEP 3 Click Apply The Green Ethernet Properties are written to the ...

Page 159: ...ach mode Administrative Displays whether Short Reach mode was enabled Operational Displays whether Short Reach mode is currently operating Reason If Short Reach mode is not operational displays the reason Cable Length Displays VCT returned cable length in meters NOTE Short reach mode is only supported on RJ45 GE ports it does not apply to Combo ports 802 3 Energy Efficient Ethernet EEE State of th...

Page 160: ... Reach and EEE globally see Setting Global Green Ethernet Properties STEP 2 Select a Port and click Edit STEP 3 Select to enable or disable Energy Detect mode on the port STEP 4 Select to enable or disable Short Reach mode on the port if there are GE ports on the device STEP 5 Select to enable or disable 802 3 Energy Efficient Ethernet EEE mode on the port if there are GE ports on the device STEP ...

Page 161: ...ng topics Overview What is a Smartport Smartport Types Smartport Macros Macro Failure and the Reset Operation How the Smartport Feature Works Auto Smartport Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Configuring Smartport Using The Web based Interface Built in Smartport Macros ...

Page 162: ...anually assign a Smartport type to an interface The result is the corresponding Smartport macro is applied to the interface Auto Smartport Auto Smartport waits for a device to be attached to the interface before applying a configuration When a device is detected from an interface the Smartport macro if assigned that corresponds to the Smartport type of the attaching device is automatically applied...

Page 163: ... AP Smartport Types Smartport types refers to the types of devices attached or to be attached to Smartports The device supports the following Smartport types Printer Desktop Guest Server Host IP Camera IP phone IP Phone Desktop Switch Router Wireless Access Point Smartport types are named so that they describe the type of device connected to an interface Each Smartport type is associated with two ...

Page 164: ... types of the attached devices based on CDP capabilities LLDP system capabilities and or LLDP MED capabilities The following describes the relationship of Smartport types and Auto Smartport Smartport and Auto Smartport Types Smartport Type Supported by Auto Smartport Supported by Auto Smartport by default Unknown No No Default No No Printer No No Desktop No No Guest No No Server No No Host Yes No ...

Page 165: ... devices attached to the interface have aged out which is defined as the absence of CDP and or LLDP advertisement from the device for a specified time period Unknown If a Smartport macro is applied to an interface and an error occurs the interface is assigned the Unknown status In this case the Smartport and Auto Smartport features do not function on the interface until you correct the error and a...

Page 166: ...on with each Smartport type The macro applies the configuration and the anti macro removes it There are two types of Smartport macros Built In These are macros provided by the system One macro applies the configuration profile and the other removes it The macro names of the built in Smartport macros and the Smartport type they are associated with as follows macro name for example printer no_macro ...

Page 167: ...e of the interface is set to this static type If the Startup Configuration File specifies a Smartport type that was dynamically assigned by Auto Smartport If the Auto Smartport Global Operational state the interface Auto Smartport state and the Persistent Status are all Enable the Smartport type is set to this dynamic type Else the corresponding anti macro is applied and the interfaces status is s...

Page 168: ...ort types must be statically assigned to the desired interfaces This can be done by navigating to the Smartport Interface Settings page selecting the radio button of the desired interface and clicking Edit Then select the Smartport type you want to assign and adjust the parameters as necessary before clicking Apply There are two ways to apply a Smartport macro by Smartport type to an interface Sta...

Page 169: ...ersistent Status is enabled the interface configuration is retained If not the Smartport Type reverts to Default Enabling Auto Smartport Auto Smartport can be enabled globally in the Properties page in the following ways Enabled This manually enables Auto Smartport and places it into operation immediately Enable by Auto Voice VLAN This enables Auto Smartport to operate if Auto Voice VLAN is enable...

Page 170: ...g device s ages out links down reboots or conflicting capabilities are received Aging out times are determined by the absence of CDP and or LLDP advertisements from the device for a specified time period Using CDP LLDP Information to Identify Smartport Types The device detects the type of device attached to the port based on the CDP LLDP capabilities This mapping is shown in the following tables C...

Page 171: ...s through that interface in order to assign the correct Smartport type The assignment is based on the following algorithm LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IETF RFC 2108 2 Ignore MAC Bridge IEEE Std 802 1D 3 Switch WLAN Access Point IEEE Std 802 11 MIB 4 Wireless Access Point Router IETF RFC 1812 5 Router Telephone IETF RFC ...

Page 172: ...dynamically by Auto Smartport remains on the interface even after the attaching device ages out the interface goes down and the device is rebooted assuming the configuration was saved The Smartport type and the configuration of the interface are not changed unless Auto Smartport detects an attaching device with a different Smartport type If the Persistent status of an interface is disabled the int...

Page 173: ...TE When upgrading from a firmware version that does not support Auto Smartport to a firmware level that supports Auto Smartport the Auto Voice VLAN is disabled after the upgrade If Telephony OUI was enabled before the upgrade then Auto Smartport is disabled after the upgrade and Telephony OUI remains enabled Common Smartport Tasks This section describes some common tasks to setup Smartport and Aut...

Page 174: ... on the interface open the Smartport Interface Settings page STEP 2 Select the interface and click Edit STEP 3 Select the Smartport type that is to be assigned to the interface in the Smartport Application field STEP 4 Set the macro parameters as required STEP 5 Click Apply Workflow3 To adjust Smartport macro parameter defaults and or bind a user defined macro pair to a Smartport type perform the ...

Page 175: ...bleshoot then correct the problem Consider the troubleshooting tip below STEP 4 Click Edit A new window appears in which you can click Reset to reset the interface STEP 5 Return to the main page and reapply the macro using either Reapply for devices that are not switches routers or APs or Reapply Smartport Macro for switches routers or APs to run the Smartport Macro on the interface A second metho...

Page 176: ...le Auto Smartport on the device Enable by Auto Voice VLAN This enables Auto Smartport but puts it in operation only when Auto Voice VLAN is also enabled and in operation Enable by Auto Voice VLAN is the default Auto Smartport Device Detection Method Select whether incoming CDP LLDP or both types of packets are used to detect the Smartport type of the attaching device s At least one must be checked...

Page 177: ...rameters for the Smartport types applied by Auto Smartport from the Smartport Type Settings page configures the default values for these parameters These defaults are used by Auto Smartport NOTE Changes to Auto Smartport types cause the new settings to be applied to interfaces which have already been assigned that type by Auto Smartport In this case binding an invalid macro or setting an invalid d...

Page 178: ...sociated with the Smartport type are modified Auto Smartport automatically reapplies the macro to the interfaces currently assigned with the Smartport type by Auto Smartport Auto Smartport does not apply the changes to interfaces that were statically assigned a Smartport type NOTE There is no method to validate macro parameters because they do not have a type association Therefore any entry is val...

Page 179: ...wing ways Select a group of Smartport types switches routers or APs and click Reapply Smartport Macro The macros are applied to all selected interface types Select an interface that is UP and click Reapply to reapply the last macro that was applied to the interface The Reapply action also adds the interface to all newly created VLANs STEP 2 Smartport Diagnostic If a Smartport macro fails the Smart...

Page 180: ... the corresponding Smartport macro To statically assign a Smartport type and apply the corresponding Smartport macro to the interface select the desired Smartport type Persistent Status Select to enable the Persistent status If enabled the association of a Smartport type to an interface remains even if the interface goes down or the device is rebooted Persistent is applicable only if the Smartport...

Page 181: ...ip_camera ip_phone ip_phone_desktop switch router ap desktop desktop interface configuration for increased network security and reliability when connecting a desktop device such as a PC to a switch port macro description Desktop macro keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices ...

Page 182: ... allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto printer printer macro description printer macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port ...

Page 183: ...ontrol broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto guest guest macro description guest macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode acce...

Page 184: ...clude multicast spanning tree portfast auto server server macro description server macro keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smar...

Page 185: ...st auto host host macro description host macro keywords native_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_...

Page 186: ...t level no smartport storm control include multicast spanning tree portfast auto ip_camera ip_camera macro description ip_camera macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max a...

Page 187: ...ro keywords native_vlan voice_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk na...

Page 188: ...broadcast level no smartport storm control include multicast spanning tree portfast auto ip_phone_desktop ip_phone_desktop macro description ip_phone_desktop macro keywords native_vlan voice_vlan max_hosts macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are ...

Page 189: ...switchport trunk allowed vlan remove all no port security no port security mode no port security max no smartport storm control broadcast enable no smartport storm control broadcast level no smartport storm control include multicast spanning tree portfast auto switch switch macro description switch macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be...

Page 190: ...k type router router macro description router macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan smartport storm con...

Page 191: ...e voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no smartport storm control broadcast enable no smartport storm control broadcast level no spanning tree link type ap ap macro description ap macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port ...

Page 192: ...Smartport Built in Smartport Macros 175 Cisco Small Business 300 Series Managed Switch Administration Guide 10 ...

Page 193: ...PSE Power Sourcing Equipment that delivers electrical power to connected PD Powered Devices over existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure See Device Models for information concerning PoE support on various models PoE Features PoE provides the following features Eliminates the need to run 110 220 V AC p...

Page 194: ...ss which is the amount of maximum power that the PD consumes Power Consumption After the classification stage completes the PSE provides power to the PD If the PD supports PoE but without classification it is assumed to be class 0 the maximum If a PD tries to consume more power than permitted by the standard the PSE stops supplying power to the port PoE supports two modes Port Limit The maximum po...

Page 195: ...equires more power from the device than the configured allocation allows no matter if the device is in Class Limit or Port Limit mode the device does the following Maintains the up down status of the PoE port link Turns off power delivery to the PoE port Logs the reason for turning off power Generates an SNMP trap CAUTION Consider the following when connecting switches capable of supplying PoE The...

Page 196: ...it might consume much less than the maximum power allowed Output power is disabled during power on reboot initialization and system configuration to ensure that PDs are not damaged To configure PoE on the device and monitor current power usage STEP 1 Click Port Management PoE Properties STEP 2 Enter the values for the following fields Power Mode Select one of the following options Port Limit The m...

Page 197: ... per port the days in the week and the hours that PoE is enabled When the time range is not active PoE is disabled To use this feature a time range must first be defined in the Time Range page Click Port Management PoE Settings This page limits the power per port in two ways depending on the Power Mode Port Limit Power is limited to a specified wattage For these settings to be active the system mu...

Page 198: ...2 Select a port and click Edit The list of fields below is for Port Limit Power Mode The fields are slightly different if the Power Mode is Class Limit STEP 3 Enter the value for the following field Interface Select the port to configure PoE Administrative Status Enable or disable PoE on the port Time Range Select to enabled PoE on the port Time Range Name If Time Range has been enabled select the...

Page 199: ...r of power shortage occurrences Denied Counter Displays number of times the powered device was denied power Absent Counter Displays the number of times that power was stopped to the powered device because the powered device was no longer detected Invalid Signature Counter Displays the times an invalid signature was received Signatures are the means by which the powered device identifies itself to ...

Page 200: ...Port Management PoE Configuring PoE Settings 183 Cisco Small Business 300 Series Managed Switch Administration Guide 11 ...

Page 201: ...Configuring VLAN Interface Settings Defining VLAN Membership GVRP Settings VLAN Groups Voice VLAN Access Port Multicast TV VLAN Customer Port Multicast TV VLAN VLANs A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer regardless of the physical LAN segment of the bridged network to which they are connected ...

Page 202: ...s added to each Ethernet frame The tag contains a VLAN ID between 1 and 4094 and a VLAN Priority Tag VPT between 0 and 7 See Quality of Service for details about VPT When a frame enters a VLAN aware device it is classified as belonging to a VLAN based on the four byte VLAN tag in the frame If there is no VLAN tag in the frame or the frame is priority tagged only the frame is classified to the VLAN...

Page 203: ...on with each other by using Generic VLAN Registration Protocol GVRP As a result VLAN information is propagated through a bridged network VLANs on a device can be created statically or dynamically based on the GVRP information exchanged by devices A VLAN can be static or dynamic from GVRP but not both For more information about GVRP refer to the GVRP Settings section Some VLANs can have additional ...

Page 204: ... required change the default VLAN by using the Configuring Default VLAN Settings section 2 Create the required VLANs by using the Creating VLANs section 3 Set the desired VLAN related configuration for ports and enable QinQ on an interface using the Configuring VLAN Interface Settings section 4 Assign interfaces to VLANs by using the Configuring Port to VLAN section or the Configuring VLAN Members...

Page 205: ...r saving the configuration and rebooting the device Removes VLAN membership of the ports from the original default VLAN possible only after reboot Changes the PVID Port VLAN Identifier of the ports to the VID of the new default VLAN The original default VLAN ID is removed from the device To be used it must be recreated Adds the ports as untagged VLAN members of the new default VLAN To change the d...

Page 206: ...eate VLAN page contains the following fields for all VLANs VLAN ID User defined VLAN ID VLAN Name User defined VLAN name Type VLAN type Dynamic VLAN was dynamically created through Generic VLAN Registration Protocol GVRP Static VLAN is user defined Default VLAN is the default VLAN STEP 2 Click Add to add a new VLAN or select an existing VLAN and click Edit to modify the VLAN parameters The page en...

Page 207: ... of one or more VLANs Access The interface is an untagged member of a single VLAN A port configured in this mode is known as an access port Trunk The interface is an untagged member of one VLAN at most and is a tagged member of zero or more VLANs A port configured in this mode is known as a trunk port Customer Selecting this option places the interface in QinQ mode This enables you to use your own...

Page 208: ...erships to or from the VLANs When a port is forbidden default VLAN membership that port is not allowed membership in any other VLAN An internal VID of 4095 is assigned to the port To forward the packets properly intermediate VLAN aware devices that carry VLAN traffic along the path between end nodes must either be manually configured or must dynamically learn the VLANs and their port memberships f...

Page 209: ...he following list Forbidden The interface is not allowed to join the VLAN even from GVRP registration When a port is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID Excluded The interface is currently not a member of the VLAN This is the default for all the ports and LAGs The port can join the VLAN through GVRP registration T...

Page 210: ...or LAG and click Go The following fields are displayed for all interfaces of the selected type Interface Port LAG ID Mode Interface VLAN mode that was selected in the Interface Settings page Administrative VLANs Drop down list that displays all VLANs of which the interface might be a member Operational VLANs Drop down list that displays all VLANs of which the interface is currently a member LAG If...

Page 211: ...y makes the interface an untagged member of the VLAN If the interface is in general mode you must manually configure VLAN membership STEP 5 Click Apply The settings are modified and written to the Running Configuration file STEP 6 To see the administrative and operational VLANs on an interface click Details GVRP Settings Adjacent VLAN aware devices can exchange VLAN information with each other by ...

Page 212: ... the global GVRP status STEP 4 Select an interface type Port or LAG and click Go to display all interfaces of that type STEP 5 To define GVRP settings for a port select it and click Edit STEP 6 Enter the values for the following fields Interface Select the interface Port or LAG to be edited GVRP State Select to enable GVRP on this interface Dynamic VLAN Creation Select to enable Dynamic VLAN Creat...

Page 213: ... based VLAN groups which each group containing different MAC addresses These MAC based groups can be assigned to specific ports LAGs MAC based VLAN groups cannot contain overlapping ranges of MAC addresses on the same port Workflow To define a MAC based VLAN group 1 Assign a MAC address to a VLAN group ID using the MAC Based Groups page 2 For each required interface a Assign the VLAN group to a VL...

Page 214: ... General mode To assign a MAC based VLAN group to a VLAN on an interface STEP 1 Click VLAN Management VLAN Groups MAC Based Groups to VLAN STEP 2 Click Add STEP 3 Enter the values for the following fields Group Type Displays that the group is MAC Based Interface Enter a general interface port LAG through which traffic is received Group ID Select a VLAN group defined in the MAC Based Groups page VL...

Page 215: ...appropriate configurations UC3xx UC5xx hosted All Cisco phones and VoIP endpoints support this deployment model For this model the UC3xx UC5xx Cisco phones and VoIP endpoints reside in the same voice VLAN The voice VLAN of UC3xx UC5xx defaults to VLAN 100 Third party IP PBX hosted Cisco SBTG CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model In this model the VLAN used by th...

Page 216: ... in Telephony OUI mode or has Auto Smartports enabled Dynamic Voice VLAN Modes The device supports two dynamic voice VLAN modes Telephony OUI Organization Unique Identifier mode and Auto Voice VLAN mode The two modes affect how voice VLAN and or voice VLAN port memberships are configured The two modes are mutually exclusive to each other Telephony OUI In Telephony OUI mode the voice VLAN must be a...

Page 217: ...n the voice VLAN information from CDP and LLDP MED advertisements it receives from their neighbor voice systems and switches The device expects the attaching voice devices to send voice VLAN tagged packets On ports where the voice VLAN is also the native VLAN voice VLAN untagged packets are possible Auto Voice VLAN Auto Smartports CDP and LLDP Defaults By factory defaults CDP LLDP and LLDP MED on ...

Page 218: ...rom directly connected neighbor devices If multiple neighbor switches and or routers such as Cisco Unified Communication UC devices are advertising their voice VLAN the voice VLAN from the device with the lowest MAC address is used NOTE If connecting the device to a Cisco UC device you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device a...

Page 219: ...cro to the port if there is no other devices from the port advertising a conflicting or superior capability If a device advertises itself as a phone the default Smartport macro is phone If a device advertises itself as a phone and host or phone and bridge the default Smartport macro is phone desktop Voice VLAN QoS Voice VLAN can propagate the CoS 802 1p and DSCP settings by using LLDP MED Network ...

Page 220: ...VLAN ID can be configured for the Voice VLAN only if the current Voice VLAN does not have candidate ports The interface VLAN of a candidate port must be in General or Trunk mode The Voice VLAN QoS is applied to candidate ports that have joined the Voice VLAN and to static ports The voice flow is accepted if the MAC address can be learned by the Forwarding Database FDB If there is no free space in ...

Page 221: ...s using the Smartport Interface Settings page NOTE Step 7 and Step 8 are optional as they are enabled by default Workflow2 To configure the Telephony OUI Method STEP 1 Open the VLAN Management Voice VLAN Properties page Set Dynamic Voice VLAN to Enable Telephony OUI NOTE If the device is currently in Auto Voice VLAN mode you must disable it before you can enable Telephony OUI STEP 2 Configure Tele...

Page 222: ...AN Settings Operational Status block STEP 2 Enter values for the following fields Voice VLAN ID Enter the VLAN that is to be the Voice VLAN NOTE Changes in the voice VLAN ID CoS 802 1p and or DSCP cause the device to advertise the administrative voice VLAN as a static voice VLAN If the option Auto Voice VLAN Activation triggered by external Voice VLAN is selected then the default values need to be...

Page 223: ...ned from external sources STEP 3 Click Apply The VLAN properties are written to the Running Configuration file Displaying Auto Voice VLAN Settings If Auto Voice VLAN mode is enabled use the Auto Voice VLAN page to view the relevant global and interface parameters You can also use this page to manually restart Auto Voice VLAN by clicking Restart Auto Voice VLAN After a short delay this resets the v...

Page 224: ...e VLAN and restart Auto Voice VLAN discovery on all the Auto Voice VLAN enabled switches in the LAN The Voice VLAN Local Table displays voice VLAN configured on the device as well as any voice VLAN configuration advertised by directly connected neighbor devices It contains the following fields Interface Displays the interface on which voice VLAN configuration was received or configured If N A appe...

Page 225: ...This is not the best local source STEP 3 Click Refresh to refresh the information on the page Configuring Telephony OUI OUIs are assigned by the Institute of Electrical and Electronics Engineers Incorporated IEEE Registration Authority Since the number of IP phone manufacturers is limited and well known the known OUI values cause the relevant frames and the port on which they are seen to be automa...

Page 226: ...resses of the phones detected on the ports have aged out STEP 2 Click Apply to update the Running Configuration of the device with these values The Telephony OUI table appears Telephony OUI First six digits of the MAC address that are reserved for OUIs Description User assigned OUI description STEP 3 Click Restore OUI Defaults to delete all of the user created OUIs and leave only the default OUIs ...

Page 227: ...e basis of the OUI identifier and to configure the OUI QoS mode of voice VLAN To configure Telephony OUI on an interface STEP 1 Click VLAN Management Voice VLAN Telephony OUI Interface The Telephony OUI Interface page contains voice VLAN OUI parameters for all interfaces STEP 2 To configure an interface to be a candidate port of the telephony OUI based voice VLAN click Edit STEP 3 Enter the values...

Page 228: ... the Multicast server while including the Multicast TV VLAN in the Multicast packet header For this reasons the network ports must be statically configured as the following Trunk or general port type see Configuring VLAN Interface Settings Member on the Multicast TV VLAN The subscriber receiver ports can be associated with the Multicast TV VLAN only if it is defined in one of the two following typ...

Page 229: ...st TV VLAN then the software associates the IGMP packet with the Multicast TV VLAN Otherwise the IGMP message is associated to the access VLAN and the IGMP message is only forwarded within that VLAN The IGMP message is discarded if The STP RSTP state on the access port is discard The MSTP state for the access VLAN is discard The MSTP state for the Multicast TV VLAN is discard and the IGMP message ...

Page 230: ...st Group IP address of the Multicast group Multicast TV VLAN VLAN to which the Multicast packets are assigned STEP 2 Click Add to associate a Multicast group to a VLAN Any VLAN can be selected When a VLAN is selected it becomes a Multicast TV VLAN STEP 3 Click Apply Multicast TV VLAN settings are modified and written to the Running Configuration file Receiver ports VLAN can be used to both send an...

Page 231: ...ulticast TV VLAN A triple play service provisions three broadband services over a single broadband connection High speed Internet access Video Voice The triple play service is provisioned for service provider subscribers while keeping Layer 2 isolation between them Each subscriber has a CPE MUX box The MUX has multiple access ports that are connected to the subscriber s devices PC telephone and so...

Page 232: ...that determines the destination in the subscriber s network by the CPE MUX Workflow 1 Configure an access port as a customer port using the VLAN Management Interface Settings page See QinQ for more information 2 Configure the network port as a trunk or general port with subscriber and Multicast TV VLAN as tagged VLANS using the VLAN Management Interface Settings page 3 Create a Multicast TV VLAN w...

Page 233: ...VLAN defined on the CPE box Multicast TV VLAN Select the Multicast TV VLAN which is mapped to the CPE VLAN STEP 4 Click Apply CPE VLAN Mapping is modified and written to the Running Configuration file CPE Port Multicast VLAN Membership The ports associated with the Multicast VLANs must be configured as customer ports see Configuring VLAN Interface Settings Use the Port Multicast VLAN Membership pa...

Page 234: ...VLAN Management Customer Port Multicast TV VLAN 217 Cisco Small Business 300 Series Managed Switch Administration Guide 12 ...

Page 235: ... Flavors STP protects a Layer 2 Broadcast domain from Broadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate routes exist between hosts Loops in an extended network can c...

Page 236: ...STP wants to mitigate the loop it stops traffic on the entire port including VLAN B traffic MSTP solves this problem by enabling several STP instances so that it is possible to detect and mitigate loops separately in each instance By associating instances to VLANs each instance is associated with the Layer 2 domain on which it performs loop detection and mitigation This enables a port to be stoppe...

Page 237: ...lowest priority becomes the Root Bridge In the case that all bridges use the same priority then their MAC addresses are used to determine the Root Bridge The bridge priority value is provided in increments of 4096 For example 4096 8192 12288 and so on Hello Time Set the interval in seconds that a Root Bridge waits between configuration messages Max Age Set the interval in seconds that the device c...

Page 238: ...the STP protocol To configure STP on an interface STEP 1 Click Spanning Tree STP Interface Settings STEP 2 Select an interface and click Edit STEP 3 Enter the parameters Interface Select the Port or LAG on which Spanning Tree is configured STP Enables or disables STP on the port Edge Port Enables or disables Fast Link on the port If Fast Link mode is enabled on a port the port is automatically set...

Page 239: ... topology predictable The devices behind the ports that have BPDU Guard enabled cannot influence the STP topology At the reception of BPDUs the BPDU guard operation disables the port that has BPDU configured In this case a BPDU message is received and an appropriate SNMP trap is generated BPDU Handling Select how BPDU packets are managed when STP is disabled on the port or the device BPDUs are use...

Page 240: ...s the priority and interface of the selected port Designated Cost Displays the cost of the port participating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects loops Forward Transitions Displays the number of times the port has changed from the Blocking state to Forwarding state Speed Displays the speed of the port LAG Displays the LAG to which the port belon...

Page 241: ...RSTP or MSTP the device communicates with it using RSTP or MSTP respectively STEP 5 Select an interface and click Edit STEP 6 Enter the parameters Interface Set the interface and specify the port or LAG where RSTP is to be configured Point to Point Administrative Status Define the point to point link status Ports defined as Full Duplex are considered Point to Point port links Enable This port is a...

Page 242: ...splays the current Spanning Tree mode Classic STP or RSTP Fast Link Operational Status Displays whether the Fast Link Edge Port is enabled disabled or automatic for the interface The values are Enabled Fast Link is enabled Disabled Fast Link is disabled Auto Fast Link mode is enabled a few seconds after the interface becomes active Port Status Displays the RSTP status on the specific port Disabled...

Page 243: ...hese MSTP instances to VLAN s accordingly 4 Configure the MSTP attributes by Defining MSTP Properties Defining MSTP Instance Settings Mapping VLANs to a MSTP Instance Defining MSTP Properties The global MSTP configures a separate Spanning Tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree instance MSTP enables formation of MST regions that can...

Page 244: ...field range is from 0 to 65535 Max Hops Set the total number of hops that occur in a specific region before the BPDU is discarded Once the BPDU is discarded the port information is aged out The field range is from 1 to 40 IST Master Displays the regions master STEP 4 Click Apply The MSTP properties are defined and the Running Configuration file is updated Mapping VLANs to a MSTP Instance The VLAN ...

Page 245: ...ed STEP 2 To add a VLAN to an MSTP instance select the MST instance and click Edit STEP 3 Enter the parameters MST Instance ID Select the MST instance VLANs Define the VLANs being mapped to this MST instance Action Define whether to add map the VLAN to the MST instance or remove it STEP 4 Click Apply The MSTP VLAN mappings are defined and the Running Configuration file is updated Defining MSTP Ins...

Page 246: ... this device for the selected instance Remaining Hops Displays the number of hops remaining to the next destination STEP 3 Click Apply The MST Instance configuration is defined and the Running Configuration file is updated Defining MSTP Interface Settings The MSTP Interface Settings page enables you to configure the port MSTP settings for every MST instance and to view information that has current...

Page 247: ...ce is in Listening mode The port cannot forward traffic and cannot learn MAC addresses Learning The port on this instance is in Learning mode The port cannot forward traffic but it can learn new MAC addresses Forwarding The port on this instance is in Forwarding mode The port can forward traffic and learn new MAC addresses Boundary The port on this instance is a boundary port It inherits its state...

Page 248: ...rt MSTP MSTP is enabled on the port Type Displays the MST type of the port Boundary A Boundary port attaches MST bridges to a LAN in a remote region If the port is a boundary port it also indicates whether the device on the other side of the link is working in RSTP or STP mode Internal The port is an internal port Designated Bridge ID Displays the ID number of the bridge that connects the link or ...

Page 249: ...e MAC address that appears in a frame arriving at the device is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the device before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the device the device searches for a corresponding matchi...

Page 250: ...atic addresses STEP 2 Click Add STEP 3 Enter the parameters VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after rebootin...

Page 251: ...lue between the user configured value and twice that value minus 1 For example if you entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Querying Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses STEP 2 In the Filter block you can enter the following query criteria VLAN ID Enter the VLAN ID for...

Page 252: ...ved MAC Addresses page opens STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Select the MAC address to be reserved Frame Type Select a frame type based on the following criteria Ethernet V2 Applies to Ethernet V2 packets with the specific MAC address LLC Applies to Logical Link Control LLC packets with the specific MAC address LLC SNAP Applies to Logical Link Control ...

Page 253: ... Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel in ...

Page 254: ... in this section is mostly for IGMP it also describes coverage of MLD where implied These queries reach the device which in turn floods the queries to the VLAN and also learns the port where there is a Multicast router Mrouter When a host receives the IGMP query message it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a spe...

Page 255: ... and Multicast routers in the network When a device learns that a host is using IGMP MLD messages to register to receive a Multicast stream optionally from a specific source the device adds the registration to its Multicast Forwarding Data Base MFDB IGMP MLD snooping can effectively reduce Multicast traffic from streaming bandwidth intensive IP applications A device using IGMP MLD snooping only fo...

Page 256: ...bits are mapped to the same Layer 2 address since the lower 23 bits that are used are identical For example 234 129 2 3 is mapped to a MAC Multicast group address 01 00 5e 01 02 03 Up to 32 IP Multicast group addresses can be mapped to the same Layer 2 address For IPv6 this is mapped by taking the 32 low order bits of the Multicast address and adding the prefix of 33 33 For example the IPv6 Multic...

Page 257: ...ific IP Group Address Based on both the destination IP address and the source IP address of the IP packet S G By selecting the forwarding mode you can define the method used by hardware to identify Multicast flow by one of the following options MAC Group Address IP Group Address or Source Specific IP Group Address S G is supported by IGMPv3 and MLDv2 while IGMPv1 2 and MLDv1 support only G which i...

Page 258: ...relating to a specific VLAN ID or a specific MAC address group This data is acquired either dynamically through IGMP MLD snooping or statically by manual entry Add or delete static entries to the MFDB that provide static forwarding information based on MAC destination addresses Display a list of all ports LAGs that are a member of each VLAN ID and MAC address group and enter whether traffic is for...

Page 259: ... address and click Details The page contains VLAN ID The VLAN ID of the Multicast group MAC Group Address The MAC address of the group STEP 7 Select the port or LAG to be displayed from the Filter Interface Type menu STEP 8 Click Go to display the port or LAG membership STEP 9 Select the way that each interface is associated with the Multicast group Static Attaches the interface to the Multicast g...

Page 260: ...y relevant when the Forwarding mode is S G Source IP Address equals to Define the source IP address of the sending device If mode is S G enter the sender S This together with the IP Group Address is the Multicast group ID S G to be displayed If mode is G enter an to indicate that the Multicast group is only defined by destination STEP 3 Click Go The results are displayed in the lower block When Bo...

Page 261: ...p as a static member Forbidden Specifies that this port is forbidden from joining this group on this VLAN None Indicates that the port is not currently a member of this Multicast group on this VLAN This is selected by default until Static or Forbidden is selected STEP 9 Click Apply The Running Configuration file is updated Configuring IGMP Snooping To support selective Multicast forwarding IPv4 Br...

Page 262: ...Multicast domain of snooping switches in the absence of a Multicast router For example where Multicast content is provided by a local server but the router if one exists on that network does not support Multicast The speed of IGMP Querier activity must be aligned with the IGMP snooping enabled switches Queries must be sent at a rate that is aligned to the snooping table aging time If queries are s...

Page 263: ...erier Operational Query Robustness Displays the robustness variable sent by the elected querier Query Interval Enter the interval between the General Queries to be used if this device is the elected querier Operational Query Interval The time interval in seconds between General Queries sent by the elected querier Query Max Response Interval Enter the delay used to calculate the Maximum Response Co...

Page 264: ...er Select IGMPv3 if there are switches and or Multicast routers in the VLAN that perform source specific IP Multicast forwarding STEP 5 Click Apply The Running Configuration file is updated MLD Snooping Hosts use the MLD protocol to report their participation in Multicast sessions and the device uses MLD snooping to build Multicast membership lists It uses these lists to forward Multicast packets ...

Page 265: ...tic definitions are preserved when the system is rebooted To enable MLD Snooping STEP 1 Click Multicast MLD Snooping STEP 2 Enable or disable MLD Snooping Status When MLD Snooping is globally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering ar...

Page 266: ...o calculate the Maximum Response Code inserted into the General Queries Last Member Query Counter Enter the Last Member Query Count to be used if the device cannot derive the value from the messages sent by the elected querier Operational Last Member Query Counter Displays the operational value of the Last Member Query Counter Last Member Query Interval Enter the Maximum Response Delay to be used ...

Page 267: ...oup MAC address or IP address to query Source Address equals to Defines the sender address to query VLAN ID equals to Defines the VLAN ID to query STEP 4 Click Go The following fields are displayed for each Multicast group VLAN The VLAN ID Group Address The Multicast group MAC address or IP address Source Address The sender address for all of the specified group ports Included Ports The list of de...

Page 268: ...nfigured as a Multicast router port by a MLD IGMP query To enable the dynamic learning of Multicast router ports go to the Multicast IGMP Snooping page and the Multicast MLD Snooping page Forbidden This port is not to be configured as a Multicast router port even if IGMP or MLD queries are received on this port If Forbidden is enabled on a port Mrouter is not learned on this port i e MRouter Ports...

Page 269: ...eams even if IGMP MLD snooping designated the port to join a Multicast group None The port is not currently a Forward All port STEP 5 Click Apply The Running Configuration file is updated Defining Unregistered Multicast Settings Multicast frames are generally forwarded to all ports in the VLAN If IGMP MLD Snooping is enabled the device learns about the existence of Multicast groups and monitors wh...

Page 270: ...d in the network To define unregistered Multicast settings STEP 1 Click Multicast Unregistered Multicast STEP 2 Define the following Interface Type equals to The view as all ports or all LAGs Port LAG Displays the port or LAG ID Unregistered Multicast Displays the forwarding status of the selected interface The possible values are Forwarding Enables forwarding of unregistered Multicast frames to t...

Page 271: ... 2 system mode the device operates as a Layer 2 VLAN aware device and has no routing capabilities In Layer 3 system mode the device has IP routing capabilities as well as Layer 2 system mode capabilities In this system mode a Layer 3 port still retains much of the Layer 2 functionality such as Spanning Tree Protocol and VLAN membership In Layer 3 system mode the device does not support MAC based V...

Page 272: ...ponse shows that the IPv4 address is in use the device sends a DHCPDECLINE message to the offering DHCP server and sends another DHCPDISCOVER packet that restarts the process If the device does not receive a DHCPv4 response in 60 seconds it continues to send DHCPDISCOVER queries and adopts the default IPv4 address 192 168 1 254 24 IP address collisions occur when the same IP address is used in the...

Page 273: ...ice can have multiple IP addresses Each IP address can be assigned to specified ports LAGs or VLANs These IP addresses are configured in the IPv4 Interface and IPv6 Interfaces pages in Layer 3 system mode This provides more network flexibility than the Layer 2 system mode in which only a single IP address can be configured Operating in Layer 3 system mode the device can be reached at all its IP ad...

Page 274: ... define a static IP address NOTE DHCP Option 12 Host Name option is supported when the device is an DHCP client If DHCP Option 12 is received from a DHCP server it is saved as the server s host name DHCP option 12 will not be requested by the device The DHCP server must be configured to send option 12 regardless of what is requested in order to make use of this feature If a static IP address is us...

Page 275: ... Interface page is used when the device is in Layer 3 system mode This mode enables configuring multiple IP addresses for device management and provides routing services The IP address can be configured on a port a LAG or VLAN interface Operating in Layer 3 mode the device routes traffic between the directly attached IP subnets configured on the device The device continues to bridge traffic betwee...

Page 276: ...in order to give time to discover DHCP address Not Received Relevant for DHCP Address When a DCHP Client starts a discovery process it assigns a dummy IP address 0 0 0 0 before the real address is obtained This dummy address has the status of Not Received STEP 2 Click Add STEP 3 Select one of the following fields Interface Select Port LAG or VLAN as the interface associated with this IP configurat...

Page 277: ...llowing fields Destination IP Prefix Enter the destination IP address prefix Mask Select and enter information for one of the following Network Mask The IP route prefix for the destination IP Prefix Length The IP route prefix for the destination IP Route Type Select the route type Reject Rejects the route and stops routing to the destination network via all gateways This ensures that if a frame ar...

Page 278: ... 3 routing as well as to forward generated traffic To define the ARP tables STEP 1 Click IP Configuration IPv4 Management and Interfaces ARP STEP 2 Enter the parameters ARP Entry Age Out Enter the number of seconds that dynamic addresses can remain in the ARP table A dynamic address ages out after the time it is in the table exceeds the ARP Entry Age Out time When a dynamic address ages out it is ...

Page 279: ...evice STEP 6 Click Apply The ARP entry is saved to the Running Configuration file ARP Proxy The Proxy ARP technique is used by the device on a given IP subnet to answer ARP queries for a network address that is not on that network NOTE The ARP proxy feature is only available when the device is in L3 mode The ARP Proxy is aware of the destination of traffic and offers another MAC address in reply S...

Page 280: ...P Helper STEP 2 Click Add STEP 3 Select the Source IP Interface to where the device is to relay UDP Broadcast packets based on a configured UDP destination port The interface must be one of the IPv4 interfaces configured on the device STEP 4 Enter the UDP Destination Port number for the packets that the device is to relay Select a well known port from the drop down list or click the port radio but...

Page 281: ...ayer 3 system mode the device can also relay DHCP messages received from VLANs that do not have IP addresses Whenever DHCP Relay is enabled on a VLAN without an IP address Option 82 is inserted automatically This insertion is in the specific VLAN and does not influence the global administration state of Option 82 insertion Transparent DHCP Relay For Transparent DHCP Relay where an external DHCP re...

Page 282: ...DHCP server DHCP client and DHCP server are connected to different VLANs In the case only DHCP Relay can and does broadcast DHCP messages between DHCP client and DHCP server Unicast DHCP messages are passed by regular routers and therefore if DHCP Relay is enabled on a VLAN without an IP address or if the device is not a router Layer 2 device then an external router is needed DHCP Relay and only D...

Page 283: ...with Option 82 Bridge no Option 82 is sent Packet is sent with the original Option 82 Relay is sent with Option 82 Bridge no Option 82 is sent Relay discards the packet Bridge Packet is sent with the original Option 82 DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives wit...

Page 284: ...f DHCP Snooping is not enabled Packet is sent with the original Option 82 Relay is sent with Option 82 Bridge Option 82 is inserted if port is trusted behaves as if DHCP Snooping is not enabled Relay discards the packet Bridge Packet is sent with the original Option 82 DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 ...

Page 285: ...iginates in device packet is sent without Option 82 2 If reply does not originate in device packet is discarded Bridge Packet is sent with the original Option 82 Option 82 insertion enabled Packet is sent without Option 82 Relay Packet is sent without Option 82 Bridge Packet is sent with the Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay Packet is sent without Opt...

Page 286: ... client if it exists DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address Packet arrives without Option 82 Packet arrives with Option 82 Packet arrives without Option 82 Packet arrives with Option 82 Option 82 Insertion Disabled Packet is sent without Option 82 Packet is sent with the original Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay 1 If reply...

Page 287: ...usted by default How the DHCP Snooping Binding Database is Built The following describes how the device handles DHCP packets when both the DHCP client and DHCP server are trusted The DHCP Snooping Binding database is built in this process DHCP Trusted Packet Handling The actions are STEP 1 Device sends DHCPDISCOVER to request an IP address or DHCPREQUEST to accept an IP address and lease STEP 2 De...

Page 288: ...ly Forwarded to trusted interfaces only DHCPOFFER Filter Forward the packet according to DHCP information If the destination address is unknown the packet is filtered DHCPREQUEST Forward to trusted interfaces only Forward to trusted interfaces only DHCPACK Filter Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database DHCPNAK Filter Same as DHCPOFFER Remove entry if exists DH...

Page 289: ...e relayed DHCP Default Configuration The following describes DHCP Snooping and DHCP Relay default options DHCP Default Options Configuring DHCP Work Flow To configure DHCP Relay and DHCP Snooping DHCPRELEASE Same as DHCPDECLINE Same as DHCPDECLINE DHCPINFORM Forward to trusted interfaces only Forward to trusted interfaces only DHCPLEASEQUE RY Filtered Forward Packet Type Arriving from Untrusted In...

Page 290: ...operties To configure DHCP Relay DHCP Snooping and Option 82 STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay Properties or Security DHCP Snooping Enter the following fields Option 82 Select Option 82 to insert Option 82 information into packets DHCP Relay Select to enable DHCP Relay DHCP Snooping Status Select to enable DHCP Snooping If DHCP Snooping is enabled the...

Page 291: ...s STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay Interface Settings STEP 2 To enable DHCP Relay or DHCP Snooping on an interface click ADD STEP 3 Select the interface and the features to be enabled DHCP Relay or DHCP Snooping STEP 4 Click Apply The settings are written to the Running Configuration file DHCP Snooping Trusted Interfaces Packets from untrusted ports ...

Page 292: ...ote that if the IP source guard and or ARP inspection features are active the clients that are not written in the DHCP Snooping Binding database are not be able to connect to the network To add entries to the DHCP Snooping Binding database STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Snooping Relay DHCP Snooping Binding Database To see a subset of entries in the DHCP Snooping ...

Page 293: ...ocation The hardware address of a host is manually mapped to an IP address Dynamic Allocation A client obtains a leased IP address for a specified period of time that can be infinite If the DHCP client does not renew the allocated IP Address the IP address is revoked at the end of this period and the client must request another IP address DHCP Options The following tables defines DHCP options supp...

Page 294: ...r but cannot be set in the GUI or CLI 51 Extension IP Address Lease Time 44 NetBIOS NetBIOS over TCP IP Name Server Option netbios name server 46 NetBIOS NetBIOS over TCP IP Node Type Option netbios node type Option Option Name Description 50 Requested IP Address The option is created by the DHCP client during renew 53 DHCP Message Type The option specifies the DHCP message type value message type...

Page 295: ...ult Workflow for Enabling Feature To configure the device as a DHCPv4 server STEP 1 Enable the device as a DHCP server using the DHCP Server Properties page STEP 2 If there are any IP addresses that you do not want to be assigned configure them using the Excluded Addresses page STEP 3 Define up to 8 network pools of IP addresses using the Network Pools page STEP 4 Configure clients that will be as...

Page 296: ...etwork These addresses are allocated to various clients within that subnet When a client requests an IP address the device as DHCP server allocates an IP address according to the following Directly attached Client The device allocates an address from the network pool whose subnet matches the subnet configured on the device s IP interface from which the DHCP request was received Remote Client The d...

Page 297: ...ase in number of days The range is 0 to 49710 days Hours The number of hours in the lease A days value must be supplied before an hours value can be added Minutes The number of minutes in the lease A days value and an hours value must be added before a minutes value can be added Default Router IP Address Option 3 Enter the default router for the DHCP client Domain Name Server IP Address Option 6 S...

Page 298: ... TFTP SCP server from which the configuration file is downloaded File Server Host Name sname Enter the name of the TFTP SCP server Configuration File Name file Enter the name of the file that is used as a configuration file Excluded Addresses By default the DHCP server assumes that all pool addresses in a pool may be assigned to clients A single IP address or a range of IP addresses can be exclude...

Page 299: ...dress prefix Identifier Type Set how to identify the specific static host Client Identifier Enter a unique identification of the client specified in dotted hexadecimal notation such as 01b6 0819 6811 72 or MAC Address Enter the MAC address of the client Client Name Enter the name of the static host using a standard set of ASCII characters The client name must not include the domain name Default Ro...

Page 300: ...servers if already configured or select Other and enter the IP address of the time server for the DHCP client File Server IP Address siaddr Enter the IP address of the TFTP SCP server from which the configuration file is downloaded File Server Host Name sname Enter the name of the TFTP SCP server Configuration File Name file Enter the name of the file that is used as a configuration file Address B...

Page 301: ... Internet Protocol version 6 IPv6 is a network layer protocol for packet switched internetworks IPv6 was designed to replace IPv4 the predominantly deployed Internet protocol IPv6 introduces greater flexibility in assigning IP addresses because the address size increases from 32 bit to 128 bit addresses IPv6 addresses are written as eight groups of four hexadecimal digits for example FE80 0000 000...

Page 302: ...ent Settings Unique Identifier DUID Format This is the identifier of the DHCP client that is used by the DHCP server to locate the client It can be in one of the following formats Link Layer Default If you select this option the MAC address of the device is used Enterprise Number If you select this option enter the following fields Enterprise Number The vendors registered Private Enterprise number...

Page 303: ...inite no refresh unless the server sends this option or User Defined to set a value Information Refresh Time This value indicates how often the device will refresh information received from the DHCPv6 server If this option is not received from the server the value entered here is used Select either Infinite no refresh unless the server sends this option or User Defined to set a value STEP 5 To con...

Page 304: ... initiate refresh of the stateless information received from the DHCPv6 server DHCPv6 Client Details The DHCPv6 Client Details button displays information received on the interface from a DHCPv6 server It is active when the interface selected is defined as a DHCPv6 stateless client When the button is pressed it displays the following fields for the information that was received from the DHCP serve...

Page 305: ... and a destination IPv4 address The IPv6 packet is encapsulated between these addresses ISATAP Tunnels The type of tunnel that can be configured on the device is called an Intra Site Automatic Tunnel Addressing Protocol ISATAP tunnel which is a point to multi point tunnel The source address is the IPv4 address or one of the IPv4 addresses of the device When configuring an ISATAP tunnel the destina...

Page 306: ...Auto Automatically selects the lowest IPv4 address from among all of its configured IPv4 interfaces on the device This option is equivalent to the Interface option in Layer 3 because in Layer 2 there is only one interface NOTE If the IPv4 address is changed the local address of the tunnel interface is also changed None Disable the tunnel Manual Enter the IPv4 source address to be used The IPv4 add...

Page 307: ...lds IPv6 Interface Displays the interface on which the IPv6 address is to be defined If an is displayed this means that the IPv6 interface is not enabled but has been configured IPv6 Address Type Select the type of the IPv6 address to add Link Local An IPv6 address that uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for ...

Page 308: ...evice STEP 5 IPv6 Default Router List The IPv6 Default Router List page enables configuring and viewing the default IPv6 router addresses This list contains the routers that are candidates to become the device default router for non local traffic it may be empty The device randomly selects a router from the list The device supports one static IPv6 default router Dynamic default routers are routers...

Page 309: ...rocess Default router has not yet responded Reachable Positive confirmation was received within the Reachable Time Unreachable Positive confirmation was not received within the Reachable Time Stale Previously known neighboring network is unreachable and no action is taken to verify its reachability until it is necessary to send traffic Delay Previously known neighboring network is unreachable The ...

Page 310: ...esses the entry type static or dynamic and the state of the neighbor To define IPv6 neighbors STEP 1 n Layer 2 system mode click Administration Management Interface IPv6 Neighbors In Layer 3 system mode click IP Configuration IPv6 Management and Interfaces IPv6 Neighbors STEP 2 You can select a Clear Table option to clear some or all of IPv6 addresses in the IPv6 Neighbors Table Static Only Delete...

Page 311: ...interface The address must be a valid IPv6 address MAC Address Enter the MAC address mapped to the specified IPv6 address STEP 5 Click Apply The Running Configuration file is updated STEP 6 To change the type of an IP address from Dynamic to Static select the address click Edit and use the Edit IPv6 Neighbors page Viewing IPv6 Route Tables The IPv6 Forwarding Table contains the various routes that...

Page 312: ...cal address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global An IPv6 address that is a global Unicast IPV6 type that is visible and reachable from other networks Point to Point A Point to point tunnel Me...

Page 313: ...packets are forwarded Two sets of DHCPv6 servers can be configured Global Destinations Packets are always relayed to these DHCPv6 servers Interface List This is a per interface list of DHCPv6 servers When a DHCPv6 packet is received on an interface the packet is relayed both to the servers on the interface list if it exists and to the servers on the global destination list Dependencies with Other ...

Page 314: ... on an interface and optionally add a DHCPv6 server for an interface click Add Enter the fields Source Interface Select the interface port LAG VLAN or tunnel for which DHCPv6 Relay is enabled Use Global Destinations Only Select to forward packets to the DHCPv6 global destination servers only IPv6 Address Type Enter the type of the destination address to which client messages are forwarded The addr...

Page 315: ...conds that the device will wait for a response to a DNS query Polling Interval Enter how often in seconds the device sends DNS query packets after the number of retries has been exhausted Use Default Select to use the default value This value 2 Polling Retries 1 Polling Timeout User Defined Select to enter a user defined value Default Parameters Enter the following default parameters Default Domai...

Page 316: ... one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select the interface through which it is received DNS Server IP Address Enter the DNS server IP ad...

Page 317: ...s These are mapping pairs that were either added by the system as a result of being used by the user or and an entry for each IP address configured on the device by DHCP There can be 256 dynamic entries Name resolution always begins by checking static entries continues by checking the dynamic entries and ends by sending requests to the external DNS server Eight IP addresses are supported per DNS s...

Page 318: ...sed The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unica...

Page 319: ...t of topics below Permission to administer the device is described in the following sections Defining Users Configuring TACACS Configuring RADIUS Configuring Management Access Authentication Defining Management Access Method SSL Server SSL Server Protection from attacks directed at the device CPU is described in the following sections Configuring TCP UDP Services Defining Storm Control Access Cont...

Page 320: ...cisco The first time that you log in with the default username and password you are required to enter a new password Password complexity is enabled by default If the password that you choose is not complex enough Password Complexity Settings are enabled in the Password Strength page you are prompted to create another password Setting User Accounts The User Accounts page enables entering additional...

Page 321: ... and a suitable log message is generated to the terminal STEP 3 Click Add to add a new user or click Edit to modify a user STEP 4 Enter the parameters User Name Enter a new username between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must comply with the poli...

Page 322: ...ected the user is prompted to change the password when the Password Aging Time expires Password Aging Time Enter the number of days that can elapse before the user is prompted to change the password NOTE Password aging also applies to zero length passwords no password STEP 3 Select Password Complexity Settings to enable complexity rules for passwords If password complexity is enabled new passwords...

Page 323: ... the current password upon a password change STEP 5 Click Apply The password settings are written to the Running Configuration file NOTE Configuring the username password equivalence and manufacturer password equivalence may be done through the CLI See the CLI Reference Guide for further instruction Configuring TACACS An organization can establish a Terminal Access Controller Access Control System...

Page 324: ...ction If the TACACS server does not support this the device reverts to multiple connections Accounting Using a TACACS Server The user can enable accounting of login sessions using either a RADIUS or TACACS server The user configurable TCP port used for TACACS server accounting is the same TCP port that is used for TACACS server authentication and authorization The following information is sent to ...

Page 325: ...ACS and Add TACACS Server pages STEP 3 Select TACACS in the Management Access Authentication page so that when a user logs onto the device authentication is performed on the TACACS server instead of in the local database NOTE If more than one TACACS server has been configured the device uses the configured priorities of the available TACACS servers to select the TACACS server to be used by the dev...

Page 326: ...figured for the individual TACACS server takes precedence Timeout for Reply Enter the amount of time that passes before the connection between the device and the TACACS server times out If a value is not entered in the Add TACACS Server page for a specific server the value is taken from this field Source IPv4 Address Enter the device IPv4 source addresses to be used by the TACACS server Source IPv...

Page 327: ...munications by using MD5 You can select the default key on the device or the key can be entered in Encrypted or Plaintext form If you do not have an encrypted key string from another device enter the key string in plaintext mode and click Apply The encrypted key string is generated and displayed If you enter a key this overrides the default key string if one has been defined for the device on the ...

Page 328: ...on Provides authentication of regular and 802 1X users logging onto the device by using usernames and user defined passwords Authorization Performed at login After the authentication session is completed an authorization session starts using the authenticated username The TACACS server then checks user privileges Accounting Enable accounting of login sessions using the RADIUS server This enables a...

Page 329: ...rt Based Access Control 802 1X MAC Based Specifies that the RADIUS server is used for 802 1x port accounting Management Access Specifies that the RADIUS server is used for user login accounting Both Port Based Access Control and Management Access Specifies that the RADIUS server is used for both user login accounting and 802 1x port accounting None Specifies that the RADIUS server is not used for ...

Page 330: ...v6 Address Enter the source IPv6 address to be used STEP 4 Click Apply The RADIUS default settings for the device are updated in the Running Configuration file To add a RADIUS server click Add STEP 5 Enter the values in the fields for each RADIUS server To use the default values entered in the RADIUS page select Use Default Server Definition Select whether to specify the RADIUS server by IP addres...

Page 331: ...n answer from the RADIUS server before retrying the query or switching to the next server if the maximum number of retries were made If Use Default is selected the device uses the default timeout value Authentication Port Enter the UDP port number of the RADIUS server port for authentication requests Accounting Port Enter the UDP port number of the RADIUS server port for accounting requests Retrie...

Page 332: ...r example if the selected authentication methods are RADIUS and Local and all configured RADIUS servers are queried in priority order and do not reply the user is authenticated locally If an authentication method fails or the user has insufficient privilege level the user is denied access to the device In other words if authentication fails at an authentication method the device stops the authenti...

Page 333: ... Access Profiles can limit management access from specific sources Only users who pass both the active access profile and the management access authentication methods are given management access to the device There can only be a single access profile active on the device at one time Access profiles consist of one or more rules The rules are executed in order of their priority within the access pro...

Page 334: ... device generates a SYSLOG message to alert the system administrator of the attempt If a console only access profile has been activated the only way to deactivate it is through a direct connection from the management station to the physical console port on the device For more information see Defining Profile Rules Use the Access Profiles page to create an access profile and to add its first rule I...

Page 335: ...ne is the highest priority Management Method Select the management method for which the rule is defined The options are All Assigns all management methods to the rule Telnet Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the device that meets the SSH access profile criteria are permitte...

Page 336: ...format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 7 Click Apply The access profile is written to the Running Configuration file You can now select this access profile as the active access profile Defining Profile Rules Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device an...

Page 337: ... requesting access to the device that meets the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access HTTP Assigns HTTP access to the rule Users requesting access to the device that meets the HTTP access profile criteria are permitted or denied Secure HTTP HT...

Page 338: ...r the source IP address and enter a value in one of the field Network Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format Prefix Length Select the Prefix Length and enter the number of bits that comprise the source IP address prefix STEP 5 Click Apply and the rule is added to the access profile SSL Server This section describes the Secur...

Page 339: ...er Authentication Settings Information appears for certificate 1 and 2 in the SSL Server Key Table These fields are defined in the Edit page except for the following fields Valid From Specifies the date from which the certificate is valid Valid To Specifies the date up to which the certificate is valid Certificate Source Specifies whether the certificate was generated by the system Auto Generated ...

Page 340: ... CA enter the following Certificate ID Select the active certificate Certificate Copy in the received certificate Import RSA KEY Pair Select to enable copying in the new RSA key pair Public Key Copy in the RSA public key Private Key Encrypted Select and copy in the RSA private key in encrypted form Private Key Plaintext Select and copy in the RSA private key in plain text form Display Sensitive Da...

Page 341: ... STEP 2 Enable or disable the following TCP UDP services on the displayed services HTTP Service Indicates whether the HTTP service is enabled or disabled HTTPS Service Indicates whether the HTTPS service is enabled or disabled SNMP Service Indicates whether the SNMP service is enabled or disabled Telnet Service Indicates whether the Telnet service is enabled or disabled SSH Service Indicates wheth...

Page 342: ...he service instance of the UDP service For example when two senders send data to the same destination STEP 3 Click Apply The services are written to the Running Configuration file Defining Storm Control When Broadcast Multicast or Unknown Unicast frames are received they are duplicated and a copy is sent to all possible egress ports This means that in practice they are sent to all ports belonging ...

Page 343: ...the maximum rate at which unknown packets can be forwarded The default for this threshold is 10 000 for FE devices and 100 000 for GE devices Storm Control Mode Select one of the modes Unknown Unicast Multicast Broadcast Counts unknown Unicast Broadcast and Multicast traffic towards the bandwidth threshold Multicast Broadcast Counts Broadcast and Multicast traffic towards the bandwidth threshold B...

Page 344: ...te On Reset ones up to the maximum addresses allowed on the port Relearning and aging are disabled When a frame from a new MAC address is detected on a port where it is not authorized the port is classically locked and there is a new MAC address or the port is dynamically locked and the maximum number of allowed addresses has been exceeded the protection mechanism is invoked and one of the followi...

Page 345: ...ent Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port set by Max No of Addresses Allowed Relearning and aging are enabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses can be learned as Delete On Reset ones up to the maximum addresses allowed...

Page 346: ...request port access from a remote device authenticator to which it is connected Only when the supplicant requesting port access is authenticated and authorized is it permitted to send data to the port Otherwise the authenticator discards the supplicant data unless the data is sent to a Guest VLAN and or non authenticated VLANs Authentication of the supplicant is performed by an external RADIUS ser...

Page 347: ...orted when the device is in Layer 2 system mode For a device to be authenticated and authorized at a port which is DVA enabled The RADIUS server must authenticate the device and dynamically assign a VLAN to the device The user can configure an alternative VLAN ahead of time to be used if the RADIUS server does not assign a VLAN The assigned VLAN must not be the default VLAN and must have been crea...

Page 348: ...t allows access by both authorized and unauthorized devices or ports You can configure one or more VLANs to be unauthenticated in Creating VLANs An unauthenticated VLAN has the following characteristics It must be a static VLAN and cannot be the Guest VLAN or the Default VLAN The member ports must be manually configured as tagged members The member ports must be trunk and or general ports An acces...

Page 349: ...orized and unauthorized devices or ports can always send or receive packets to or from unauthenticated VLANs Define 802 1X settings for each port by using the Edit Port Authentication page Note the following On this page DVA can be activated on a port by selecting the RADIUS VLAN Assignment field You can select the Guest VLAN field to have untagged incoming frames go to the guest VLAN Define host ...

Page 350: ...cate the user Permit the session Guest VLAN Select to enable the use of a Guest VLAN for unauthorized ports If a Guest VLAN is enabled all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field If a port is later authorized it is removed from the Guest VLAN Guest VLAN ID Select the guest VLAN from the list of VLANs Guest VLAN Timeout Define a time period After linkup if...

Page 351: ...EP 4 Optionally uncheck Authentication to make the VLAN an unauthenticated VLAN STEP 5 Click Apply and the Running Configuration file is updated Defining 802 1X Port Authentication The Port Authentication page enables configuration of 802 1X parameters for each port Since some of the configuration changes are only possible while the port is in Force Authorized state such as host authentication it ...

Page 352: ...thorizes the interface without authentication RADIUS VLAN Assignment Select to enable Dynamic VLAN assignment on the selected port Dynamic VLAN assignment is possible only when the 802 1X mode is set to Multiple Session After authentication the port joins the supplicant VLAN as an untagged port in that VLAN Alternate VLAN Assignment If RADIUS VLAN Assignment is enabled you can select one of the fo...

Page 353: ...cified Reauthentication Period Reauthentication Period Enter the number of seconds after which the selected port is reauthenticated Reauthenticate Now Select to enable immediate port re authentication Authenticator State Displays the defined port authorization state The options are Initialize In process of coming up Force Authorized Controlled port state is set to Force Authorized forward traffic ...

Page 354: ...ion was terminated if applicable STEP 4 Click Apply The port settings are written to the Running Configuration file Defining Host and Session Authentication The Host and Session Authentication page enables defining the mode in which 802 1X operates on the port and the action to perform if a violation has been detected The 802 1X modes are Single Only a single authorized host can access the port Po...

Page 355: ...using the port No Single Host Port control is Auto and Multiple Hosts mode is enabled At least one client has been authenticated Not in Auto Mode Auto port control is not enabled Number of Violations Displays the number of packets that arrive on the interface in single host mode from a host whose MAC address is not the supplicant MAC address STEP 2 Select a port and click Edit STEP 3 Enter the par...

Page 356: ...he Running Configuration file Viewing Authenticated Hosts To view details about authenticated users STEP 1 Click Security 802 1X Authenticated Hosts This page displays the following fields User Name Supplicant names that were authenticated on each port Port Number of the port Session Time DD HH MM SS Amount of time that the supplicant was logged on the port Authentication Method Method by which th...

Page 357: ... the CPU There are no interactions with other features SCT can be monitored in the Denial of Service Denial of Service Prevention Security Suite Settings page Details button Types of DoS Attacks The following types of packets or other strategies might be involved in a Denial of Service attack TCP SYN Packets These packets often have a false sender address Each packets is handled like a connection ...

Page 358: ...andlers by the attacker Using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts Each handler can control up to a thousand agents Invasor Trojan A trojan enables the attacker to download a zombie agent or the trojan may contain one Attackers can also break into systems using automated tools that exploit flaws in programs th...

Page 359: ...you attempt to define an ACL on an interface on which DoS Prevention is enabled A SYN attack cannot be blocked if there is an ACL active on an interface Default Configuration The DoS Prevention feature has the following defaults The DoS Prevention feature is disabled by default SYN FIN protection is enabled by default even if DoS Prevention is disabled If SYN protection is enabled the default prot...

Page 360: ...Enable that part of the feature that prevents attacks from Stacheldraht Distribution Invasor Trojan and Back Orifice Trojan STEP 5 If System Level Prevention or System Level and Interface Level Prevention is selected enable one or more of the following DoS Prevention options Stacheldraht Distribution Discards TCP packets with source TCP port equal to 16660 Invasor Trojan Discards TCP packets with ...

Page 361: ... Security Denial of Service Prevention SYN Protection STEP 2 Enter the parameters Block SYN FIN Packets Select to enable the feature All TCP packets with both SYN and FIN flags are dropped on all ports SYN Protection Mode Select between three modes Disable The feature is disabled on a specific interface Report Generates a SYSLOG message The status of the port is changed to Attacked when the thresh...

Page 362: ...in the Martian Addresses page Addresses that are illegal from the point of view of the protocol such as loopback addresses including addresses within the following ranges 0 0 0 0 8 Except 0 0 0 0 32 as a Source Address Addresses in this block refer to source hosts on this network 127 0 0 0 8 Used as the Internet host loopback address 192 0 2 0 24 Used as the TEST NET in documentation and example c...

Page 363: ...h Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled STEP 5 Click Apply The Martian addresses are written to the Running Configuration file SYN Filtering The SYN Filtering page enables filtering TCP packets that contain a SYN flag and are destined for one or more ports To define a SYN filter STEP 1 Click Security Denial of Servi...

Page 364: ...ection STEP 1 Click Security Denial of Service Prevention SYN Rate Protection This page appears the SYN rate protection currently defined per interface STEP 2 Click Add STEP 3 Enter the parameters Interface Select the interface on which the rate protection is being defined IP Address Enter the IP address for which the SYN rate protection is defined or select All Addresses If you enter the IP addre...

Page 365: ...packet filtering is activated or select All Addresses to block ICMP packets from all source addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the field Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format Pre...

Page 366: ...at comprise the source IP address prefix STEP 4 Click Apply The IP fragmentation is defined and the Running Configuration file is updated IP Source Guard IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of its neighbor When IP Source Guard is enabled the device only transmits client IP traffic to IP addresses contained...

Page 367: ... entry If the number of IP Source Guard entries exceeds the number of available TCAM rules the extra addresses are inactive Filtering If IP Source Guard is enabled on a port then DHCP packets allowed by DHCP Snooping are permitted If source IP address filtering is enabled IPv4 traffic Only traffic with a source IP address that is associated with the port is permitted Non IPv4 traffic Permitted Inc...

Page 368: ...ket transmission is permitted as follows IPv4 traffic Only IPv4 traffic with a source IP address that is associated with the specific port is permitted Non IPv4 traffic All non IPv4 traffic is permitted See Interactions with Other Features for more information about enabling IP Source Guard on interfaces To configure IP Source Guard on interfaces STEP 1 Click Security IP Source Guard Interface Set...

Page 369: ...rce Guard Binding Database STEP 2 The DHCP Snooping Binding database uses TCAM resources for managing the database Complete the Insert Inactive field to select how frequently the device should attempt to activate inactive entries It has the following options Retry Frequency The frequency with which the TCAM resources are checked Never Never try to reactivate inactive addresses STEP 3 Click Apply t...

Page 370: ...r 2 Broadcast domain by mapping IP addresses to a MAC addresses A malicious user can attack hosts switches and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet This can happen because ARP allows a gratuitous reply from a host even if an ARP request was not received After the atta...

Page 371: ...nto the traffic stream from Host A to Host B the classic man in the middle attack How ARP Prevents Cache Poisoning The ARP inspection feature relates to interfaces as either trusted or untrusted see Security ARP Inspection Interface Setting page Interfaces are classified by the user as follows Trusted Packets are not inspected Untrusted Packets are inspected as described above ARP inspection is pe...

Page 372: ...performed for ARP responses IP Addresses Compares the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP Multicast addresses Packets with invalid ARP Inspection bindings are logged and dropped Up to 1024 entries can be defined in the ARP Access Control table Interaction Between ARP Inspection and DHCP Snooping If DHCP Snooping is enabled ARP Inspe...

Page 373: ...ction STEP 1 Click Security ARP Inspection Properties Enter the following fields ARP Inspection Status Select to enable ARP Inspection ARP Packet Validation Select to enable the following validation checks Source MAC Compares the packets source MAC address in the Ethernet header against the senders MAC address in the ARP request This check is performed on both ARP requests and responses Destinatio...

Page 374: ...ports LAGs are ARP Inspection untrusted To change the ARP trusted status of a port LAG STEP 1 Click Security ARP Inspection Interface Settings The ports LAGs and their ARP trusted untrusted status are displayed STEP 2 To set a port LAG as untrusted select the port LAG and click Edit STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file Defining A...

Page 375: ...up and enter the fields MAC Address MAC address of packet IP Address IP address of packet STEP 4 Click Apply The settings are defined and the Running Configuration file is updated Defining ARP Inspection VLAN Settings To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN STEP 1 Click Security ARP Inspection VLAN Settings STEP 2 To enable ARP Inspection on a VLAN move th...

Page 376: ...Security Dynamic ARP Inspection 359 Cisco Small Business 300 Series Managed Switch Administration Guide 17 ...

Page 377: ... Properties Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In addition SSD enabl...

Page 378: ...itive data The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An SSD rule is uniquely identified by its us...

Page 379: ...hannel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifies that this rule applies only to insecure channels Depending on the device it may support some or all of the following insecure channels Telnet TFTP and HTTP Secure XML SNMP...

Page 380: ... following options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read mode is Encrypted the user defined read permission prevails Exclude Do not allow reading sensitive data Encrypted Sensitive data is presented in encrypted form Plaintext Sensitive data is presented in plaintext form Each man...

Page 381: ...ns is considered to be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users SNMP community names are not used as user names to match SSD rules Access by a specific SNMPv3 user can be controlled by configuring an SSD rule with a user name matching the SNMPv3 user name There must always be at least one rule with read permission Plai...

Page 382: ...communication through external authentication servers such as RADIUS and TACACS servers The configuration of the secure communication to the external authentication servers are sensitive data and are protected under SSD NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternate ch...

Page 383: ... the following occurs User changes it again Session is terminated The read permission of the SSD rule that is applied to the session user is changed and is no longer compatible with the current read mode of the session In this case the session read mode returns to the default read mode of the SSD rule SSD Properties SSD properties are a set of parameters that in conjunction with the SSD rules defi...

Page 384: ... configuration file or in the CLI GUI If better security and protection are desired an administrator should configure SSD on a device to use a user defined passphrase instead of the default passphrase A user defined passphrase should be treated as a well guard secret so that the security of the sensitive data on the device is not compromised A user defined passphrase can be configured manually in ...

Page 385: ...ncrypted sensitive data in a configuration file from devices that do not have the passphrase This mode should be used when a user does not want to expose the passphrase in a configuration file After a device is reset to the factory default its local passphrase is reset to the default passphrase As a result the device will be not able to decrypt any sensitive data encrypted based on a user defined ...

Page 386: ...an manually upload and download a configuration file to and from a remote file server A device can automatically download its Startup Configuration from a remote file server during the auto configuration stage using DHCP Configuration files stored on remote file servers are referred to as remote configuration files A Running Configuration file contains the configuration currently being used by a d...

Page 387: ...trol end respectively Startup Configuration File The device currently supports copying from the Running Backup Mirror and Remote Configuration files to a Startup Configuration file The configurations in the Startup Configuration are effective and become the Running Configuration after reboot A user can retrieve the sensitive data encrypted or in plaintext from a startup configuration file subject ...

Page 388: ...figures the Startup Configuration file with the passphrase that is used to generate the key to decrypt the sensitive data in the source configuration file Any SSD configurations that are not found are reset to the default If there is an SSD control block in the source configuration file and the file contains plaintext sensitive data excluding the SSD configurations in the SSD control block the fil...

Page 389: ...re the File SSD Indicator in a Mirror Configuration file always indicates that the file contains encrypted sensitive data By default auto mirror configuration service is enabled To configure auto mirror configuration to be enabled or disabled click Administration File Management Configuration File Properties A user can display copy and upload the complete mirror and backup configuration files subj...

Page 390: ... the device downloads the boot file remote configuration file into the Startup Configuration file from a file server and then reboots NOTE The file server may be specified by the bootp siaddr and sname fields as well as DHCP option 150 and statically configured on the device The user can safely auto configure target devices with encrypted sensitive data by first creating the configuration file tha...

Page 391: ...r in factory default states use the default anonymous user to access the SCP server SSD Management Channels Devices can be managed over management channels such as telnet SSH and web SSD categories the channels into the following types based on their security and or protocols secured insecure secure XML SNMP and insecure XML SNMP The following describes whether SSD considers each management channe...

Page 392: ...SD is supported this option is only permitted if the local passphrase is identical to the default passphrase If a device is configured with a user defined passphrase the user is unable to activate password recovery Configuring SSD The SSD feature is configured in the following pages SSD properties are set in the Properties page SSD rules are defined in the SSD Rules page SSD Properties Only users ...

Page 393: ...ode for the current session see Elements of an SSD Rule To change the local passphrase STEP 4 Click Change Local Passphrase and enter a new Local Passphrase Default Use the devices default passphrase User Defined Plaintext Enter and confirm a new passphrase SSD Rules Only users with SSD read permission of Plaintext only or Both are allowed to set SSD rules To configure SSD rules STEP 1 Click Secur...

Page 394: ...Pv3 without privacy Read Permission The read permissions associated with the rule These can be the following Exclude Lowest read permission Users are not permitted to get sensitive data in any form Plaintext Only Higher read permission than above ones Users are permitted to get sensitive data in plaintext only Encrypted Only Middle read permission Users are permitted to get sensitive data as encry...

Page 395: ...ata Management Configuring SSD Cisco Small Business 300 Series Managed Switch Administration Guide 378 18 Restore All Rules to Default Restore all user modified default rules to the default rule and remove all user defined rules ...

Page 396: ...Security Secure Sensitive Data Management Configuring SSD 379 Cisco Small Business 300 Series Managed Switch Administration Guide 18 ...

Page 397: ...etween an SSH client in this case the device and an SSH server SSH client helps the user manage a network composed of one or more switches in which various system files are stored on a central SSH server When configuration files are transferred over a network Secure Copy SCP which is an application that utilizes the SSH protocol ensures that sensitive data such as username password cannot be inter...

Page 398: ...oth on the device and on the SSH server although this guide does not describe server operations The following illustrates a typical network configuration in which the SCP feature might be used Typical Network Configuration Protection Methods When data is transferred from an SSH server to a device client the SSH server uses various methods for client authentication These are described below Passwor...

Page 399: ... device when it is booted One of these keys is used to encrypt the data being downloaded from the SSH server The RSA key is used by default If the user deletes one or both of these keys they are regenerated The public private keys are encrypted and stored in the device memory The keys are part of the device configuration file and the private key can be displayed to the user in encrypted or plainte...

Page 400: ...erver for a maximum of 16 servers and contains the following information Server IP address host name Server public key fingerprint When SSH server authentication is enabled the SSH client running on the device authenticates the SSH server using the following authentication process The device calculates the fingerprint of the received SSH server s public key The device searches the SSH Trusted Serv...

Page 401: ... auto configuration of an out of box device device with factory default configuration SSH server authentication is disabled by default Supported Algorithms When the connection between a device as an SSH client and an SSH server is established the client and SSH server exchange data in order to determine the algorithms to use in the SSH transport layer The following algorithms are supported on the ...

Page 402: ...age STEP 2 If the password method was selected perform the following steps a Create a global password in the SSH User Authentication page or create a temporary one in the Upgrade Backup Firmware Language or Backup Configuration Log pages when you actually activate the secure data transfer b Upgrade the firmware boot image or language file using SCP by selecting the via SCP over SSH option in the U...

Page 403: ...erate a public private key in the SSH User Authentication page STEP 2 Set the SSD properties and create a new local passphrase in the Secure Sensitive Data Management Properties page STEP 3 Click Details to view the generated encrypted keys and copy them including the Begin and End footers from the Details page to an external device Copy the public and private keys separately STEP 4 Log on to anot...

Page 404: ...This is the default setting If this is selected enter a password or retain the default one By RSA Public Key If this is selected create an RSA public and Private key in the SSH User Key Table block By DSA Public Key If this is selected create a DSA public private key in the SSH User Key Table block STEP 3 Enter the Username no matter what method was selected or user the default username This must ...

Page 405: ...fine the trusted servers STEP 1 Click Security SSH Client SSH Server Authentication STEP 2 Select Enable to enable SSH server authentication STEP 3 Click Add and enter the following fields for the SSH trusted server Server Definition Select one of the following ways to identify the SSH server By IP Address If this is selected enter the IP address of the server in the fields below By Name If this i...

Page 406: ...quely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from oth...

Page 407: ...evice These can be modified by the user The SSH session is opened using a special SSH client application such as PuTTY SSH Server can operate in the following modes By Internally generated RSA DSA Keys Default Setting An RSA and a DSA key are generated Users log on the SSH Server application and are automatically authenticated to open a session on the device when they supply the IP address of the ...

Page 408: ...he following steps STEP 1 Generate an RSA or DSA key on an external SSH client application such as PuTTY STEP 2 Enable SSH user authentication by public key or password in the SSH User Authentication page STEP 3 Enable Automatic Login if required see Automatic Login below STEP 4 Add a user in the SSH User Authentication page and copy in the public key generated externally STEP 5 Log onto an extern...

Page 409: ...cal user database You can prevent additional authentication by configuring the Automatic Login feature which works as follows Enabled If a user is defined in the local database and this user passed SSH Authentication using a public key the authentication by the local database username and password is skipped NOTE The configured authentication method for this specific management method console Teln...

Page 410: ...ey Fingerprint Fingerprint generated from the public keys STEP 3 Click Add to add a new user and enter the fields SSH User Name Enter a user name Key Type Select either RSA or DSA Public Key Copy the public key generated by an external SSH client application like PuTTY into this text box SSH Server Authentication A public and private RSA and DSA key are automatically generated when the device is b...

Page 411: ...nables you to delete a key Details Enables you to view the generated key The Details window also enables you to click Display Sensitive Data as Plaintext If this is clicked the keys are displayed as plaintext and not in encrypted form If the key is already being displayed as plaintext you can click Display Sensitive Data as Encrypted to display the text in encrypted form STEP 4 If new keys were co...

Page 412: ...Security SSH Server SSH Server Configuration Pages 395 Cisco Small Business 300 Series Managed Switch Administration Guide 20 ...

Page 413: ...or denied entry This section contains the following topics Access Control Lists Defining MAC based ACLs IPv4 based ACLs IPv6 Based ACLs Defining ACL Binding Access Control Lists An Access Control List ACL is an ordered list of classification filters and actions Each single classification rule together with its action is called an Access Control Element ACE Each ACE is made up of filters that disti...

Page 414: ...g fails at the port The order of the ACEs within the ACL is significant since they are applied in a first fit manner The ACEs are processed sequentially starting with the first ACE ACLs can be used for security for example by permitting or denying certain traffic flows and also for traffic classification and prioritization in the QoS Advanced mode NOTE A port can be either secured with ACLs or con...

Page 415: ...unbinding an ACL in order to modify it 1 If the ACL does not belong to a QoS Advanced Mode class map but it has been associated with an interface unbind it from the interface using the ACL Binding page 2 If the ACL is part of the class map and not bound to an interface then it can be modified 3 If the ACL is part of a class map contained in a policy bound to an interface you must perform the chain...

Page 416: ...CL To add rules ACEs to an ACL STEP 1 Click Access Control Mac Based ACE STEP 2 Select an ACL and click Go The ACEs in the ACL are listed STEP 3 Click Add STEP 4 Enter the parameters ACL Name Displays the name of the ACL to which an ACE is being added Priority Enter the priority of the ACE ACEs with higher priority are processed first One is the highest priority Action Select the action taken upon...

Page 417: ...0 0000 0000 0000 0000 0000 1111 1111 which means that you match on the bits where there is 0 and don t match on the bits where there are 1 s You need to translate the 1 s to a decimal integer and you write 0 for each four zeros In this example since 1111 1111 255 the mask would be written as 0 0 0 255 Source MAC Address Select Any if all source address are acceptable or User defined to enter a sou...

Page 418: ...s including wildcards DSCP IP precedence value NOTE ACLs are also used as the building elements of flow definitions for per flow QoS handling see QoS Advanced Mode The IPv4 Based ACL page enables adding ACLs to the system The rules are defined in the IPv4 Based ACE page IPv6 ACLs are defined in the IPv6 Based ACL page Defining an IPv4 based ACL To define an IPv4 based ACL STEP 1 Click Access Contr...

Page 419: ...CE criteria Deny Drop packets that meet the ACE criteria Shutdown Drop packet that meets the ACE criteria and disable the port to which the packet was addressed Ports are reactivated from the Port Management page Time Range Select to enable limiting the use of the ACL to a specific time range Time Range Name If Time Range is selected select the time range to be used Time ranges are defined in the ...

Page 420: ... Message Protocol EIGRP Enhanced Interior Gateway Routing Protocol OSPF Open Shortest Path First IPIP IP in IP PIM Protocol Independent Multicast L2TP Layer 2 Tunneling Protocol ISIS IGP specific protocol Protocol ID to Match Instead of selecting the name enter the protocol ID Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of so...

Page 421: ... following Any Match to all source ports Single Enter a single TCP UDP source port to which packets are matched This field is active only if 800 6 TCP or 800 17 UDP is selected in the Select from List drop down menu Range Select a range of TCP UDP source ports to which the packet is matched There are eight different port ranges that can be configured shared between source and destination ports TCP...

Page 422: ... be used for filtering purposes ICMP Code The ICMP messages can have a code field that indicates how to handle the message Select one of the following options to configure whether to filter on this code Any Accept all codes User defined Enter an ICMP code for filtering purposes IGMP If the ACL is based on IGMP select the IGMP message type to be used for filtering purposes Either select the message...

Page 423: ... Rules ACEs for an IPv6 Based ACL STEP 1 Click Access Control IPv6 Based ACE This window contains the ACE rules for a specified ACL group of rules STEP 2 Select an ACL and click Go All currently defined IP ACEs for the selected ACL are displayed STEP 3 Click Add STEP 4 Enter the parameters ACL Name Displays the name of the ACL to which an ACE is being added Priority Enter the priority ACEs with hi...

Page 424: ...Message Protocol ICMP Protocol ID to Match Enter the ID of the protocol to be matched Source IP Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source IP Address Value Enter the IP address to which the source IP address is to be matched and its mask if relevant Source IP Prefix Length Enter the prefix length of the sour...

Page 425: ...y Set Match if the flag is SET Unset Match if the flag is Not SET Dont care Ignore the TCP flag Type of Service The service type of the IP packet ICMP If the ACL is based on ICMP select the ICMP message type that is used for filtering purposes Either select the message type by name or enter the message type number If all message types are accepted select Any Any All message types are accepted Sele...

Page 426: ...CL but both cannot be bound To bind an ACL to an interface STEP 1 Click Access Control ACL Binding STEP 2 Select an interface type Ports LAGs Port or LAG STEP 3 Click Go For each type of interface selected all interfaces of that type are displayed with a list of their current ACLs Interface Identifier of interface MAC ACL ACLs of type MAC that are bound to the interface if any IPv4 ACL ACLs of typ...

Page 427: ...ket does not match an ACL it is denied dropped Enable If packet does not match an ACL it is permitted forwarded NOTE Permit Any can be defined only if IP Source Guard is not activated on the interface STEP 7 Click Apply The ACL binding is modified and the Running Configuration file is updated NOTE If no ACL is selected the ACL s that is previously bound to the interface is unbound ...

Page 428: ...Access Control Defining ACL Binding 411 Cisco Small Business 300 Series Managed Switch Administration Guide 21 ...

Page 429: ...ture is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components Configuring QoS General QoS Basic Mode QoS Advanced Mode Managing QoS Statistics ...

Page 430: ...eues Assigns incoming packets to forwarding queues Packets are sent to a particular queue for handling as a function of the traffic class to which they belong See Configuring QoS Queues Other Traffic Class Handling Attribute Applies QoS mechanisms to various classes including bandwidth management QoS Modes The QoS mode that is selected applies to all interfaces in the system Basic Mode Class of Se...

Page 431: ...o a single best effort queue so that no type of traffic is prioritized over another Only a single mode can be active at a time When the system is configured to work in QoS Advanced mode settings for QoS Basic mode are not active and vice versa When the mode is changed the following occurs When changing from QoS Advanced mode to any other mode policy profile definitions and class maps are deleted A...

Page 432: ...he CoS 802 1p to Queue page STEP 6 If required for Layer 3 traffic only assign a queue to each DSCP TC value by using the DSCP to Queue page STEP 7 Enter bandwidth and rate limits in the following pages a Set egress shaping per queue by using the Egress Shaping Per Queue page b Set ingress rate limit and egress shaping rate per port by using the Bandwidth page c Set VLAN ingress rate limit by usin...

Page 433: ...ed for all ports LAGs Interface Type of interface Default CoS Default VPT value for incoming packets that do not have a VLAN Tag The default CoS is 0 The default is only relevant for untagged frames and only if the system is in Basic mode and Trust CoS is selected in the Global Settings page Select Restore Defaults to restore the factory CoS default setting for this interface STEP 4 Click Apply Th...

Page 434: ...suming all queues are saturated and there is congestion queue 2 receives 2 15 queue 3 receives 4 15 and queue 4 receives 8 15 of the bandwidth The type of WRR algorithm used in the device is not the standard Deficit WRR DWRR but rather Shaped Deficit WRR SDWRR The queuing modes can be selected in the Queue page When the queuing mode is by strict priority the priority sets the order in which queues...

Page 435: ...ays the amount of bandwidth assigned to the queue These values represent the percent of the WRR weight STEP 3 Click Apply The queues are configured and the Running Configuration file is updated Mapping CoS 802 1p to a Queue The CoS 802 1p to Queue page maps 802 1p priorities to egress queues The CoS 802 1p to Queue Table determines the egress queues of the incoming packets based on the 802 1p prio...

Page 436: ...only if one of the following exists 5 4 Voice Cisco IP phone default 6 4 Interwork Control LVS phone RTP 7 4 Network Control 802 1p Values 0 7 7 being the highest Queue 4 queues 1 4 4 being the highest priority Notes 802 1p Values 0 7 7 being the highest Queue 8 queues 1 8 8 is the highest priority Standalone 7 Queues 8 is the highest priority used for stack control traffic stack Notes 0 1 1 Backg...

Page 437: ...ority egress queue and Queue1 is the lowest priority STEP 3 For each 802 1p priority select the Output Queue to which it is mapped STEP 4 Click Apply 801 1p priority values to queues are mapped and the Running Configuration file is updated Mapping DSCP to Queue The DSCP IP Differentiated Services Code Point to Queue page maps DSCP values to egress queues The DSCP to Queue Table determines the egre...

Page 438: ...4 46 38 30 22 14 6 Queue 3 3 4 3 3 2 1 1 DSCP 61 53 45 37 29 21 13 5 Queue 3 3 4 3 3 2 1 1 DSCP 60 52 44 36 28 20 12 4 Queue 3 3 4 3 3 2 1 1 DSCP 59 51 43 35 27 19 11 3 Queue 3 3 4 3 3 2 1 1 DSCP 58 50 42 34 26 18 10 2 Queue 3 3 4 3 3 2 1 1 DSCP 57 49 41 33 25 17 9 1 Queue 3 3 4 3 3 2 1 1 DSCP 56 48 40 32 24 16 8 0 Queue 3 3 4 3 3 2 1 1 Table 5 DSCP to Queue Default Mapping 8 Queues System 7 is hi...

Page 439: ...4 26 18 10 2 Queue 6 6 7 5 4 3 2 1 DSCP 57 49 41 33 25 17 9 1 Queue 6 6 7 5 4 3 2 1 DSCP 56 48 40 32 24 16 8 0 Queue 6 6 6 7 6 6 1 1 Table 6 DSCP to Queue Default Mapping 8 Queues System 8 is highest DSCP 63 55 47 39 31 23 15 7 Queue 7 7 8 6 5 4 3 1 DSCP 62 54 46 38 30 22 14 6 Queue 7 7 8 6 5 4 3 1 DSCP 61 53 45 37 29 21 13 5 Queue 7 7 8 6 5 4 3 1 DSCP 60 52 44 36 28 20 12 4 Queue 7 7 8 6 5 4 3 1 ...

Page 440: ...e two values Ingress Rate Limit and Egress Shaping Rate which determine how much traffic the system can receive and send The ingress rate limit is the number of bits per second that can be received from the ingress interface Excess bandwidth above this limit is discarded The following values are entered for egress shaping Committed Information Rate CIR sets the average maximum amount of data allow...

Page 441: ...efined in the field below Ingress Rate Limit Enter the maximum amount of bandwidth allowed on the interface NOTE The two Ingress Rate Limit fields do not appear when the interface type is LAG Ingress Committed Burst Size CBS Enter the maximum burst size of data for the ingress interface in bytes of data This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit...

Page 442: ...g per Queue The Egress Shaping Per Queue page displays the rate limit and burst size for each queue STEP 2 Select an interface type Port or LAG and click Go STEP 3 Select a Port LAG and click Edit This page enables shaping the egress for up to eight queues on each interface STEP 4 Select the Interface STEP 5 For each queue that is required enter the following fields Enable Shaping Select to enable...

Page 443: ... than one packet processor on the device the configured VLAN rate limit value is applied to each of the packet processors independently Devices with up to 24 ports have a single packet processor while devices of 48 ports or more have two packet processors To define the VLAN ingress rate limit STEP 1 Click Quality of Service General VLAN Ingress Rate Limit This page displays the VLAN Ingress Rate L...

Page 444: ...e initial packet classification and marking of these fields is done in the ingress of the trusted domain Workflow to Configure Basic QoS Mode To configure Basic QoS mode perform the following 1 Select Basic mode for the system by using the QoS Properties page 2 Select the trust behavior using the Global Setting page The device supports CoS 802 1p trusted mode and DSCP trusted mode CoS 802 1p trust...

Page 445: ...ing CoS 802 1p to Queue page DSCP All IP traffic is mapped to queues based on the DSCP field in the IP header The actual mapping of the DSCP to queue can be configured in the DSCP to Queue page If traffic is not IP traffic it is mapped to the best effort queue CoS 802 1p DSCP Either CoS 802 1p or DSCP whichever has been set STEP 3 Select Override Ingress DSCP to override the original DSCP values i...

Page 446: ...list of ports or LAGs QoS State displays whether QoS is enabled on the interface STEP 3 Select an interface and click Edit STEP 4 Select the Port or LAG interface STEP 5 Click to enable or disable QoS State for this interface STEP 6 Click Apply The Running Configuration file is updated QoS Advanced Mode Frames that match an ACL and were permitted entrance are implicitly labeled with the name of th...

Page 447: ...esired ports A policy and its class maps can be bound to one or more ports but each port is bound with at most one policy Notes Single policer and aggregation policer are available when the device is in Layer 2 mode An ACL can be configured to one or more class maps regardless of policies A class map can belong to only one policy When a class map using single policer is bound to multiple ports eac...

Page 448: ...Policy Class Map page You can also specify the QoS if needed by assigning a policer to a class map when you associate the class map to the policy Single Policer Create a policy that associates a class map with a single policer by using the Policy Table page and the Class Mapping page Within the policy define the single policer Aggregate Policer Create a QoS action for each flow that sends all matc...

Page 449: ... Not Trusted the Default CoS values configured on the interface are used for prioritizing the traffic arriving on the interface See the Quality of Service QoS Advanced Mode Global Settings page for details If you have a policy on an interface then the Default Mode is irrelevant the action is according to the policy configuration and unmatched traffic is dropped STEP 4 Select Override Ingress DSCP ...

Page 450: ... of that type of traffic to the DSCP value used in the other domain to identify the same type of traffic These settings are active when the system is in the QoS basic mode and once activated they are active globally For example Assume that there are three levels of service Silver Gold and Platinum and the DSCP incoming values used to mark these levels are 10 20 and 30 respectively If this traffic ...

Page 451: ...he list of defined class maps and the ACLs comprising each and enables you to add delete class maps To define a Class Map STEP 1 Click Quality of Service QoS Advanced Mode Class Mapping This page displays the already defined class maps STEP 2 Click Add A new class map is added by selecting one or two ACLs and giving the class map a name If a class map has two ACLs you can specify that a frame must...

Page 452: ...cer is configured with a QoS specification There are two kinds of policers Single Regular Policer A single policer applies the QoS to a single class map and to a single flow based on the policer s QoS specification When a class map using single policer is bound to multiple ports each port has its own instance of single policer each applying the QoS on the class map flow at ports that are otherwise...

Page 453: ...gning a policer to a class map is done when a class map is added to a policy If the policer is an aggregate policer you must create it using the Aggregate Policer page Defining Aggregate Policers An aggregate policer applies the QoS to one or more class maps therefore one or more flows An aggregation policer can support class maps from different policies and applies the QoS to all its flow s in ag...

Page 454: ...ing Configuration file is updated Configuring a Policy The Policy Table Map page displays the list of advanced QoS polices defined in the system The page also allows you to create and delete polices Only those policies that are bound to an interface are active see Policy Binding page Each policy consists of One or more class maps of ACLs which define the traffic flows in the policy One or more agg...

Page 455: ...ck Add STEP 4 Enter the parameters Policy Name Displays the policy to which the class map is being added Class Map Name Select an existing class map to be associated with the policy Class maps are created in the Class Mapping page Action Type Select the action regarding the ingress CoS 802 1p and or DSCP value of all the matching packets Use default trust mode Ignore the ingress CoS 802 1p and or ...

Page 456: ...he policy is a single policer Aggregate The policer for the policy is an aggregate policer Aggregate Policer Available in Layer 2 system mode only If Police Type is Aggregate select a previously defined in the Aggregate Policer page aggregate policer If Police Type is Single enter the following QoS parameters Ingress Committed Information Rate CIR Enter the CIR in Kbps See a description of this in...

Page 457: ...d unbound from all those ports to which it is bound NOTE It is possible to either bind a port to a policy or to an ACL but both cannot be bound To define policy binding STEP 1 Click Quality of Service QoS Advanced Mode Policy Binding STEP 2 Select a Policy Name and Interface Type if required STEP 3 Click Go The policy is selected STEP 4 Select the following for the policy interface Binding Select ...

Page 458: ...d when the device is in Layer 3 mode To view policer statistics STEP 1 Click Quality of Service QoS Statistics Single Policer Statistics This page displays the following fields Interface Statistics are displayed for this interface Policy Statistics are displayed for this policy Class Map Statistics are displayed for this class map In Profile Bytes Number of in profile bytes received Out of Profile...

Page 459: ...tics are displayed STEP 4 Click Apply An additional request for statistics is created and the Running Configuration file is updated Viewing Queues Statistics The Queues Statistics page displays queue statistics including statistics of forwarded and dropped packets based on interface queue and drop precedence NOTE QoS Statistics are shown only when the device is in QoS Advanced Mode only This chang...

Page 460: ...tal Packets Number of packets forwarded or tail dropped Tail Drop Packets Percentage of packets that were tail dropped STEP 2 Click Add STEP 3 Enter the parameters Counter Set Select the counter set Set 1 Displays the statistics for Set 1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a low...

Page 461: ... and queues with a low DP Interface Select the ports for which statistics are displayed The options are Port Selects the port on the selected unit number for which statistics are displayed All Ports Specifies that statistics are displayed for all ports Queue Select the queue for which statistics are displayed Drop Precedence Enter drop precedence that indicates the probability of being dropped STE...

Page 462: ...Quality of Service Managing QoS Statistics 445 Cisco Small Business 300 Series Managed Switch Administration Guide 22 ...

Page 463: ...pics SNMP Versions and Workflow Model OIDs SNMP Engine ID Configuring SNMP Views Creating SNMP Groups Managing SNMP Users Defining SNMP Communities Defining Trap Settings Notification Recipients SNMP Notification Filters SNMP Versions and Workflow The device functions as SNMP agent and supports SNMPv1 v2 and v3 It also reports system events to trap receivers using the traps defined in the supporte...

Page 464: ... defines a User Security Model USM that includes Authentication Provides data integrity and data origin authentication Privacy Protects against disclosure message content Cipher Block Chaining CBC DES is used for encryption Either authentication alone can be enabled on an SNMP message or both authentication and privacy can be enabled on an SNMP message However privacy cannot be enabled without aut...

Page 465: ...you choose to restrict SNMP management to one address then input the address of your SNMP Management PC in the IP Address field STEP 3 Input the unique community string in the Community String field STEP 4 Optionally enable traps by using the Trap Settings page STEP 5 Optionally define a notification filter s by using the Notification Filter page STEP 6 Configure the notification recipients on the...

Page 466: ...83 10 1 SG300 10MP 8 GE ports and 2 special purpose combo ports GE SFP 9 6 1 83 10 3 SG300 10P 8 GE ports and 2 special purpose combo ports GE SFP 9 6 1 83 10 2 SG300 20 16 GE ports and 4 special purpose ports 2 uplinks and 2 combo ports 9 6 1 83 20 1 SG300 28 24 GE ports and 4 special purpose ports 2 uplinks and 2 combo ports 9 6 1 83 28 1 SG300 28P 24 GE ports and 4 special purpose ports 2 uplin...

Page 467: ... unique for the administrative domain so that no two devices in a network have the same engine ID SF300 24 24 FE ports plus 4 GE special purpose ports 2 uplinks and 2 combo ports 9 6 1 82 24 1 SF300 24P 24 FE ports plus 4 GE special purpose ports 2 uplinks and 2 combo ports 9 6 1 82 24 2 SF300 48 48 FE ports plus 4 GE special purpose ports 2 uplinks and 2 combo ports 9 6 1 82 48 1 SF300 48P 48 FE ...

Page 468: ...octet Set to 3 to indicate the MAC address that follows Last 6 octets MAC address of the device None No engine ID is used User Defined Enter the local device engine ID The field value is a hexadecimal string range 10 64 Each byte in the hexadecimal character strings is represented by two hexadecimal digits All remote engine IDs and their IP addresses are displayed in the Remote Engine ID table STE...

Page 469: ...ddress or domain name of the log server Engine ID Enter the Engine ID STEP 5 Click Apply The Running Configuration file is updated Configuring SNMP Views A view is a user defined label for a collection of MIB subtrees Each subtree ID is defined by the Object ID OID of the root of the relevant subtrees Either well known names can be used to specify the root of the desired subtree or an OID can be e...

Page 470: ...excluded STEP 5 Click Apply STEP 6 In order to verify your view configuration select the user defined views from the Filter View Name list The following views exist by default Default Default SNMP view for read and read write views DefaultSuper Default SNMP view for administrator views Other views can be added Object ID Subtree Displays the subtree to be included or excluded in the SNMP view Objec...

Page 471: ...ick SNMP Groups This page contains the existing SNMP groups and their security levels STEP 2 Click Add STEP 3 Enter the parameters Group Name Enter a new group name Security Model Select the SNMP version attached to the group SNMPv1 v2 or v3 Three types of views with various security levels can be defined For each security level select the views for Read Write and Notify by entering the following ...

Page 472: ...elf Notify Limits the available content of the traps to those included in the selected view Otherwise there is no restriction on the contents of the traps This can only be selected for SNMPv3 STEP 4 Click Apply The SNMP group is saved to the Running Configuration file Managing SNMP Users An SNMP user is defined by the login credentials username passwords and authentication method and by the contex...

Page 473: ...Remote IP Address User is connected to a different SNMP entity besides the local device If the remote Engine ID is defined remote devices receive inform messages but cannot make requests for information Enter the remote engine ID Group Name Select the SNMP group to which the SNMP user belongs SNMP groups are defined in the Add Group page NOTE Users who belong to groups which have been deleted rema...

Page 474: ...ties Access rights in SNMPv1 and SNMPv2 are managed by defining communities in the Communities page The community name is a type of shared password between the SNMP management station and the device It is used to authenticate the SNMP management station Communities are only defined in SNMPv1 and v2 because SNMPv3 works with users instead of communities The users belong to groups that have access r...

Page 475: ...tion only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select whether it is received through a VLAN or ISATAP IP Addre...

Page 476: ...ity Group Name Select an SNMP group that determines the access rights STEP 4 Click Apply The SNMP Community is defined and the Running Configuration is updated Defining Trap Settings The Trap Settings page enables configuring whether SNMP notifications are sent from the device and for which cases The recipients of the SNMP notifications can be configured in the Notification Recipients SNMPv1 2 pag...

Page 477: ...nfiguring the destination to which SNMP notifications are sent and the types of SNMP notifications that are sent to each destination traps or informs The Add Edit pop ups enable configuring the attributes of the notifications An SNMP notification is a message sent from the device to the SNMP management station indicating that a certain event has occurred such as a link up down It is also possible ...

Page 478: ...P Port Enter the UDP port used for notifications on the recipient device Notification Type Select whether to send Traps or Informs If both are required two recipients must be created Timeout Enter the number of seconds the device waits before re sending informs Retries Enter the number of times that the device resends an inform request Community String Select from the pull down the community strin...

Page 479: ... on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 Address Type Link Local is selected from the pull down list Recipient I...

Page 480: ...ated nor encrypted Authentication Indicates the packet is authenticated but not encrypted Privacy Indicates the packet is both authenticated and encrypted Notification Filter Select to enable filtering the type of SNMP notifications sent to the management station The filters are created in the Notification Filter page Filter Name Select the SNMP filter that defines the information contained in tra...

Page 481: ...filter The options to select the object are as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected node s parent and siblings press the Down arrow to descend to the level of the selected node s children Click nodes in the view to pass from one node to its sibling Use the scrollbar to bring siblings in view If Object ID is used the ent...

Page 482: ...SNMP SNMP Notification Filters 465 Cisco Small Business 300 Series Managed Switch Administration Guide 23 ...

Page 483: ...of Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Search results

Summary of Contents for Small Business 300

Reviews:

Related manuals for Small Business 300

Brands by name

Popular brands

Cisco Small Business 300, Administration Manual

Search results

Summary of Contents for Small Business 300

Reviews:

Related manuals for Small Business 300

Brands by name

Popular brands