manualshive.com logo in svg

Cisco SRW208MP, Administration Manual

The Cisco SRW208MP Administration Manual is a comprehensive guide for managing and configuring your Cisco SRW208MP switch. With a focus on simplicity and functionality, this manual provides step-by-step instructions and troubleshooting tips. Download the free manual from manualshive.com to enhance your networking capabilities effortlessly.

Share
Download
background image

Secure Sensitive Data

Configuring SSD

Cisco Small Business 200 Series Smart Switch Administration Guide 

269

19

To configure SSD rules:

STEP 1

Click 

Security

 > 

Secure Sensitive Data Management 

SSD Rules

. The 

SSD 

Rules 

page

 

is displayed.

The currently-defined rules are displayed.

STEP  2

To add a new rule, click Add. Enter the following fields:

User

—This defines the user(s) to which the rule applies: Select one of the 

following options:

-

Specific User—

Select and enter the specific user name to which this rule 

applies (this user does not necessarily have to be defined).

-

Default User (cisco)—

Indicates that this rule applies to the default user.

-

Level 15—

Indicates that this rule applies to all users with privilege level 

15.

-

All—

Indicates that this rule applies to all users.

Channel

—This defines the security level of the input channel to which the 

rule applies: Select one of the following options:

-

Secure—

Indicates that this rule applies only to secure channels 

(console, SSH and HTTPS), not including the XML channels.

-

Insecure

—Indicates that this rule applies only to insecure channels 

(Telnet, TFTP and HTTP), not including the XML channels.

-

Secure XML SNMP

—Indicates that this rule applies only to XML over 

HTTPS with privacy.

-

Insecure XML SNMP

—Indicates that this rule applies only to XML over 

HTTP or  without privacy.

Read Permission—The read permissions associated with the rule. These 
can be the following:

-

Exclude

—Lowest read permission. Users are not permitted to get 

sensitive data in any form.

-

Plaintext Only

—Higher read permission than above ones. Users are 

permitted to get sensitive data in plaintext only.

-

Encrypted Only

—Middle read permission. Users are permitted to get 

sensitive data as encrypted only.

Summary of Contents for SRW208MP

Page 1: ...Cisco Small Business 200 Series Smart Switch Administration Guide Release 1 2 7 ADMINISTRATION GUIDE ...

Page 2: ...Statistics 12 Viewing 802 1X EAP Statistics 13 Managing RMON 15 Chapter 3 Managing System Logs 18 Setting System Log Settings 18 Setting Remote Logging Settings 20 Viewing Memory Logs 21 Chapter 4 Managing System Files 23 Types of System Files 23 Upgrade Backup Firmware Language 27 Downloading or Backing up a Configuration or Log 29 Viewing Configuration Files Properties 32 Copying Configuration F...

Page 3: ...esting Copper Ports 56 Displaying Optical Module Status 58 Configuring Port and VLAN Mirroring 59 Viewing CPU Utilization and Secure Core Technology 61 Chapter 8 Configuring Discovery 63 Configuring Bonjour Discovery 63 LLDP and CDP 64 Configuring LLDP 65 Configuring CDP 86 Chapter 9 Port Management 95 Configuring Ports 95 Setting Basic Port Configuration 96 Configuring Link Aggregation 98 Configu...

Page 4: ...tport Macros 132 Chapter 11 Managing Power over Ethernet Devices 156 PoE on the Switch 156 Configuring PoE Properties 158 Configuring the PoE Power Priority and Class 159 Chapter 12 VLAN Management 163 VLANs 163 Configuring Default VLAN Settings 166 Creating VLANs 167 Configuring VLAN Interface Settings 168 Defining VLAN Membership 170 Voice VLAN 174 Chapter 13 Configuring the Spanning Tree Protoc...

Page 5: ...P Snooping 207 MLD Snooping 209 Querying IGMP MLD IP Multicast Group 212 Defining Multicast Router Ports 213 Defining Forward All Multicast 214 Defining Unregistered Multicast Settings 215 Chapter 16 Configuring IP Information 217 Management and IP Interfaces 217 Configuring ARP 229 Domain Name Systems 231 Chapter 17 Configuring Security 235 Defining Users 236 Configuring RADIUS 239 Configuring Ma...

Page 6: ...n 262 SSL Server Authentication Settings 262 Chapter 19 Secure Sensitive Data 264 Introduction to the SSD Feature 264 SSD Management 265 SSD Properties 270 Configuration Files 271 Encryption of Sensitive Data 278 SSD Management Channels 279 Menu CLI and Password Recovery 280 Configuring SSD 280 282 Chapter 20 Configuring Quality of Service 283 QoS Features and Components 284 Configuring QoS Genera...

Page 7: ...te the web based switch configuration utility If you are using a pop up blocker make sure it is disabled Browsers have the following restrictions If you are using older versions of Internet Explorer you cannot directly use an IPv6 address to access the switch You can however use the DNS Domain Name System server to create a domain name that contains the IPv6 address and then use that domain name i...

Page 8: ...ur browser requests Chinese for example and Chinese has been loaded into your switch the Login page is automatically displayed in Chinese If Chinese has not been loaded into your switch the Login page is displayed in English The languages loaded into the switch have a language and country code en US en GB and so on For the Login page to be automatically displayed in a particular language based on ...

Page 9: ...ror message is displayed and the Login page remains displayed on the window Select Don t show this page on startup to prevent the Getting Started page from being displayed each time that you log on to the system If you select this option the System Summary page is opened instead of the Getting Started page HTTP HTTPS You can either open an HTTP session not secured by clicking Log In or you can ope...

Page 10: ...ge When the switch auto discovers a device such as an IP phone see Chapter 10 What is a Smartport and it configures the port appropriately for the device These configuration commands are written to the Running Configuration file This causes the Save icon to begin blinking when the you log on even though you did not make any configuration changes When you click Save the Copy Save Configuration page...

Page 11: ...aming Conventions Within the GUI interfaces are denoted by concatenating the following elements Links on the Getting Started page Category Link Name on the Page Linked Page Change Management Applications and Services TCP UDP Services page Change Device IP Address IPv4 Interface page Create VLAN Create VLAN page Configure Port Settings Port Setting page Device Status System Summary System Summary p...

Page 12: ...owing types of interfaces are found on the various types of devices Fast Ethernet 10 100 bits These are displayed as FE Gigabit Ethernet ports 10 100 1000 bits These are displayed as GE LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Interface Number Port LAG tunnel or VLAN ID ...

Page 13: ...n made that have not yet been saved to the Startup Configuration file The flashing of the red X can be disabled on the Copy Save Configuration page Click Save to display the Copy Save Configuration page Save the Running Configuration file by copying it to the Startup Configuration file type on the switch After this save the red X icon and the Save application link are no longer displayed When the ...

Page 14: ...disappear and in their place are the IDs of the strings that correspond to the IDs in the language file NOTE To upgrade a language file use the Upgrade Backup Firmware Language page Logout Click to log out of the web based switch configuration utility About Click to display the switch name and switch version number Help Click to display the online help The SYSLOG Alert Status icon is displayed whe...

Page 15: ...ning Configuration to the Startup Configuration file type on the switch Apply Click to apply changes to the Running Configuration on the switch If the switch is rebooted the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Configuratio...

Page 16: ... destination entry numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The Edit page opens and the entry can be modified 1 Click Apply to save the changes to the Running Conf...

Page 17: ...the amount of traffic that is both sent and received and its dispersion Unicast Multicast and Broadcast To display Ethernet statistics and or set the refresh rate STEP 1 Click Status and Statistics Interface The Interface page is displayed STEP 2 Enter the parameters Interface Select the type of interface and specific interface for which Ethernet statistics are to be displayed Refresh Rate Select ...

Page 18: ...ing bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets transmitted Multicast Packets Good Multicast packets transmitted Broadcast Packets Good Broadcast packets transmitted To clear statistics counters Click Clear Interface Counters to clear counters for the interface displayed Click Clear All Interface Counters to clear counters for all interfaces Viewing E...

Page 19: ...irst 512 bits of data Excessive Collisions Number of transmissions rejected due to excessive collisions Oversize Packets Packets greater than 2000 octets received Internal MAC Receive Errors Frames rejected because of receiver errors Pause Frames Received Received flow control pause frames Pause Frames Transmitted Flow control pause frames transmitted from the selected interface To clear statistic...

Page 20: ...t EAP Response ID Frames Received EAP Resp ID frames received on the port EAP Response Frames Received EAP Response frames received by the port other than Resp ID frames EAP Request ID Frames Transmitted EAP Req ID frames transmitted by the port EAP Request Frames Transmitted EAP Request frames transmitted by the port Invalid EAPOL Frames Received Unrecognized EAPOL frames received on this port EA...

Page 21: ... event has not been detected Late collision event has not been detected Received Rx error event has not been detected Packet has a valid CRC To view RMON statistics and or set the refresh rate STEP 1 Click Status and Statistics RMON Statistics The Statistics page is displayed STEP 2 Select the Interface for which Ethernet statistics are to be displayed STEP 3 Select the Refresh Rate the time perio...

Page 22: ...d FCS with a non integral octet Alignment Error number A Jabber packet is defined as an Ethernet frame that satisfies the following criteria Packet data length is greater than MRU Packet has an invalid CRC Received Rx Error Event has not been detected Collisions Number of collisions received If Jumbo Frames are enabled the threshold of Jabber Frames is raised to the maximum size of Jumbo Frames Fr...

Page 23: ...mall Business 200 Series Smart Switch Administration Guide 24 2 To clear statistics counters Click Clear Interface Counters to clear the selected interface s counters Click Clear All Interface Counters to clear the counters of all interfaces ...

Page 24: ...nd persists across reboots In addition you can send messages to remote SYSLOG servers in the form of SYSLOG messages This section covers the following sections Setting System Log Settings Setting Remote Logging Settings Viewing Memory Logs Setting System Log Settings You can enable or disable logging on the Log Settings page and select whether to aggregate log messages You can select the events by...

Page 25: ...gher severity events to be automatically stored in the log Lower severity events are not stored in the log For example if Warning is selected all severity levels that are Warning and higher are stored in the log Emergency Alert Critical Error and Warning No events with severity level below Warning are stored Notice Informational and Debug To set global log parameters STEP 1 Click Administration Sy...

Page 26: ... page opens This page displays the list of remote log servers STEP 2 Click Add The Add Remote Log Server page opens STEP 3 Enter the parameters Server Definition Select whether to identify the remote log server by IP address or name IP Version Select the supported IP format IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifie...

Page 27: ... closes the SYSLOG server is added and the Running Configuration file is updated Viewing Memory Logs The switch can write to the following logs Log in RAM cleared during reboot Log in Flash memory cleared only upon user command You can configure the messages that are written to each log by severity and a message can go to more than one log including logs that reside on external SYSLOG servers RAM ...

Page 28: ...he messages that were stored in the Flash memory in chronological order The minimum severity for logging is configured in the Log Settings page Flash logs remain when the switch is rebooted You can clear the logs manually To view the Flash logs click Status and Statistics View Log Flash Memory The Flash Memory page opens This page displays the following fields Log Index Log entry number Log Time T...

Page 29: ...are files that contain configuration information firmware images or boot code Various actions can be performed with these files such as selecting the firmware file from which the switch boots copying various types of configuration files internally on the switch or copying files to or from an external device such as an external server The possible methods of file transfer are Internal copy HTTP HTT...

Page 30: ...rameter values on the device If the switch is rebooted the Running Configuration is lost The Startup Configuration stored in Flash overwrites the Running Configuration stored in RAM To preserve any changes you made to the switch you must save the Running Configuration to the Startup Configuration or another file type Startup Configuration The parameter values that were saved by copying another con...

Page 31: ...les the web based configuration utility windows to be displayed in the selected language Flash Log SYSLOG messages stored in Flash memory File Actions The following actions can be performed to manage firmware and configuration files Upgrade the firmware or boot code or replace a second language as described in Upgrade Backup Firmware Language section Save configuration files on the switch to a loc...

Page 32: ... can be selected from the drop down menu It is not necessary to reboot the switch A single firmware image is stored on the switch After new firmware has been successfully loaded into the switch the device needs to be rebooted prior to the new firmware taking effect The Summary page continues to show the previous image prior to the reboot Upgrading Backing Up Firmware or Language File To upgrade or...

Page 33: ...twork link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Sele...

Page 34: ...the imported file adds any configuration commands that did not exist in the old file and overwrites any parameter values in the existing configuration commands When restoring a configuration file to the Startup Configuration or a backup configuration file the new file replaces the previous file When restoring to Startup Configuration the switch must be rebooted for the restored Startup Configurati...

Page 35: ...ly one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks d Link Local Interface Select the link local interface from the list e TFTP Server Enter the IP address of the TFTP server f Source File Name Enter the sour...

Page 36: ...he source configuration file type Only valid file types are displayed The file types are described in the Files and File Types section g Sensitive Data Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypted Include sensitive data in the backup in its encrypted form Plaintext Include sensitive...

Page 37: ...ource File Type Select the configuration file type Only valid file types are displayed The file types are described in the Files and File Types section b Sensitive Data Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypted Include sensitive data in the backup in its encrypted form Plaintext ...

Page 38: ...files This page provides the following fields Configuration File Name Displays the type of file Creation Time Displays the date and time that file was modified Copying Configuration Files When you click Apply on any window changes that you made to the switch configuration settings are stored only in the Running Configuration To preserve the parameters in the Running Configuration the Running Confi...

Page 39: ... in the backup file in encrypted form Plaintext Sensitive data is included in the backup file in plain text NOTE The available sensitive data options are determined by the current user SSD rules For details refer to Secure Sensitive Data Management SSD Rules page STEP 4 The Save Icon Blinking field indicates whether an icon blinks when there is unsaved data To disable enable this feature click Dis...

Page 40: ...ns sname and siaddr and DHCP option 150 or option 66 This is an optional parameter Backup Configuration File Name You can specify the backup configuration filename This file is used if no filename was specified in the DHCP message This is an optional parameter Auto Configuration Process When the Auto Configuration process is triggered the following sequence of events occurs The DHCP server is acce...

Page 41: ...rocess is completed Configuring DHCP Auto Configuration The DHCP Auto Configuration page is used to perform the following actions when the information is not provided in a DHCP message Enable DHCP auto configuration feature Specify the download protocol Configure the switch to receive configuration information from a specific file on a specific server Note the following regarding the DHCP auto con...

Page 42: ...if no server IP address was specified in the DHCP message Backup Configuration File Name Enter the path and file name of the file to be used if no configuration file name was specified in the DHCP message The window displays the following Last Auto Configuration Server IP Address Displays the IP address of the TFTP server last used to perform auto configuration Last Auto Configuration File Name Di...

Page 43: ... Timeout Pinging a Host Switch Models All models can be fully managed through the web based switch configuration utility In Layer 2 system mode the switch forwards packets as a VLAN aware bridge In Layer 3 system mode the switch performs both IPv4 routing and VLAN aware bridging NOTE The following port conventions are used GE is used for Gigabit Ethernet 10 100 1000 ports FE is used for Fast Ether...

Page 44: ...P SLM2024PT 24 GE ports 2 GE special purpose combo ports 100W 12 ports FE1 FE6 FE13 FE18 SG200 50 SLM2048T 48 GE ports 2 GE special purpose combo ports SG200 50P SLM2048PT 48 GE ports 2 GE special purpose combo ports 180W 24 ports FE1 FE12 FE25 FE36 SF200 24 SLM224GT 24 FE ports 2 GE special purpose combo ports SF200 24P SLM224PT 24 FE ports 2 GE special purpose combo ports 100W 12 ports FE1 FE6 F...

Page 45: ...tion System Contact Name of a contact person Click Edit to go the System Settings page to enter this information Host Name Name of the switch Click Edit to go the System Settings page to enter this information By default the switch hostname is composed of the word switch concatenated with the three least significant bytes of the switch MAC address the six furthest right hexadecimal digits System U...

Page 46: ...the switch System Location Enter the location where the switch is physically located System Contact Enter the name of a contact person Host Name Select the host name of this switch This is used in the prompt of CLI commands Use Default The default hostname System Name of these switches is switch123456 where 123456 represents the last three bytes of the switch MAC address in hex format User Defined...

Page 47: ... or Log section in the Managing System Files section To reboot the switch STEP 1 Click Administration Reboot The Reboot page opens STEP 2 Click one of the Reboot buttons to reboot the switch Clear Startup Configuration File Check to clear the configuration on the switch for the next time it boots up Reboot Reboots the switch Since any unsaved information in the Running Configuration is discarded w...

Page 48: ... for the specific model Temperature in Celsius and Fahrenheit The internal temperature of the switch for devices with temperature sensors Alarm Temperature in Celsius and Fahrenheit The internal temperature of the unit for relevant devices that triggers an alarm Defining Idle Session Timeout The Idle Session Timeout configures the time interval during which the HTTP session can remain idle before ...

Page 49: ...hosts by their IP address or name IP Version If the host is identified by its IP address select either IPv4 or IPv6 to indicate that it will be entered in the selected format IPv6 Address Type Select Link Local or Global as the type of IPv6 address to enter Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and c...

Page 50: ...r not Choose to use the default interval or specify your own value Number of Pings The number of times the ping operation is performed Choose to use the default or specify your own value Status Displays whether the ping succeeded or failed STEP 3 Click Activate Ping to ping the host The ping status is displayed and another message is added to the list of messages indicating the result of the ping ...

Page 51: ...nfusion in shared file systems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The switch supports Simple Network Time Protocol SNTP and when enabled the switch dynamically synchronizes the switch time with time f...

Page 52: ... time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration in order to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device sets the time from the ...

Page 53: ...n order for dynamic time zone configuration to take place SNTP Modes The switch can receive the system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the switch listens to these broadcasts When the switch is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmission active mode The s...

Page 54: ...ttings Select the source used to set the system clock Main Clock Source SNTP Servers If you enable this the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the SNTP Interface Settings page Optionally enforce authentication of the SNTP sessions by using the SNTP Authentication page Alternate Clock Source PC via active HTTP HT...

Page 55: ...e For example the Time Zone Offset for Paris is GMT 1 while the Time Zone Offset for New York is GMT 5 Daylight Savings Settings Select how DST is defined Daylight Savings Select to enable Daylight Saving Time Time Set Offset Enter the number of minutes offset from GMT ranging from 1 1440 The default is 60 Daylight Savings Type Click one of the following USA DST is set according to the dates used ...

Page 56: ... Unicast SNTP servers can be configured NOTE To specify a Unicast SNTP server by name you must first configure DNS server s on the switch see the Defining DNS Servers section In order to add a Unicast SNTP server check the box to enable SNTP Client Unicast To add a Unicast SNTP server STEP 1 Click Administration Time Settings SNTP Unicast The SNTP Unicast page opens This page displays the followin...

Page 57: ... this delay using the algorithm described in RFC 2030 STEP 2 To add a Unicast SNTP server enable SNTP Client Unicast STEP 3 Click Add to display the Add SNTP Server page STEP 4 Enter the following parameters Server Definition Select if the SNTP server is going to be identified by its IP address or if you are going to select a well known SNTP server by name from the list NOTE To specify a well know...

Page 58: ... the lowest stratum is considered to be the primary server The server with the next lowest stratum is a secondary server and so forth If the primary server is down the switch polls all servers with the polling setting enabled and selects a new primary server with the lowest stratum Authentication Select the check box to enable authentication Authentication Key ID If authentication is enabled selec...

Page 59: ... server is associated with a key which is used as input together with the response itself to the MD5 function the result of the MD5 is also included in the response packet The SNTP Authentication page enables configuration of the authentication keys that are used when communicating with an SNTP server that requires authentication The authentication key is created on the SNTP server in a separate p...

Page 60: ...D Enter the number used to identify this SNTP authentication key internally Authentication Key Enter the key used for authentication up to eight characters The SNTP server must send this key for the switch to synchronize to it Trusted Key Select to enable the switch to receive synchronization information only from a SNTP server by using this authentication key STEP 6 Click Apply The SNTP Authentic...

Page 61: ...cable tests performed on copper cables by the Virtual Cable Tester VCT VCT performs two types of tests Time Domain Reflectometry TDR technology tests the quality and characteristics of a copper cable attached to a port Cables of up to 140 meters long can be tested These results are displayed in the Test Results block of the Copper Test page DSP based tests are performed on active GE links to measu...

Page 62: ...evice are disrupted To test copper cables attached to ports STEP 1 Click Administration Diagnostics Copper Test The Copper Test page opens STEP 2 Select the port on which to run the test STEP 3 Click Copper Test STEP 4 When the message is displayed click OK to confirm that the link can go down or Cancel to abort the test The following fields are displayed in the Test Results block Last Update Time...

Page 63: ...s NOTE TDR tests cannot be performed when the port speed is 10Mbit Sec Displaying Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable transceiver Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF 8472 MSA compatible SFPs The following FE SFP 100Mbps t...

Page 64: ...is operating Voltage SFP s operating voltage Current SFP s current consumption Output Power Transmitted optical power Input Power Received optical power Transmitter Fault Remote SFP reports signal loss Values are True False and No Signal N S Loss of Signal Local SFP reports signal loss Values are True and False Data Ready SFP is operational Values are True and False Configuring Port and VLAN Mirro...

Page 65: ...AN Mirroring The Port and VLAN Mirroring page opens This page displays the following fields Destination Port Port to which traffic is to be copied the analyzer port Source Interface Interface port or VLAN from which traffic is sent to the analyzer port Type Type of monitoring incoming to the port Rx outgoing from the port Tx or both Status Displays one of the following values Active Both source an...

Page 66: ...s added to the Running Configuration Viewing CPU Utilization and Secure Core Technology This section describes the Secure Core Technology SCT and how to view CPU usage The switch handles the following types of traffic in addition to end user traffic Management traffic Protocol traffic Snooping traffic Excessive traffic burdens the CPU and might prevent normal switch operation The switch uses the S...

Page 67: ...Diagnostics CPU Utilization The CPU Utilization page opens The CPU Input Rate field displays the rate of input frames to the CPU per second The window displays a graph of the CPU utilization The Y axis is percentage of usage and the X axis is the sample number STEP 2 Select the Refresh Rate time period in seconds that passes before the statistics are refreshed A new sample is created for each time...

Page 68: ...le or disable the switch services The switch can be discovered by a network management system or other third party applications By default Bonjour is enabled and runs on the Management VLAN The Bonjour console automatically detects the device and displays it Bonjour in Layer 2 System Mode Bonjour Discovery can only be enabled globally and not on a per port or per VLAN basis The switch advertises t...

Page 69: ... as required by the protocols In LLDP and CDP advertisements are encoded as TLV Type Length Value in the packet The following CDP LLDP configuration notes apply CDP LLDP can be globally enabled or disabled and enabled disabled per port The CDP LLDP capability of a port is relevant only if CDP LLDP is globally enabled If CDP LLDP is globally enabled the switch filters out incoming CDP LLDP packets ...

Page 70: ...ce the switch transmits and receives CDP LLDP packets to and from the interface only if the interface is authenticated and authorized If a port is the target of mirroring then according to CDP LLDP it is considered down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise themselves and their capabilities In deployments where the CDP LLDP capable ...

Page 71: ...tocol By default the switch terminates and processes all incoming LLDP packets as required by the protocol The LLDP protocol has an extension called LLDP Media Endpoint Discovery LLDP MED which provides and accepts information from media endpoint devices such as VoIP phones and video phones For further information about LLDP MED see LLDP MED LLDP Configuration Workflow Following are examples of ac...

Page 72: ...f LLDP is not enabled select the action to be taken if a packet that matches the selected criteria is received Filtering Delete the packet Flooding Forward the packet to all VLAN members TLV Advertise Interval Enter the rate in seconds at which LLDP advertisement updates are sent or use the default Topology Change System Log Notification Interval Enter the minimum time interval between system log ...

Page 73: ...P MED Port Settings page and the management address TLV of the switch may be configured To define the LLDP port settings STEP 1 Click Administration Discovery LLDP Port Settings The Port Settings page opens This page displays the port LLDP information STEP 2 Select a port and click Edit The Edit LLDP Port Settings page opens This page provides the following fields Interface Select the port to edit...

Page 74: ...hone DOCSIS cable device and station respectively Bits 8 through 15 are reserved 802 3 MAC PHY Duplex and bit rate capability and the current duplex and bit rate settings of the sending device It also indicates whether the current settings are due to auto negotiation or manual configuration 802 3 Link Aggregation Whether the link associated with the port on which the LLDP PDU is transmitted can be...

Page 75: ...a Endpoint Discovery LLDP MED is an extension of LLDP that provides the following additional capabilities to support media endpoint devices Some of the features of the LLDP Med Network Policy are Enables the advertisement and discovery of network polices for real time applications such as voice and or video Device location discovery to allow creation of location databases and in the case of Voice ...

Page 76: ...lly create the VLANs and their port memberships according to the network policies and their associated interfaces In addition an administrator can instruct the switch to automatically generate and advertise a network policy for voice application based on the voice VLAN maintained by the switch Refer the Auto Voice VLAN section for details on how the switch maintains its voice VLAN To define an LLD...

Page 77: ... MED Port Settings Configuring LLDP MED Port Settings The LLDP MED Port Settings page enables the selection of the LLDP MED TLVs and or the network policies to be included in the outgoing LLDP advertisement for the desired interfaces Network Policies are configured using the LLDP MED Network Policy page NOTE If LLDP MED Network Policy for Voice Application LLDP MED Network Policy Page is Auto and ...

Page 78: ...Selected Optional TLVs list Available Network Policies Select the LLDP MED policies to be published by LLDP by moving them to the Selected Network Policies list These were created in the LLDP MED Network Policy page To include one or more user defined network polices in the advertisement you must also select Network Policy from the Available Optional TLVs NOTE The following fields must be entered ...

Page 79: ...hassis ID for example MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the switch is displayed System Name Name of switch System Description Description of the switch in alpha numeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled System Capabilities Primary enabled function ...

Page 80: ...r example the MAC address Chassis ID Identifier of chassis Where the chassis ID subtype is a MAC address the MAC address of the switch is displayed System Name Name of switch System Description Description of the switch in alpha numeric format Supported System Capabilities Primary functions of the device such as Bridge WLAN AP or Router Enabled System Capabilities Primary enabled function s of the...

Page 81: ...a conversion from the Ethernet interfaces collision detection and bit injection into the network for example 100BASE TX full duplex mode 802 3 Details 802 3 Maximum Frame Size The maximum supported IEEE 802 3 frame size 802 3 Link Aggregation Aggregation Capability Indicates whether the interface can be aggregated Aggregation Status Indicates whether the interface is aggregated Aggregation Port ID...

Page 82: ...s offering media streaming capabilities as well as all Class 1 features Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support and device information management capabilities PoE Device Type Port PoE type for example powered PoE Power Source Port power source PoE Power Priority Port power priority PoE Power Value P...

Page 83: ...cy DSCP Displaying LLDP Neighbors Information The LLDP Neighbors Information page displays information that was received from neighboring devices After timeout based on the value received from the neighbor Time To Live TLV during which no LLDP PDU was received from a neighbor the information is deleted To view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbors...

Page 84: ...formation about the port including manufacturer product name and hardware software version System Name Name of system that is published System Description Description of the network entity in alpha numeric format This includes the system name and versions of the hardware operating system and networking software supported by the device The value equals the sysDescr object Supported System Capabilit...

Page 85: ...ll duplex mode 802 3 Power via MDI MDI Power Support Port Class Advertised power support port class PSE MDI Power Support Indicates if MDI power is supported on the port PSE MDI Power State Indicates if MDI power is enabled on the port PSE Power Pair Control Ability Indicates if power pair control is supported on the port PSE Power Pair Power pair control type supported on the port PSE Power Class...

Page 86: ... MED endpoint device class The possible device classes are Endpoint Class 1 Indicates a generic endpoint class offering basic LLDP services Endpoint Class 2 Indicates a media endpoint class offering media streaming capabilities as well as all Class 1 features Endpoint Class 3 Indicates a communications device class offering all Class 1 and Class 2 features plus location 911 Layer 2 switch support ...

Page 87: ...tion Enter the following data structures in hexadecimal as described in section 10 2 4 of the ANSI TIA 1057 standard Civic Civic or street address Coordinates Location map coordinates latitude longitude and altitude ECS ELIN Device s Emergency Call Service ECS Emergency Location Identification Number ELIN Unknown Unknown location information Network Policies Application Type Network policy applica...

Page 88: ...rded Errors Total number of received frames with errors Rx TLVs Discarded Total number of received TLVs that were discarded Unrecognized Total number of received TLVs that were unrecognized Neighbor s Information Deletion Count Number of neighbor ageouts on the interface STEP 2 Click Refresh to view the latest statistics LLDP Overloading LLDP adds information as LLDP and LLDP MED TLVs into the LLD...

Page 89: ... port select it and click Details The LLDP Overloading Details opens This page displays the following information for each TLV sent on the port LLDP Mandatory TLVs Size Bytes Total mandatory TLV byte size Status If the mandatory TLV group is being transmitted or if the TLV group was overloaded LLDP MED Capabilities Size Bytes Total LLDP MED capabilities packets byte size Status If the LLDP MED cap...

Page 90: ...LDP MED 802 3 TLVs packets were sent or if they were overloaded LLDP Optional TLVs Size Bytes Total LLDP MED optional TLVs packets byte size Status If the LLDP MED optional TLVs packets were sent or if they were overloaded LLDP MED Inventory Size Bytes Total LLDP MED inventory TLVs packets byte size Status If the LLDP MED inventory packets were sent or if they were overloaded Total Bytes Total num...

Page 91: ...o proprietary protocol CDP Configuration Workflow The followings is sample workflow in configuring CDP on the switch You can also find additional CDP configuration guidelines in the LLDP CDP section STEP 1 Enter the CDP global parameters using the CDP Properties page STEP 2 Configure CDP per interface using the Interface Setting page STEP 3 If Auto Smartport is to detect the capabilities of CDP de...

Page 92: ...ter is incremented CDP Version Select the version of CDP to use CDP Hold Time Amount of time that CDP packets are held before the packets are discarded measured in multiples of the TLV Advertise Interval For example if the TLV Advertise Interval is 30 seconds and the Hold Multiplier is 4 then the LLDP packets are discarded after 120 seconds The following options are possible Use Default Use the de...

Page 93: ...incoming frame does not match what the local device is advertising STEP 3 Click Apply The LLDP properties are defined Editing CDP Interface Settings Use the Interface Settings page to activate LLDP and remote log server notification per port and to select the TLVs included in LLDP PDUs By setting these properties it is possible to select the types of information to be provided to devices that supp...

Page 94: ...e fields are operational when the switch has been set up to send traps to the management station Syslog Voice VLAN Mismatch Select to enable the option of sending a SYSLOG message when a voice VLAN mismatch is detected This means that the voice VLAN information in the incoming frame does not match what the local device is advertising Syslog Native VLAN Mismatch Select to enable the option of sendi...

Page 95: ...nabled or not Device ID TLV Device ID Type Type of the device ID advertised in the device ID TLV Device ID Device ID advertised in the device ID TLV System Name TLV System Name System name of the device Address TLV Address1 3 IP addresses advertised in the device address TLV Port TLV Port ID Identifier of port advertised in the port TLV Capabilities TLV Capabilities Capabilities advertised in the ...

Page 96: ...trusted Ports If Extended Trust is disabled on the port this fields displays the Layer 2 CoS value meaning an 802 1D 802 1p priority value This is the COS value with which all packets received on an untrusted port are remarked by the device Power TLV Request ID Last power request ID received echoes the Request ID field last received in a Power Requested TLV It is 0 if no Power Requested TLV was re...

Page 97: ... ID Neighbor s device ID System name Neighbor s system name Local Interface Number of the local port to which the neighbor is connected Advertisement Version CDP protocol version Time to Live sec Time interval in seconds after which the information for this neighbor is deleted Capabilities Capabilities advertised by neighbor Platform Information from Platform TLV of neighbor Neighbor Interface Out...

Page 98: ...ect all connected devices if from CDP and if Auto Smartport is enabled change all port types to default Viewing CDP Statistics The CDP Statistics page displays information regarding Cisco Discovery Protocol CDP frames that were sent or received from a port CDP packets are received from devices attached to the switches interfaces and are used for the Smartport feature See Configuring CDP for more i...

Page 99: ...packets received with illegal checksum value Other Errors Number of packets received with errors other than illegal checksums Neighbors Over Maximum Number of times that packet information could not be stored in cache because of lack of room To clear all counters on all interfaces click Clear All Interface Counters To clear all counters on an interface select it and click Clear All Interface Count...

Page 100: ...ol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters for the ports that are members or candidates of a dynamic LAG by using the LACP page 5 Configure Green Ethernet and 802 3 Ener...

Page 101: ...ration changes take effect only after the Running Configuration is explicitly saved to the Startup Configuration File using the Copy Save Configuration page and the switch is rebooted STEP 4 To update the port settings select the desired port and click Edit The Edit Port Settings page opens STEP 5 Modify the following parameters Interface Select the port number Port Type Displays the port type and...

Page 102: ...nistrative Port Speed Configure the speed of the port The port type determines which the available speeds You can designate Administrative Speed only when port auto negotiation is disabled Operational Port Speed Displays the current port speed that is the result of negotiation Administrative Duplex Mode Select the port duplex mode This field is configurable only when auto negotiation is disabled a...

Page 103: ...bles the remote port preventing it from sending packets by jamming the signal Flow Control Enable or disable 802 3x Flow Control or enable the auto negotiation of Flow Control on the port only when in Full Duplex mode MDI MDIX the Media Dependent Interface MDI Media Dependent Interface with Crossover MDIX status on the port The options are MDIX Select to swap the port s transmit and receives pairs...

Page 104: ...rs After a LAG is manually created the LACP option cannot be added or removed until the LAG is edited and a member is removed which can be added prior to applying then the LACP button become available for editing Dynamic A LAG is dynamic if LACP is enabled on it The group of ports assigned to dynamic LAG are candidate ports LACP determines which candidate ports are active member ports The non acti...

Page 105: ...t such as state and speed The switch supports four LAGs Every LAG has the following characteristics All ports in a LAG must be of the same media type To add a port to the LAG it cannot belong to any VLAN except the default VLAN Ports in a LAG must not be assigned to another LAG No more than eight ports are assigned to a static LAG and no more than 16 ports can be candidates for a dynamic LAG All t...

Page 106: ...the LAG Assign up to 16 candidates ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Members List by using the LAG Management page 2 Configure various aspects of the LAG such as speed and flow control by using the LAG Settings page 3 Set the LACP priority and timeout of the ports in the LAG by using the LACP page Defining LAG Management The LAG Management pag...

Page 107: ...re to be assigned to the LAG from the Port List to the LAG Members list Up to eight ports per static LAG can be assigned and 16 ports can be assigned to a dynamic LAG STEP 3 Click Apply LAG membership is written to the Running Configuration file Configuring LAG Settings The LAG Settings page displays a table of current settings for all LAGs You can configure the settings of selected LAGs and react...

Page 108: ...to negotiation setting Administrative Speed Select the LAG speed Operational LAG Speed Displays the current speed at which the LAG is operating Administrative Advertisement Select the capabilities to be advertised by the LAG The options are Max Capability All LAG speeds and both duplex modes are available 10 Full The LAG advertises a 10 Mbps speed and the mode is full duplex 100 Full The LAG adver...

Page 109: ...ame the local and remote MAC addresses are compared The priority of the device with the lowest MAC address controls candidate port selection to the LAG A dynamic LAG can have up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode When there are more than eight ports in the dynamic LAG the switch on the controlling end of the link uses ...

Page 110: ...ighest priority NOTE The LACP setting is irrelevant on ports that are not members of a dynamic LAG To define the LACP settings STEP 1 Click Port Management Link Aggregation LACP The LACP page opens STEP 2 Enter the LACP System Priority See Configuring LACP STEP 3 Select a port and click Edit The Edit LACP page opens STEP 4 Enter the values for the following fields Interface Select the port number ...

Page 111: ...ping the Administrative status of the port Up Recovery from this mode to full operational mode is fast transparent and no frames are lost This mode is supported on both GE and FE ports Short Reach Mode This feature provides for power savings on a short length of cable After cable length is analyzed the power usage is adjusted for various cable lengths If the cable is shorter than 50 meters the swi...

Page 112: ... monitored The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Ethernet mode The saved energy displayed is only related to Green Ethernet The amount of energy saved by EEE is not displayed 802 3az Energy Efficient Ethernet Feature This section describes the 802 3az Energy Efficient E...

Page 113: ... to stay in LPI mode the Keep Alive signal must be received continuously from both sides Advertise Capabilities Negotiation 802 3az EEE support is advertised during the Auto Negotiation stage Auto Negotiation provides a linked device with the capability to detect the abilities modes of operation supported by the device at the other end of the link determine common abilities and configure itself fo...

Page 114: ...EE field for the port is not available when the Short Reach Mode option on the port is checked If the port speed on the GE port is changed to 10Mbit 802 3az EEE is disabled This is supported in GE models only 802 3az EEE Configuration Workflow This section describes how to configure the 802 3az EEE feature and view its counters STEP 1 Ensure that auto negotiation is enabled on the port by opening ...

Page 115: ...s To enable Green Ethernet and EEE and view power savings STEP 1 Click Port Management Green Ethernet Properties The Properties page opens STEP 2 Enter the values for the following fields Energy Detect Mode Disabled by default Click the checkbox to enable Short Reach Globally enable or disable Short Reach mode if there are GE ports on the switch NOTE If Short Reach is enabled EEE must be disabled ...

Page 116: ...Negotiation is disabled but the port is at 1GB or higher To define per port Green Ethernet settings STEP 1 Click Port Management Green Ethernet Port Settings The Port Settings page opens The Port Settings page displays the following Global Parameter Status Describes the enabled features For each port the following fields are described Port The port number Energy Detect State of the port regarding ...

Page 117: ...upported on the link partner EEE must be supported on both the local and remote link partners NOTE The window displays the Short Reach Energy Detect and EEE settings for each port however they are not enabled on any port unless they are also enabled globally by using the Properties page To enable Short Reach and EEE globally see Setting Global Green Ethernet Properties STEP 2 Select a Port and cli...

Page 118: ...ort Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Configuring Smartport Using The Web based Interface Built in Smartport Macros Overview The Smartport feature provides a convenient way to save and share common configurations By applying the same Smartport macro to multiple interfaces the interfaces share a common set of co...

Page 119: ...and features are described in the following sections Smartport Smartport types and Smartport macros described in this section Voice VLAN and Smartport described in the Voice VLAN section LLDP CDP for Smartport described in the Configuring LLDP and Configuring CDP sections respectively Additionally typical work flows are described in the Common Smartport Tasks section What is a Smartport A Smartpor...

Page 120: ...o called the macro serves to apply the desired configuration The other called the anti macro serves to undo all configuration performed by the macro when that interface happens to become a different Smartport type The following describes the relationship of Smartport types and Auto Smartport Smartport and Auto Smartport Types Smartport Type Supported by Auto Smartport Supported by Auto Smartport b...

Page 121: ...following cases A link down up operation is performed on the interface The switch is restarted All devices attached to the interface have aged out which is defined as the absence of CDP and or LLDP advertisement from the device for a specified time period Unknown If a Smartport macro is applied to an interface and an error occurs the interface is assigned the Unknown status In this case the Smartp...

Page 122: ...e View Macro Source button on the Smartport Type Settings page A macro and the corresponding anti macro are paired together in association with each Smartport type The macro applies the configuration and the anti macro removes it Two Smartport macros are paired by their names as follows macro_name for example printer no_macro_name for example no_printer the anti Smartport macro of Smartport macro ...

Page 123: ...nd the Reset Operation A Smartport macro might fail if there is a conflict between the existing configuration of the interface and a Smartport macro When a Smartport macro fails a SYSLOG message containing the following parameters is sent Port number Smartport type The line number of the failed CLI command in the macro When a Smartport macro fails on an interface the status of the interface is set...

Page 124: ...an manually assign a Smartport type to an interface from the Smartport Interface Settings Page Auto Smartport When a device is detected from an interface the Smartport macro if any that corresponds to the Smartport type of the attaching device is automatically applied Auto Smartport is enabled by default globally and at the interface level In both cases the associated anti macro is run when the Sm...

Page 125: ...e Voice VLAN for more information on enabling Auto Voice VLAN Identifying Smartport Type If Auto Smartport is globally enabled in the Properties page and at an interface in the Interface Settings page the switch applies a Smartport macro to the interface based on the Smartport type of the attaching device Auto Smartport derives the Smartport types of attaching devices based on the CDP and or LLDP ...

Page 126: ...r 0x01 Router TB Bridge 0x02 Wireless Access Point SR Bridge 0x04 Ignore Switch 0x08 Switch Host 0x10 Host IGMP conditional filtering 0x20 Ignore Repeater 0x40 Ignore VoIP Phone 0x80 ip_phone Remotely Managed Device 0x100 Ignore CAST Phone Port 0x200 Ignore Two Port MAC Relay 0x400 Ignore LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IE...

Page 127: ...is no conflict the matching Smartport type is applied to the interface If one of the devices is a switch the Switch Smartport type is used If one of the devices is an AP the Wireless Access Point Smartport type is used If one of the devices is an IP phone and another device is a host the ip_phone_desktop Smartport type is used If one of the devices is an IP phone desktop and the other is an IP pho...

Page 128: ... attaching device to it ages out the interface goes down or the switch is rebooted Enabling Persistent status on an interface eliminates the device detection delay that otherwise occurs NOTE The persistence of the Smartport types applied to the interfaces are effective between reboots only if the running configuration with the Smartport type applied at the interfaces is saved to the startup config...

Page 129: ...on the switch and to configure a port with Auto Smartport perform the following steps STEP 1 To enable the Auto Smartport feature on the switch open the Smartport Properties page Set Administrative Auto Smartport to Enable or Enable by Voice VLAN STEP 2 Select whether the switch is to process CDP and or LLDP advertisements from connected devices STEP 3 Select which type of devices are to be detect...

Page 130: ...h this procedure you can accomplish the following View the macro source Change parameter defaults Restore the parameter defaults to the factory settings 1 Open the Smartport Smartport Type Settings page 2 Select the Smartport Type 3 Click View Macro Source to view the current Smartport macro that is associated with the selected Smartport Type 4 Click Edit to open a new window in which you can modi...

Page 131: ...TEP 1 In the Interface Settings page select the Port Type equals to checkbox STEP 2 Select Unknown and click Go STEP 3 Click Reset All Unknown Smartports Then reapply the macro as described above TIP The reason that the macro failed might be a conflict with a configuration on the interface made prior to applying the macro most often encountered with security and storm control settings a wrong port...

Page 132: ... Auto Voice VLAN is the default Auto Smartport Device Detection Method Select whether incoming CDP LLDP or both types of packets are used to detect the Smartport type of the attaching device s At least one must be checked in order for Auto Smartport to identify devices Operational CDP Status Displays the operational status of CDP Enable CDP if Auto Smartport is to detect the Smartport type based o...

Page 133: ... which have already been assigned that type by Auto Smartport In this case binding an invalid macro or setting an invalid default parameter value causes all ports of this Smartport type to become unknown STEP 1 Click Smartport Smartport Type Settings The Smartport Type Settings page opens STEP 2 To view the Smartport macro associated with a Smartport type select a Smartport type and click View Mac...

Page 134: ...ng tasks Statically apply a specific Smartport type to an interface with interface specific values for the macro parameters Enable Auto Smartport on an interface Diagnose a Smartport macro that failed upon application and caused the Smartport type to become Unknown Reapply a Smartport macro after it fails for one of the following types of interfaces switch router and AP It is expected that the nec...

Page 135: ...plays the command at which application of the macro failed See the workflow area in Common Smartport Tasks section for troubleshooting tips Proceed to reapply the macro after correcting the problem STEP 3 Resetting all Unknown interfaces to Default type Select the Port Type equals to checkbox Select Unknown and click Go Click Reset All Unknown Smartports Then reapply the macro as described above T...

Page 136: ...n or the switch is rebooted Persistent is applicable only if the Smartport Application of the interface is Auto Smartport Enabling Persistent at an interface eliminates the device detection delay that otherwise occurs Macro Parameters Displays the following fields for up to three parameters in the macro Parameter Name Name of parameter in macro Parameter Value Current value of parameter in macro T...

Page 137: ...ax_hosts macro key description native_vlan The untag VLAN which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses por...

Page 138: ...cast spanning tree portfast auto printer printer macro description printer macro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresse...

Page 139: ...cro keywords native_vlan macro key description native_vlan The untag VLAN which will be configured on the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 sm...

Page 140: ... which will be configured on the port max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadc...

Page 141: ...maximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multica...

Page 142: ...gured on the port Default Values are native_vlan Default VLAN switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_camera no_ip_camera macro desc...

Page 143: ...default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_phone no_ip_phone macro de...

Page 144: ...e untag VLAN which will be configured on the port voice_vlan The voice VLAN ID max_hosts The maximum number of allowed devices on the port Default Values are native_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresse...

Page 145: ...rol broadcast level no smartport storm control include multicast spanning tree portfast auto switch switch macro description switch macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allow...

Page 146: ...VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree link type point to point no_router no_router macro description No router macro keywords voice_vlan macro key des...

Page 147: ...e configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan spanning tree link type point to point no_ap no_ap macro description No ap macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport...

Page 148: ... A PoE switch is PSE Power Sourcing Equipment that delivers electrical power to connected PD Powered Devices over existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure See Switch Models for information concerning PoE support on various models PoE Features PoE provides the following features Eliminates the need to r...

Page 149: ...its class which is the amount of maximum power that the PD consumes Power Consumption After the classification stage completes the PSE provides power to the PD If the PD supports PoE but without classification it is assumed to be class 0 the maximum If a PD tries to consume more power than permitted by the standard the PSE stops supplying power to the port PoE supports two modes Port Limit The max...

Page 150: ... down status of the PoE port link Turns off power delivery to the PoE port Logs the reason for turning off power Generates a trap to a remote log server CAUTION Consider the following when connecting switches capable of supplying PoE The PoE models of the Sx200 Sx300 and Sx500 series switches are PSE Power Sourcing Equipment that are capable of supplying DC power to attaching PD Powered Devices Th...

Page 151: ...iguration to ensure that PDs are not damaged To configure PoE on the switch and monitor current power usage STEP 1 Click Port Management PoE Properties The PoE Properties page opens STEP 2 Enter the values for the following fields Power Mode Select one of the following options Port Limit The maximum power limit per each port is configured by the user Class Limit The maximum power limit per port is...

Page 152: ...ed on the port exceeds the port limit the port power is turned off Class Limit Power is limited based on the class of the connected PD For these settings to be active the system must be in PoE Class Limit mode That mode is configured in the PoE Properties page When the power consumed on the port exceeds the class limit the port power is turned off PoE priority example Given A 48 port switch is sup...

Page 153: ...y Level Select the port priority low high or critical for use when the power supply is low For example if the power supply is running at 99 usage and port 1 is prioritized as high but port 3 is prioritized as low port 1 receives power and port 3 might be denied power Administrative Power Allocation This field is displayed only if the Power Mode set in the PoE Properties page is Port Limit If the P...

Page 154: ...r of times the powered device was denied power Absent Counter Displays the number of times that power was stopped to the powered device because the powered device was no longer detected Invalid Signature Counter Displays the times an invalid signature was received Signatures are the means by which the powered device identifies itself to the PSE Signatures are generated during powered device detect...

Page 155: ...ich they are connected VLAN Description Each VLAN is configured with a unique VID VLAN ID with a value from 1 to 4094 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag A port is a tagged member of a VLAN if all packets destine...

Page 156: ...ing is enabled and the ingress port is not a member of the VLAN to which the packet belongs A frame is regarded as priority tagged only if the VID in its VLAN tag is 0 Frames belonging to a VLAN remain within the VLAN This is achieved by sending or forwarding a frame only to egress ports that are members of the target VLAN An egress port may be a tagged or untagged member of a VLAN The egress port...

Page 157: ... provider bridge network where the bridging is based on the S tag VID S VID only The S Tag is preserved while traffic is forwarded through the network service provider s infrastructure and is later removed by an egress device An additional benefit of QinQ is that there is no need to configure customers edge devices QinQ is enabled in the VLAN Management Interface Settings page VLAN Configuration W...

Page 158: ...a port is no longer a member of any VLAN the switch automatically configures the port as an untagged member of the default VLAN A port is no longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN When the VID of the default VLAN is changed the switch performs the following on all the ports in the VLAN after saving the configuration and rebooting the switch Removes VL...

Page 159: ...anually or dynamically Ports must always belong to one or more VLANs The 200 Series switch supports up to 256 VLANs including the default VLAN Each VLAN must be configured with a unique VID VLAN ID with a value from 1 to 4094 The switch reserves VID 4095 as the Discard VLAN All packets classified to the Discard VLAN are discarded at ingress and are not forwarded to a port To create a VLAN STEP 1 C...

Page 160: ...gs page displays and enables configuration of VLAN related parameters for all interfaces To configure the VLAN settings STEP 1 Click VLAN Management Interface Settings The Interface Settings page is displayed STEP 2 Select an interface type Port or LAG and click Go Ports or LAGs and their VLAN parameters are displayed STEP 3 To configure a Port or LAG select it and click Edit The Edit Interface Se...

Page 161: ...e Possible values are Admit All The interface accepts all types of frames untagged frames tagged frames and priority tagged frames Admit Tagged Only The interface accepts only tagged frames Admit Untagged Only The interface accepts only untagged and priority frames Ingress Filtering Available only in General mode Select to enable ingress filtering When an interface is ingress filtering enabled the...

Page 162: ...to display and configure the ports within a specific VLAN To map ports or LAGs to a VLAN STEP 1 Click VLAN Management Port to VLAN The Port to VLAN page is displayed STEP 2 Select a VLAN and the interface type Port or LAG and click Go to display or to change the port characteristic with respect to the VLAN The port mode for each port or LAG is displayed with its current port mode Access Trunk or G...

Page 163: ...xcluded from all VLANs except guest and unauthenticated ones In the VLAN to Port page the port is marked with P When the port is authenticated it receives membership in the VLAN in which it was configured To assign a port to one or more VLANs STEP 1 Click VLAN Management Port VLAN Membership The Port VLAN Membership page is displayed STEP 2 Select interface type Port or LAG and click Go The follow...

Page 164: ...a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID Excluded The interface is currently not a member of the VLAN This is the default for all the ports and LAGs when the VLAN is newly created Tagged Select whether the port is tagged This is not relevant for Access ports Untagged Select whether port is untagged This is not relevant for...

Page 165: ...ppropriate configurations UC3xx UC5xx hosted All Cisco phones and VoIP endpoints support this deployment model For this model the UC3xx UC5xx Cisco phones and VoIP endpoints reside in the same voice VLAN The voice VLAN of UC3xx UC5xx defaults to VLAN 100 Third party IP PBX hosted Cisco SBTG CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model In this model the VLAN used by the...

Page 166: ...in Telephony OUI mode or has Auto Smartports enabled Dynamic Voice VLAN Modes The switch supports two dynamic voice VLAN modes Telephony OUI Organization Unique Identifier mode and Auto Voice VLAN mode The two modes affect how voice VLAN and or voice VLAN port memberships are configured The two modes are mutually exclusive to each other Telephony OUI In Telephony OUI mode the voice VLAN must be a ...

Page 167: ... the voice VLAN information from CDP and LLDP MED advertisements it receives from their neighbor voice systems and switches The switch expects the attaching voice devices to send voice VLAN tagged packets On ports where the voice VLAN is also the native VLAN voice VLAN untagged packets are possible Auto Voice VLAN Auto Smartports CDP and LLDP Defaults By factory defaults CDP LLDP and LLDP MED on t...

Page 168: ...om directly connected neighbor devices If multiple neighbor switches and or routers such as Cisco Unified Communication UC devices are advertising their voice VLAN the voice VLAN from the device with the lowest MAC address is used NOTE If connecting the switch to a Cisco UC device you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device ad...

Page 169: ...by applying the corresponding Smartport macro to the port if there is no other devices from the port advertising a conflicting or superior capability If a device advertises itself as a phone the default Smartport macro is phone If a device advertises itself as a phone and host or phone and bridge the default Smartport macro is phone desktop Voice VLAN QoS Voice VLAN can propagate the CoS 802 1p an...

Page 170: ...LAN QoS is applied to candidate ports that have joined the Voice VLAN and to static ports The voice flow is accepted if the MAC address can be learned by the Forwarding Database FDB If there is no free space in FDB no action occurs Voice VLAN Workflows The switch default configuration on Auto Voice VLAN Auto Smartports CDP and LLDP cover most common voice deployment scenarios This section describe...

Page 171: ... they are enabled by default Workflow2 To configure the Telephony OUI Method STEP 1 Open the VLAN Management Voice VLAN Properties page Set Dynamic Voice VLAN to Enable Telephony OUI NOTE If the device is currently in Auto Voice VLAN mode you must disable it before you can enable Telephony OUI STEP 2 Configure Telephony OUI in the Telephony OUI page STEP 3 Configure Telephony OUI VLAN membership f...

Page 172: ... in the Voice VLAN Settings Operational Status block STEP 2 Enter values for the following fields Voice VLAN ID Enter the VLAN that is to be the Voice VLAN NOTE Changes in the voice VLAN ID CoS 802 1p and or DSCP cause the switch to advertise the administrative voice VLAN as a static voice VLAN If the option Auto Voice VLAN Activation triggered by external Voice VLAN is selected then the default v...

Page 173: ...urces STEP 3 Click Apply The VLAN properties are written to the Running Configuration file Displaying Auto Voice VLAN Settings If Auto Voice VLAN mode is enabled use the Auto Voice VLAN page to view the relevant global and interface parameters You can also use this page to manually restart Auto Voice VLAN by clicking Restart Auto Voice VLAN After a short delay this resets the voice VLAN to the def...

Page 174: ... and restart Auto Voice VLAN discovery on all the Auto Voice VLAN enabled switches in the LAN The Voice VLAN Local Table displays voice VLAN configured on the switch as well as any voice VLAN configuration advertised by directly connected neighbor devices It displays the following fields Interface Displays the interface on which voice VLAN configuration was received or configured If N A is display...

Page 175: ...his is not the best local source STEP 3 Click Refresh to refresh the information on the page Configuring Telephony OUI OUIs are assigned by the Institute of Electrical and Electronics Engineers Incorporated IEEE Registration Authority Since the number of IP phone manufacturers is limited and well known the known OUI values cause the relevant frames and the port on which they are seen to be automat...

Page 176: ...s of the phones detected on the ports have aged out STEP 2 Click Apply to update the Running Configuration of the switch with these values The Telephony OUI table is displayed Telephony OUI First six digits of the MAC address that are reserved for OUIs Description User assigned OUI description STEP 3 Click Restore OUI Defaults to delete all of the user created OUIs and leave only the default OUIs ...

Page 177: ...the OUI QoS mode of voice VLAN To configure Telephony OUI on an interface STEP 1 Click VLAN Management Voice VLAN Telephony OUI Interface The Telephony OUI Interface page is displayed The Telephony OUI Interface page displays voice VLAN OUI parameters for all interfaces STEP 2 To configure an interface to be a candidate port of the telephony OUI based voice VLAN click Edit The Edit Interface Setti...

Page 178: ...VLAN Management Voice VLAN Cisco Small Business 200 Series Smart Switch Administration Guide 179 12 ...

Page 179: ...he topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate routes exist between hosts Loops in an extended network can cause switches to forward traffic indefinitely resulting in increased traffic load and reduced network efficiency STP provides a tree topology for any arrangement of switches and interconnecting links by creat...

Page 180: ...s Global Settings The STP Status Global Settings page is displayed STEP 2 Enter the parameters Global Settings Spanning Tree State Enable or disable STP on the switch STP Operation Mode Select an STP mode BPDU Handling Select how Bridge Protocol Data Unit BPDU packets are managed when STP is disabled on the port or the switch BPDUs are used to transmit spanning tree information Filtering Filters B...

Page 181: ...ttempting to redefine its own configuration Forward Delay Set the interval in seconds that a bridge remains in a learning state before forwarding packets For more information refer to Defining Spanning Tree Interface Settings Designated Root Bridge ID The bridge priority concatenated with the MAC address of the switch Root Bridge ID The Root Bridge priority concatenated with the MAC address of the...

Page 182: ...on the port Edge Port Enables or disables Fast Link on the port If Fast Link mode is enabled on a port the port is automatically set to Forwarding state when the port link is up Fast Link optimizes the STP protocol convergence The options are Enable Enables Fast Link immediately Auto Enables Fast Link a few seconds after the interface becomes active This allows STP to resolve loops before enabling...

Page 183: ...addresses Listening The port is in Listening mode The port cannot forward traffic and cannot learn MAC addresses Learning The port is in Learning mode The port cannot forward traffic but it can learn new MAC addresses Forwarding The port is in Forwarding mode The port can forward traffic and learn new MAC addresses Designated Bridge ID Displays the bridge priority and the MAC address of the design...

Page 184: ...ng tested STEP 4 If a link partner is discovered by using STP click Activate Protocol Migration to run a Protocol Migration test This discovers whether the link partner using STP still exists and if so whether it has migrated to RSTP If it still exists as an STP link the device continues to communicate with it by using STP Otherwise if it has been migrated to RSTP the device communicates with it u...

Page 185: ...anning Tree leaves This provides a configuration in which two ports are connected in a loop by a point to point link Backup ports are also used when a LAN has two or more established connections to a shared segment Disabled The port is not participating in Spanning Tree Mode Displays the current Spanning Tree mode Classic STP or RSTP Fast Link Operational Status Displays whether the Fast Link Edge...

Page 186: ...d Spanning Tree Settings Cisco Small Business 200 Series Smart Switch Administration Guide 187 13 Forwarding The port is in Forwarding mode The port can forward traffic and learn new MAC addresses STEP 7 Click Apply The Running Configuration file is updated ...

Page 187: ...t appears in a frame arriving at the switch is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the switch before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the switch the switch searches for a corresponding matching destination MA...

Page 188: ...VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after rebooting Delete on reset The static MAC address is deleted when the...

Page 189: ...u entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Querying Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses The Dynamic Addresses page opens STEP 2 In the Filter block you can enter the following query criteria VLAN ID Enter the VLAN ID for which the table is queried MAC Address Enter the M...

Page 190: ...ast Router Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Multicast Forwarding Multicast forwarding enables one to many information dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a c...

Page 191: ...n in this section is mostly for IGMP it also describes coverage of MLD where implied These queries reach the switch which in turn floods the queries to the VLAN and also learns the port where there is a Multicast router Mrouter When a host receives the IGMP query message it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a sp...

Page 192: ...on is the process of listening and responding to Multicast registration protocols The available protocols are IGMP for IPv4 and MLD for IPv6 When IGMP MLD snooping is enabled in a switch on a VLAN it analyzes the IGMP MLD packets it receives from the VLAN connected to the switch and Multicast routers in the network When a switch learns that a host is using IGMP MLD messages to register to receive ...

Page 193: ...234 129 2 3 is mapped to a MAC Multicast group address 01 00 5e 01 02 03 Up to 32 IP Multicast group addresses can be mapped to the same Layer 2 address For IPv6 this is mapped by taking the 32 low order bits of the Multicast address and adding the prefix of 33 33 For example the IPv6 Multicast address FF00 1122 3344 is mapped to Layer 2 Multicast 33 33 11 22 33 44 Defining Multicast Properties Th...

Page 194: ...fic IP Group Address Based on both the destination IP address and the source IP address of the IP packet S G By selecting the forwarding mode you can define the method used by hardware to identify Multicast flow by one of the following options MAC Group Address IP Group Address or Source Specific IP Group Address S G is supported by IGMPv3 and MLDv2 while IGMPv1 2 and MLDv1 support only G which is...

Page 195: ...ng to a specific VLAN ID or a specific MAC address group This data is acquired either dynamically through IGMP MLD snooping or statically by manual entry Add or delete static entries to the MFDB that provide static forwarding information based on MAC destination addresses Display a list of all ports LAGs that are a member of each VLAN ID and MAC address group and enter whether traffic is forwarded...

Page 196: ...select an address and click Details The MAC Group Address Settings page opens The page displays VLAN ID The VLAN ID of the Multicast group MAC Group Address The MAC address of the group STEP 7 Select the port or LAG to be displayed from the Filter Interface Type menu STEP 8 Click Go to display the port or LAG membership STEP 9 Select the way that each interface is associated with the Multicast gro...

Page 197: ...s to Select IPv6 or IPv4 IP Multicast Group Address equals to Define the IP address of the Multicast group to be displayed This is only relevant when the Forwarding mode is S G Source IP Address equals to Define the source IP address of the sending device If mode is S G enter the sender S This together with the IP Group Address is the Multicast group ID S G to be displayed If mode is G enter an to...

Page 198: ... STEP 8 For each interface select its association type The options are as follows Static Attaches the interface to the Multicast group as a static member Forbidden Specifies that this port is forbidden from joining this group on this VLAN None Indicates that the port is not currently a member of this Multicast group on this VLAN This is selected by default until Static or Forbidden is selected STE...

Page 199: ...nd identify the switch as an IGMP Snooping Querier on a VLAN STEP 1 Click Multicast IGMP Snooping The IGMP Snooping page opens STEP 2 Enable or disable the IGMP Snooping status When IGMP Snooping is enabled globally the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The switch only performs IGMP Snooping if both IGMP snooping and Bridge Mult...

Page 200: ...e members for the group if the switch is the elected querier Operational Last Member Query Counter Displays the operational value of the Last Member Query Counter Last Member Query Interval Enter the Maximum Response Delay to be used if the switch cannot read Max Response Time value from group specific queries sent by the elected querier Operational Last Member Query Interval Displays the Last Mem...

Page 201: ...rts ports on which no stations have registered to receive a specific Multicast group from the forwarding set of an incoming Multicast frame If you enable MLD snooping in addition to the manually configured Multicast groups the result is a union of the Multicast groups and port memberships derived from the manual setup and the dynamic discovery by MLD snooping Only static definitions are preserved ...

Page 202: ...Max Response Interval Enter Query Max Response delay to be used if the switch cannot read the Max Response Time value from General Queries sent by the elected querier Operational Query Max Response Interval Displays the delay used to calculate the Maximum Response Code inserted into the General Queries Last Member Query Counter Enter the Last Member Query Count to be used if the switch cannot deri...

Page 203: ...ery for a IP Multicast group STEP 1 Click Multicast IGMP MLD IP Multicast Group The IGMP MLD IP Multicast Group page opens STEP 2 Set the type of snooping group for which to search IGMP or MLD STEP 3 Enter some or all of following query filter criteria Group Address equals to Defines the Multicast group MAC address or IP address to query Source Address equals to Defines the sender address to query...

Page 204: ... ID for the router ports that are described IP Version equals to Select the IP version that the Multicast router supports Interface Type equals to Select whether to display ports or LAGs STEP 3 Click Go The interfaces matching the query criteria are displayed STEP 4 For each port or LAG select its association type The options are as follows Static The port is statically configured as a Multicast r...

Page 205: ...ges are not forwarded to ports defined as Forward All NOTE The configuration affects only the ports that are members of the selected VLAN To define Forward All Multicast STEP 1 Click Multicast Forward All The Forward All page opens STEP 2 Define the following VLAN ID equals to The VLAN ID the ports LAGs are to be displayed Interface Type equals to Define whether to display ports or LAGs STEP 3 Cli...

Page 206: ...ed Multicast groups Unregistered Multicast frames are usually forwarded to all ports on the VLAN You can select a port to receive or filter unregistered Multicast streams The configuration is valid for any VLAN of which it is a member or will be a member This feature ensures that the customer receives only the Multicast groups requested and not others that may be transmitted in the network To defi...

Page 207: ...efault gateway are configured on the IPv4 Interface page The switch uses the default gateway if configured to communicate with devices that are not in the same IP subnet as the switch By default VLAN 1 is the management VLAN but this can be modified The switch can only be reached at the configured IP address through its management VLAN The factory default setting of the IP address configuration is...

Page 208: ... IP address collisions This rule also applies when the switch reverts to the default IP address The system status LED changes to solid green when a new unique IP address is received from the DHCP server If a static IP address has been set the system status LED also changes to solid green The LED flashes when the switch is acquiring an IP address and is currently using the factory default IP addres...

Page 209: ...wing fields Network Mask Select and enter the IP address mask Prefix Length Select and enter the length of the IPv4 address prefix Administrative Default Gateway Select User Defined and enter the default gateway IP address or select None to remove the selected default gateway IP address from the interface Operational Default Gateway Displays the current default gateway status NOTE If the switch is...

Page 210: ... for example FE80 9C00 876A 130B IPv6 nodes require an intermediary mapping mechanism to communicate with other IPv6 nodes over an IPv4 only network This mechanism called a tunnel enables IPv6 only hosts to reach IPv4 services and enables isolated IPv6 hosts and networks to reach an IPv6 node over the IPv4 infrastructure Tunneling uses the ISATAP mechanism This protocol treats the IPv4 network as ...

Page 211: ...Pv6 is enabled STEP 3 The Add IPv6 Interface page opens STEP 4 Enter the values IPv6 Interface Select a specific port LAG VLAN or ISATAP tunnel Number of DAD Attempts Enter the number of consecutive neighbor solicitation messages that are sent while Duplicate Address Detection DAD is performed on the interface s Unicast IPv6 addresses DAD verifies the uniqueness of a new Unicast IPv6 address befor...

Page 212: ...IPv6 address to an IPv6 Interface STEP 1 Click Administration Management Interface IPv6 Addresses The IPv6 Addresses page opens STEP 2 To filter the table select an interface name and click Go The interface is displayed in the IPv6 Address Table STEP 3 Click Add The Add IPv6 Address page opens STEP 4 Enter values for the fields IPv6 Interface Displays the interface on which the IPv6 address is to ...

Page 213: ...ameter to identify the interface ID portion of the Global IPv6 address by using the EUI 64 format based on a device MAC address STEP 5 Click Apply The Running Configuration file is updated Defining an IPv6 Default Router List The IPv6 Default Router List page enables configuring and viewing the default IPv6 router addresses This list contains the routers that are candidates to become the switch de...

Page 214: ...s resolution is in process Default router has not yet responded Reachable Positive confirmation was received within the Reachable Time Stale Previously known neighboring network is unreachable and no action is taken to verify its reachability until it is necessary to send traffic Delay Previously known neighboring network is unreachable The device is in Delay state for a predefined Delay Time If n...

Page 215: ... ISATAP DNS record is not resolved ISATAP host name to address mapping is searched in the host mapping table When the ISATAP router IPv4 address is not resolved via the DNS process the ISATAP IP interface remains active The system does not have a default router for ISATAP traffic until the DNS process is resolved To configure an IPv6 Tunnel STEP 1 Click Administration Management Interface IPv6 Tun...

Page 216: ...uter solicitation queries The bigger the number the more frequent the queries The default value is 3 The range is 1 20 NOTE The ISATAP tunnel is not operational if the underlying IPv4 interface is not in operation STEP 3 Click Apply The tunnel is written to the Running Configuration file Defining IPv6 Neighbors Information The IPv6 Neighbors page enables configuring and viewing the list of IPv6 ne...

Page 217: ...scovery cache information entry type static or dynamic State Specifies the IPv6 neighbor status The values are Incomplete Address resolution is working The neighbor has not yet responded Reachable Neighbor is known to be reachable Stale Previously known neighbor is unreachable No action is taken to verify its reachability until traffic must be sent Delay Previously known neighbor is unreachable Th...

Page 218: ...redirect messages This could happen when the default router the switch uses is not the router for traffic to which the IPv6 subnets that the switch wants to communicate To view IPv6 routing entries STEP 1 Click Administration Management Interface IPv6 Routes The IPv6 Routes page opens This page displays the following fields IPv6 Address The IPv6 subnet address Prefix Length IP route prefix length ...

Page 219: ...tains both static and dynamic addresses Static addresses are manually configured and do not age out The switch creates dynamic addresses from the ARP packets it receives Dynamic addresses age out after a configured time NOTE The IP MAC address mapping information in the ARP Table is used by the switch to forward traffic originated by the switch To define the ARP tables STEP 1 Click IP Configuratio...

Page 220: ...ick Add The Add ARP Entry page opens STEP 5 Enter the parameters IP Version The IP address format supported by the host Only IPv4 is supported Interface IPv4 interface on the switch There is only one directly connected IP subnet which is always in the management VLAN All the static and dynamic addresses in the ARP Table reside in the management VLAN IP Address Enter the IP address of the local dev...

Page 221: ...by the DHCP server Static The default domain name is user defined N A No default domain name DNS Server Table DNS Server The IP addresses of the DNS servers Up to eight DNS servers can be defined Server State The DNS server state can be either active or inactive There can be only one active server Each static server has a priority a lower value means a higher priority When first time the request i...

Page 222: ...he new DNS server STEP 6 Click Apply The DNS server is written to the Running Configuration file Mapping DNS Hosts The switch saves frequently queried domain names acquired from the DNS servers in a local DNS cache The cache can hold up to 64 static entries 64 dynamic entries and one entry for each IP address configured on the switch by DHCP Name resolution always begins by checking static entries...

Page 223: ... Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface If the IPv6 address type is Link Local select whether it is received through VLAN2 or ISATAP Host Name Enter a domain name up to 158...

Page 224: ...lowing sections Defining Users Configuring RADIUS Configuring Management Access Authentication Defining Management Access Method Configuring TCP UDP Services Protection from attacks directed at the switch CPU is described in the following sections Configuring TCP UDP Services Defining Storm Control Access control of end users to the network through the switch is described in the following sections...

Page 225: ... switch read only or read write or changing the passwords of existing users After adding a user as described below the default user is removed from the system NOTE It is not permitted to delete all users If all users are selected the Delete button is disabled To add a new user STEP 1 Click Administration User Accounts The User Accounts page is displayed This page displays the users defined in the ...

Page 226: ...ting Password Complexity Rules section Confirm Password Enter the password again Password Strength Meter Displays the strength of password The policy for password strength and complexity are configured in the Password Strength page STEP 5 Click Apply The user is added to the Running Configuration file of the switch Setting Password Complexity Rules Passwords are used to authenticate users accessin...

Page 227: ...ee times consecutively Do not repeat or reverse the user s name or any variant reached by changing the case of the characters Do not repeat or reverse the manufacturer s name or any variant reached by changing the case of the characters STEP 4 If the Password Complexity Settings are enabled the following parameters may be configured Minimal Password Length Enter the minimal number of characters re...

Page 228: ...ries Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred Timeout for Reply Enter the number of seconds that the switch waits for an answer from the RADIUS server before retrying the query or switching to the next server Dead Time Enter the number of minutes that elapse before a non responsive RADIUS server is bypassed for serv...

Page 229: ...st priority Key String Enter the key string used for authenticating and encrypting communication between the switch and the RADIUS server This key must match the key configured on the RADIUS server If Use Default is selected the switch attempts to authenticate to the RADIUS server by using the default Key String Timeout for Reply Enter the number of seconds the switch waits for an answer from the ...

Page 230: ...rn cisco avpair shell priv lvl 15 User authentication occurs in the order that the authentication methods are selected If the first authentication method is not available the next selected method is used For example if the selected authentication methods are RADIUS and Local and all configured RADIUS servers are queried in priority order and do not reply the user is authenticated locally If an aut...

Page 231: ...Access profiles determine how to authenticate and authorize users accessing the switch through various access methods Access Profiles can limit management access from specific sources Only users who pass both the active access profile and the management access authentication methods are given management access to the switch There can only be a single access profile active on the switch at one time...

Page 232: ...te an access profile and to add its first rule If the access profile only contains a single rule you are finished To add additional rules to the profile use the Profile Rules page STEP 1 Click Security Mgmt Access Method Access Profiles The Access Profiles page is displayed This page displays all of the access profiles active and inactive STEP 2 To change the active access profile select a profile...

Page 233: ...Select the action attached to the rule The options are Permit Permits access to the switch if the user matches the settings in the profile Deny Denies access to the switch if the user matches the settings in the profile Applies to Interface Select the interface attached to the rule The options are All Applies to all ports VLANs and LAGs User Defined Applies to selected interface Interface Enter th...

Page 234: ...st If the incoming packet matches a rule the action associated with the rule is performed If no matching rule is found within the active access profile the packet is dropped For example you can limit access to the switch from all IP addresses except IP addresses that are allocated to the IT management center In this way the switch can still be managed and has gained another layer of security To ad...

Page 235: ...lect the interface attached to the rule The options are All Applies to all ports VLANs and LAGs User Defined Applies only to the port VLAN or LAG selected Interface Enter the interface number Applies to Source IP Address Select the type of source IP address to which the access profile applies The Source IP Address field is valid for a subnetwork Select one of the following values All Applies to al...

Page 236: ...Services page is displayed STEP 2 Enable or disable the following TCP UDP services on the displayed services HTTP Service Indicates whether the HTTP service is enabled or disabled HTTPS Service Indicates whether the HTTPS service is enabled or disabled The TCP Service Table displays the following fields for each service Service Name Access method through which the switch is offering the TCP servic...

Page 237: ...orts belonging to the relevant VLAN In this way one ingress frame is turned into many creating the potential for a traffic storm Storm protection enables you to limit the number of frames entering the switch and to define the types of frames that are counted towards this limit When a threshold is entered in the system the port discards traffic after that threshold is reached The port remains block...

Page 238: ...torm control is modified and the Running Configuration file is updated Configuring Port Security Network security can be increased by limiting access on a port to users with specific MAC addresses The MAC addresses can be either dynamically learned or statically configured Port security monitors received and learned packets Access to locked ports is limited to users with specific MAC addresses Por...

Page 239: ...he following actions can take place Frame is discarded Frame is forwarded Port is shut down When the secure MAC address is seen on another port the frame is forwarded but the MAC address is not learned on that port In addition to one of these actions you can also generate traps and limit their frequency and number to avoid overloading the devices NOTE Traps are SYSLOG related traps not generated t...

Page 240: ...ing are enabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses can be learned as Delete On Reset ones up to the maximum addresses allowed on the port Relearning and aging are disabled Max No of Addresses Allowed Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is ...

Page 241: ...rmitted to send data to the port Otherwise the authenticator discards the supplicant data Authentication of the supplicant is performed by an external RADIUS server through the authenticator The authenticator monitors the result of the authentication In the 802 1x standard a device can be a supplicant and an authenticator at a port simultaneously requesting port access and granting port access How...

Page 242: ...or ports can always send or receive packets to or from unauthenticated VLANs Define 802 1X settings for each port by using the Edit Port Authentication page Note the following You can select the Guest VLAN field to have untagged incoming frames go to the guest VLAN Define host authentication parameters for each port using the Port Authentication page View 802 1X authentication history using the Au...

Page 243: ...s are only possible while the port is in Force Authorized state such as host authentication it is recommended that you change the port control to Force Authorized before making changes When the configuration is complete return the port control to its previous state NOTE A port with 802 1x defined on it cannot become a member of a LAG To define 802 1X authentication STEP 1 Click Security 802 1X Por...

Page 244: ...empts after the specified Reauthentication Period Reauthentication Period Enter the number of seconds after which the selected port is reauthenticated Reauthenticate Now Select to enable immediate port re authentication Authenticator State Displays the defined port authorization state The options are Force Authorized Controlled port state is set to Force Authorized forward traffic NOTE If the port...

Page 245: ...curity cannot be enabled on a port in single host mode Multiple Host 802 1X Multiple hosts can be attached to a single 802 1X enabled port Only the first host must be authorized and then the port is open for all who want to access the network If the host authentication fails or an EAPOL logoff message is received all attached clients are denied access to the network Multiple Sessions Enables the n...

Page 246: ...thentication page is displayed STEP 3 Enter the parameters Interface Enter a port number for which host authentication is enabled Host Authentication Select one of the modes These modes are described above in Defining Host and Session Authentication NOTE The following fields are only relevant if you select Single in the Host Authentication field Single Host Violation Settings Action on Violation S...

Page 247: ...ort Session Time DD HH MM SS Amount of time that the supplicant was logged on the port Authentication Method Method by which the last session was authenticated The options are None No authentication is applied it is automatically authorized RADIUS Supplicant was authenticated by a RADIUS server MAC Address Displays the supplicant MAC address Denial of Service Prevention Denial of Service DoS Preve...

Page 248: ...onitored in the Denial of Service Denial of Service Prevention Security Suite Settings page Details button Denial of Service Security Suite Settings NOTE Before activating DoS Prevention you must unbind all Access Control Lists ACLs or advanced QoS policies that are bound to a port ACL and advanced QoS policies are not active when a port has DoS Protection enabled on it To configure DoS Prevention...

Page 249: ...n may be opened with the default certificate that exists on the device Some browsers generate warnings when using a default certificate since this certificate is not signed by a Certification Authority CA It is best practice to have a certificate signed by a trusted CA To open an HTTPS session with a user created certificate perform the following actions 1 Generate a certificate 2 Request that the...

Page 250: ... date up to which the certificate is valid Certificate Source Specifies whether the certificate was generated by the system Auto Generated or the user User Defined STEP 2 Select an active certificate STEP 3 You can perform one of the following actions by clicking the relevant button Edit Select one of the certificates and enter the following fields for it Regenerate RSA Key Select to regenerate th...

Page 251: ...elect to enable copying in the new RSA key pair Public Key Copy in the RSA public key Private Key Encrypted Select and copy in the RSA private key in encrypted form Private Key Plaintext Select and copy in the RSA private key in plain text form Display Sensitive Data as Encrypted Click this button to display this key as encrypted When this button is clicked the private keys are written to the conf...

Page 252: ... Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In addition SSD enables the secu...

Page 253: ...The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An SSD rule is uniquely identified by its user and SSD ...

Page 254: ... The channel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifies that this rule applies only to insecure channels Depending on the device it may support some or all of the following insecure channels Telnet TFTP and HTTP Secure XM...

Page 255: ...options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read mode is Encrypted the user defined read permission prevails Exclude Do not allow reading sensitive data Encrypted Sensitive data is presented in encrypted form Plaintext Sensitive data is presented in plaintext form Each management cha...

Page 256: ...aintext By default an SNMPv3 user with privacy and XML over secure channels permissions is considered to be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users There must always be at least one rule with read permission Plaintext Only or Both because only users with those permissions are able to access the SSD pages Changes in th...

Page 257: ...a and are protected under SSD NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternate channel the device applies the read permission and default read mode from the SSD rule that match the user credential and the alternate channel For example if a user logs in via a secure chann...

Page 258: ...read mode of the SSD rule SSD Properties SSD properties are a set of parameters that in conjunction with the SSD rules define and control the SSD environment of a device The SSD environment consists of these properties Controling how the sensitive data is encrypted Controling the strength of security on configuration files Controling how the sensitive data is viewed within the current session Pass...

Page 259: ...mally performs encryption and decryption of sensitive data with the key generated from the local passphrase The local passphrase can be configured to be either the default passphrase or a user defined passphrase By default the local passphrase and default passphrase are identical It can be changed by administrative actions from either the Command Line Interface if available or the web based interf...

Page 260: ...ation File Integrity Control A user can protect a configuration file from being tampered or modified by creating the configuration file with Configuration File Integrity Control It is recommended that Configuration File Integrity Control be enabled when a device uses a user defined passphrase with Unrestricted Configuration File Passprhase Control CAUTION Any modification made to a configuration f...

Page 261: ... the remote configuration files are text based files usually kept for archive records or recovery During copying uploading and downloading a source configuration file a device automatically transforms the source content to the format of the destination file if the two files are of different formats File SSD Indicator When copying the Running or Startup Configuration file into a text based configur...

Page 262: ...agement session Read access of sensitive data in the startup configuration in any forms is excluded if the passphrase in the Startup Configuration file and the local passphrase are different SSD adds the following rules when copying the Backup Mirror and Remote Configuration files to the Startup Configuration file After a device is reset to factory default all of its configurations including the S...

Page 263: ...is accepted Running Configuration File A Running Configuration file contains the configuration currently being used by the device A user can retrieve the sensitive data encrypted or in plaintext from a running configuration file subject to the SSD read permission and the current SSD read mode of the management session The user can change the Running Configuration by copying the Backup or Mirror Co...

Page 264: ...e complete mirror and backup configuration files subject to SSD read permission the current read mode in the session and the file SSD indicator in the source file as follows If there is no file SSD indicator in a mirror or backup configuration file all users are allowed to access the file A user with Both read permission can access all mirror and backup configuration files However if the current r...

Page 265: ...in the auto configuration from a device that contains the configurations The device must be configured and instructed to Encrypt the sensitive data in the file Enforce the integrity of the file content Include the secure authentication configuration commands and SSD rules that properly control and secure the access to devices and the sensitive data If the configuration file was generated with a us...

Page 266: ...allowed to users if their read permissions are Both or Plaintext Only Other users are rejected Sensitive data in the Menu CLI is always displayed as plaintext Password recovery is currently activated from the boot menu and allows the user to log on to the terminal without authentication If SSD is supported this option is only permitted if the local passphrase is identical to the default passphrase...

Page 267: ... Passphrase Type Displays whether the default passphrase or a user defined passphrase is currently being used STEP 2 Enter the following Persistent Settings fields Configuration File Passphrase Control Select an option as described in Configuration File Passphrase Control Configuration File Integrity Control Select to enable this feature See Configuration File Integrity Control STEP 3 Select a Rea...

Page 268: ...ies to all users Channel This defines the security level of the input channel to which the rule applies Select one of the following options Secure Indicates that this rule applies only to secure channels console SSH and HTTPS not including the XML channels Insecure Indicates that this rule applies only to insecure channels Telnet TFTP and HTTP not including the XML channels Secure XML SNMP Indicat...

Page 269: ... subjected to the read permission of the rule The following options exist but some might be rejected depending on the rule s read permission Exclude Do not allow reading the sensitive data Encrypted Sensitive data is presented encrypted Plaintext Sensitive data is presented as plaintext STEP 3 The following actions can be performed Restore to Default Restore a user modified default rule to the def...

Page 270: ...Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components Configuring QoS General Managing QoS Statistics ...

Page 271: ...s a function of the traffic class to which they belong Other Traffic Class Handling Attribute Applies QoS mechanisms to various classes including bandwidth management QoS Operation When using the QoS feature all traffic of the same class receives the same treatment which consists of a single QoS action of determining the egress queue on the egress port based on the indicated QoS value in the incom...

Page 272: ... into the egress queues based on the their DSCP TC value STEP 5 Designate an egress queue to each CoS 802 1p priority If the switch is in CoS 802 1 trusted mode all incoming packets are put into the designated egress queues according to the CoS 802 1p priority in the packets This is done by using the CoS 802 1p to Queue page STEP 6 Enter bandwidth and rate limits in the following pages a Set egres...

Page 273: ...ore Defaults to restore the factory CoS default setting for this interface STEP 6 Click DSCP Override Table to enter the DSCP values The DSCP Override Table is displayed STEP 7 DSCP In displays the DSCP value of the incoming packet that needs to be re marked to an alternative value Select the new DSCP value to override the incoming value Select Restore Defaults to restore the factory DSCP values S...

Page 274: ...r LAG to display the list of ports or LAGs The list of ports LAGs is displayed QoS State displays whether QoS is enabled on the interface STEP 3 Select an interface and click Edit The Edit QoS Interface Settings is displayed STEP 4 Select the Port or LAG interface STEP 5 Click to enable or disable QoS State for this interface STEP 6 Click Apply The Running Configuration file is updated Configuring...

Page 275: ...ta has been used up and then another queue is serviced It is also possible to assign some of the lower queues to WRR while keeping some of the higher queues in strict priority In this case traffic for the strict priority queues is always sent before traffic from the WRR queues Only after the strict priority queues have been emptied is traffic from the WRR queues forwarded The relative portion from...

Page 276: ...riority assigned to the ingress ports Default Mapping Queues By changing the CoS 802 1p to Queue mapping and the Queue schedule method and bandwidth allocation it is possible to achieve the desired quality of services in a network CoS 802 1p to Queue mapping is applicable only if CoS 802 1p is the trusted mode and the packets belong to flows that are CoS trusted 802 1p Values 0 7 7 being the highe...

Page 277: ...riority egress queue and Queue1 is the lowest priority STEP 3 For each 802 1p priority select the Output Queue to which it is mapped STEP 4 Click Apply 801 1p priority values to queues are mapped and the Running Configuration file is updated Mapping DSCP to Queue The DSCP IP Differentiated Services Code Point to Queue page maps DSCP to egress queues The DSCP to Queue Table determines the egress qu...

Page 278: ...and send The ingress rate limit is the number of bits per second that can be received from the ingress interface Excess bandwidth above this limit is discarded The following values are entered for egress shaping Committed Information Rate CIR sets the average maximum amount of data allowed to be sent on the egress interface measured in bits per second Committed Burst Size CBS is the burst of data ...

Page 279: ...idth beyond the allowed limit STEP 5 Click Apply The bandwidth settings are written to the Running Configuration file Configuring Egress Shaping per Queue In addition to limiting transmission rate per port which is done in the Bandwidth page the switch can limit the transmission rate of selected egressing frames on a per queue per port basis Egress rate limiting is performed by shaping the output ...

Page 280: ...CIR in Kbits per second Kbps CIR is the average maximum amount of data that can be sent Committed Burst Size CBS Enter the maximum burst size CBS in bytes CBS is the maximum burst of data allowed to be sent even if a burst exceeds CIR STEP 6 Click Apply The bandwidth settings are written to the Running Configuration file Managing QoS Statistics From this page you can manage the view queues statist...

Page 281: ...isplays the statistics for Set 1 that contains all interfaces and queues with a high DP Drop Precedence Set 2 Displays the statistics for Set 2 that contains all interfaces and queues with a low DP Interface Queue statistics are displayed for this interface Queue Packets were forwarded or tail dropped from this queue Drop Precedence Lowest drop precedence has the lowest probability of being droppe...

Page 282: ...s are Port Selects the port on the selected unit number for which statistics are displayed All Ports Specifies that statistics are displayed for all ports Queue Select the queue for which statistics are displayed Drop Precedence Enter drop precedence that indicates the probability of being dropped STEP 4 Click Apply The Queue Statistics counter is added and the Running Configuration file is update...

Page 283: ...of Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments

Related manuals for SRW208MP

TC Electronic M300 Service Manual preview
M300
Brand: TC Electronic Pages: 2
VMIC VMICPCI-7755 Product Manual preview
VMICPCI-7755
Brand: VMIC Pages: 126
AMD SB710 User Manual preview
SB710
Brand: AMD Pages: 20
Z Microsystems TranzStor 8X User Manual preview
TranzStor 8X
Brand: Z Microsystems Pages: 51
IBM System Storage DS3200 Overview preview
System Storage DS3200
Brand: IBM Pages: 2
SurfControl 509-8629-00 Setup Manual preview
509-8629-00
Brand: SurfControl Pages: 2
Abocom WR5502 User Manual preview
WR5502
Brand: Abocom Pages: 63
Gemtek Systems WLTFQR-121 User Manual preview
WLTFQR-121
Brand: Gemtek Systems Pages: 51
Kontron CPS3003-SA User Manual preview
CPS3003-SA
Brand: Kontron Pages: 19
RubyTech VS-820S User Manual preview
VS-820S
Brand: RubyTech Pages: 25
ZALMAN CNPS11X Extreme User Manual preview
CNPS11X Extreme
Brand: ZALMAN Pages: 12
BHU NETWORKS BXM2 User Manual preview
BXM2
Brand: BHU NETWORKS Pages: 75
Renesas REJ06B0734-0100 Application Note preview
REJ06B0734-0100
Brand: Renesas Pages: 19
Patton electronics FORESIGHT 6300 User Manual preview
FORESIGHT 6300
Brand: Patton electronics Pages: 145
Paradyne 1740 SHDSL User Manual preview
1740 SHDSL
Brand: Paradyne Pages: 74
LevelOne WBR-3402TX User Manual preview
WBR-3402TX
Brand: LevelOne Pages: 146
JETWAY LI22 Series User Manual preview
LI22 Series
Brand: JETWAY Pages: 63
Xinje VH5 Series User Manual preview
VH5 Series
Brand: Xinje Pages: 76

Brands by name

Popular brands

Load more brands