xStack® DGS-3120 Series Managed Switch Web UI Reference Guide 

 

Chapter 2

 

System Configuration 

Device Information 
System Information Settings 
Port Configuration 
PoE 
Serial Port Settings 
Warning Temperature Settings 
System Log configuration 
Time Range Settings 
Port Group Settings (EI Mode Only) 
Time Settings 
User Accounts Settings 
Command Logging Settings 
Stacking 
 

Device Information 

This window contains the main settings for all the major functions for the Switch. It appears automatically when you 
log on to the Switch. To return to the Device Information window after viewing other windows, click the DGS-3120 
Series link. 

 

The Device Information window shows the Switch’s MAC Address (assigned by the factory and unchangeable), the 
Boot PROM Version, Firmware Version, Hardware Version, and many other important types of information. This is 
helpful for keeping track of PROM and firmware updates and for obtaining the Switch’s MAC address for entry into 
another network device’s address table, if necessary. In addition, this window displays the status of functions on the 
Switch so that their current global status can be assessed quickly. 

 

Many functions are hyperlinked so that they can be configured quickly from this window. 

 

 

Figure 2–1 Device Information window (SI Mode Only) 

 

Summary of Contents for DGS-3120-24PC-EI

Page 2: ...orporation is strictly forbidden Trademarks used in this text D Link and the D LINK logo are trademarks of D Link Corporation Microsoft and Windows are registered trademarks of Microsoft Corporation Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products D Link Corporation disclaims any proprietary interest in tra...

Page 3: ...10 PoE System Settings 10 PoE Port Settings 11 Serial Port Settings 13 Warning Temperature Settings 13 System Log configuration 14 System Log Settings 14 System Log Server Settings 15 System Log 16 System Log Trap Settings 16 System Severity Settings 17 Time Range Settings 18 Port Group Settings EI Mode Only 18 Time Settings 19 User Accounts Settings 19 Command Logging Settings 21 Stacking 21 Stac...

Page 4: ...MP Host Table Settings 52 SNMPv6 Host Table Settings EI Mode Only 53 RMON Settings 53 Telnet Settings 54 Web Settings 54 Chapter 4 L2 Features 55 VLAN 55 802 1Q VLAN Settings 60 802 1v Protocol VLAN 63 Asymmetric VLAN Settings 65 GVRP 65 MAC based VLAN Settings 67 Private VLAN Settings 67 PVID Auto Assign Settings 69 Voice VLAN 69 VLAN Trunk Settings 72 Browse VLAN 72 Show VLAN Ports 73 QinQ EI Mo...

Page 5: ...formation 129 LLDP Remote Port Information 130 NLB FDB Settings 131 Chapter 5 L3 Features 132 IPv4 Default Route Settings SI Mode Only 132 IPv4 Static Default Route Settings EI Mode Only 132 IPv4 Route Table 133 IPv6 Static Default Route Settings EI Mode Only 134 IP Forwarding Table 134 Chapter 6 QoS 135 802 1p Settings 136 802 1p Default Priority Settings 136 802 1p User Priority Settings 137 Ban...

Page 6: ...on RADIUS Server Settings 204 RADIUS Accounting Settings 206 RADIUS Authentication 206 RADIUS Account Client 208 IP MAC Port Binding IMPB EI Mode Only 209 IMPB Global Settings 209 IMPB Port Settings 210 IMPB Entry Settings 211 MAC Block List 211 DHCP Snooping 212 MAC based Access Control MAC 213 MAC based Access Control Settings 213 MAC based Access Control Local Settings 215 MAC based Access Cont...

Page 7: ...SH Authentication Method and Algorithm Settings 246 SSH User Authentication List 248 Trusted Host Settings 249 Safeguard Engine Settings 250 Chapter 9 Network Application 253 DHCP 253 DHCP Relay 253 DHCP Local Relay Settings 260 SNTP 260 SNTP Settings 260 Time Zone Settings 261 Flash File System Settings 262 Chapter 10 OAM 265 CFM 265 CFM Settings 265 CFM Port Settings 271 CFM MIPCCM Table 272 CFM...

Page 8: ...P 305 Download Firmware From HTTP 305 Upload Firmware 306 Upload Firmware To TFTP 306 Download Configuration 307 Download Configuration From TFTP 307 Download Configuration From HTTP 308 Upload Configuration 308 Upload Configuration To TFTP 308 Upload Configuration To HTTP 309 Upload Log File 310 Upload Log To TFTP 310 Upload Log To HTTP 310 Reset 311 Reboot System 311 Appendix Section 313 Appendi...

Page 9: ...enu and choose Cancel Used for emphasis May also indicate system messages or prompts appearing on screen For example You have mail Bold font is also used to represent filenames program names and commands For example use the copy command Boldface Typewriter Font Indicates commands and responses to prompts that must be typed exactly as printed in the manual Initial capital letter Indicates a window ...

Page 10: ...re the same as those found in the console program Login to the Web Manager To begin managing the Switch simply run the browser installed on your computer and point it to the IP address you have defined for the device The URL in the address bar should read something like http 123 123 123 123 where the numbers 123 represent the IP address of the Switch NOTE The factory default IP address is 10 90 90...

Page 11: ... and click the hyperlinked menu buttons and subfolders contained within them to display menus Click the D Link logo to go to the D Link website Area 2 Presents a graphical near real time image of the front panel of the Switch This area displays the Switch s ports console and management port showing port activity Some management functions including save reboot download and upload are accessible her...

Page 12: ...gure features regarding the Layer 3 functionality of the Switch QoS In this section the user will be able to configure features regarding the Quality of Service functionality of the Switch ACL In this section the user will be able to configure features regarding the Access Control List functionality of the Switch Security In this section the user will be able to configure features regarding the Sw...

Page 13: ...urn to the Device Information window after viewing other windows click the DGS 3120 Series link The Device Information window shows the Switch s MAC Address assigned by the factory and unchangeable the Boot PROM Version Firmware Version Hardware Version and many other important types of information This is helpful to keep track of PROM and firmware updates and to obtain the Switch s MAC address fo...

Page 14: ...e System Location and System Contact to aid in defining the Switch To view the following window click System Configuration System Information Settings as show below Figure 2 3 System Information Settings window The fields that can be configured are described below Parameter Description System Name Enter a system name for the Switch if so desired This name will identify it in the Switch network Sys...

Page 15: ...used for the configuration here State Toggle the State field to either enable or disable a given port or group of ports Speed Duplex Toggle the Speed Duplex field to select the speed and full duplex half duplex state of the port Auto denotes auto negotiation among 10 100 and 1000 Mbps devices in full or half duplex except 1000 Mbps which is always full duplex The Auto setting allows the port to au...

Page 16: ...e current connection speed will be displayed MDIX Auto Select auto for auto sensing of the optimal type of cabling Normal Select normal for normal cabling If set to normal state the port is in MDI mode and can be connected to a PC NIC using a straight through cable or a port in MDI mode on another switch through a cross over cable Cross Select cross for cross cabling If set to cross state the port...

Page 17: ...ck System Configuration Port Configuration Port Error Disabled as show below Figure 2 6 Port Error Disabled The fields that can be displayed are described below Parameter Description Port Display the port that has been error disabled Port State Describe the current running state of the port whether enabled or disabled Connection Status Display the uplink status of the individual ports whether enab...

Page 18: ...ture occurs under two conditions firstly if the total power consumption exceeds the system power limit and secondly if the per port power consumption exceeds the per port power limit Active circuit protection automatically disables the port if there is a short Other ports will remain active Based on 802 3af at PDs receive power according to the following classification Class Maximum power availabl...

Page 19: ... menu to select a Power Disconnect Method The default Power Disconnect Method is Deny Next Port Both Power Disconnection Methods are described below Deny Next Port After the power limit has been exceeded the next port attempting to power up is denied regardless of its priority If Power Disconnection Method is set to Deny Next Port the system cannot utilize out of its maximum power capacity The max...

Page 20: ...ed Critical High and Low When multiple ports happen to have the same level of priority the port ID will be used to determine the priority The lower port ID has higher priority The setting of priority will affect the order of supplying power Whether the disconnect method is set to deny low priority port the priority of each port will be used by the system to manage the supply of power to ports Powe...

Page 21: ... possible baud rates to choose from 9600 19200 38400 and 115200 For a connection to the Switch using the console port the baud rate must be set to 115200 which is the default setting Auto Logout Select the logout time used for the console interface This automatically logs the user out after an idle period of time as defined Choose from the following options 2 5 10 15 minutes or Never The default s...

Page 22: ...changes made System Log configuration System Log Settings The Switch allows users to choose a method for which to save the switch log to the flash memory of the Switch To view the following window click System Configuration System Log Configuration System Log Settings as show below Figure 2 12 System Log Settings window The fields that can be configured are described below Parameter Description Sy...

Page 23: ...ver Settings SI Mode Only Figure 2 14 System Log Server Settings EI Mode Only The fields that can be configured are described below Parameter Description Server ID Syslog server settings index 1 to 4 Server IPv4 Address The IPv4 address of the Syslog server Server IPv6 Address EI Mode Only The IPv6 address of the Syslog server UDP Port Type the UDP port number used for sending Syslog messages The ...

Page 24: ... log simply tick the All check box Module List When selecting Module List the module name must be manually entered Available modules are MSTP ERROR_LOG CFM_EXT and ERPS Attack Log When selecting Attack Log all attacks will be listed Index A counter incremented whenever an entry to the Switch s history log is made The table displays the last entry highest sequence number first Time Display the time...

Page 25: ...tton to accept the changes made Click the Clear button to clear all the information entered in the fields System Severity Settings The Switch can be configured to allow alerts be logged or sent as a trap to an SNMP agent The level at which the alert triggers either a log entry or a trap message can be set as well Use the System Severity Settings window to set the criteria for alerts The current se...

Page 26: ...9 Time Range Settings window The fields that can be configured are described below Parameter Description Range Name Enter a name of no more than 32 alphanumeric characters that will be used to identify this time range on the Switch This range name will be used in the Access Profile table to identify the access profile and associated rule to be enabled during this time range Hours This parameter is...

Page 27: ... made Click the Delete button to remove the specific entry Time Settings Users can configure the time settings for the Switch To view the following window click System Configuration Time Settings as show below Figure 2 21 Time Settings window The fields that can be configured are described below Parameter Description Date DD MM YYYY Enter the current day month and year to update the system clock T...

Page 28: ...only Read only Factory Reset Read Write No No No User Account Management Add Update Delete User Accounts Read Write No No No View User Accounts Read Write No No No The fields that can be configured are described below Parameter Description User Name Enter a new user name for the Switch Password Enter a new password for the Switch Confirm Password Re type in a new password for the Switch Access Rig...

Page 29: ...bined to be managed by one IP address through Telnet the GUI interface web the console port or through SNMP Each switch of this series has two stacking ports located at the rear of the device which can be used to connect other devices and make them stack together After adding these stacking ports the user may connect these ports together using copper cables also sold separately in one of two possi...

Page 30: ...se roles will be determined first by priority and if the priority is the same the lowest MAC address Once switches have been assembled in the topology desired by the user and powered on the stack will undergo three processes until it reaches a functioning state Initialization State This is the first state of the stack where the runtime codes are set and initialized and the system conducts a periph...

Page 31: ...tabases such as ARP will be cleared as well Static switch configurations still remain in the database of the remaining switches in the stack and those functions will not be affected NOTE If there is a Box ID conflict when the stack is in the discovery phase the device will enter a special standalone topology mode Users can only get device information configure Box IDs save and reboot All stacking ...

Page 32: ...to be configured New Box ID The new box ID of the selected switch in the stack that was selected in the Current Box ID field The user may choose any number between 1 and 6 to identify the switch in the switch stack Auto will automatically assign a box number to the switch in the switch stack Priority 1 63 Displays the priority ID of the Switch The lower the number the higher the priority The box s...

Page 33: ...d to translate IP addresses to MAC addresses To view the following window click Management ARP Static ARP Settings as show below Figure 3 1 Static ARP Settings window The fields that can be configured are described below Parameter Description ARP Aging Time 0 65535 The ARP entry age out time in minutes The default is 20 minutes IP Address The IP address of the ARP entry MAC Address The MAC address...

Page 34: ...he source IP and destination IP are in the same interface To view the following window click Management ARP Proxy ARP Settings as show below Figure 3 2 Proxy ARP Settings window Click the Edit button to re configure the specific entry and select the proxy ARP state of the IP interface By default both the Proxy ARP State and Local Proxy ARP State are disabled ARP Table Users can display current ARP...

Page 35: ...uest packet that is sent by an IP address that match the system s own IP address In this case the system knows that somebody out there uses an IP address that is conflict with the system In order to reclaim the correct host of this IP address the system can send out the gratuitous ARP request packets for this duplicate IP address Gratuitous ARP Learning Normally the system will only learn the ARP ...

Page 36: ...econds 0 means that gratuitous ARP request will not be sent periodically By default the interval time is 0 Click the Apply button located in the Gratuitous ARP Trap Log section to accept the changes made in this section Click the Apply button located in the Gratuitous ARP Periodical Send Interval section to accept the changes made in this section IPv6 Neighbor Settings EI Mode Only The user can co...

Page 37: ...s 10 90 90 90 with a subnet mask of 255 0 0 0 and a default gateway of 0 0 0 0 To view the following window click Management IP Interface System IP Address Settings as show below Figure 3 7 System IP Address Settings window The fields that can be configured are described below Parameter Description Static Allow the entry of an IP address subnet mask and a default gateway for the Switch These field...

Page 38: ... Interface Admin State Use the drop down menu to enable or disable the configuration on this interface If the state is disabled the IP interface cannot be accessed IP Address This field allows the entry of an IPv4 address to be assigned to this IP interface Subnet Mask A Bitmask that determines the extent of the subnet that the Switch is on Should be of the form xxx xxx xxx xxx where each xxx is a...

Page 39: ...Mode Only NOTE To create IPv6 interfaces the user has to create an IPv4 interface then edit it to IPv6 Click the Add button to see the following window Figure 3 10 IPv4 Interface Settings window EI Mode Only The fields that can be configured are described below Parameter Description IP Interface Name Enter the name of the IP interface being created IPv4 Address Enter the IPv4 address used Subnet M...

Page 40: ... down menu to enable or disable IPv4 State Interface Admin State Use the drop down menu to enable or disable the Interface Admin State Click the Apply button to accept the changes made Click the Back button to discard the changes made and return to the previous page Click the IPv6 Edit button to see the following window Figure 3 12 IPv6 Interface Settings window EI Mode Only The fields that can be...

Page 41: ...witch is instructed to receive a configuration file from a TFTP server which will set the Switch to become a DHCP client automatically on boot up To employ this method the DHCP server must be set up to deliver the TFTP server IP address and configuration file name information in the DHCP reply packet The TFTP server must be up and running and hold the necessary configuration file stored in its bas...

Page 42: ...ion file stored in its base directory when the request is received from the Switch Power Saving State Enable or disable the link down power saving mode of each physical port The switch port will go into sleep mode when a port is not connected Length Detection State Enable or disable the length detection power saving mode on the physical ports The switch port will reduce the power feed for shorter ...

Page 43: ...roup can only have one Commander Switch CS A SIM group accepts up to 32 switches numbered 1 32 not including the Commander Switch numbered 0 Members of a SIM group cannot cross a router There is no limit to the number of SIM groups in the same IP subnet broadcast domain however a single switch can only belong to one group If multiple VLANs are configured the SIM group will only utilize the default...

Page 44: ...hich other switches in the group including the CS do not belong To better improve SIM management the DGS 3120 Series switches have been upgraded to version 1 61 in this release Many improvements have been made including Upgrade to v1 61 1 The Commander Switch CS now has the capability to automatically rediscover member switches that have left the SIM group either through a reboot or web malfunctio...

Page 45: ...roup Choosing this option will also enable the Switch to be configured for SIM Group Name Enter a Group Name in this textbox This is optional This name is used to segment switches into different SIM groups Discovery Interval 30 90 The user may set the discovery protocol interval in seconds that the Switch will send out discovery packets Returning information to a Commander Switch will include info...

Page 46: ...ays the number of the physical port on the CS that the MS or CaS is connected to The CS will have no entry in this field Speed Displays the connection speed between the CS and the MS or CaS Remote Port Displays the number of the physical port on the MS or CaS to which the CS is connected The CS will have no entry in this field MAC Address Displays the MAC Address of the corresponding Switch Model ...

Page 47: ...ommander switch Member switch of other group Layer 3 commander switch Layer 2 candidate switch Commander switch of other group Layer 3 candidate switch Layer 2 member switch Unknown device Non SIM devices In the Topology view window the mouse plays an important role in configuration and in viewing device information Setting the mouse cursor over a specific device in the topology window tool tip wi...

Page 48: ... the connection speed between the two devices as shown below Figure 3 20 Port Speed Utilizing the Tool Tip Right clicking on a device will allow the user to perform various functions depending on the role of the Switch in the SIM group and the icon associated with it Right Click Group Icon Figure 3 21 Right Clicking a Group Icon The following options may appear for the user to configure ...

Page 49: ...tch that was right clicked MAC Address Displays the MAC Address of the corresponding Switch Remote Port No Displays the number of the physical port on the MS or CaS that the CS is connected to The CS will have no entry in this field Local Port No Displays the number of the physical port on the CS that the MS or CaS is connected to The CS will have no entry in this field Port Speed Displays the con...

Page 50: ...lapse the group that will be represented by a single icon Expand To expand the SIM group in detail Add to group Add a candidate to a group Clicking this option will reveal the following dialog box for the user to enter a password for authentication from the Candidate Switch before being added to the SIM group Click OK to enter the password or Cancel to exit the dialog box Figure 3 26 Input passwor...

Page 51: ...pology view About Will display the SIM information including the current SIM version Help Figure 3 29 About window Firmware Upgrade This screen is used to upgrade firmware from the Commander Switch to the Member Switch Member Switches will be listed in the table and will be specified by Port port on the CS where the MS resides MAC Address Model Name and Version To specify a certain Switch for firm...

Page 52: ...rotocol SNMP is an OSI Layer 7 Application Layer designed specifically for managing and monitoring network devices SNMP enables network management stations to read and modify the settings of gateways routers switches and other network devices Use SNMP to configure system features for proper operation monitor performance and detect potential problems in the Switch switch group or network Managed de...

Page 53: ...s them to the trap recipient or network manager Typical traps include trap messages for Authentication Failure Topology Change and Broadcast Multicast Storm Traps The Switch in the Management Information Base MIB stores management and counter information The Switch uses the standard MIB II Management Information Base module Consequently values for MIB objects can be retrieved from any SNMP based n...

Page 54: ...gs window The fields that can be configured are described below Parameter Description SNMP Traps Enable this option to use the SNMP Traps feature SNMP Authentication Trap Enable this option to use the SNMP Authentication Traps feature Linkchange Traps Enable this option to use the SNMP Link Change Traps feature Coldstart Traps Enable this option to use the SNMP Cold Start Traps feature Warmstart T...

Page 55: ...State Use the drop down menu to enable or disable the SNMP link change Trap Click the Apply button to accept the changes made SNMP View Table Settings Users can assign views to community strings that define which MIB objects can be accessed by a remote SNMP manager The SNMP Group created with this table maps SNMP users identified in the SNMP User Table to the views created in the previous window T...

Page 56: ...ger can access Click the Apply button to accept the changes made Click the Delete button to remove the specific entry SNMP Community Table Settings Users can create an SNMP community string to define the relationship between the SNMP manager and an agent The community string acts like a password to permit access to the agent on the Switch One or more of the following characteristics can be associa...

Page 57: ...NMP manager is allowed to access on the Switch The view name must exist in the SNMP View Table Access Right Read Only Specify that SNMP community members using the community string created can only read the contents of the MIBs on the Switch Read Write Specify that SNMP community members using the community string created can read from and write to the contents of the MIBs on the Switch Click the ...

Page 58: ...s improvements in the Structure of Management Information SMI and adds some security features SNMPv3 Specify that the SNMP version 3 will be used SNMPv3 provides secure access to devices through a combination of authentication and encrypting packets over the network Security Level The Security Level settings only apply to SNMPv3 NoAuthNoPriv Specify that there will be no authorization and no encry...

Page 59: ...o accept the changes made NOTE The Engine ID length is 10 64 and accepted characters can range from 0 to F SNMP User Table Settings This window displays all of the SNMP User s currently configured on the Switch To view the following window click Management SNMP Settings SNMP User Table Settings as show below Figure 3 40 SNMP User Table Settings window The fields that can be configured are describe...

Page 60: ...ry SNMP Host Table Settings Users can set up SNMP trap recipients for IPv4 To view the following window click Management SNMP Settings SNMP Host Table Settings as show below Figure 3 41 SNMP Host Table Settings window The fields that can be configured are described below Parameter Description Host IP Address Type the IP address of the remote management station that will serve as the SNMP host for ...

Page 61: ...that the SNMP version 3 will be used with a NoAuth NoPriv security level AuthNoPriv To specify that the SNMP version 3 will be used with an Auth NoPriv security level AuthPriv To specify that the SNMP version 3 will be used with an Auth Priv security level Community String SNMP V3 User Name Type in the community string or SNMP V3 user name as appropriate Click the Apply button to accept the change...

Page 62: ...5535 The TCP port number used for Telnet management of the Switch The well known TCP port for the Telnet protocol is 23 Click the Apply button to accept the changes made Web Settings Users can configure the Web settings on the Switch To view the following window click Management Web Settings as show below Figure 3 45 Web Settings window The fields that can be configured are described below Paramet...

Page 63: ...further tailor how priority tagged data packets are handled on your network Using queues to manage priority tagged data allows you to specify its relative priority to suit the needs of your network There may be circumstances where it would be advantageous to group two or more differently tagged packets into the same queue Generally however it is recommended that the highest priority queue Queue 7 ...

Page 64: ...the packet header Ingress port A port on a switch where packets are flowing into the Switch and VLAN decisions must be made Egress port A port on a switch where packets are flowing out of the Switch either to another switch or to an end station and tagging decisions must be made IEEE 802 1Q tagged VLANs are implemented on the Switch 802 1Q VLANs require tagging which enables them to span the entir...

Page 65: ...s indicated by a value of 0x8100 in the EtherType field When a packet s EtherType field is equal to 0x8100 the packet carries the IEEE 802 1Q 802 1p tag The tag is contained in the following two octets and consists of 3 bits of user priority 1 bit of Canonical Format Identifier CFI used for encapsulating Token Ring packets so they can be carried across Ethernet backbones and 12 bits of VLAN ID VID...

Page 66: ...fined on the Switch all ports are then assigned to a default VLAN with a PVID equal to 1 Untagged packets are assigned the PVID of the port on which they were received Forwarding decisions are based upon this PVID in so far as VLANs are concerned Tagged packets are forwarded according to the VID contained within the tag Tagged packets are also assigned a PVID but the PVID is not used to make packe...

Page 67: ... it to its attached network segment If the packet is not tagged with VLAN information the ingress port will tag the packet with its own PVID as a VID if the port is a tagging port The switch then determines if the destination port is a member of the same VLAN has the same VID as the ingress port If it does not the packet is dropped If it has the same VID the packet is forwarded and the destination...

Page 68: ... If Port 10 is not a member of VLAN 2 then the packet will be dropped by the Switch and will not reach its destination If Port 10 is a member of VLAN 2 the packet will go through This selective forwarding feature based on VLAN criteria is how VLANs segment networks The key point being that Port 1 will only transmit on VLAN 2 VLAN Segmentation 802 1Q VLAN Settings The VLAN List tab lists all previo...

Page 69: ... configure Port Display all ports of the Switch for the configuration option Tagged Specify the port as 802 1Q tagging Clicking the radio button will designate the port as tagged Click the All button to select all ports Untagged Specify the port as 802 1Q untagged Clicking the radio button will designate the port as untagged Click the All button to select all ports Forbidden Click the radio button...

Page 70: ...described below Parameter Description VID List Enter a VLAN ID List that can be added deleted or configured Advertisement Enabling this function will allow the Switch to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port List Allows an individual port list to be added or deleted as a member of the VLAN Tagged Specify the port as 802 1Q tagged Use the drop ...

Page 71: ... is used to identify the new Protocol VLAN group Type an alphanumeric string of up to 32 characters Protocol This function maps packets to protocol defined VLANs by examining the type octet within the packet header to discover the type of protocol associated with it Use the drop down menu to toggle between Ethernet II IEEE802 3 SNAP and IEEE802 3 LLC Protocol Value Enter a value for the Group The ...

Page 72: ...o Once this field is specified packets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by the user Click the corresponding box if you want to set the 802 1p default priority of a packet to the value entered in the Priority 0 7 field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Ot...

Page 73: ...ANs are needed An example of when this type of configuration might be required would be if the client was on a distinct IP subnet or if there was some confidentiality related need to segregate traffic between the clients To view this window click L2 Features VLAN Asymmetric VLAN Settings as show below Figure 4 10 Asymmetric VLAN Settings window Click Apply to implement changes GVRP GVRP Global Set...

Page 74: ...the changes made for each individual section NOTE The Leave Time value should be greater than twice the Join Time value The Leave All Time value should be greater than the Leave Time value GVRP Port Settings On this page the user can configure the GVRP port parameters To view the following window click L2 Features VLAN GVRP GVRP Port Settings as show below Figure 4 12 GVRP Port Settings window The...

Page 75: ...ch mean both tagged and untagged frames will be accepted All is enabled by default Click the Apply button to accept the changes made MAC based VLAN Settings Users can create new MAC based VLAN entries search and delete existing entries When a static MAC based VLAN entry is created for a user the traffic from this user will be able to be serviced under the specified VLAN regardless of the authentic...

Page 76: ...mary VLAN will behave as the tagged member of the secondary VLAN. A secondary VLAN cannot be specified with advertisement. Only the primary VLAN can be configured as a layer 3 interface. The private VLAN member port cannot be configured with the traffic segmentation function. This window allows the user to configure the private VLAN parameters. To view the following window, click L2 Features > VLAN > Privat...

Page 77: ...ettings window. Click the Apply button to accept the changes made. Voice VLAN. Voice VLAN Global Settings. Voice VLAN is a VLAN used to carry voice traffic from IP phones. Because the sound quality of an IP phone call will deteriorate if the data is unevenly sent, the quality of service (QoS) for voice traffic shall be configured to ensure the transmission priority of voice packets is higher than normal...

Page 78: ...r will be started. The port will be removed from the voice VLAN after expiration of the voice VLAN aging timer. If the voice traffic resumes during the aging time, the aging timer will be reset and stop. Log State: Used to enable or disable the sending of voice VLAN logs. Click the Apply button to accept the changes made for each individual section. Voice VLAN Port Settings. This page is used to show the por...

Page 79: ...ngs window. The fields that can be configured are described below. Parameter: Description. OUI Address: User-defined OUI MAC address. Mask: User-defined OUI MAC address mask. Description: The description for the user-defined OUI. Click the Apply button to accept the changes made. Click the Delete All button to remove all the entries listed. Click the Edit button to re-configure the specific entry. Click the De...

Page 80: ... pass through their VLAN trunking port(s). Refer to the following figure for an illustrated example. Figure 4–21 Example of VLAN Trunk. Users can combine a number of VLAN ports together to create VLAN trunks. To view the following window, click L2 Features > VLAN > VLAN Trunk Settings as shown below. Figure 4–22 VLAN Trunk Settings window. The fields that can be configured are described below. Parameter: Descrip...

Page 81: ... the Find button. To view the following window, click L2 Features > VLAN > Show VLAN Ports as shown below. Figure 4–24 Show VLAN Ports window. Click the View All button to display all the existing entries. Enter a page number and click the Go button to navigate to a specific page when multiple pages exist. QinQ (EI Mode Only). Double or Q-in-Q VLANs allow network providers to expand their VLAN configurations to...

Page 82: ...urce Address, SPVLAN (TPID + Service Provider VLAN Tag), 802.1Q CEVLAN Tag (TPID + Customer VLAN Tag), Ether Type, Payload. Consider the example below. Figure 4–25 QinQ example window. In this example, the Service Provider Access Network switch (Provider edge switch) is the device creating and configuring Double VLANs. Both CEVLANs (Customer VLANs), 10 and 11, are tagged with the SPVID 100 on the Service Provider Access...

Page 83: ...ave both double and normal VLANs co-existing. Once the change of VLAN is made, all Access Control lists are cleared and must be reconfigured. 6. Once Double VLANs are enabled, GVRP must be disabled. 7. All packets sent from the CPU to the Access ports must be untagged. 8. The following functions will not operate when the switch is in Double VLAN mode: Guest VLANs, Web-based Access Control, IP Multicast Routin...

Page 84: ...e can be used to add a translation relationship between C-VLAN and SP-VLAN. On ingress at the UNI port, the C-VLAN tagged packets will be translated to SP-VLAN tagged packets by adding or replacing according to the configured rule. On egress at this port, the SP-VLAN tag will be recovered to the C-VLAN tag or be stripped. The priority will be the priority in the SP-VLAN tag if the inner priority flag is disabled for...

Page 85: ...their respective spanning trees. Each switch utilizing the MSTP on a network will have a single MSTP configuration that will have the following three attributes: 1. A configuration name defined by an alphanumeric string of up to 32 characters, defined in the MST Configuration Identification window in the Configuration Name field. 2. A configuration revision number, named here as a Revision Level and foun...

Page 86: ...mpliant bridges are sensitive to feedback from other RSTP-compliant bridge links. Ports do not need to wait for the topology to stabilize before transitioning to a forwarding state. In order to allow this rapid transition, the protocol introduces two new variables: the edge port and the point-to-point (P2P) port. The edge port is a configurable designation used for a port that is directly connected to a ...

Page 87: ...ith other devices on the bridged LAN. The user may choose a time between 6 and 40 seconds. The default value is 20 seconds. Bridge Hello Time (1-2): The Hello Time can be set from 1 to 2 seconds. This is the interval between two transmissions of BPDU packets sent by the Root Bridge to tell all other switches that it is indeed the Root Bridge. This field will only appear here when STP or RSTP is selected f...

Page 88: ...eatures > Spanning Tree > STP Port Settings as shown below. Figure 4–29 STP Port Settings window. It is advisable to define an STP Group to correspond to a VLAN group of ports. The fields that can be configured are described below. Parameter: Description. Unit: Select the unit you want to configure. From Port / To Port: Select the starting and ending ports to be configured. External Cost (0 = Auto): This defines a metr...

Page 89: ...e STP for the selected group of ports. The default is Enabled. Forward BPDU: Use the pull-down menu to enable or disable the flooding of BPDU packets when STP is disabled. Edge: Choosing the True parameter designates the port as an edge port. Edge ports cannot create loops; however, an edge port can lose edge port status if a topology change creates a potential for a loop. An edge port normally should not ...

Page 90: ...d to specify the VID range from configured VLANs set on the Switch. Supported VIDs on the Switch range from ID number 1 to 4094. Click the Apply button to accept the changes made for each individual section. Click the Edit button to re-configure the specific entry. Click the Delete button to remove the specific entry. STP Instance Settings. This window displays MSTIs currently set on the Switch and allo...

Page 91: ...t the unit you want to configure. Port: Select the port you want to configure. Instance ID: The MSTI ID of the instance to be configured. Enter a value between 0 and 15. An entry of 0 in this field denotes the CIST (default MSTI). Internal Path Cost: This parameter is set to represent the relative cost of forwarding packets to specified ports when an interface is selected within an STP instance. Selecting th...

Page 92: ...atic multicast, traffic control, traffic segmentation and 802.1p default priority configurations must be identical. Port locking, port mirroring and 802.1X must not be enabled on the trunk group. Further, the LACP aggregated links must all be of the same speed and should be configured as full duplex. The Master Port of the group is to be configured by the user, and all configuration options, including the ...

Page 93: ...ACP allows for the automatic detection of links in a Port Trunking Group. Master Port: Choose the Master Port for the trunk group using the drop-down menu. State: Use the drop-down menu to toggle between Enabled and Disabled. This is used to turn a port trunking group on or off. This is useful for diagnostics, to quickly isolate a bandwidth-intensive network device, or to have an absolute backup aggregati...

Page 94: ...d sending LACP control frames. This allows LACP-compliant devices to negotiate the aggregated link so the group may be changed dynamically as needs require. In order to utilize the ability to change an aggregated port group, that is, to add or subtract ports from the group, at least one of the participating devices must designate LACP ports as active. Both devices must support LACP. Passive: LACP ports th...

Page 95: ... associated unicast MAC address resides. MAC Address: The MAC address to which packets will be statically forwarded. This must be a unicast MAC address. Port/Drop: Allows the selection of the port number on which the MAC address entered above resides. This option could also drop the MAC address from the unicast static FDB. When selecting Port, enter the port number in the field. The format can be unit ID p...

Page 96: ...namically using GMRP. The options are: None: No restrictions on the port dynamically joining the multicast group. When None is chosen, the port will not be a member of the Static Multicast Group. Click the All button to select all the ports. Egress: The port is a static member of the multicast group. Click the All button to select all the ports. Click the Clear All button to clear out all the information en...

Page 97: ...notification. Up to 500 entries can be specified. Unit: Select the unit you want to configure. From Port / To Port: Select the starting and ending ports for MAC notification. State: Enable MAC Notification for the ports selected using the pull-down menu. Click the Apply button to accept the changes made for each individual section. MAC Address Aging Time Settings. Users can configure the MAC Address aging tim...

Page 98: ...he Switch. To view the following window, click L2 Features > FDB > MAC Address Table as shown below. Figure 4–40 MAC Address Table window. The fields that can be configured are described below. Parameter: Description. Unit: Select the unit you want to configure. Port: The port to which the MAC address below corresponds. VLAN Name: Enter a VLAN Name for the forwarding table to be browsed by. MAC Address: Enter a MAC ...

Page 99: ...ss button to locate a specific entry based on the IP address entered. Click the View All Entries button to display all the existing entries. Click the Add to IP MAC Port Binding Table to add the specific entry to the IMPB Entry Settings window. (EI Mode Only) L2 Multicast Control. IGMP Snooping. Internet Group Management Protocol (IGMP) snooping allows the Switch to recognize IGMP queries and reports sent ...

Page 100: ...able the IGMP Snooping state. Max Learning Entry Value: Here the user can enter the maximum learning entry value. Click the Apply button to accept the changes made for each individual section. Click the Edit button to configure the IGMP Snooping Parameters Settings. Click the Modify Router Port link to configure the IGMP Snooping Router Port Settings. After clicking the Edit button, the following page wi...

Page 101: ...he membership is immediately removed when the system receives the IGMP leave message. State: If the state is enabled, it allows the switch to be selected as an IGMP Querier (sends IGMP query packets). If the state is disabled, then the switch cannot play the role of a querier. NOTE that if the Layer 3 router connected to the switch provides only the IGMP proxy function but does not provide the multicast rou...

Page 102: ...en router port will not propagate routing packets out. Dynamic Router Port: Displays router ports that have been dynamically configured. Ports: Select the appropriate ports individually to include them in the Router Port configuration. Click the Select All button to select all the ports for configuration. Click the Clear All button to unselect all the ports for configuration. Click the Apply button to ac...

Page 103: ...cast Group IP address and the corresponding MAC address from IGMP packets that pass through the Switch. To view the following window, click L2 Features > L2 Multicast Control > IGMP Snooping > IGMP Snooping Static Group Settings as shown below. Figure 4–47 IGMP Snooping Static Group Settings window. The fields that can be configured are described below. Parameter: Description. VLAN Name: The VLAN Name of the mul...

Page 104: ...ted by D, while a Forbidden port is designated by F. To view the following window, click L2 Features > L2 Multicast Control > IGMP Snooping > IGMP Snooping Router Port as shown below. Figure 4–49 IGMP Router Port window. Enter a VID (VLAN ID) in the field at the top of the window. Click the Find button to locate a specific entry based on the information entered. Enter a page number and click the Go button to navi...

Page 105: ...ed VLAN. Click the View All button to display all the existing entries. Click the Clear All Data Driven button to delete all IGMP snooping groups that were learned by the Data Driven feature of the specified VLANs. IGMP Snooping Forwarding Table. This page displays the switch's current IGMP snooping forwarding table. It provides an easy way for the user to check the list of ports that the multicast group comes ...

Page 106: ...ribed below. Parameter: Description. VLAN Name: The VLAN Name of the multicast group. VID List: The VLAN ID list of the multicast group. Port List: The Port List of the multicast group. Click the Find button to locate a specific entry based on the information entered. Click the View All button to display all the existing entries. Click the Packet Statistics link to view the IGMP Snooping Counter Table. After ...

Page 107: ...in the ICMP packet header, this message is sent by the listening port to the Switch stating that it is interested in receiving multicast data from a multicast address in response to the Multicast Listener Query message. 3. Multicast Listener Done: Akin to the Leave Group Message in IGMPv2, and labeled as 132 in the ICMPv6 packet header, this message is sent by the multicast listening port stating that i...

Page 108: ...Snooping Parameters Settings for a specific entry. Click the Modify Router Port link to configure the MLD Snooping Router Port Settings for a specific entry. After clicking the Edit button, the following page will appear. Figure 4–55 MLD Snooping Parameters Settings window. The fields that can be configured are described below. Parameter: Description. Query Interval: Specify the amount of time in seconds b...

Page 109: ...uerier State: This allows the switch to be specified as an MLD Querier (sends MLD query packets) or a Non-Querier (does not send MLD query packets). Set to enable or disable. Fast Done: Here the user can enable or disable the fast done feature. State: Used to enable or disable MLD snooping for the specified VLAN. This field is Disabled by default. Report Suppression: Here the user can enable or disable the rep...

Page 110: ...mit Settings. Users can configure the rate limit of the MLD control packets that the switch can process on a specific port or VLAN on this page. To view the following window, click L2 Features > L2 Multicast Control > MLD Snooping > MLD Snooping Rate Limit Settings as shown below. Figure 4–57 MLD Snooping Rate Limit Settings window. The fields that can be configured are described below. Parameter: Description. Po...

Page 111: ...fter clicking the Edit button, the following page will appear. Figure 4–59 MLD Snooping Static Group Settings Edit window. Click the Select All button to select all the ports for configuration. Click the Clear All button to unselect all the ports for configuration. Click the Apply button to accept the changes made. Click the Back button to discard the changes made and return to the previous page. MLD Rou...

Page 112: ...LD Snooping Group as shown below. Figure 4–61 MLD Snooping Group window. The fields that can be configured are described below. Parameter: Description. VLAN Name: Click the radio button and enter the VLAN name of the multicast group. VID List: Click the radio button and enter a VLAN list of the multicast group. Port List: Specify the port number(s) used to find a multicast group. Group IPv6 Address: Enter the g...

Page 113: ...how below. Figure 4–62 MLD Snooping Forwarding Table window. The fields that can be configured are described below. Parameter: Description. VLAN Name: The name of the VLAN for which you want to view MLD snooping forwarding table information. VID List: The ID of the VLAN for which you want to view MLD snooping forwarding table information. Click the Find button to locate a specific entry based on the inform...

Page 114: ...ese multicast VLANs will allow the Switch to forward this multicast traffic as one copy to recipients of the multicast VLAN, instead of multiple copies. Regardless of other normal VLANs that are incorporated on the Switch, users may add any ports to the multicast VLAN where they wish multicast traffic to be sent. Users are to set up a source port, where the multicast traffic is entering the switch, and ...

Page 115: ...Deny coming into the specified switch ports. To view the following window, click L2 Features > L2 Multicast Control > Multicast VLAN > IGMP Multicast Group Profile Settings as shown below. Figure 4–65 IGMP Multicast Group Profile Settings window. The fields that can be configured are described below. Parameter: Description. Profile Name: Enter a name for the IP Multicast Profile. Click the Add button to add a new...

Page 116: ...GMP Multicast VLAN Forward: Click the radio buttons to enable or disable the IGMP Multicast VLAN Forwarding state. VLAN Name: Enter the VLAN Name used. VID: Enter the VID used. Remap Priority: 0-7: The remap priority value (0 to 7) to be associated with the data traffic to be forwarded on the multicast VLAN. None: If None is specified, the packet's original priority is used. The default setting is None. Replace ...

Page 117: ...ticast VLAN. Click the Select All button to select all the ports, or click the Clear All button to unselect all the ports. Tagged Member Ports: Specify the tagged member port of the multicast VLAN. Click the Select All button to select all the ports, or click the Clear All button to unselect all the ports. Untagged Source Ports: Specify the source port or range of source ports as untagged members of the m...

Page 118: ...D multicast group profile on this page. To view the following window, click L2 Features > L2 Multicast Control > Multicast VLAN > MLD Multicast Group Profile Settings as shown below. Figure 4–70 MLD Multicast Group Profile Settings window. The fields that can be configured are described below. Parameter: Description. Profile Name: Enter the MLD Multicast Group Profile name. Click the Add button to add a new entry...

Page 119: ...MLD Snooping Multicast Group VLAN Settings as shown below. Figure 4–72 MLD Snooping Multicast VLAN Settings window. The fields that can be configured are described below. Parameter: Description. MLD Multicast VLAN State: Click the radio buttons to enable or disable the MLD multicast VLAN state. MLD Multicast VLAN Forward Unmatched: Click the radio buttons to enable or disable the MLD multicast VLAN For...

Page 120: ...be replaced by this IP address. If none is specified, the source IP address will not be replaced. Remap Priority: 0-7: The remap priority value (0 to 7) to be associated with the data traffic to be forwarded on the multicast VLAN. None: If None is specified, the packet's original priority is used. The default setting is None. Replace Priority: Tick the check box to specify that the packet's priority will be ch...

Page 121: ... Multicast VLAN Group Profile name. Click the Add button to add a new entry based on the information entered. Click the Delete button to remove the specific entry. Click the Show MLD Snooping Multicast VLAN Entries link to view the MLD Snooping Multicast VLAN Settings. Multicast Filtering. IPv4 Multicast Filtering. IPv4 Multicast Profile Settings. Users can add a profile to which multicast address(es) repo...

Page 122: ...move the specific entry. After clicking the Group List link, the following page will appear. Figure 4–76 Multicast Address Group List Settings window. The fields that can be configured are described below. Parameter: Description. Profile ID: Display the profile ID. Profile Name: Display the profile name. Multicast Address List: Enter the multicast address list here. Click the Add button to add a new entry base...

Page 123: ...Apply button to accept the changes made. Click the Add button to add a new entry based on the information entered. Click the Delete button to remove the specific entry. Click the Find button to locate a specific entry based on the information entered. Enter a page number and click the Go button to navigate to a specific page when multiple pages exist. IPv4 Max Multicast Group Settings. Users can configu...

Page 124: ...er may set an IPv6 Multicast address or range of IPv6 Multicast addresses to accept reports (Permit) or deny reports (Deny) coming into the specified switch ports. IPv6 Multicast Profile Settings. Users can add, delete and configure the IPv6 multicast profile on this page. To view the following window, click L2 Features > Multicast Filtering > IPv6 Multicast Filtering > IPv6 Multicast Profile Settings as shown be...

Page 125: ...y. IPv6 Limited Multicast Range Settings. Users can configure the ports and VLANs on the Switch that will be involved in the Limited IPv6 Multicast Range. To view the following window, click L2 Features > Multicast Filtering > IPv6 Multicast Filtering > IPv6 Limited Multicast Range Settings as shown below. Figure 4–81 IPv6 Limited Multicast Range Settings window. The fields that can be configured are described...

Page 126: ...t the appropriate port(s) or VLAN IDs used for the configuration here. Max Group: If the checkbox Infinite is not selected, the user can enter a Max Group value. Infinite: Tick the check box to enable or disable the use of the Infinite value. Action: Use the drop-down menu to select the appropriate action for this rule. The user can select Drop to initiate the drop action, or the user can select Replace to ...

Page 127: ...inistration and maintenance (OAM) functions and a simple automatic protection switching (APS) protocol for Ethernet ring networks. ERPS provides sub-50ms protection for Ethernet traffic in a ring topology. It ensures that there are no loops formed at the Ethernet layer. One link within a ring will be blocked to avoid a loop (RPL, Ring Protection Link). When the failure happens, protection switching blocks the f...

Page 128: ...VLAN which will be the R-APS VLAN. Click the Apply button to accept the changes made. Click the Find button to find a specific entry based on the information entered. Click the View All button to view all the entries configured. Click the Edit button to re-configure the specific entry. Click the Delete button to remove the specific entry. Click the Detail Information link to view detailed info...

Page 129: ...c entry. Click on the Back button to return to the ERPS settings page. After clicking the Edit button, the following window will appear. The fields that can be configured are described below. Parameter: Description. R-APS VLAN: Here the R-APS VLAN ID will be displayed. Ring Status: Specifies to enable or disable the specified ring ...

Page 130: ... the R-APS function. The default ring MEL is 1. Holdoff Time: Specifies the hold-off time of the R-APS function. The default hold-off time is 0 milliseconds. Guard Time: Specifies the guard time of the R-APS function. The default guard time is 500 milliseconds. WTR Time: Specifies the WTR time of the R-APS function. Revertive: Specifies the state of the R-APS revertive option. Current Ring State: Here the curr...

Page 131: ...essage TX Hold Multiplier: This function calculates the Time-to-Live for creating and transmitting the LLDP advertisements to LLDP neighbors by changing the multiplier used by an LLDP Switch. When the Time-to-Live for an advertisement expires, the advertised data is then deleted from the neighbor Switch's MIB. LLDP ReInit Delay: The LLDP re-initialization delay interval is the minimum time that an LLDP...

Page 132: ... the SNMP trap; however, it cannot implement traps on SNMP when the notification is disabled. Admin Status: This function controls the local LLDP agent and allows it to send and receive LLDP frames on the ports. This option contains TX, RX, TX And RX, or Disabled. TX: the local LLDP agent can only transmit LLDP frames. RX: the local LLDP agent can only receive LLDP frames. TX And RX: the local LLDP agent can bo...

Page 133: ...cate a specific entry based on the information entered. LLDP Basic TLVs Settings. TLV stands for Type-length-value, which allows the specific sending information as a TLV element within LLDP packets. This window is used to enable the settings for the Basic TLVs Settings. An active LLDP port on the Switch always includes mandatory data in its outbound advertisements. There are four optional data types th...

Page 134: ... disable the System Name option. System Description: Use the drop-down menu to enable or disable the System Description option. System Capabilities: Use the drop-down menu to enable or disable the System Capabilities option. Click the Apply button to accept the changes made. LLDP Dot1 TLVs Settings. LLDP Dot1 TLVs are organizationally specific TLVs which are defined in IEEE 802.1 and used to configure an...

Page 135: ...AN Name or VID List value in the space provided. Dot1 TLV VLAN: Use the drop-down menu to enable or disable and configure the Dot1 TLV VLAN option. After enabling this option, the user can select to use either VLAN Name, VID List or All in the next drop-down menu. After selecting this, the user can enter either the VLAN Name or VID List value in the space provided. Dot1 TLV Protocol Identity: Use the dr...

Page 136: ...y and what is the operational MAU type. The default state is Disabled. Link Aggregation: The Link Aggregation option indicates that LLDP agents should transmit the Link Aggregation TLV. This indicates the current link aggregation status of IEEE 802.3 MACs. More precisely, the information should include whether the port is capable of doing link aggregation, whether the port is aggregated in an aggregated link...

Page 137: ...rently available for populating outbound LLDP advertisements in the local port brief table shown below. To view the following window, click L2 Features > LLDP > LLDP Local Port Information as shown below. Figure 4–92 LLDP Local Port Information window. To view the normal LLDP Local Port information page per port, click the Show Normal button. To view the brief LLDP Local Port information page per port, click ...

Page 138: ...window. Click the Back button to return to the previous page. LLDP Remote Port Information. This page displays port information learned from the neighbors. The switch receives packets from a remote station but is able to store the information as local. To view the following window, click L2 Features > LLDP > LLDP Remote Port Information as shown below. Figure 4–95 LLDP Remote Port Information window. Select a ...

Page 139: ...s own MAC address, rather than the shared MAC, as the source MAC address of the reply packet. The NLB multicast FDB entry will be mutually exclusive with the L2 multicast entry. To view this window, click L2 Features > NLB FDB Settings as shown below. Figure 4–97 NLB Multicast FDB Table window. The following fields can be set: Parameter: Description. VLAN Name: Click the radio button and enter the VLAN of the ...

Page 140: ...Option to choose from are Primary and Backup. Click the Apply button to accept the changes made. IPv4 Static/Default Route Settings (EI Mode Only). The Switch supports static routing for IPv4 formatted addressing. Users can create up to 512 static route entries for IPv4. For IPv4 static routes, once a static route has been set, the Switch will send an ARP request packet to the next hop router that has been...

Page 141: ...to the table. This field may read a number between 1 and 65535. Backup State: Each IP address can only have one primary route, while other routes should be assigned to the backup state. When the primary route fails, the switch will try the backup routes according to the order learnt by the routing table until a route succeeds. The field represents the Backup state that the Static and Default Route is configure...

Page 142: ...ackup State: Each IP address can only have one primary route, while other routes should be assigned to the backup state. When the primary route fails, the switch will try the backup routes according to the order learnt by the routing table until a route succeeds. This field represents the backup state for the IPv6 configured. This field may be Primary or Backup. Click the Apply button to accept the changes...

Page 143: ...euing. Advantages of QoS. Figure 6–1 Mapping QoS on the Switch. The picture above shows the default priority setting for the Switch. Class 7 has the highest priority of the seven priority classes of service on the Switch. In order to implement QoS, the user is required to instruct the Switch to examine the header of a packet to see if it has the proper identifying tag. Then the user may forward these tag...

Page 144: ...has the same weight value, then each CoS queue has an equal opportunity to send packets, just like round-robin queuing. For weighted round-robin queuing, if the weight for a CoS is set to 0, then it will continue processing the packets from this CoS until there are no more packets for this CoS. The other CoS queues that have been given a nonzero value, and depending upon the weight, will follow a common w...

Page 145: ...u want to configure. From Port / To Port: Select the starting and ending ports to use. Priority: Use the drop-down menu to select a value from 0 to 7. Click the Apply button to accept the changes made. 802.1p User Priority Settings. The Switch allows the assignment of a class of service to each of the 802.1p priorities. To view the following window, click QoS > 802.1p Settings > 802.1p User Priority Settings as ...

Page 146: ...for all the incoming tagged packets with 802.1p tag. Click the Apply button to accept the changes made. Bandwidth Control. The bandwidth control settings are used to place a ceiling on the transmitting and receiving data rates for any selected port. Bandwidth Control Settings. The Effective RX/TX Rate refers to the actual bandwidth of the switch port, if it does not match the configured rate. This usuall...

Page 147: ...eld allows the input of the data rate that will be the limit for the selected port. The user may choose a rate between 64 and 1024000 Kbits per second. Effective RX: If a RADIUS server has assigned the RX bandwidth, then it will be the effective RX bandwidth. The authentication with the RADIUS server can be per port or per user. For per-user authentication, there may be multiple RX bandwidths assigned if ...

Page 148: ...To Queue: Use the drop-down menu to select the queue range to use for this configuration. Min Rate: Specify the packet limit, in Kbps, that the ports are allowed to receive. Tick the No limit check box to have unlimited rate of packets received by the specified queue. Max Rate: Enter the maximum rate for the queue. For no limit, select the No Limit option. Click the Apply button to accept the changes made. NO...

Page 149: ...een exceeded, the Switch will shut down the port to all incoming traffic, with the exception of STP BPDU packets, for a time period specified using the Count Down parameter. If a Time Interval parameter times out for a port configured for traffic control and a packet storm continues, that port will be placed in Shutdown Forever mode, which will cause a warning message to be sent to the Trap Receiver. Onc...

Page 150: ... chip to the Traffic Control function. These packet counts are the determining factor in deciding when incoming packets exceed the Threshold value. The Time Interval may be set between 5 and 600 seconds, with a default setting of 5 seconds. Threshold (0-255000): Specifies the maximum number of packets per second that will trigger the Traffic Control function to commence. The configurable threshold range i...

Page 151: ... Forever mode will be seen as link down in all windows and screens until the user recovers these ports. NOTE: The minimum granularity of storm control on a GE port is 1pps. DSCP. DSCP Trust Settings. This page is to configure the DSCP trust state of ports. When ports are under the DSCP trust mode, the switch will insert the priority tag to untagged packets by using the DSCP Map settings instead of the de...

Page 152: ...ne the priority of the packet, which will then be used to determine the scheduling queue when the port is in DSCP trust state. The DSCP-to-DSCP mapping is used in the swap of DSCP of the packet when the packet ingresses to the port. The remaining processing of the packet will be based on the new DSCP. By default, the DSCP is mapped to the same DSCP. To view the following window, click QoS > DSCP > DSCP Map Se...

Page 153: ...P Priority in the DSCP Map drop down menu DSCP Enter a DSCP value This appears when selecting DSCP Priority in the DSCP DSCP drop down menu Click the Apply button to accept the changes made HOL Blocking Prevention HOL Head of Line Blocking happens when one of the destination ports of a broadcast or multicast packet are busy The switch will hold this packet in the buffer while the other destination...

Page 154: ...is window click QoS Scheduling Settings QoS Scheduling as shown below Figure 6 11 QoS Scheduling window The following parameters can be configured Parameter Description Unit Select the unit you wish to configure From Port To Port Enter the port or port list you wish to configure Class ID Select the Class ID from 0 7 to configure for the QoS parameters Scheduling Mechanism Strict The highest class ...

Page 155: ...t suitable To view this window click QoS Scheduling Settings QoS Scheduling Mechanism as shown below Figure 6 12 QoS Scheduling Mechanism The following parameters can be configured Parameter Description Unit Select the unit you wish to configure From Port To Port Enter the port or port list you wish to configure Scheduling Mechanism Strict The highest class of service is the first to process traff...

Page 156: ...igure 7 1 ACL Configuration Wizard window The fields that can be configured are described below Parameter Description Type Use the drop down menu to select the general ACL Rule types Normal Selecting this option will create a Normal ACL Rule CPU Selecting this option will create a CPU ACL Rule Egress EI Mode Only Selecting this option will create an Egress ACL Rule Profile Name After selecting to ...

Page 157: ...value Replace ToS Precedence Here the user can enter the ToS Precedence value Apply To Use the drop down menu to select and enter the information that this rule will be applied to Ports Enter a port number or a port range VLAN Name Enter a VLAN name VLAN ID Enter a VLAN ID Click the Apply button to accept the changes made NOTE The Switch will use one minimum mask to cover all the terms that user i...

Page 158: ... number and click the Go button to navigate to a specific page when multiple pages exist There are four Add Access Profile windows one for Ethernet or MAC address based profile configuration one for IPv6 address based profile configuration one for IPv4 address based profile configuration and one for packet content profile configuration Add an Ethernet ACL Profile The window shown below is the Add ...

Page 159: ...F FF Destination MAC Mask Enter a MAC address mask for the destination MAC address e g FF FF FF FF FF FF 802 1Q VLAN Selecting this option instructs the Switch to examine the 802 1Q VLAN identifier of each packet header and use this as the full or partial criterion for forwarding 802 1p Selecting this option instructs the Switch to examine the 802 1p priority value of each packet header and use th...

Page 160: ... Action Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify that the packets that match the access profile are not forwarded by the Switch and will be filtered Select Mirror to specify that packets that match the access profile are mirrored to a port defined in the config mirror ...

Page 161: ...lemented on the Switch Counter Here the user can select the counter By checking the counter the administrator can see how many times that the rule was hit Ports When a range of ports is to be configured the Auto Assign check box MUST be ticked in the Access ID field of this window If not the user will be presented with an error message and the access rule will not be configured VLAN Name Specify t...

Page 162: ...s header. 802.1Q VLAN: Selecting this option instructs the Switch to examine the 802.1Q VLAN identifier of each packet header and use this as the full or partial criterion for forwarding. IPv4 DSCP: Selecting this option instructs the Switch to examine the DiffServ Code part of each packet header and use this as the criterion, or part of the criterion, for forwarding. IPv4 Source IP Mask: Enter an IP address mask f...

Page 163: ...er may choose between urg urgent ack acknowledgement psh push rst reset syn synchronize fin finish Select UDP to use the UDP port number contained in an incoming packet as the forwarding criterion Selecting UDP requires that you specify a source port mask and or a destination port mask src port mask Specify a UDP port mask for the source port in hex form hex 0x0 0xffff dst port mask Specify a UDP ...

Page 164: ... page will appear Figure 7 11 Add Access Rule IPv4 ACL The fields that can be configured are described below Parameter Description Access ID 1 256 Type in a unique identifier number for this access This value can be set from 1 to 256 Auto Assign Ticking this check box will instruct the Switch to automatically assign an Access ID for the rule being created Action Select Permit to specify that the p...

Page 165: ...t an action priority the packet is sent to the default TC Time Range Name Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window This will set specific times when this access rule will be implemented on the Switch Counter Here the user can select the counter By checking the counter the administrator can see how many ti...

Page 166: ...king this check box will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header that is similar to the Type of Service ToS or Precedence bits field in IPv4 IPv6 Flow Label Ticking this check box will instruct the Switch to examine the flow label field of the IPv6 header This flow label field is used by a source to label sequences of packet...

Page 167: ...4 Access Profile Detail Information window IPv6 ACL Click the Show All Profiles button to navigate back to the Access Profile List Page After clicking the Add View Rules button the following page will appear Figure 7 15 Access Rule List window IPv6 ACL Click the Add Rule button to create a new ACL rule in this profile Click the Back button to return to the previous page Click the Show Details butt...

Page 168: ...st be enabled and a target port must be set Priority 0 7 Tick the corresponding check box to re write the 802 1p default priority of a packet to the value entered in the Priority field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original value before...

Page 169: ...he user will be presented with an error message and the access rule will not be configured Ticking the All Ports check box will denote all ports on the Switch VLAN Name Specify the VLAN name to apply to the access rule VLAN ID Specify the VLAN ID to apply to the access rule Click the Apply button to accept the changes made Click the Back button to discard the changes made and return to the previou...

Page 170: ...dress in each frame s header Select IPv6 ACL to instruct the Switch to examine the IPv6 address in each frame s header Select Packet Content to instruct the Switch to examine the packet content in each frame s header Packet Content Allows users to examine up to 4 specified offset_chunks within a packet at one time and specifies the frame content offset and mask There are 4 chunk offsets and masks ...

Page 171: ... ACL. Click the Show All Profiles button to navigate back to the Access Profile List Page. NOTE: Address Resolution Protocol (ARP) is the standard for finding a host's hardware address (MAC address). However, ARP is vulnerable as it can be easily spoofed and utilized to attack a LAN (i.e. an ARP spoofing attack). For a more detailed explanation on how ARP protocol works and how to employ D-Link's unique Packet...

Page 172: ...ust be enabled and a target port must be set Priority 0 7 Tick the corresponding check box if you want to re write the 802 1p default priority of a packet to the value entered in the Priority field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original...

Page 173: ... to navigate back to the Access Rule List. CPU Access Profile List: Due to a chipset limitation and needed extra switch security, the Switch incorporates CPU Interface filtering. This added feature increases the running security of the Switch by enabling the user to create a list of access rules for packets destined for the Switch's CPU interface. Employed similarly to the Access Profile feature previo...

Page 174: ...ete All button to remove all access profiles from this table Click the Show Details button to display the information of the specific profile ID entry Click the Add View Rules button to view or add CPU ACL rules within the specified profile ID Click the Delete button to remove the specific entry There are four Add CPU ACL Profile windows one for Ethernet or MAC address based profile configuration ...

Page 175: ... s header Select IPv6 to instruct the Switch to examine the IP address in each frame s header Select Packet Content Mask to specify a mask to hide the content of the packet header Source MAC Mask Enter a MAC address mask for the source MAC address Destination MAC Mask Enter a MAC address mask for the destination MAC address 802 1Q VLAN Selecting this option instructs the Switch to examine the VLAN...

Page 176: ...he Add View Rules button the following page will appear Figure 7 26 CPU Access Rule List Ethernet ACL Click the Add Rule button to create a new CPU ACL rule in this profile Click the Back button to return to the previous page Click the Show Details button to view more information about the specific rule created Click the Delete Rules button to remove the specific entry Enter a page number and clic...

Page 177: ...ly configured in the Time Range Settings window This will set specific times when this access rule will be implemented on the Switch Ports Ticking the All Ports check box will denote all ports on the Switch Click the Apply button to accept the changes made Click the Back button to discard the changes made and return to the previous page After clicking the Show Details button in the CPU Access Rule...

Page 178: ...'s header. Select Packet Content Mask to specify a mask to hide the content of the packet header. 802.1Q VLAN: Selecting this option instructs the Switch to examine the VLAN part of each packet header and use this as the criterion, or part of the criterion, for forwarding. IPv4 DSCP: Selecting this option instructs the Switch to examine the DiffServ Code part of each packet header and use this as the criterion, or part of th...

Page 179: ...e source port in hex form hex 0x0 0xffff which you wish to filter dst port mask Specify a TCP port mask for the destination port in hex form hex 0x0 0xffff which you wish to filter Select UDP to use the UDP port number contained in an incoming packet as the forwarding criterion Selecting UDP requires that you specify a source port mask and or a destination port mask src port mask Specify a UDP por...

Page 180: ...le IPv4 ACL The fields that can be configured are described below Parameter Description Access ID 1 100 Type in a unique identifier number for this access This value can be set from 1 to 100 Action Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify that the packets that match th...

Page 181: ...will appear. Figure 7–33 CPU Access Rule Detail Information (IPv4 ACL). Click the Show All Rules button to navigate back to the CPU Access Rule List. Adding a CPU IPv6 ACL Profile: The window shown below is the Add CPU ACL Profile window for IPv6. To use specific filtering masks in this ACL profile, click the packet filtering mask field to highlight it red. This will add more fields to the mask. After clicki...

Page 182: ...f the IPv6 header This flow label field is used by a source to label sequences of packets such as non default quality of service or real time service packets IPv6 Source Mask The user may specify an IP address mask for the source IPv6 address by checking the corresponding box and entering the IP address mask IPv6 Destination Mask The user may specify an IP address mask for the destination IPv6 add...

Page 183: ...ess profile are not forwarded by the Switch and will be filtered Flow Label Configuring this field in hex form will instruct the Switch to examine the flow label field of the IPv6 header This flow label field is used by a source to label sequences of packets such as non default quality of service or real time service packets Time Range Name Tick the check box and enter the name of the Time Range s...

Page 184: ...can be configured are described below. Parameter: Description. Profile ID (1-5): Here the user can enter a unique identifier number for this profile set. This value can be set from 1 to 5. Select ACL Type: Select profile based on Ethernet (MAC Address), IPv4 address, IPv6 address, or packet content mask. This will change the menu according to the requirements for the type of profile. Select Ethernet to instruct th...

Page 185: ...made and return to the previous page After clicking the Show Details button the following page will appear Figure 7 40 CPU Access Profile Detail Information Packet Content ACL Click the Show All Profiles button to navigate back to the CPU ACL Profile List Page After clicking the Add View Rules button the following page will appear Figure 7 41 CPU Access Rule List Packet Content ACL Click the Add R...

Page 186: ...k the packet from the beginning of the packet to the 15th byte Offset 16 31 Enter a value in hex form to mask the packet from byte 16 to byte 31 Offset 32 47 Enter a value in hex form to mask the packet from byte 32 to byte 47 Offset 48 63 Enter a value in hex form to mask the packet from byte 48 to byte 63 Offset 64 79 Enter a value in hex form to mask the packet from byte 64 to byte 79 Time Rang...

Page 187: ...wn menu to select the Profile ID for the ACL rule finder to identify the rule Unit Select the unit you want to configure Port Enter the port number for the ACL rule finder to identify the rule State Use the drop down menu to select the state Normal Allow the user to find normal ACL rules CPU Allow the user to find CPU ACL rules Egress Allow the user to find Egress ACL rules Click the Find button t...

Page 188: ... marked green, if it exceeds the CBS but not the EBS, it is marked yellow, and if it exceeds the EBS, it is marked red. CBS (Committed Burst Size): Measured in bytes, the CBS is associated with the CIR and is used to identify packets that exceed the normal boundaries of packet size. The CBS should be configured to accept the biggest IP packet that is expected in the IP flow. EBS (Excess Burst Size): Measured in byt...

Page 189: ...Click the Find button to locate a specific entry based on the information entered Click the Add button to add a new entry based on the information entered Click the View All button to display all the existing entries Click the Delete All button to remove all the entries listed Click the Modify button to re configure the specific entry Click the View button to display the information of the specifi...

Page 190: ...e unit is in kilobyte CBS Specify the Committed Burst Size The unit is in kilobyte EBS Specify the Excess Burst Size The unit is in kilobyte Action Conform This field denotes the green packet flow Green packet flows may have their DSCP field rewritten to a value stated in this field Users may also choose to count green packets by using counter parameter Replace DSCP Packets that are in the green f...

Page 191: ...Access Profile List as shown below. Add an Ethernet ACL Profile: The window shown below is the Add Egress ACL Profile window for Ethernet. To use specific filtering masks in this egress ACL profile, click the packet filtering mask field to highlight it red. This will add more fields to the mask. After clicking the Add ACL Profile button, the following page will appear. Figure 7–48 Add Egress ACL Profile wi...

Page 192: ...Switch to examine the 802.1p priority value of each packet header and use this as the criterion, or part of the criterion, for forwarding. Ethernet Type: Selecting this option instructs the Switch to examine the Ethernet type value in each frame's header. Click the Select button to select an ACL type. Click the Create button to create a profile. Click the Back button to discard the changes made and return to the p...

Page 193: ... box if you want to re write the 802 1p default priority of a packet to the value entered in the Priority field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original value before being forwarded by the Switch For more information on priority queues Co...

Page 194: ... rule VLAN Name Specify the VLAN name to apply to the access rule VLAN ID Specify the VLAN ID to apply to the access rule Click the Apply button to accept the changes made Click the Back button to discard the changes made and return to the previous page After clicking the Show Details button in the Access Rule List the following page will appear Figure 7 52 Egress Access Rule Detail Information wi...

Page 195: ...er. 802.1Q VLAN: Selecting this option instructs the Switch to examine the 802.1Q VLAN identifier of each packet header and use this as the full or partial criterion for forwarding. IPv4 DSCP: Selecting this option instructs the Switch to examine the DiffServ Code part of each packet header and use this as the criterion, or part of the criterion, for forwarding. IPv4 Source IP Mask: Enter an IP address mask for the...

Page 196: ...choose between urg urgent ack acknowledgement psh push rst reset syn synchronize fin finish Select UDP to use the UDP port number contained in an incoming packet as the forwarding criterion Selecting UDP requires that you specify a source port mask and or a destination port mask src port mask Specify a UDP port mask for the source port in hex form hex 0x0 0xffff dst port mask Specify a UDP port ma...

Page 197: ...when multiple pages exist After clicking the Add Rule button the following page will appear Figure 7 56 Add Egress Access Rule IPv4 ACL The fields that can be configured are described below Parameter Description Access ID 1 128 Type in a unique identifier number for this access This value can be set from 1 to 128 Auto Assign Ticking this check box will instruct the Switch to automatically assign a...

Page 198: ...ow This will set specific times when this access rule will be implemented on the Switch Counter Here the user can select the counter By checking the counter the administrator can see how many times that the rule was hit Ports When a range of ports is to be configured the Auto Assign check box MUST be ticked in the Access ID field of this window If not the user will be presented with an error messa...

Page 199: ...king this check box will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header that is similar to the Type of Service ToS or Precedence bits field in IPv4 IPv6 TCP Source Port Mask Specify that the rule applies to the range of TCP source ports Destination Port Mask Specify the range of the TCP destination port range IPv6 UDP Source Port M...

Page 200: ...ton to navigate back to the Access Profile List Page After clicking the Add View Rules button the following page will appear Figure 7 60 Egress Access Rule List window IPv6 ACL Click the Add Rule button to create a new ACL rule in this profile Click the Back button to return to the previous page Click the Show Details button to view more information about the specific rule created Click the Delete...

Page 201: ... value entered in the Priority field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original value before being forwarded by the Switch For more information on priority queues CoS queues and mapping for 802 1p see the QoS section of this manual Replace ...

Page 202: ...to apply to the access rule Click the Apply button to accept the changes made Click the Back button to discard the changes made and return to the previous page After clicking the Show Details button in the Access Rule List the following page will appear Figure 7 62 Egress Access Rule Detail Information IPv6 ACL Click the Show All Rules button to navigate back to the Access Rule List Egress ACL Flo...

Page 203: ... described below Parameter Description Profile ID Here the user can enter the Profile ID for the flow meter Profile Name Here the user can enter the Profile Name for the flow meter Access ID Here the user can enter the Access ID for the flow meter Mode Rate Specify the rate for single rate two color mode Rate Specify the committed bandwidth in Kbps for the flow Burst Size Specify the burst size fo...

Page 204: ...s parameter to enable or disable the packet counter for the specified ACL entry in the green flow Exceed This field denotes the yellow packet flow Yellow packet flows may have excess packets permitted through or dropped Users may replace the DSCP field of these packets by checking its radio button and entering a new DSCP value in the allotted field Counter Use this parameter to enable or disable t...

Page 205: ...ed access control model. This is accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a basic EAPOL packet. 802.1X Port-Based and Host-Based Access Control. Figure 8–1 The EAPOL Packet. Utilizing this method, unauthorized devices are r...

Page 206: ...on information from the Client through EAPOL packets which is the only information allowed to pass through the Authenticator before access is granted to the Client The second purpose of the Authenticator is to verify the information gathered from the Client with the Authentication Server and to then relay that information back to the Client Authenticator Figure 8 4 The Authenticator Three steps mu...

Page 207: ...es by port and set them in a list Each MAC address must be authenticated by the Switch using a remote RADIUS server before being allowed access to the Network The original intent behind the development of 802 1X was to leverage the characteristics of point to point in LANs As any single LAN segment in such infrastructures has no more than two devices attached to it one of which is a Bridge Port Th...

Page 208: ...Global Settings window The fields that can be configured are described below Parameter Description Authentication Mode Choose the 802 1X authenticator mode Disabled Port based or MAC based Authentication Protocol Choose the authenticator protocol Local or RADIUS EAP Forward EAPOL PDU This is a global setting to control the forwarding of EAPOL PDU When 802 1X functionality is disabled globally or f...

Page 209: ... initialization value is used for the awhile timer when timing out the Supplicant Its default value is 30 seconds however if the type of challenge involved in the current exchange demands a different value of timeout for example if the challenge requires an action on the part of the user then the timeout value is adjusted accordingly It can be set by management to any value in the range from 1 to ...

Page 210: ...n requests the identity of the client and begins relaying authentication messages between the client and the authentication server The default setting is Auto Capability This allows the 802 1X Authenticator settings to be applied on a per port basis Select Authenticator to apply the settings to the port When the setting is activated a user must pass the authentication process to gain access to the...

Page 211: ...s 802 1X Guest VLANs These VLANs should have limited access rights and features separate from other VLANs on the network To implement 802 1X Guest VLANs the user must first create a VLAN on the network with limited rights and then enable it as an 802 1X guest VLAN Then the administrator must configure the guest accounts accessing the Switch to be placed in a Guest VLAN when trying to access the Sw...

Page 212: ...uest VLAN Settings as shown below Figure 8 13 Guest VLAN Settings window The fields that can be configured are described below Parameter Description VLAN Name Enter the pre configured VLAN name to create as an 802 1X guest VLAN Port Set the ports to be enabled for the 802 1X guest VLAN Click the All button to select all the ports Click the Apply button to accept the changes made Click the Delete b...

Page 213: ... IPv4 Address EI Mode Only Set the RADIUS server IP address IPv6 Address EI Mode Only Set the RADIUS server IPv6 address Authentication Port Set the RADIUS authentic server s UDP port which is used to transmit RADIUS data between the Switch and the RADIUS server The default port is 1812 Accounting Port Set the RADIUS account server s UDP port which is used to transmit RADIUS accounting statistics ...

Page 214: ...ackets to a remote RADIUS server when 802 1X and WAC port access control events occur on the Switch Shell When enabled the Switch will send informational packets to a remote RADIUS server when a user either logs in logs out or times out on the Switch using the console Telnet or SSH System When enabled the Switch will send informational packets to a remote RADIUS server when system events occur on ...

Page 215: ...missions AccessRetrans The number of RADIUS Access Request packets retransmitted to this RADIUS authentication server AccessAccepts The number of RADIUS Access Accept packets valid or invalid received from this server AccessRejects The number of RADIUS Access Reject packets valid or invalid received from this server AccessChallenges The number of RADIUS Access Challenge packets valid or invalid re...

Page 216: ... is one second The fields that can be configured are described below Parameter Description ServerIndex The identification number assigned to each RADIUS Accounting server that the client shares a secret with InvalidServerAddr The number of RADIUS Accounting Response packets received from unknown addresses Identifier The NAS Identifier of the RADIUS accounting client ServerAddr The IP address of th...

Page 217: ...llows the transmission of data between the layers. The primary purpose of IP-MAC-port binding is to restrict the access to a switch to a number of authorized users. Authorized clients can access a switch's port by either checking the pair of IP-MAC addresses with the pre-configured database or, if DHCP snooping has been enabled, in which case the switch will automatically learn the IP-MAC pairs by sno...

Page 218: ...ttings as shown below Figure 8 20 IMPB Port Settings window The fields that can be configured are described below Parameter Description Unit Select the unit you want to configure From Port To Port Select a range of ports to set for IP MAC port binding ARP Inspection When the ARP inspection function is enabled the legal ARP packets are forwarded while the illegal packets are dropped Disabled Disabl...

Page 219: ... Entry Settings This window is used to create static IP MAC binding port entries and view all IMPB entries on the Switch To view this window click Security IP MAC Port Binding IMPB IMPB Entry Settings as shown below Figure 8 21 IMPB Entry Settings window The fields that can be configured are described below Parameter Description IP Address Enter the IP address to bind to the MAC address set below ...

Page 220: ...nding restrictions Click the View All button to display all the existing entries Click the Delete All button to remove all the entries listed DHCP Snooping DHCP Snooping Maximum Entry Settings Users can configure the maximum DHCP snooping entry for ports on this page To view this window click Security IP MAC Port Binding IMPB DHCP Snooping DHCP Snooping Maximum Entry Settings as shown below Figure...

Page 221: ...decides port access rights while for host based MAC based access control the method determines the MAC access rights A MAC user must be authenticated before being granted access to a network Both local authentication and remote RADIUS server authentication methods are supported In MAC based access control MAC user information in a local database or a RADIUS server database is searched for authenti...

Page 222: ...ch. Method: Use this drop-down menu to choose the type of authentication to be used when authenticating MAC addresses on a given port. The user may choose between the following methods. Local: Use this method to utilize the locally set MAC address database as the authenticator for MAC-based access control. This MAC address list can be configured in the MAC-based access control Local Database Settings wi...

Page 223: ...r (1-1000): Enter the maximum number of users for this configuration. When No Limit is selected, there will be no user limit applied to this rule. Click the Apply button to accept the changes made for each individual section. MAC-based Access Control Local Settings: Users can set a list of MAC addresses, along with their corresponding target VLAN, which will be authenticated for the Switch. Once a queried MAC addr...

Page 224: ...Control MAC MAC based Access Control Authentication State as shown below Figure 8 29 MAC based Access Control Authentication State window To display MAC based access control Authentication State information enter a port number in the space provided and then click the Find button Click the Clear by Port button to clear all the information linked to the port number entered Click the View All Hosts b...

Page 225: ...s IPIF (IP interface) or the same subnet as the host PCs' subnet. As all packets to a virtual IP from authenticated and authenticating hosts will be trapped to the Switch's CPU, if the virtual IP is the same as other servers or PCs, the hosts on the WAC-enabled ports cannot communicate with the server or PC which really owns the IP address. If the hosts need to access the server or PC, the virtual IP canno...

Page 226: ...tations 2 Certain functions exist on the Switch that will filter HTTP packets such as the Access Profile function The user needs to be very careful when setting filter functions for the target VLAN so that these HTTP packets are not denied by the Switch 3 If a RADIUS server is to be used for authentication the user must first establish a RADIUS Server with the appropriate parameters including the ...

Page 227: ... trying to access the network via the switch This RADIUS server must have already been pre assigned by the administrator using the Authentication RADIUS Server Settings window Security RADIUS Authentication RADIUS Server Settings Redirection Path Enter the URL of the website that authenticated users placed in the VLAN are directed to once authenticated Clear Redirection Path The user can enable or...

Page 228: ...n this field Password Enter the password the administrator has chosen for the selected user This field is case sensitive and must be a complete alphanumeric string This field is for administrators who have selected Local as their Web based authenticator Confirmation Retype the password entered in the previous field Click the Apply button to accept the changes made Click the Delete All button to re...

Page 229: ...between 1 and 1440 minutes. Tick the Infinite check box to indicate the authenticated host will never age out on the port. The default value is 1440 minutes (24 hours). State: Use this drop-down menu to enable the configured ports as WAC ports. Idle Time (1-1440): If there is no traffic during the Idle Time parameter, the host will be moved back to the unauthenticated state. Enter a value between 1 and 1440 mi...

Page 230: ...eck box to clear all authenticating users for a port. Blocked: Tick this check box to clear all blocked users for a port. Click the Find button to locate a specific entry based on the information entered. Click the Clear by Port button to remove the entry based on the port list entered. Click the View All Hosts button to display all the existing entries. Click the Clear All Hosts button to remove all the en...

Page 231: ... Figure 8–34 Compound Authentication Settings window (SI Mode Only). Figure 8–35 Compound Authentication Settings window (EI Mode Only). The fields that can be configured are described below ...

Page 232: ...d Any (MAC, 802.1X or WAC): if any of the authentication methods pass, then access will be granted. In this mode, MAC, 802.1X and WAC can be enabled on a port at the same time. In Any (MAC, 802.1X or WAC) mode, whether an individual security module is active on a port depends on its system state. 802.1X IMPB: 802.1X will be verified first, and then IMPB will be verified. Both authentication methods need to be pass...

Page 233: ...k the Apply button to accept the changes made. Click the Delete button to remove the specific entry. Once properly configured, the Guest VLAN and associated ports will be listed in the lower part of the window. Port Security. Port Security Settings. A given port's (or a range of ports') dynamic MAC address learning can be locked such that the current source MAC addresses entered into the MAC address forwar...

Page 234: ... for the selected ports. Lock Address Mode: This pull-down menu allows the option of how the MAC address table locking will be implemented on the Switch for the selected group of ports. The options are: Permanent: The locked addresses will only age out after the Switch has been reset. DeleteOnTimeout: The locked addresses will age out after the aging timer expires. DeleteOnReset: The locked addresses will ...

Page 235: ...y > Port Security VLAN Settings as shown below. Figure 8–39 Port Security VLAN Settings window. The fields that can be configured are described below (Parameter: Description). VLAN Name: Enter the VLAN Name. VID List: Specify a list of VLANs by VLAN ID. Max Learning Address: Specify the maximum number of port security entries that can be learned by this VLAN. Click the Apply button to accept the changes made...

Page 236: ...nd button to locate a specific entry based on the information entered. Click the Clear button to clear all the entries based on the information entered. Click the Show All button to display all the existing entries. Click the Clear All button to remove all the entries listed. Click the Delete button to remove the specific entry. ARP Spoofing Prevention Settings. The user can configure the spoofing preve...

Page 237: ...e have three modes: drop, block and shutdown. A BPDU protection enabled port will enter an under-attack state when it receives one STP BPDU packet, and it will take action based on the configuration. Thus, BPDU protection can only be enabled on the STP-disabled port. BPDU protection has a higher priority than the FBPDU setting configured by the configure STP command in the determination of BPDU handling. That...

Page 238: ...er attack state. Block: Drop all packets (including BPDU and normal packets) when the port enters the under-attack state. Shutdown: Shut down the port when the port enters the under-attack state. Click the Apply button to accept the changes made for each individual section. Loopback Detection Settings. The Loopback Detection (LBD) function is used to detect the loop created by a specific port. This feature is used to t...

Page 239: ...llowed (in seconds) for recovery when a Loopback is detected. The Loop-detect Recover Time can be set at 0 seconds, or 60 to 1000000 seconds. Entering 0 will disable the Loop-detect Recover Time. The default is 60 seconds. Unit: Select the unit you want to configure. From Port: Use the drop-down menu to select a beginning port number. To Port: Use the drop-down menu to select an ending port number. State: Use t...

Page 240: ...an application programming interface, providing a set of functions that applications use to communicate across networks. NetBEUI, the NetBIOS Enhanced User Interface, was created as a data-link-layer frame structure for NetBIOS. A simple mechanism to carry NetBIOS traffic, NetBEUI has been the protocol of choice for small MS-DOS- and Windows-based workgroups. NetBIOS no longer lives strictly inside of the...

Page 241: ...ient it is useful when one or more DHCP servers are present on the network and both provide DHCP services to different distinct groups of clients. The first time the DHCP filter is enabled, it will create both an access profile entry and an access rule per port entry; it will also create other access rules. These rules are used to block all DHCP server packets. In addition to a permit DHCP entry, it wil...

Page 242: ...minutes. Unit: Select the unit you want to configure. From Port / To Port: A consecutive group of ports may be configured starting with the selected port. State: Choose Enabled to enable the DHCP server screening or Disabled to disable it. The default is Disabled. Click the Apply button to accept the changes made for each individual section. DHCP Offer Permit Entry Settings. Users can add or delete permit ent...

Page 243: ...ntication commands via one or more centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon, using the TCP protocol to ensure reliable delivery. In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS / TACACS+ / RADIUS server must be configured on a device other than the Switch, called an Authentication Server Host, and...

Page 244: ...CS authentication, so must be the host server. Enable Admin. Users who have logged on to the Switch on the normal user level and wish to be promoted to the administrator level can use this window. After logging on to the Switch, users will have only user-level privileges. To gain access to administrator-level privileges, the user will open this window and will have to enter an authentication password. Pos...

Page 245: ...nfigure the maximum number of times the Switch will accept authentication attempts. Users failing to be authenticated after the set number of attempts will be denied access to the Switch and will be locked out of further authentication attempts. Command line interface users will have to wait 60 seconds before another authentication attempt. Telnet and web users will be disconnected from the Switch. Th...

Page 246: ...uthentication Server Group Settings. Users can set up Authentication Server Groups on the Switch. A server group is a technique used to group TACACS / XTACACS / TACACS+ / RADIUS server hosts into user-defined categories for authentication using method lists. The user may define the type of server group by protocol or by previously defined server group. The Switch has four built-in Authentication Server Group...

Page 247: ...ee built-in server groups can only have server hosts running the same TACACS daemon. TACACS / XTACACS / TACACS+ protocols are separate entities and are not compatible with each other. Authentication Server Settings. User-defined Authentication Server Hosts for the TACACS / XTACACS / TACACS+ / RADIUS security protocols can be set on the Switch. When a user attempts to access the Switch with Authentication Policy e...

Page 248: ...d. Click the Apply button to accept the changes made. NOTE: More than one authentication protocol can be run on the same physical server host, but remember that TACACS / XTACACS / TACACS+ are separate entities and are not compatible with each other. Login Method Lists Settings. User-defined or default Login Method List of authentication techniques can be configured for users logging on to the Switch. The sequ...

Page 249: ...n the Switch. none: Adding this parameter will require no authentication to access the Switch. Click the Apply button to accept the changes made. Click the Edit button to re-configure the specific entry. Click the Delete button to remove the specific entry. Enable Method Lists Settings. Users can set up Method Lists to promote users with user-level privileges to Administrator (Admin) level privilege...

Page 250: ...ble password database on the Switch. The local enable password must be set by the user in the next section, entitled Local Enable Password. none: Adding this parameter will require no authentication to access the Switch. radius: Adding this parameter will require the user to be authenticated using the RADIUS protocol from a remote RADIUS server. tacacs: Adding this parameter will require the user t...

Page 251: ...nd host as they exchange keys in looking for a match and therefore authentication to be accepted to negotiate encryptions on the following level. 2. Encryption: The second part of the cipher suite that includes the encryption used for encrypting the messages sent between client and host. The Switch supports two types of cryptology algorithms: Stream Ciphers: There are two types of stream ciphers on the ...

Page 252: ...ement. Users can download a certificate file for the SSL function on the Switch from a TFTP server. The certificate file is a data record used for authenticating devices on the network. It contains information on the owner, keys for authentication and digital signatures. Both the server and the client must have consistent certificate files for optimal use of the SSL function. The Switch only supports ce...

Page 253: ...lename of the key file to download. This file must have a .der extension (Ex. c:/pkey.der). Click the Download button to download the SSL certificate based on the information entered. NOTE: Certain implementations concerning the function and configuration of SSL are not available on the web-based management of this Switch and need to be configured using the command line interface. NOTE: Enabling the SSL comm...

Page 254: ...ion Timeout: Allows the user to set the connection timeout. The user may set a time between 120 and 600 seconds. The default setting is 120 seconds. Authfail Attempts: Allows the Administrator to set the maximum number of attempts that a user may try to log on to the SSH Server utilizing the SSH authentication. After the maximum number of attempts has been exceeded, the Switch will be disconnected and th...

Page 255: ...is parameter is enabled by default. Click the Apply button to accept the changes made. The fields that can be configured for the Encryption Algorithm are described below (Parameter: Description). 3DES-CBC: Use the check box to enable or disable the Triple Data Encryption Standard encryption algorithm with Cipher Block Chaining. The default is enabled. Blowfish-CBC: Use the check box to enable or disable th...

Page 256: ...described below (Parameter: Description). HMAC-RSA: Use the check box to enable or disable the HMAC (Hash for Message Authentication Code) mechanism utilizing the RSA encryption algorithm. The default is enabled. HMAC-DSA: Use the check box to enable or disable the HMAC (Hash for Message Authentication Code) mechanism utilizing the Digital Signature Algorithm (DSA) encryption. The default is enabled. Click the Ap...

Page 257: ...SSH user. This parameter is only used in conjunction with the Host Based choice in the Auth Mode field. Host IP: Enter the corresponding IP address of the SSH user. This parameter is only used in conjunction with the Host Based choice in the Auth Mode field. (EI Mode Only) Click the Edit button to re-configure the specific entry. Click the Apply button to accept the changes made. NOTE: To set the SSH User A...

Page 258: ...oad beyond its capability. To alleviate this problem, the Safeguard Engine function was added to the Switch's software. The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. The Safeguard Engine has two operating modes that can ...

Page 259: ... the Switch doubled the time for dropping ARP and IP broadcast packets when consecutive flooding issues were detected at 5-second intervals. (First stop: 5 seconds, second stop: 10 seconds, third stop: 20 seconds.) Once the flooding is no longer detected, the wait period for dropping ARP and IP broadcast packets will return to 5 seconds and the process will resume. In Fuzzy mode, once the Safeguard Engine has...

Page 260: ...rcentage where the Switch leaves the Safeguard Engine state and returns to normal mode. Trap Log: Use the pull-down menu to enable or disable the sending of messages to the device's SNMP agent and switch log once the Safeguard Engine has been activated by a high CPU utilization rate. Mode: Used to select the type of Safeguard Engine to be activated by the Switch when the CPU utilization reaches a high...

Page 261: ... Application > DHCP > DHCP Relay > DHCP Relay Global Settings as shown below. Figure 9–1 DHCP Relay Global Settings window. The fields that can be configured are described below (Parameter: Description). DHCP Relay State: This field can be toggled between Enabled and Disabled using the pull-down menu. It is used to enable or disable the DHCP Relay service on the Switch. The default is Disabled. DHCP Relay Hops Co...

Page 262: ...l drop invalid messages. Disabled: When the field is toggled to Disabled, the relay agent will not check the validity of the packet's option 82 field. DHCP Relay Agent Information Option 82 Policy: This field can be toggled between Replace, Drop and Keep by using the pull-down menu. It is used to set the Switch's policy for handling packets when the DHCP Relay Agent Information Option 82 Check is set to ...

Page 263: ...a packet that contains the option 82 field from a DHCP client and the information-checking feature is enabled, the Switch drops the packet because it is invalid. However, in some instances, users may configure a client with the option 82 field. In this situation, disable the information check feature so that the Switch does not remove the option 82 field from the packet. Users may configure the action th...

Page 264: ...ort: The incoming port number of the DHCP client packet; the port number starts from 1. Remote ID sub-option format: Figure 9–3 Remote ID Sub-option Format. 1. Sub-option type 2. Length 3. Remote ID type 4. Length 5. MAC address: The Switch's system MAC address. DHCP Relay Interface Settings. Users can set up a server by IP address for relaying DHCP information to the Switch. The user may enter a previously con...

Page 265: ...CP server at the interface level, then the configuration at the interface level has higher priority. In this case, the DHCP server configured on the VLAN will not be used to forward the DHCP packets. To view this window, click Network Application > DHCP > DHCP Relay > DHCP Relay VLAN Settings as shown below. Figure 9–5 DHCP Relay VLAN Settings window. The fields that can be configured are described below. Param...

Page 266: ...s no matching server found for the packet based on option 60, the relay servers will be determined by the default relay server setting. DHCP Relay Option 60 Settings. This option decides whether the DHCP Relay will process the DHCP option 60 or not. To view this window, click Network Application > DHCP > DHCP Relay > DHCP Relay Option 60 Settings as shown below. Figure 9–7 DHCP Relay Option 60 Settings window...

Page 267: ... configure, add and delete DHCP relay option 61 parameters. To view this window, click Network Application > DHCP > DHCP Relay > DHCP Relay Option 61 Settings as shown below. Figure 9–8 DHCP Relay Option 61 Settings window. The fields that can be configured are described below (Parameter: Description). DHCP Relay Option 61 Default: Here the user can select the DHCP Relay Option 61 default action. Drop: Specify to d...

Page 268: ...n below. Figure 9–9 DHCP Local Relay Settings window. The fields that can be configured are described below (Parameter: Description). DHCP Local Relay Global State: Enable or disable the DHCP Local Relay Global State. The default is Disabled. VLAN Name: This is the VLAN Name that identifies the VLAN the user wishes to apply the DHCP Local Relay operation. State: Enable or disable the configure DHCP Local Rela...

Page 269: ...nformation will be taken. SNTP Poll Interval In Seconds (30-99999): The interval, in seconds, between requests for updated SNTP information. Click the Apply button to accept the changes made. Time Zone Settings. Users can configure time zones and Daylight Savings Time settings for SNTP. To view this window, click Network Application > SNTP > Time Zone Settings as shown below. Figure 9–11 Time Zone Settings window...

Page 270: ... DST will start on each year. From Day: Enter the day of the month DST will start on each year. From Time In HH:MM: Enter the time of day DST will start on each year. To Month: Enter the month DST will end on each year. To Day: Enter the day of the month DST will end on each year. To Time In HH:MM: Enter the time of day that DST will end on each year. Click the Apply button to accept the changes made. Flash F...

Page 271: ...indow. Click the Previous button to return to the previous page. Click the Create Directory button to create a new directory within the file system of the switch. Click the Copy button to copy a specific file to the switch. Click the Move button to move a specific file within the switch. Tick the List Boot Up Files Only option to display only the boot-up files. Click the Active button to set a specific config ...

Page 272: ...the Apply button to initiate the copy. Click the Cancel button to discard the process. After clicking the Move button, the following page will appear. Figure 9–15 Flash File System Settings Move window. When moving a file to another place, the user must enter the Source and Destination path. Click the Apply button to initiate the copy. Click the Cancel button to discard the process ...

Page 273: ...domain name. MD Index: Specifies the maintenance domain index used. Level: Here the user can select the maintenance domain level. MIP: This is the control creations of MIPs. None: Don't create MIPs. This is the default value. Auto: MIPs can always be created on any ports in this MD, if that port is not configured with a MEP of this MD. For the intermediate switch in a MA, the setting must be auto in order for t...

Page 274: ...g the Add MA button, the following page will appear. Figure 10–2 CFM MA Settings Window. The fields that can be configured are described below (Parameter: Description). MA: Here the user can enter the maintenance association name. MA Index: Here the user can enter the maintenance association index. VID: VLAN Identifier. Different MA must be associated with different VLANs. Click the Add button to add a new entr...

Page 275: ...V. This is the default value. Chassis: Transmit sender ID TLV with chassis ID information. Manage: Transmit sender ID TLV with manage address information. Chassis Manage: Transmit sender ID TLV with chassis ID information and manage address information. Defer: Inherit the setting configured for the maintenance domain that this MA is associated with. This is the default value. CCM: This is the CCM interval. 10m...

Page 276: ...hould be configured in the MA's MEP ID list. Port: Port number. This port should be a member of the MA's associated VLAN. MEP Direction: This is the MEP direction. Inward: Inward facing (up) MEP. Outward: Outward facing (down) MEP. Click the Add button to add a new entry based on the information entered. Click the Back button to discard the changes made and return to the previous page. Click the View Detail Click...

Page 277: ...0–6 CFM MEP Information Window. Click the Edit button to re-configure the specific entry. Click the Back button to discard the changes made and return to the previous page. After clicking the Edit button, the following page will appear. Figure 10–7 CFM MEP Information Edit Window ...

Page 278: ... Error CCM Received are sent. Xcon CCM: Only the fault alarms whose priority is equal to or higher than Cross-connect CCM Received are sent. None: No fault alarm is sent. This is the default value. Alarm Time: This is the time that a defect must exceed before the fault alarm can be sent. The unit is in centiseconds; the range is 250-1000. The default value is 250. Alarm Reset Time: This is the dormant duratio...

Page 279: ...tension LCK Settings Edit Window. The fields that can be configured are described below (Parameter: Description). State: Specifies to enable or disable the LCK function. Period: The transmitting interval of LCK PDU. The default period is 1 second. Options to choose from are: 1sec: Specifies that the transmitting interval will be set to 1 second. 1min: Specifies that the transmitting interval will be set to 1 mi...

Page 280: ... Here the user can select the port range used for this configuration. State: Here the user can enable or disable the state of specific port regarding the CFM configuration. Click the Apply button to accept the changes made. CFM MIPCCM Table. To view this window, click OAM > CFM > CFM MIPCCM Table as shown below. Figure 10–11 CFM MIPCCM Table Window. CFM Loopback Settings. To view this window, click OAM > CFM > CFM ...

Page 281: ... MA Index: Select and enter the Maintenance Association index used. MAC Address: Enter the destination MAC address used here. LBMs Number: Number of LBMs to be sent. The default value is 4. LBM Payload Length: The payload length of LBM to be sent. The default is 0. LBM Payload Pattern: An arbitrary amount of data to be included in a Data TLV, along with an indication whether the Data TLV is to be included. LBM...

Page 282: ...d. MA Index: Select and enter the Maintenance Association index used. MAC Address: Here the user can enter the destination MAC address. TTL: Link-trace message TTL value. The default value is 64. PDU Priority: The 802.1p priority to be set in the transmitted LTM. If not specified, it uses the same priority as CCMs sent by the MA. Click the Apply button to accept the changes made. Click the Find button to locat...

Page 283: ...ay all the CFM packets transmitted and received. Click the Find button to locate a specific entry based on the information entered. Click the Clear button to clear all the information entered in the fields. CFM Fault Table. To view this window, click OAM > CFM > CFM Fault Table as shown below. Figure 10–15 CFM Fault Table Window. The fields that can be configured are described below (Parameter: Description). MD ...

Page 284: ...D and the port number to view. Level: Here the user can enter the level to view. Direction: Here the user can enter the direction to view. Inward: Inward facing (up) MP. Outward: Outward facing (down) MP. VID: Here the user can enter the VID to view. Click the Find button to locate a specific entry based on the information entered. Ethernet OAM. Ethernet OAM Settings. This window is used to configure the Ethernet O...

Page 285: ...ect to disable the remote loopback. Start: Select to request the peer to change to the remote loopback mode. Stop: Select to request the peer to change to the normal operation mode. Received Remote Loopback: Use the drop-down menu to configure the client to process or to ignore the received Ethernet OAM remote loopback command. Process: Select to process the received Ethernet OAM remote loopback command. I...

Page 286: ...r Available options are Error Symbol, Error Frame, Error Frame Period and Error Frame Seconds. Critical Link Event: Use the drop-down menu to select between Dying Gasp and Critical Event. Threshold: Enter the number of error frames or symbols in the period that is required to be equaled or exceeded in order for the event to be generated. Window: Enter the period of error frame or symbol in milliseconds summ...

Page 287: ...d the port number to view. Port List: Enter a list of ports. Tick the All Ports check box to select all ports. Click the Find button to locate a specific entry based on the information entered. Click the Clear button to clear all the information entered in the fields. Ethernet OAM Statistics. The window is used to show ports' Ethernet OAM statistics information. To view this window, click OAM > Ethernet OAM > E...

Page 288: ...to view. Port List: Enter a list of ports. Tick the All Ports check box to select all ports. Click the Clear button to clear all the information entered in the fields. Cable Diagnostics. The cable diagnostics feature is designed primarily for administrators or customer service representatives to verify and test copper cables; it can rapidly determine the quality of the cables and the types of error. To vi...

Page 289: ...rts must be linked up and running at 1000M speed. Cross-talk errors detection is not supported on FE ports. NOTE: The available cable diagnosis length is from 5 to 120 meters. NOTE: The deviation of cable length detection is 5M for GE ports. Fault messages: Open: This pair is left open. Short: Two lines of this pair are shorted. CrossTalk: Lines of this pair are shorted with lines in other pairs. Unknown: The diagn...

Page 290: ...as shown below. Figure 11–1 CPU Utilization window. To view the CPU utilization by port, use the real-time graphic of the Switch and/or switch stack at the top of the web page by simply clicking on a port. Click Apply to implement the configured settings. The window will automatically refresh with new updated statistics. The fields that can be configured are described below (Parameter: Description). Time In...

Page 291: ...On this page the user can view information regarding the DRAM and Flash utilization. To view this window, click Monitoring > Utilization > DRAM Flash Utilization as shown below. Figure 11–2 DRAM Flash Utilization window. Port Utilization. Users can display the percentage of the total available bandwidth being used on the port. To view this window, click Monitoring > Utilization > Port Utilization as shown below ...

Page 292: ...econds. The default value is one second. Record Number: Select number of times the Switch will be polled, between 20 and 200. The default value is 200. Show/Hide: Check whether or not to display Port Util. Click the Apply button to accept the changes made for each individual section. Statistics. Port Statistics. Packets. The Web manager allows various packet statistics to be viewed as either a line graph or a...

Page 293: ... Analysis Table window. The fields that can be configured are described below (Parameter: Description). Unit: Select the unit you want to configure. Port: Use the drop-down menu to choose the port that will display statistics. Time Interval: Select the desired setting between 1s and 60s, where s stands for seconds. The default value is one second. Record Number: Select number of times the Switch will be polled ...

Page 294: ...e for each individual section. Click the Clear button to clear all statistics counters on this window. Click the View Table link to display the information in a table rather than a line graph. Click the View Graphic link to display the information in a line graph rather than a table. UMB_Cast (RX). To select a port to view these statistics for, select the port by using the Port pull-down menu. The user may...

Page 295: ...umber of good packets that were received by a multicast address. Broadcast: Counts the total number of good packets that were received by a broadcast address. Show/Hide: Check whether or not to display Multicast, Broadcast and Unicast Packets. Click the Apply button to accept the changes made for each individual section. Click the Clear button to clear all statistics counters on this window. Click the Vie...

Page 296: ...ackets Analysis window (table for Bytes and Packets). The fields that can be configured are described below (Parameter: Description). Port: Use the drop-down menu to choose the port that will display statistics. Time Interval: Select the desired setting between 1s and 60s, where s stands for seconds. The default value is one second. Record Number: Select number of times the Switch will be polled, between 20 and ...

Page 297: ...clear all statistics counters on this window. Click the View Table link to display the information in a table rather than a line graph. Click the View Graphic link to display the information in a line graph rather than a table. Errors. The Web manager allows port error statistics compiled by the Switch's management agent to be viewed as either a line graph or a table. Four windows are offered. Received ...

Page 298: ...ackets received that were longer than 1518 octets and less than the MAX_PKT_LEN. Internally, MAX_PKT_LEN is equal to 1536. Fragment: The number of packets less than 64 bytes with either bad framing or an invalid CRC. These are normally the result of collisions. Jabber: Counts invalid packets received that were longer than 1518 octets and less than the MAX_PKT_LEN. Internally, MAX_PKT_LEN is equal to 1536. D...

Page 299: ... To view this window, click Monitoring > Statistics > Port Statistics > Errors > Transmitted (TX) as shown below. Figure 11–12 Transmitted (TX) window (for errors). Click the View Table link to display the information in a table rather than a line graph. Figure 11–13 TX Error Analysis window (table). The fields that can be configured are described below (Parameter: Description). Unit: Select the unit you want to configure ...

Page 300: ...ransmission is inhibited by more than one collision. Collision: An estimate of the total number of collisions on this network segment. Show/Hide: Check whether or not to display ExDefer, CRCError, LateColl, ExColl, SingColl and Collision errors. Click the Apply button to accept the changes made for each individual section. Click the Clear button to clear all statistics counters on this window. Click the View...

Page 301: ...128-255: The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets). 256-511: The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets). 512-1023: The total number of packets including bad packe...

Page 302: ... should include incoming traffic. Both: Click the radio buttons to select whether the port should include both incoming and outgoing traffic. None: Click the radio buttons to select whether the port should not include any traffic. Click the Apply button to accept the changes made. NOTE: You cannot mirror a fast port onto a slower port. For example, if you try to mirror the traffic from a 100 Mbps port onto...

Page 303: ...LAN ID. Click the Apply button to accept the changes made. Click the Add button to add a new entry based on the information entered. Click the Modify button to re-configure the specific entry. Click the Delete button to remove the specific entry. After clicking the Modify button, the following page will appear. Figure 11–18 RSPAN Settings Modify window. The fields that can be configured are described belo...

Page 304: ...e architecture and sampling techniques used in the sFlow monitoring system were designed for providing continuous site-wide and enterprise-wide traffic monitoring of high-speed switched and routed networks. sFlow Global Settings. This window is used to enable or disable the sFlow feature. To view this window, click Monitoring > sFlow > sFlow Global Settings as shown below. Figure 11–19 sFlow Global Setting...

Page 305: ...The IP address of the analyzer server. If not specified or set to a 0 address, the entry will be inactive. Collector Port: The destination UDP port for sending the sFlow datagrams. If not specified, the default value is 6343. Max Datagram Size: The maximum number of data bytes that can be packed in a single sample datagram. If not specified, the default value is 1400. Click the Apply button to accept the change...

Page 306: ... will be sampled from every 5120 packets. If set to 0, the sampler is disabled. If the rate is not specified, its default value is 0. MAX Header Size: The maximum number of leading bytes in the packet which has been sampled that will be encapsulated and forwarded to the server. If not specified, the default value is 128. Click the Apply button to accept the changes made. Click the Delete All button to remov...

Page 307: ...nds to or echoes the packets sent from the Switch. This is very useful to verify connectivity between the Switch and other nodes on the network. To view this window, click Monitoring > Ping Test as shown below. Figure 11–23 Ping Test window (SI Mode Only). Figure 11–24 Ping Test window (EI Mode Only). The user may click the Infinite times radio button, in the Repeat Pinging for field, which will tell the ping p...

Page 308: ...period between 1 and 99 seconds for this Ping message to reach its destination. If the packet fails to find the IP address in this specified time, the Ping packet will be dropped. Click the Start button to initiate the Ping Test. After clicking the Start button, the following page will appear: Figure 11–25 Ping Test Result window. Click the Stop button to halt the Ping Test. Click the Resume button to res...

Page 309: ... network path between two devices. The range for the TTL is 1 to 60 hops. Port: The port number. The value range is from 30000 to 64900. Timeout: Defines the timeout period while waiting for a response from the remote device. A value of 1 to 65535 seconds can be specified. The default is 5 seconds. Probe: The number of probes. The range is from 1 to 9. If unspecified, the default value is 1. Click the Start bu...

Page 310: ...nment: The device environment feature displays the Switch internal temperature status. To view this window, click Monitoring > Peripheral > Device Environment, as shown below. Figure 11–29 Device Environment window. Click the Refresh button to refresh the display table so that new entries will appear ...

Page 311: ... Type drop-down menu and enter the File Path in the space provided and click Apply. Figure 12–1 Save Configuration window. Save Log allows the user to back up the log file of the switch. Select Log from the Type drop-down menu and click Apply. Figure 12–2 Save Log window. Save All allows the user to permanently save changes made to the configuration. This option will allow the changes to be kept after th...

Page 312: ...rimary Master of the Switch stack. Backup Master: Display the Unit ID of the Backup Master of the switch stack. Box Count: Display the number of switches in the switch stack. Box ID: Display the Switch's order in the stack. User Set: Box ID can be assigned automatically (Auto) or can be assigned statically. The default is Auto. Type: Display the model name of the corresponding switch in a stack. Exist: Denote wh...

Page 313: ...ribed below. Parameter / Description. Unit: Use the drop-down menu to select a unit for receiving the firmware. Select All for all units. TFTP Server IP: Enter the TFTP server IP address used. IPv4: Click the radio button to enter the TFTP server IP address used. IPv6 (EI Mode Only): Click the radio button to enter the TFTP server IPv6 address used. Source File: Enter the location and name of the Source File. Dest...

Page 314: ... File. Source File: Enter the location of the Source File or click the Browse button to navigate to the firmware file for the download. Click Download to initiate the download. Upload Firmware: The following window is used to upload firmware from the Switch. Upload Firmware To TFTP: This page allows the user to upload firmware from the Switch to a TFTP Server. Figure 12–8 Upload Firmware TFTP window SI Mo...

Page 315: ...following window is used to download the configuration file for the Switch. Download Configuration From TFTP: This page allows the user to download the configuration file from a TFTP Server to the Switch and updates the switch. Figure 12–10 Download Configuration TFTP window (SI Mode Only). Figure 12–11 Download Configuration TFTP window (EI Mode Only). The fields that can be configured are described below...

Page 316: ...cribed below. Parameter / Description. Unit: Use the drop-down menu to select a unit for receiving the configuration file. Select All for all units. Destination File: Enter the location and name of the Destination File. Source File: Enter the location and name of the Source File or click the Browse button to navigate to the configuration file for the download. Click Download to initiate the download. Upload C...

Page 317: ...on and name of the Destination File. Source File: Enter the location and name of the Source File. Filter: Use the drop-down menu to include, begin or exclude a filter like SNMP, VLAN or STP. Select the appropriate Filter action and enter the service name in the space provided. Click Upload to initiate the upload. Upload Configuration To HTTP: This page allows the user to upload the configuration file from t...

Page 318: ...scription. TFTP Server IP: Enter the TFTP server IP address used. IPv4: Click the radio button to enter the TFTP server IP address used. IPv6 (EI Mode Only): Click the radio button to enter the TFTP server IPv6 address used. Destination File: Enter the location and name of the Destination File. Log Type: Select the type of log to be transferred. Selecting the Common Log option here will upload the common log e...

Page 319: ...ter the factory defaults into the current configuration, but do not save this configuration. Reset System will return the Switch's configuration to the state it was when it left the factory. Reset gives the option of retaining the Switch's User Accounts and History Log while resetting all other configuration parameters to their factory defaults. If the Switch is reset using this window and Save Change...

Page 320: ...rent configuration to non-volatile RAM before restarting the Switch. Selecting the No radio button instructs the Switch not to save the current configuration before restarting the Switch. All of the configuration information entered from the last time Save Changes was executed will be lost. Click the Reboot button to restart the Switch. Figure 12–21 System Rebooting window ...

Page 321: ...ng attacks. In the process of ARP, PC A will first issue an ARP request to query PC B's MAC address. The network structure is shown in Figure 1. [Figure 1] In the meantime, PC A's MAC address will be written into the "Sender H/W Address" and its IP address will be written into the "Sender Protocol Address" in the ARP payload. As PC B's MAC address is unknown, the "Target H/W Address" will be 00-00-00-00-00-00, wh...

Page 322: ...o all ports except the source port, port 1 (see Figure 2). [Figure 2] [Figure 3] When PC B replies to the ARP request, its MAC address will be written into "Target H/W Address" in the ARP payload shown in Table 3. The ARP reply will be then encapsulated into an Ethernet frame again and sent back to the sender. The ARP reply is in a form of Unicast communication. Table 3 ARP Payload. When PC B replies to the quer...

Page 323: ...MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly re-directed to the node specified by the attacker. [Figure 4] An IP spoofing attack is caused by Gratuitous ARP, which occurs when a host sends an ARP request to resolve its own IP address. Figure 4 shows a hacker within a LAN initiating an ARP spoofing attack. In the Gratuitou...

Page 324: ...ormation, there is a need for further inspection of ARP packets. To prevent ARP spoofing attacks, we demonstrate here how to use a Packet Content ACL on the Switch to block the invalid ARP packets which contain a faked gateway MAC and IP binding. Configuration: The configuration logic is as follows: 1. Only if the ARP matches Source MAC address in Ethernet, Sender MAC address and Sender IP address in AR...

Page 325: ...t frame, which is the pattern for the calculation of packet offset. Table 5 A Completed ARP Packet Contained in an Ethernet Frame. Command / Description. Step 1: create access_profile_id 1 profile_name 1 ethernet source_mac FF FF FF FF FF FF ethernet_type (Create access profile 1 to match Ethernet Type and Source MAC address.) Step 2: config access_profile profile_id 1 add access_id 1 ethernet source_mac 01 ...

Page 326: ... 0xA5A offset_chunk_3 0x5A5A0000 Step 5 save Save configuration ...

Page 327: ...e steps to reset the password: 2. Power on the Switch. After the UART init is loaded to 100%, the Switch will allow 2 seconds for the user to press the hotkey Shift + 6 to enter the "Password Recovery Mode". Once the Switch enters the "Password Recovery Mode", all ports on the Switch will be disabled. Boot Procedure V1 00 009 Power On Self Test 100 MAC Address 00 19 5B EC 32 15 H W Version A1 Please Wait Loadin...

Page 328: ...ipaddr are XOR shown in log string which means if user login by console there will no IP information for logging Configuration and log saved to flash Unit unitID Configuration and log saved to flash by console Username username IP ipaddr Informational by console and IP ipaddr are XOR shown in log string which means if user login by console there will no IP information for logging Internal Power fa...

Page 329: ...ion for logging Configuration successfully uploaded Configuration successfully uploaded by console Username username IP ipaddr Informational by console and IP ipaddr are XOR shown in log string which means if user login by console there will no IP information for logging Configuration upload was unsuccessful Configuration upload by console was unsuccessful Username username IP ipaddr Warning by co...

Page 330: ...hanged to master Backup master changed to master Master Unit unitID Informational Slave changed to master Slave changed to master Master Unit unitID Informational Box ID conflict Hot insert failed box ID conflict Unit unitID conflict MAC macaddr and MAC macaddr Critical Console Successful login through Console Unit unitID Successful login through Console Username username Informational There are n...

Page 331: ...anning Tree port role change Instance InstanceID Port unitID portNum old_role new_role Informational Spanning Tree instance created Spanning Tree instance created Instance InstanceID Informational Spanning Tree instance deleted Spanning Tree instance deleted Instance InstanceID Informational Spanning Tree Version changed Spanning Tree version change new version new_version Informational Spanning T...

Page 332: ... local method Login failed through SSH from userIP authenticated by AAA local method Username username Warning Successful login through Console authenticated by AAA none method Successful login through Console authenticated by AAA none method Username username Informational Successful login through Web authenticated by AAA none method Successful login through Web from userIP authenticated by AAA n...

Page 333: ...A local_enable method Username username Warning Successful Enable Admin through Web authenticated by AAA local_enable method Successful Enable Admin through Web from userIP authenticated by AAA local_enable method Username username Informational Enable Admin failed through Web authenticated by AAA local_enable method Enable Admin failed through Web from userIP authenticated by AAA local_enable met...

Page 334: ...er serverIP Username username Warning Enable Admin failed through Web SSL due to AAA server timeout or improper configuration Enable Admin failed through Web SSL from userIP due to AAA server timeout or improper configuration Username username Warning Successful Enable Admin through Telnet authenticated by AAA server Successful Enable Admin through Telnet from userIP authenticated by AAA server se...

Page 335: ...ddr MAC macaddr Port unitID portNum Warning Dynamic IMPB entry is conflict with static ARP Dynamic IMPB entry conflicts with static ARP IP ipaddr MAC macaddr Port unitID portNum Warning Dynamic IMPB entry is conflict with static FDB Dynamic IMPB entry conflicts with static FDB IP ipaddr MAC macaddr Port unitID portNum Warning Dynamic IMPB entry conflicts with static IMPB Dynamic IMPB entry conflic...

Page 336: ...ver Port UnitID portNum recover from BPDU under attacking state manually Informational Monitor Temperature exceeds confidence level Uint unitID Temperature Sensor sensorID enter alarm state current temperature temperature Warning Temperature recovers to normal Uint unitID Temperature Sensor sensorID recovers to normal state current temperature temperature Informational CFM Cross connect is detecte...

Page 337: ... into voice VLAN vid Informational While the port withdraws from the voice VLAN while there is no more voice device detected in the aging interval Port unitID portNum remove from voice VLAN vid Informational ERPS Signal failure detected Signal failure detected on node macaddr Notice Signal failure cleared Signal failure cleared on node macaddr Notice RPL owner conflict RPL owner conflicted on the ...

Page 338: ... MAC-based access control host ages out. 1.3.6.1.4.1.171.12.35.11.1.0.3. FilterDetectedTrap: This trap is sent when an illegal DHCP server is detected. The same illegal DHCP server IP address detected is just sent once to the trap receivers within the log ceasing unauthorized duration. 1.3.6.1.4.1.171.12.37.100.0.1. SingleIPMSColdStart: The commander switch will send swSingleIPMSColdStart notification to...

Page 339: ...ot properly authenticated. While all implementations of SNMP entities MAY be capable of generating this trap, the snmpEnableAuthenTraps object indicates whether this trap will be generated. 1.3.6.1.6.3.1.1.5.5. risingAlarm: This trap is an SNMP notification that is generated when a high capacity alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps. 1 ...
