
Table 40: Authentication List Summary Fields (continued)

| Field | Description |
|---|---|
| List Type | The type of list, which is one of the following: Default – The list is preconfigured on the system. This type of list cannot be deleted, and only the Method Options are configurable. Configured – The list has been added by a user. |
| Access Line | The access method(s) that use the list for authentication. The settings for this field are configured on the Authentication Selection page. |

Click Refresh to update the information on the screen.

To create a new authentication list, see Authentication Server Users on page 59. To assign users to a
specific authentication list, see User Accounts on page 57. To configure the 802.1x port security
users, see RADIUS Settings on page 284.

Select Authentication List

Use the Select Authentication List Configuration page to associate an authentication list with each
CLI-based access method (console, Telnet, and SSH). Each access method has the following two
authentication lists associated with it:

Login – The authentication list to use for User EXEC-level management access to the CLI. Access at
this level has a limited number of CLI commands available to view or configure the system. The
options available in this menu include the default Login authentication lists as well as any
user-configured Login lists.

Enable – The authentication list to use for Privileged EXEC-level management access to the CLI. In
Privileged EXEC mode, read-write users have access to all CLI commands. The options available in
this menu include the default Enable authentication lists as well as any user-configured Enable lists.

To access this page, click System > AAA > Authentication Selection in the navigation menu.

Table 41 shows the fields for this page.

Table 41: Select Authentication List Fields

| Field | Description |
|---|---|
| Console | The Login authentication list and the Enable authentication list to apply to users who attempt to access the CLI by using a connection to the console port. |
| Telnet | The Login authentication list and the Enable authentication list to apply to users who attempt to access the CLI by using a Telnet session. |
| Secure Telnet (SSH) | The Login authentication list and the Enable authentication list to apply to users who attempt to access the CLI by using a secure shell (SSH) session. |
| List Name | The name of the authentication list. This field can be configured only when adding a new authentication list. |
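
The two-lists-per-access-method model described in this section can be checked offline against a saved configuration. The audit script below is an added example, not part of the Administration Guide or any Extreme Networks code. The CLI syntax it parses (aaa authentication login|enable, line console|telnet|ssh, login|enable authentication) is assumed FASTPATH-style syntax to verify against the Command Reference, and the list names and sample configuration are constructed.

```python
import re

# Constructed running-config excerpt. The command syntax is an assumption
# (FASTPATH-style CLI); the list names are invented for this example.
SAMPLE_CONFIG = """\
aaa authentication login "mgmtLogin" radius local
aaa authentication login "labLogin" none
aaa authentication enable "mgmtEnable" radius enable
line console
login authentication mgmtLogin
enable authentication mgmtEnable
exit
line telnet
login authentication labLogin
exit
line ssh
login authentication mgmtLogin
enable authentication mgmtLogin
exit
"""

ACCESS_LINES = ("console", "telnet", "ssh")  # the CLI-based access methods
KINDS = ("login", "enable")                  # the two lists each method uses

LIST_RE = re.compile(r'aaa authentication (login|enable) "?([^"\s]+)"? (.+)$')
LINE_RE = re.compile(r'line (console|telnet|ssh)$')
SELECT_RE = re.compile(r'(login|enable) authentication "?([^"\s]+)"?$')


def parse_config(text):
    """Return (lists, selection).

    lists:     {(kind, name): [method, ...]} for every list defined in the text
    selection: {access_line: {"login": name_or_None, "enable": name_or_None}}
    """
    lists = {}
    selection = {line: {kind: None for kind in KINDS} for line in ACCESS_LINES}
    current = None  # access line whose config block we are inside
    for raw in text.splitlines():
        stmt = raw.strip()
        m = LIST_RE.match(stmt)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
            continue
        m = LINE_RE.match(stmt)
        if m:
            current = m.group(1)
            continue
        if stmt == "exit":
            current = None
            continue
        m = SELECT_RE.match(stmt)
        if m and current:
            selection[current][m.group(1)] = m.group(2)
    return lists, selection


def audit(lists, selection):
    """Return (access_line, kind, finding) tuples for every questionable slot."""
    findings = []
    for line in ACCESS_LINES:
        for kind in KINDS:
            name = selection[line][kind]
            if name is None:
                # No explicit assignment: a Default list applies. Confirm which
                # one on the Authentication Selection page.
                findings.append((line, kind, "implicit-default"))
                continue
            methods = lists.get((kind, name))
            if methods is None:
                other = "enable" if kind == "login" else "login"
                reason = ("wrong-list-kind" if (other, name) in lists
                          else "list-not-in-config")
                findings.append((line, kind, reason))
            elif "none" in methods:
                # The "none" method performs no authentication, so reaching it
                # anywhere in the chain grants access without credentials.
                findings.append((line, kind, "none-method"))
    return findings


def access_line_summary(lists, selection):
    """Rebuild the 'Access Line' column: which access methods use each list."""
    usage = {key: [] for key in lists}
    for line in ACCESS_LINES:
        for kind in KINDS:
            key = (kind, selection[line][kind])
            if key in usage:
                usage[key].append(line)
    return usage


if __name__ == "__main__":
    parsed_lists, parsed_selection = parse_config(SAMPLE_CONFIG)
    for finding in audit(parsed_lists, parsed_selection):
        print("FINDING", *finding)
    for (kind, name), lines in access_line_summary(parsed_lists,
                                                   parsed_selection).items():
        print(kind, name, "->", ", ".join(lines) or "(unused)")
```
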

Configuring System Information

ExtremeSwitching 200 Series: Administration Guide

66

Summary of Contents for 200 Series

Page 1: ...ExtremeSwitching 200 Series Administration Guide 122041 00 Published May 2017 ...


Page 78: ...t wants the DHCP server to supply To access this page click System Advanced Configuration DHCP Server Pool Options in the navigation menu If no DHCP pools exist the Pool Options page does not display the fields shown in Table 53 If any DHCP pools are configured on the system this page contains the following fields Table 53 Pool Options Fields Field Description Pool Name Select the DHCP pool to wit...

Page 79: ...ck Submit to apply the changes to the system If you want the switch to retain the new values across a power cycle you must save the configuration Server Statistics Use the DHCP Server Statistics page to view information about the DHCP server bindings and messages To access this page click System Advanced Configuration DHCP Server Statistics in the navigation menu Table 55 Server Statistics Fields ...

Page 80: ...k Clear Server Statistics to reset all counters to zero Conflicts Information Use the Conflicts Information page to view information on hosts that have address conflicts that is when the same IP address is assigned to two or more devices on the network To access this page click System Advanced Configuration DHCP Server Conflicts in the navigation menu Table 56 Conflicts Information Fields Field De...

Page 81: ...name for example if the default domain name is com and the user enters hotmail then hotmail is changed to hotmail com to resolve the name By default no default domain name is configured in the system Retry Number Enter the number of times to retry sending DNS queries The valid values are from 0 to 100 The default value is 2 Response Timeout Enter the number of seconds to allow a DNS server to resp...

Page 82: ...assed since the entry was added to the table When the Elapsed Time reaches the Total Time the entry times out and is removed from the table Dynamic Type The type of address in the entry for example IP or less common X 121 The page includes the following command buttons Click Add Static Entry to load the Host Name IP Mapping Configuration page in order to configure the Host Name IP Mapping entries ...

Page 83: ...sed as the source address Interface The primary IP address of a physical port is used as the source address Loopback The primary IP address of the loopback interface is used as the source address A loopback is always reachable as long as any routing interface is up VLAN The primary IP address of a VLAN routing interface is used as the source address Interface When the selected Type is Interface se...

Page 84: ...mary system failures error 3 The device is experiencing non urgent failures warning 4 The device is experiencing conditions that could lead to system errors if no action is taken notice 5 The device is experiencing normal but significant conditions info 6 The device is providing non critical information debug 7 The device is providing debug level information Non Urgent Messages Severity Configures...

Page 85: ...o on the SMTP server User Name If the Security is TLSv1 this field specifies the user name required to access the mail server Password If the Security is TLSv1 this field specifies the password associated with the configured user name for mail server access When adding or editing the server you must retype the password to confirm that it is entered correctly To remove a configured SMTP server sele...

Page 86: ... the new values across a power cycle you must save the configuration Email Alert To Address Configuration Use the Email Alert To Address Configuration page to configure the email addresses to which alert messages are sent To access this page click System Advanced Configuration Email Alerts Address in the navigation menu Use the buttons to perform the following tasks To add an email address to the list...

Page 87: ...essage Interval Specifies the ISDP transmit interval The range is 5 254 Default value is 30 seconds Hold Time Interval The receiving device holds ISDP message during this time period The range is 10 255 Default value is 180 seconds Device ID The Device ID advertised by this device The format of this Device ID is characterized by the value of Device ID Format object Device ID Format Capability Indi...

Page 88: ...DP Hardware Platform for the neighbor Port ID Displays the ISDP port ID string for the neighbor Protocol Version Displays the ISDP Protocol Version for the neighbor Last Time Changed Displays when entry was last modified Clear Button Clears all entries from the table The table is repopulated as ISDP messages are received from neighbors ISDP Interface Configuration From the ISDP Interface Configura...

Page 89: ... received with bad headers ISDP Checksum Error Displays the number of ISDP PDUs that were received with checksum errors ISDP Transmission Failure Displays the number of ISDP PDU transmission failures Invalid Format ISDP Packets Received Displays the number of ISDP PDUs that were received with an invalid format Table Full Displays the number of times the system tried to add an entry to the ISDP ta...

Page 90: ...rfaces are up when upstream interfaces are down Down Downstream interfaces go down when upstream interfaces are down Creating a link dependency group with the up link action essentially creates a backup link for the dependent link and alleviates the need to implement STP Spanning Tree Protocol to handle the fail over State The group state which can be one of the following Up Link action is up and ...

Page 91: ...ce and click Edit To delete an entry from the list select the checkbox for each entry to delete and click Remove The following table describes the fields available on the Link Local Protocol Filtering Configuration page Table 71 Link Local Protocol Filtering Configuration Field Description Interface Identifies the physical or LAG Link Aggregation Group interface ISDP When enabled the select port b...

Page 92: ...DM Template on the Next Reload Select the template that will become active after the next reboot Dual IPv4 and IPv6 filters subsequent template choices to those that support both IPv4 and IPv6 There is only one such template and it is selected using the keyword default IPv4 Routing default filters subsequent template choices to those that support IPv4 and not IPv6 The default IPv4 only template ma...

Page 93: ... may be taken opportunistically in order to fill these datagrams In order to perform Packet Flow Sampling an sFlow Sampler Instance is configured with a Sampling Rate The Packet Flow sampling process results in the generation of Packet Flow Records In order to perform Counter Sampling the sFlow Poller Instance is configured with a Polling Interval The Counter Sampling process results in the genera...

Page 94: ...s 1 to 65535 Datagram Version The version of sFlow datagrams that should be sent Monitor Session Monitor session to enable sFlow hardware feature Use the Submit button to send updated data to the switch and cause the changes to take effect on the switch Use the Refresh button to refresh the page with the most current data from the switch Use the Edit button to configure the monitor session for a s...

Page 95: ...m number of seconds between successive samples of the counters associated with this data source Click Refresh to refresh the page with the most current data from the switch sFlow Sampler Configuration The sFlow Agent collects a statistical packet based sampling of the switched flows and sends them to the configured receivers A data source configured to collect flow samples is called a sampler Pack...

Page 96: ... the most current data from the switch Use the buttons to perform the following tasks To add an sFlow sampler instance click Add and complete the required information To edit an existing sFlow sampler instance select the appropriate checkbox or click the row to select the sFlow sampler instance and click Edit Modify the sFlow sampler configuration information as needed To delete an sFlow sampler i...

Page 97: ...e Configuration Fields Field Description Type The type of interface to use as the source interface None The primary IP address of the originating outbound interface is used as the source address Interface The primary IP address of a physical port is used as the source address Loopback The primary IP address of the loopback interface is used as the source address A loopback is always reachable as l...

Page 98: ...ce can poll unicast and broadcast server types for the server time Polling for unicast information is used for polling a server for which the IP address is known SNTP servers that have been configured on the device are the only ones that are polled for synchronization information T1 through T4 are used to determine server time This is the preferred method for synchronizing device time because it i...

Page 99: ...a multicast address has Internet wide scope Port Specifies the local UDP port to listen for responses broadcasts The allowed range is 1 to 65535 The default value is 123 Unicast Poll Interval Specifies the number of seconds between unicast poll requests expressed as a power of two when configured in unicast mode The allowed range is 6 to 10 The default value is 6 Broadcast Poll Interval Specifies ...

Page 100: ...d by the server is not compatible with the version supported by the client Server Unsynchronized The SNTP server is not synchronized with its peers This is indicated via the leap indicator field on the SNTP message Server Kiss Of Death The SNTP server indicated that no further queries were to be sent to this server This is indicated by a stratum field equal to 0 in a message received from a server...

Page 101: ...ion Enter the protocol version number To add an SNTP server select Add from the Server list complete the remaining fields as desired and click Submit The SNTP server is added and is now reflected in the Server list You must perform a save to retain your changes over a power cycle To remove an SNTP server select the IP address of the server to remove from the Server list and then click Remove The e...

Page 102: ...witch SNTP Source Interface Configuration Use the SNTP Source Interface Configuration page to specify the physical or logical interface to use as the SNTP client source interface When an IP address is configured on the source interface this address is used for all SNTP communications between the local SNTP client and the remote SNTP server The IP address of the designated source interface is used ...

Page 103: ... implement time based ACLs The time range is identified by a name and can then be referenced by an ACL rule defined within an ACL Time Range Configuration Use the Time Range Configuration page to create a named time range Each time range can consist of one absolute time entry and or one or more periodic time entries To access this page click System Advanced Configuration Time Ranges Configuration ...

Page 104: ... the name of the time range to which you want to add a time range entry Time Range Entry Select Create New Time Range Entry to add a new entry to a time range To view or delete an existing time range entry select its ID from the menu Time Range Entry ID When creating a new time range entry assign a unique ID number from 1 10 This field does not appear if the entry has already been configured Time ...

Page 105: ...ge entry ends End Month Select the month when the time entry ends End Date Select the day of the month when the time entry ends End Year Select the year when the time entry ends End Time Specify the time when the entry ends The time is based on a 24 hour clock For example 6 00 PM is 18 00 If you change any of the parameters click Submit to apply the changes to the system If you want the switch to ...

Page 106: ...fresh to display the latest information from the router Time Zone Configuration Use the Time Zone Configuration page to manually configure the system clock settings The SNTP client must be disabled to allow manual configuration of the system time and date To access this page click System Advanced Configuration Time Zone Time Zone in the navigation menu Table 87 Time Zone Configuration Fields Field...

Page 107: ...elected the rest of the applicable fields on the page are automatically populated and cannot be edited USA The system clock uses the standard recurring daylight saving time settings used in the United States When this field is selected the rest of the applicable fields on the page are automatically populated and cannot be edited Non Recurring Summer time settings are in effect only between the sta...

Page 108: ... is in effect Click Refresh to display the latest information from the router Click Submit to apply the settings to the running configuration and cause the change to take effect Managing SNMP Traps The pages in the Trap Manager folder allow you to view and configure information about SNMP traps the system generates Trap Log Use the Trap Log page to view the entries in the trap log To access this p...

Page 109: ... authentication failure traps by selecting the corresponding line on the drop down entry field The factory default is enabled Link Up Down Enable or disable activation of link status traps by selecting the corresponding line on the drop down entry field The factory default is enabled Multiple Users Enable or disable activation of multiple user traps by selecting the corresponding line in the drop ...

Page 110: ...to the system If you want the switch to retain the new values across a power cycle you must save the configuration Click Refresh to refresh the page with the most current data from the switch CPU Traffic Filter Configuration Use the CPU Traffic Filter Configuration page to create edit or remove CPU traffic filters and to view summary information about the filters that exist on the device To access...

Page 111: ...onfigured filters are obtained for the packet matching the configured Source Destination IP Mask MAC Address Source Destination MAC address specific filter The statistics and or the traces for configured filters are obtained for the packet matching configured Source Destination MAC address Custom Custom filter The statistics and or the traces for configured filters are obtained for the packet matc...

Page 112: ...e filters are used one filter in each direction Tx Rx or both with condition matching as one many or all If you change any of the parameters click Submit to apply the changes to the system If you want the switch to retain the new values across a power cycle you must save the configuration Click Refresh to refresh the page with the most current data from the switch CPU Traffic Filter Statistics Use...

Page 113: ...iated with the Tx direction Received The counter statistics for all interfaces associated with the Rx direction Click Refresh to refresh the page with the most current data from the switch CPU Traffic Filter Trace Information Use the CPU Traffic Filter Trace Information page to view CPU trace information To access this page click System Advanced Configuration CPU Traffic Filter Trace Information i...

Page 114: ...ation about how to update or change the system images see Using System Utilities on page 157 Dual Image Configuration and Upgrade Use the Dual Image Configuration and Upgrade feature to transfer a new firmware code image to the device select which image to load during the next boot cycle and add a description to each image on the device The device uses the HTTP protocol to transfer the image and t...

Page 115: ...ture enables the configuration of a switch automatically when the device is turned on and during the boot process no configuration file is found in device storage By communicating with a DHCP server AutoInstall obtains an IP address for the switch and an IP address for a TFTP server AutoInstall attempts to download a configuration file from the TFTP server and install it on the switch The DHCP ser...

Page 116: ...guration to be available for the next reboot AutoReboot Mode If this option is selected the switch automatically reboots after a new image is successfully downloaded and makes the downloaded image the active image If this option is not selected the device continues to boot with the current image The downloaded image will not become the active image until the device reboots Retry Count When attempt...

Page 117: ...lures error 3 The device is experiencing non urgent failures warning 4 The device is experiencing conditions that could lead to system errors if no action is taken notice 5 The device is experiencing normal but significant conditions info 6 The device is providing non critical information debug 7 The device is providing debug level information Persistent Log Configuration Admin Mode Enable or disa...

Page 118: ...gency 0 The device is unusable alert 1 Action must be taken immediately critical 2 The device is experiencing primary system failures error 3 The device is experiencing non urgent failures warning 4 The device is experiencing conditions that could lead to system errors if no action is taken notice 5 The device is experiencing normal but significant conditions info 6 The device is providing non cri...

Page 119: ... logging or not Port The UDP port on the logging host to which syslog messages are sent Severity Filter Severity level threshold for log messages All log messages with a severity level at and above the configured level are forwarded to the logging host Transport Mode Transport mode used while sending messages to syslog servers Supported modes are UDP and TLS If TLS is not configured default transp...

Page 120: ... new host or select the IP address of an existing host to configure the host If you are adding a new host enter the IP address of the host in the IP Address field and click Submit The screen refreshes and additional fields appear 2 In the Port field type the port number on the remote host to which logs should be sent 3 Select the severity level of the logs to send to the remote host 4 Click Submit...

Page 121: ...apply the changes to the system If you want the switch to retain the new values across a power cycle you must save the configuration Persistent Log Use the Persistent Log page to view the persistent log messages To access this page click System Log Persistent Log in the navigation menu Table 106 Persistent Log Fields Field Description Log Index The position of the entry within the buffered log fil...

Page 122: ...l traffic for small bursts of time during the congestion condition This can lead to high priority and or network control traffic loss When enabled flow control allows lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets Transmissions are temporarily halted to prevent buffer overflows MAC Address Aging Interval The MA...

Page 123: ... power available This percentage determines the threshold power Power Management Mode The method by which the PoE controller determines supplied power which can be one of the following Static The power allocated to each port is reserved and is not available to any other port even when less than the maximum allocation is being used Dynamic The power allocated to each port is not reserved Unused pow...

Page 124: ...ol messages User The power limit is user defined overriding the LLDP information When set the Power Limit field is enabled Power Limit The power limit for the port which can be specified This field displays only when Power Limit Type is set to User Detection Type The protocol s that can be used to detect the presence of a PD when connected to a PoE port The IEEE specification 802 3af Dot3af specif...

Page 125: ...l PoE interface information select an entry and click Details The following information describes the fields in the Details window Table 110 PoE Port Entry Details Fields Field Description High Power Whether high power mode is enabled or disabled Max Power If Power Limit Type for the port is set to User user defined this field displays the configured power limit If Power Limit Type is set to Class...

Page 126: ... Counter Number of times an invalid signature was received Signature detection is a stage in detecting the presence of a powered device where a resistance value on the powered device is expected to be found within a particular range Click Refresh to redisplay the page with the current data from the switch Viewing Device Port Information The pages in the Port folder allow you to view and monitor th...

Page 127: ... In half duplex mode the transmissions are one way In other words the port does not send and receive traffic at the same time Speed Full Duplex The port speeds available from the menu depend on the platform on which the 200 Series software is running and which port you select In half duplex mode the transmissions are two way In other words the port can send and receive traffic at the same time Phy...

Page 128: ...t of multicast frames accepted and forwarded by the port If the multicast traffic on the Ethernet port exceeds the configured threshold the system blocks discards the multicast traffic Specifies the multicast storm recovery action to either Shutdown or Trap for specific interface If configured to Shutdown the interface which receives multicast packets at a rate which is above threshold is diagnost...

Page 129: ...enables you to determine the cable connection status on a selected port You can also obtain an estimate of the length of the cable connected to the port if the PHY Physical Interface Transceiver on the ports supports this functionality Note The cable test feature is supported only for copper cable It is not supported for optical fiber cable To access the Port Cable Test page click System Port Cabl...

Page 130: ... the network traffic for analysis by a network analyzer This is done for specific ports of the switch As such many switch ports are configured as source ports and one switch port is configured as a destination port You have the ability to configure how traffic is mirrored on a source port Packets that are received on the source port that are transmitted on a port or are both received and transmitt...

Page 131: ...be port This port receives traffic from all configured source ports None The destination is not configured IP ACL The IP access list ID or name attached to the port mirroring session MAC ACL The MAC access list name attached to the port mirroring session Source The ports or VLAN configured to mirror traffic to the destination You can configure multiple source ports or one source VLAN per session T...

Page 132: ...nterface can be assigned as a LAG member 1 From the Multiple Port Mirroring page click Configure Source to display the Source Configuration page 2 Configure the following fields Table 117 Multiple Port Mirroring Source Configuration Field Description Session ID The port mirroring session ID The number of sessions allowed is platform specific Type The type of interface to use as the source None The...

Page 133: ...e 118 Multiple Port Mirroring Add Source Ports Fields Field Description Session Specifies the monitoring session Source Port Select the unit and port from which traffic is mirrored Up to eight source ports can be mirrored to a destination port Direction Select the type traffic monitored on the source port which can be one of the following Tx and Rx Monitors transmitted and received packets Rx Moni...

Page 134: ...t RVLAN Traffic is mirrored to the VLAN on the system that is configured as the RSPAN VLAN In an RSPAN configuration the destination should be the Remote VLAN on any device that does not have a port connected to the network traffic analyzer Type The type of traffic on the source port or source ports or VLAN that is sent to the specified destination A source VLAN mirrors all received and transmitte...

Page 135: ...mption during periods of low link utilization EEE is defined by IEEE 802 3az EEE enables both the send and receive sides of the link to disable some functionality for power savings when the link is lightly loaded LPI History Whether the device is able to provide historical data about the amount of time it has spent in LPI low power idle mode LLDP Cap Exchg Whether the device is able to exchange in...

Page 136: ... current operational state of Energy Detect mode either Active or Inactive EEE Low Power Idle The administrative mode of LPI Low Power Idle on the interface LPI can reduce power consumption on the interface during periods where no traffic is present on the interface Enabling this mode does not affect link status and should not cause traffic loss Note that LPI mode is available only if the interfac...

Page 137: ...ete and is ready to update transmit LLDP Data Units LLDPDUs containing the EEE TLVs Rx DLL Enabled The status of the EEE capability negotiation on the local interface Rx DLL Ready The DLL ready receive status of the interface This field indicates whether the local interface initialization is complete and is ready to update receive LLDPDUs containing EEE TLVs Green Ethernet Remote Device Status For...

Page 138: ...fresh refreshes the data on the screen with the present state of the data in the switch Table 125 Green Ethernet Statistics Fields Field Description Interface The interface associated with the rest of the data in the row The table includes all interfaces that are enabled for EEE Rx Low Power Idle Event Count The number of times the local interface has entered a low power idle state Rx Low Power Idl...

Page 139: ... some platforms you can manually configure information about slots To access the page click System Slot Configuration in the navigation menu Table 127 lists the fields that display when the slot contains a card Table 127 Slot Configuration Fields Field Description Slot Identifies the slot number Status Whether the slot is empty or full Administrative State Whether the slot is administratively enab...

Page 140: ...lay the page with the current data from the switch Supported Cards The Supported Cards page provides information about the cards that your platform supports To access this page click System Slot Supported Cards in the navigation menu Table 129 Supported Card Fields Field Description Card Index Displays the index assigned to the selected card type Supported Cards The menu contains the list of all c...

Page 141: ...gement Defines key generation key updates and key use The device supports SNMP notification filters based on Object IDs OID OIDs are used by the system to manage device features SNMP v3 supports the following features Security Feature Access Control Traps Authentication or Privacy Keys are modified in the SNMPv3 USM Use the SNMP page to define SNMP parameters To display the SNMP page click System ...

Page 142: ...ue of 255 255 255 255 and use that machine s IP address for Client IP Address Client IP Mask Along with the Client IP Address the Client IP Mask denotes a range of IP addresses from which SNMP clients may use that community to access this device Access Mode Specify the access level for this community Read Only The Community has read only access to the MIB objects configured in the view Read Write ...

Page 143: ...the SNMP management host before resending an inform message Retries The number of times to resend an inform message that is not acknowledged by the SNMP management host Filter The name of the filter for the SNMP management host The filter is configured by using the CLI and defines which MIB objects to include or exclude from the view This field is optional UDP Port The UDP port on the SNMP managem...

Page 144: ...d for authentication but not a DES key password for encryption Auth Priv Authentication and data encryption With this security level users send an MD5 key password for authentication and a DES key password for encryption Timeout Value The number of seconds to wait for an acknowledgment from the SNMP management host before resending an inform message Retries The number of times to resend an inform ...

Page 145: ...click Remove You must confirm the action before the entry is deleted Table 134 Access Control Group Fields Field Description Group Name The name that identifies the SNMP group Context Name The SNMP context associated with the SNMP group and its views A user or a management application specifies the context name to get the performance information from the MIB objects associated with that context na...

Page 146: ...n the navigation menu Use the buttons to perform the following tasks To add a user click Add The Add New SNMP User dialog box opens Specify the new account information in the available fields To remove a user select one or more table entries and click Remove to delete the selected entries Table 135 SNMP User Security Model Fields Field Description Engine ID Each SNMPv3 agent has an engine ID that ...

Page 147: ...s to and from this user This parameter must be specified if the Privacy parameter is not None If you change any of the parameters click Submit to apply the changes to the system If you want the switch to retain the new values across a power cycle you must save the configuration SNMP View Entry Use the SNMP View Entry page to configure SNMP views These SNMP views allow network managers to control a...

Page 148: ...ields Field Description Type The type of interface to use as the source interface None The primary IP address of the originating outbound interface is used as the source address Interface The primary IP address of a physical port is used as the source address Loopback The primary IP address of the loopback interface is used as the source address A loopback is always reachable as long as any routin...

Page 149: ...tal number of packets transmitted or received by the device that were directed to a multicast address Note that this number does not include packets directed to the broadcast address Broadcast Packets The total number of packets transmitted or received by the device that were directed to the broadcast address Note that this number does not include multicast packets Status Current Usage In the FDB ...

Page 150: ...Rx Good The total number of inbound packets received by the interface without errors Rx Errors The number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol Rx Bcast The total number of good packets received that were directed to the broadcast address Note that this number does not include multicast packets Tx Good The total number of outboun...

Page 151: ...d packets received or transmitted that were between 512 and 1023 octets in length inclusive excluding framing bits but including FCS octets 1024 1518 Octets The total number of packets including bad packets received or transmitted that were between 1024 and 1518 octets in length inclusive excluding framing bits but including FCS octets 1519 1522 Octets The total number of packets including bad pac...

Page 152: ... not increment when the interface is operating in half duplex mode FCS Errors The total number of packets transmitted or received by this interface that had a length excluding framing bits but including FCS octets of between 64 and 1518 octets inclusive but had a bad Frame Check Sequence FCS with an integral number of octets Protocol STP BPDUs The number of STP BPDUs Bridge Protocol Data Units tra...

Page 153: ...l number of packets received that were longer than 1518 octets excluding framing bits but including FCS octets and had either a bad Frame Check Sequence FCS with an integral number of octets FCS Error or a bad FCS with a non integral number of octets Alignment Error Note that this definition of jabber is different than the definition in IEEE 802 3 section 8 2 1 5 10BASE5 and section 10 3 1 4 10BAS...

Page 154: ...ceived from all DHCPv6 servers Solicit Packets Transmitted Number of DHCPv6 solicit messages the client sent to begin the process of acquiring network information from a DHCPv6 server Request Packets Transmitted Number of DHCPv6 request messages the client sent in response to a DHCPv6 server s advertisement message Renew Packets Transmitted Number of renew messages the DHCPv6 client has sent to th...

Page 155: ...the periodic or absolute time range to use for data collection The time range is configured by using the Time Range Summary and Time Range Entry Summary pages The time range must be configured on the system before the time based statistics can be collected Reporting Methods The methods for reporting the collected statistics at the end of every configured time range interval The available options a...

Page 156: ...ods for all flow based statistics rules click the Edit icon and select one or more methods To reset the field to the default value click the Reset icon The available reporting methods are None The statistics are not reported to the console or an external server They can be viewed only by using the web interface or by issuing a CLI command Console The statistics are displayed on the console E Mail ...

Page 157: ... To access this page click System Statistics Time Based Statistics in the navigation menu Table 145 Time Based Statistics Fields Field Description ID The traffic group name or flow based rule ID associated with the rest of the statistics in the row Interface The interface on which the statistics were reported Counter ID For traffic group statistics this field identifies the type of traffic Counter...

Page 158: ... not be applied to the system after the reset Ping Use the Ping page to tell the switch to send a ping request to a specified IP address You can use this feature to check whether the switch can communicate with a particular network host To access this page click System Utilities Ping in the navigation menu Table 147 Ping Fields Field Description Hostname IP Address Enter the IP address or the host name...

Page 159: ...d displays only when Link Local is selected Select an IPv6 interface to initiate the ping Host Name or IPv6 Address Enter the global or link local IPv6 address or the DNS resolvable host name of the station to ping If the ping type is Link Local you must enter a link local address and cannot enter a host name Count Enter the number of ICMP echo request packets to send to the host Interval Enter th...

Page 160: ...aceRoute If the device fails to receive a response for this number of consecutive probes the TraceRoute terminates Interval The number of seconds to wait between sending probes Port The UDP destination port number to be used in probe packets The port number should be a port that the target host is not listening on so that when the probe reaches the destination it responds with an ICMP Port Unreach...

Page 161: ...at was last seen by the device Transfer Use the Transfer page to upload files from the device to a remote system and to download files from a remote system to the device To access this page click System Utilities Transfer in the navigation menu Table 151 Transfer Fields Field Description Transfer Protocol The protocol to use to transfer the file Files can be transferred from the device to a remote...

Page 162: ...lt configuration file to a remote system Error Log Select this option to transfer the system error persistent log which is also known as the event log to a remote system Buffered Log Select this option to transfer the system buffered in memory log to a remote system Image If the selected File Type is Code specify whether to transfer the Active or Backup image to a remote system Server Address Spec...

Page 163: ...ion to transfer an SSH 2 Digital Signature Algorithm DSA key file PEM Encoded to the device Factory Defaults Select this option to transfer the factory default configuration file to a remote system CA Root Certificate Select this option to transfer a CA certificate file to the device This will be used as the root certificate for one of the syslog servers Based on the index number the file will be...

Page 164: ...sword For FTP SCP or SFTP transfers if the server requires authentication specify the password for remote login to the server where the file resides Progress Represents the completion percentage of the file transfer The file transfer begins after you complete the required fields and click the download icon to the right of this field Digital Signature Verification For Code and Startup Configuration...

Page 165: ...TP server FTP Password Password of remote FTP server File Path File path to dump core file to TFTP server NFS mount or USB device sub directory Compression Mode To enable or disable compression mode Switch Chip Registers Dump To enable or disable switch chip register dump in case of an exception The switch chip register dump is taken only for master unit and not for member units Stack IP Address P...

Page 166: ...if the TFTP server can be contacted To access this page click System Utilities Core Dump Test in the navigation menu Table 157 Core Dump Test Fields Field Description Status Displays test status as Ok if test passes and Error if test fails Result Displays detailed error information with logs Configuring System Information ExtremeSwitching 200 Series Administration Guide 166 ...

Page 167: ...p Protection Multiple Registration Protocol Configuration Use the features in the Switching menu to define the switch s capabilities Managing VLANs Adding Virtual LAN VLAN support to a Layer 2 switch offers some of the benefits of both bridging and routing Like a bridge a VLAN switch forwards traffic based on the Layer 2 header which is fast and like a router it partitions the network into logical...

Page 168: ...d to static and that GVRP may therefore remove RSPAN List the status of RSPAN enabled or disabled To add a VLAN click Add and specify a VLAN ID between 2 and 4093 in the available field To configure a name for a VLAN or to convert a dynamic VLAN to a static VLAN select the entry to modify and click Edit Then configure the desired VLAN settings To remove one or more configured VLANs select each ent...

Page 169: ...agging behavior for all the ports in this VLAN which is one of the following Tagged The frames transmitted in this VLAN will include a VLAN ID tag in the Ethernet header Untagged The frames transmitted in this VLAN will be untagged Use the buttons to perform the following tasks To configure settings for one or more interfaces select each interface to configure and click Edit The same settings are ...

Page 170: ...list shows the VLANs to which the port cannot be assigned membership Dynamic VLANs The list of VLANs of which the port became a member as result of the operations of dynamic VLAN protocols When a VLAN is created as a dynamic VLAN any port that is configured as switchport type Trunk or General automatically becomes a member of the VLAN unless the VLAN port is excluded from the VLAN Priority Identif...

Page 171: ...led if the trunk port receives untagged frames it forwards them on the native VLAN with no VLAN tag When disabled if the port receives untagged frames it includes the native VLAN ID in the VLAN tag when forwarding Trunk Allowed VLANs The set of VLANs of which the port can be a member when configured in Trunk mode By default this list contains all possible VLANs even if they have not yet been creat...

Page 172: ...onnected to a network analyzer on a remote device The mirrored traffic is tagged with the RSPAN VLAN ID and transmitted over trunk ports in the RSPAN VLAN To access this page click Switching VLAN RSPAN in the navigation menu Table 163 RSPAN VLAN Configuration Fields Field Description VLAN IDs The VLANs configured on the system that are not currently enabled as Private VLANs To enable a VLAN as a R...

Page 173: ...to apply the changes to the system UDLD Interface Configuration Use the UDLD Interface Configuration page to configure the per port UDLD settings To access this page click Switching UDLD Interface Configuration in the navigation menu Use the buttons to perform the following tasks To configure UDLD settings for one or more interfaces select each interface to configure and click Edit The same settin...

Page 174: ... interface Bidirectional UDLD has detected a bidirectional link Shutdown UDLD has detected a unidirectional link and the port is in a disabled state To clear the disabled state click UDLD Port Reset Undetermined UDLD has not collected enough information to determine the state of the port Unknown The port link has physically gone down but it is not because it was put in a disabled state by the UDLD...

Page 175: ...m isolated ports to promiscuous ports Only one isolated VLAN can be configured per private VLAN Community A secondary VLAN that forwards traffic between ports that belong to the same community and to the promiscuous ports Multiple community VLANs can be configured per private VLAN Unconfigured The VLAN is not configured as a private VLAN Click Refresh to display the latest information from the rou...

Page 176: ...ANs Ctrl click each VLAN to associate with the primary VLAN Click Refresh to display the latest information from the router Private VLAN Interface The private VLAN host interface configuration screen allows you to configure the primary and secondary VLAN IDs for the host association mode It also allows you to configure the port mode for the ports and LAGs that belong to a private VLAN and to confi...

Page 177: ...econdary private VLAN the port is a member of when it is configured to operate in Promiscuous mode The secondary private VLAN is either an isolated or community VLAN Operational Private VLAN The primary and secondary operational private VLANs for the interface The VLANs that are operational depend on the configured mode for the interface and the private VLAN type Click Refresh to display the lates...

Page 178: ...en configure the desired settings To change the Voice VLAN settings select the interface to modify and click Edit To remove the Voice VLAN configuration from one or more ports select each entry to delete and click Remove To display the Voice VLAN Interface page click Switching Voice VLAN Interface Summary Table 170 Voice VLAN Interface Fields Field Description Interface The interface associated wi...

Page 179: ...y is not used disabled the interface remains disabled until an administrator manually enables it The switch supports an interface error disable feature that allows an interface to be automatically placed into a diagnostically disabled state when certain error conditions are detected on that interface When an interface has been placed in a diagnostically disabled state the interface is shut down an...

Page 180: ...ery is available for the following components ARP Inspection BPDU Guard BPDU Rate Limit Broadcast Storm Control Denial Of Service DHCP Dynamic Host Configuration Protocol Rate Limit Keepalive MAC Locking Multicast Storm Control UDLD Unicast Storm Control Recovery Time The auto recovery time interval The auto recovery time interval is common for all components The default value of the timer is 300 ...

Page 181: ...tic disabled interface Click Submit to apply the new configuration and cause the change to take effect These changes will not be retained across a power cycle unless a Save configuration is performed Creating MAC Filters Static MAC filtering allows you to associate a MAC address with a VLAN and set of source ports and destination ports The availability of source and destination port filters is sub...

Page 182: ...the MAC address and VLAN ID combination specified in the filter is transmitted only out of ports in the list To add destination ports to the filter select one or more ports from the Available Port List field Ctrl click to select multiple ports Then use the appropriate arrow icon to add the selected ports to the Source Members field Adding MAC Filters 1 To add a MAC filter click Add from the MAC Fi...

Page 183: ...he destination MAC address in the Ethernet header If the addresses do not match the ARP packet is dropped This check applies only to ARP responses because the target MAC address is unspecified in ARP requests Validate IP When this option is selected DAI drops ARP packets with an invalid IP address The following IP addresses are considered invalid 0 0 0 0 255 255 255 255 All IP multicast addresses ...

Page 184: ... power cycle unless a Save configuration is performed Click Refresh to refresh the page with the most current data from the switch DAI Interface Configuration Use the DAI Interface Configuration page to select the DAI Interface for which information is to be displayed or configured To display this page click Switching Dynamic ARP Inspection Interface Configuration in the navigation menu Table 175 ...

Page 185: ... that exist on the system Sender IP Address The IP address of a system that is permitted to send ARP packets The ARP packet must match on both the Sender IP Address and Sender MAC Address values in the rule to be considered valid Sender MAC Address The MAC address of a system that is permitted to send ARP packets The ARP packet must match on both the Sender IP Address and Sender MAC Address values...

Page 186: ...RP ACL DAI considers the packet to be valid and the packet is forwarded To display this page click Switching Dynamic ARP Inspection ACL Summary in the navigation menu Table 178 Dynamic ARP Inspection ACL Summary Fields Field Description ACL Name The name of the ACL Only the ACLs that appear in this column can be referenced by DNI enabled VLANs Use the buttons to perform the following tasks To add ...

Page 187: ...t did not match the source MAC address in the Ethernet header Bad Dest MAC The number of ARP packets that were dropped by DAI because the target MAC address in the ARP reply packet did not match the destination MAC address in the Ethernet header Invalid IP The number of ARP packets that were dropped by DAI because the sender IP address in the ARP packet or target IP address in the ARP reply packet...

Page 188: ...s for one or more interfaces select each interface to configure and click Edit The same settings are applied to all selected interfaces Table 181 GARP Port Configuration Fields Field Description Interface The interface associated with the rest of the data in the row When configuring one or more interfaces in the Edit GARP Port Configuration window this field identifies the interfaces that are bein...

Page 189: ...authorized DHCP clients DHCP server messages are forwarded only through trusted ports Global DHCP Snooping Configuration Use the Global DHCP Snooping Configuration page to view and configure the global settings for DHCP Snooping To access this page click Switching DHCP Snooping Base Global in the navigation menu Table 182 Global DHCP Snooping Configuration Fields Field Description DHCP Snooping Mo...

Page 190: ...ping appear in the list Click Refresh to refresh the page with the most current data from the switch DHCP Snooping Interface Configuration Use the DHCP Snooping Interface Configuration page to view and configure the DHCP snooping settings for each interface The DHCP snooping feature processes incoming DHCP messages For DHCPRELEASE and DHCPDECLINE messages the feature compares the receive interface...

Page 191: ... enabled the DHCP snooping feature generates a log message when an invalid packet is received and dropped by the interface Rate Limit pps The rate limit value for DHCP packets received on the interface To prevent DHCP packets from being used as a DoS attack when DHCP snooping is enabled the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces If the incoming...

Page 192: ...Switching DHCP Snooping Base Dynamic Bindings in the navigation menu Table 186 DHCP Snooping Dynamic Bindings Fields Field Description Interface The interface on which the DHCP client message was received MAC Address The MAC address associated with the DHCP client that sent the message This is the Key to the binding database VLAN ID The VLAN ID of the client interface IP Address The IP address ass...

Page 193: ...Interface The interface associated with the rest of the data in the row MAC Verify Failures The number of DHCP messages that were dropped because the source MAC address and client hardware address did not match MAC address verification is performed only if it is globally enabled Client Ifc Mismatch The number of packets that were dropped by DHCP snooping because the interface and VLAN on which the...

Page 194: ...th the rest of the data in the row When configuring the settings for one or more interfaces this field identifies each interface that is being configured L2 Relay Mode The administrative mode of Layer 2 relay mode on the interface When enabled the interface can act as a DHCP relay agent and add information that the Layer 3 relay agent and DHCP server need to perform their roles in IP address confi...

Page 195: ...ient s interface number to the Circuit ID sub option of Option 82 in the DHCP request packet This enables the device to reduce the broadcast domain to which the server replies are switched when the broadcast bit is set for DHCP packets When this bit is set the server is required to echo Option 82 in replies Since the circuit id field contains the client interface number the Layer 2 relay agent can...

Page 196: ...ilter harmful DHCPv6 messages and to build a bindings database of MAC address IPv6 address VLAN ID port tuples that are considered authorized You can enable IPv6 DHCP snooping globally and on specific VLANs and configure ports within the VLAN to be trusted or untrusted If a DHCPv6 message arrives on an untrusted port IPv6 DHCP snooping filters messages that are not from authorized DHCPv6 clients D...

Page 197: ...nooping VLAN Configuration Fields Field Description VLAN ID The VLAN ID that is enabled for IPv6 DHCP snooping In the Add IPv6 DHCP Snooping VLAN Configuration window this field lists the VLAN ID of all VLANs that exist on the device DHCP Snooping Mode The current administration mode of IPv6 DHCP snooping for the VLAN Only VLANs that are enabled for IPv6 DHCP snooping appear in the list If you cha...

Page 198: ... The interface is considered to be trusted and forwards DHCPv6 server messages without validation Log Invalid Packets The administrative mode of invalid packet logging on the interface When enabled the IPv6 DHCP snooping feature generates a log message when an invalid packet is received and dropped by the interface Rate Limit pps The rate limit value for DHCPv6 packets received on the interface To...

Page 199: ...ping Dynamic Bindings page to view and clear dynamic bindings in the IPv6 DHCP snooping bindings database The IPv6 DHCP snooping feature uses DHCPv6 messages to build and maintain the bindings database The bindings database includes data for clients only on untrusted ports IPv6 DHCP snooping creates a tentative binding from DHCPv6 SOLICIT and REQUEST messages Tentative bindings tie a client to an ...

Page 200: ...ndings database which is either locally on the device Local or on a remote system Remote Remote IP Address The IP address of the system on which the IPv6 DHCP snooping bindings database will be stored This field is available only if Remote is selected in the Store field Remote File Name The file name of the IPv6 DHCP snooping bindings database in which the bindings are stored This field is availab...

Page 201: ... traditional Ethernet network may be separated into different network segments to prevent placing too many devices onto the same shared media Bridges and switches connect these segments When a packet with a broadcast or multicast destination address is received the switch will forward a copy into each of the remaining network segments in accordance with the IEEE MAC Bridge standard Eventually the ...

Page 202: ... configure Admin Mode Select the interface mode for the selected interface for IGMP Snooping for the switch from the drop down menu The default is disable Group Membership Interval Specify the amount of time you want the switch to wait for a report for a particular group on a particular interface before it deletes that interface from the group The valid range is 2 to 3600 seconds The default is 26...

Page 203: ...ve multicast packets directed to the group address Fast Leave Admin Mode The administrative mode of Fast Leave on the VLAN If Fast Leave is enabled the VLAN can be immediately removed from the Layer 2 forwarding table entry upon receiving an IGMP leave message for a multicast group without first sending out MAC based general queries Group Membership Interval Seconds The number of seconds the VLAN ...

Page 204: ...ts existence can be learned dynamically You can also statically configure one or more VLANs on each interface to act as a multicast router interface which is an interface that faces a multicast router or IGMP querier and receives multicast traffic To access the Multicast Router VLAN Status page click Switching IGMP Snooping Multicast Router VLAN Status in the navigation menu Table 204 IGMP Snoopin...

Page 205: ...ces on the selected port or LAG To disable a VLAN as a multicast router interface click the VLAN ID to select it or Ctrl click to select multiple VLAN IDs Then click the appropriate arrow to move the selected VLAN or VLANs to the VLAN IDs window Click Refresh to refresh the page with the most current data from the switch Configuring IGMP Snooping Querier Use this page to configure the global IGMP ...

Page 206: ...s a multicast querier in the network If you make any changes to this page click Submit to apply the changes to the system Click Refresh to refresh the page with the most current data from the switch VLAN Configuration Use the IGMP Snooping Querier VLAN Configuration page to enable the snooping querier feature on one or more VLANs and to configure per VLAN IGMP snooping querier settings Only VLANs ...

Page 207: ...is value is not configured the VLAN uses the global IGMP snooping querier IP address Click Refresh to refresh the page with the most current data from the switch VLAN Status Use the IGMP Snooping Querier VLAN Status page to view information about the IGMP snooping querier status for all VLANs that have the snooping querier enabled To access this page click Switching IGMP Snooping Querier VLAN Stat...

Page 208: ... the data instead of being flooded to all of the ports in a VLAN This list is constructed by snooping IPv6 multicast control packets Note This feature is available for 220 switches only Global Configuration and Status To access the MLD Snooping Configuration and Status page click Switching MLD Snooping Configuration in the navigation menu Table 209 MLD Snooping Configuration and Status Fields Fiel...

Page 209: ...val Multicast Router Present Expiration Time The number of seconds the interface should wait to receive a query before it is removed from the list of interfaces with multicast routers attached Fast Leave Admin Mode The administrative mode of Fast Leave on the interface If Fast Leave is enabled the interface can be immediately removed from the Layer 2 forwarding table entry upon receiving an MLD le...

Page 210: ... Admin Mode The administrative mode of Fast Leave on the VLAN If Fast Leave is enabled the VLAN can be immediately removed from the Layer 2 forwarding table entry upon receiving an MLD leave message for a multicast group without first sending out MAC based general queries Click Refresh to refresh the page with the most current data from the switch Multicast Router Configuration Use the MLD Snoopin...

Page 211: ...hat are configured with multicast router VLANs appear in the table When adding multicast router VLAN information for an interface use the Interface menu to select the interface on which to enable one or more multicast router VLAN interfaces When editing multicast router VLAN information this field shows the interface that is being configured VLAN IDs The ID of each VLAN configured as enabled as a ...

Page 212: ...t of time the device remains in non querier mode after it has discovered that there is a multicast querier in the network If you make any changes to this page click Submit to apply the changes to the system Click Refresh to refresh the page with the most current data from the switch VLAN Configuration Use the MLD Snooping Querier VLAN Configuration page to enable the MLD snooping querier feature o...

Page 213: ...e VLAN If this value is not configured the VLAN uses the global MLD snooping querier IPv6 address Click Refresh to refresh the page with the most current data from the switch VLAN Status Use the MLD Snooping Querier VLAN Status page to view information about the MLD snooping querier status for all VLANs that have the snooping querier enabled To access this page click Switching MLD Snooping Querier...

Page 214: ...ip after you create a port channel The port channel by default becomes a member of the management VLAN A port channel LAG interface can be either static or dynamic but not both All members of a port channel must participate in the same protocols A static port channel interface does not require a partner system to be able to aggregate its member ports Note If you configure the maximum number of dyn...

Page 215: ...s whether to send traps when link status changes If the status is Enabled traps are sent Members Lists the ports that are members of the Port Channel in Slot Port notation Unit Slot Port for stackable systems There can be a maximum of 8 ports assigned to a Port Channel Active Ports Lists the ports that are actively participating members of this Port Channel in Slot Port notation Unit Slot Port for...

Page 216: ...d which means it does not transmit or process received LAGPDUs The member ports do not transmit LAGPDUs and all the LAGPDUs it may receive are dropped A static port channel interface does not require a partner system to be able to aggregate its member ports Disable The port channel is dynamically maintained The interface transmits and processes LAGPDUs and requires a partner system Local Preferenc...

Page 217: ...nnel interface or port channel member port goes down To access this page click Switching Port Channel Statistics in the navigation menu Table 219 Port Channel Statistics Fields Field Description Interface The port channel or member port physical port associated with the rest of the data in the row Channel Name The port channel name associated with the port channel For a physical port this field id...

Page 218: ...lds Field Description MAC Address The VLAN ID the first two groups of hexadecimal digits and multicast MAC address the last six groups of hexadecimal digits that has been added to the MFDB Component The feature on the device that was responsible for adding the entry to the multicast forwarding database which is one of the following IGMP Snooping A Layer 2 feature that allows the device to dynamica...

Page 219: ... MAC address associated with the entry in the MFDB Type The type of entry which is one of the following Static The entry has been manually added to the MFDB by an administrator Dynamic The entry has been added to the MFDB as a result of a learning process or protocol Entries that appear on this page have been added by using GARP Description A text description of this multicast table entry Interfac...

Page 220: ...223 Multicast Forwarding Database Statistics Fields Field Description MFDB Max Table Entries The maximum number of entries that the multicast forwarding database can hold MFDB Most Entries Since Last Reset The largest number of entries that have been present in the multicast forwarding database since the device was last reset This value is also known as the MFDB high water mark MFDB Current Entrie...

Page 221: ...ent Multicast Groups The current number of membership groups that are statically configured in the MVR database Query Response Time The maximum time to wait for an IGMP membership report on a receiver port before removing the port from the multicast group The query time is specified in tenths of a second If you make any configuration changes click Submit to apply the new settings to the switch Cli...

Page 222: ...es that are members of the MVR group Click Refresh to update the information on the screen with the most current data MVR Interface Status Use the MVR Interface Status page to configure MVR settings on specific interfaces To configure the settings for one or more interfaces select each entry to modify and click Edit The same MVR settings are applied to all selected interfaces To access this page c...

Page 223: ...al number of IGMPv1 Reports successfully transmitted or received by the processor IGMPv2 Reports The total number of IGMPv2 Reports successfully transmitted or received by the processor IGMP Leaves The total number of IGMP Leaves successfully transmitted or received by the processor Packet Failures The total number of packets which failed to get transmitted or received by the processor Click Refre...

Page 224: ...etween end stations avoiding and eliminating loops For information on configuring Common STP see CST Port Configuration on page 227 MSTP Multiple Spanning Tree Protocol supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces Each instance of the Spanning Tree behaves in the manner specified in IEEE 802 1w Rapid Spanning Tree RSTP with slight modif...

Page 225: ... same MSTP region must share the same Configuration Name Configuration Revision Level and MST to VLAN mappings Configuration Revision Level The revision number of the MSTP region This number must be the same on all switches that participate in the MSTP region Configuration Digest Key The 16 byte signature of type HMAC MD5 Message Digest algorithm 5 created from the MST Configuration Table a VLAN I...

Page 226: ... has passed since the topology of the spanning tree has changed since the device was last reset Topology Change Count The number of times the topology of the spanning tree has changed Topology Change Whether a topology change is in progress on any port assigned to the CST If a change is in progress the value is True otherwise it is False Designated Root The bridge identifier of the root bridge for...

Page 227: ...traffic and receives but does not send BPDUs During the election process all ports are in the blocking state The port is blocked to prevent network loops Listening The port sends and receives BPDUs and evaluates information to provide a loop free topology This state occurs during network convergence and is the first state in transitioning to the forwarding state Learning The port learns the MAC ad...

Page 228: ...TP are not allowed to influence the STP topology Port ID A unique value that is automatically generated based on the port priority value and the interface index Port Up Time Since Counters Last Cleared The amount of time that the port has been up since the counters were cleared Port Mode The administrative mode of spanning tree on the port Designated Root The bridge ID of the root bridge for the C...

Page 229: ...nfigure the MSTIs (Multiple Spanning Tree Instances) on the device MSTP allows the creation of MSTIs based upon a VLAN or groups of VLANs Configuring MSTIs creates an active topology with a better distribution of network traffic and an increase in available bandwidth when compared to classic STP Use the buttons to perform the following tasks To configure a new MSTI click Add and specify the desired...

Page 230: ...any configuration changes click Submit to apply the new settings to the switch Click Refresh to update the screen with most recent data MST Port Configuration Use this page to view and configure the Multiple Spanning Tree MST settings for each interface on the device To configure MST settings for an interface and to view additional information about the interface s role in the MST topology first s...

Page 231: ... user traffic Disabled The port is administratively disabled and is not part of the spanning tree Port Priority The priority for the port within the MSTI This value is used in determining which port on a switch becomes the root port when two ports have the same least cost path to the root The port with the lower priority value becomes the root port If the priority values are the same the port with...

Page 232: ...ta units BPDUs transmitted and received on each port To display the Spanning Tree Statistics page click Switching Spanning Tree Statistics in the navigation menu Table 234 Spanning Tree Statistics Fields Field Description Interface The port or LAG associated with the rest of the data in the row STP BPDUs Rx The number of classic STP IEEE 802 1d BPDUs received by the interface STP BPDUs Tx The numb...

Page 233: ...root or standby bridge Hello Time Seconds The interval between sending successive BPDUs Configures the spanning tree hello time interval for the specified VLAN Forward Delay Seconds Configures the spanning tree forward delay time for a specified VLAN This interval is the time spent in listening and learning states before transitioning a port to the forwarding states Max Age Seconds The maximum age...

Page 234: ...dge priority to a lower value to ensure the bridge is the root or standby bridge Hello Time Seconds The interval between sending successive BPDUs Configures the spanning tree hello time interval for the specified VLAN Forward Delay Seconds Configures the spanning tree forward delay time for a specified VLAN This interval is the time spent in listening and learning states before transitioning a por...

Page 235: ...lue to a lower number to prefer a port for forwarding of frames This priority configuration is used when the port is configured as a point to point link type Cost The path cost from the port to the root bridge Table 239 PVSTP PVRSTP Interface Edit Fields Field Description Interface List of physical interfaces and LAGs Priority The port priority configuration is used to allow the operator to select...

Page 236: ... CoS criteria you specify When a packet is queued for transmission in a port the rate at which it is serviced depends on how the queue is configured and possibly the amount of traffic present in the other queues of the port If a delay is necessary packets get held in the queue until the scheduler authorizes the queue for transmission Use the 802 1p Priority Mapping page in the Class of Service fol...

Page 237: ...ote that you can effectively disable dynamic locking by setting the number of allowable dynamic entries to zero Static locking allows you to specify a list of MAC addresses that are allowed on a port The behavior of packets is the same as for dynamic locking only packets with an allowable source MAC address can be forwarded To see the MAC addresses learned on a specific port see Configuring and Se...

Page 238: ...cky Mode The sticky MAC address learning mode which is one of the following Enabled MAC addresses learned or manually configured on this interface are learned in sticky mode A sticky mode MAC address is a MAC address that does not age out and is added to the running configuration If the running configuration is saved to the startup configuration the sticky addresses are saved to persistent storage...

Page 239: ...ames with a source MAC address that has already been learned will be forwarded A dynamically learned MAC address is removed from the MAC address table if the entry ages out the link goes down or the system resets Note that the behavior of a dynamically learned address changes if the sticky mode for the interface is enabled or the address is converted to a static MAC address Operational MAC Limit T...

Page 240: ...rity Dynamic MAC in the navigation menu Table 245 Port Security Dynamic Fields Field Description Interface Select the physical interface or the LAG on which to view the dynamically learned MAC addresses MAC Address This column lists the dynamically learned MAC addresses if any on the selected port VLAN ID Displays the VLAN ID corresponding to the dynamically learned MAC address Managing LLDP The I...

Page 241: ... 1 10 seconds Notification Interval Limits the transmission of notifications The default is 5 seconds and the range is 5 3600 seconds If you make any changes to the page click Submit to apply the new settings to the system LLDP Interface Configuration Use the LLDP Interface Configuration page to specify LLDP parameters that are applied to a specific interface To display this page click Switching L...

Page 242: ... the transmission of management address instance Clear the checkbox to disable management information transmission The default is disabled Use the buttons to perform the following tasks To configure LLDP settings on an interface that does not have any LLDP settings enabled click Add To change the LLDP settings for an interface in the table select the entry to update and click Edit If you clear dis...

Page 243: ...inistrator can configure this information on the Port Description page Click Refresh to update the information on the screen with the most current data After you click Details a window opens and displays additional information about the data the interface transmits in its LLDPDUs The following information describes the additional fields that appear in the LLDP Local Device Information window Table...

Page 244: ...r you click Details a window opens and displays additional information If the interface has received LLDP data from a remote device the window displays detailed information about the device If the interface has not received any LLDPDUs from remote devices the window displays a message indicating that no LLDP data has been received The following information describes the additional fields that appe...

Page 245: ...mation advertised by a particular MAC Service Access Point MSAP has been deleted from the tables associated with the remote systems Total Drops Displays the number of times a complete set of information advertised by a particular MAC Service Access Point MSAP could not be entered into tables associated with the remote systems because of insufficient resources Total Ageouts Displays the number of t...

Page 246: ...ys the total number of LLDP TLVs received on the local ports which are of type 802 3 Click Refresh to update the page with the most current information Click Clear to clear the LLDP statistics of all the interfaces LLDP MED The Link Layer Discovery Protocol Media Endpoint Discovery LLDP MED is an enhancement to LLDP that features Auto discovery of LAN policies such as VLAN Layer 2 Priority and Dif...

Page 247: ...in the navigation menu Table 255 LLDP MED Interface Configuration Fields Field Description Interface Selects the port that you want to configure LLDP MED 802 1AB on You can select All to configure all interfaces on the DUT with the same properties The Interface Configuration page will not be able to display the summary of All interfaces The summary of individual interfaces is visible from the Inte...

Page 248: ...ype transmitted in the TLV The application types are unknown voicesignaling guestvoice guestvoicesignalling softphonevoice videoconferencing streamingvideo videosignalling Each application type that is transmitted has the VLAN ID priority DSCP tagged bit status and unknown bit status A port may transmit one or many such application types This information is displayed only when a network policy TLV...

Page 249: ...ge Class III Communication for example IP Telephone The fourth device is Network Connectivity Device which is typically a device such as a LAN switch or router IEEE 802 1 bridge or IEEE 802 11 wireless access point Network Policy Information This section describes the information in the network policy TLVs received in the LLDP MED frames on this interface Media Application Type The media applicati...

Page 250: ... port on loop detection The Loop Protection feature is not intended for ports that serve as uplinks between spanning tree aware switches Loop Protection feature is designed for unmanaged switches which drop spanning Tree BPDUs This feature detects physical and logical loops between Ethernet ports on a device The feature needs to be enabled globally before enabling it at the interface level for the...

Page 251: ...d on the interface If blank then no loop is detected Loop Count The number of times a loop has occurred on the interface Time of Last Loop The date and time the most recent loop was detected Click Submit to update the switch The changes take effect but will not be retained across a power cycle unless a save is performed Multiple Registration Protocol Configuration Like 802 1AS Multiple Registrati...

Page 252: ...fic through the network Note MRP framework must be available and enabled in all intermediate devices to ensure that the propagation of the attributes occurs throughout the network With MRP network attributes are declared registered withdrawn and removed completely dynamically without any user intervention This dynamic nature is especially useful in networks where Network attributes are likely to c...

Page 253: ...fect of topology changes and reduce the number of protocol data units PDUs transmitted between devices MSRP Multiple Stream Reservation Protocol MSRP reserves necessary resources in the network to facilitate the end to end flow of time sensitive traffic In a typical network there are multiple Talkers those who transmit streams and multiple Listeners those who receive streams from one or many Talke...

Page 254: ... amount of time to wait for JoinIn messages from other MRV participants after the interface sends a Join message If the amount of time specified in this field passes before the interface receives a JoinIn message the interface resends the Join message Leave Timer The amount of time to wait before the interface deregisters attributes from other MRV participants If the interface receives Join messag...

Page 255: ...with the rest of the data in the row Frames Received Shows number of MVRP frames that have been received on the switch Bad Header Shows number of MVRP frames with bad headers that have been received on the switch Bad Format Shows number of MVRP frames with bad PDUs body formats that have been received on the switch Frames Transmitted Shows number of MVRP frames that have been transmitted on ...

Page 256: ...ly by using the CLI No web based administrative pages are available for BGP configuration Configuring ARP The ARP Address Resolution Protocol protocol associates a Layer 2 MAC address with a Layer 3 IPv4 address 200 Series software features both dynamic and manual ARP configuration With manual ARP configuration you can statically add entries into the ARP table ARP is a necessary part of the intern...

Page 257: ...he ARP Create page to add an entry to the Address Resolution Protocol table To display this page click Routing ARP Table Summary in the navigation menu The ARP Table displays at the bottom of the page and contains the following fields Use the buttons to perform the following tasks To add a static ARP entry click Add The Add Static ARP Entry dialog box opens Specify the new entry information in the...

Page 258: ...n in the navigation menu Table 264 ARP Table Configuration Fields Field Description Age Time The amount of time in seconds that a dynamic ARP entry remains in the ARP table before aging out Response Time The amount of time in seconds that the device waits for an ARP response to an ARP request that it sends Retries The maximum number of times an ARP request will be retried after an ARP response is ...

Page 259: ... requests ICMP Redirects Select this option to allow the device to send ICMP Redirect messages to hosts An ICMP Redirect message notifies a host when a better route to a particular destination is available on the network segment ICMP Rate Limit Interval To control the ICMP error packets you can specify the number of ICMP error packets that are allowed per burst interval By default the rate limit i...

Page 260: ... to view and click Details To display this page click Routing IP Interface Summary in the navigation menu Table 266 Interface Summary Fields Field Description Interface The interface associated with the rest of the data in the row When viewing details about the routing settings for an interface this field identifies the interface being viewed Status Whether the interface is capable of routing IP p...

Page 261: ...ically configured by an administrator DHCP The IP address has been learned dynamically through DHCP If the method is DHCP but the interface does not have an IP address the interface is unable to acquire an address from a network DHCP server Bandwidth The configured bandwidth on this interface This setting communicates the speed of the interface to higher level protocols Encapsulation Type The link...

Page 262: ...uting To configure routing settings for an interface select it from the menu and then configure the rest of the settings on the page Status Whether the interface is currently capable of routing IP packets Up or cannot route packets Down For the status to be Up the routing mode and administrative mode for the interface must be enabled Additionally the interface must have an IP address and be physic...

Page 263: ...ion is selected network directed broadcasts are forwarded If this option is clear network directed broadcasts are dropped Proxy ARP When this option is selected proxy ARP is enabled and the interface can respond to an ARP request for a host other than itself An interface can act as an ARP proxy if it is aware of the destination and can route packets to the intended host which is on a different sub...

Page 264: ... that can be configured for routing To configure routing settings for an interface select it from the menu and then configure the rest of the settings on the page IP Address The IP address of the loopback interface Subnet Mask The IP subnet mask for the interface also known as the network mask or netmask Secondary IP Address To add a secondary IP address on the interface click the plus symbol in t...

Page 265: ...buffer space Note that this counter does not include any datagrams discarded while awaiting re assembly IpInDelivers The total number of input datagrams successfully delivered to IP user protocols including ICMP IpOutRequests The total number of IP datagrams which local IP user protocols including ICMP supplied to IP in requests for transmission Note that this counter does not include any datagram...

Page 266: ... messages received IcmpInEchos The number of ICMP Echo request messages received IcmpInEchoReps The number of ICMP Echo Reply messages received IcmpInTimestamps The number of ICMP Timestamp request messages received IcmpInTimestampReps The number of ICMP Timestamp Reply messages received IcmpInAddrMasks The number of ICMP Address Mask Request messages received IcmpInAddrMaskReps The number of ICMP...

Page 267: ...g Router Route Table in the navigation menu Table 271 Route Table Fields Field Description Network Address The IP route prefix for the destination Subnet Mask Also referred to as the subnet network mask this indicates the portion of the IP interface address that identifies the attached network Protocol This field tells which protocol created the specified route The possibilities are one of the fol...

Page 268: ...ou are returned to the Configured Routes page 1 Open the Configured Routes page 2 Click Add The Router Route Entry Configuration window opens 3 Next to Route Type select one of the following options from the menu Default Enter the default gateway address in the Next Hop IP Address field Static Enter values for Network Address Subnet Mask Next Hop IP Address and Preference Static Reject Packets to ...

Page 269: ...te is to be a Default route or a Static route 4 Click Submit To remove a configured route click Delete IP Route Summary The IP Route Summary page displays summary information about the entries in the IP routing table To display this page click Routing Router Summary in the navigation menu Table 274 Summary Fields Field Description Connected Routes The total number of connected routes in the IP rou...

Page 270: ...s reserved so that local routes can be installed when a routing interface bounces Unique Next Hops High The number of distinct next hops used among all routes currently in the routing table These include local interfaces for local routes and neighbors for indirect routes Next Hop Groups High The current number of next hop groups in use by one or more routes Each next hop group includes one or more...

Page 271: ...ed to reach each Using RIP routers periodically exchange entire routing tables Note This feature is available for 220 switches only Use the command line interface to configure RIP Refer to Routing Information Protocol Commands in ExtremeSwitching 200 Series Command Reference Guide Configuring Routing ExtremeSwitching 200 Series Administration Guide 271 ...

Page 272: ... components Authenticators Specifies the port that is authenticated before permitting system access Supplicants Specifies host connected to the authenticated port requesting access to the system services Authentication Server Specifies the external server for example the RADIUS Remote Authentication Dial In User Service server that performs the authentication on behalf of the authenticator and ind...

Page 273: ...nticate a client for any reason for example RADIUS access reject from the RADIUS server RADIUS timeout or the client itself is 802 1X unaware the client is authenticated and is undisturbed by the failure condition s The reasons for failure are logged and buffered into the local logging database for tracking purposes EAPOL Flood Mode The administrative mode of the Extensible Authentication Protocol...

Page 274: ...horized The port sends and receives normal traffic without client port based authentication MAC Based This mode allows multiple supplicants connected to the same port to each authenticate individually Each host connected to the port must authenticate separately in order to gain access to the network The hosts are distinguished by their MAC addresses Operating Control Mode The control mode under wh...

Page 275: ...to force the associated interface to restart the authentication process If you change any of the parameters click Submit to apply the changes to the system If you want the switch to retain the new values across a power cycle you must save the configuration Port Access Control Port Configuration Use the Port Access Control Port Configuration page to enable and configure port access control on one o...

Page 276: ...ot provide authentication services to the client Force Authorized The port sends and receives normal traffic without client port based authentication MAC Based This mode allows multiple supplicants connected to the same port to each authenticate individually Each host connected to the port must authenticate separately in order to gain access to the network The hosts are distinguished by their MAC ...

Page 277: ...authorized state and is automatically denied system access Force Authorized The port is placed into an authorized state and does not require client port based authentication to be able to send and receive traffic User Name The name the port uses to identify itself as a supplicant to the authenticator port The menu includes the users that are configured for system management When authenticating the...

Page 278: ...upplicants connected to the same port to each authenticate individually Each host connected to the port must authenticate separately in order to gain access to the network The hosts are distinguished by their MAC addresses Quiet Period The number of seconds that the port remains in the quiet state following a failed authentication exchange Transmit Period The value in seconds of the timer used by ...

Page 279: ...The state can be one of the following Initialize Disconnected Connecting Authenticating Authenticated Aborting Held ForceAuthorized ForceUnauthorized Backend Authentication State The current state of the backend authentication state machine which is the 802 1X process that controls the interaction between the 802 1X client on the local system and the remote authentication server The state can be o...

Page 280: ...upplicant retransmits the authentication request until it is authenticated or has sent the number of messages configured in the Maximum Start Messages field Start Period The amount of time the supplicant port waits for a response from the authenticator port after sending a Start packet If no response is received the supplicant retransmits the Start packet Held Period The amount of time the supplic...

Page 281: ...rames are sent by a supplicant to indicate that it is disconnecting from the network and the interface can return to the unauthorized state This field is displayed only if the interface is configured as an authenticator EAP Response ID Frames Received The total number of EAP Response Identity frames the interface has received EAP Response Identity frames are sent by a supplicant to provide user in...

Page 282: ...Clear Button Resets all statistics counters to 0 for the selected interface or interfaces Click Refresh to update the information on the screen Client Summary This page displays information about supplicant devices that are connected to the local authenticator ports If there are no active 802 1X sessions the table is empty To view additional information about a supplicant select the interface it i...

Page 283: ...s Summary in the navigation menu Table 281 Port Access Control Privileges Summary Fields Field Description Interface The local interface associated with the rest of the data in the row When configuring access information for one or more interfaces this field identifies each interface being configured Users The users that are allowed access to the system through the associated port When configuring...

Page 284: ...device Auth Status The authentication status of the client or port Reason The reason for the successful or unsuccessful authentication Click Refresh to update the information on the screen RADIUS Settings RADIUS servers provide additional security for networks The RADIUS server maintains a user database which contains per user authentication information RADIUS servers provide a centralized authent...

Page 285: ...AS IP address for the RADIUS server To specify an address click the Edit icon and enter the IP address of the NAS in the available field The address should be unique to the NAS within the scope of the RADIUS server The NAS IP address is used only in Access Request packets To reset the NAS IP address to the default value click the Reset icon and confirm the action Use the buttons at the bottom of t...

Page 286: ...icator Shows whether the message authenticator attribute for the selected server is enabled or disabled Click Refresh to update the page with the most current information Server Statistics Use the RADIUS Server Statistics page to view statistical information for each RADIUS server configured on the system To access this page click Security RADIUS Statistics in the navigation menu Table 285 RADIUS ...

Page 287: ...ith the most current information RADIUS Accounting Server Status The RADIUS Accounting Server Status page shows summary information about the RADIUS accounting servers configured on the system To access this page click Security RADIUS Accounting Server in the navigation menu Use the buttons to perform the following tasks To add a RADIUS accounting server to the list of servers the RADIUS client ca...

Page 288: ... this RADIUS accounting server Accounting Requests The number of RADIUS Accounting Request packets sent to this server This number does not include retransmissions Pending Requests The number of RADIUS Accounting Request packets destined for the server that have not yet timed out or received a response Timeouts The number of times a response was not received from the server within the configured t...

Page 289: ...urity RADIUS Source Interface Configuration in the navigation menu Table 288 RADIUS Accounting Statistics Fields Field Description Type The type of interface to use as the source interface None The primary IP address of the originating outbound interface is used as the source address Interface The primary IP address of a physical port is used as the source address Loopback The primary IP address o...

Page 290: ...o edit a configured TACACS server from the list select the entry and click Edit To remove a configured TACACS server from the list select the entry to delete and click Remove You must confirm the action before the entry is deleted Table 290 TACACS Server Summary Fields Field Description Server Specifies the TACACS Server IP address or Hostname Priority Specifies the order in which the TACACS serve...

Page 291: ...IP header of TACACS management protocol packets This allows security devices such as firewalls to identify all source packets coming from a specific device To access this page click Security TACACS Source Interface Configuration in the navigation menu Table 292 TACACS Source Interface Configuration Fields Field Description Type The type of interface to use as the source interface None The primary ...

Page 292: ...n that interface Use the buttons at the bottom of the page to perform the following actions Click Submit to apply the settings to the running configuration and cause the change to take effect These changes will not be retained across a power cycle unless a Save configuration is performed Click Refresh to display the latest information from the switch Click Cancel to cancel the change Authenticatio...

Page 293: ...thenticated using a lower priority method are forced to re authenticate Enabled Priority The methods from the list of authentication method priorities configured on an interface which are administratively enabled in the device Authenticated Clients Number of clients authenticated on an interface Re Authentication Timer Interval in seconds after which an attempt is made to authenticate an unauthori...

Page 294: ...n Manager client authentication attempts and failures per interface To access this page click Security Authentication Manager Statistics in the navigation menu Table 296 Authentication Statistics Fields Field Description Interface The interface associated with the rest of the data in the row Dot1x Attempts The number of attempts made to authenticate a client using the Dot1x authentication method D...

Page 295: ... Indicates client is authorized on the port Unauthorized Indicates client is not authorized on the port Authenticated Method The authentication method used to authenticate a client connected to an interface which can be one of the following Dot1x The port based authentication method MAB MAC Authentication Bypass method that uses the MAC address of the client to determine the kind of network access...

Page 296: ...e of computing routes for one or both IP versions Note CLI commands are not available for all the IPv6 pages Global Configuration Use the IPV6 Network Connectivity page to configure and view IPv6 information on the network interface The network interface is the logical interface that allows remote management of the device via any of the front panel switch ports To enable management of the device o...

Page 297: ...configured static IPv6 addresses on the network interface Use the buttons available in this table to perform the following tasks To add an entry to the list click the plus button to open the Add IPv6 Address dialog and provide the following New IPv6 Address Specify the IPv6 address to add to the interface EUI Flag Select this option to enable the Extended Universal Identifier EUI flag for IPv6 add...

Page 298: ...resence of at least one node which is not QoS capable creates a deficiency in the network path and the performance of the entire packet flow is compromised Configuring Access Control Lists ACLs (Access Control Lists) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources ACLs are used to provide traffic flow control ...

Page 299: ... ACL Configuration Use the IP ACL Configuration page to add or remove IP based ACLs On this menu the interfaces to which an IP ACL applies must be specified as well as whether it applies to inbound or outbound traffic Rules for the IP ACL are specified created using the Access Control List Interface Summary on page 307 To display this page click QoS Access Control Lists Summary in the navigat...

Page 300: ...thernet frames Rules Used The number of rules currently configured for the ACL Direction Whether the packet is checked against the rules in an ACL when it is received on an interface Inbound or after it has been received routed and is ready to exit an interface Outbound Interface The interface s to which the ACL has been applied VLAN Each VLAN to which the ACL has been applied Access Control List ...

Page 301: ...termines the criteria that can be used to match packets The type also determines which attributes can be applied to matching traffic IPv4 ACLs classify Layer 3 and Layer 4 IPv4 traffic IPv6 ACLs classify Layer 3 and Layer 4 IPv6 traffic and MAC ACLs classify Layer 2 traffic The ACL types are as follows IPv4 Standard Match criteria is based on the source address of IPv4 packets IPv4 Extended Match ...

Page 302: ... allows you to add a rule to the ACL that was selected from the ACL Identifier field The fields available in the window depend on the ACL type The following information describes the fields in this window The Match Criteria tables that apply to IPv4 ACLs IPv6 ACLs and MAC ACLs are described separately Table 301 Add Access Control List Rule Fields Field Description Match Criteria IPv4 ACLs The fiel...

Page 303: ...es which bits in the IP address are used and which bits are ignored A wild card mask of 255 255 255 255 indicates that no bit is important A wildcard of 0 0 0 0 indicates that all of the bits are important Wildcard masking for ACLs operates differently from a subnet mask A wildcard mask is in essence the inverse of a subnet mask With a subnet mask the mask has ones 1 s in the bit positions that ar...

Page 304: ...Type octet in the IP header IP Precedence Matches the IP Precedence value to the rule The IP Precedence field in a packet is defined as the high order three bits of the Service Type octet in the IP header IP TOS Bits Matches on the Type of Service TOS bits in the IP header The IP TOS field in a packet is defined as all eight bits of the Service Type octet in the IP header For example to check for ...

Page 305: ...an Greater Than or Range and specify the port number or keyword TCP port keywords include BGP Domain Echo FTP FTP Data HTTP SMTP Telnet WWW POP2 and POP3 UDP port keywords include Domain Echo NTP RIP SNMP TFTP TIME and WHO ICMP Type IPv6 ACL rule to match on the specified ICMP message type This option is available only if the protocol is ICMPv6 ICMP Code IPv6 ACL rule to match on the specified ICM...

Page 306: ...mat An F means that the bit is not checked and a zero in a bit position means that the data must equal the value given for that bit For example if the MAC address is aa_bb_cc_dd_ee_ff and the mask is 00_00_ff_ff_ff_ff all MAC addresses with aa_bb_xx_xx_xx_xx result in a match where x is any hexadecimal number Destination MAC Address Mask The MAC address to match to an Ethernet frame s destination ...

Page 307: ...face the ACL rule is applied when the time range with specified name becomes active The ACL rule is removed when the time range with specified name becomes inactive Committed Rate Burst Size The allowed transmission rate for frames on the interface Committed Rate and the number of bytes allowed in a temporary traffic burst Burst Rate After you click the Resequence Rules button the Resequence ACL R...

Page 308: ...page to associate one or more ACLs with one or more VLANs on the device Note You can also associate an ACL with a VLAN routing interface To display this page click QoS Access Control Lists VLANs in the navigation menu Use the buttons to perform the following tasks To associate an ACL with a VLAN click Add and configure the settings in the available fields To remove the association between a VLAN a...

Page 309: ...rface on the device The control plane ACLs are applied to management access through the in band production network ports only Inbound traffic on the CPU port is checked against the rules defined within the ACL until a match is found If the traffic does not match any rules within an ACL it is dropped because of the implicit deny all rule at the end of each ACL To display this page click QoS Access ...

Page 310: ... traffic on the interface relative to other ACLs associated with the interface in the same direction When multiple ACLs are applied to the same interface in the same direction the ACL with the lowest sequence number is applied first and the other ACLs are applied in ascending numerical order IPv6 ACL Rules The maximum number of IPv6 rules depends on the following factors also refer to the 200 Seri...

Page 311: ... determines the criteria that can be used to match packets The type also determines which attributes can be applied to matching traffic IPv4 ACLs classify Layer 3 and Layer 4 IPv4 traffic IPv6 ACLs classify Layer 3 and Layer 4 IPv6 traffic and MAC ACLs classify Layer 2 traffic The ACL types are as follows IPv4 Standard Match criteria is based on the source address of the IPv4 packets IPv4 Extended...

Page 312: ...ized above data packets in order to provide better QoS The Auto VoIP feature explicitly matches VoIP streams in Ethernet switches and provides them with a better class of service than ordinary traffic If you enable the Auto VoIP feature on an interface the interface scans incoming traffic for the following call control protocols Session Initiation Protocol SIP H 323 Skinny Client Control Protocol ...

Page 313: ... each entry to delete and click Remove You must confirm the action before the entry is deleted Table 307 OUI Table Summary Fields Field Description Telephony OUI The unique OUI that identifies the device manufacturer or vendor The OUI is specified in three octet values each octet is represented as two hexadecimal digits separated by colons Status Identifies whether the OUI is preconfigured on the ...

Page 314: ...e the protocol based Auto VoIP mode on the interfaces To display this page click QoS Auto VoIP Protocol Based Auto VoIP in the navigation menu Use the buttons to perform the following tasks To configure the settings for one or more interfaces select each entry to modify and click Edit To apply the same settings to all interfaces click Edit All If you change any of the settings on the page click Su...

Page 315: ...ce s being configured Auto VoIP Mode The administrative mode of the Auto VoIP feature on the interface Enable The interface scans incoming traffic for the following call control protocols Session Initiation Protocol SIP H 323 Skinny Client Control Protocol SCCP Disable The interface does not use the Auto VoIP feature to scan for call control protocols Operational Status The operational status of a...

Page 316: ... override the global setting Interface Shaping Rate Sets the limit on how much traffic can leave a port The limit on maximum transmission bandwidth has the effect of smoothing temporary traffic bursts over time so that the transmitted traffic rate is bounded The specified value represents a percentage of the maximum negotiated bandwidth The default value is zero 0 Valid values are 0 to 100 in incr...

Page 317: ...ict Strict priority services traffic with the highest priority on a queue first Queue Management Type Displays the type of queue depth management techniques used for all queues on this interface This is only used if the device supports independent settings per queue Queue Management Type can only be Taildrop The default value is Taildrop All packets on a queue are safe until congestion occurs At t...

Page 318: ...es in the table A policy class instance is a policy that is associated with an existing DiffServ class Policy Attribute Table The current and maximum number of policy attribute entries in the table A policy attribute entry attaches various policy attributes to a policy class instance Service Table The current and maximum number of service entries in the table A service entry associates a DiffServ ...

Page 319: ...tch packets Click Refresh to update the page with the most current data from the switch Diffserv Class Configuration Use the Diffserv Class Configuration page to define the criteria to associate with a DiffServ class As packets are received or transmitted these DiffServ classes are used to classify and prioritize packets Each class can contain multiple match criteria After you select the class to ...

Page 320: ...e The fields to configure the match values appear after you select the match type Each match criteria type can be used only once within a class If a reference class includes the match criteria type it cannot be used as an additional match type within the class and the match criteria type cannot be selected or configured Each match type other than the Reference Class includes an option to match any...

Page 321: ...configure a range a match occurs if a packet s secondary VLAN ID is the same as any secondary VLAN ID within the range After you select this option use the following fields to configure the secondary VLAN match criteria Secondary VLAN ID Start The secondary VLAN ID to match or the secondary VLAN ID with the lowest value within a range of VLANs Secondary VLAN ID End The secondary VLAN ID with the h...

Page 322: ...Length The IPv6 prefix length Destination IPv6 Address Select this option to require the destination IPv6 address in a packet header to match the specified values After you select this option use the following fields to configure the destination IPv6 address match criteria Destination Prefix The destination IPv6 prefix to match Destination Prefix Length The IPv6 prefix length Source L4 Port Select...

Page 323: ...an IP DSCP Value IP DSCP Value The IP DSCP value to match IP Precedence Select this option to require the packet s IP Precedence value to match the number configured in the IP Precedence Value field The IP Precedence field in a packet is defined as the high order three bits of the Service Type octet in the IP header IP TOS Select this option to require the packet s Type of Service ToS bits in the ...

Page 324: ...ed in the Policy field of the dialog window Type The traffic flow direction to which the policy is applied In The policy is specific to inbound traffic Out The policy is specific to outbound traffic direction Member Classes The DiffServ class or classes that have been added to the policy Click Refresh to update the page with the most current data from the switch Diffserv Policy Configuration Use t...

Page 325: ... all packets in a traffic stream with the specified secondary CoS queue number Use the Class of Service field to select the CoS value to mark in the priority field of the 802 1p header in the secondary inner 802 1Q tag of a double VLAN tagged packet If the packet does not already contain this header one is inserted Mark IP DSCP Select this option to mark all packets in the associated traffic stream...

Page 326: ...a rate and two burst sizes resulting in three outcomes conform exceed and violate After you select this option configure the following policing criteria Color Mode The type of color policing used in DiffServ traffic conditioning Color Conform Class For color aware policing packets are metered against the committed information rate CIR and the peak information rate PIR The class definition used for...

Page 327: ...ival of incoming packets for this class Excess Burst Size Kbytes The maximum size of the packet burst that can be accepted to maintain the Peak Rate Kbps Conform Action The action taken on packets that are considered conforming below the police rate Exceed Action The action taken on packets that are considered to exceed the committed burst size but are within the excessive burst size Violate Actio...

Page 328: ...ce Select an interface to associate with a policy Policy In The menu lists all policies configured with a type of In Select the policy to apply to traffic as it enters the interface Policy Out The menu lists all policies configured with a type of Out Select the policy to apply to traffic as it exits the interface Click Refresh to update the page with the most current data from the switch Diffserv ...

Page 329: ...ription Interface The interface associated with the rest of the data in the row The table displays all interfaces that have a DiffServ policy currently attached in a traffic flow direction Direction The traffic flow direction to which the policy is applied In The policy is applied to traffic as it enters the interface Out The policy is applied to traffic as it exits the interface Policy The name o...

Page 330: ...Click Refresh to update the page with the most current data from the switch Configuring Quality of Service ExtremeSwitching 200 Series Administration Guide 330 ...

Page 331: ...tains procedures on how to configure the feature by using the web interface and or CLI and or SNMP Simple Network Management Protocol Note Each configuration example starts from a factory default configuration unless otherwise noted Configuring VLANs Figure 6 shows a switch with four ports configured to handle the traffic for two VLANs Port 1 0 2 handles traffic for both VLANs while port 1 0 1 is ...

Page 332: ... be transmitted tagged from ports that are members of VLAN 2 8 Click Submit 9 Select VLAN 3 from the VLAN ID and Name List 10 Select the Participate option in the VLAN field 11 For ports 1 0 2 1 0 3 and 1 0 4 select Include from the Participation menu to specify that these ports are members of VLAN 3 12 Click Submit 13 Go to the Switching VLAN Port Configuration page 14 From the Interface menu sel...

Page 333: ...or port 1 0 2 assign VLAN3 as the default VLAN Extreme 220 Routing Interface 1 0 2 vlan pvid 3 exit 4 Specify that frames will always be transmitted tagged from ports that are members of VLAN 2 Extreme 220 Routing Config vlan port tagging all 2 exit 5 Assign the ports that will belong to VLAN 3 Port 1 0 2 belongs to both VLANs and port 1 0 1 can never belong to VLAN 3 Extreme 220 Routing Config in...

Page 334: ...h octet within this value specifies a set of eight ports with the first octet specifying ports 1 8 the second octet specifying ports 9 16 and so on Within each octet the most significant bit represents the lowest numbered port and the least significant bit represents the highest numbered port Thus each port of the bridge is represented by a single bit within the value of this object If that bit ha...

Page 335: ... configuration name digest key and revision level are the same for all switches in the region Note The digest key is generated based on the association of VLANs to different instances To ensure the digest key is same the mapping of VLAN to instance must be the same on each switch in the region For example if VLAN 10 is associated with instance 10 on one switch you must associate VLAN 10 and instan...

Page 336: ...AN 10 and VLAN 20 Extreme 220 Routing vlan database vlan 10 vlan 20 exit 2 Enable spanning tree Globally Extreme 220 Routing config spanning tree 3 Create MST instances 10 and 20 spanning tree mst instance 10 spanning tree mst instance 20 4 Associate MST instance 10 to VLAN 10 and MST instance 20 to VLAN 20 spanning tree mst vlan 10 10 spanning tree mst vlan 20 20 5 Change the name so that all the...

Page 337: ...om 4413 broadcomProducts 1 fastPath 1 fastPathSwitching 1 agentConfigGroup 2 agentStpSwitchConfig Group 15 agentStpAdminMode 6 3 Use the agentStpConfigName object in the agentStpSwitchConfigGroup to change the name so that all the bridges that want to be part of the same region can form the region 4 Use the agentStpMstRowStatus object in the agentStpMstTable to create MST instances 10 and 20 5 Use...

Page 338: ...ring VLAN Routing This section provides an example of how to configure 200 Series software to support VLAN routing The configuration of the VLAN router port is similar to that of a physical port The main difference is that after the VLAN has been created you must use the show ip vlan command to determine the VLAN s interface ID so that you can use it in the router configuration commands Figure 7 s...

Page 339: ...ng 10 vlan routing 20 exit 6 View the logical interface IDs assigned to the VLAN routing interfaces Extreme 220 Routing show ip vlan MAC Address used by Routing VLANs 00 00 AA 12 65 12 Logical VLAN ID Interface IP Address Subnet Mask 10 0 4 1 0 0 0 0 0 0 0 0 20 0 4 2 0 0 0 0 0 0 0 0 As the output shows VLAN 10 is assigned ID 0 4 1 and VLAN 20 is assigned ID 0 4 2 7 Enable routing for the switch co...

Page 340: ...e appropriate number of octets to 0 Each octet represents eight ports so for a 48 port switch the first six octets would be zero 5 To enable routing for the VLANs use the agentSwitchIpVlanRoutingStatus object in the agentSwitchIpVlanTable under agentSwitchIpGroup in fastPathRouting to set the value for VLAN 10 and VLAN 20 to CreateAndGo 4 6 Walk the agentSwitchIpVlanIfIndex object to view the logi...

Page 341: ... network resources Using the CLI to configure 802 1X Port Based Access Control 1 Configure the RADIUS authentication server IP address Extreme 220 Config radius server host auth 10 10 10 10 2 Configure the RADIUS authentication server secret key Extreme 220 Config radius server key auth 10 10 10 10 You are prompted and then re prompted to enter the secret key 3 Configure the RADIUS accounting serv...

Page 342: ...countingStatus object to enable RADIUS accounting mode 8 Use the agentUserConfigDefaultAuthenticationList object in agentAuthenticationGroup in the FASTPATH SWITCHING module to set RADIUS as the default login list for dot1x 9 To enable 802 1X authentication on the switch set the dot1xPaeSystemAuthControl object in the IEEE8021 PAE MIB module to enable 1 10 To set the 802 1X mode for port 1 0 1 to ...

Page 343: ...cation Tiering using the CLI 1 Enable Authentication Tiering globally config authentication enable exit 2 Configure the authentication order priority and restart timer on interface 1 0 3 config interface 1 0 3 authentication order dot1x mab captive portal authentication priority captive portal dot1x authentication restart 10000 exit exit Configuring Differentiated Services for VoIP One of the most...

Page 344: ...he switch Extreme 220 Routing config cos queue strict 5 diffserv 2 Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets The class type match all indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match class map match all class_voip match protocol udp exit Configuration Examples Extre...

Page 345: ...fServ for the switch 2 To set queue 5 on all ports to use strict priority mode use the agentCosQueueSchedulerType in the agentCosQueueTable in the FASTPATH QOS COS MIB module This queue is used for all VoIP packets 3 Use the agentDiffServClassRowStatus object in the agentDiffServClassTable to create two new DiffServ instances Set the value to CreateAndGo 4 4 Use the agentDiffServClassName in the ag...

Page 346: ... Group Management Protocol packets in a subnet and identify ports on which interested IP multicast listeners are present It also identifies the ports on which multicast routers are attached and these are the likely ports on which IP multicast sources are present This section describes how the snooping switch handles IGMP messages addresses considerations for IGMP packet and IP multicast traffic fo...

Page 347: ... the interface that received the IGMP Leave message from the Layer 2 multicast forwarding entry immediately upon processing the message No IGMP Leave query is sent in this scenario Configuring the immediate leave is useful in situations where instantaneous control of group registrations is required which results in better bandwidth control IGMP Packet Forwarding Considerations The snooping switch ...

Page 348: ...00 5E 03 03 03 As a result if a host requests 225 1 1 1 using IGMPv2 or IGMPv1 then it might receive multicast traffic of group 226 1 1 1 as well IGMP Snooping in a Multicast Router IGMP snooping is a Layer 2 feature and is achieved by using the Layer 2 multicast forwarding table However when multicast routing is enabled on a 200 Series switch Layer 2 multicast forwarding entries do not affect mul...

Page 349: ...upmembership interval 250 The following example shows how to configure the group membership interval on VLAN 10 VLAN Config mode console Vlan set igmp groupmembership interval 10 250 The following example shows how to configure the max response interval on an interface Interface Config mode console Interface 1 0 1 set igmp maxresponse 10 The following example shows how to configure the max respons...

Page 350: ...e multicast 01 00 5e 11 22 33 1 Fwd VLAN ID MAC Address Source Type Description Interface Interface 1 01 00 5E 11 22 33 Filter Static Mgmt Config Fwd Fwd 1 0 2 1 0 2 Configuring Port Mirroring Port mirroring is used to monitor the network traffic that a port sends and receives The Port Mirroring feature creates a copy of the traffic that the source port handles and sends it to a destination port T...

Page 351: ... pair of devices transmits BFD packets between them periodically and if one stops receiving peer packets within detection time limit it considers the bidirectional path to have failed It then notifies the application protocol using its services BFD allows each device to estimate how quickly it can send and receive BFD packets to agree with its neighbor upon how fast detection of failure could be d...

Page 352: ...for BFD control packets when the echo function is enabled The slow timer value is used as the new control packet interval while the echo packets use the configured BFD intervals 3 Configure BGP to use BFD for fast detection of faults between neighboring devices A neighboring device IP address Router Config router bgp Router Config router neighbor 172 16 11 6 fall over bfd Router Config router exit...

Page 353: ...o that traffic can be transmitted AS In OSPF Open Shortest Path First an Autonomous System is a connected segment of a network topology that consists of a collection of subnetworks with hosts attached interconnected by a set of routes The subnetworks and the routers are expected to be under the control of a single administration Within an AS routers may use one or more interior routing protocols a...

Page 354: ...e Set CA A Certificate Authority is a trusted third party that generates and signs certificates A CA may be a commercial concern such as GoDaddy or GeoTrust A CA may also be an in house server for certificates used within an enterprise carrier VLAN In STP Spanning Tree Protocol carrier VLAN Virtual LAN s define the scope of the STPD Spanning Tree Domain including the physical and logical ports tha...

Page 355: ... all regions connect to the CIST root through their respective CIST regional roots CIST root bridge In an MSTP Multiple Spanning Tree Protocol environment the bridge with the lowest bridge ID becomes the CIST Common and Internal Spanning Tree root bridge The bridge ID includes the bridge priority and the MAC address The CIST root bridge can be either inside or outside an MSTP region The CIST root ...

Page 356: ...d in Local Area Wireless Network LAWN transmissions where a data signal at the sending station is combined with a higher data rate bit sequence or chipping code that divides the user data according to a spreading ratio The chipping code is a redundant bit pattern for each bit that is transmitted which increases the signal s resistance to interference If one or more bits in the pattern are damaged ...

Page 357: ...ery Protocol is an Extreme Networks proprietary protocol that allows you to detect Layer 2 loops EMISTP Extreme Multiple Instance Spanning Tree Protocol This Extreme Networks proprietary protocol uses a unique encapsulation method for STP Spanning Tree Protocol messages that allows a physical port to belong to multiple STPD Spanning Tree Domain s EPS Ethernet Protection Switching is defined in ITU...

Page 358: ...estination ICV Integrity Check Value is a 4 byte code appended in standard WEP Wired Equivalent Privacy to the 802 11 message Enhanced WPA inserts an 8 byte MIC just before the ICV See MIC Message Integrity Check or Code IETF The Internet Engineering Task Force is a large open international community of network designers operators vendors and researchers concerned with the evolution of the Interne...

Page 359: ...ocol LLC The IEEE 802 2 Logical Link Control protocol provides a link mechanism for upper layer protocols It is the upper sub layer of the Data Link Layer and provides multiplexing mechanisms that make it possible for several network protocols IP IPX to coexist within a multipoint network The LLC header consists of a 1 byte Destination Service Access Point DSAP 1 byte Source Service Access Point S...

Page 360: ...ditional 8 byte code inserted before the standard 4 byte ICV Integrity Check Value appended in by standard WEP Wired Equivalent Privacy to the 802 11 message This greatly increases the difficulty in carrying out forgery attacks Both integrity check mechanisms are calculated by the receiver and compared against the values sent by the sender in the frame If the values match there is assurance that t...

Page 361: ...ls MTU A Maximum Transmission Unit is a configurable parameter that determines the largest packet that can be transmitted by an IP interface without the packet needing to be broken down into smaller units Note Packets that are larger than the configured MTU size are dropped at the ingress port Or if configured to do so the system can fragment the IPv4 packets and reassemble them at the receiving e...

Page 362: ...uthentication Protocol is an IETF Internet Engineering Task Force draft standard to authenticate wireless LAN clients without requiring them to have certificates In PEAP authentication first the user authenticates the authentication server then the authentication server authenticates the user If the first phase is successful the user is then authenticated over the SSL tunnel created in phase one u...

Page 363: ...Very high frequency VHF 30 MHz 300 MHz and Ultra high frequency UHF 300 MHz 3 GHz RFC The IETF Request for Comments describe the definitions and parameters for networking The RFCs are catalogued and maintained on the IETF RFC website www ietf org rfc html RIP This IGP vector distance routing protocol is part of the TCP IP suite and maintains tables of all known destinations and the number of hops ...

Page 364: ... network events to the system log SNTP Simple Network Time Protocol is used to synchronize the system clocks throughout the network An extension of NTP Network Time Protocol SNTP can usually operate with a single server and allows for IPv6 addressing SSH Secure Shell sometimes known as Secure Socket Shell is a UNIX based command interface and protocol of securely gaining access to a remote compute...

Page 365: ...aster nodes of both domains enter the failed state putting their respective secondary ports into the forwarding state If there is a data VLAN spanning both EAPS domains this action forms a loop between the EAPS domains SVL In Shared VLAN Learning two or more VLANs are grouped to share common source address information in the MAC table The common entry in the MAC table is identified by a Filter ID ...

Page 366: ... server console TKIP Temporal Key Integrity Protocol is an enhancement to WEP Wired Equivalent Privacy encryption It uses a set of algorithms to rotate session keys The protocol s enhanced encryption includes a per packet key mixing function a MIC Message Integrity Check or Code an extended initialization vector IV with sequencing rules and a re keying mechanism The encryption keys are changed re ...

Page 367: ...iple VMs VMAN In ExtremeXOS software Virtual MANs are a bi directional virtual data connection that creates a private path through the public network One VMAN is completely isolated from other VMANs the encapsulation allows the VMAN traffic to be switched over Layer 2 infrastructure You implement VMAN using an additional 892 1Q tag and a configurable EtherType this feature is also known as Q in Q ...

Page 368: ...EAP For encryption WPA uses the TKIP Temporal Key Integrity Protocol mechanism which shares a starting key between devices and then changes their encryption key for every packet CA Certificate Authority can also be used Also part of the encryption mechanism are 802 1x for dynamic key distribution and MIC Message Integrity Check or Code WPA requires that all computers and devices have WPA software ...

Page 369: ...efinition 251 MMRP statistics 254 MRP global settings 252 MRP port settings 253 MSRP definition 251 Multiple Registration Protocol 251 O Object ID 141 OID 141 R RADIUS accounting mode 341 S Simple Network Time Protocol 98 SNTP 98 status HTML pages 19 support 7 T talker MSRP 251 technical support contacting 7 Time levels 98 U Unicast 98 User Security Model 141 USM 141 V VLAN database 338 VLAN parti...
