manualshive.com logo in svg

ifs NS3562-8P-2S-V2, User Manual

The "ifs NS3562-8P-2S-V2" product offers high-performance networking with 8 PoE ports and 2 SFP uplink ports. To ensure convenience, a Quick Installation Manual is available for download free of charge, allowing users to easily set up and maximize the potential of their device. Simply visit manualshive.com to access the manual.

Share
Download
background image

 

Chapter 4: Web configuration 

NS3562-8P-2S-V2 Industrial Managed Switch User Manual 

199 

services that are available on a host or server, each with a list of hosts or servers 
permitted or denied to use the service. ACLs can generally be configured to control 
inbound traffic and, in this context, they are similar to firewalls. 

ACE is an acronym for Access Control Entry. It describes access permission 
associated with a particular ACE ID.  

There are three ACE frame types (Ethernet Type, ARP, and IPv4) and two ACE actions 
(permit and deny). The ACE also contains many detailed, different parameter options 
that are available for individual applications. 

ACL status 

The Voice VLAN OUI Table page shows the ACL status by different ACL users. Each 
row describes the ACE that is defined. A conflict occurs if a specific ACE is not applied 
to the hardware due to hardware limitations. The maximum number of ACEs is 512 on 
each switch.  

 

The page includes the following fields: 

 

Object 

Description 

User 

Indicates the ACL user. 

Ingress Port 

Indicates the ingress port of the ACE. Values include:  

All

: The ACE matches all ingress ports.  

Port

: The ACE matches a specific ingress port. 

Frame Type 

Indicates the frame type of the ACE. Values are:  

Any

: The ACE matches any frame type.  

EType

: The ACE matches Ethernet Type frames. Note that an Ethernet 

Type based ACE will not get matched by IP and ARP frames.  

ARP

: The ACE matches ARP/RARP frames.  

IPv4

: The ACE matches all IPv4 frames.  

IPv4/ICMP

: The ACE matches IPv4 frames with ICMP protocol.  

IPv4/UDP

: The ACE matches IPv4 frames with UDP protocol.  

IPv4/TCP

: The ACE matches IPv4 frames with TCP protocol.  

IPv4/Other

: The ACE matches IPv4 frames, which are not ICMP/UDP/TCP.  

IPv6

: The ACE matches all IPv6 standard frames. 

Action 

Indicates the forwarding action of the ACE.  

Permit

: Frames matching the ACE may be forwarded and learned.  

Deny

: Frames matching the ACE are dropped. 

Rate Limiter 

Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. 
When 

Disabled

 is shown, the rate limiter operation is disabled. 

Summary of Contents for NS3562-8P-2S-V2

Page 1: ...NS3562 8P 2S V2 Industrial Managed Switch User Manual P N 1073704 EN REV B ISS 13JUL22 ...

Page 2: ...radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense Canada This Class A digital apparatus complies with CAN ICES 003 A NMB 3 A Cet appareil numérique de la classe A est conforme à la norme CAN ICES 003 A NMB 3 A ACMA compliance Notice This is a Class A p...

Page 3: ...Product documentation Please consult the following web link to retrieve the electronic version of the product documentation The manuals are available in several languages ...

Page 4: ......

Page 5: ...irements 32 Management access overview 32 Web management 34 SNMP based network management 34 Chapter 4 Web configuration 36 Main web page 38 System 39 DHCP server 66 UDLD 75 Simple Network Management Protocol SNMP 78 Port management 89 Link aggregation 96 VLAN 104 Spanning Tree Protocol STP 130 Multicast 148 Quality of Service QoS 174 Access Control Lists ACL 198 Authentication 213 Security 254 MA...

Page 6: ...tch operation 333 Address table 333 Learning 333 Forwarding and filtering 333 Store and forward 333 Auto negotiation 334 Chapter 6 PoE overview 335 What is PoE 335 PoE system architecture 335 Chapter 7 Troubleshooting 337 Appendix A Networking connection 338 Glossary 340 ...

Page 7: ...tents Carrier assumes no responsibility for errors or omissions Product Warnings YOU UNDERSTAND THAT A PROPERLY INSTALLED AND MAINTAINED ALARM SECURITY SYSTEM MAY ONLY REDUCE THE RISK OF EVENTS SUCH AS BURGLARY ROBBERY FIRE OR SIMILAR EVENTS WITHOUT WARNING BUT IT IS NOT INSURANCE OR A GUARANTEE THAT SUCH EVENTS WILL NOT OCCUR OR THAT THERE WILL BE NO DEATH PERSONAL INJURY AND OR PROPERTY DAMAGE A...

Page 8: ...ctions Contact your supplier for replacement batteries Warranty Disclaimers CARRIER HEREBY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS WHETHER EXPRESS IMPLIED STATUTORY OR OTHERWISE INCLUDING ANY IMPLIED WARRANTIES THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE USA only SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU ...

Page 9: ...ed for refer to the data sheet and user documentation For the latest product information contact your local supplier or visit us online at firesecurityproducts com The system should be checked by a qualified technician at least every 3 years and the backup battery replaced as required Advisory messages Advisory messages alert you to conditions or practices that can cause unwanted results The advis...

Page 10: ...ng items The industrial managed switch 1 Quick installation guide 1 3 pin terminal block connector 1 DIN rail kit 1 Wall mounting kit 1 Magnet kit 1 SFP dust proof cap 2 RJ45 dust proof cap 8 If any of these are missing or damaged contact your dealer immediately If possible retain the carton including the original packing materials for repacking the product in case there is a need to return it to ...

Page 11: ...e customer s industrial automation network to enhance system reliability and uptime in harsh factory environments In a certain simple ring network the recovery time of data link can be as fast as 20 ms Convenient and smart ONVIF devices with detection feature The managed switch s ONVIF Support is specifically designed to work with video IP surveillance programs such as TruVision Navigator that can...

Page 12: ...AP crash resulting from buffer overflow PoE schedule for energy saving Under the trend of energy saving worldwide and contributing to environmental protection the industrial managed switch can effectively control the power supply in addition to its capability of provideing high Watt power The PoE schedule function helps you to enable or disable PoE power feeding for each PoE port during specified ...

Page 13: ...ation It adopts the user friendly Front Access design making the installing cable wiring LED monitoring and maintenance of the industrial managed switch placed in an enclosure convenient for technicians It can be installed by fixed wall mounting magnetic wall mounting or DIN rail thereby making its usability more flexible SMTP SNMP trap event alert The industrial managed switch provides an event a...

Page 14: ... as dynamic port link aggregation Q in Q VLAN private VLAN Multiple Spanning Tree Protocol MSTP layer 2 to layer 4 QoS bandwidth control and IGMP MLD snooping The industrial managed switch provides 802 1Q Tagged VLAN and a maximum of 255 VLAN groups are allowed Via aggregation of supporting ports the industrial managed switch allows the operation of a high speed trunk combining multiple ports It e...

Page 15: ... function communication between edge ports can be prevented to guarantee user privacy Flexible and extendable solution The additional four mini GBIC slots built into the industrial managed switch support dual speed 100BASE FX and 1000BASE SX LX SFP Small Form factor Pluggable fiber optic modules meaning the administrator now can flexibly choose the suitable SFP transceiver according to the transmi...

Page 16: ...abit Ethernet RJ45 ports with IEEE 802 3at PoE injector Two 100 1000BASE X mini GBIC SFP slots SFP type auto detection Power over Ethernet Complies with IEEE 802 3at Power over Ethernet Plus end span PSE Up to eight IEEE 802 3af IEEE 802 3at devices powered Supports PoE power up to 30 8 W for each PoE port Auto detects powered device PD Circuit protection prevents power interference between ports ...

Page 17: ...mize the network bandwidth Storm control support Broadcast Multicast Unknown Unicast Supports VLAN IEEE 802 1Q tagged VLAN Up to 255 VLANs groups out of 4094 VLAN IDs Provider bridging VLAN Q in Q support IEEE 802 1ad Private VLAN Edge PVE Protocol based VLAN MAC based VLAN Voice VLAN Supports STP STP IEEE 802 1D Spanning Tree Protocol RSTP IEEE 802 1w Rapid Spanning Tree Protocol MSTP IEEE 802 1s...

Page 18: ... port number Typical network application Strict priority and Weighted Round Robin WRR CoS policies Supports QoS and In Out bandwidth control on each port Traffic policing policies on the switch port DSCP remarking Multicast Supports IGMPv4 snooping v1 v2 and v3 Supports IGMPv6 MLD snooping v1 and v2 Querier mode support IGMP snooping port filtering MLD snooping port filtering Multicast VLAN Regist...

Page 19: ...c switch management SSH SSL and SNMP v3 secure access IPv6 IP address NTP DNS management Built in Trivial File Transfer Protocol TFTP client BOOTP and DHCP for IP address assignment System maintenance Firmware upload download via HTTP TFTP Dual images Reset button for system reboot or reset to factory default DHCP relay DHCP Option 82 User privilege levels control NTP Network Time Protocol Link La...

Page 20: ...dress learning and aging Shared Data Buffer 4 Mbits Flow Control IEEE 802 3x pause frame for full duplex Back pressure for half duplex Jumbo Frame 9 Kb Reset Button 5 seconds System reboot 5 seconds Factory Default Enclosure IP30 aluminum case Installation DIN rail kit wall mount and magnetic wall mount Dimensions W D H 180 24 4 140 mm Weight 681 g Connector Removable 3 pin terminal block for powe...

Page 21: ... 4 PDs 8 Layer 2 Functions Basic Management Interfaces Console Telnet Web browser SNMP v1 v2c Secure Management Interfaces SSH SSL SNMP v3 Port Configuration Port disable enable Auto negotiation 10 100 1000Mbps full and half duplex mode selection Flow control disable enable Power saving mode control Port Status Display each port s speed duplex mode link status flow control status auto negotiation ...

Page 22: ...are static routing Standards Conformance Regulation Compliance FCC Part 15 Class A CE Stability Testing IEC60068 2 32 free fall IEC60068 2 27 shock IEC60068 2 6 vibration Standards Compliance IEEE 802 3 10BASE T IEEE 802 3u 100BASE TX 100BASE FX IEEE 802 3z Gigabit SX LX IEEE 802 3ab Gigabit 1000T IEEE 802 3x flow control and back pressure IEEE 802 3ad port trunk with LACP IEEE 802 1D Spanning Tre...

Page 23: ... V2 Industrial Managed Switch User Manual 19 RFC 1112 IGMP v1 RFC 2236 IGMP v2 Environment Operating Temperature 40 to 75 C Relative Humidity 5 to 95 non condensing Storage Temperature 40 to 85 C Relative Humidity 5 to 95 non condensing ...

Page 24: ...familiarize yourself with its display indicators and ports Front panel illustrations in this chapter display the unit LED indicators Before connecting any network device to the industrial managed switch please read this chapter completely Hardware description The industrial managed switch provides three different running speeds 10Mbps 100Mbps and 1000Mbps and automatically distinguishes the speed ...

Page 25: ...Chapter 2 Installation NS3562 8P 2S V2 Industrial Managed Switch User Manual 21 Physical dimensions Dimensions W x D x H 180 x 24 4 x 140 mm ...

Page 26: ...0 20 30 40 50 70 120 kilometers single mode fiber AC DC power receptacle The industrial managed switch features a strong dual power input system terminal block and DC jack incorporated into customer s automation network to enhance system reliability and uptime 3 pin Terminal Block DC Jack Power Input Range 48 56 VDC 48 56 VDC To install the 3 pin terminal block connector on the wall mount managed ...

Page 27: ...h then reboots and loads the default settings as shown below Default Username admin Default Password admin Default IP address 192 168 0 100 Subnet mask 255 255 255 0 Default Gateway 192 168 0 254 LED indicators The front panel LEDs indicate port link status data activity and system power System LED Color Function PWR Green Lit indicates that the switch has power Blinking indicates the system of th...

Page 28: ...topics and perform the procedures in the order presented Note Ensure that the industrial managed switch is mounted vertically with the air holes on the top and a minimum of three inches above and below the switch to allow for proper air flow This device uses a convection flow of hot air which rises and brings cold air in from the bottom and out of the top of the device Do not mount the switch hori...

Page 29: ...Chapter 2 Installation NS3562 8P 2S V2 Industrial Managed Switch User Manual 25 2 Carefully slide the DIN rail into the track 3 Ensure that the DIN rail is tightly attached to the track ...

Page 30: ...al managed switch on the wall 1 Drill four 8 mm diameter holes in the wall with a horizontal distance of 163 mm between each 2 Install a conductor pipe inside the board hole and flush the edge of the conductor pipe with the wall surface 3 Screw the bolts into the conductor pipe The switch is between the bolts and the conductor pipe as shown below To install the industrial managed switch on a magne...

Page 31: ...t Gigabit Ethernet standard requires Category 5 UTP for 100 Mbps 100BASE TX 10BASE T networks can use Cat 3 4 5 or 1000BASE T use 5 5e 6 UTP see table below Maximum distance is 100 meters 328 feet The 100BASE FX 1000BASE SX LX SFP slot uses an LC connector with optional SFP module The table below provides cable specification details Port Type Cable Type Connector 10BASE T Cat3 4 5 2 pair RJ45 100B...

Page 32: ...ir SFP 1000Base TX S30 RJ RJ 45 1 Cat5e 100M 328 ft 0 to 50 C 32 to 122 F Fast Ethernet 100Base FX S20 2MLC2 LC 2 Multi mode 2 km 1 2 mi 1310 nm 12 20 14 32 0 to 50 C 32 to 122 F S25 2MLC2 LC 2 Multi mode 2 km 1 2 mi 1310 nm 12 20 14 32 40 to 75 C 40 to 167 F Fast Ethernet 100Base LX S20 2SLC20 LC 2 Single Mode 20 km 12 mi 1310 nm 19 15 8 34 0 to 50 C 32 to 122 F S25 2SLC20 LC 2 Single Mode 20 km ...

Page 33: ...ngle Mode 10 km 6 2 mi 1310 nm 18 9 5 3 20 0 to 50 C 32 to 122 F S35 2SLC 10 LC 2 Single Mode 10 km 6 2 mi 1310 nm 18 9 5 3 20 40 to 75 C 40 to 167 F S30 2SLC 30 LC 2 Single Mode 30 km 18 6 mi 1310 nm 18 2 3 23 0 to 50 C 32 to 122 F S35 2SLC 30 LC 2 Single Mode 30 km 18 6 mi 1310 nm 18 2 3 23 40 to 75 C 40 to 167 F Gigabit Ethernet 1000 Base ZX S30 2SLC 70 LC 2 Single Mode 70 km 43 mi 1550 nm 19 1...

Page 34: ...it Note Choose a SFP SFP transceiver that can be operated under 40 to 75 C temperature if the industrial managed switch is working in a 0 to 50 C temperature environment To connect the fiber cable 1 Attach the duplex LC connector on the network cable to the SFP SFP transceiver 2 Connect the other end of the cable to a device with the SFP SFP transceiver installed 3 Check the LNK ACT LED of the SFP...

Page 35: ...trial Managed Switch User Manual 31 Note Never pull out the module without making use of the lever or the push bolts on the module Removing the module with force could damage the module and the SFP SFP module slot of the industrial managed switch ...

Page 36: ... other platforms compatible with TCP IP protocols Workstations must have an Ethernet NIC Network Interface Card installed Serial Port connection Terminal The workstation must have a COM Port DB9 RS 232 or USB to RS 232 converter Ethernet port connection Use standard network UTP cables with RJ45 connectors Workstations must have a web browser and Java runtime environment plug in installed Note We r...

Page 37: ...ndows operating systems Can be accessed from any location Security can be compromised hackers need only know the IP address and subnet mask Web browser Ideal for configuring the switch remotely Compatible with all popular browsers Can be accessed from any location Most visually appealing Security can be compromised hackers need only know the IP address and subnet mask May encounter lag times on po...

Page 38: ...anaged switch You can use a web browser to list and manage the industrial managed switch configuration parameters from one central location just as if you were directly connected to the industrial managed switch s console port Web management requires Microsoft Internet Explorer 11 0 or later SNMP based network management Use an external SNMP based application to configure and manage the managed sw...

Page 39: ...Manual 35 If the SNMP Network Management Station only knows the set community string it can read and write to the MIBs However if it only knows the get community string it can only read MIBs The default get and set community strings for the industrial managed switch are public ...

Page 40: ...e user has to explicitly modify the browser setting to enable Java Applets to use network ports The industrial managed switch can be configured through an Ethernet connection when the manager computer is set to the same IP subnet address as the industrial managed switch For example if the default IP address of the industrial managed switch is 192 168 0 100 then the administrator computer should be...

Page 41: ...ote Before connecting to a TruVision Navigator video surveillance system network the default IP address must be changed to the IP address assigned for TruNav by the network administrator 3 If logged in to the switch via web or console with the default account admin admin a warning message appears to notify the user to change the user name and password Click OK 4 Type a new user name and password i...

Page 42: ...tch s ports The mode can be set to display different information for the ports including Link up or Link down Clicking on the image of a port opens the Port Statistics page Port status is indicated as follows State Disabled Down Link PoE in use RJ45 Ports SFP Ports Main menu Using the web interface you can define system parameters manage and control the industrial managed switch and all its ports ...

Page 43: ...dministrative details of the industrial managed switch Under the System list the following topics are provided to configure and view the system information This list contains the following items System information The System Infomation page provides information on the current device such as the hardware MAC address software version and system uptime ...

Page 44: ...em time and date The system time is obtained through the configured NTP server if present System Uptime The period of time the device has been operational Software Version The software version of the industrial managed switch Software Date The date when the industrial managed switch software was produced Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs e...

Page 45: ...m The following modes are supported No Domain Name No domain name will be used Configured Domain Name Explicitly specify the name of local domain Make sure the configured domain name meets your organization s given domain From any DHCPv6 interfaces The first domain name offered from a DHCPv6 lease to a DHCPv6 enabled interface will be used From this DHCPv6 interface Specify from which DHCPv6 enabl...

Page 46: ... available for input when creating an new interface DHCPv4 Enabled Enable the DHCP client by selecting this check box If this option is enabled the system will configure the IPv4 address and mask of the interface using the DHCPv4 protocol The DHCPv4 client will announce the configured System Name as hostname to provide DNS lookup Fallback The number of seconds for trying to obtain a DHCP lease If ...

Page 47: ...ld may be left blank if IPv6 operation on the interface is not required Mask Length The IPv6 network mask in number of bits prefix length Valid values are between 1 and 128 bits for a IPv6 address The field may be left blank if IPv6 operation on the interface is not required IP Routes Delete Select this option to delete an existing IP route Network The destination IP network or host address of thi...

Page 48: ...ces is supported Click Add Route to add a new IP route A maximum of 32 routes is supported Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values IP status IP status displays the status of the IP protocol layer The status is defined by the IP interfaces the IP routes and the neighbour cache ARP cache status ...

Page 49: ... page automatically Automatic refresh occurs every three seconds Click Refresh to refresh the page automatically This will undo any changes made locally Users configuration This page provides an overview of the current users Close and reopen the browser to log in as another user on the web server After setup is complete click the Apply button and log in to the web interface with the new user name ...

Page 50: ...alid user name is a combination of letters numbers and underscores Password The password of the user The allowed string length is 0 to 32 Password again Type the user password again for confirmation Privilege Level The privilege level of the user The allowed range is 1 to 15 If the privilege level value is 15 it can access all groups i e it is granted full control of the device But other values ne...

Page 51: ...er is added the new user entry appears in the Users Configuration page Note If a password is forgotten after changing the default password press the reset button on the front panel of the industrial managed switch for over 10 seconds and then release it The current settings including VLAN will be erased and the industrial managed switch restores to default mode Privilege levels This page provides ...

Page 52: ... Security Authentication System Access Management Port contains Dot1x port MAC based and the MAC Address Limit ACL HTTPS SSH ARP Inspection and IP source guard IP Everything except ping Port Everything except VeriPHY Diagnostics ping and VeriPHY Maintenance CLI System Reboot System Restore Default System Password Configuration Save Configuration Load and Firmware Load Web Users Privilege Levels an...

Page 53: ...thorization privilege level to have the access to that group Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values NTP configuration Configure NTP on this page NTP is an acronym for Network Time Protocol a network protocol for synchronizing the clocks of computer systems NTP uses UDP data grams as a transport layer You can specify NTP...

Page 54: ...l be lost after system reboot since there is no battery to keep time running Year Allows the user to input year value it supports from 1970 to 2037 only Month Allows the user to input month value 1 to 12 month Day Allows the user to input day value 1 to 31 days Hour Allows the user to input hour value 00 to 23 hours Minute Allows the user to input minute value 0 to 59 minutes Second Allows the use...

Page 55: ...the following fields Object Description Time Zone Lists various Time Zones worldwide Select the appropriate Time Zone from the drop down list and click Save Acronym This is a user configurable acronym up to 16 characters used to identify the time zone Daylight Saving Time This is used to set the clock forward or backward according to the configurations set below for a defined Daylight Saving Time ...

Page 56: ... made locally and revert to previously saved values UPnP UPnP is an acronym for Universal Plug and Play The goals of UPnP are to allow devices to connect seamlessly and to simplify the implementation of networks in home data sharing communications and entertainment and corporate environments for easy installation of computer components Configure UPnP on the UPnP Configuration page This page includ...

Page 57: ...t value is 1 Buttons Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values DHCP relay DHCP Relay is used to forward and to transfer DHCP messages between the clients and the server when they are not on the same subnet domain The DHCP option 82 enables a DHCP relay agent to insert specific information into a DHCP request packets when forward...

Page 58: ...mode operation When enabling DHCP relay information mode operation the agent inserts specific information option82 into a DHCP message when forwarding to DHCP server and removes it from a DHCP message when transferring to DHCP client It only works when DHCP relay operation mode is enabled Disabled Disable DHCP relay information mode operation Relay Information Policy Indicates the DHCP relay infor...

Page 59: ...number of packets received from the server Receive Missing Agent Option The number of packets received without agent information options Receive Missing Circuit ID The number of packets received with the Circuit ID option missing Receive Missing Remote ID The number of packets received with the Remote ID option missing Receive Bad Circuit ID The number of packets in which the Circuit ID option doe...

Page 60: ...f packets received is kept with the relay agent information option Drop Agent Option The number of packets received is dropped with the relay agent information option Buttons Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to immediately refresh the page Click Clear to clear all statistics CPU load This page displays th...

Page 61: ...nformation The page includes the following fields Object Description ID The ID 1 of the system log entry Level The level of the system log entry The following level types are supported Info Information level of the system log Warning Warning level of the system log Error Error level of the system log All All levels Clear Level Clears the system log entry level The following level types are support...

Page 62: ... ending at the last entry currently displayed Click to update the system log entries starting from the last entry currently displayed Click I to update the system log entries ending at the last available entry ID Detailed log The Detailed System Log Information page displays the industrial managed switch system log information details The page includes the following fields Object Description ID Th...

Page 63: ...sage is sent to the syslog server The syslog protocol is based on UDP communication and received on UDP port 514 The syslog server will not send acknowledgments back to sender since UDP is a connectionless protocol and it does not provide acknowledgments The syslog packet is always sent out even if the syslog server does not exist Selections include Enabled Enable remote syslog mode operation Disa...

Page 64: ...ntication is required when an email is sent Authentication User Name Type the user name for the SMTP server if Authentication is Enable Authentication Password Type the password for the SMTP server if Authentication is Enable E mail From Type the sender s email address This address is used for reply emails E mail Subject Type the subject title of the email E mail 1 To E mail 2 To Type the receiver...

Page 65: ...h for fault detection Power Alarm Controls AC DC1 or DC2 or all three for fault detection Port Alarm Controls ports for fault detection Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Web firmware upgrade Update the industrial managed switch firmware using the Firmware Upload page To open the Firmware Upload page 1 Click System ...

Page 66: ...the image is loaded Otherwise the system won t apply the new firmware and the user has to repeat the firmware upgrade process Save startup configuration This function ensures that the current active configuration can be used after the next reboot After clicking Save Configuration the following screen appears Configuration download The managed switch stores its configuration in a number of text fil...

Page 67: ...e Download Configuration page permits the download of the running config startup config and default config system files to the switch Configuration upload The Upload Configuration page permits the upload of the running config and startup config to the switch If the destination is running config the file will be applied to the switch configuration This can be done in two ways Replace mode The curre...

Page 68: ...e currently active configuration Select the file to activate and click Activate Configuration This initiates the process of completely replacing the existing configuration with that of the selected file Configuration delete The Delete Configuration page permits the deletion of the startup config and default config files which are stored in Flash memory If this is performed and the switch is reboot...

Page 69: ... releases This does not constitute an error The page includes the following fields Object Description Image The flash index name of the firmware image The name of primary preferred image is image the alternate image is named image bk Version The version of the firmware image Date The date when the firmware was produced Buttons Click Activate Alternate Image to use the alternate image This button m...

Page 70: ...ch User Manual Buttons Click Yes to reboot the system Click No to return to the main web page without rebooting the system DHCP server Mode The DHCP Server Mode Configuration page permits setting changes for Global Mode and VLAN Mode The page includes the following fields ...

Page 71: ...ration page Enabled Enable disable DHCP server service to the VLAN Buttons Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values Excluded IP The DHCP Server Excluded IP Configuration page permits exclusion of IP addresses for static IP address devices such as servers or routers The DHCP server will not allocate these excluded IP addresses t...

Page 72: ...lick Add IP Range to add an IP range Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values Pool The DHCP Server Pool Configuration page manages DHCP pools According to the DHCP pool the DHCP server will allocate IP addresses and deliver configuration parameters to the DHCP client Adding a pool and giving it a name creates a new pool with a ...

Page 73: ...one DHCP client Host the pool services for a specific DHCP client identified by client identifier or hardware address If appears it means not defined IP Indicates the network number of the DHCP address pool If appears it means not defined Subnet Mask Indicates the subnet mask of the DHCP address pool If appears it means not defined Lease Time Indicates the lease time of the pool Buttons Click Add ...

Page 74: ...Chapter 4 Web configuration 70 NS3562 8P 2S V2 Industrial Managed Switch User Manual ...

Page 75: ...of IP addresses to service more than one DHCP client Host the pool services for a specific DHCP client identified by client identifier or hardware address IP Indicates the specific network number of the DHCP address pool Subnet Mask DHCP option 1 Specifies the subnet mask of the DHCP address pool Lease Time DHCP option 51 58 and 59 Specifies the lease time that allows the client to request a lease...

Page 76: ...Name Server DHCP option 44 Specifies a list of NBNS name servers listed in order of preference NIS Domain Name DHCP option 40 Specifies the name of the client s NIS domain NIS Server DHCP option 41 Specifies a list of IP addresses indicating NIS servers available to the client Client Identifier DHCP option 61 Specifies the client s unique identifier to be used when the pool is the type of host Sel...

Page 77: ... type and configuration of a DHCP client The DHCP server delivers the corresponding option 43 specific information to the client that sends the option 60 vendor class identifier Vendor 3 Specific Information DHCP option 43 Specifies vendor specific information according to the option 60 vendor class identifier Vendor 4 Class Identifier DHCP option 60 Specifies the identifier to be used by the DHCP...

Page 78: ...an IP address to a client host pool type Expired Binding Number of bindings in which the lease time expired or they are cleared from Automatic Manual type bindings Binding counters Displays the counters of various bindings Object Description Automatic Binding Number of bindings with network type pools Manual Binding Number of bindings that the administrator assigns an IP address to a client host p...

Page 79: ...HCP INFORM messages received DHCP message sent counters Displays the counters of DHCP messages sent by the DHCP server Object Description Offer Number of DHCP OFFER messages sent Ack Number of DHCP ACK messages sent Nak Number of DHCP NAK messages sent Buttons Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to refresh t...

Page 80: ... port state Aggressive In aggressive mode unidirectional detected ports will get shut down To bring back the ports up disable UDLD on the ports Message Interval Configures the period of time between UDLD probe messages on ports that are in the advertisement phase and are determined to be bidirectional The range is from 7 to 90 seconds default value is 7 seconds Currently the default time interval ...

Page 81: ...e Name Local Name of the Device Bidirectional State The current state of the port Neighbor status The page includes the following fields Object Description Port The current port of the neighbor device Device ID The current ID of the neighbor device Link Status The current link status of the neighbor port Device Name Name of the neighbor device Buttons Select the Auto refresh check box to refresh t...

Page 82: ...d abundant disk space At least one NMS must be present in each managed environment Agents Agents are software modules that reside in network elements They collect and store management information such as the number of error packets received by a network element Management information base MIB An MIB is a collection of managed objects residing in a virtual information store Collections of related m...

Page 83: ...ap on this page Trap Source Configuration Configure SNMP trap source on this page System Information The system information is provided here SNMPv3 Communities Configure SNMPv3 communities table on this page SNMPv3 Users Configure SNMPv3 users table on this page SNMPv3 Groups Configure SNMPv3 groups table on this page SNMPv3 Views Configure SNMPv3 views table on this page SNMPv3 Access Configure S...

Page 84: ...th is 0 to 255 and the allowed content is ASCII characters from 33 to 126 Trap Mode Indicates the SNMP trap mode operation Selections include Enabled Enable SNMP trap mode operation Disabled Disable SNMP trap mode operation Trap Version Indicates the SNMP trap supported version Selections include SNMP v1 Set SNMP trap supported version 1 SNMP v2c Set SNMP trap supported version 2c SNMP v3 Set SNMP...

Page 85: ...ontiguous zeros but it can appear only once It can also represent a legally valid IPv4 address For example 192 1 2 34 Trap Destination Port Indicates the SNMP trap destination port The SNMP agent sends an SNMP message via this port The port range is 1 65535 Trap Inform Mode Indicates the SNMP trap inform mode operation Selections include Enabled Enable SNMP trap authentication failure Disabled Dis...

Page 86: ...aracters are permitted as part of a name The first character must be an alpha character And the first or last character must not be a minus sign The allowed string length is 0 to 255 System Location The physical location of this node e g telephone closet 3rd floor The allowed string length is 0 to 255 and the allowed content is the ASCII characters from 32 to 126 Buttons Click Apply to apply chang...

Page 87: ...d excluded An optional flag to indicate a trap is not sent for the given trap source is matched Subset OID The subset OID for the entry The value depends on the trap name type For example the ifIdex is the subset OID of linkUp and linkDown A valid subset OID is one or more digital numbers 0 4294967295 or asterisk which are separated by dots The first character must not begin with an asterisk and t...

Page 88: ...rs from 33 to 126 Community Secret Indicates the community secret access string to permit access using SNMPv1 and SNMPv2c to the SNMP agent The allowed string length is 1 to 32 and the allowed content is ASCII characters from 33 to 126 Source IP Indicates the SNMP access source address A particular range of source addresses can be used to restrict the source subnet when combined with the source ma...

Page 89: ...allowed string length is 1 to 32 and the allowed content is ASCII characters from 33 to 126 Security Level Indicates the security model that this entry should belong to Selections include NoAuth NoPriv None authentication and none privacy Auth NoPriv Authentication and none privacy Auth Priv Authentication and privacy The value of the security level cannot be modified if the entry already exists E...

Page 90: ...col Privacy Password A string identifying the privacy pass phrase The allowed string length is 8 to 32 and the allowed content is the ASCII characters from 33 to 126 Buttons Click Add New Entry to add a new user entry Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values SNMPv3 groups Configure SNMPv3 groups on the SMNPv3 Group Configuratio...

Page 91: ...allowed string length is 1 to 32 and the allowed content is the ASCII characters from 33 to 126 Buttons Click Add New Entry to add a new group entry Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values SNMPv3 views Configure SNMPv3 views table in the SNMPv3 View Configuration page The entry index keys are View Name and OID Subtree The page...

Page 92: ...ccess Configure SNMPv3 access on the SNMPv3 Access Configuration page The entry index keys are Group Name Security Model and Security Level The page includes the following fields Object Description Delete Select Delete to delete the entry It will be deleted during the next save Group Name A string identifies the group name that this entry should belong to The allowed string length is 1 to 32 and t...

Page 93: ...nt is the ASCII characters from 33 to 126 Buttons Click Add New Entry to add a new access entry Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values Port management Use the Port menu to display or configure the industrial managed switch ports This section has the following items Port Configuration Configures port connection settings Port S...

Page 94: ...tting is selected that is what is used The Current Rx column indicates if pause frames on the port are obeyed and the Current Tx column indicates whether pause frames on the port are transmitted The Rx and Tx settings are determined by the result of the last Auto Negotiation Check the configured column to use flow control This setting is related to the setting for Configured Link Speed Maximum Fra...

Page 95: ...e transmissions per port Drops The number of frames discarded due to ingress or egress congestion Filtered The number of received frames filtered by the forwarding process Buttons Click Refresh to refresh the page immediately Click Clear to clear the counters for all ports Select the Auto refresh check box to enable an automatic refresh of the page at regular intervals Port statistics detail The P...

Page 96: ...ansmitted good and bad unicast packets Rx and Tx Multicast The number of received and transmitted good and bad multicast packets Rx and Tx Broadcast The number of received and transmitted good and bad broadcast packets Rx and Tx Pause A count of the MAC Control frames received or transmitted on this port that has an opcode indicating a PAUSE operation Receive and transmit size counters The number ...

Page 97: ...ames are frames that are longer than the configured maximum frame length for this port Transmit error counters Object Description Tx Drops The number of frames dropped due to output buffer congestion Tx Late Exc Coll The number of frames dropped due to excessive or late collisions Buttons Click Refresh to refresh the page immediately Click Clear to clear the counters for all ports Select the Auto ...

Page 98: ...d distance of the current SFP module Temperature C Displays the temperature of the current SFP module Voltage V Displays the voltage of the current SFP module Current mA Displays the Ampere of the current SFP module TX power dBm Displays the TX power of the current SFP module RX power dBm Displays the RX power of the current SFP module Buttons Select the SFP Monitor Event Alert check box The switc...

Page 99: ...e and alter it if necessary To debug network problems selected traffic can be copied or mirrored to a mirror port where a frame analyzer can be attached to analyze the frame flow The industrial managed switch can unobtrusively mirror traffic from any port to a monitor port You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity...

Page 100: ...icates that all ports are selected Mode Select mirror mode Note For a given port a frame is only transmitted once It is therefore not possible to mirror Tx frames on the mirror port Because of this the mode for the selected mirror port is limited to Disabled or Rx only Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Link aggrega...

Page 101: ...on links Static LAGs Port Trunk Force aggregated selected ports to be a trunk group Link Aggregation Control Protocol LACP LAGs LACP LAGs negotiate aggregated port links with other LACP ports located on a different device If the other device ports are also LACP ports the devices establish a LAG between them The Link Aggregation Control Protocol LACP provides a standardized means for exchanging inf...

Page 102: ...able the link aggregation ports before removing a port link aggregation to avoid creating a data loop It allows a maximum of 10 ports to be aggregated at the same time The industrial managed switch supports Gigabit Ethernet ports up to five groups If the group is defined as a LACP static link aggregationing group then any extra ports selected are placed in a standby mode for redundancy if one of t...

Page 103: ...dress or uncheck it to disable By default the Source MAC Address is enabled Destination MAC Address The Destination MAC Address can be used to calculate the destination port for the frame Select the check box to enable the use of the Destination MAC Address or uncheck it to disable By default the Destination MAC Address is disabled IP Address The IP address can be used to calculate the destination...

Page 104: ...n aggregation or clear the radio button to remove the port from the aggregation By default no ports belong to any aggregation group Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values LACP configuration LACP LAG negotiates aggregated port links with other LACP ports located on a different device LACP allows switches connected to eac...

Page 105: ...ion group while ports with different keys cannot Role The Role shows the LACP activity status The Active selection transmits LACP packets each second while the Passive setting waits for a LACP packet from a partner speak if spoken to Timeout The Timeout controls the period between BPDU transmissions Fast transmits LACP packets each second while the Slow selection provides a wait for 30 seconds bef...

Page 106: ... aggr id Partner System ID The system ID MAC address of the aggregation partner Partner Key The key that the partner has assigned to this aggregation ID Partner Priority The priority of the aggregation partner Last changed The time since this aggregation changed Local Ports Shows which ports are a part of this aggregation for this switch Buttons Click Refresh to to refresh the page immediately Sel...

Page 107: ...that occurs its LACP status is disabled Key The key is assigned to this port Only ports with the same key can aggregate together Aggregation ID The aggregation ID assigned to this aggregation group Partner System ID The partner s system ID MAC address Partner Port The partner s port number connected to this port Partner Priority The partner s port priority Buttons Click Refresh to to refresh the p...

Page 108: ...nt the network into different broadcast domains so that packets are forwarded only between ports within the VLAN Typically a VLAN corresponds to a particular subnet although not necessarily VLAN can enhance performance by conserving bandwidth and improve security by limiting traffic to specific domains A VLAN is a collection of end nodes grouped by logic instead of physical location End nodes that...

Page 109: ...of network nodes into separate broadcast domains VLANs confine broadcast traffic to the originating group and can eliminate broadcast storms in large networks This also provides a more secure and cleaner network environment An IEEE 802 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify ne...

Page 110: ...witches through a single physical connection and allows Spanning Tree to be enabled on all ports and work normally Some relevant terms Tagging The act of putting 802 1Q VLAN information into the header of a packet Untagging The act of stripping 802 1Q VLAN information out of the packet header 802 1Q VLAN tags There are four additional octets inserted after the source MAC address as shown in the fo...

Page 111: ...Q ports are also assigned a PVID for use within the switch If no VLANs are defined on the switch all ports are then assigned to a default VLAN with a PVID equal to 1 Untagged packets are assigned the PVID of the port on which they were received Forwarding decisions are based upon this PVID in so far as VLANs are concerned Tagged packets are forwarded according to the VID contained within the tag T...

Page 112: ...ever if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then this port should be added to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLAN unaware network interconnection devices but the VLAN tags should be stripped off before passin...

Page 113: ...al managed switch port VLAN This page contains fields for managing ports that are part of a VLAN The port default VLAN ID PVID is also configured on this page All untagged packets arriving to the device are tagged by the port s PVID Managed switch nomenclature IEEE 802 1Q tagged and untagged Every port on an 802 1Q compliant switch can be configured as tagged or untagged Tagged Ports with tagging ...

Page 114: ... s frames when they enter the service provider s network and then stripping the tags when the frames leave the network A service provider s customers may have specific requirements for their internal VLAN IDs and number of VLANs supported VLAN ranges required by different customers in the same service provider network might easily overlap and traffic passing through the infrastructure might be mix...

Page 115: ...a common MAN space without interfering with the VLAN tags All tags use EtherType 0x8100 or 0x88A8 where 0x8100 is used for customer tags and 0x88A8 is used for service provider tags In cases where a given service VLAN only has two member ports on the switch the learning can be disabled for the particular VLAN and can therefore rely on flooding as the forwarding mechanism between the two ports This...

Page 116: ...d frames untagged frames received on the port are discarded By default the field is set to All Link Type Allow 802 1Q Untagged or Tagged VLAN for selected port When adding a VLAN to selected port it tells the switch whether to keep or remove the tag from a frame on egress Untag outgoing frames without VLAN Tagged Tagged outgoing frames with VLAN Tagged Q in Q Mode Sets the industrial managed switc...

Page 117: ...characters or numbers The VLAN name should contain at least one alpha character The VLAN name can be edited for the existing VLAN entries or it can be added to the new entries Port Members A row of check boxes for each port is displayed for each VLAN ID To include a port in a VLAN select a check box To remove or exclude the port from the VLAN deselect a check box By default no ports are members an...

Page 118: ... for VLAN users The page includes the following fields Object Description VLAN ID Indicates the ID of this particular VLAN Port Members The VLAN Membership Status Page shows the current VLAN port members for all VLANs configured by a selected VLAN User selection shall be allowed by a Combo Box When ALL VLAN Users is selected it shall show this information for all the VLAN Users and this is the def...

Page 119: ...es MSTP The 802 1s Multiple Spanning Tree protocol MSTP uses VLANs to create multiple spanning trees in a network which significantly improves network resource utilization while maintaining a loop free environment Buttons Select VLAN Users from the Combined drop down list Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh ...

Page 120: ...etermines the packet s behavior at the egress side Buttons Select VLAN Users from the Static drop down list Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to refresh the page immediately Private VLAN The Private VLAN Membership Configuration page allows you to configure private VLAN membership The private VLAN membersh...

Page 121: ...a warning message appears Click OK to discard the incorrect entry or click Cancel to return to the editing and make a correction The private VLAN is enabled when you click Save The Delete button can be used to undo the addition of new Private VLANs Buttons Select Add new Private VLAN from the Static drop down list Select the Auto refresh check box to refresh the page automatically Automatic refres...

Page 122: ...d to promiscuous ports in the private VLAN Ports that can receive traffic from only promiscuous ports in the private VLAN The configuration of promiscuous and isolated ports applies to all private VLANs When traffic comes in on a promiscuous port in a private VLAN the VLAN mask from the VLAN table is applied When traffic comes in on an isolated port the private VLAN mask is applied in addition to ...

Page 123: ...ously saved values Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to refresh the page immediately VLAN setting examples This section covers the following setup scenarios Separate VLAN 802 1Q VLAN Trunk Port Isolate Two Separate 802 1Q VLANs The diagram below shows how the industrial managed switch handles tagged and un...

Page 124: ...l managed switch will tag it with a VLAN Tag 2 PC 2 and PC 3 will receive the packet through Port 2 and Port 3 2 PC 4 PC 5 and PC 6 received no packet 3 While the packet leaves Port 2 it will be stripped away becoming an untagged packet 4 While the packet leaves Port 3 it will remain as a tagged packet with VLAN Tag 2 Tagged packet entering VLAN 2 1 While PC 3 a tagged packet with VLAN Tag 2 enter...

Page 125: ...ate VLAN group Set VLAN Group 1 Default VLAN with VID VLAN ID 1 Add two VLANs VLAN 2 and VLAN 3 VLAN Group 2 with VID 2 VLAN Group 3 with VID 3 2 Assign VLAN member VLAN 2 Port 1 Port 2 and Port 3 VLAN 3 Port 4 Port 5 and Port 6 VLAN 1 All other ports Port 7 Port 24 3 Remove VLAN member for VLAN 1 Remember to remove Port 1 Port 6 from VLAN 1 membership since Port 1 Port 6 has been assigned to VLAN...

Page 126: ... trunking between two 802 1Q aware switches In most cases they are used for Uplink to other switches VLANs are separated at different switches but they need access to other switches within the same VLAN group Setup steps 1 Create a VLAN group Set VLAN Group 1 Default VLAN with VID VLAN ID 1 ...

Page 127: ... 3 member ports 5 Specify Port 8 to be the 802 1Q VLAN trunk port and the trunking port must be a tagged port during egress The Port 7 configuration is shown below Both the VLAN 2 members of Port 1 to Port 3 and VLAN 3 members of Port 4 to Port 6 belong to VLAN 1 But with different PVID settings packets from VLAN 2 or VLAN 3 are not able to access the other VLAN 6 Repeat Steps 1 to 5 by setting up...

Page 128: ...as promiscuous The Port Isolation Configuration page appears 2 Assign VLAN Member VLAN 1 Port 1 Port 2 Port 5 and Port 3 VLAN 2 Port 3 Port 6 The Private VLAN Membership Configuration page appears MAC based VLAN The MAC based VLAN entries can be configured on the MAC based VLAN Membership Configuration page This page allows for adding and deleting MAC based ...

Page 129: ...ng a New MAC based VLAN Click Add New Entry to add a new MAC based VLAN entry An empty row is added to the table and the MAC based VLAN entry can be configured as needed Any unicast MAC address can be configured for the MAC based VLAN entry No broadcast or multicast MAC addresses are allowed Legal values for a VLAN ID are 1 through 4095 The MAC based VLAN entry is enabled when clicking Save A MAC ...

Page 130: ...the following fields Object Description MAC Address Indicates the MAC address VLAN ID Indicates the VLAN ID Port Members Port members of the MAC based VLAN entry Buttons Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to refresh the page immediately IP subnet based VLAN The IP subnet based VLAN entries can be configured...

Page 131: ... VLAN entry To include a port in a IP subnet based VLAN select the check box To remove or exclude the port from the IP subnet based VLAN make sure the box is deselected By default no ports are members and all boxes are deselected Add New Entry Click Add New Entry to add a new IP subnet based VLAN entry An empty row is added to the table and the IP subnet based VLAN entry can be configured as neede...

Page 132: ...criteria for three different frame types For Ethernet Values in the text field when Ethernet is selected as a Frame Type is called etype Values for etype ranges from 0x0600 0xffff For LLC Valid value in this case is comprised of two different sub values a DSAP 1 byte long string 0x00 0xff b SSAP 1 byte long string 0x00 0xff For SNAP A valid value in this case is comprised of two different sub valu...

Page 133: ... empty row is added to the table and Frame Type Value and the Group Name can be configured as needed Click the Delete button to undo the addition of a new entry Buttons Click Add New Entry to add a new MAC based VLAN entry Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Select the Auto refresh check box to refresh the page automatically...

Page 134: ...selected Adding a New Group to VLAN mapping entry Click the Add New Entry to add a new entry in mapping table An empty row is added to the table and Frame Type Value and the Group Name can be configured as needed Click the Delete button to undo the addition of a new entry Buttons Click Add New Entry to add a new entry in the mapping table Click Save to save changes Click Reset to undo any changes ...

Page 135: ...P performs the following functions Creates a single spanning tree from any combination of switching or bridging elements Creates multiple spanning trees from any combination of ports contained within a single switch in user specified groups Automatically reconfigures the spanning tree to compensate for the failure addition or removal of any element in the tree Reconfigures the spanning tree withou...

Page 136: ... network This propagation delay can result in topology changes where a port that transitioned directly from a blocking state to a forwarding state could create temporary data loops Ports must wait for new network topology information to propagate throughout the network before starting to forward packets They must also wait for the packet lifetime to expire for BPDU packets that were forwarded base...

Page 137: ...te No packets except BPDUs are forwarded from or received by STP enabled ports until the forwarding state is enabled for that port STP parameters STP operation levels The industrial managed switch allows for two levels of operation the switch level and the port level The switch level forms a spanning tree consisting of links between one or more switches The port level constructs a spanning tree co...

Page 138: ...n the learning and listening states waiting for a BPDU that may return the port to the blocking state 15 seconds The following are the user configurable STP parameters for the port or port group level Variable Description Default Value Port Priority A relative priority for each port lower numbers give a higher priority and a greater chance of a given port being elected as the root port 128 Port Co...

Page 139: ...ecome the root bridge If the switch has the lowest bridge identifier it will become the root bridge Forward Delay Timer The forward delay can be from 4 to 30 seconds This is the time any port on the switch spends in the listening state while moving from the blocking state to the forwarding state Note Observe the following formulas when setting the above parameters Max Age _ 2 x Forward Delay 1 sec...

Page 140: ... factory settings and STP will automatically assign root bridges ports and block loop connections Influencing STP to choose a particular switch as the root bridge using the priority setting or influencing STP to choose a particular port to block using the port priority and port cost settings is however relatively straightforward In this example only the default STP values are used The switch with ...

Page 141: ...ng forwarding loops Extension Multiple Spanning Tree Protocol MSTP Defines an extension to RSTP to further develop the usefulness of virtual LANs VLANs This Per VLAN MSTP configures a separate spanning tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree The page includes the following fields Basic settings Object Description Protocol Version Th...

Page 142: ...are in the range of 1 to 10 BPDU s per second Advanced settings Object Description Edge Port BPDU Filtering Controls whether a port explicitly configured as Edge will transmit and receive BPDUs Edge Port BPDU Guard Controls whether a port explicitly configured as Edge will disable itself upon reception of a BPDU The port enters the error disabled state and is removed from the active topology Port ...

Page 143: ...idge ID of this bridge instance Root ID The bridge ID of the currently elected root bridge Root Port The switch port currently assigned the root port role Root Cost Root Path Cost For the root bridge this is zero For all other bridges it is the sum of the port path costs on the least cost path to the root bridge Topology Flag The current state of the topology change flag for this bridge instance T...

Page 144: ...NS3562 8P 2S V2 Industrial Managed Switch User Manual CIST port configuration This STP CIST Port Configuration page permits the user to inspect and change the current STP CIST port configurations The page includes the following fields ...

Page 145: ...the bridge should enable automatic edge detection on the bridge port This allows operEdge to be derived from BPDUs received on the port Restricted Role If enabled causes the port not to be selected as root port for the CIST or any MSTI even if it has the best spanning tree priority vector Such a port will be selected as an alternate port after the root port has been selected If set it can cause a ...

Page 146: ...t path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 Recommended STP path cost range By default the system automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path...

Page 147: ...he user to inspect and change the current STP MSTI bridge instance priority configurations The page includes the following fields Object Description MSTI The bridge instance The CIST is the default instance which is always active Priority Controls the bridge priority Lower numerical values have higher priority The bridge priority plus the MSTI instance number concatenated with the 6 byte MAC addre...

Page 148: ...onfiguration 144 NS3562 8P 2S V2 Industrial Managed Switch User Manual MSTI configuration The MSTI Configuration page permits the user to inspect and change the current STP MSTI bridge instance priority configurations ...

Page 149: ... the VLANs not explicitly mapped VLANs Mapped The list of VLAN s mapped to the MSTI The VLANs must be separated with a comma and or space A VLAN can only be mapped to one MSTI A unused MSTI should be left empty i e not have any VLANs mapped to it Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values MSTI ports configuration The MSTI P...

Page 150: ...path cost incurred by the port The Auto setting sets the path cost as appropriate by the physical link speed using the 802 1D recommended values Using the Specific setting a user defined value can be entered The path cost is used when establishing the active topology of the network Lower path cost ports are chosen as forwarding ports in favor of higher path cost ports Valid values are in the range...

Page 151: ...udes the following fields Object Description Port The switch port number of the logical STP port CIST Role The current STP port role of the ICST port The port role can be one of the following values AlternatePort BackupPort RootPort DesignatedPort CIST State The current STP port state of the CIST port The port state can be one of the following values Disabled Blocking Learning Forwarding Non STP U...

Page 152: ... of legacy STP Configuration BPDU s received transmitted on the port TCN The number of legacy Topology Change Notification BPDU s received transmitted on the port Discarded Unknown The number of unknown Spanning Tree BPDU s received and discarded on the port Discarded Illegal The number of illegal Spanning Tree BPDU s received and discarded on the port Buttons Select the Auto refresh check box to ...

Page 153: ... used to communicate this information IGMP is also used to periodically check the multicast group for members that are no longer active In the case where there is more than one multicast router on a sub network one router is elected as queried This router then keeps track of the membership of the multicast groups that have active members The information received from IGMP is then used to determine...

Page 154: ...Chapter 4 Web configuration 150 NS3562 8P 2S V2 Industrial Managed Switch User Manual Multicast flooding IGMP snooping multicast stream control ...

Page 155: ...the membership of multicast groups on their respective sub networks The following outlines what is communicated between a multicast router and a multicast group member using IGMP A host sends an IGMP report to join a group A host will never send a report when it wants to leave a group for version 1 A host will send a leave report when it wants to leave a group for version 2 Multicast routers send ...

Page 156: ...devices is elected querier and assumes the role of querying the LAN for group members It then propagates the service requests to any upstream multicast switch router to ensure that it will continue to receive the multicast service Note Multicast routers use this information along with a multicast routing protocol such as DVMRP or PIM to support IP multicasting across the Internet IGMP snooping con...

Page 157: ...Snooping is enabled When IGMP snooping is disabled unregistered IPMCv4 traffic flooding is always active IGMP SSM Range SSM Source Specific Multicast range allows the SSM aware hosts and routers run the SSM service model for the groups in the address range Leave Proxy Enable Enable IGMP leave proxy This feature can be used to avoid forwarding unnecessary leave messages to the router side Proxy Ena...

Page 158: ...P router being connected to this port Use this mode when connecting other IGMP multicast servers directly to the non querier industrial managed switch and you don t want the multicast stream to be flooded to the uplink switch through the port that connected to the IGMP querier Fast Leave Enable the fast leave on the port Throtting Enable to limit the number of multicast groups to which a switch po...

Page 159: ... It indicates the IGMP control frame priority level generated by the system These values can be used to prioritize different classes of traffic The allowed range is 0 best effort to 7 highest The default interface priority value is 0 RV Robustness Variable The RV permits tuning for the expected packet loss on a network The allowed range is 1 to 255 The default robustness variable value is 2 QI Que...

Page 160: ... feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the number of simultaneous multicast groups a port can join The IGMP Snooping Port Group Filtering Configuration page permits assigning a profile to a switch port that specifies multicast groups that are permitted or denied on the port An IGMP filter profile can cont...

Page 161: ... during the next save Port The logical port for the settings Filtering Group The IP multicast group that will be filtered Buttons Click Add New Filtering Group to add a new entry to the Group Filtering table Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values IGMP snooping status The IGMP Snooping Status page provides IGMP snooping status ...

Page 162: ...ports that are acting as router ports Port Switch port number Status Indicates whether or not the specific port is a router port Buttons Click Refresh to refresh the page immediately Click Clear to clear all statistics counters Select Auto refresh to automatically refresh the page every three seconds IGMP group information Entries in the IGMP group table are shown in the IGMP Snooping Group Inform...

Page 163: ...ntly shown IGMPv3 information Entries in the IGMP SFM Source Filtered Multicast information table are shown on the IGMP SFM Information page The table also contains SSM Source Specific Multicast information The table is sorted first by VLAN ID then by group and then by port number Different source addresses that belong to the same group are treated as a single entry Each page shows up to 99 entrie...

Page 164: ...ddresses for filtering to 128 Type Indicates the type It can be either Allow or Deny Hardware Filter Switch Indicates if the data plane destined to the specific group address from the source IPv4 address can be accomodated by the chip Buttons Select Auto refresh to automatically refresh the page every three seconds Click Refresh to refresh the table starting from the input fields Click I to update...

Page 165: ...fy which ports act as router ports A router port is a port on the Ethernet switch that leads towards the Layer 3 multicast device or MLD querier If an aggregation member port is selected as a router port the whole aggregation acts as a router port Selections are Auto Fix Fone and the default compatibility value is Auto All means all ports will have one specific setting Fast Leave Enable fast leave...

Page 166: ...ween general queries sent by the querier The allowed range is 1 to 31744 seconds The default query interval is 125 seconds QRI Query Response Interval This is the maximum response time used to calculate the maximum resp code inserted into the periodic general queries The allowed range is 0 to 31744 in tenths of seconds The default query response interval is 100 in tenths of seconds 10 seconds LLQI...

Page 167: ...D throttling limits the number of simultaneous multicast groups a port can join The MLD Snooping Port Filtering Profile Configuration page permits assigning a profile to a switch port that specifies multicast groups that are permitted or denied on the port A MLD filter profile can contain one or more or a range of multicast addresses However only one profile can be assigned to a port When enabled ...

Page 168: ...ry will be deleted during the next save Port The logical port for the settings Filtering Group The IP Multicast Group that will be filtered Buttons Click Add New Filtering Group to add a new entry to the Group Filtering table Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values MLD snooping status The MLD Snooping Status page provides MLD sn...

Page 169: ...he ports that are acting as router ports Port Switch port number Status Indicates whether or not the specific port is a router port Buttons Click Refresh to refresh the page immediately Click Clear to clear all statistics counters Select Auto refresh to automatically refresh the page every three seconds MLD group information Entries in the MLD group table are shown in the MLD Snooping Group Inform...

Page 170: ...y currently shown MLDv2 information Entries in the MLD SFM Source Filtered Multicast information table are shown on the IGMP SFM Information page The table also contains SSM Source Specific Multicast information The table is sorted first by VLAN ID then by group and then by port number Different source addresses that belong to the same group are treated as single entry Each page shows up to 99 ent...

Page 171: ...e starting from the input fields Click I to update the table starting from the first entry in the MLD SFM information table Click to update the table starting with the entry after the last entry currently shown MVR Multicast VLAN Registration The MVR feature enables multicast traffic forwarding on the Multicast VLANs In a multicast television application a computer or a network television or a set...

Page 172: ...Chapter 4 Web configuration 168 NS3562 8P 2S V2 Industrial Managed Switch User Manual The MVR Configurations page provides MVR related configuration information ...

Page 173: ...Chapter 4 Web configuration NS3562 8P 2S V2 Industrial Managed Switch User Manual 169 The page includes the following fields ...

Page 174: ...ment address of the IP interface associated with this VLAN When the IPv4 management address is not set the system uses the first available IPv4 management address Otherwise the system uses a pre defined value By default this value is 192 0 2 1 Mode Specify the MVR mode of operation In Dynamic mode default setting MVR allows dynamic MVR membership reports on source ports In Compatible mode MVR memb...

Page 175: ...e multicast data It does not receive data unless it becomes a member of the multicast group by issuing IGMP MLD messages Caution We do not recommend overlapping MVR source ports with management VLAN ports Select the port role by clicking the Role symbol to switch the setting I indicates Inactive S indicates Source R indicates Receiver The default Role is Inactive Immediate Leave Enable the fast le...

Page 176: ...s Received The number of received IGMPv2 leaves and MLDv1 dones respectively Buttons Click Refresh to refresh the page immediately Click Clear to clear all statistics counters Select Auto refresh to automatically refresh the page every three seconds MVR groups information Entries in the MVR group table are shown in the MVR Channels Groups Information page The MVR group table is sorted first by VLA...

Page 177: ...n MVR SFM information Entries in the MVR SFM Source Filtered Multicast information table are shown on the MLD SFM Information page The table also contains SSM Source Specific Multicast information The table is sorted first by VLAN ID then by group and then by port number Different source addresses that belong to the same group are treated as single entry Each page shows up to 99 entries from the M...

Page 178: ...starting from the first entry in the MVR SFM information table Click to update the table starting with the entry after the last entry currently shown Quality of Service QoS Understanding QoS Quality of Service QoS is an advanced traffic prioritization feature that allows you to establish control over network traffic QoS permits the assignment of various grades of network service to different types...

Page 179: ...network Service Level Defines the priority given to a set of classified traffic You can create and modify service levels Policy Comprises a set of rules that are applied to a network so that a network meets the needs of the business That is traffic can be prioritized across a network according to its importance to that particular business type QoS Profile Consists of multiple sets of rules classif...

Page 180: ...000000 when the Unit is kbps or fps and it is restricted to 1 3300 when the Unit is Mbps or kfps Unit Controls the unit of measure for the policer rate as kbps Mbps fps or kfps The default value is kbps Flow Control If flow control is enabled and the port is in flow control mode then pause frames are sent instead of discarding frames Buttons Click Save to save changes Click Reset to undo any chang...

Page 181: ... Click on the port number to configure the shapers For more details refer to Error Reference source not found Error Bookmark not defined Q0 Q7 Shows disabled or actual queue shaper rate e g 800 Mbps Port Shows disabled or actual port shaper rate e g 800 Mbps QoS egress port schedule and shapers The port scheduler and shapers for a specific port are configured on the QoS Egress Port Schedule and Sh...

Page 182: ...e The default value is 17 This value is restricted to 1 100 This parameter only appears if Scheduler Mode is set to Weighted Queue Scheduler Percent Shows the weight in percent for this queue This parameter only appears if Scheduler Mode is set to Weighted Port Shaper Enable Controls whether the port shaper is enabled for this switch port Port Shaper Rate Controls the rate for the port shaper The ...

Page 183: ...t DPL The classified DPL can be overruled by a QCL entry All means all ports will have one specific setting PCP Controls the default PCP value All frames are classified to a PCP value If the port is VLAN aware and the frame is tagged then the frame is classified to the PCP value in the tag Otherwise the frame is classified to the default PCP value All means all ports will have one specific setting...

Page 184: ...on DSCP Based Select DSCP Based to enable DSCP based QoS ingress port classification Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values QoS ingress port tag classification Configure the classification modes for tagged frames on this page ...

Page 185: ...QoS class DP level values when Tag Classification is set to Enabled Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Click Cancel to return to the previous page Port scheduler The QoS Egress Port Schedulers page provides an overview of the QoS egress port schedulers for all switch ports The page includes the following fields Obje...

Page 186: ...l port for the settings contained in the same row Click on the port number to configure tag remarking For further details refer to QoS egress port tag remarking below Mode Shows the tag remarking mode for this port Classified Use classified PCP DEI values Default Use default PCP DEI values Mapped Use mapped versions of QoS class and DP level QoS egress port tag remarking The QoS Egress Port Tag Re...

Page 187: ... DEI Configuration Controls the default PCP and DEI values used when the mode is set to Default QoS class DP level to PCP DEI Mapping Controls the mapping of the classified QoS class DP level to PCP DEI values when the mode is set to Mapped Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Click Cancel to return to the previous pa...

Page 188: ...tion window for the specific DSCP All Classify all DSCP Egress Selections for Rewrite are as follows Disable No egress rewrite Enable Rewrite enabled without remapping Remap DP Unaware DSCP from the analyzer is remapped and the frame is remarked with the remapped DSCP value The remapped DSCP value is always taken from the DSCP Translation Egress Remap DP0 table Remap DP Aware DSCP from the analyze...

Page 189: ...ontrols whether a specific DSCP value is trusted Only frames with trusted DSCP values are mapped to a specific QoS class and Drop Precedence Level Frames with untrusted DSCP values are treated as a non IP frame QoS Class QoS Class values can be between 0 7 DPL Drop Precedence Level 0 1 Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved va...

Page 190: ...e following fields Object Description DSCP The maximum number of supported DSCP values is 64 and valid DSCP values range from 0 to 63 Ingress The Ingress side of DSCP can be first translated to new DSCP before using the DSCP for the QoS class and DPL map There are two configuration parameters for DSCP Translation Translate Classify Translate DSCP at the Ingress side can be translated to any of 0 6...

Page 191: ...values will assign to whole DSCP values Select the DSCP value from select menu to which you want to remap DSCP value ranges from 0 to 63 Remap DP1 The Configuration All with available values will assign to whole DSCP values Select the DSCP value from select menu to which you want to remap DSCP value ranges from 0 to 63 Buttons Click Save to save changes Click Reset to undo any changes made locally...

Page 192: ...escribes a QCE that is defined The maximum number of QCEs is 256 on each switch Click on the lowest plus sign to add a new QCE to the list The page includes the following fields Object Description QCE Indicates the index of QCE Port Indicates the list of ports configured with the QCE DMAC Specify the type of Destination MAC addresses for incoming frames Selections include Any All types of Destinat...

Page 193: ... Type 0x600 0xFFFF are allowed LLC Only LLC frames are allowed SNAP Only SNAP frames are allowed IPv4 The QCE only matches IPV4 frames IPv6 The QCE only matches IPV6 frames Action Indicates the classification action taken on the ingress frame if the parameters configured match with the frame s content Action fields include Class Classified QoS class DPL Classified Drop Precedence Level DSCP Classi...

Page 194: ...Chapter 4 Web configuration 190 NS3562 8P 2S V2 Industrial Managed Switch User Manual The page includes the following fields ...

Page 195: ...tions are 0x00 to 0xFF or Any default value Control Address Control Address selections are 0x00 to 0xFF or Any default value SNAP PID PID a k a Ethernet type elections are 0x00 to 0xFFFF or Any default value IPv4 Protocol IP protocol number 0 255 TCP or UDP or Any Source IP Specific Source IP address in value mask format or Any IP and Mask are in the format x y z w where x y z and w are decimal nu...

Page 196: ... QoS Control List Status page shows the QCL status by different QCL users Each row describes the QCE that is defined A conflict occurs if a specific QCE is not applied to the hardware due to hardware limitations The maximum number of QCEs is 256 on each switch The page includes the following fields Object Description User Indicates the QCL user QCE Indicates the index of QCE Port Indicates the lis...

Page 197: ...tus of QCL entries when hardware resources are shared by multiple applications It may happen that resources required to add a QCE may not be available in which case it shows conflict status as Yes otherwise it is always No Conflict can be resolved by releasing the hardware resources required to add the QCL entry by clicking the Resolve Conflict button Buttons Select the QCL status from the Combine...

Page 198: ...f the queue policers are enabled Unit Controls the unit of measure for the queue policer rate as kbps or Mbps This field is only shown if at least one of the queue policers are enabled Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Storm control configuration Storm control for the switch is configured on the Storm Control Confi...

Page 199: ...nable or disable the storm control status for the given frame type Rate The rate unit is packets per second pps Valid values are 1 2 4 8 16 32 64 128 256 512 1K 2K 4K 8K 16K 32K 64K 128K 256K 512K 1024K 2048K 4096K 8192K 16384K or 32768K Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values QoS statistics The Queuing Counters page pro...

Page 200: ...k Clear to clear the counters for all ports Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Voice VLAN configuration The Voice VLAN Configuration page contains the Voice VLAN feature This enables voice traffic forwarding on the Voice VLAN permitting the switch to classify and schedule network traffic We recommended that there be two ...

Page 201: ...e VLAN port mode Selections include Disabled Disjoin from Voice VLAN Auto Enable auto detect mode It detects if there is a VoIP phone attached to the specific port and configures the Voice VLAN members automatically Forced Force join to Voice VLAN All All ports will have one specific setting Port Security Indicates the Voice VLAN port security mode When the function is enabled all non telephone MA...

Page 202: ...ring length is 0 to 32 Buttons Click Add New Entry to add a new access management entry Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Access Control Lists ACL ACL is an acronym for Access Control List It is the list table of ACEs containing access control entries that specify individual users or groups permitted or denied to specific ...

Page 203: ...tch The page includes the following fields Object Description User Indicates the ACL user Ingress Port Indicates the ingress port of the ACE Values include All The ACE matches all ingress ports Port The ACE matches a specific ingress port Frame Type Indicates the frame type of the ACE Values are Any The ACE matches any frame type EType The ACE matches Ethernet Type frames Note that an Ethernet Typ...

Page 204: ...ic ACE The specific ACE is not applied to the hardware due to hardware limitations Buttons Select the ACL status from the Combined drop down list Select the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to refresh the page ACL configuration The Access Control List Configuration page shows the Access Control List ACL which is mad...

Page 205: ...he port redirect operation of the ACE Frames matching the ACE are redirected to the port number The allowed values are Disabled or a specific port number When Disabled is shown the port redirect operation is disabled Counter The counter indicates the number of times the ACE was hit by a frame Modification Buttons Modify each ACE Access Control Entry in the table using the following buttons Inserts...

Page 206: ...y Filter Specify the policy number filter for this ACE Any No policy filter is specified policy filter status is don t care Specific If you want to filter a specific policy with this ACE choose this value Two fields for entering a policy value and bitmask appear Policy Value When Specific is selected for the policy filter you can enter a specific policy value The permitted range is 0 to 255 Policy...

Page 207: ... EVC policer is enabled or disabled The default value is Disabled EVC Policer ID Select which EVC policer ID to apply on this ACE The allowed values are Disabled or the values 1 through 128 Port Redirect Frames that hit the ACE are redirected to the port number specified here The allowed range is the same as the switch port number range Disabled indicates that the port redirect operation is disabl...

Page 208: ...pecific is selected for the DMAC filter you can enter a specific destination MAC address The legal format is xx xx xx xx xx xx or xx xx xx xx xx xx or xxxxxxxxxxxx x is a hexadecimal digit A frame that hits this ACE matches this DMAC value VLAN parameters Object Description 802 1Q Tagged Specify whether frames can hit the action according to the 802 1Q tagged Selections include Any Any value is al...

Page 209: ...ecified Target IP filter is don t care Host Target IP filter is set to Host Specify the target IP address in the Target IP Address field that appears Network Target IP filter is set to Network Specify the target IP address and target IP mask in the Target IP Address and Target IP Mask fields that appear Target IP Address When Host or Network is selected for the target IP filter you can enter a spe...

Page 210: ...IPv4 ICMP protocol frames Extra fields for defining ICMP parameters appear UDP Select UDP to filter IPv4 UDP protocol frames Extra fields for defining UDP parameters will appear TCP Select TCP to filter IPv4 TCP protocol frames Extra fields for defining TCP parameters will appear IP Protocol Value When Specific is selected for the IP protocol value you can enter a specific value The allowed range ...

Page 211: ...e DIP Address field that appears Network Destination IP filter is set to Network Specify the destination IP address and destination IP mask in the DIP Address and DIP Mask fields that appear DIP Address When Host or Network is selected for the destination IP filter you can enter a specific DIP address in dotted decimal notation DIP Mask When Network is selected for the destination IP filter you ca...

Page 212: ...Chapter 4 Web configuration 208 NS3562 8P 2S V2 Industrial Managed Switch User Manual TCP UDP parameters ...

Page 213: ...stination value A field for entering a TCP UDP destination value appears Range To filter a specific range TCP UDP destination filter with this ACE you can enter a specific TCP UDP destination range value A field for entering a TCP UDP destination value appears TCP UDP Destination Number When Specific is selected for the TCP UDP destination filter you can enter a specific TCP UDP destination value ...

Page 214: ...d don t care Ethernet type parameters Ethernet Type parameters can be configured when Ethernet Type is selected as the Frame Type Object Description EtherType Filter Specify the Ethernet type filter for this ACE Any No EtherType filter is specified EtherType filter status is don t care Specific If you want to filter a specific EtherType filter with this ACE you can enter a specific EtherType value...

Page 215: ...fic port number and it can t be set when action is permitted All means all ports will have one specific setting Mirror Specify the mirror operation of this port The allowed values are Enabled Frames received on the port are mirrored Disabled Frames received on the port are not mirrored The default value is Disabled All means all ports will have one specific setting Logging Specify the logging oper...

Page 216: ...of the ACL user module The default value is Enabled All means all ports will have one specific setting Counter Counts the number of frames that match this ACE Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Click Refresh to refresh the page Any changes made locally are undone Click Clear to clear the counters ACL rate limiter co...

Page 217: ...e authentication server The switch acts as the man in the middle forwarding requests and responses between the supplicant and the authentication server Frames sent between the supplicant and the switch are special 802 1X EAPOL EAP Over LANs frames EAPOL frames encapsulate EAP PDUs RFC3748 Frames sent between the switch and the RADIUS server are RADIUS packets RADIUS packets also encapsulate EAP PD...

Page 218: ...hird party switch or a hub and still require individual authentication and the clients don t need special supplicant software to authenticate The disadvantage is that MAC addresses can be spoofed by malicious users equipment whose MAC address is a valid RADIUS user that can be used by anyone and only the MD5 Challenge method is supported The 802 1X and MAC based authentication configuration consis...

Page 219: ...identity of the client and notifies the switch if the client is authorized to access the LAN and switch services Because the switch acts as the proxy the authentication service is transparent to the client In this release the Remote Authentication Dial In User Service RADIUS security system with Extensible Authentication Protocol EAP extensions is the only supported authentication server which is ...

Page 220: ... followed by one or more requests for authentication information Upon receipt of the frame the client responds with an EAP response identity frame However if the client does not receive an EAP request identity frame from the switch during bootup the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If 802 1X is not ena...

Page 221: ...ocol the client initiates the authentication process by sending the EAPOL start frame When no response is received the client sends the request for a fixed number of times Because no response is received the client begins sending frames as if the port is in the authorized state If the client is successfully authenticated receives an accept frame from the authentication server the port state change...

Page 222: ...to right and continues until a method either approves or rejects a user If a remote server is used for primary authentication we recommend configuring secondary authentication as local This permits the management client to log in via the local user database if none of the configured authentication servers are valid Fallback Enable fallback to local authentication by selecting this check box If non...

Page 223: ... but non standard variants overcome security limitations MAC based authentication permits authentication of more than one user on the same port and doesn t require the user to have special 802 1X supplicant software installed on the system The switch uses the MAC address to authenticate against the back end server Intruders can create counterfeit MAC addresses which makes MAC based authentication ...

Page 224: ...Chapter 4 Web configuration 220 NS3562 8P 2S V2 Industrial Managed Switch User Manual The page includes the following fields System configuration ...

Page 225: ... When the NAS module uses the port security module to secure MAC addresses the port security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within a given period of time This parameter controls exactly this period and can be set to a number between 10 and 1000000 seconds If reauthentication is enabled and the port is...

Page 226: ...a special VLAN typically with limited network access on which 802 1X unaware clients are placed after a network administrator defined timeout The switch follows a set of rules for entering and leaving the Guest VLAN as listed below The Guest VLAN Enabled check box provides a quick way to globally enable disable Guest VLAN functionality When selected the individual ports ditto setting determines wh...

Page 227: ...Chapter 4 Web configuration NS3562 8P 2S V2 Industrial Managed Switch User Manual 223 Port configuration The table has one row for each port on the selected switch and a number of columns which are ...

Page 228: ...Chapter 4 Web configuration 224 NS3562 8P 2S V2 Industrial Managed Switch User Manual Object Description Port The port number for which the configuration below applies ...

Page 229: ...taining a success or failure indication Besides forwarding this decision to the supplicant the switch uses it to open up or block traffic on the switch port connected to the supplicant Note Suppose two back end servers are enabled and that the server timeout is configured to X seconds using the AAA configuration page and suppose that the first server in the list is currently down but not considere...

Page 230: ...rely a best practices method adopted by the industry In MAC based authentication users are called clients and the switch acts as the supplicant on behalf of clients The initial frame any kind of frame sent by a client is snooped by the switch which in turn uses the client s MAC address as both username and password in the subsequent EAP exchange with the RADIUS server The 6 byte MAC address is con...

Page 231: ...erver when a supplicant is successfully authenticated If present and valid the port s Port VLAN ID will be changed to this VLAN ID the port will be set to be a member of that VLAN ID and the port will be forced into VLAN unaware mode Once assigned all traffic arriving on the port will be classified and switched on the RADIUS assigned VLAN ID If re authentication fails or the RADIUS Access Accept p...

Page 232: ...ll not transmit an EAPOL Success frame when entering the Guest VLAN While in the Guest VLAN the switch monitors the link for EAPOL frames and if one such frame is received the switch immediately takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode If an EAPOL frame is received the port will never be able to go back into the Guest VLAN if the Allo...

Page 233: ...a description of possible values Port State The current state of the port Refer to NAS Port State for a description of the individual states Last Source The source MAC address carried in the most recently received EAPOL frame for EAPOL based authentication and the most recently received frame from a new client for MAC based authentication Last ID The user name supplicant identity carried in the mo...

Page 234: ...thentication For MAC based ports it only shows selected back end server RADIUS Authentication Server statistics Use the port drop down menu to select the port details to be displayed The page includes the following fields Port state Object Description Admin State The port s current administrative state Refer to NAS Admin State for a description of possible values Port State The current state of th...

Page 235: ...Chapter 4 Web configuration NS3562 8P 2S V2 Industrial Managed Switch User Manual 231 Port counters ...

Page 236: ...ther than Response Identity frames that have been received by the switch Rx Start dot1xAuthEapolStartFr amesRx The number of EAPOL Start frames that have been received by the switch Rx Logoff dot1xAuthEapolLogoff FramesRx The number of valid EAPOL Logoff frames that have been received by the switch Rx Invalid Type dot1xAuthInvalidEapol FramesRx The number of EAPOL frames that have been received by...

Page 237: ...uration NS3562 8P 2S V2 Industrial Managed Switch User Manual 233 Tx Requests dot1xAuthEapolReqFr amesTx The number of valid EAPOL Request frames other than Request Identity frames that have been transmitted by the switch ...

Page 238: ...nges received from the back end server for this port left most table or client right most table Rx Other Requests dot1xAuthBack endOtherRequestsTo Supplicant 802 1X based Counts the number of times that the switch sends an EAP Request packet following the first to the supplicant Indicates that the back end server chose an EAP method MAC based Not applicable Rx Auth Successe s dot1xAuthBack endAuth...

Page 239: ...e not counted Last Supplicant Client Info Information about the last supplicant client that attempted to authenticate This information is available for the following administrative states Port based 802 1X Single 802 1X Multi 802 1X MAC based Auth Name IEEE Name Description MAC Address dot1xAuthLastEapo lFrameSource The MAC address of the last supplicant client VLAN ID The VLAN ID on which the las...

Page 240: ... the MAC address of the attached client Clicking the link causes the client s back end server counters to be shown in the Selected Counters table If no clients are attached it shows no clients attached VLAN ID This column holds the VLAN ID that the corresponding client is currently secured through the Port Security module State The client can either be authenticated or unauthenticated In the authe...

Page 241: ...forming this action will not clear Last Client This button is available in the following modes Multi 802 1X MAC based Auth X Click Clear This to clear only the currently selected client s counter This button is available in the following modes Multi 802 1X MAC based Auth X Authentication server configuration Configure the authentication servers on the Authentication Server Configuration page ...

Page 242: ...rom continually trying to contact a server that it has already determined as dead Setting the Dead Time to a value greater than 0 zero will enable this feature but only if more than one server has been configured RADIUS authentication accounting server configuration The table has one row for each RADIUS server and a number of columns which are Object Description The RADIUS server number for which ...

Page 243: ...CACS authentication server Secret The secret up to 29 characters long shared between the TACACS authentication server and the switch Buttons Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values RADIUS overview The RADIUS Authentication Accounting Server Overview page provides an overview of the status of the RADIUS servers configurable on th...

Page 244: ...erver is enabled but IP communication is not yet up and running Ready The server is enabled IP communication is up and running and the RADIUS module is ready to accept access or accounting attempts Dead X seconds left Access or accounting attempts were made to this server but it did not reply within the configured timeout The server has temporarily been disabled but will get re enabled when the de...

Page 245: ...s for Server overview page provides detailed statistics for a particular RADIUS server The page includes the following fields RADIUS authentication statistics The statistics map closely to those specified in RFC4668 RADIUS Authentication Client MIB Use the server select box to switch between the back end servers to show details for each ...

Page 246: ...mber of malformed RADIUS Access Response packets received from the server Malformed packets include packets with an invalid length Bad authenticators or Message Authenticator attributes or unknown types are not included as malformed access responses Rx Bad Authenticator s radiusAuthClientEx tBadAuthenticators The number of RADIUS Access Response packets containing invalid authenticators or Message...

Page 247: ...ion NS3562 8P 2S V2 Industrial Managed Switch User Manual 243 Tx Access Retransmissi ons radiusAuthClientEx tAccessRetransmis sions The number of RADIUS Access Request packets retransmitted to the RADIUS authentication server ...

Page 248: ...uthClientEx tPendingRequests The number of RADIUS Access Request packets destined for the server that have not yet timed out or received a response This variable is incremented when an Access Request is sent and decremented due to receipt of an Access Accept Access Reject Access Challenge timeout or retransmission ...

Page 249: ...ientEx tTimeouts The number of authentication timeouts to the server After a timeout the client may retry to the same server send to a different server or give up A retry to the same server is counted as a retransmit as well as a timeout A send to a different server is counted as a Request as well as a timeout ...

Page 250: ... this server but it did not reply within the configured timeout The server has temporarily been disabled but will get re enabled when the dead time expires The number of seconds left before this occurs is displayed in parentheses This state is only reachable when more than one server is enabled Round Trip Time radiusAuthClie ntExtRoundTrip Time The time interval measured in milliseconds between th...

Page 251: ... containing invalid authenticators received from the server Rx Unknown Types radiusAccClientEx tUnknownTypes The number of RADIUS packets of unknown types that were received from the server on the accounting port Rx Packets Dropped radiusAccClientEx tPacketsDropped The number of RADIUS packets that were received from the server on the accounting port and dropped for some other reason Tx Requests r...

Page 252: ... is not yet up and running Ready The server is enabled IP communication is up and running and the RADIUS module is ready to accept accounting attempts Dead X seconds left Accounting attempts were made to this server but it did not reply within the configured timeout The server has temporarily been disabled but will get re enabled when the dead time expires The number of seconds left before this oc...

Page 253: ... up the RADIUS server and assign the client IP address to the industrial managed switch in this case the field in the default IP address of the industrial managed switch with 192 168 0 100 Ensure that the shared secret key is as same as the one you had set at the industrial managed switch s 802 1x system configuration 12345678 in this case 1 Configure the IP Address of remote RADIUS server and sec...

Page 254: ...d secret key should be as same as the key configured on the industrial managed switch 5 Configure ports attribute of 802 1X the same as 802 1X Port Configuration 6 Create user data The establishment of the user data needs to be created on the Radius Server PC For example select Active Directory Users and Computers and create legal user data Windows Server 2003 ...

Page 255: ...Chapter 4 Web configuration NS3562 8P 2S V2 Industrial Managed Switch User Manual 251 7 Right click a user that you created and then type in properties and configure settings ...

Page 256: ... Windows XP has native support for 802 1X The following procedures show how to configure 802 1X Authentication in Windows XP Please note that if you want to change the 802 1x authentication type of a wireless client i e switch to EAP TLS from EAP MD5 you must remove the current existing wireless network from your preferred connection first and add it in again Configuration sample EAP MD5 authentic...

Page 257: ... Select Enable network access control using IEEE 802 1X to enable 802 1x authentication 6 Select MD 5 Challenge from the drop down list box for EAP type 7 Click OK 8 When the client has associated with the industrial managed switch a user authentication notice appears in the system tray Click on the notice to continue ...

Page 258: ...on domain that your account belongs to 10 Click OK to complete the validation process Security This section describes how to control access to the managed switch including user access and management control The Security page contains links to the following main topics Port Limit Control Access Management HTTPs SSH DHCP Snooping ...

Page 259: ...e number of users on a given port A user is identified by a MAC address and VLAN ID If limit control is enabled on a port the limit specifies the maximum number of users on the port If this number is exceeded an action is taken The action can be one of the four different actions as described below The limit control module utilizes a lower layer port security module that manages MAC addresses learn...

Page 260: ...use the shorter requested aging period of all modules that use the functionality The Aging Period can be set to a number between 10 and 10 000 000 seconds To understand why aging may be required consider the following scenario Suppose an end host is connected to a third party switch or hub which in turn is connected to a port on this switch on which Limit Control is enabled The end host will be al...

Page 261: ...Chapter 4 Web configuration NS3562 8P 2S V2 Industrial Managed Switch User Manual 257 Port configuration The table has one row for each port on the selected switch and a number of columns ...

Page 262: ...t 1 MAC addresses are seen on the port shut down the port This implies that all secured MAC addresses will be removed from the port and no new addresses will be learned Even if the link is physically disconnected and reconnected on the port by disconnecting the cable the port will remain shut down There are three ways to re open the port 1 Boot the stack or elect a new master switch 2 Disable and ...

Page 263: ... access management mode operation Delete Check to delete the entry It will be deleted during the next apply VLAN ID Indicates the VLAN ID for the access management entry Start IP address Indicates the start IP address for the access management entry End IP address Indicates the end IP address for the access management entry HTTP HTTPS Indicates the host can access the switch from the HTTP HTTPS in...

Page 264: ...kets The received packets number from the interface under access management mode is enabled Allow Packets The allowed packets number from the interface under access management mode is enabled Discard Packets The discarded packets number from the interface under access management mode is enabled Buttons Click Refresh to refresh the page immediately Click Auto refresh to to refresh the page automati...

Page 265: ...isabled Disable HTTPS redirect mode operation Buttons Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values SSH Configure SSH on the SSH Configuration page This page shows the Port Security status Port Security is a module with no direct configuration Configuration comes indirectly from other user modules When a user module has enabled port...

Page 266: ...direct configuration Configuration comes indirectly from other user modules When a user module has enabled port security on a port the port is set up for software based learning In this mode frames from unknown MAC addresses are passed on to the port security module which in turn asks all user modules whether to allow this new MAC address to forward or block it For a MAC address to be set in the f...

Page 267: ...dules that may request Port Security services Object Description User Module Name The full name of a module that may request port security services Abbr A one letter abbreviation of the user module This is used in the Users column in the port status table Port status The table has one row for each port on the selected switch in the switch and a number of columns which are ...

Page 268: ...ministratively re opened on the Limit Control configuration web page MAC Count Current Limit The two columns indicate the number of currently learned MAC addresses forwarding as well as blocked and the maximum number of MAC addresses that can be learned on the port respectively If no user modules are enabled on the port the Current column will show a dash If the Limit Control user module is not en...

Page 269: ... has decided to block this MAC address it will stay in the blocked state until the hold time measured in seconds expires If all user modules have decided to allow this MAC address to forward and aging is enabled the Port Security module will periodically check that this MAC address still forwards traffic If the age period measured in seconds expires and no frames have been seen the MAC address wil...

Page 270: ...Chapter 4 Web configuration 266 NS3562 8P 2S V2 Industrial Managed Switch User Manual Configure DHCP Snooping on the DHCP Snooping Configuration page ...

Page 271: ...o any changes made locally and revert to previously saved values Snooping table The Dynamic DHCP Snooping Table page displays the dynamic IP assigned information after DHCP Snooping mode is disabled All DHCP clients that obtained the dynamic IP address from the DHCP server will be listed in this table except for local VLAN interface IP addresses Entries in the Dynamic DHCP snooping Table are shown...

Page 272: ...oth Global Mode and Port Mode on a given port are enabled will IP Source Guard be enabled on this port Max Dynamic Clients Specify the maximum number of dynamic clients that can be learned on given ports This value can be 0 1 2 and unlimited If the port mode is enabled and the value of max dynamic client is equal 0 it only allows the forwarding of IP packets that are matched in static entries on t...

Page 273: ... Source Guard table Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values Dynamic IP source guard table Entries in the Dynamic IP Source Guard Table are shown on this page The Dynamic IP Source Guard Table is sorted first by port then by VLAN ID then by IP address and then by IP mask Navigating the dynamic IP source guard table Each page sh...

Page 274: ...Object Description Port The port number for which the status applies Click the port number to see the status for this particular port VLAN ID The VLAN ID of the entry MAC Address The MAC address of the entry IP Address The IP address of the entry Buttons Click Auto refresh to refresh the page automatically Automatic refresh occurs every three seconds Click Refresh to refresh the displayed table st...

Page 275: ...ed under Check VLAN The default setting of Check VLAN is disabled When Check VLAN is set to Disabled the log type of ARP Inspection refers to the port setting When Check VLAN is set to Enabled the log type of ARP Inspection will refer to the VLAN setting Possible modes are Enabled Enable check VLAN operation Disabled Disable check VLAN operation When the Global Mode and Port Mode on a given port a...

Page 276: ... port for the settings VLAN ID The VLAN ID for the settings MAC Address Allowed Source MAC address in ARP request packets IP Address Allowed Source IP address in ARP request packets Buttons Click Add New Entry to add a new entry to the Static ARP inspection table Click Apply to apply changes Click Reset to undo any changes made locally and revert to previously saved values Dynamic ARP inspection t...

Page 277: ...r the next lookup When the end is reached the text no more entries is shown in the displayed table Use the I button to start over The page includes the following fields Object Description Port The port number for which the status applies Click the port number to see the status for this particular port VLAN ID The VLAN ID of the entry MAC Address The MAC address of the entry IP Address The IP addre...

Page 278: ... address of the equipment sending the frame The SMAC address is used by the switch to automatically update the MAC table with these dynamic MAC addresses Dynamic entries are removed from the MAC table if no frame with the corresponding SMAC address have been seen after a configurable age time MAC table configuration The MAC Address Table is configured on the MAC Address Table Configuration page Se...

Page 279: ... MAC entries are learned all other frames are dropped Note Make sure that the link used for managing the switch is added to the Static Mac Table before changing to secure learning mode otherwise the management link is lost and can only be restored by using another non secure port or by connecting to the switch via the serial interface Static MAC table configuration The static entries in the MAC ta...

Page 280: ... beginning of the MAC Table The first entry displayed will be the one with the lowest VLAN ID and the lowest MAC address found in the MAC Table The Start from MAC address and VLAN input fields allow the user to select the starting point in the MAC Table Clicking the Refresh button updates the displayed table starting from that or the closest next MAC Table match In addition the two input fields wi...

Page 281: ...iscover basic information about neighboring devices on the local broadcast domain LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device Advertised information is represented in Type Length Value TLV format according to the IEEE 802 1ab standard and can include details such as device identification capabilities and configuration settings LLDP als...

Page 282: ...Hold multiplied by Tx Interval seconds Valid values are restricted to 2 10 times TTL in seconds is based on the following rule Transmission Interval Holdtime Multiplier 65536 Therefore the default TTL is 4 30 120 seconds Tx Delay If some configuration is changed e g the IP address a new LLDP frame is transmitted but the time between the LLDP frames will always be at least the value of Tx Delay sec...

Page 283: ...Select LLDP mode Rx only The switch will not send out LLDP information but LLDP information from neighbor units is analyzed Tx only The switch will drop LLDP information received from neighbors and will send out LLDP information Disabled The switch will not send out LLDP information and will drop LLDP information received from neighbors Enabled The switch will send out LLDP information and will an...

Page 284: ...ll CDP frames are terminated by the switch Note When CDP awareness on a port is disabled the CDP information isn t removed immediately but gets removed when the hold time is exceeded Port Description Optional TLV When selected the port description is included in LLDP information transmitted System Name Optional TLV When selected the system name is included in LLDP information transmitted System De...

Page 285: ... the application layers on top of the protocol in order to achieve these related properties Initially a Network Connectivity Device will only transmit LLDP TLVs in an LLDPDU Only after an LLDP MED Endpoint Device is detected will an LLDP MED capable Network Connectivity Device start to advertise LLDP MED TLVs in outgoing LLDPDUs on the associated port The LLDP MED application will temporarily spee...

Page 286: ...presenting altitude in a form more relevant in buildings which have different floor to floor dimensions An altitude of 0 0 is meaningful even outside a building and represents ground level at the given latitude and longitude Inside a building 0 0 represents the floor level associated with ground level at the main entrance Map Datum The Map Datum used for the coordinates given in this option WGS84 ...

Page 287: ...ple Apt 42 Floor Floor Example 4 Room no Room number Example 450F Place type Place type Example Office Postal community name Postal community name Example Leonia P O Box Post office box P O BOX Example 12345 Additional code Additional code Example 1320300003 Emergency call service Emergency Call Service e g E911 and others such as defined by TIA or NENA Object Description Emergency Call Service Em...

Page 288: ...d user identity or port configuration It should be noted that LLDP MED is not intended to run on links other than between network connectivity devices and endpoints and therefore does not need to advertise the multitude of network policies that frequently run on an aggregated link interior to the LAN Object Description Delete Select this check box to delete the policy It will be deleted during the...

Page 289: ...ised in the video conferencing application policy Tag Tag indicates if the specified application type is using a tagged or an untagged VLAN Untagged indicates that the device is using an untagged frame format and as such does not include a tag header as defined by IEEE 802 1Q 2003 In this case both the VLAN ID and the Layer 2 priority fields are ignored and only the DSCP value has relevance Tagged...

Page 290: ...t Description Port The port on which the LLDP frame was received Device Type LLDP MED Devices are comprised of two primary Device Types Network Connectivity Devices and Endpoint Devices LLDP MED Network Connectivity Device Definition LLDP MED Network Connectivity Devices as defined in TIA 1057 provide access to the IEEE 802 based LAN infrastructure for LLDP MED Endpoint Devices An LLDP MED Network...

Page 291: ...for the previous Generic Endpoint Class Class I and are extended to include aspects related to media streaming Example product categories expected to adhere to this class include but are not limited to voice media gateways conference bridges media servers etc Discovery services defined in this class include media type specific network layer policy discovery LLDP MED Communication Endpoint Class II...

Page 292: ...edia Policy Policy indicates that an Endpoint Device wants to explicitly advertise that the policy is required by the device Can be either Defined or Unknown Unknown The network policy for the specified application type is currently unknown Defined The network policy is defined TAG TAG is indicating whether the specified application type is using a tagged or an untagged VLAN Can be Tagged or Untag...

Page 293: ...he port on which the LLDP frame was received Chassis ID The identification of the neighbor s LLDP frames Port ID The identification of the neighbor port Port Description The port description advertised by the neighbor unit System Name The name advertised by the neighbor unit System Capabilities System Capabilities describes the neighbor unit s capabilities The possible capabilities are 1 Other 2 R...

Page 294: ...ounters for the currently selected switch The page includes the following fields Global counters Object Description Neighbor entries were last changed Shows the time when the last entry was last deleted or added It also shows the time elapsed since the last change was detected Total Neighbors Entries Added Shows the number of new entries added since switch reboot Total Neighbors Entries Deleted Sh...

Page 295: ... information known as TLVs TLV is short for Type Length Value If a TLV is malformed it is counted and discarded TLVs Unrecognized The number of well formed TLVs but with an unknown type value Org Discarded The number of organizationally TLVs received Age Outs Each LLDP frame contains information about how long time the LLDP information is valid age out time If no new LLDP frame is received within ...

Page 296: ...ress The destination IP Address Ping Length The payload size of the ICMP packet Values range from 2 bytes to 1452 bytes Note Be sure the target IP address is within the same network subnet of the industrial managed switch otherwise the correct gateway IP address must be set up Buttons Click Start to transmit ICMP packets Click New Ping to re start diagnostics with ping IPv6 ping The ICMPv6 Ping pa...

Page 297: ...ons Click Start to transmit ICMP packets Click New Ping to re start diagnostics with ping Remote IP ping test This Remote ICMP Ping Test page allows you to issue ICMP PING packets to troubleshoot IP connectivity issues on a special port After clicking Test five ICMP packets are transmitted and the sequence number and roundtrip time are displayed upon reception of a reply The page refreshes automat...

Page 298: ...lt Display the ping result Buttons Click Ping to start the ping process Click Save to save changes Click Reset to undo any changes made locally and revert to previously saved values Click Clear to clear the IP address and the result of the ping value Cable diagnostics The VeriPHY Cable Diagnostics page is used for running cable diagnostics Click Start to run the diagnostics This will take approxim...

Page 299: ...cable diagnostic function If the link is established in 100BASE TX or 10BASE T the cable diagnostics cause the link to drop while the diagnostics are running This may require the following steps Select the Auto Refresh check box Click the Fresh button 45 seconds after the cable diagnostic function has started After the diagnostics are finished the link is re established and the following functions...

Page 300: ...on This section describes the enable loop protection function that provides loop protection to prevent broadcast loops in the industrial managed switch Loop protection configuration The Loop Protection Configuration page allows the user to inspect and change the current loop protection configurations ...

Page 301: ...re 0 to 604800 seconds seven days A value of zero keeps a port disabled until the next device restart Port configuration Object Description Port The switch port number Enable Controls loop protection enable disable on this switch port Action Configures the action performed when a loop is detected on a port Selections include Shutdown Port Shutdown Port and Log or Log Only Tx Mode Controls if the p...

Page 302: ...tions and interfaces enabling communication between SNMP management terminals and remote monitors RMON provides a highly efficient method to monitor actions inside the subnets The MID of RMON consists of 10 groups The switch supports the most frequently used groups Statistics Maintain basic usage and error statistics for each subnet monitored by the agent History Record periodical statistic sample...

Page 303: ...tPkts The number of broadcast and multicast packets delivered to a higher layer protocol InDiscards The number of inbound packets that are discarded when the packets are normal InErrors The number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol InUnknownProtos The number of inbound packets that were discarded because of an unknown or unsup...

Page 304: ...rm when the first value is larger than the rising threshold or less than the falling threshold default Rising Threshold Rising threshold value 2147483648 2147483647 Rising Index Rising event index 1 65535 Falling Threshold Falling threshold value 2147483648 2147483647 Falling Index Falling event index 1 65535 Buttons Click Add New Entry to add a new community entry Click Save to save changes Click...

Page 305: ...pling period Startup Alarm The alarm that may be sent when this entry is first set to valid Rising Threshold Rising threshold value Rising Index Rising event index Falling Threshold Falling threshold value Falling Index Falling event index Buttons Click Refresh to refresh the page immediately Click the Auto refresh check box to refresh the page automatically Automatic refresh occurs every three se...

Page 306: ... of inbound packets that are discarded when the packets are normal Community Specify the community when trap is sent The string length is from 0 to 127 default is public Event Last Time Indicates the value of sysUpTime at the time this event entry last generated an event Buttons Click Add New Entry to add a new community entry Click Save to save changes Click Reset to undo any changes made locally...

Page 307: ...e last entry currently displayed RMON history configuration Configure RMON History on the RMON History Configuration page The entry index key is ID The page includes the following fields Object Description Delete Select to delete the entry It will be deleted during the next save ID Indicates the index of the entry The range is from 1 to 65535 Data Source Indicates the port ID to be monitored If in...

Page 308: ...ces Octets The total number of octets of data including those in bad packets received on the network Pkts The total number of packets including bad packets broadcast packets and multicast packets received Broadcast The total number of good packets received that were directed to the broadcast address Multicast The total number of good packets received that were directed to a multicast address CRC E...

Page 309: ...g from the first entry in the alarm table i e the entry with the lowest ID Click to update the table starting with the entry after the last entry currently displayed RMON statistics configuration Configure the RMON Statistics table on the RMON Statistics Configuration page The entry index key is ID The page includes the following fields Object Description Delete Select to delete the entry It will ...

Page 310: ... in bad packets received on the network Pkts The total number of packets including bad packets broadcast packets and multicast packets received Broadcast The total number of good packets received that were directed to the broadcast address Multicast The total number of good packets received that were directed to a multicast address CRC Errors The total number of packets received that had a length ...

Page 311: ...ly displayed Ring ITU T G 8032 Ethernet Ring Protection Switching ERPS is a link layer protocol applied on Ethernet loop protection to provide sub 50 ms protection and recovery switching for Ethernet traffic in a ring topology ERPS provides a faster redundant recovery than Spanning Tree topology The action is similar to STP or RSTP but the algorithms between them are not the same In the ring topol...

Page 312: ...Chapter 4 Web configuration 308 NS3562 8P 2S V2 Industrial Managed Switch User Manual MEP configuration Maintenance entity point instances are configured in the Maintenance Entity Point page ...

Page 313: ...rection Ingress This is an ingress down MEP monitoring ingress traffic on the Residence Port Egress This is an egress up MEP monitoring egress traffic on the Residence Port Residence Port The port where MEP is monitoring See Direction Level The MEG level of this MEP Flow Instance The MEP is related to this flow See Domain Tagged VID Port MEP An outer C S tag depending on VLAN port type is added wi...

Page 314: ... Instance Click Help when on the MEP web page Tagged VID Click Help when on the MEP web page This MAC Click Help when on the MEP web page Instance configuration Object Description Level Click Help when on the MEP web page Format This is the configuration of the two possible Maintenance Association Identifier formats ITU ICC This is defined by ITU ICC can be a maximum of six characters MEG id can b...

Page 315: ...indicating that the server layer is indicating Signal Fail aBLK The consequent action of blocking service frames in this flow is active aTSF The consequent action of indicating Trail Signal Fail protection is active Delete Select this check box to mark a Peer MEP for deletion in the next save operation Peer MEP ID This value will become an expected MEP ID in a received CCM See cMEP Unicast Peer MA...

Page 316: ...mplemented on SW based CCM Frame Rate has to be the same APS protocol Object Description Enable Automatic Protection Switching protocol information transportation based on transmitting receiving R APS L APS PDU can be enabled disabled APS must be enabled to support ERPS ELPS implementing APS This is only valid with one peer MEP configured Priority The priority to be inserted as PCP bits in TAG if ...

Page 317: ...al Fail reporting MEP As only one SF MEP is associated with the interconnected sub ring without a virtual channel it is configured as 0 for such ring instances 0 in this field indicates that no Port 1 SF MEP is associated with this instance Port 0 APS MEP The Port 0 APS PDU handling MEP Port 1 APS MEP The Port 1 APS PDU handling MEP As only one APS MEP is associated with the interconnected sub rin...

Page 318: ...age includes the following fields Instance data Object Description ERPS ID The ID of the protection group Port 0 Click Help when on the ERPS web page Port 1 Click Help when on the ERPS web page Port 0 SF MEP Click Help when on the ERPS web page Port 1 SF MEP Click Help when on the ERPS web page Port 0 APS MEP Click Help when on the ERPS web page Port 1 APS MEP Click Help when on the ERPS web page ...

Page 319: ... 10 seconds in steps of 100 ms Version ERPS Protocol Version v1 or v2 Revertive In revertive mode after the conditions causing a protection switch has cleared the traffic channel is restored to the working transport entity i e blocked on the RPL In non revertive mode the traffic channel continues to use the RPL if it has not failed after a protection switch condition has cleared VLAN Config VLAN c...

Page 320: ...ning WTR timeout in milliseconds RPL Un blocked APS is received on the working flow No APS Received RAPS PDU is not received from the other end Port 0 Block Status Block status for Port 0 both traffic and R APS block status R APS channel is never blocked on sub rings without a virtual channel Port 1 Block Status Block status for Port 1 both traffic and R APS block status R APS channel is never blo...

Page 321: ...ng fields Instance data Object Description All Switch Numbers Set all the switch numbers for the ring group The default number is 3 and maximum number is 30 Number ID The switch where you are requesting ERPS Port Configures the port number for the MEP VLAN Set the ERPS VLAN Buttons Click Next to configure ERPS Click Set to save changes Click Save Topology to show the ring topology ...

Page 322: ...ype VLAN Group Switch 1 Port 1 1 None 3001 Port 2 2 Owner 3001 Switch 2 Port 1 4 None 3001 Port 2 3 Neighbor 3001 Switch 3 Port 1 6 None 3001 Port 2 5 None 3001 The scenario is described as follows 1 Disable the DHCP client and set a proper static IP for switch 1 2 and 3 In this example switch 1 is 192 168 0 101 switch 2 is 192 168 0 102 and switch 3 is 192 168 0 103 2 On switch 1 2 and 3 disable ...

Page 323: ...tch 2 1 Connect a PC directly to switch 2 Do not connect to port 1 or 2 2 Log in to switch 2 and select Ring Ring Wizard 3 Set All Switch Number 3 and Number ID 2 Click Next to set the ERPS configuration for switch 2 4 Set MEP3 Port 2 MEP4 Port 1 and VLAN ID 3001 Click Set to save the ERPS configuration for switch 2 Set ERPS configuration on switch 3 1 Connect a PC directly to switch 3 Do not conn...

Page 324: ...MEP2 MEP3 Switch 1 Port 2 Switch 2 Port 2 MEP4 MEP5 Switch 2 Port 1 Switch 3 Port 2 MEP1 MEP6 Switch 1 Port 1 Switch 3 Port 1 Power over Ethernet PoE Providing up to 8 16 PoE in line power interfaces the industrial managed switch can easily build a power central controlled IP phone system IP camera system and Access Point AP group for the enterprise For example 8 16 cameras APs can be installed fo...

Page 325: ...N Access Points Museums airports hotels campuses factories warehouses etc can install APs in any location 10 12 Watts IP Surveillance Enterprises museums campuses hospitals banks etc can install IP cameras regardless of installation location without the need to install AC sockets 3 12 Watts PoE Splitter PoE splitters split the PoE 52 VDC over the Ethernet cable into a 5 12 VDC power output It free...

Page 326: ...le power provided by the PSU The system may include a PSU capable of supplying less power than the total potential power consumption of all the PoE ports in the system To keep the majority of the ports active power management is implemented The PSU input power consumption is monitored by measuring voltage and current and is equal to the system s aggregated power consumption The power management co...

Page 327: ...ceeds the amount of power that the power supply can deliver Note In this mode the port power is not turned on if the PD requests more available power Consumption mode The ports are shut down in this mode when the actual power consumption for all ports exceeds the amount of power that the power supply can deliver or if the actual power consumption for a given port exceeds the reserved power for tha...

Page 328: ...PoE port provided power to the PDs For NS3562 8P 2S V2 the available max value is 240 depends on power input Temperature Threshold Sets the temperature protection threshold value If the system temperature is over this value then the system lowers the total PoE power budget automatically PoE Usage Threshold Sets the PoE power budget limitation Buttons Click Save to save changes Click Reset to undo ...

Page 329: ... Optional 12 95 to 25 50 W or to 30 8 W High power Port configuration Inspect and configure the current PoE port settings on the PoE Ethernet Configuration page The page includes the following fields Object Description PoE Mode There are three PoE modes Enable Enables the PoE function Disable Disables the PoE function Schedule Enables the PoE function in schedule mode Schedule Indicates the schedu...

Page 330: ...total power consumption is over the total power budget In this case the port with the lowest priority is turned off and power is provided to the port with higher priority Power Allocation Limits the port PoE supply Watts The per port maximum value must less than 30 8W and total port values must less than the power reservation value After a power overload has been detected the port automatically sh...

Page 331: ...ent Used mA Shows how much current the PD is currently using Priority Shows the port s priority configured by the user Port Status Shows the port s status AF AT Mode Displays per PoE ports operating in 802 3af or 802 3at mode Total Shows the total power and current usage of all PDs Buttons Select the Auto refresh check box to enable an automatic refresh of the page at regular intervals Click Refre...

Page 332: ...it will reduce the chance of powered device crash resulting from buffer overflow Power over Ethernet schedule configuration Define the PoE schedule and schedule power recycling on the PoE Schedule page Click the Add New Rule button to start setting the PoE schedule function Click Apply after creating a schedule for the selected profile Then go to the PoE Port Configuration page and select Schedule...

Page 333: ...t schedule to work at the same time use this function and do not use the Reboot Only function This function permits the administrator to reboot the PoE device at the indicated time as required Reboot Only Permits a reboot of the PoE function according to the PoE reboot schedule Note that if the administrator enables this function the PoE schedule will not set the time to a profile This function on...

Page 334: ...that supports the PoE LLDP function the PD s PoE information appears in the LLDP Neighbor PoE Information page PoE alive check configuration The industrial managed switch can be configured to monitor a connected PD s status in real time via ping action After the PD stops working and does not respond the industrial managed switch restarts PoE port power so that the PD is once again recognized and w...

Page 335: ... reset Action Set the action to be applied if the PD does not respond Action selections are as follows PD Reboot The system resets the PoE port that connected the PD Reboot Alarm The system resets the PoE port and issues an alarm message via syslog SMTP Alarm The system issues an alarm message via syslog SMTP Reboot Time 30 180s Set the PoE device rebooting time This is useful due to the different...

Page 336: ...ter 4 Web configuration 332 NS3562 8P 2S V2 Industrial Managed Switch User Manual Port identification Configure each port response time for TruVision Navigator in the port identification Configuration page ...

Page 337: ... it checks the destination address as well as the source address learning The industrial managed switch will look up the address table for the destination address If not found this packet will be forwarded to all the other ports except the port that this packet comes from These ports will transmit this packet to the network it is connected to If found and the destination address is located at a di...

Page 338: ...rning function of the industrial managed switch the source address and corresponding port number of each incoming and outgoing packet are stored in a routing table This information is subsequently used to filter packets whose destination address is on the same segment as the source address This confines network traffic to its respective domain and reduces the overall load on the network The indust...

Page 339: ...pates in the cable The updated IEEE 802 3at 2009 PoE standard also known as PoE or PoE plus provides up to 25 5 W of power The 2009 standard prohibits a powered device from using all four pairs for power The 802 3af 802 3at standards define two types of source equipment Mid Span A mid span device is placed between a legacy switch and the powered device PD Mid span taps the unused wire pairs 4 5 an...

Page 340: ...r can be supplied from the auxiliary port with the auxiliary port sometimes acting as backup power in case of PoE supplied power failure How power is transferred through the cable A standard CAT5 Ethernet cable has four twisted pairs but only two of these are used for 10BASE T and 100BASE TX The specification allows two options for using these cables for power The spare pairs are used The diagram ...

Page 341: ...poor Also check the in out rate of the port The managed switch doesn t connect to the network 1 Check the LNK ACT LED on the industrial managed switch 2 Try another port on the industrial managed switch 3 Make sure the cable is installed properly 4 Make sure the cable is the right type 5 Turn off the power After a while turn on power again The 1000BASE T port link LED illuminates but the traffic i...

Page 342: ...ed pair cable or at a wiring panel while not expressly forbidden is beyond the scope of this standard 10 100Mbps 10 100BASE TX When connecting the industrial managed switch to another Fast Ethernet switch a bridge or a hub a straight or crossover cable is necessary Each port of the industrial managed switch supports auto MDI Media Dependent Interface MDI X Media Dependent Interface Cross detection...

Page 343: ...sover cable connection Straight Cable SIDE 1 SIDE 2 SIDE 1 1 White Orange 2 Orange 3 White Green 4 Blue 5 White Blue 6 Green 7 White Brown 8 Brown 1 White Orange 2 Orange 3 White Green 4 Blue 5 White Blue 6 Green 7 White Brown 8 Brown SIDE 2 Crossover Cable SIDE 1 SIDE 2 SIDE 1 1 White Orange 2 Orange 3 White Green 4 Blue 5 White Blue 6 Green 7 White Brown 8 Brown 1 White Green 2 Green 3 White Ora...

Page 344: ...ble of ACEs containing access control entries that specify individual users or groups permitted or denied to specific traffic objects such as a process or a program Each accessible traffic object contains an identifier to its ACL The privileges determine if there are specific traffic object access rights In networking the ACL refers to a list of service ports or network services that are available...

Page 345: ...p text for each specific port property ACL Rate Limiters This page can be used to configure the rate limiters There can be 15 different rate limiters each ranging from 1 1024K packets per second The Ports and Access Control List web pages can be used to assign a Rate Limiter ID to the ACE s or ingress port s AES Advanced Encryption Standard The encryption key protocol is applied in 802 1i standard...

Page 346: ...ing and decrypting deciphering binary coded information Encrypting data converts it to an unintelligible form called cipher Decrypting cipher converts the data back to its original form called plaintext The algorithm described in this standard specifies both enciphering and deciphering operations which are based on a binary number called a key DHCP Dynamic Host Configuration Protocol It is a proto...

Page 347: ...The Remote ID is 6 bytes in length and the value is equal to the DHCP relay agent s MAC address DHCP Snooping DHCP snooping is used to block an intruder on the untrusted ports of the switch device when it tries to intervene by injecting a bogus DHCP reply packet into a legitimate conversation between the DHCP client and server DNS Domain Name System It stores and associates many types of informati...

Page 348: ...e multicast groups are in use simultaneously H HTTP Hypertext Transfer Protocol It is a protocol that used to transfer or convey information on the World Wide Web WWW HTTP defines how messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands For example entering a URL in a browser actually sends an HTTP command to the web server di...

Page 349: ...tion fails With 802 1X access to all switch ports can be centrally controlled from a server which means that authorized users can use the same credentials for authentication from any point within the network IGMP Internet Group Management Protocol It is a communications protocol used to manage the membership of Internet Protocol multicast groups IGMP is used by IP hosts and adjacent multicast rout...

Page 350: ...It helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host L LACP LACP is an IEEE 802 3ad standard protocol The Link Aggregation Control Protocol allows bundling several physical ports together to form a single logical port LLDP Link Layer Discovery Protocol is an IEEE 802 1ab standard protocol The LLDP specified in this standard allows stations attached...

Page 351: ...ally defined in RFC 1321 The MD5 Message Digest Algorithm Mirroring For debugging network problems or monitoring network traffic the switch system can be configured to mirror frames from multiple ports to a mirror port In this context mirroring a frame is the same as copying the frame Both incoming source and outgoing destination frames can be mirrored to the mirror port MLD Multicast Listener Dis...

Page 352: ... clocks of computer systems NTP uses UDP datagrams as the transport layer O OAM Operation Administration and Maintenance It is a protocol described in ITU T Y 1731 used to implement carrier Ethernet functionality MEP functionality like CC and RDI is based on this Optional TLVs A LLDP frame contains multiple TLVs For some TLVs it is configurable if the switch includes the TLV in the LLDP frame Thes...

Page 353: ...otocol is Internet Message Access Protocol IMAP IMAP provides the user with more capabilities for retaining email on the server and for organizing it in folders on the server IMAP can be thought of as a remote file server POP and IMAP deal with the receiving of email and are not to be confused with the Simple Mail Transfer Protocol SMTP You send email with SMTP and a mail handler receives it on th...

Page 354: ...ding queuing scheduling and congestion control guarantees to the frame according to what was configured for that specific QoS class There is a one to one mapping between QoS class queue and priority A QoS class of 0 zero has the lowest priority R RARP Reverse Address Resolution Protocol It is a protocol that is used to obtain an IP address for a given hardware address such as an Ethernet address R...

Page 355: ...ocol It is a text based protocol that uses the Transmission Control Protocol TCP and provides a mail service modeled on the FTP file transfer service SMTP transfers mail messages between systems and notifications regarding incoming mail SNAP SubNetwork Access Protocol SNAP It is a mechanism for multiplexing on networks using IEEE 802 2 LLC more protocols than can be distinguished by the 8 bit 802 ...

Page 356: ... time clock synchronized IEEE 1588 T TACACS Terminal Acess Controller Access Control System Plus It is a networking protocol that provides access control for routers network access servers and other networked computing devices via one or more centralized servers TACACS provides separate authentication authorization and accounting services Tag Priority Tag Priority is a 3 bit field storing the prio...

Page 357: ...tain multiple pieces of information Each of these pieces of information is known as a TLV TKIP Temporal Key Integrity Protocol It is used in WPA to replace WEP with a new encryption algorithm TKIP comprises the same encryption engine and RC4 algorithm defined for WEP The key used for encryption in TKIP is 128 bits and changes the key used for each packet U UDP User Datagram Protocol It is a commun...

Page 358: ...Q in Q switching Ports connected to subscribers are VLAN unaware members of one VLAN and set up with this unique Port VLAN ID Ports connected to the service provider are VLAN aware members of multiple VLANs and set up to tag all frames Untagged frames received on a subscriber port are forwarded to the provider port with a single VLAN tag Tagged frames received on a subscriber port are forwarded to...

Page 359: ... of WPA is based on a Draft 3 of the IEEE 802 11i standard WPA Radius Wi Fi Protected Access Radius 802 1X authentication server WPA was designed to enhance the security of wireless networks There are two flavors of WPA enterprise and personal Enterprise is meant for use with an IEEE 802 1X authentication server which distributes different keys to each user Personal WPA utilizes less scalable pre ...

Reviews:

No comments

Related manuals for NS3562-8P-2S-V2

Hama 11800 Operating Instruction preview
11800
Brand: Hama Pages: 5
3Com SuperStack 3 4900 Datasheet preview
SuperStack 3 4900
Brand: 3Com Pages: 2
Eaton TRIPP LITE Series Quick Start Manual preview
TRIPP LITE Series
Brand: Eaton Pages: 8
vantiva COM3000 Installation Manual preview
COM3000
Brand: vantiva Pages: 58
Control 4 C4-SW120277 Series Installation Manual preview
C4-SW120277 Series
Brand: Control 4 Pages: 4
IOGear MicroHub GUH274W3 (Portuguese) Manual Do Usuário preview
MicroHub GUH274W3
Brand: IOGear Pages: 1
Grizzly H8239 Instructions preview
H8239
Brand: Grizzly Pages: 2
Kramer XL 1204V2 Specifications preview
XL 1204V2
Brand: Kramer Pages: 2
Topex multiSwitch User Manual preview
multiSwitch
Brand: Topex Pages: 170
SUCO 0140 Series Operating Instructions preview
0140 Series
Brand: SUCO Pages: 2
Crestron CLW-SW1/4RF Operation Manual preview
CLW-SW1/4RF
Brand: Crestron Pages: 36
Grizzly G8988 Instructions preview
G8988
Brand: Grizzly Pages: 2
nedis VMAT3482AT Manual preview
VMAT3482AT
Brand: nedis Pages: 24
Lantech IPES-5208T-X Series User Manual preview
IPES-5208T-X Series
Brand: Lantech Pages: 39
Festo SMT-8-...-B Series Manual preview
SMT-8-...-B Series
Brand: Festo Pages: 2
ATEN VS-201 User Manual preview
VS-201
Brand: ATEN Pages: 9
Tvone 1T-MX-3344 Instruction Manual preview
1T-MX-3344
Brand: Tvone Pages: 11
Korenix JetNet 5428G-20SFP Series Quick Installation Manual preview
JetNet 5428G-20SFP Series
Brand: Korenix Pages: 2

Brands by name

Popular brands

Load more brands