LevelOne GEL-1061 User Manual Download Page 224 | Manualshive

Page: 224 / 500

background image

Chapter 12

| Security Measures

AAA (Authentication, Authorization and Accounting)

– 224 –

Note:

The priority of execution for the filtering commands is Port Security, Port

Authentication, Network Access, Web Authentication, Access Control Lists, IP
Source Guard, and then DHCP Snooping.

AAA (Authentication, Authorization and Accounting)

The authentication, authorization, and accounting (AAA) feature provides the main
framework for configuring access control on the switch. The three security
functions can be summarized as follows:

◆

Authentication — Identifies users that request access to the network.

◆

Authorization — Determines if users can access specific services.

◆

Accounting — Provides reports, auditing, and billing for services that users
have accessed on the network.

The AAA functions require the use of configured RADIUS or servers in the
network. The security servers can be defined as sequential groups that are applied
as a method for controlling user access to specified services. For example, when the
switch attempts to authenticate a user, a request is sent to the first server in the
defined group, if there is no response the second server will be tried, and so on. If at
any point a pass or fail is returned, the process stops.

The switch supports the following AAA features:

◆

Accounting for IEEE 802.1X authenticated users that access the network
through the switch.

◆

Accounting for users that access management interfaces on the switch through
the console and Telnet.

◆

Accounting for commands that users enter at specific CLI privilege levels.

◆

Authorization of users that access management interfaces on the switch
through the console and Telnet.

To configure AAA on the switch, you need to follow this general process:

1.

Configure RADIUS and server access parameters. See

Local/Remote Logon Authentication” on page 225

.

2.

Define RADIUS and server groups to support the accounting and
authorization of services.

«
...
222
223
224
225
226
...
»

Summary of Contents for GEL-1061

Page 1: ...t L2 Managed Gigabit Switch 2 x SFP GEP 1061 10 Port L2 Managed Gigabit PoE Switch 2 x SFP 802 3at PoE 125W GEL 2861 28 Port L2 Managed Gigabit Switch 4 x SFP User Manual V2 0 Digital Data Communicati...

Page 2: ...nd 2 Gigabit SFP Ports GEP 1061 10 Port L2 Managed Gigabit PoE Switch with 8 10 100 1000BASE T RJ 45 802 3 af at PoE Ports and 2 Gigabit SFP Ports PoE Power Budget 125 W GEL 2861 Managed Gigabit Switc...

Page 3: ...s key features It also describes the switch s web browser interface For information on the command line interface refer to the CLI Reference Guide The guide includes these sections Section I Getting S...

Page 4: ...r attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that c...

Page 5: ...otocol 34 System Defaults 35 Section II Web Configuration 39 2 Using the Web Interface 41 Connecting to the Web Interface 41 Navigating the Web Browser Interface 42 Dashboard 42 Home Page 44 Configura...

Page 6: ...ime 83 Configuring the Console Port 85 Configuring Telnet Settings 87 Displaying CPU Utilization 88 Configuring CPU Guard 89 Displaying Memory Utilization 90 Resetting the System 91 4 Interface Config...

Page 7: ...AN Groups 149 Mapping Protocol Groups to Interfaces 150 Configuring MAC based VLANs 152 6 Address Table Settings 155 Configuring MAC Address Learning 155 Setting Static Addresses 157 Changing the Agin...

Page 8: ...10 Attaching a Policy Map to a Port 214 11 VoIP Traffic Configuration 217 Overview 217 Configuring VoIP Traffic 218 Configuring Telephony OUI 219 Configuring VoIP Traffic Ports 220 12 Security Measure...

Page 9: ...ort to an Access Control List 277 Showing ACL Hardware Counters 278 ARP Inspection 279 Configuring Global Settings for ARP Inspection 280 Configuring VLAN Settings for ARP Inspection 282 Configuring I...

Page 10: ...P Interface Civic Address 327 Displaying LLDP Local Device Information 329 Displaying LLDP Remote Device Information 333 Displaying Device Statistics 341 Power over Ethernet 343 Setting the Switch s O...

Page 11: ...ast Data 410 Displaying Multicast Groups Discovered by IGMP Snooping 411 Displaying IGMP Snooping Statistics 412 Filtering and Throttling IGMP Groups 416 Enabling IGMP Filtering and Throttling 416 Con...

Page 12: ...the Switch s IP Address IP Version 4 451 Configuring the IPv4 Default Gateway 451 Configuring IPv4 Interface Settings 452 Setting the Switch s IP Address IP Version 6 455 Configuring the IPv6 Default...

Page 13: ...Contents 13 Using System Logs 480 C License Information 481 The GNU General Public License 481 Glossary 485 Index 493...

Page 14: ...Contents 14...

Page 15: ...ing the System Clock 76 Figure 14 Setting the Polling Interval for SNTP 77 Figure 15 Configuring NTP 78 Figure 16 Specifying SNTP Time Servers 79 Figure 17 Adding an NTP Time Server 80 Figure 18 Showi...

Page 16: ...unks 114 Figure 46 Adding Static Trunks Members 114 Figure 47 Configuring Connection Parameters for a Static Trunk 115 Figure 48 Showing Information for Static Trunks 115 Figure 49 Configuring Dynamic...

Page 17: ...VLANs 152 Figure 81 Showing the Interface to Protocol Group Mapping 152 Figure 82 Configuring MAC Based VLANs 154 Figure 83 Showing MAC Based VLANs 154 Figure 84 Configuring MAC Address Learning 156 F...

Page 18: ...194 Figure 115 Setting the Queue Mode Strict 196 Figure 116 Setting the Queue Mode WRR 196 Figure 117 Setting the Queue Mode Strict and WRR 197 Figure 118 Setting the Trust Mode 199 Figure 119 Configu...

Page 19: ...ccounting Sessions 237 Figure 150 Configuring AAA Authorization Methods 239 Figure 151 Showing AAA Authorization Methods 239 Figure 152 Configuring AAA Authorization Methods for Exec Service 240 Figur...

Page 20: ...Configuring Port Authentication 292 Figure 188 Configuring Global Settings for 802 1X Port Authentication 293 Figure 189 Configuring Interface Settings for 802 1X Port Authenticator 297 Figure 190 Sh...

Page 21: ...18 Configuring Global Settings for SNMP 350 Figure 219 Configuring the Local Engine ID for SNMP 351 Figure 220 Configuring a Remote Engine ID for SNMP 352 Figure 221 Showing Remote Engine IDs for SNMP...

Page 22: ...Configuring Interface Settings for LBD 392 Figure 258 Multicast Filtering Concept 393 Figure 259 Configuring General Settings for IGMP Snooping 399 Figure 260 Configuring a Static Interface for a Mult...

Page 23: ...e Route to a Network Device 434 Figure 289 Displaying ARP Entries 435 Figure 290 Configuring General Settings for DNS 438 Figure 291 Configuring a List of Domain Names for DNS 439 Figure 292 Showing t...

Page 24: ...igure 310 Showing IPv6 Neighbors 466 Figure 311 Showing IPv6 Statistics IPv6 470 Figure 312 Showing IPv6 Statistics ICMPv6 471 Figure 313 Showing IPv6 Statistics UDP 471 Figure 314 Showing Reported MT...

Page 25: ...alues to Internal PHB Drop Values 200 Table 14 Default Mapping of CoS CFI to Internal PHB Drop Precedence 202 Table 15 Dynamic QoS Profiles 244 Table 16 HTTPS System Support 251 Table 17 ARP Inspectio...

Page 26: ...tatements 444 Table 31 Options 55 and 124 Statements 444 Table 32 Show IPv6 Neighbors display description 465 Table 33 Show IPv6 Statistics display description 467 Table 34 Show MTU display descriptio...

Page 27: ...ion provides an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes...

Page 28: ...Section I Getting Started 28...

Page 29: ...A password Telnet SSH Web HTTPS General Security Measures AAA ARP Inspection DHCP Snooping with Option 82 relay information DoS Protection IP Source Guard Port Authentication IEEE 802 1X Port Security...

Page 30: ...e port Telnet or a web browser User names and passwords can be configured locally or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported...

Page 31: ...ngestion and prevent the loss of packets when port buffer thresholds are exceeded The switch supports flow control based on the IEEE 802 3x standard now incorporated in IEEE 802 3 2002 Rate Limiting T...

Page 32: ...ancy check CRC This prevents bad frames from entering the network and wasting bandwidth To avoid dropping frames on congested ports the switch provides 12 Mbits for frame buffering This buffer can que...

Page 33: ...adjacent ports within the same VLAN and allowing you to limit the total number of VLANs that need to be configured Use protocol VLANs to restrict traffic to specified interfaces based on protocol type...

Page 34: ...nated VLAN The switch uses IGMP Snooping and Query for IPv4 and MLD Snooping and Query for IPv6 to manage multicast group registration Link Layer Discovery Protocol LLDP is used to discover basic info...

Page 35: ...ts 1 Parity none Local Console Timeout 600 seconds Authentication and Security Measures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privi...

Page 36: ...l Broadcast Enabled 64 kbits sec Multicast Disabled Unknown Unicast Disabled Address Table Aging Time 300 seconds Spanning Tree Algorithm Status Enabled RSTP Defaults RSTP standard Edge Ports Auto LLD...

Page 37: ...s Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled MLD Snooping Layer 2 IPv6 Snooping Enabled Querier Disabled IGMP Proxy Reporting Disabled System Log Status Enabled Messag...

Page 38: ...Chapter 1 Introduction System Defaults 38...

Page 39: ...ks on page 61 Interface Configuration on page 95 VLAN Configuration on page 139 Address Table Settings on page 155 Spanning Tree Algorithm on page 165 Congestion Control on page 189 Class of Service o...

Page 40: ...Section II Web Configuration 40...

Page 41: ...nitial Switch Configuration in the CLI Reference Guide 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords...

Page 42: ...d for the administrator is admin The administrator has full access privileges to configure any parameters in the web interface The default user name and password for guest access is guest The guest on...

Page 43: ...Chapter 2 Using the Web Interface Navigating the Web Browser Interface 43 Note You can open a connection to the vendor s web site by clicking on the Level 1 logo...

Page 44: ...L 2861 Gigabit Ethernet switch Other than the difference in port count and support for PoE there are no significant differences Therefore most of the screen display examples are based on the GEP 1061...

Page 45: ...up or down Duplex i e half or full duplex or Flow Control i e with or without flow control Figure 3 Front Panel Indicators Saves current configuration settings Displays help for the selected page Ref...

Page 46: ...ss Sets the IPv4 address for management access 452 Show Address Shows the IPv4 address for management access 452 IPv6 Configuration 455 Configure Global Sets an IPv6 default gateway for traffic with n...

Page 47: ...nnection parameters 87 CPU Utilization Displays information on CPU utilization 88 CPU Guard Sets the CPU utilization watermark and threshold 89 Memory Status Shows memory utilization parameters 90 Res...

Page 48: ...arameters for link aggregation group members on the remote side 115 Show Information 121 Counters Displays statistics for LACP protocol messages 121 Internal Displays configuration settings and operat...

Page 49: ...er interface 144 Edit Member by Interface Range Specifies VLAN attributes per interface range 144 Protocol 148 Configure Protocol 149 Add Creates a protocol group specifying supported protocols 149 Sh...

Page 50: ...gorithm 183 Configure Global 183 Add Configures initial VLAN and priority for an MST instance 183 Modify Configures the priority or an MST instance 183 Show Configures global settings for an MST insta...

Page 51: ...0 Modify Modifies the name of a policy map 210 Add Rule Sets the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic 210 Show Rule...

Page 52: ...ethods applied to specific interfaces 231 Statistics Shows basic accounting information recorded for user sessions 231 Authorization Enables authorization of requested services 237 Configure Method 23...

Page 53: ...TCAM Shows utilization parameters for TCAM 262 Add Adds an ACL based on IP or MAC address filtering 264 Show Shows the name and type of configured ACLs 264 Add Rule Configures packet filtering based...

Page 54: ...ts the trust mode for an interface 304 Show Information Displays the DHCP Snooping binding information 306 IP Source Guard Filters IP traffic based on static entries in the IP Source Guard table or dy...

Page 55: ...isplays statistics for remote devices on a selected port or trunk 341 PoE Power over Ethernet 343 PSE Power sourcing equipment 343 Configure Global Set the maximum PoE power budget for the switch powe...

Page 56: ...gure Notify Filter Add Creates an SNMP notification log 372 Show Shows the configured notification logs 372 Show Statistics Shows the status of SNMP communications 374 RMON Remote Monitoring 376 Confi...

Page 57: ...s Resolution Protocol cache 434 Show Information Shows entries in the Address Resolution Protocol ARP cache 435 IP Service 437 DNS Domain Name Service 437 General 437 Configure Global Enables DNS look...

Page 58: ...terface 404 Configure Port Configures the interface to drop IGMP query packets or all multicast data packets 410 Configure Trunk Configures the interface to drop IGMP query packets or all multicast da...

Page 59: ...424 Show Current Multicast Router Displays ports attached to a neighboring multicast router either through static or dynamic configuration 424 MLD Member 426 Add Static Member Statically assigns multi...

Page 60: ...Chapter 2 Using the Web Interface Navigating the Web Browser Interface 60...

Page 61: ...erating software or configuration files and set the system start up files Setting the System Clock Sets the current time manually or through specified NTP or SNTP servers Configuring the Console Port...

Page 62: ...of device type System Object ID MIB II object ID for switch s network management subsystem System Up Time Length of time the management agent has been up System Name Name assigned to the switch system...

Page 63: ...ion Serial Number The serial number of the switch Number of Ports Number of built in ports Hardware Version Hardware version of the main board Main Power Status Displays the status of the internal pow...

Page 64: ...r trunks Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Usage Guidel...

Page 65: ...icast Filtering Services This switch does not support the filtering of individual multicast addresses based on GMRP GARP Multicast Registration Protocol Traffic Classes This switch provides mapping of...

Page 66: ...egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 139 Max Supported VLAN Numbers The maximum number of VLANs supported on this switch Max Supported VLAN ID The max...

Page 67: ...for a user name and password configured on the remote server Note that Anonymous is set as the default user name The reset command will not be accepted during copy operations to flash memory Parameter...

Page 68: ...cfg can be copied to a file server or management station but cannot be used as the destination file name on the switch Web Interface To copy firmware files 1 Click System then File 2 Select Copy from...

Page 69: ...rameters are displayed Copy Type The copy operation includes this option Running Config Copies the current configuration settings to a local file on the switch Destination File Name Copy to the curren...

Page 70: ...e System File Set Start Up page to specify the firmware or configuration file to use for system initialization Web Interface To set a file to use for system initialization 1 Click System then File 2 S...

Page 71: ...to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server After the file is transferred from the server and successfully writ...

Page 72: ...e file is stored as LEVEL 1 xx61 bix or even LeveL 1 xx61 bix on a case sensitive server then the switch requesting gel 1061 series bix will not be upgraded because the server does not recognize the r...

Page 73: ...pgrade file can be found Nested directory structures are accepted The directory name must be separated from the host and in nested directory structures from the parent directory with a prepended forwa...

Page 74: ...directory relative to the TFTP root The following examples demonstrate the URL syntax for an FTP server at IP address 192 168 0 1 with various user name password and file location options presented f...

Page 75: ...tarted Flash programming completed The switch will now restart Setting the System Clock Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a t...

Page 76: ...switch Hours Sets the hour Range 0 23 Minutes Sets the minute value Range 0 59 Seconds Sets the second value Range 0 59 Month Sets the month Range 1 12 Day Sets the day of the month Range 1 31 Year Se...

Page 77: ...b Interface To set the polling interval for SNTP 1 Click System then Time 2 Select Configure General from the Step list 3 Select SNTP from the Maintain Type list 4 Modify the polling interval if requi...

Page 78: ...ts for a time update from NTP servers Fixed 1024 seconds Web Interface To set the clock maintenance type to NTP 1 Click System then Time 2 Select Configure General from the Step list 3 Select NTP from...

Page 79: ...Specifying SNTP Time Servers Specifying NTP Time Servers Use the System Time Configure Time Server Add NTP Server page to add the IP address for up to 50 NTP time servers Parameters The following par...

Page 80: ...ange 1 65535 Web Interface To add an NTP time server to the server list 1 Click System then Time 2 Select Configure Time Server from the Step list 3 Select Add NTP Server from the Action list 4 Enter...

Page 81: ...ys can be configured on the switch Range 1 65535 Key Context An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces NTP authentication key...

Page 82: ...Parameters The following parameters are displayed Predefined Configuration A drop down box provides access to the 80 predefined time zone configurations Each choice indicates it s offset from UTC and...

Page 83: ...ers are displayed in the web interface General Configuration Summer Time in Effect Shows if the system time has been adjusted Status Shows if summer time is set to take effect during the specified per...

Page 84: ...e To specify a time corresponding to your local time when summer time is in effect you must indicate the number of minutes your summer time zone deviates from your regular time zone Offset Summer time...

Page 85: ...timeout interval the connection is terminated for the session Range 10 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input i...

Page 86: ...e connected to the serial port Range 9600 19200 38400 57600 or 115200 baud Default 115200 baud Note The password for the console connection can only be configured through the CLI see the password comm...

Page 87: ...in Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 10 3...

Page 88: ...required 3 Click Apply Figure 24 Telnet Connection Settings Displaying CPU Utilization Use the System CPU Utilization page to display information on CPU utilization Parameters The following parameter...

Page 89: ...already in the buffer until usage time falls below the low watermark Range 40 100 Default 90 Low Watermark If packet flow has been stopped after exceeding the high watermark normal flow will be restor...

Page 90: ...the minimum threshold before the alarm is terminated and then exceed the maximum threshold again before another alarm is triggered Current Threshold Shows the configured threshold in packets per seco...

Page 91: ...red in non volatile memory See Saving the Running Configuration to a Local File on page 69 Parameters The following parameters are displayed System Reload Information Reload Settings Displays informat...

Page 92: ...Range 01 31 MM The month at which to reload Range 01 12 YYYY The year at which to reload Range 1970 2037 HH The hour at which to reload Range 00 23 MM The minute at which to reload Range 00 59 Regular...

Page 93: ...Chapter 3 Basic Management Tasks Resetting the System 93 5 When prompted confirm that you want reset the switch Figure 28 Restarting the Switch Immediately Figure 29 Restarting the Switch In...

Page 94: ...Chapter 3 Basic Management Tasks Resetting the System 94 Figure 30 Restarting the Switch At Figure 31 Restarting the Switch Regularly...

Page 95: ...ters for optical transceivers which support DDM Configuring Transceiver Thresholds Configures thresholds for alarm and warning messages for optical transceivers which support DDM Trunk Configuration C...

Page 96: ...ard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed whe...

Page 97: ...n and IEEE 802 3 2005 formally IEEE 802 3x for full duplex operation Default Autonegotiation enabled Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX ZX SFP...

Page 98: ...rtise or manually fix the speed duplex mode and flow control Parameters Except for the trap command refer to Configuring by Port List on page 96 for more information on command usage and a description...

Page 99: ...rface label Admin Shows if the port is enabled or disabled Oper Status Indicates if the link is Up or Down Shutdown Reason Shows the reason this interface has been shut down if applicable Some of the...

Page 100: ...d to identify potential problems with the switch such as a faulty port or unusually heavy loading RMON statistics provide access to a broad range of statistics including a total count of different fra...

Page 101: ...of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Transmitted Broadcast Packets The total number of packets that higher level...

Page 102: ...t utilization Received Packets The total number of packets bad broadcast and multicast received Broadcast Packets The total number of good packets received that were directed to the broadcast address...

Page 103: ...atistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down l...

Page 104: ...Trunk History page to display statistical history for the specified interfaces Command Usage For a description of the statistics displayed on these pages see Showing Port or Trunk Statistics on page 1...

Page 105: ...take Show Details Mode Status Shows the sample parameters Current Entry Shows current statistics for the specified port and named sample Input Previous Entries Shows statistical history for ingress tr...

Page 106: ...how from the Action menu 3 Select an interface from the Port or Trunk list Figure 38 Showing Entries for History Sampling To show the configured parameters for a sampling entry 1 Click Interface Port...

Page 107: ...rent interval of a sample entry 1 Click Interface Port Statistics or Interface Trunk Statistics 2 Select Show Details from the Action menu 3 Select Current Entry from the options for Mode 4 Select an...

Page 108: ...ying Transceiver Data Use the Interface Port Transceiver page to display identifying information and operational for optical transceivers which support Digital Diagnostic Monitoring DDM Parameters The...

Page 109: ...ta Configuring Transceiver Thresholds Use the Interface Port Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitorin...

Page 110: ...ning message when the high threshold is crossed Low Warning Sends a warning message when the low threshold is crossed Low Alarm Sends an alarm message when the low threshold is crossed The configurabl...

Page 111: ...al transceivers 1 Click Interface Port Transceiver 2 Select a port from the scroll down list 3 Set the switch to send a trap based on default or manual settings 4 Set alarm and warning thresholds if m...

Page 112: ...ther ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on t...

Page 113: ...twork be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Parameters...

Page 114: ...4 Select a trunk identifier 5 Set the unit and port for an additional trunk member 6 Click Apply Figure 46 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click I...

Page 115: ...r Static Trunks Configuring a Dynamic Trunk Use the Interface Trunk Dynamic pages to set the administrative key for an aggregation group enable LACP on a port configure protocol parameters for local a...

Page 116: ...i e it has a null value of 0 the operational value of this key is set to the same value as the port admin key used by the interfaces that joined the group see the show lacp internal command in the CL...

Page 117: ...n group LAG membership and to identify this device to other switches during LAG negotiations System MAC Address The device MAC address assigned to each trunk Configure Aggregation Port General Port Po...

Page 118: ...with the maximum number of allowed port members and LACP is subsequently enabled on another port using a higher priority than an existing member the newly configured port will replace an existing port...

Page 119: ...Configure from the Action list 4 Click General 5 Enable LACP on the required ports 6 Click Apply Figure 51 Enabling LACP on a Port To configure LACP parameters for group members 1 Click Interface Tru...

Page 120: ...p list 3 Select Show Member from the Action list 4 Select a Trunk Figure 53 Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2...

Page 121: ...yed Table 7 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Ma...

Page 122: ...on Port Show Information Internal page to display the configuration settings and operational state for the local side of a link aggregation Parameters These parameters are displayed Table 8 LACP Inter...

Page 123: ...of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be dis...

Page 124: ...ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port nu...

Page 125: ...Trunk Load Balance page to set the load distribution method used among ports in aggregated links Command Usage This command applies to all static and dynamic trunks on the switch To ensure that the s...

Page 126: ...switch trunk links where traffic through the switch is received from and destined for many different hosts Source IP Address All traffic with the same source IP address is output on the same link in a...

Page 127: ...er keeping the MAC interface powered up even if no link connection exists When using power savings mode the switch checks for energy on the circuit to determine if there is a link partner If none is d...

Page 128: ...60 meters Parameters These parameters are displayed Port Power saving mode only applies to the Gigabit Ethernet ports using copper media Range 1 8 24 Power Saving Status Adjusts the power provided to...

Page 129: ...ation port on this switch remote port mirroring as described in Configuring Remote Port Mirroring on page 130 Monitor port speed should match or exceed source port speed otherwise traffic may be dropp...

Page 130: ...Use the Interface RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch This feature also called Remote Switched Port Analyzer RSPAN carries traffic...

Page 131: ...port1 Then specify the source port s and the traffic type to monitor Rx Tx or Both 3 Set up all intermediate switches on the RSPAN configuration page entering the mirror session the switch s role Inte...

Page 132: ...ng will still not be re started on the RSPAN uplink ports IEEE 802 1X RSPAN and 802 1X are mutually exclusive functions When 802 1X is enabled globally RSPAN uplink ports cannot be configured even tho...

Page 133: ...of the RSPAN VLAN Ports cannot be manually assigned to an RSPAN VLAN through the VLAN Static page Nor can GVRP dynamically add port members to an RSPAN VLAN Also note that the VLAN Static Show page w...

Page 134: ...e Configuration Configuring Remote Port Mirroring 134 Figure 65 Configuring Remote Port Mirroring Source Figure 66 Configuring Remote Port Mirroring Intermediate Figure 67 Configuring Remote Port Mirr...

Page 135: ...link ports used by other clients allowing different clients to share access to their uplink ports where security is less likely to be compromised Enabling Traffic Segmentation Use the Interface Traffi...

Page 136: ...anning tree protocol A port cannot be configured in both an uplink and downlink list A port can only be assigned to one traffic segmentation session A downlink port can only communicate with an uplink...

Page 137: ...the direction to uplink or downlink Default Uplink Interface Displays a list of ports or trunks Port Port Identifier Range 1 10 28 Trunk Trunk Identifier Range 1 8 Web Interface To configure the memb...

Page 138: ...c Segmentation 138 To show the members of the traffic segmentation group 1 Click Interface Traffic Segmentation 2 Select Configure Session from the Step list 3 Select Show from the Action list Figure...

Page 139: ...An IEEE 802 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allo...

Page 140: ...ffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other VLAN aware network devices along the path t...

Page 141: ...y isolate user groups or subnets However you should use IEEE 802 3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration Forwarding Tagged Untagged Frames If you want to create...

Page 142: ...nables or disables the specified VLAN Remote VLAN Reserves this VLAN for RSPAN see Configuring Remote Port Mirroring on page 130 Modify VLAN ID ID of configured VLAN 1 4094 VLAN Name Name of the VLAN...

Page 143: ...ngs for VLAN groups 1 Click VLAN Static 2 Select Modify from the Action list 3 Select the identifier of a configured VLAN 4 Modify the VLAN name or operational status as required 5 Enable the L3 Inter...

Page 144: ...are connected to 802 1Q VLAN compliant devices or untagged they are not connected to any VLAN aware devices Or configure a port as forbidden to prevent the switch from automatically adding it to a VL...

Page 145: ...Ns for which it is not a member these frames will be flooded to all other ports except for those VLANs explicitly forbidden on this port If ingress filtering is enabled and a port receives frames tagg...

Page 146: ...unk Range Displays a list of ports Range 1 8 Note The PVID acceptable frame type and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Me...

Page 147: ...LAN Members by Interface To configure static members by interface range 1 Click VLAN Static 2 Select Edit Member by Interface Range from the Action list 3 Set the Interface type to display as Port or...

Page 148: ...ired protocol When a frame is received at a port its VLAN membership can then be determined based on the protocol type being used by the inbound packets Command Usage To configure protocol based VLANs...

Page 149: ...affic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet traffic must not be mapped to another VLA...

Page 150: ...roup to a VLAN for each interface that will participate in the group Command Usage When creating a protocol based VLAN only assign interfaces using this configuration screen If you assign interfaces u...

Page 151: ...p ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Priority The priority assigned to untagged ingre...

Page 152: ...Mapping Configuring MAC based VLANs Use the VLAN MAC Based page to configure VLAN based on MAC addresses The MAC based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC...

Page 153: ...i e it cannot be 101 or 001 A mask for the MAC address 00 50 6e 00 5f b1 translated into binary MAC 00000000 01010000 01101110 00000000 01011111 10110001 could be 11111111 11xxxxxx xxxxxxxx xxxxxxxx x...

Page 154: ...nfiguration Configuring MAC based VLANs 154 Figure 82 Configuring MAC Based VLANs To show the MAC addresses mapped to a VLAN 1 Click VLAN MAC Based 2 Select Show from the Action list Figure 83 Showing...

Page 155: ...ap when a dynamic MAC address is added or removed Configuring MAC Address Learning Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface Command Usage When...

Page 156: ...ty Status see Configuring Port Security on page 289 is enabled on the same interface Parameters These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1...

Page 157: ...not be written to the address table Static addresses will not be removed from the address table when a given interface link is down A static address cannot be learned on another port until the address...

Page 158: ...m the Action list 3 Specify the VLAN the port or trunk to which the address will be assigned the MAC address and the time to retain this entry 4 Click Apply Figure 85 Configuring Static MAC Addresses...

Page 159: ...eb Interface To set the aging time for entries in the dynamic address table 1 Click MAC Address Dynamic 2 Select Configure Aging from the Action list 3 Modify the aging status if required 4 Specify a...

Page 160: ...terface Indicates a port or trunk Type Shows that the entries in this table are learned Values Learned or Security the last of which indicates Port Security Life Time Shows the time to retain the spec...

Page 161: ...ries for a specific MAC address all the entries in a VLAN or all the entries associated with a port or trunk Web Interface To clear the entries in the dynamic address table 1 Click MAC Address Dynamic...

Page 162: ...es the interval between issuing two consecutive traps Range 1 3600 seconds Default 1 second Configure Interface Port Port Identifier Range 1 10 28 MAC Notification Trap Enables MAC authentication trap...

Page 163: ...o enable MAC address traps at the interface level 1 Click MAC Address MAC Notification 2 Select Configure Interface from the Step list 3 Enable MAC notification traps for the required ports 4 Click Ap...

Page 164: ...Chapter 6 Address Table Settings Issuing MAC Address Traps 164...

Page 165: ...etwork and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Protocol IEEE...

Page 166: ...ed when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to...

Page 167: ...TI tree to maintain connectivity among each of the VLANs MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree CST Configuring Loo...

Page 168: ...nually released from discard mode This is only available if the interface is configured for manual release mode Action Sets the response for loopback detection to shut down the interface Default Shutd...

Page 169: ...VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol3 RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting...

Page 170: ...back detection is disabled Spanning Tree Type Specifies the type of spanning tree used on this switch STP Spanning Tree Protocol IEEE 802 1D i e when this option is selected the switch will use RSTP s...

Page 171: ...ned to each interface Long Specifies 32 bit based values that range from 1 200 000 000 This is the default Short Specifies 16 bit based values that range from 1 65535 Transmission Limit The maximum tr...

Page 172: ...omatic detection of point to point link types both of which allow a port to directly transition to the forwarding state Configuration Settings for MSTP Max Instance Numbers The maximum number of MSTP...

Page 173: ...Modify any of the required attributes Note that the parameters displayed for the spanning tree types STP RSTP MSTP varies as described in the preceding section 5 Click Apply Figure 96 Configuring Glo...

Page 174: ...tems Bridge ID A unique identifier for this bridge consisting of the bridge priority the MST Instance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the...

Page 175: ...rmation from the Action list Figure 99 Displaying Global Settings for STA Configuring Interface Settings for STA Use the Spanning Tree STA Configure Interface Configure page to configure RSTP and MSTP...

Page 176: ...assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin Path Cost This parameter is used by the STA to determine the best pa...

Page 177: ...ed Then even if the path cost of i2 on SW3 is configured changed to 0 these ports will still have the same root path cost and it will be impossible for i2 to become the root port just by changing its...

Page 178: ...rcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Auto Enabled Manually configures a port as an Edge Po...

Page 179: ...e specified interval Range 30 86400 seconds Default Disabled BPDU Guard Auto Recovery Interval The time to wait before re enabling an interface Range 30 86400 seconds Default 300 seconds BPDU Filter B...

Page 180: ...port STA Status Displays current state of this port within the Spanning Tree Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuratio...

Page 181: ...status of the LAN segment attached to this interface This parameter is determined by manual configuration or by auto detection as described for Admin Link Type in STA Port Configuration on page 175 Op...

Page 182: ...port number in that order and as applicable to the role under question Web Interface To display interface settings for STA 1 Click Spanning Tree STA 2 Select Configure Interface from the Step list 3 S...

Page 183: ...MSTI Region page 169 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions...

Page 184: ...the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP Configure Global Add Member page If the priority is not specified the default value...

Page 185: ...e priority for an MSTP Instance 5 Click Apply Figure 106 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the St...

Page 186: ...ect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 10...

Page 187: ...same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree...

Page 188: ...face from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 110 Configuring MSTP Interface Settings To display MSTP paramet...

Page 189: ...ived or transmitted on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network Packets that exceed the acceptable amount of traffic...

Page 190: ...erly configured If there is too much traffic on your network performance can be severely degraded or everything can come to complete halt You can protect your network from traffic storms by setting a...

Page 191: ...control for broadcast traffic Status Enables or disables storm control Default Disabled Rate Threshold level in packets per second Range 500 262142 pps Default 500 pps Resolution Indicates the resolut...

Page 192: ...Chapter 8 Congestion Control Storm Control 192...

Page 193: ...s This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags to queues Setting the Default...

Page 194: ...tting the Default Port Priority Selecting the Queue Mode Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to service the queues ba...

Page 195: ...ed queue mode applies to all interfaces Parameters These parameters are displayed Queue Mode Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queue...

Page 196: ...eighted queue mode is selected the queue weight can be modified if required 4 If the queue mode that uses a combination of strict and weighted queueing is selected the queues which are serviced first...

Page 197: ...es are enabled the priorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be contained i...

Page 198: ...ority processing if the packet is tagged For an untagged packet the default port priority see page 193 is used for priority processing If the QoS mapping mode is set to CoS and the ingress packet type...

Page 199: ...different kinds of forwarding Command Usage Enter per hop behavior and drop precedence for any of the DSCP values 0 63 This map is only used when the priority mapping mode is set to DSCP see page 198...

Page 200: ...p10 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2 0 2 1 2 0 2 3 2 2 0 2 1 2 0 2 3 3 0 3 1 3 0 3 3 3 0 3 1 3 3 0 3 3 4 0 4 1 4 0 4 3 4 0 4 1 4 0 4 3 4 5 0 5...

Page 201: ...le 14 on page 202 Enter up to eight CoS CFI paired values per hop behavior and drop precedence If a packet arrives with a 802 1Q header but it is not an IP packet then the CoS CFI to PHB Drop Preceden...

Page 202: ...dence used in controlling traffic congestion Range 0 Green 3 Yellow 1 Red Web Interface To map CoS CFI values to internal PHB drop precedence 1 Click Traffic Priority CoS to DSCP 2 Select Configure fr...

Page 203: ...f Service Layer 3 4 Priority Settings 203 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list Figure 122 Showing CoS to DSCP...

Page 204: ...Chapter 9 Class of Service Layer 3 4 Priority Settings 204...

Page 205: ...ies different kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to pa...

Page 206: ...configured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to a...

Page 207: ...ntrol list Any type of ACL can be specified including standard or extended IPv4 IPv6 ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSCP A DSCP v...

Page 208: ...Showing Class Maps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Spe...

Page 209: ...a Class Map 209 Figure 125 Adding Rules to a Class Map To show the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Show Rule from the Action list Fi...

Page 210: ...ucket is by specified by the committed rate option Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698 The behavior of the meter is specified in terms of its mode a...

Page 211: ...ering functions Set CoS Configures the service provided to ingress traffic by setting an internal CoS value for a matching packet as specified in rule settings for a class map Range 0 7 See Table 14 D...

Page 212: ...nfigure Policy from the Step list 3 Select Add from the Action list 4 Enter a policy name 5 Enter a description 6 Click Apply Figure 127 Configuring a Policy Map To show the configured policy maps 1 C...

Page 213: ...list 3 Select Add Rule from the Action list 4 Select the name of a policy map 5 Click on the Action field and set the CoS or per hop behavior for matching packets to specify the quality of service to...

Page 214: ...rface page to bind a policy map to a port Command Usage First define a class map define a policy map and then bind the service policy to the required interface Parameters These parameters are displaye...

Page 215: ...Chapter 10 Quality of Service Attaching a Policy Map to a Port 215 5 Click Apply Figure 131 Attaching a Policy Map to a Port...

Page 216: ...Chapter 10 Quality of Service Attaching a Policy Map to a Port 216...

Page 217: ...acket delays packet loss and jitter This is best achieved by assigning all VoIP traffic to a single Voice VLAN The use of a Voice VLAN has several advantages It provides security by isolating the VoIP...

Page 218: ...ode see Adding Static Members to VLANs on page 144 Parameters These parameters are displayed Auto Detection Status Enables the automatic detection of VoIP traffic on switch ports Default Disabled Voic...

Page 219: ...ers are displayed Telephony OUI Specifies a MAC address range to add to the list Format xx xx xx xx xx xx Mask Identifies a range of MAC addresses Setting a mask of FF FF FF 00 00 00 identifies all de...

Page 220: ...oIP Traffic Ports Use the Traffic VoIP Configure Interface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic prio...

Page 221: ...ffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to vendors and form the first three octets of a device MAC address M...

Page 222: ...ise if the VoIP Mode is Disabled or set to Manual the remaining age will display NA Web Interface To configure VoIP traffic settings for a port 1 Click Traffic VoIP 2 Select Configure Interface from t...

Page 223: ...ovide a secure shell for secure Telnet access ACL Access Control Lists provide packet filtering for IP frames based on address protocol Layer 4 protocol port number or TCP control code ARP Inspection...

Page 224: ...be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authenticate a user a request is sent to the firs...

Page 225: ...nst the authentication database stored on the local switch If a remote authentication server is used you must specify the authentication sequence Then specify the corresponding parameters for the remo...

Page 226: ...n a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege...

Page 227: ...bal Provides globally applicable RADIUS settings Server Index Specifies one of five RADIUS servers that may be configured The switch attempts authentication using the listed sequence of servers The pr...

Page 228: ...the request Range 1 65535 Default 5 Authentication Retries Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Set Key Mark this box to se...

Page 229: ...ver from the Step list 3 Select RADIUS or TACACS server type 4 Select Global to specify the parameters that apply globally to all specified servers or select a specific Server Index to specify the par...

Page 230: ...ADIUS or TACACS server groups to use for accounting and authorization 1 Click Security AAA Server 2 Select Configure Group from the Step list 3 Select Add from the Action list 4 Select RADIUS or TACAC...

Page 231: ...e configured accounting methods the methods applied to specific interfaces and basic accounting information recorded for user sessions Command Usage AAA authentication through a RADIUS or TACACS serve...

Page 232: ...up names radius and tacacs specifies all configured RADIUS and TACACS hosts see Configuring Local Remote Logon Authentication on page 225 Any other group name refers to a server group configured on th...

Page 233: ...les apply This field is null if the accounting method and associated server group has not been assigned to an interface Show Information Statistics User Name Displays a registered user name Accounting...

Page 234: ...d from the Step list 3 Select Add from the Action list 4 Select the accounting type 802 1X Command Exec 5 Specify the name of the accounting method and server group name 6 Click Apply Figure 143 Confi...

Page 235: ...to specific interfaces console commands entered at specific privilege levels and local console Telnet or SSH connections 1 Click Security AAA Accounting 2 Select Configure Service from the Step list 3...

Page 236: ...Accounting Service for Command Service Figure 147 Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified...

Page 237: ...3 Click Statistics Figure 149 Displaying Statistics for AAA Accounting Sessions Configuring AAA Authorization Use the Security AAA Authorization page to enable authorization of requested services and...

Page 238: ...Remote Logon Authentication on page 225 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Configure Service...

Page 239: ...Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name 4 Click Apply Figure 150 Configuring AAA Authorization Methods To show the authorizatio...

Page 240: ...Select Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 152 Configuring AAA Authorization Methods for Exec Service To display a the configured author...

Page 241: ...evel 0 7 provide the same default access to a limited number of commands which display the current status of the switch as well as several database clear and reset functions These commands are equival...

Page 242: ...words Password Specifies the user password Range 0 32 characters case sensitive Confirm Password Re type the string entered in the previous field to ensure no errors were made The switch will not chan...

Page 243: ...enticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully...

Page 244: ...switch port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS server to pass the following QoS information Multiple profiles can be specified in the Filter...

Page 245: ...uration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a...

Page 246: ...ing the maximum MAC count and enabling dynamic VLAN or dynamic QoS assignments Parameters These parameters are displayed Guest VLAN Specifies the VLAN to be assigned to the port when 802 1X Authentica...

Page 247: ...ned to the default untagged VLAN When the dynamic VLAN assignment status is changed on a port all authenticated addresses mapped to that port are cleared from the secure MAC address table MAC Filter I...

Page 248: ...are displayed Filter ID Adds a filter rule for the specified filter Range 1 64 MAC Address The filter rule will check ingress packets against the entered MAC address or range of MAC addresses as defin...

Page 249: ...tion on the secure MAC entries can be displayed and selected entries can be removed from the table Parameters These parameters are displayed Query By Specifies parameters to use in the MAC address que...

Page 250: ...ecurity Network Access 2 Select Show Information from the Step list 3 Use the sort key to display addresses based MAC address interface or attribute 4 Restrict the displayed addresses by entering a sp...

Page 251: ...tps device port_number When you start HTTPS the connection is established in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set o...

Page 252: ...e site certificate When you log onto the web interface using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that the web browser displ...

Page 253: ...urce File Name Name of certificate file stored on the TFTP server Private Key Source File Name Name of private key file stored on the TFTP server Private Password Password stored in the private key fi...

Page 254: ...SH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered Note You need to install an...

Page 255: ...the User Accounts page as described on page 241 The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown in...

Page 256: ...lient s private key corresponds to an authorized public key and the client is authenticated Authenticating SSH v2 Clients a The client first queries the switch to determine if DSA public key authentic...

Page 257: ...e 1 120 seconds Default 120 seconds Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authen...

Page 258: ...generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default Both The SSH server uses RSA or DSA for key exchange when the client first establishes a connectio...

Page 259: ...blic key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive password authentication mechanism to complete authentication Parameters These...

Page 260: ...ey 1 Click Security SSH 2 Select Configure User Key from the Step list 3 Select Copy from the Action list 4 Select the user name and the public key type from the respective drop down boxes input the T...

Page 261: ...s packets against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match the packet is accepte...

Page 262: ...ound down to the end of the list the traffic is denied For this reason frequently hit entries should be placed at the top of the list There is an implied deny for traffic that is not explicitly permit...

Page 263: ...n the TCAM List Unit Stack unit identifier Device Memory chip used for indicated pools Pool Rule slice or call group Each slice has a fixed number of rules that are used for the specified features Tot...

Page 264: ...ts based on the source or destination IPv4 address as well as the protocol type and protocol port number If the TCP protocol is specified then you can also filter packets based on the TCP control code...

Page 265: ...CL 2 Select Configure ACL from the Step list 3 Select Add from the Action list 4 Fill in the ACL Name field and select the ACL type 5 Click Apply Figure 169 Creating an ACL To show a list of ACLs 1 Cl...

Page 266: ...ource IP Address Source IP address Source Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The mask uses 1 bits to indicate match and 0 bits to indicate igno...

Page 267: ...de all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and Subnet Mask fields Options Any Host IP Default Any Sou...

Page 268: ...8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN flag valid use control code 2 control bit mask 2...

Page 269: ...d page to configure a Standard IPv6ACL Parameters These parameters are displayed Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action A...

Page 270: ...the address Range 0 128 bits Time Range Name of a time range Web Interface To add rules to a Standard IPv6 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the...

Page 271: ...ss must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number...

Page 272: ...ayload RFC 2406 51 Authentication RFC 2402 60 Destination Options RFC 2460 Time Range Name of a time range Web Interface To add rules to an Extended IPv6 ACL 1 Click Security ACL 2 Select Configure AC...

Page 273: ...in any combination of permit or deny rules Source Destination Address Type Use Any to include all possible addresses Host to indicate a specific MAC address or MAC to specify an address range with the...

Page 274: ...value Range 0 7 where 7 is the highest priority CoS Bit Mask CoS bitmask Range 0 7 Time Range Name of a time range Web Interface To add rules to a MAC ACL 1 Click Security ACL 2 Select Configure ACL f...

Page 275: ...hing the selected type Action An ACL can contain any combination of permit or deny rules Packet Type Indicates an ARP request ARP response or either type Range IP Request Response Default IP Source De...

Page 276: ...address Log Logs a packet when it matches the access control entry Web Interface To add rules to an ARP ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the A...

Page 277: ...appropriate ACLs Parameters These parameters are displayed Type Selects the type of ACLs to bind to a port Port Port identifier Range 1 10 28 ACL ACL used for ingress packets Time Range Name of a time...

Page 278: ...meters These parameters are displayed Port Port identifier Range 1 10 28 Type Selects the type of ACL Direction Displays statistics for ingress or egress traffic Query Displays statistics for selected...

Page 279: ...man in the middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to th...

Page 280: ...ARP Inspection configuration of any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become a...

Page 281: ...the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the sam...

Page 282: ...9 Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Use the Security ARP Inspection Configure VLAN page to enable ARP inspection for any VLAN and to specify t...

Page 283: ...CL Name Allows selection of any configured ARP ACLs Default None Static When an ARP ACL is selected and static mode also selected the switch only performs ARP Inspection and bypasses validation agains...

Page 284: ...d will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Packet Rate Limit Sets the maximum number of ARP packets that can be processe...

Page 285: ...xceeding the ARP Inspection rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional...

Page 286: ...s are displayed Web Interface To display the ARP Inspection log 1 Click Security ARP Inspection 2 Select Show Information from the Step list 3 Select Show Log from the Action list Table 18 ARP Inspect...

Page 287: ...event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five differe...

Page 288: ...s of a range End IP Address The end address of a range Web Interface To create a list of IP addresses authorized for management access 1 Click Security IP Filter 2 Select Add from the Action list 3 Se...

Page 289: ...vice with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message Comma...

Page 290: ...bled on a port that port cannot be set as an RSPAN uplink port Also when a port is configured as an RSPAN uplink port source port or destination port port security cannot be enabled on that port Param...

Page 291: ...an invalid address is detected on a port and set the maximum number of MAC addresses allowed on the port 3 Click Apply Figure 186 Configuring Port Security Configuring 802 1X Port Authentication Netwo...

Page 292: ...e The RADIUS server verifies the client credentials and responds with an accept or reject packet If authentication is successful the switch allows the client to access the network Otherwise non EAP tr...

Page 293: ...her comparable client software Configuring 802 1X Global Settings Use the Security Port Authentication Configure Global page to configure IEEE 802 1X port authentication The 802 1X protocol must be en...

Page 294: ...e and as a supplicant on other ports by the setting the control mode to Force Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page Parameters These parameters a...

Page 295: ...ter the Max Request Count has been exceeded before attempting to acquire a new client Range 1 65535 seconds Default 60 seconds Tx Period Sets the time period during an authentication session that the...

Page 296: ...efault setting Guest VLAN All traffic for the port is assigned to a guest VLAN The guest VLAN must be separately configured See Configuring VLAN Groups on page 142 and mapped on each port See Configur...

Page 297: ...ing initialize reauthenticate Web Interface To configure port authenticator settings for 802 1X 1 Click Security Port Authentication 2 Select Configure Interface from the Step list 3 Modify the authen...

Page 298: ...cator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received...

Page 299: ...mation to a DHCP server This information can be useful in tracking an IP address back to a physical port Rx EAP LenError The number of EAPOL frames that have been received by this Supplicant in which...

Page 300: ...via DHCP snooping Filtering rules are implemented as follows If the global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLAN w...

Page 301: ...ting malicious network attacks from attached clients on DHCP services such as IP Spoofing Client Identifier Spoofing MAC Address Spoofing and Address Exhaustion DHCP Snooping must be enabled for Optio...

Page 302: ...ields in circuit ID CID and remote ID RID in Option 82 information Default Enabled DHCP Snooping Information Option Remote ID Specifies the MAC address IP address or arbitrary identifier of the reques...

Page 303: ...gs for DHCP Snooping DHCP Snooping VLAN Configuration Use the Security DHCP Snooping Configure VLAN page to enable or disable DHCP snooping on specific VLANs Command Usage When DHCP snooping is enable...

Page 304: ...a VLAN Configuring Ports for DHCP Snooping Use the Security DHCP Snooping Configure Interface page to configure switch ports as trusted or untrusted Command Usage A trusted interface is an interface...

Page 305: ...on Mode Specifies the default string VLAN Unit Port or an arbitrary string Default VLAN Unit Port Value An arbitrary string inserted into the circuit identifier field Range 1 32 characters Web Interfa...

Page 306: ...which this entry is bound Interface Port or trunk to which this entry is bound Store Writes all dynamically learned snooping entries to flash memory This function can be used to store the currently l...

Page 307: ...a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address 255 255 255 255 all of which uses a spoofed source address of the intended victim Th...

Page 308: ...interfaces based on manually configured entries in the IP Source Guard table or dynamic entries in the DHCP Snooping table when enabled see DHCP Snooping on page 299 IP source guard can be used to pre...

Page 309: ...table Filtering rules are implemented as follows If DHCP snooping is disabled see page 302 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC o...

Page 310: ...erface ACL Table 1 5 Default 5 MAC Table 1 32 Default 16 This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table including both dynamic entrie...

Page 311: ...he binding table Static bindings are processed as follows A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true If there is no...

Page 312: ...or C Port The port to which a static entry is bound Specify a physical port number or list of port numbers Separate nonconsecutive port numbers with a comma and no spaces or use a hyphen to designate...

Page 313: ...Action list Figure 198 Configuring Static Bindings for IPv4 Source Guard Displaying Information for Dynamic IPv4 Source Guard Bindings Use the Security IP Source Guard Dynamic Binding page to display...

Page 314: ...ort to which this entry is bound IP Address IP address corresponding to the client Type Entry types include DHCP Snooping or BOOTP Snooping Web Interface To display the binding table for IP Source Gua...

Page 315: ...the local switch or discovery of information about neighboring devices on the local broadcast domain Power over Ethernet7 Sets the priority and power budget for each port Simple Network Management Pro...

Page 316: ...hat are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM Parameters These parameters are displayed System Log Status Ena...

Page 317: ...ommand Log Status Records the commands executed from the CLI including the execution time and information about the CLI user including the user name user interface console port telnet or SSH and user...

Page 318: ...s are displayed Remote Log Status Enables disables the logging of debug or error messages to the remote logging process Default Disabled Logging Facility Sets the facility type for remote logging of s...

Page 319: ...e Logging of Error Messages Sending Simple Mail Transfer Protocol Alerts Use the Administration Log SMTP page to alert system administrators of problems by sending SMTP Simple Mail Transfer Protocol e...

Page 320: ...t messages You can specify up to five recipients Server IP Address Specifies a list of up to three recipient SMTP servers IPv4 or IPv6 addresses may be specified The switch attempts to connect to the...

Page 321: ...Timing Attributes Use the Administration LLDP Configure Global page to set attributes for general functions such as globally enabling LLDP on the switch setting the message ageout time and setting th...

Page 322: ...changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent should th...

Page 323: ...Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section Trap notifications include informati...

Page 324: ...hrough the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier VID associated with the management address reported by this TLV Port Description The...

Page 325: ...ch includes information about auto negotiation support capabilities and operational Multistation Access Unit MAU type Default Enabled PoE8 Power over Ethernet capabilities including whether or not PoE...

Page 326: ...ssages including the country and the device type Country The two letter ISO 3166 country code in capital ASCII letters Example DK DE or US Device entry refers to The type of device to which the locati...

Page 327: ...s such as the city street number building and room information The address location is specified as a type and value pair with the civic address type defined in RFC 4776 The following table describes...

Page 328: ...ange 1 32 characters Web Interface To specify the physical location of the attached device 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Add CA Type from the Act...

Page 329: ...mation Parameters These parameters are displayed General Settings Chassis Type Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several w...

Page 330: ...address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions appl...

Page 331: ...the interface LLDP MED Capabilities Network Policy Location Identification Extended Power via MDI PSE Extended Power via MDI PD Inventory Web Interface To display LLDP information for the local devic...

Page 332: ...tocols Link Layer Discovery Protocol 332 Figure 208 Displaying Local Device Information for LLDP General Figure 209 Displaying Local Device Information for LLDP Port Figure 210 Displaying Local Device...

Page 333: ...ch Range 1 10 28 Remote Index Index of remote device attached to this port Local Port The local port to which a remote LLDP capable device is attached Chassis Type Identifies the chassis containing th...

Page 334: ...ocol VLANs configured on this interface whether the given port associated with the remote system supports port based protocol VLANs and whether the port based protocol VLANs are enabled on the given p...

Page 335: ...eans that the spare pairs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controllable Indicates w...

Page 336: ...ty 9 Device Class Any of the following categories of endpoint devices Class 1 The most basic class of endpoint devices Class 2 Endpoint devices that supports media stream capabilities Class 3 Endpoint...

Page 337: ...in IEEE 802 1Q A value of zero indicates that the port is using priority tagged frames meaning that only the IEEE 802 1D priority level is significant and the default PVID of the ingress port is used...

Page 338: ...rimary Power Source Backup Power Source Power conservation mode Power Value The total power in watts required by a PD device from a PSE device or the total power a PSE device is capable of sourcing ov...

Page 339: ...port 1 Click Administration LLDP 2 Select Show Remote Device Information from the Step list 3 Select Port Port Details Trunk or Trunk Details 4 When the next page opens select a port on this switch a...

Page 340: ...Chapter 13 Basic Administration Protocols Link Layer Discovery Protocol 340 Figure 212 Displaying Remote Device Information for LLDP Port Details...

Page 341: ...display statistics for LLDP capable devices attached to the switch and for LLDP protocol messages transmitted or received on all local interfaces Parameters These parameters are displayed General Sta...

Page 342: ...TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count...

Page 343: ...switch that is authenticated by a PoE signature from the connected device Detection and authentication prevent damage to non compliant devices prior to IEEE 802 3af The switch s power management enabl...

Page 344: ...ty settings are used to control the supplied power PoE Maximum Allocation Power Sets a power budget for the switch Range 50000 740000 milliwatts Default 125000 milliwatts Compatible Mode Allows the sw...

Page 345: ...causes an 802 3at PD to respond as a Class 4 device and draw Class 4 current Afterwards the switch exchanges information with the PD such as duty cycle peak and average power needs All the RJ 45 ports...

Page 346: ...all of the ports port priority defaults to Port 1 Port 2 Port 3 Port 24 with available power being supplied in that sequence If priority is not set for any ports and PoE consumption exceeds the maxim...

Page 347: ...s for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on t...

Page 348: ...e following table shows the security models and levels available and the system default settings Note The predefined default groups and view can be deleted from the system You can then define customiz...

Page 349: ...se the Administration SNMP Configure Engine page to change the local engine ID If you want to change the default engine ID it must be changed before configuring other parameters 4 Use the Administrati...

Page 350: ...SNMPv3 packets Command Usage A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SN...

Page 351: ...ngine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host Command Usage SNMP passwords are localized using th...

Page 352: ...3 Select Add Remote Engine from the Action list 4 Enter an ID of a least 9 hexadecimal characters and the IP address of the remote host 5 Click Apply Figure 220 Configuring a Remote Engine ID for SNM...

Page 353: ...bject identifier of a branch within the MIB tree is included or excluded from the SNMP view Add OID Subtree View Name Lists the SNMP views configured in the Add View page Range 1 32 characters OID Sub...

Page 354: ...Select Show View from the Action list Figure 223 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure Vie...

Page 355: ...iews Figure 225 Showing the OID Subtree Configured for SNMP Views Configuring SNMPv3 Groups Use the Administration SNMP Configure Group page to add an SNMPv3 group which can be used to set the access...

Page 356: ...encryption used in SNMP communications This is the default security level AuthNoPriv SNMP communications use authentication but the data is not encrypted AuthPriv SNMP communications use both authent...

Page 357: ...that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notPre...

Page 358: ...hen a broadcast storm is detected as normal traffic this trap is fired swAtcBcastStormTcApplyTrap 1 3 6 1 4 1 22426 43 103 2 1 0 72 When ATC is activated this trap is fired swAtcBcastStormTcReleaseTra...

Page 359: ...to memoryUtiFallingThreshold dhcpRougeServerAttackTrap 1 3 6 1 4 1 22426 43 103 2 1 0 114 This trap is sent when receiving a DHCP packet from a rouge server macNotificationTrap 1 3 6 1 4 1 22426 43 10...

Page 360: ...03 2 1 0 213 This trap is sent when CPU utilization rises above the high watermark the first time or when CPU utilization rises from below the low watermark to above the high watermark cpuGuardRelease...

Page 361: ...re Group from the Step list 3 Select Add from the Action list 4 Enter a group name assign a security model and level and then select read write and notify views 5 Click Apply Figure 226 Creating an SN...

Page 362: ...s to the SNMP protocol Range 1 32 characters case sensitive Default strings public Read Only private Read Write Access Mode Specifies the access rights for the community string Read Only Authorized ma...

Page 363: ...with a specific security level and assigned to a group The SNMPv3 group restricts users to a specific read write and notify view Parameters These parameters are displayed User Name The name of user co...

Page 364: ...lable Privacy Password A minimum of eight plain text characters is required Web Interface To configure a local SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Sele...

Page 365: ...User from the Step list 3 Select Show SNMPv3 Local User from the Action list Figure 231 Showing Local SNMPv3 Users To change a local SNMPv3 local user group 1 Click Administration SNMP 2 Select Chang...

Page 366: ...n page 351 Parameters These parameters are displayed User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group to which the user is assigned R...

Page 367: ...to identify the source of SNMPv3 inform messages sent from the local switch If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and...

Page 368: ...However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deci...

Page 369: ...receive notification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Infor...

Page 370: ...ange 0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specif...

Page 371: ...onfigure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 C...

Page 372: ...Configure Notify Filter Add page to create an SNMP notification log Command Usage Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notif...

Page 373: ...rmation recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station When a trap host is created using the Administration SNMP Configure...

Page 374: ...units Parameters The following counters are displayed SNMP packets input The total number of messages delivered to the SNMP entity from the transport service Bad SNMP version errors The total number...

Page 375: ...pted and processed or generated by the SNMP protocol entity SNMP packets output The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service Too big error...

Page 376: ...it can automatically notify the network administrator of a failure and provide historical information about the event If it cannot connect to the management agent it will continue to perform any speci...

Page 377: ...nes the MIB variable plus the etherStatsIndex For example 1 3 6 1 2 1 16 1 1 1 6 1 denotes etherStatsBroadcastPkts plus the etherStatsIndex of 1 Interval The polling interval Range 1 31622400 seconds...

Page 378: ...monitored variables reaching or crossing below the falling threshold If there is no corresponding entry in the event control table then no event will be generated Range 0 65535 Owner Name of the perso...

Page 379: ...take when an alarm is triggered The response can include logging the alarm or sending a message to a trap manager Alarms and corresponding events provide a way of immediately responding to critical ne...

Page 380: ...1 and v2c hosts Although the community string can be set on this configuration page it is recommended that it be defined on the SNMP trap configuration page see Setting Community Access Strings on pag...

Page 381: ...les Use the Administration RMON Configure Interface Add History page to collect statistics on a physical interface to monitor network utilization packet types and errors A historical record of activit...

Page 382: ...using the Add page this index will not appear in the Show nor Show Details page for the port to which is normally assigned For example if control entry 15 is assigned to port 5 this index entry will...

Page 383: ...he name of the owner for this entry 7 Click Apply Figure 246 Configuring an RMON History Sample To show configured RMON history samples 1 Click Administration RMON 2 Select Configure Interface from th...

Page 384: ...ch can subsequently be used to monitor the network for common errors and overall traffic rates Command Usage If statistics collection is already enabled on an interface the entry must be deleted befor...

Page 385: ...om the Action list 4 Click Statistics 5 Select a port from the list as the data source 6 Enter an index number and the name of the owner for this entry 7 Click Apply Figure 249 Configuring an RMON Sta...

Page 386: ...d RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a...

Page 387: ...take effect if the current time is within the absolute time range and one of the periodic time ranges A maximum of eight rules can be configured for a time range Parameters These parameters are displa...

Page 388: ...Name of a Time Range To show a list of time ranges 1 Click Administration Time Range 2 Select Show from the Action list Figure 253 Showing a List of Time Ranges To configure a rule for a time range 1...

Page 389: ...led a control frame is transmitted on the participating ports and the switch monitors inbound traffic to see if the frame is looped back Usage Guidelines The default settings for the control frame tra...

Page 390: ...me Specifies the interval to wait before the switch automatically releases an interface from shutdown state Range 60 1 000 000 seconds Default 60 seconds When the loopback detection mode is changed an...

Page 391: ...oopback condition Detect Sends an SNMP trap message when a loopback condition is detected None Does not send an SNMP trap for loopback detection or recovery Recover Sends an SNMP trap message when the...

Page 392: ...displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1 10 28 Trunk Trunk Identifier Range 1 8 Admin State Manually enables or disables an interface Default Enabled Operat...

Page 393: ...k and any hosts that want to receive the multicast register with their local multicast switch router Although this approach reduces the network overhead required by a multicast server the broadcast tr...

Page 394: ...work segments where no node has expressed interest in receiving a specific multicast service For switches that do not support multicast routing or where multicast routing is already enabled on other s...

Page 395: ...e Configuring IGMP Snooping and Query Parameters on page 396 Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier you can manually designate a known IGMP querier i e a multicas...

Page 396: ...see Unregistered Data Flooding in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there i...

Page 397: ...hanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolicited reports for all currently learned channels out the new uplink por...

Page 398: ...ion Unregistered Data Flooding Floods unregistered multicast traffic into the attached VLAN Default Disabled Once the table used to store multicast entries for IGMP snooping and multicast routing is f...

Page 399: ...onfigures the IGMP report query version used by IGMP snooping Versions 1 3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the...

Page 400: ...MP Snooping must be enabled globally on the switch see Configuring IGMP Snooping and Query Parameters on page 396 before a multicast router port can take effect Parameters These parameters are display...

Page 401: ...attached to the multicast router 4 Click Apply Figure 260 Configuring a Static Interface for a Multicast Router To show the static interfaces attached to a multicast router 1 Click Multicast IGMP Sno...

Page 402: ...lly assign a multicast service to an interface Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages see Configuring IGMP Snooping and Query Parameters on page...

Page 403: ...ion list 3 Select the VLAN that will propagate the multicast service specify the interface attached to a multicast service through an IGMP enabled switch or multicast router and enter the multicast IP...

Page 404: ...ing and multicast routing devices MRD is used to discover which interfaces are attached to multicast routers allowing IGMP enabled devices to determine where to send multicast source and group members...

Page 405: ...ace is administratively disabled The router is gracefully shut down Advertisement and Termination messages are sent to the All Snoopers multicast address Solicitation messages are sent to the All Rout...

Page 406: ...this time out is set to Last Member Query Interval Robustness Variable fixed at 2 as defined in RFC 2236 If immediate leave is enabled the switch assumes that only one host is connected to the interfa...

Page 407: ...ages sent to downstream hosts and in report and leave messages sent upstream from the multicast router port If a proxy query address is not configured the switch will use the VLAN s IP address as the...

Page 408: ...ping proxy reporting is enabled page 396 or IGMP querier is enabled page 396 Last Member Query Count The number of IGMP proxy group specific or group and source specific query messages that are sent o...

Page 409: ...igure and update the required parameters 4 Click Apply Figure 265 Configuring IGMP Snooping on a VLAN To show the interface settings for IGMP snooping 1 Click Multicast IGMP Snooping Interface 2 Selec...

Page 410: ...specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier Multicast Data Drop Configures an interface to stop multicast...

Page 411: ...ulticast group address Group Address IP multicast group address with subscribers directly attached or downstream from the switch or a static multicast group assigned to this interface Interface A down...

Page 412: ...local querier is assumed to have expired Self Querier Uptime Time local querier has been up General Query Received The number of general queries received on this interface General Query Sent The numbe...

Page 413: ...report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or IGMP group report received Join Success The number of times a multicast grou...

Page 414: ...g and Query for IPv4 414 Figure 269 Displaying IGMP Snooping Statistics Query To display IGMP snooping protocol related statistics for a VLAN 1 Click Multicast IGMP Snooping Statistics 2 Select Show V...

Page 415: ...igure 270 Displaying IGMP Snooping Statistics VLAN To display IGMP snooping protocol related statistics for a port 1 Click Multicast IGMP Snooping Statistics 2 Select Show Port Statistics from the Act...

Page 416: ...file If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum num...

Page 417: ...the start and end of the range Parameters These parameters are displayed Add Profile ID Creates an IGMP profile Range 1 4294967295 Access Mode Sets the access mode of the profile either permit or den...

Page 418: ...and set its access mode 5 Click Apply Figure 273 Creating an IGMP Filtering Profile To show the IGMP filter profiles 1 Click Multicast IGMP Snooping Filter 2 Select Configure Profile from the Step li...

Page 419: ...formation Figure 276 Showing the Groups Assigned to an IGMP Filtering Profile Configuring IGMP Filtering and Throttling for Interfaces Use the Multicast IGMP Snooping Filter Configure Interface page t...

Page 420: ...t the same time Range 1 511 Default 511 Current Multicast Groups Displays the current multicast groups the interface has joined Throttling Action Mode Sets the action to take when the maximum number o...

Page 421: ...ets include MLDv2 query and report messages as well as MLDv1 report and done messages Remember that IGMP Snooping and MLD Snooping are independent functions and can therefore both function at the same...

Page 422: ...e multicast groups they have joined Query Max Response Time The maximum response time advertised in MLD general queries Range 5 25 seconds Default 10 seconds This attribute controls how long the host...

Page 423: ...he parent VLAN Default Disabled If MLD immediate leave is not used a multicast router or querier will send a group specific query message when an MLD group leave message is received The router querier...

Page 424: ...current multicast groups Command Usage MLD Snooping must be enabled globally on the switch see Configuring MLD Snooping and Query Parameters on page 421 before a multicast router port can take effect...

Page 425: ...Select the VLAN for which to display this information Figure 281 Showing Static Interfaces Attached an IPv6 Multicast Router To show all the interfaces attached to a multicast router 1 Click Multicas...

Page 426: ...ly be forwarded to ports within that VLAN Parameters These parameters are displayed VLAN Specifies the VLAN which is to propagate the multicast service Range 1 4094 Multicast IPv6 Address The IP addre...

Page 427: ...3 Select the VLAN for which to display this information Figure 284 Showing Static Interfaces Assigned to an IPv6 Multicast Service To display information about all IPv6 multicast groups MLD Snooping o...

Page 428: ...ress to a minimum set such that all nodes listening states are respected In Include mode the router only uses the request list indicating that the reception of packets sent to the specified multicast...

Page 429: ...Pv4 429 Web Interface To display known MLD multicast groups 1 Click Multicast MLD Snooping Group Information 2 Select the port or trunk and then select a multicast service assigned to that interface F...

Page 430: ...Chapter 14 Multicast Filtering MLD Snooping Snooping and Query for IPv4 430...

Page 431: ...e IP Address Alias or IPv4 IPv6 address of the host Probe Count Number of packets to send Range 1 16 Packet Size Number of bytes in a packet Range 32 512 bytes for IPv4 0 1500 bytes for IPv6 The actua...

Page 432: ...faces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies...

Page 433: ...ses the first router to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and displays the round trip time for each mes...

Page 434: ...his way with each routing device mapping the destination IP address to the MAC address of the next hop toward the recipient until the packet is delivered to the final destination If there is no entry...

Page 435: ...e and also cache the MAC of the source device s IP address Displaying Dynamic or Local ARP Entries Use the Tools ARP page to display dynamic or local entries in the ARP cache The ARP cache contains st...

Page 436: ...Chapter 15 IP Tools Address Resolution Protocol 436...

Page 437: ...to other name servers on the network When a client device designates this switch as a DNS server the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switc...

Page 438: ...re Global from the Action list 3 Enable domain lookup and set the default domain name 4 Click Apply Figure 290 Configuring General Settings for DNS Configuring a List of Domain Names Use the IP Servic...

Page 439: ...age 440 If all name servers are deleted DNS will automatically be disabled Parameters These parameters are displayed Domain Name Name of the host Do not include the initial dot that separates the host...

Page 440: ...e server is specified the servers are queried in the specified sequence until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automat...

Page 441: ...Service DNS Static Host Table Add page to manually configure static entries in the DNS table that are used to map domain names to IP addresses Command Usage Static entries may be used for local device...

Page 442: ...ic Host Table 2 Select Show from the Action list Figure 296 Showing Static Entries in the DNS Table Displaying the DNS Cache Use the IP Service DNS Cache page to display entries in the DNS cache that...

Page 443: ...namic Host Configuration Protocol DHCP can dynamically allocate an IP address and other configuration information to network clients when they boot up If a subnet does not already include a BOOTP or D...

Page 444: ...information the DHCP client request sent by this switch includes a parameter request list asking for this information Besides the client request also includes a vendor class identifier that allows the...

Page 445: ...devices including DHCP option 82 information DHCP provides an option for sending information about its DHCP clients to the DHCP server specifically the interface on the relay server through which the...

Page 446: ...fied DHCP server addresses are not located in the same network segment with this switch specify the default router through which this switch can reach other IP subnetworks see Configuring the IPv4 Def...

Page 447: ...which it was received If the RID in the DHCP reply packet matches that configured on the switch it then removes the Option 82 information from the packet and sends it on as follows If the DHCP packet...

Page 448: ...relay agent itself inserts the relay agent s address and unicasts the packet to the DHCP server DHCP Sub option Format Specifies whether or not to use the sub type and sub length fields in the circuit...

Page 449: ...ed under the ip dhcp dynamic provision command in the CLI Reference Guide By default the parameters for DHCP option 66 67 are not carried by the reply sent from the DHCP server To ask for a DHCP reply...

Page 450: ...Chapter 16 IP Services Dynamic Host Configuration Protocol 450 Figure 301 Enabling Dynamic Provisioning via DHCP...

Page 451: ...Version 4 This section describes how to configure an IPv4 interface for management access over the network This switch supports both IPv4 and IPv6 and can be managed through either of these address ty...

Page 452: ...to obtain an address from a BOOTP or DHCP server or manually configure a static IP address Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything other than this fo...

Page 453: ...ses a secondary address all other routers switches in that segment must also use a secondary address from the same network or subnet address space IP Address IP Address of the VLAN Valid IP addresses...

Page 454: ...igured VLAN and set IP Address Mode to BOOTP or DHCP 5 Click Apply to save your changes 6 Then click Restart DHCP to immediately request a new address IP will be enabled but will not function until a...

Page 455: ...ystem IP 2 Select Configure Interface from the Step list 3 Select Show Address from the Action list 4 Select an entry from the VLAN list Figure 305 Showing the Configured IPv4 Address for an Interface...

Page 456: ...r the switch Parameters These parameters are displayed Default Gateway Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address An IPv6 de...

Page 457: ...he paths to active neighbors The key parameters used to facilitate this process are the number of attempts made to verify whether or not a duplicate address exists on the same network segment and the...

Page 458: ...U value in cases where the link MTU is not otherwise well known IPv6 routers do not fragment IPv6 packets forwarded from other routers However traffic originating from an end station connected to an I...

Page 459: ...ations When a non default value is configured the specified interval is used both for router advertisements and by the router itself ND Reachable Time The amount of time that a remote IPv6 node is con...

Page 460: ...used only for other configuration settings Neighboring routers are configured to advertise non link local address prefixes from which IPv6 hosts derive stateless addresses This combination is known as...

Page 461: ...e 457 will also automatically generate a link local unicast address The prefix length for a link local address is fixed at 64 bits and the host portion of the default address is based on the modified...

Page 462: ...pe configured for this interface Global Configures an IPv6 global unicast address with a full IPv6 address including the network prefix and host address bits followed by a forward slash and a decimal...

Page 463: ...s resulting in a modified EUI 64 interface identifier of 2A 9F 18 FF FE 1C 82 35 This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single devic...

Page 464: ...r the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and jo...

Page 465: ...e state to invalid dis associates the interface identified with this entry from the indicated mapping RFC 4293 Reachable Positive confirmation was received within the last ReachableTime interval that...

Page 466: ...g packets if necessary for transmission through small packet networks ICMPv6 Internet Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to rep...

Page 467: ...ot a valid address to be received at this entity This count includes invalid addresses e g 0 and unsupported addresses e g addresses with unallocated prefixes For entities which are not IPv6 routers a...

Page 468: ...The number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination but which were discarded e g for lack of buffer space Note that this counter...

Page 469: ...rts received by the interface ICMPv6 Transmitted Output The total number of ICMP messages which this interface attempted to send Note that this counter includes all those counted by icmpOutErrors Dest...

Page 470: ...Listener Discovery Version 2 Reports The number of MLDv2 reports sent by the interface UDP Statistics Input The total number of UDP datagrams delivered to UDP users No Port Errors The total number of...

Page 471: ...Chapter 17 IP Configuration Setting the Switch s IP Address IP Version 6 471 Figure 312 Showing IPv6 Statistics ICMPv6 Figure 313 Showing IPv6 Statistics UDP...

Page 472: ...parameters are displayed Web Interface To show the MTU reported from other devices 1 Click System IPv6 Configuration 2 Select Show MTU from the Action list Figure 314 Showing Reported MTU Values Tabl...

Page 473: ...473 Section III Appendices This section provides additional information and includes these items Software Specifications on page 475 Troubleshooting on page 479 License Information on page 481...

Page 474: ...Section III Appendices 474...

Page 475: ...1000 Mbps at full duplex SFP Flow Control Full Duplex IEEE 802 3 2005 Half Duplex Back pressure Storm Control Broadcast multicast or unknown unicast traffic throttled above a critical threshold Port...

Page 476: ...Snooping Layer 2 IPv6 IP Routing ARP CIDR Classless Inter Domain Routing Additional Features BOOTP Client DHCP Client Option 82 LLDP Link Layer Discover Protocol RMON Remote Monitoring groups 1 2 3 9...

Page 477: ...ink Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging ARP RFC 826 DHCP Client RFC 2131 HTTPS ICMP RFC 792 IGMP RFC 1112 IGMPv2 RFC 2236 IGMP Proxy RFC...

Page 478: ...II RFC 1213 NTP RFC 1305 P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q Quality of Service M...

Page 479: ...onnecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting ag...

Page 480: ...Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set...

Page 481: ...ou have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use piec...

Page 482: ...under the terms of Section 1 above provided that you also meet all of these conditions a You must cause the modified files to carry prominent notices stating that you changed the files and the date o...

Page 483: ...parties are not compelled to copy the source along with the object code 5 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt other...

Page 484: ...which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Pro...

Page 485: ...ound robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port numbe...

Page 486: ...t used by IPv6 to identify the host portion of the network address The interface identifier in EUI compatible addresses is based on the link layer MAC address of an interface Interface identifiers use...

Page 487: ...Rapid Spanning Tree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 20...

Page 488: ...lt but may be configured differently to suit the requirements for specific network applications LACP Link Aggregation Control Protocol Allows ports to automatically negotiate a trunked link with LACP...

Page 489: ...group NTP Network Time Protocol provides the mechanisms to synchronize time across the network The time servers operate in a hierarchical master slave configuration in order to synchronize local clock...

Page 490: ...based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers SSH Secure Shell is a secure...

Page 491: ...w or just unnecessary UTC Universal Time Coordinate UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not hav...

Page 492: ...Glossary 492...

Page 493: ...RP ACL 275 ARP inspection 279 ACL filter 282 additional validation criteria 281 ARP ACL 283 enabling globally 281 trusted ports 284 authentication MAC address authentication 243 MAC configuring ports...

Page 494: ...s 211 setting PHB for matching packets 211 DNS default domain name 437 displaying the cache 442 domain name list 437 enabling lookup 437 name server list 437 static entries IPv4 441 Domain Name Servic...

Page 495: ...ing 395 immediate leave IGMP snooping 406 immediate leave MLD snooping 423 importing user public keys 259 ingress filtering 145 IP address BOOTP DHCP 452 setting 451 IP filter for management access 28...

Page 496: ...Management Information Bases MIBs 477 matching class settings classifying QoS traffic 207 memory status 90 utilization showing 90 mirror port configuring 129 configuring local traffic 129 configuring...

Page 497: ...ts port 345 port priority 346 power savings configuring 127 enabling per port 127 priority default port ingress 193 private key 254 problems troubleshooting 479 protocol migration 179 protocol VLANs 1...

Page 498: ...keys for clients 259 generating host key pair 258 server configuring 256 timeout 257 SSL replacing certificate 252 STA 165 BPDU auto recovery 179 BPDU filter 179 BPDU flooding 170 176 BPDU shutdown 1...

Page 499: ...bers 144 creating 142 description 139 displaying port members by interface 147 displaying port members by interface range 148 displaying port members by VLAN index 146 dynamic assignment 246 egress mo...

Page 500: ...E052016 ST R02 150200001416A...

Reviews:

No comments

Related manuals for GEL-1061

Brand: LEGRAND Pages: 2

MyPower S2300-28TC-AC

Brand: Maipu Pages: 31

Brand: BERNSTEIN Pages: 3

Brand: Accton Technology Pages: 523

Brand: Steren Pages: 13

Brand: Wyrestorm Pages: 4

Brand: Vagner Pool Pages: 5

Brand: J-Tech Digital Pages: 12

3 x 4 SWITCH PLUS

Brand: W2IIHY Pages: 28

Brand: Linksys Pages: 2

Brand: ATEN Pages: 9

IP Power 9258 DS

Brand: Aviosys Pages: 37

Brand: Conceptronic Pages: 28

Cutler-Hammer NTV Series

Brand: Eaton Pages: 28

MiniView G-CS12

Brand: IOGear Pages: 18

Champion KD-4X4XC

Brand: Key Digital Pages: 8

Brand: Zigen Pages: 72

NIVOMAG MK-21 Series

Brand: NIVELCO Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands