manualshive.com logo in svg

LevelOne GTL-2881, User Manual

The LevelOne GTL-2881 User Manual is readily available for free download from our website. This comprehensive manual provides detailed step-by-step instructions for setting up and operating the LevelOne GTL-2881 product. Access it now at manualshive.com to enhance your user experience with this exceptional product.

Share
Download
background image

Chapter 12

  |  Security Measures

Configuring 802.1X Port Authentication

–  350  –

Configuring

Port Supplicant

Settings for 802.1X

Use the Security > Port Authentication (Configure Interface – Supplicant) page to 
configure 802.1X port settings for supplicant requests issued from a port to an 
authenticator on another device. When 802.1X is enabled and the control mode is 
set to Force-Authorized (see 

“Configuring Port Authenticator Settings for 802.1X” 

on page 345

), you need to configure the parameters for the client supplicant 

process if the client must be authenticated through another device in the network.

Command Usage

When devices attached to a port must submit requests to another 
authenticator on the network, configure the Identity Profile parameters on the 
Configure Global page (see 

“Configuring 802.1X Global Settings” on page 344

which identify this switch as a supplicant, and configure the supplicant 
parameters for those ports which must authenticate clients through the 
remote authenticator on this configuration page. When PAE supplicant mode is 
enabled on a port, it will not respond to dot1x messages meant for an 
authenticator.

This switch can be configured to serve as the authenticator on selected ports 
by setting the Control Mode to Auto on the Authenticator configuration page, 
and as a supplicant on other ports by the setting the control mode to Force-
Authorized on that configuration page and enabling the PAE supplicant on the 
Supplicant configuration page.

Parameters

These parameters are displayed:

Port

 – Port number.

PAE Supplicant

 – Enables PAE supplicant mode. (Default: Disabled)

If the attached client must be authenticated through another device in the 
network, supplicant status must be enabled. 

Supplicant status can only be enabled if PAE Control Mode is set to “Force-
Authorized” on this port (see 

“Configuring Port Authenticator Settings for 

802.1X” on page 345

).

PAE supplicant status cannot be enabled if a port is a member of trunk or LACP 
is enabled on the port.

Authentication Period

 – The time that a supplicant port waits for a response 

from the authenticator. (Range: 1-65535 seconds; Default: 30 seconds)

Held Period

 – The time that a supplicant port waits before resending its 

credentials to find a new an authenticator. (Range: 1-65535 seconds; 
Default: 30 seconds)

Start Period

 – The time that a supplicant port waits before resending an 

EAPOL start frame to the authenticator. (Range: 1-65535 seconds; Default: 30 
seconds) 

Summary of Contents for GTL-2881

Page 1: ...ite Managed Gigabit Switch 2 x SFP 2 x SFP Optional Modules GTL 2882 28 Port Stackable Layer 3 Lite Managed Gigabit Fiber Switch 2 x SFP 2 x SFP Optional Modules User Manual V1 0 Digital Data Communications Asia Co Ltd http www level1 com ...

Page 2: ...ASE T RJ 45 Ports 2 10 Gigabit SFP Ports and Optional Module with 2 10 Gigabit SFP Ports GTL 2882 Layer Layer 3 Lite Stackable Gigabit Ethernet Fiber Switch with 22 SFP Ports 2 10 100 1000BASE T RJ 45 SFP Ports 2 10 Gigabit SFP Ports and Optional Module with 2 10 Gigabit SFP Ports E112016 ST R01 ...

Page 3: ... s key features It also describes the switch s web browser interface For information on the command line interface refer to the CLI Reference Guide The guide includes these sections Section I Getting Started Includes an introduction to switch management and the basic settings required to access the management interface Section II Web Configuration Includes all management options available through ...

Page 4: ...wing conventions are used throughout this guide to show information Note Emphasizes important information or calls your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Revision History This section summarizes the changes in each revision of this guide November 2016 Revision This is the first vers...

Page 5: ...ost Multipath Load Balancing 42 Address Resolution Protocol 42 Operation Administration and Maintenance 42 System Defaults 43 Section II Web Configuration 47 2 Using the Web Interface 49 Connecting to the Web Interface 49 Navigating the Web Browser Interface 50 Home Page 50 Configuration Options 51 Panel Display 51 Main Menu 52 3 Basic Management Tasks 71 Displaying System Information 72 ...

Page 6: ... Configuring NTP 87 Configuring Time Servers 88 Setting the Time Zone 92 Configuring Summer Time 93 Configuring the Console Port 95 Configuring Telnet Settings 97 Displaying CPU Utilization 98 Displaying Memory Utilization 99 Stacking 100 Setting the Master Unit 100 Enabling Stacking Ports 101 Renumbering the Stack 102 Resetting the System 103 4 Interface Configuration 107 Port Configuration 108 C...

Page 7: ... VLAN Trunking 149 5 VLAN Configuration 153 IEEE 802 1Q VLANs 153 Configuring VLAN Groups 156 Adding Static Members to VLANs 159 Configuring Dynamic VLAN Registration 163 IEEE 802 1Q Tunneling 166 Enabling QinQ Tunneling on the Switch 170 Creating CVLAN to SPVLAN Mapping Entries 172 Adding an Interface to a QinQ Tunnel 173 Protocol VLANs 175 Configuring Protocol VLAN Groups 175 Mapping Protocol Gr...

Page 8: ...ettings for MSTP 219 8 Congestion Control 221 Rate Limiting 221 Storm Control 222 Automatic Traffic Control 224 Setting the ATC Timers 225 Configuring ATC Thresholds and Responses 227 9 Class of Service 231 Layer 2 Queue Settings 231 Setting the Default Priority for Interfaces 231 Selecting the Queue Mode 232 Mapping CoS Values to Egress Queues 235 Layer 3 4 Priority Settings 238 Setting Priority ...

Page 9: ...ace Settings for Web Authentication 288 Network Access MAC Address Authentication 289 Configuring Global Settings for Network Access 291 Configuring Network Access for Ports 292 Configuring Port Link Detection 294 Configuring a MAC Address Filter 295 Displaying Secure MAC Address Information 297 Configuring HTTPS 299 Configuring Global Settings for HTTPS 299 Replacing the Default Secure site Certi...

Page 10: ...ing 802 1X Port Authentication 342 Configuring 802 1X Global Settings 344 Configuring Port Authenticator Settings for 802 1X 345 Configuring Port Supplicant Settings for 802 1X 350 Displaying 802 1X Statistics 352 DoS Protection 354 IPv4 Source Guard 357 Configuring Ports for IPv4 Source Guard 357 Configuring Static Bindings for IPv4 Source Guard 359 Displaying Information for Dynamic IPv4 Source ...

Page 11: ...twork Management Protocol 405 Configuring Global Settings for SNMP 407 Setting the Local Engine ID 408 Specifying a Remote Engine ID 409 Setting SNMPv3 Views 411 Configuring SNMPv3 Groups 413 Setting Community Access Strings 419 Configuring Local SNMPv3 Users 420 Configuring Remote SNMPv3 Users 423 Specifying Trap Managers 426 Creating SNMP Notification Logs 430 Showing SNMP Statistics 432 Remote ...

Page 12: ...ing Delay Measure Requests 498 Displaying Local MEPs 500 Displaying Details for Local MEPs 501 Displaying Local MIPs 503 Displaying Remote MEPs 504 Displaying Details for Remote MEPs 505 Displaying the Link Trace Cache 507 Displaying Fault Notification Settings 508 Displaying Continuity Check Errors 509 OAM Configuration 510 Enabling OAM on Local Ports 510 Displaying Statistics for OAM Messages 51...

Page 13: ...ery for IPv6 554 Configuring MLD Snooping and Query Parameters 554 Setting Immediate Leave Status for MLD Snooping per Interface 556 Specifying Static Interfaces for an IPv6 Multicast Router 557 Assigning Interfaces to IPv6 Multicast Services 559 Showing MLD Snooping Groups and Source List 561 Multicast VLAN Registration for IPv4 562 Configuring MVR Global Settings 564 Configuring MVR Domain Setti...

Page 14: ...ervices 621 Domain Name Service 621 Configuring General DNS Service Parameters 621 Configuring a List of Domain Names 622 Configuring a List of Name Servers 624 Configuring Static DNS Host to Address Entries 625 Displaying the DNS Cache 626 Dynamic Host Configuration Protocol 627 Specifying a DHCP Client Identifier 627 Configuring DHCP Relay Service 629 Configuring the PPPoE Intermediate Agent 630...

Page 15: ...iew 651 Configuring the Routing Information Protocol 652 Configuring General Protocol Settings 653 Clearing Entries from the Routing Table 656 Specifying Network Interfaces 657 Specifying Passive Interfaces 659 Specifying Static Neighbors 660 Configuring Route Redistribution 661 Specifying an Administrative Distance 663 Configuring Network Interfaces for RIP 664 Displaying RIP Interface Settings 6...

Page 16: ...ment Interface 679 Using System Logs 680 C License Statement GPL Code Statement 681 Written Offer for GPL LGPL Source Code 681 The GNU General Public License 681 How to Apply These Terms to Your New Programs 685 Notification of Compliance 686 Glossary 689 Index 697 ...

Page 17: ...etting the Polling Interval for SNTP 87 Figure 14 Configuring NTP 88 Figure 15 Specifying SNTP Time Servers 89 Figure 16 Adding an NTP Time Server 90 Figure 17 Showing the NTP Time Server List 90 Figure 18 Adding an NTP Authentication Key 91 Figure 19 Showing the NTP Authentication Key List 92 Figure 20 Setting the Time Zone 93 Figure 21 Configuring Summer Time 95 Figure 22 Console Port Settings 9...

Page 18: ...splaying Transceiver Data 124 Figure 46 Configuring Transceiver Thresholds 126 Figure 47 Performing Cable Tests 128 Figure 48 Configuring Static Trunks 129 Figure 49 Creating Static Trunks 130 Figure 50 Adding Static Trunks Members 131 Figure 51 Configuring Connection Parameters for a Static Trunk 131 Figure 52 Showing Information for Static Trunks 132 Figure 53 Configuring Dynamic Trunks 132 Figu...

Page 19: ...gure 80 Showing Dynamic VLANs Registered on the Switch 166 Figure 81 Showing the Members of a Dynamic VLAN 166 Figure 82 QinQ Operational Concept 167 Figure 83 Enabling QinQ Tunneling 171 Figure 84 Configuring CVLAN to SPVLAN Mapping Entries 173 Figure 85 Showing CVLAN to SPVLAN Mapping Entries 173 Figure 86 Adding an Interface to a QinQ Tunnel 174 Figure 87 Configuring Protocol VLANs 176 Figure 8...

Page 20: ...14 Configuring Global Settings for STA STP 205 Figure 115 Configuring Global Settings for STA RSTP 205 Figure 116 Configuring Global Settings for STA MSTP 206 Figure 117 Displaying Global Settings for STA 207 Figure 118 Determining the Root Port 209 Figure 119 Configuring Interface Settings for STA 211 Figure 120 STA Port Roles 213 Figure 121 Displaying Interface Settings for STA 214 Figure 122 Cr...

Page 21: ... a Class Map 249 Figure 151 Configuring a Policy Map 257 Figure 152 Showing Policy Maps 257 Figure 153 Adding Rules to a Policy Map 258 Figure 154 Showing the Rules for a Policy Map 259 Figure 155 Attaching a Policy Map to a Port 260 Figure 156 Configuring a Voice VLAN 263 Figure 157 Configuring an OUI Telephony List 264 Figure 158 Showing an OUI Telephony List 264 Figure 159 Configuring Port Sett...

Page 22: ...rk Access 294 Figure 184 Configuring Link Detection for Network Access 295 Figure 185 Configuring a MAC Address Filter for Network Access 296 Figure 186 Showing the MAC Address Filter Table for Network Access 297 Figure 187 Showing Addresses Authenticated for Network Access 298 Figure 188 Configuring HTTPS 300 Figure 189 Downloading the Secure Site Certificate 302 Figure 190 Configuring the SSH Se...

Page 23: ...Configuring Interface Settings for 802 1X Port Authenticator 349 Figure 223 Configuring Interface Settings for 802 1X Port Supplicant 351 Figure 224 Showing Statistics for 802 1X Port Authenticator 353 Figure 225 Showing Statistics for 802 1X Port Supplicant 354 Figure 226 Protecting Against DoS Attacks 356 Figure 227 Setting the Filter Type for IPv4 Source Guard 359 Figure 228 Configuring Static ...

Page 24: ...e 253 Displaying LLDP Device Statistics General 405 Figure 254 Displaying LLDP Device Statistics Port 405 Figure 255 Configuring Global Settings for SNMP 408 Figure 256 Configuring the Local Engine ID for SNMP 409 Figure 257 Configuring a Remote Engine ID for SNMP 410 Figure 258 Showing Remote Engine IDs for SNMP 410 Figure 259 Creating an SNMP View 412 Figure 260 Showing SNMP Views 412 Figure 261...

Page 25: ...itch Cluster 446 Figure 290 Configuring a Cluster Members 447 Figure 291 Showing Cluster Members 447 Figure 292 Showing Cluster Candidates 448 Figure 293 Managing a Cluster Member 449 Figure 294 ERPS Ring Components 450 Figure 295 Ring Interconnection Architecture Multi ring Ladder Network 452 Figure 296 Setting ERPS Global Status 454 Figure 297 Sub ring with Virtual Channel 463 Figure 298 Sub rin...

Page 26: ...Figure 326 Showing the Link Trace Cache 508 Figure 327 Showing Settings for the Fault Notification Generator 509 Figure 328 Showing Continuity Check Errors 510 Figure 329 Enabling OAM for Local Ports 513 Figure 330 Displaying Statistics for OAM Messages 514 Figure 331 Displaying the OAM Event Log 515 Figure 332 Displaying Status of Remote Interfaces 516 Figure 333 Running a Remote Loop Back Test 5...

Page 27: ...ing 557 Figure 361 Configuring a Static Interface for an IPv6 Multicast Router 558 Figure 362 Showing Static Interfaces Attached an IPv6 Multicast Router 558 Figure 363 Showing Current Interfaces Attached an IPv6 Multicast Router 558 Figure 364 Assigning an Interface to an IPv6 Multicast Service 560 Figure 365 Showing Static Interfaces Assigned to an IPv6 Multicast Service 560 Figure 366 Showing C...

Page 28: ... Configuring a Static IPv4 Address 599 Figure 396 Configuring a Dynamic IPv4 Address 600 Figure 397 Showing the Configured IPv4 Address for an Interface 601 Figure 398 Configuring the IPv6 Default Gateway 602 Figure 399 Configuring General Settings for an IPv6 Interface 607 Figure 400 Configuring RA Guard for an IPv6 Interface 608 Figure 401 Configuring an IPv6 Address 610 Figure 402 Showing Confi...

Page 29: ...aying ARP Statistics 647 Figure 431 Configuring Static Routes 648 Figure 432 Displaying Static Routes 648 Figure 433 Displaying the Routing Table 650 Figure 434 Configuring RIP 652 Figure 435 Configuring General Settings for RIP 656 Figure 436 Clearing Entries from the Routing Table 657 Figure 437 Adding Network Interfaces to RIP 658 Figure 438 Showing Network Interfaces Using RIP 659 Figure 439 S...

Page 30: ...Figures 30 Figure 450 Showing RIP Peer Information 669 Figure 451 Resetting RIP Statistics 670 ...

Page 31: ...Priority Mapping 235 Table 14 CoS Priority Levels 236 Table 15 Mapping Internal Per hop Behavior to Hardware Queues 236 Table 16 Default Mapping of DSCP Values to Internal PHB Drop Values 240 Table 17 Default Mapping of CoS CFI to Internal PHB Drop Precedence 242 Table 18 Dynamic QoS Profiles 290 Table 19 HTTPS System Support 299 Table 20 ARP Inspection Statistics 336 Table 21 ARP Inspection Log 3...

Page 32: ...ation State 511 Table 35 Remote Loopback Status 517 Table 36 Show IPv6 Neighbors display description 612 Table 37 Show IPv6 Statistics display description 614 Table 38 Show MTU display description 619 Table 39 Options 60 66 and 67 Statements 627 Table 40 Options 55 and 124 Statements 628 Table 41 Address Resolution Protocol 642 Table 42 ARP Statistics 646 Table 43 Troubleshooting Chart 679 ...

Page 33: ...tion provides an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Introduction on page 35 ...

Page 34: ...Section I Getting Started 34 ...

Page 35: ...EEE 802 1X MAC address filtering SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Telnet SSH Web HTTPS General Security Measures AAA ARP Inspection DHCP Snooping with Option 82 relay information DoS Protection IP Source Guard PPPoE Intermediate Agent Port Authentication IEEE 802 1X Port Security MAC address filtering Access Control Lists Supports up to 512 ACLs 2048 rules per ACL an...

Page 36: ...efault port priority traffic class map queue scheduling IP Precedence or Differentiated Services Code Point DSCP Qualify of Service Supports Differentiated Services DiffServ Link Layer Discovery Protocol Used to discover basic information about neighboring devices Switch Clustering Supports up to 36 member switches in a cluster Connectivity Fault Management Connectivity monitoring using continuity...

Page 37: ... or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then uses the EAP between the switch and the authentication server to verify the client s right to access the network via an authentication server i e RADIUS or TACACS server Other authentica...

Page 38: ...ly set up or dynamically configured using Link Aggregation Control Protocol LACP IEEE 802 3 2005 The additional ports dramatically increase the throughput across any connection and provide redundancy by taking over the load if a port in the trunk should fail The switch supports up to 16 trunks per switch and 32 per stack Storm Control Broadcast multicast and unknown unicast storm suppression preve...

Page 39: ...the connection Rapid Spanning Tree Protocol RSTP IEEE 802 1w This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds compared to 30 seconds or more for the older IEEE 802 1D STP standard It is intended as a complete replacement for STP but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP compliant mo...

Page 40: ...s use the same internal VLAN IDs This is accomplished by inserting Service Provider VLAN SPVLAN tags into the customer s frames when they enter the service provider s network and then stripping the tags when the frames leave the network Traffic Prioritization This switch prioritizes each packet based on the required level of service using eight priority queues with strict priority Weighted Round R...

Page 41: ...d with static routing and Routing Information Protocol RIP Static Routing Traffic is automatically routed between any IP interfaces configured on the switch Routing to statically configured hosts or subnet addresses is provided based on next hop entries specified in the static routing table RIP This protocol uses a distance vector approach to routing Routes are determined on the basis of minimizin...

Page 42: ...uting decisions and the corresponding MAC addresses to forward packets from one hop to the next Either static or dynamic entries can be configured in the ARP cache Proxy ARP allows hosts that do not support routing to determine the MAC address of a device on another network or subnet When a host sends an ARP request for a remote network the switch checks to see if it has the best route If it does ...

Page 43: ... LLDP intended for managing endpoint devices such as Voice over IP phones and network switches The LLDP MED TLVs advertise information such as network policy power inventory and device location details The LLDP and LLDP MED information can be used by SNMP applications to simplify troubleshooting enhance network management and maintain an accurate network topology System Defaults The switch s syste...

Page 44: ...ed SSH Disabled Port Security Disabled IP Filtering Disabled DHCP Snooping Disabled IP Source Guard Disabled all ports Web Management HTTP Server Enabled HTTP Port Number 80 HTTP Secure Server Enabled HTTP Secure Server Port 443 SNMP SNMP Agent Enabled Community Strings public read only private read write Traps Authentication traps enabled Link up down events enabled SNMP V3 View defaultview Group...

Page 45: ...ult VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid GVRP global Disabled GVRP port interface Disabled QinQ Tunneling Disabled Traffic Prioritization Ingress Port Priority 0 Queue Mode WRR Queue Weight Queue 0 1 2 3 4 5 6 7 Weight 1 2 4 6 8 10 12 14 Class of Service Enabled IP Precedence Priority Disabled IP DSCP Priority Disabled IP Settings Ma...

Page 46: ...abled Querier Disabled Multicast VLAN Registration Disabled IGMP Proxy Reporting Disabled IGMP Layer 3 IGMP Proxy Layer 3 Disabled Disabled System Log Status Enabled Messages Logged to RAM Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled Switch Clustering Status Disabled Commander Disabled Table 2 S...

Page 47: ... page 71 Interface Configuration on page 107 VLAN Configuration on page 153 Address Table Settings on page 187 Spanning Tree Algorithm on page 197 Congestion Control on page 221 Class of Service on page 231 Quality of Service on page 245 VoIP Traffic Configuration on page 261 Security Measures on page 267 Basic Administration Protocols on page 377 Multicast Filtering on page 525 IP Configuration o...

Page 48: ...Section II Web Configuration 48 Unicast Routing on page 651 ...

Page 49: ...nitial Switch Configuration in the CLI Reference Guide 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Configuring User Accounts on page 284 3 After you enter a user name and password you will have access to the system configuration program Note You are allowed ...

Page 50: ...ord for the administrator is admin The administrator has full access privileges to configure any parameters in the web interface The default user name and password for guest access is guest The guest only has read access for most configuration parameters Refer to Configuring User Accounts on page 284 for more details Home Page When your web browser connects with the switch s web agent the home pag...

Page 51: ...isplay The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with or without flow control Figure 2 Front Panel Indicators NOTE If stacking is enabled stacking ports 25 26 are not displayed on the panel graphic Table 3 Web Page Configuration Buttons B...

Page 52: ... found on the server 81 Time 85 Configure General Manual Manually sets the current time 86 SNTP Configures SNTP polling interval 87 NTP Configures NTP authentication parameters 87 Configure Time Server Configures a list of SNTP servers 88 Configure SNTP Server Sets the IP address for SNTP time servers 88 Add NTP Server Adds NTP time server and index of authentication key 89 Show NTP Server Shows l...

Page 53: ...eters for optical transceivers which support Digital Diagnostic Monitoring DDM and configures thresholds for alarm and warning messages for optical transceivers which support DDM 123 124 Cable Test Performs cable diagnostics for selected port to diagnose any cable faults short open etc and report the cable length 126 Trunk 128 Static 129 Configure Trunk 129 Add Creates a trunk along with the first...

Page 54: ...rts in aggregated links 142 Green Ethernet Adjusts the power provided to ports based on the length of the cable used to connect to other devices 144 RSPAN Mirrors traffic from remote switches for analysis at a destination port on the local switch 114 Traffic Segmentation 146 Configure Global Enables traffic segmentation globally 146 Configure Session Configures the uplink and down link ports for a...

Page 55: ...ped to each VLAN 177 IP Subnet 179 Add Maps IP subnet traffic to a VLAN 179 Show Shows IP subnet to VLAN mapping 179 MAC Based 181 Add Maps traffic with specified source MAC address to a VLAN 181 Show Shows source MAC address to VLAN mapping 181 Mirror 183 Add Mirrors traffic from one or more source VLANs to a target port 183 Show Shows mirror list 183 Translation 185 Add Maps VLAN IDs between the...

Page 56: ...Multiple Spanning Tree Algorithm 214 Configure Global 214 Add Configures initial VLAN and priority for an MST instance 214 Modify Configures the priority or an MST instance 214 Show Configures global settings for an MST instance 214 Add Member Adds VLAN members for an MST instance 214 Show Member Adds or deletes VLAN members for an MST instance 214 Show Information Displays MSTP values used for th...

Page 57: ...SCP mapping list 242 PHB to Queue 235 Add Maps internal per hop behavior values to hardware queues 235 Show Shows the PHB to Queue mapping list 235 DiffServ 245 Configure Class 246 Add Creates a class map for a type of traffic 246 Show Shows configured class maps 246 Modify Modifies the name of a class map 246 Add Rule Configures the criteria used to classify ingress traffic 246 Show Rule Shows th...

Page 58: ...onfigure Global Specifies the interval at which the local accounting service updates information to the accounting server 275 Configure Method 275 Add Configures accounting for various service types 275 Show Shows the accounting settings used for various service types 275 Configure Service Sets the accounting method applied to specific interfaces for 802 1X CLI command privilege levels for the con...

Page 59: ...nd the response i e send trap or shut down port 294 Configure MAC Filter 295 Add Specifies MAC addresses exempt from authentication 295 Show Shows the list of exempt MAC addresses 295 Show Information Shows the authenticated MAC address list 297 HTTPS Secure HTTP 299 Configure Global Enables HTTPs and specifies the UDP port to use 299 Copy Certificate Replaces the default secure site certificate 3...

Page 60: ... validation of additional address components and sets the log rate for packet inspection 331 Configure VLAN Enables ARP inspection on specified VLANs 333 Configure Interface Sets the trust mode for ports and sets the rate limit for packet inspection 335 Show Information 336 Show Statistics Displays statistics on the inspection process 336 Show Log Shows the inspection log list 337 IP Filter 338 Ad...

Page 61: ...nables IPv6 source guard and selects filter type per port 363 Static Binding 365 Add Adds a static addresses to the source guard binding table 365 Show Shows static addresses in the source guard binding table 365 Dynamic Binding Displays the source guard binding table for a selected interface 368 Administration 377 Log 378 System 378 Configure Global Stores error messages in local memory 378 Show ...

Page 62: ...B 411 Show View Shows configured SNMP v3 views 411 Add OID Subtree Specifies a part of the subtree for the selected view 411 Show OID Subtree Shows the subtrees assigned to each view 411 Configure Group 413 Add Adds a group with access policies for assigned users 413 Show Shows configured groups and access policies 413 Configure User Add Community Configures community strings and access mode 419 S...

Page 63: ...442 Show Details History Shows sampled data for each entry in the history group 439 Statistics Shows sampled data for each entry in the history group 442 Cluster 444 Configure Global Globally enables clustering for the switch sets Commander status 445 Configure Member Adds switch Members to the cluster 446 Show Member Shows cluster switch member managed switch members 448 ERPS Ethernet Ring Protec...

Page 64: ... a static list of remote MEPs for comparison against the MEPs learned through continuity check messages 492 Show Shows list of configured remote maintenance end points 492 Transmit Link Trace Sends link trace messages to isolate connectivity faults by tracing the path through a network to the designated target node 494 Transmit Loopback Sends loopback messages to isolate connectivity faults by req...

Page 65: ...mation Displays UDLD neighbor information including neighbor state expiration time and protocol intervals 523 IP 597 General Routing Interface Add Address Configures an IP interface for a VLAN 597 Show Address Shows the IP interfaces assigned to a VLAN 597 Ping Sends ICMP echo request packets to another node on the network 639 Trace Route Shows the route packets take to the specified destination 6...

Page 66: ...ion unit MTU cache for destinations that have returned an ICMP packet too big message along with an acceptable MTU to this switch 619 IP Service 621 DNS Domain Name Service 621 General 621 Configure Global Enables DNS lookup defines the default domain name appended to incomplete host names 621 Add Domain Name Defines a list of domain names that can be appended to incomplete host names 622 Show Dom...

Page 67: ...ached to a neighboring multicast router 532 Show Static Multicast Router Displays ports statically configured as attached to a neighboring multicast router 532 Show Current Multicast Router Displays ports attached to a neighboring multicast router either through static or dynamic configuration 532 IGMP Member 534 Add Static Member Statically assigns multicast addresses to the selected VLAN 534 Sho...

Page 68: ...ghboring multicast router 557 Show Current Multicast Router Displays ports attached to a neighboring multicast router either through static or dynamic configuration 557 MLD Member 559 Add Static Member Statically assigns multicast addresses to the selected VLAN 559 Show Static Member Shows multicast addresses statically configured on the selected VLAN 559 Show Current Member Shows multicast addres...

Page 69: ...igure Profile 583 Add Configures multicast stream addresses 583 Show Shows multicast stream addresses 583 Associate Profile 583 Add Maps an address profile to a domain 583 Show Shows addresses profile to domain mapping 583 Configure Interface ConfiguresMVR interfacetypeandimmediateleavemode alsodisplays MVR operational and active status 586 Configure Port Configures MVR attributes for a port 586 C...

Page 70: ...661 Add Imports external routing information from other routing domains that is protocols into the autonomous system 661 Show Shows the external routing information to be imported from other routing domains 661 Distance 663 Add Defines an administrative distance for external routes learned from other routing protocols 663 Show Shows the administrative distances assigned to external routes learned ...

Page 71: ...upgrade operating software or configuration files and set the system start up files Setting the System Clock Sets the current time manually or through specified NTP or SNTP servers Configuring the Console Port Sets console port connection parameters Configuring Telnet Settings Sets Telnet connection parameters Displaying CPU Utilization Displays information on CPU utilization Displaying Memory Uti...

Page 72: ... of device type System Object ID MIB II object ID for switch s network management subsystem System Up Time Length of time the management agent has been up System Name Name assigned to the switch system System Location Specifies the system location System Contact Administrator responsible for the system Web Interface To configure general system information 1 Click System General 2 Specify the syste...

Page 73: ...are Version Hardware version of the main board Main Power Status Displays the status of the internal power supply Redundant Power Status Displays the status of the redundant power supply Management Software Information Role Shows that this switch is operating as Master or Slave EPLD Version Version number of EEPROM Programmable Logic Device Loader Version Version number of loader code Diagnostics ...

Page 74: ...or trunks Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Usage Guidelines To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the netw...

Page 75: ...ticast Filtering Services This switch does not support the filtering of individual multicast addresses based on GMRP GARP Multicast Registration Protocol Traffic Classes This switch provides mapping of user priorities to multiple traffic classes Refer to Class of Service on page 231 Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses Refer to Settin...

Page 76: ... maximum number of VLANs supported on this switch Max Supported VLAN ID The maximum configurable VLAN identifier supported on this switch GMRP GARP Multicast Registration Protocol GMRP allows network devices to register end stations with multicast groups This switch does not support GMRP it uses the Internet Group Management Protocol IGMP to provide automatic multicast filtering Web Interface To v...

Page 77: ...ew file as the startup file Command Usage When logging into an FTP server the interface prompts for a user name and password configured on the remote server Note that Anonymous is set as the default user name The reset command will not be accepted during copy operations to flash memory Parameters The following parameters are displayed Copy Type The firmware copy operation includes these options FT...

Page 78: ...s limited only by available flash memory space Note The file Factory_Default_Config cfg can be copied to a file server or management station but cannot be used as the destination file name on the switch Web Interface To copy firmware files 1 Click System then File 2 Select Copy from the Action list 3 Select FTP Upload HTTP Upload or TFTP Upload as the file transfer method 4 If FTP or TFTP Upload i...

Page 79: ...e subsequently set as the startup file Parameters The following parameters are displayed Copy Type The copy operation includes this option Running Config Copies the current configuration settings to a local file on the switch Destination File Name Copy to the currently designated startup file or to a new file The file name should not contain slashes or the leading letter of the file name should no...

Page 80: ... the System Reset menu Setting the Start Up File Use the System File Set Start Up page to specify the firmware or configuration file to use for system initialization Web Interface To set a file to use for system initialization 1 Click System then File 2 Select Set Start Up from the Action list 3 Mark the operation code or configuration file to be used at startup 4 Then click Apply Figure 9 Setting...

Page 81: ... to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server After the file is transferred from the server and successfully written to the file system it is automatically set as the startup file and the switch is rebooted Usage Guidelines If this feature is enabled the switch searches the defined URL once during the bootup se...

Page 82: ...grade file is stored as Level1 L3lite bix or even level1 L3lite bix on a case sensitive server then the switch requesting level1 L3lite bix will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal A notable exception in the list of case sensitive Unix like operating systems is Mac OS X which by default is case insensitive Please che...

Page 83: ...structures are accepted The directory name must be separated from the host and in nested directory structures from the parent directory with a prepended forward slash The forward slash must be the last character of the URL ftp username password host filedir ftp Defines FTP protocol for the server connection username Defines the user name for the FTP connection If the user name is omitted then anon...

Page 84: ... password and file location options presented ftp 192 168 0 1 The user name and password are empty so anonymous will be the user name and the password will be blank The image file is in the FTP root directory ftp switches upgrade 192 168 0 1 The user name is switches and the password is upgrade The image file is in the FTP root ftp switches upgrade 192 168 0 1 switches opcode The user name is swit...

Page 85: ... restart Setting the System Clock Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a time server SNTP or NTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can also manually set the clock If the clock is not set manually or via SNTP the switch will only record t...

Page 86: ... switch Hours Sets the hour Range 0 23 Minutes Sets the minute value Range 0 59 Seconds Sets the second value Range 0 59 Month Sets the month Range 1 12 Day Sets the day of the month Range 1 31 Year Sets the year Range 1970 2037 Web Interface To manually set the system clock 1 Click System then Time 2 Select Configure General from the Step list 3 Select Manual from the Maintain Type list 4 Enter t...

Page 87: ...eb Interface To set the polling interval for SNTP 1 Click System then Time 2 Select Configure General from the Step list 3 Select SNTP from the Maintain Type list 4 Modify the polling interval if required 5 Click Apply Figure 13 Setting the Polling Interval for SNTP Configuring NTP Use the System Time Configure General NTP page to configure NTP authentication and show the polling interval at which...

Page 88: ...sts for a time update from NTP servers Fixed 1024 seconds Web Interface To set the clock maintenance type to NTP 1 Click System then Time 2 Select Configure General from the Step list 3 Select NTP from the Maintain Type list 4 Enable authentication if required 5 Click Apply Figure 14 Configuring NTP Configuring Time Servers Use the System Time Configure Time Server pages to specify the IP address ...

Page 89: ...5 Specifying SNTP Time Servers Specifying NTP Time Servers Use the System Time Configure Time Server Add NTP Server page to add the IP address for up to 50 NTP time servers Parameters The following parameters are displayed NTP Server IP Address Adds the IPv4 or IPv6 address for up to 50 time servers The switch will poll the specified time servers for updates when the clock maintenance type is set ...

Page 90: ...Range 1 65535 Web Interface To add an NTP time server to the server list 1 Click System then Time 2 Select Configure Time Server from the Step list 3 Select Add NTP Server from the Action list 4 Enter the IP address of an NTP time server and specify the index of the authentication key if authentication is required 5 Click Apply Figure 16 Adding an NTP Time Server To show the list of configured NTP...

Page 91: ...eys can be configured on the switch Range 1 65535 Key Context An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces NTP authentication key numbers and values must match on both the server and client Web Interface To add an entry to NTP authentication key list 1 Click System then Time 2 Select Configure Time Server from the Step list 3 S...

Page 92: ...e Parameters The following parameters are displayed Predefined Configuration A drop down box provides access to the 80 predefined time zone configurations Each choice indicates it s offset from UTC and lists at least one major city or location covered by the time zone User defined Configuration Allows the user to define all parameters of the local time zone Direction Configures the time zone to be...

Page 93: ...ters are displayed in the web interface General Configuration Summer Time in Effect Shows if the system time has been adjusted Status Shows if summer time is set to take effect during the specified period Name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters Mode Selects one of the following configuration modes The Mode option can only be managed when t...

Page 94: ...ne To specify a time corresponding to your local time when summer time is in effect you must indicate the number of minutes your summer time zone deviates from your regular time zone Offset Summer time offset from the regular time zone in minutes Range 1 120 minutes From Start time for summer time offset To End time for summer time offset Web Interface To specify summer time settings 1 Click SNTP ...

Page 95: ... timeout interval the connection is terminated for the session Range 10 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 60 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the numbe...

Page 96: ...ce connected to the serial port Range 9600 19200 38400 57600 or 115200 baud Default 115200 baud Note The password for the console connection can only be configured through the CLI see the password command in the CLI Reference Guide Note Password checking can be enabled or disabled for logging in to the console connection see the login command in the CLI Reference Guide You can select authenticatio...

Page 97: ...gin Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 10 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is termi...

Page 98: ...s required 3 Click Apply Figure 23 Telnet Connection Settings Displaying CPU Utilization Use the System CPU Utilization page to display information on CPU utilization Parameters The following parameters are displayed Time Interval The interval at which to update the displayed utilization rate Options 1 5 10 30 60 seconds Default 1 second CPU Utilization CPU utilization over specified interval Web ...

Page 99: ...ge to display memory utilization parameters Parameters The following parameters are displayed Free Size The amount of memory currently free for use Used Size The amount of memory allocated to active processes Total The total amount of system memory Web Interface To display memory utilization 1 Click System then Memory Status Figure 25 Displaying Memory Utilization ...

Page 100: ...utton page prior to rebooting the switch If the stack has not been initialized the master button must be disabled on all other units in the stack and those units rebooted If the stack has been initialized and this page is used to configure a new stack master then the master button on the old master unit must be disabled before rebooting the stack After the newly configured stack master has been re...

Page 101: ...hanges to the start up configuration file Parameters The following parameters are displayed Status Enables stacking on the 10G ports When the configured status is different from the current status the switch must be rebooted to activate the configured status Default Disabled Current Status Shows the currently effective status Stacking Up Port Shows the port which must be connected to next switch u...

Page 102: ... file maps configuration settings to each switch in the stack based on the unit identification number You should therefore remember to save the current configuration after renumbering the stack For a line topology the stack is numbered from top to bottom with the first unit in the stack designated at unit 1 For a ring topology the Master unit is taken as the top of the stack and is numbered as uni...

Page 103: ...t March 9 12 00 00 2012 Remaining Time 0 days 2 hours 46 minutes 5 seconds Reloading switch regularly time 12 00 everyday Refresh Refreshes reload information Changes made through the console or to system time may need to be refreshed to display the current settings Cancel Cancels the current settings shown in this field System Reload Configuration Reset Mode Restarts the switch immediately or at ...

Page 104: ...H The hour at which to reload Range 00 23 MM The minute at which to reload Range 00 59 Period Daily Every day Weekly Day of the week at which to reload Range Sunday Saturday Monthly Day of the month at which to reload Range 1 31 Web Interface To restart the switch 1 Click System then Reset 2 Select the required reset mode 3 For any option other than to reset immediately fill in the required parame...

Page 105: ...Chapter 3 Basic Management Tasks Resetting the System 105 Figure 29 Restarting the Switch Immediately Figure 30 Restarting the Switch In ...

Page 106: ...Chapter 3 Basic Management Tasks Resetting the System 106 Figure 31 Restarting the Switch At Figure 32 Restarting the Switch Regularly ...

Page 107: ...m Displaying Transceiver Data Displays identifying information and operational parameters for optical transceivers which support DDM Configuring Transceiver Thresholds Configures thresholds for alarm and warning messages for optical transceivers which support DDM Cable Test Performs cable diagnostics on the specified port Trunk Configuration Configures static or dynamic trunks Saving Power Adjusts...

Page 108: ...ndard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches The Speed Duplex mode is fixed at 1000full on 1000BASE SFP ports1 and 10Gfull on the 10GBASE SFP ports When auto negotiation is enabled the attributes which c...

Page 109: ...et by autonegotiation and the mode is fixed at Full Duplex Only applies to combination RJ 45 SFP ports 23 24 on the GEL 2882 Autonegotiation Port Capabilities Allows auto negotiation to be enabled disabled When auto negotiation is enabled you need to specify the capabilities to be advertised When auto negotiation is disabled you can force the settings for speed mode and flow control The following ...

Page 110: ...R SFP 10Gfull Speed Duplex Allows you to manually set the port speed and duplex mode i e with auto negotiation disabled Flow Control Allows automatic or manual selection of flow control Default Enabled Web Interface To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port List from the Action List 3 Modify the required interface settings 4 Click Apply Figur...

Page 111: ...lick Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter a range of ports to which your configuration changes apply 4 Modify the required interface settings 5 Click Apply Figure 34 Configuring Connections by Port Range Displaying Connection Status Use the Interface Port General Show Information page to display the current connection status including link state spee...

Page 112: ...k Interface Port General 2 Select Show Information from the Action List Figure 35 Displaying Port Information Configuring Local Port Mirroring Use the Interface Port Mirror page to mirror traffic from any source port to a target port for real time analysis You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusiv...

Page 113: ...d for mirroring of VLAN traffic or packets based on a MAC address the matching packets will not be sent to target port specified for port mirroring The destination port cannot be a trunk or trunk member port Note that Spanning Tree BPDU packets are not mirrored to the target port Parameters These parameters are displayed Source Port The port whose traffic will be monitored Target Port The port tha...

Page 114: ...rror traffic from remote switches for analysis at a destination port on the local switch This feature also called Remote Switched Port Analyzer RSPAN carries traffic generated on the specified source ports for each session over a user specified VLAN dedicated to that RSPAN session in all participating switches Monitored traffic from one or more sources is copied onto the RSPAN VLAN through IEEE 80...

Page 115: ...hen specify the source port s and the traffic type to monitor Rx Tx or Both 3 Set up all intermediate switches on the RSPAN configuration page entering the mirror session the switch s role Intermediate the RSPAN VLAN and the uplink port s 4 Set up the destination switch on the RSPAN configuration page by specifying the mirror session the switch s role Destination the destination port3 whether or n...

Page 116: ...n the RSPAN uplink ports IEEE 802 1X RSPAN and 802 1X are mutually exclusive functions When 802 1X is enabled globally RSPAN uplink ports cannot be configured even though RSPAN source and destination ports can still be configured When RSPAN uplink ports are enabled on the switch 802 1X cannot be enabled globally Port Security If port security is enabled on any port that port cannot be set as an RS...

Page 117: ... RSPAN VLAN Ports cannot be manually assigned to an RSPAN VLAN through the VLAN Static page Nor can GVRP dynamically add port members to an RSPAN VLAN Also note that the VLAN Static Show page will not display any members for an RSPAN VLAN but will only show configured RSPAN VLAN identifiers Type Specifies the traffic type to be mirrored remotely Options Rx Tx Both Destination Port Specifies the de...

Page 118: ... Interface Configuration Port Configuration 118 Figure 40 Configuring Remote Port Mirroring Source Figure 41 Configuring Remote Port Mirroring Intermediate Figure 42 Configuring Remote Port Mirroring Destination ...

Page 119: ...from being deliverable to a higher layer protocol Transmitted Errors The number of outbound packets that could not be transmitted because of errors Received Unicast Packets The number of subnetwork unicast packets delivered to a higher layer protocol Transmitted Unicast Packets The total number of packets that higher level protocols requested be transmitted to a subnetwork unicast address includin...

Page 120: ...unt of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check This count does not include frames received with frame too long or frame too short error SQE Test Errors A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface Carrier Sense Errors The number of times that the carrier s...

Page 121: ...ctets and were otherwise well formed 64 Bytes Packets The total number of packets including bad packets received and transmitted that were 64 octets in length excluding framing bits but including FCS octets 65 127 Byte Packets 128 255 Byte Packets 256 511 Byte Packets 512 1023 Byte Packets 1024 1518 Byte Packets 1519 1536 Byte Packets The total number of packets including bad packets received and ...

Page 122: ...how a chart of port statistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down list If All ports statistics mode is chosen select the statistics type to display ...

Page 123: ...to display identifying information and operational for optical transceivers which support Digital Diagnostic Monitoring DDM Parameters These parameters are displayed Port Port number General Information on connector type and vendor related parameters DDM Information Information on temperature supply voltage laser bias current laser power and received optical power ...

Page 124: ...tional parameters for optical transceivers 1 Click Interface Port Transceiver 2 Select a port from the scroll down list Figure 45 Displaying Transceiver Data Configuring Transceiver Thresholds Use the Interface Port Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring DDM This page also displays identifying inf...

Page 125: ...meters are supported High Alarm Sends an alarm message when the high threshold is crossed High Warning Sends a warning message when the high threshold is crossed Low Warning Sends a warning message when the low threshold is crossed Low Alarm Sends an alarm message when the low threshold is crossed The configurable ranges are Temperature 128 00 128 00 C Voltage 0 00 6 55 Volts Current 0 00 131 00 m...

Page 126: ...rface To configure threshold values for optical transceivers 1 Click Interface Port Transceiver 2 Select a port from the scroll down list 3 Set the switch to send a trap based on default or manual settings 4 Set alarm and warning thresholds if manual configuration is used 5 Click Apply Figure 46 Configuring Transceiver Thresholds Performing Cable Diagnostics Use the Interface Port Cable Test page ...

Page 127: ...rted This message is displayed for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps or for any 10G Ethernet ports Impedance mismatch Terminating impedance is not in the reference range Ports are linked down while running cable diagnostics Parameters These parameters are displayed Port Switch port identifier Type Displays media type GE Gigabit Ethernet Other SFP SFP Link Status ...

Page 128: ...ross the stack The switch supports both static trunking and dynamic Link Aggregation Control Protocol LACP Static trunks have to be manually configured at both ends of the link and the switches must comply with the Cisco EtherChannel standard On the other hand LACP configured ports can automatically negotiate a trunked link with LACP configured ports on another device You can configure any number ...

Page 129: ...oth ends of a connection must be configured as trunk ports When configuring static trunks on switches of different types they must be compatible with the Cisco EtherChannel standard The ports at both ends of a trunk must be configured in an identical manner including communication mode i e speed duplex mode and flow control VLAN assignments and CoS settings Any of the Gigabit ports on the front pa...

Page 130: ... the ports and also disconnect the ports before removing a static trunk via the configuration interface Parameters These parameters are displayed Trunk ID Trunk identifier Range 1 16 Member The initial trunk member Use the Add Member page to configure additional members Unit Unit identifier Range 1 Port Port identifier Range 1 28 Web Interface To create a static trunk 1 Click Interface Trunk Stati...

Page 131: ... port for an additional trunk member 6 Click Apply Figure 50 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click Interface Trunk Static 2 Select Configure General from the Step list 3 Select Configure from the Action list 4 Modify the required interface settings Refer to Configuring by Port List on page 108 for a description of the parameters 5 Click Apply Fi...

Page 132: ... Dynamic Trunks Command Usage To avoid creating a loop in the network be sure you enable LACP before connecting the ports and also disconnect the ports before disabling LACP If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID If more than ...

Page 133: ...e Configure Aggregation Port Actor Partner used by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 If the port channel admin key is set to a non default value the operational key is based upon LACP PDUs received from the partner and the channel admin key is reset to the default value The trunk identifier will also be changed by...

Page 134: ...ational key is determined by the port s link speed 1000f 4 100f 3 10f 2 and copied to the admin key System Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 System priority is combined with the switch s MAC address to form the LAG identifier This identifier is us...

Page 135: ...The command attributes have the same meaning as those used for the port actor Web Interface To configure the admin key for a dynamic trunk 1 Click Interface Trunk Dynamic 2 Select Configure Aggregator from the Step list 3 Set the Admin Key and timeout mode for the required LACP group 4 Click Apply Figure 54 Configuring the LACP Aggregator Admin Key To enable LACP for a port 1 Click Interface Trunk...

Page 136: ...elect Configure Aggregation Port from the Step list 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply Figure 56 Configuring LACP Parameters on a Port To show the active members of a dynamic trunk 1 Click Interface Trunk Dynamic 2 Select Configure Trunk from the Step list 3 Select Show Member from the Action list ...

Page 137: ...arameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2 Select Configure Trunk from the Step list 3 Select Configure from the Action list 4 Modify the required interface settings See Configuring by Port List on page 108 for a description of the interface settings 5 Click Apply Figure 58 Configuring Connection Settings for a Dynamic Trunk ...

Page 138: ...p list 3 Select Show Information from the Action list 4 Click Counters Table 7 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by thi...

Page 139: ...d LACPDU information Admin State Oper State Administrative or operational values of the actor s state parameters Expired The actor s receive machine is in the expired state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distributio...

Page 140: ...list 4 Click Internal 5 Select a group member from the Port list Figure 61 Displaying LACP Port Internal Information Aggregation The system considers this link to be aggregatable i e a potential candidate for aggregation Long timeout Periodic transmission of LACPDUs uses a slow transmission rate LACP Activity Activity control value with regard to this link 0 Passive 1 Active Table 8 LACP Internal ...

Page 141: ...meter Description Partner Admin System ID LAG partner s system ID assigned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Cur...

Page 142: ...his mode works best for switch to router trunk links where traffic through the switch is destined for many different hosts Do not use this mode for switch to server trunk links where the destination IP address is the same for all traffic Destination MAC Address All traffic with the same destination MAC address is output on the same link in a trunk This mode works best for switch to switch trunk li...

Page 143: ...k This mode works best for switch to switch trunk links where traffic through the switch is received from many different hosts Parameters These parameters are displayed for the load balance mode Destination IP Address Load balancing based on destination IP address Destination MAC Address Load balancing based on destination MAC address Source and Destination IP Address Load balancing based on sourc...

Page 144: ...ry entering Sleep Mode In this mode the low power energy detection circuit continuously checks for energy on the cable If none is detected the MAC interface is also powered down to save additional energy If energy is detected the switch immediately turns on both the transmitter and receiver functions and powers up the MAC interface Power saving when there is a link partner Traditional Ethernet con...

Page 145: ...ength of the cable used to connect to other devices Only sufficient power is used to maintain connection requirements Default Enabled on Gigabit Ethernet RJ 45 ports Web Interface To enable power savings 1 Click Interface Green Ethernet 2 Mark the Enabled check box for a port 3 Click Apply Figure 64 Enabling Power Savings ...

Page 146: ...plink ports used by other clients allowing different clients to share access to their uplink ports where security is less likely to be compromised Enabling Traffic Segmentation Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation Parameters These parameters are displayed Status Enables port based traffic segmentation Default Disabled Uplink to Uplink Mode Spe...

Page 147: ...panning tree protocol A port cannot be configured in both an uplink and downlink list A port can only be assigned to one traffic segmentation session A downlink port can only communicate with an uplink port in the same session Therefore if an uplink port is not configured for a session the assigned downlink ports will not be able to communicate with any other ports Table 10 Traffic Segmentation Fo...

Page 148: ...ng the direction to uplink or downlink Default Uplink Interface Displays a list of ports or trunks Port Port Identifier Range 1 28 Trunk Trunk Identifier Range 1 16 Web Interface To configure the members of the traffic segmentation group 1 Click Interface Traffic Segmentation 2 Select Configure Session from the Step list 3 Select Add from the Action list 4 Enter the session ID set the direction to...

Page 149: ...e or more intermediate switches which pass traffic for VLAN groups to which they do not belong The following figure shows VLANs 1 and 2 configured on switches A and B with VLAN trunking being used to pass traffic for these VLAN groups across switches C D and E Figure 68 Configuring VLAN Trunking Without VLAN trunking you would have to configure VLANs 1 and 2 on all intermediate switches C D and E ...

Page 150: ...ding on the selected STA mode If both VLAN trunking and ingress filtering are disabled on an interface packets with unknown VLAN tags will still be allowed to enter this interface and will be flooded to all other ports where VLAN trunking is enabled In other words VLAN trunking will still be effectively enabled for the unknown VLAN Parameters These parameters are displayed Interface Displays a lis...

Page 151: ...Chapter 4 Interface Configuration VLAN Trunking 151 Figure 69 Configuring VLAN Trunking ...

Page 152: ...Chapter 4 Interface Configuration VLAN Trunking 152 ...

Page 153: ...service provider IEEE 802 1Q VLANs In large networks routers are used to isolate broadcast traffic for each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffic to the originating group and can eliminate broadcast storms in large networks This also provide...

Page 154: ...riority tagging Assigning Ports to VLANs Before enabling VLANs for the switch you must first assign each port to the VLAN group s in which it will participate By default all ports are assigned to VLAN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLAN...

Page 155: ...to fully automate VLAN registration Automatic VLAN Registration GVRP GARP VLAN Registration Protocol defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join ...

Page 156: ...ort on the switch is therefore capable of passing tagged or untagged frames When forwarding a frame from this switch along a path that contains any VLAN aware devices the switch should include VLAN tags When forwarding a frame from this switch along a path that does not contain any VLAN aware devices including the destination host the switch must first strip off the VLAN tag before forwarding the ...

Page 157: ...atus Enables or disables the specified VLAN L3 Interface Sets the interface to support Layer 3 configuration and reserves memory space required to maintain additional information about this interface type This parameter must be enabled before you can assign an IP address to a VLAN see Setting the Switch s IP Address IP Version 4 on page 597 Show VLAN ID ID of configured VLAN VLAN Name Name of the ...

Page 158: ... Figure 72 Creating Static VLANs To modify the configuration settings for VLAN groups 1 Click VLAN Static 2 Select Modify from the Action list 3 Select the identifier of a configured VLAN 4 Modify the VLAN name or operational status as required 5 Enable the L3 Interface field to specify that a VLAN will be used as a Layer 3 interface 6 Click Apply Figure 73 Modifying Settings for Static VLANs ...

Page 159: ... ports as tagged if they are connected to 802 1Q VLAN compliant devices or untagged they are not connected to any VLAN aware devices Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol Parameters These parameters are displayed Edit Member by VLAN VLAN ID of configured VLAN 1 4094 Interface Displays a list of ports or trunks Port Port ...

Page 160: ...ember Default Disabled Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member these frames will be flooded to all other ports except for those VLANs explicitly forbidden on this port If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member these frames wil...

Page 161: ...nder the earlier section for Edit Member by VLAN except for the items shown below Port Range Displays a list of ports Range 1 28 Trunk Range Displays a list of ports Range 1 16 Note The PVID acceptable frame type and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page Web Interface To confi...

Page 162: ...s by VLAN Index To configure static members by interface 1 Click VLAN Static 2 Select Edit Member by Interface from the Action list 3 Select a port or trunk configure 4 Modify the settings for any interface as required 5 Click Apply Figure 76 Configuring Static VLAN Members by Interface ...

Page 163: ...terface page 6 Click Apply Figure 77 Configuring Static VLAN Members by Interface Range Configuring Dynamic VLAN Registration Use the VLAN Dynamic page to enable GVRP globally on the switch or to enable GVRP and adjust the protocol timers per interface Parameters These parameters are displayed Configure General GVRP Status GVRP defines a way for switches to exchange VLAN information in order to re...

Page 164: ...erval a port waits before leaving a VLAN group This time should be set to more than twice the join time This ensures that after a Leave or LeaveAll message has been issued the applicants can rejoin before the port actually leaves the group Range 60 3000 centiseconds Default 60 centiseconds LeaveAll The interval between sending out a LeaveAll query message for VLAN group participants and the port l...

Page 165: ...Enable or disable GVRP 4 Click Apply Figure 78 Configuring Global Status of GVRP To configure GVRP status and timers on a port or trunk 1 Click VLAN Dynamic 2 Select Configure Interface from the Step list 3 Set the Interface type to display as Port or Trunk 4 Modify the GVRP status or timers for any interface 5 Click Apply Figure 79 Configuring GVRP for an Interface ...

Page 166: ... VLAN Members from the Action list Figure 81 Showing the Members of a Dynamic VLAN IEEE 802 1Q Tunneling IEEE 802 1Q Tunneling QinQ is designed for service providers carrying traffic for multiple customers across their networks QinQ tunneling is used to maintain customer specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs This is accomplis...

Page 167: ... network Each customer requires a separate SPVLAN but this VLAN supports all of the customer s internal VLANs The QinQ tunnel uplink port that passes traffic from the edge switch into the service provider s metro network must also be added to this SPVLAN The uplink port can be added to multiple SPVLANs to carry inbound traffic for different customers onto the service provider s network When a doub...

Page 168: ...After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is untagged the outer tag is an SPVLAN tag and the inner tag is a dummy tag 8100 0000 If the incoming packet is tagged the outer tag is an SPVLAN tag and the inner tag is a CVLAN tag 3 After packet classification through the switching process the packet ...

Page 169: ...ated as a double tagged packet If a single tagged packet has 0x8100 as its TPID and port TPID is not 0x8100 a new VLAN tag is added and it is also treated as double tagged packet 5 If the destination address lookup fails the packet is sent to all member ports of the outer tag s VLAN 6 After packet classification the packet is written to memory for processing as a single tagged or double tagged pac...

Page 170: ...inQ tunnel access port to Access mode see Adding an Interface to a QinQ Tunnel on page 173 4 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member see Adding Static Members to VLANs on page 159 5 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port see Adding Static Members to VLANs on page 159 6 Configure the QinQ tunnel uplink port to Uplink mode see ...

Page 171: ...ntaining any other ethertype are looked upon as untagged frames and assigned to the native VLAN of that port The specified ethertype only applies to ports configured in Uplink mode see Adding an Interface to a QinQ Tunnel on page 173 If the port is in normal mode the TPID is always 8100 If the port is in Access mode received packets are processes as untagged packets Avoid using well known ethertyp...

Page 172: ...her than relying on standard service paths and priority queuing QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider s network for traffic arriving from specified inbound customer VLANs Note that all customer interfaces should be configured as access interfaces that is a user to network interface and ser...

Page 173: ...ot1q tunnel service match cvid command in the CLI Reference Guide Adding an Interface to a QinQ Tunnel Follow the guidelines under Enabling QinQ Tunneling on the Switch in the preceding section to set up a QinQ tunnel on the switch Then use the VLAN Tunnel Configure Interface page to set the tunnel mode for any participating interface Command Usage Use the Configure Global page to set the switch t...

Page 174: ...AN membership mode of the port None The port operates in its normal VLAN mode This is the default Access Configures QinQ tunneling for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network Uplink Configures QinQ tunneling for an uplink port to another device within the service provider network Web Interface To add an interface to a QinQ ...

Page 175: ...nfiguring VLAN Groups on page 156 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the Configure Protocol Add page 3 Then map the protocol for each interface to the appropriate VLAN using the Configure Interface Add...

Page 176: ...ing Protocol VLAN rule via the console Alternately the switch can be power cycled however all unsaved configuration changes will be lost Web Interface To configure a protocol group 1 Click VLAN Protocol 2 Select Configure Protocol from the Step list 3 Select Add from the Action list 4 Select an entry from the Frame Type list 5 Select an entry from the Protocol Type list 6 Enter an identifier for t...

Page 177: ...n a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the...

Page 178: ...t 3 Select Add from the Action list 4 Select a port or trunk 5 Enter the identifier for a protocol group 6 Enter the corresponding VLAN to which the protocol traffic will be forwarded 7 Set the priority to assign to untagged ingress frames 8 Click Apply Figure 89 Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk 1 Click VLAN Protocol 2 Select Configure In...

Page 179: ...eiving port s VLAN ID PVID Command Usage Each IP subnet can be mapped to only one VLAN ID An IP subnet consists of an IP address and a mask The specified VLAN need not be an existing VLAN When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping ...

Page 180: ...subnet to a VLAN 1 Click VLAN IP Subnet 2 Select Add from the Action list 3 Enter an address in the IP Address field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the Priority field 7 Click Apply Figure 91 Configuring IP Subnet VLANs To show the configured ...

Page 181: ...an be mapped to only one VLAN ID Configured MAC addresses cannot be broadcast or multicast addresses When MAC based IP subnet based or protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last Parameters These parameters are displayed MAC Address A source MAC address which is to be mapped to a specific VLAN The MAC address must be specified...

Page 182: ...the highest priority Default 0 Web Interface To map a MAC address to a VLAN 1 Click VLAN MAC Based 2 Select Add from the Action list 3 Enter an address in the MAC Address field and a mask to indicate a range of addresses if required 4 Enter an identifier in the VLAN field Note that the specified VLAN need not already be configured 5 Enter a value to assign to untagged frames in the Priority field ...

Page 183: ... enabled they must use the same target port When VLAN mirroring and port mirroring are both enabled the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and can become congested Some mirror traffic may therefore be dropped from the target port When mirroring VLAN...

Page 184: ... port that receives the mirrored traffic from the source VLAN Range 1 28 Web Interface To configure VLAN mirroring 1 Click VLAN Mirror 2 Select Add from the Action list 3 Select the source VLAN and select a target port 4 Click Apply Figure 95 Configuring VLAN Mirroring To show the VLANs to be mirrored 1 Click VLAN Mirror 2 Select Show from the Action list Figure 96 Showing the VLANs to Mirror ...

Page 185: ...Port 1 and set the Old VLAN to 10 and the New VLAN to 100 to map VLAN 10 to VLAN 100 for upstream traffic entering port 1 and VLAN 100 to VLAN 10 for downstream traffic leaving port 1 as shown below Figure 97 Configuring VLAN Translation The maximum number of VLAN translation entries is 8 per port and up to 96 for the system However note that configuring a large number of entries may degrade the p...

Page 186: ...lation 2 Select Add from the Action list 3 Select a port and enter the original and new VLAN IDs 4 Click Apply Figure 98 Configuring VLAN Translation To show the mapping entries for VLANs translation 1 Click VLAN Translation 2 Select Show from the Action list 3 Select a port Figure 99 Showing the Entries for VLAN Translation ...

Page 187: ... a target port MAC Notification Traps Issue trap when a dynamic MAC address is added or removed Configuring MAC Address Learning Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface Command Usage When MAC address learning is disabled the switch immediately stops learning new MAC addresses on the specified interface Only incoming traffic with source add...

Page 188: ...ity Status see Configuring Port Security on page 340 is enabled on the same interface Parameters These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1 28 Trunk Trunk Identifier Range 1 16 Status The status of MAC address learning Default Enabled Web Interface To enable or disable MAC address learning 1 Click MAC Address Learning Status 2 Set the l...

Page 189: ... not be written to the address table Static addresses will not be removed from the address table when a given interface link is down A static address cannot be learned on another port until the address is removed from the table Parameters These parameters are displayed Add Static Address VLAN ID of configured VLAN Range 1 4094 Interface Port or trunk associated with the device assigned a static ad...

Page 190: ...m the Action list 3 Specify the VLAN the port or trunk to which the address will be assigned the MAC address and the time to retain this entry 4 Click Apply Figure 101 Configuring Static MAC Addresses To show the static addresses in MAC address table 1 Click MAC Address Static 2 Select Show from the Action list Figure 102 Displaying Static MAC Addresses ...

Page 191: ...eb Interface To set the aging time for entries in the dynamic address table 1 Click MAC Address Dynamic 2 Select Configure Aging from the Action list 3 Modify the aging status if required 4 Specify a new aging time 5 Click Apply Figure 103 Setting the Address Aging Time Displaying the Dynamic Address Table Use the MAC Address Dynamic Show Dynamic MAC page to display the MAC addresses learned by mo...

Page 192: ...terface Indicates a port or trunk Type Shows that the entries in this table are learned Values Learned or Security the last of which indicates Port Security Life Time Shows the time to retain the specified address Web Interface To show the dynamic address table 1 Click MAC Address Dynamic 2 Select Show Dynamic MAC from the Action list 3 Select the Sort Key MAC Address VLAN or Interface 4 Enter the...

Page 193: ...tries for a specific MAC address all the entries in a VLAN or all the entries associated with a port or trunk Web Interface To clear the entries in the dynamic address table 1 Click MAC Address Dynamic 2 Select Clear Dynamic MAC from the Action list 3 Select the method by which to clear the entries i e All MAC Address VLAN or Interface 4 Enter information in the additional fields required for clea...

Page 194: ...ffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning Tree Algorithm on page 197 When mirroring VLAN traffic see Configuring VLAN Mirroring on page 183 or packets based on a source MAC address the target port cannot be set to the same target ports as that used for port mirroring see Configuring Local Port Mirroring on page 112 When traffic matches t...

Page 195: ...tion pages to send SNMP traps i e SNMP notifications when a dynamic MAC address is added or removed Parameters These parameters are displayed Configure Global MAC Notification Traps Issues a trap when a dynamic MAC address is added or removed Default Disabled MAC Notification Trap Interval Specifies the interval between issuing two consecutive traps Range 1 3600 seconds Default 1 second Configure ...

Page 196: ...ation 2 Select Configure Global from the Step list 3 Configure MAC notification traps and the transmission interval 4 Click Apply Figure 108 Issuing MAC Address Traps Global Configuration To enable MAC address traps at the interface level 1 Click MAC Address MAC Notification 2 Select Configure Interface from the Step list 3 Enable MAC notification traps for the required ports 4 Click Apply Figure ...

Page 197: ...network and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Protocol IEEE 802 1D RSTP Rapid Spanning Tree Protocol IEEE 802 1w MSTP Multiple Spanning Tree Protocol IEEE 802 1s STP STP uses a distributed algorithm to select a bridging device STP compliant switch bridge or ...

Page 198: ...sed when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to maintain a stable path between all VLAN members Frequent changes in the tree structure can easily isolate some of the group members MSTP which is based on RSTP for fast convergence is designed to su...

Page 199: ...MSTI tree to maintain connectivity among each of the VLANs MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree CST Configuring Loopback Detection Use the Spanning Tree Loopback Detection page to configure loopback detection on an interface When loopback detection is enabled and a port or trunk receives it s own BPDU the detect...

Page 200: ...leased from discard mode This is only available if the interface is configured for manual release mode Action Sets the response for loopback detection to block user traffic or shut down the interface Default Block Shutdown Interval The duration to shut down the interface Range 60 86400 seconds Default 60 seconds If an interface is shut down due to a detected loopback and the release mode is set to...

Page 201: ... VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol5 RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU i e STP BPDU after a port s migration delay timer expires the switch assumes it...

Page 202: ...rotocol IEEE 802 1D i e when this option is selected the switch will use RSTP set to STP forced compatibility mode RSTP Rapid Spanning Tree IEEE 802 1w RSTP is the default MSTP Multiple Spanning Tree IEEE 802 1s Priority Bridge priority is used in selecting the root device root port and designated port The device with the highest priority becomes the STA root device However if all devices have the...

Page 203: ...1 65535 Transmission Limit The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages Range 1 10 Default 3 When the Switch Becomes Root Hello Time Interval in seconds at which the root device transmits a configuration message Default 2 Minimum 1 Maximum The lower of 10 or Max Message Age 2 1 Maximum Age The maximum...

Page 204: ...umber of MSTP instances to which this switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision6 The revision for this MSTI Range 0 65535 Default 0 Region Name6 The name for this MSTI Maximum length 32 characters Default switch s MAC address Max Hop Count The maxim...

Page 205: ...Chapter 7 Spanning Tree Algorithm Configuring Global Settings for STA 205 5 Click Apply Figure 114 Configuring Global Settings for STA STP Figure 115 Configuring Global Settings for STA RSTP ...

Page 206: ...the preceding section except for the following items Bridge ID A unique identifier for this bridge consisting of the bridge priority the MST Instance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the address is taken from the switch system Designated Root The priority and MAC address of the device in the Spanning Tree that this switch has accepted a...

Page 207: ...re Global from the Step list 3 Select Show Information from the Action list Figure 117 Displaying Global Settings for STA Configuring Interface Settings for STA Use the Spanning Tree STA Configure Interface Configure page to configure RSTP and MSTP attributes for specific interfaces including port priority path cost link type and edge port You may use a different priority or path cost for ports of...

Page 208: ... 240 in steps of 16 Admin Path Cost This parameter is used by the STA to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost takes precedence over port priority Range 0 for auto configuration 1 65535 for the short path cost method7 1 200 000 000 for the long pat...

Page 209: ... just by changing its path cost on SW3 For RSTP mode the root port can be determined simply by adjusting the path cost of i1 on SW2 However for MSTP mode it is impossible to achieve this only by changing the path cost because external path cost is not added in the same region and the regional root for i1 is SW1 but for i2 is SW2 Admin Link Type The link type attached to this interface Point to Poi...

Page 210: ...interface cannot function as an edge port until the loopback state is released If an interface is in forwarding state and its role changes the interface cannot continue to function as an edge port even if the edge delay time has expired If the port does not receive any BPDUs after the edge delay timer expires its role changes to designated port and it immediately enters forwarding state see Displa...

Page 211: ...e port is set to enabled or auto Migration If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the Protocol Migration button to manually re check the appropriate BPDU format RSTP or STP compatible to send on the selected interfaces Default Di...

Page 212: ... Port forwards packets and continues learning addresses The rules defining port status are A port on a network segment with no other STA compliant bridging device is always forwarding If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding ...

Page 213: ...logy that is the best port connecting a non root bridge to the root bridge i e root port connecting a LAN through the bridge to the root bridge i e designated port is the MSTI regional root i e master port or is an alternate or backup port that may provide connectivity if other bridges bridge ports or LANs fail or are removed The role is set to disabled i e disabled port if a port has no role with...

Page 214: ...affic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MST Instance 0 that connects all bridges and LANs within the MST region This switch supports up to 33 instances You should try to group VLANs which cover the same gener...

Page 215: ...rameters are displayed MST ID Instance identifier to configure Range 0 4094 VLAN ID VLAN to assign to this MST instance Range 1 4094 Priority The priority of a spanning tree instance Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Default 32768 Web Interface To create instances for MSTP 1 Click Spanning Tree MSTP 2 Se...

Page 216: ...guring Multiple Spanning Trees 216 Figure 122 Creating an MST Instance To show the MSTP instances 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show from the Action list Figure 123 Displaying MST Instances ...

Page 217: ...he priority for an MSTP Instance 5 Click Apply Figure 124 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show Information from the Action list 4 Select an MST ID The attributes displayed on this page are described under Displaying Global Settings for STA on page 206 Figure 125 Displayin...

Page 218: ...lect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 126 Adding a VLAN to an MST Instance To show the VLAN members of an MSTP instance 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show Member from the Action list Figur...

Page 219: ... same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin MST...

Page 220: ...rface from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 128 Configuring MSTP Interface Settings To display MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Show Information from the Action list Figure 129 Displaying MSTP Interface Settings ...

Page 221: ...tion allows the network manager to control the maximum rate for traffic received or transmitted on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network Packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the...

Page 222: ...igned or properly configured If there is too much traffic on your network performance can be severely degraded or everything can come to complete halt You can protect your network from traffic storms by setting a threshold for broadcast multicast or unknown unicast traffic Any packets exceeding the specified threshold will then be dropped Command Usage Broadcast Storm Control is enabled by default...

Page 223: ...Indicates the port type 1000BASE T 10GBASE SFP or 1000BASE SFP used in the GTL 2882 or when this transceiver type is used in an SFP port Unknown Unicast Specifies storm control for unknown unicast traffic Multicast Specifies storm control for multicast traffic Broadcast Specifies storm control for broadcast traffic Status Enables or disables storm control Default Enabled for broadcast storm contro...

Page 224: ...adcast or multicast traffic The control response for either of these traffic types is the same as shown in the following diagrams Figure 132 Storm Control by Limiting the Traffic Rate The key elements of this diagram are described below Alarm Fire Threshold The highest acceptable traffic rate When ingress traffic exceeds the threshold ATC sends a Storm Alarm Fire Trap and logs it When traffic exce...

Page 225: ...e the same as that described in the preceding diagram except that automatic release of the control response is not provided When traffic control is applied you must manually re enable the port Functional Limitations Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using Port Broadcast Control or Port Multicast Control as descr...

Page 226: ...ds Broadcast Release Timer The time at which to release the control response after ingress traffic has fallen beneath the lower threshold for broadcast storms Range 1 900 seconds Default 900 seconds Multicast Apply Timer The interval after the upper threshold has been exceeded at which to apply the control response to multicast storms Range 1 300 seconds Default 300 seconds Multicast Release Timer...

Page 227: ...larm Clear Threshold Rate limiting is discontinued only after the traffic rate has fallen beneath the Alarm Clear Threshold lower threshold and the release timer has expired This is the default response Shutdown The port is administratively disabled A port disabled by automatic traffic control can only be manually re enabled using the Manual Control Release attribute Auto Release Control Automatic...

Page 228: ... Sends a trap when traffic exceeds the upper threshold for automatic storm control Default Disabled Trap Storm Clear Sends a trap when traffic falls beneath the lower threshold after a storm control response has been triggered Default Disabled Trap Traffic Apply Sends a trap when traffic exceeds the upper threshold for automatic storm control and the apply timer expires Default Disabled Trap Traff...

Page 229: ...Chapter 8 Congestion Control Automatic Traffic Control 229 Figure 135 Configuring ATC Interface Attributes ...

Page 230: ...Chapter 8 Congestion Control Automatic Traffic Control 230 ...

Page 231: ...gs This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags to queues Setting the Default Priority for Interfaces Use the Traffic Priority Default Priority page to specify the default port priority for each interface on the switch All untagged packets entering the switch are tagged with ...

Page 232: ...etting the Default Port Priority Selecting the Queue Mode Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before the lower priority queues are serviced or Weighted Round Robin WRR queuing which specifies a schedulin...

Page 233: ...ied queue mode applies to all interfaces Parameters These parameters are displayed Queue Mode Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower priority queues This ensures that the highest priority packets are always serviced first ahead of all other traffic WRR Weighted Round Robin shares bandwidth at the egress po...

Page 234: ...weighted queue mode is selected the queue weight can be modified if required 4 If the queue mode that uses a combination of strict and weighted queueing is selected the queues which are serviced first must be specified by enabling strict mode parameter in the table 5 Click Apply Figure 137 Setting the Queue Mode Strict Figure 138 Setting the Queue Mode WRR ...

Page 235: ...f Service CoS priority tagged traffic by using eight priority queues for each port with service schedules based on strict priority Weighted Round Robin WRR or a combination of strict and weighted queuing Up to eight separate traffic priorities are defined in IEEE 802 1p Default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown in Table 13 The following ...

Page 236: ...ameters are displayed Port Specifies a port PHB Per hop behavior or the priority used for this router hop Range 0 7 where 7 is the highest priority Queue Output queue buffer Range 0 7 where 7 is the highest CoS priority queue Web Interface To map internal PHB to hardware queues 1 Click Traffic Priority PHB to Queue 2 Select Configure from the Action list Table 14 CoS Priority Levels Priority Level...

Page 237: ...lue and the assigned output queue the mapping done on this page can effectively determine the service priority for different traffic classes 5 Click Apply Figure 140 Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map 1 Click Traffic Priority PHB to Queue 2 Select Show from the Action list 3 Select a port Figure 141 Showing CoS Values to Egress Queue Mapping ...

Page 238: ...lues are used to determine the hardware queues used for egress traffic not to replace the priority values These defaults are designed to optimize priority services for the majority of network applications It should not be necessary to modify any of the default settings unless a queuing problem occurs with a particular application Setting Priority Processing to DSCP or CoS The switch allows a choic...

Page 239: ...y DSCP to DSCP page to map DSCP values in incoming packets to per hop behavior and drop precedence values for internal priority processing The DSCP is six bits wide allowing coding for up to 64 different forwarding behaviors The DSCP replaces the ToS bits but it retains backward compatibility with the three precedence bits so that non DSCP compliant ToS enabled devices will not conflict with the D...

Page 240: ...lling traffic congestion Range 0 Green 3 Yellow 1 Red Table 16 Default Mapping of DSCP Values to Internal PHB Drop Values ingress dscp1 ingress dscp10 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2 0 2 1 2 0 2 3 2 2 0 2 1 2 0 2 3 3 0 3 1 3 0 3 3 3 0 3 1 3 3 0 3 3 4 0 4 1 4 0 4 3 4 0 4 1 4 0 4 3 4 5 0 5 1 5 0 5 3 5 0 5 1 6 0 5 3 6 0 6 1 5 6 0 6 3 6 0 6 1 6...

Page 241: ... Select Configure from the Action list 3 Select a port 4 Set the PHB and drop precedence for any DSCP value 5 Click Apply Figure 143 Configuring DSCP to DSCP Internal Mapping To show the DSCP to internal PHB drop precedence map 1 Click Traffic Priority DSCP to DSCP 2 Select Show from the Action list 3 Select a port Figure 144 Showing DSCP to DSCP Internal Mapping ...

Page 242: ...the original packet are not modified by this command The internal DSCP consists of three bits for per hop behavior PHB which determines the queue to which a packet is sent and two bits for drop precedence namely color which is used to control traffic congestion Parameters These parameters are displayed Port Specifies a port CoS CoS value in ingress packets Range 0 7 CFI Canonical Format Indicator ...

Page 243: ...ap CoS CFI values to internal PHB drop precedence 1 Click Traffic Priority CoS to DSCP 2 Select Configure from the Action list 3 Select a port 4 Set the PHB and drop precedence for any of the CoS CFI combinations 5 Click Apply Figure 145 Configuring CoS to DSCP Internal Mapping ...

Page 244: ...ce Layer 3 4 Priority Settings 244 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list 3 Select a port Figure 146 Showing CoS to DSCP Internal Mapping ...

Page 245: ...cies different kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the p...

Page 246: ...he policy rule can also be configured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a policy map to a specific interface Note Up to 200 classes can be included in a policy map Configuring a Class Map A class map is used for matching packets to a specif...

Page 247: ...L can be specified including standard or extended IPv4 IPv6 ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSCP A DSCP value contained in an IPv6 packet Range 0 63 VLAN ID A VLAN Range 1 4094 CoS A CoS value Range 0 7 Source Port A source port Range 1 28 Web Interface To configure a class map 1 Click Traffic DiffServ 2 Select Configure Class f...

Page 248: ...st Figure 148 Showing Class Maps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of traffic for this class based on an access list DSCP or IP Precedence value VLAN CoS value or source port You can specify up to 16 items to match when assigning ingress traffi...

Page 249: ... a Class Map 249 Figure 149 Adding Rules to a Class Map To show the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Show Rule from the Action list Figure 150 Showing the Rules for a Class Map ...

Page 250: ...committed burst size burst rate and the action to take for conforming and non conforming traffic Policing is based on a token bucket where bucket depth that is the maximum burst before the bucket overflows is specified by the burst field BC and the average rate tokens are removed from the bucket is specified by the rate option CIR Action may be taken for traffic conforming to the maximum throughpu...

Page 251: ...d Tc is decremented by B down to the minimum value of 0 else if Te t B 0 the packets is yellow and Te is decremented by B down to the minimum value of 0 else the packet is red and neither Tc nor Te is decremented When a packet of size B bytes arrives at time t the following happens if srTCM is configured to operate in Color Aware mode If the packet has been precolored as green and Tc t B 0 the pac...

Page 252: ...havior of the meter is specified in terms of its mode and two token buckets P and C which are based on the rates PIR and CIR respectively The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC The token buckets P and C are initially at time 0 full that is the token count Tp 0 BP and the token count Tc 0 BC Thereafter the token count Tp is incremented by one P...

Page 253: ... packets The PHB label is composed of five bits three bits for per hop behavior and two bits for the color scheme used to control queue congestion with the srTCM and trTCM metering functions Set CoS Configures the service provided to ingress traffic by setting an internal CoS value for a matching packet as specified in rule settings for a class map Range 0 7 See Table 17 Default Mapping of CoS CFI...

Page 254: ...ervice level Violate Specifies whether the traffic that exceeds the maximum rate CIR will be dropped or the DSCP service level will be reduced Set IP DSCP Decreases DSCP priority for out of conformance traffic Range 0 63 Drop Drops out of conformance traffic srTCM Police Meter Defines the committed information rate CIR or maximum throughput committed burst size BC or burst rate and excess burst si...

Page 255: ...el will be reduced Set IP DSCP Decreases DSCP priority for out of conformance traffic Range 0 63 Drop Drops out of conformance traffic trTCM Police Meter Defines the committed information rate CIR or maximum throughput peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP and the action to take for traffic conforming to the maximum ...

Page 256: ...nformation rate CIR and peak burst size BP will be transmitted without any change to the DSCP service level Transmit Transmits in conformance traffic without any change to the DSCP service level Exceed Specifies whether traffic that exceeds the committed information rate CIR or committed burst size BC but is within the peak information rate PIR will be dropped or the DSCP service level will be red...

Page 257: ...Configure Policy from the Step list 3 Select Add from the Action list 4 Enter a policy name 5 Enter a description 6 Click Add Figure 151 Configuring a Policy Map To show the configured policy maps 1 Click Traffic DiffServ 2 Select Configure Policy from the Step list 3 Select Show from the Action list Figure 152 Showing Policy Maps ...

Page 258: ... behavior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and burst rate Then specify the action to take for conforming traffic the action to tack for traffic in excess of the maximum rate but within the peak information rate or the action to take for a policy vio...

Page 259: ...ort Use the Traffic DiffServ Configure Interface page to bind a policy map to a port Command Usage First define a class map define a policy map and then bind the service policy to the required interface Parameters These parameters are displayed Port Specifies a port Ingress Applies the selected rule to ingress traffic Egress Applies the selected rule to egress traffic Web Interface To bind a polic...

Page 260: ...ce Attaching a Policy Map to a Port 260 3 Check the box under the Ingress or Egress field to enable a policy map for a port 4 Select a policy map from the scroll down box 5 Click Apply Figure 155 Attaching a Policy Map to a Port ...

Page 261: ...packet delays packet loss and jitter This is best achieved by assigning all VoIP traffic to a single Voice VLAN The use of a Voice VLAN has several advantages It provides security by isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation also protects agai...

Page 262: ...mode see Adding Static Members to VLANs on page 159 Parameters These parameters are displayed Auto Detection Status Enables the automatic detection of VoIP traffic on switch ports Default Disabled Voice VLAN Sets the Voice VLAN ID for the network Only one Voice VLAN is supported and it must already be created on the switch Range 1 4094 Voice VLAN Aging Time The time after which a port is removed f...

Page 263: ...ters are displayed Telephony OUI Specifies a MAC address range to add to the list Format xx xx xx xx xx xx Mask Identifies a range of MAC addresses Setting a mask of FF FF FF 00 00 00 identifies all devices with the same OUI the first three octets Other masks restrict the MAC address range Setting a mask of FF FF FF FF FF FF specifies a single MAC address Format xx xx xx xx xx xx or xxxxxxxxxxxx D...

Page 264: ...VoIP Traffic Ports Use the Traffic VoIP Configure Interface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN Command Usage All ports are set to VLAN hybrid mode by default Prior to enabling VoIP for a...

Page 265: ...affic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to vendors and form the first three octets of a device MAC address MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device LLDP Uses LLDP IEEE 802 1AB to discover VoIP devices attached...

Page 266: ...wise if the VoIP Mode is Disabled or set to Manual the remaining age will display NA Web Interface To configure VoIP traffic settings for a port 1 Click Traffic VoIP 2 Select Configure Interface from the Step list 3 Configure any required changes to the VoIP settings each port 4 Click Apply Figure 159 Configuring Port Settings for a Voice VLAN ...

Page 267: ...ss Configure MAC authentication intrusion response dynamic VLAN assignment and dynamic QoS assignment HTTPS Provide a secure web connection SSH Provide a secure shell for secure Telnet access ACL Access Control Lists provide packet filtering for IP frames based on address protocol Layer 4 protocol port number or TCP control code ARP Inspection Security feature that validates the MAC Address bindin...

Page 268: ...etwork Authorization Determines if users can access specific services Accounting Provides reports auditing and billing for services that users have accessed on the network The AAA functions require the use of configured RADIUS or TACACS servers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For ...

Page 269: ...passwords manually configured on the switch Remote authentication uses a remote access authentication server based on RADIUS or TACACS protocols to verify management access Command Usage By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the authentication sequence Then specify the...

Page 270: ...thentication Dial in User Service RADIUS and Terminal Access Controller Access Control System Plus TACACS are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user that requir...

Page 271: ... Message Digest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security Parameters These parameters are displayed Configure Server RADIUS Global Provides globally applicable RADIUS settings Server Index Specifies one of five RADIUS servers that may be configured The switch attempts authentication using the listed sequence of servers The process ends when a server either approves o...

Page 272: ...mber of seconds the switch waits for a reply from the TACACS server before it resends the request Range 1 65535 Default 5 Authentication Retries Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Set Key Mark this box to set or modify the encryption key Authentication Key Encryption key used to authenticate logon access for client Enclo...

Page 273: ...rver from the Step list 3 Select RADIUS or TACACS server type 4 Select Global to specify the parameters that apply globally to all specified servers or select a specific Server Index to specify the parameters that apply to a specific server 5 To set or modify the authentication key mark the Set Key box enter the key and then confirm it 6 Click Apply Figure 162 Configuring Remote Authentication Ser...

Page 274: ...RADIUS or TACACS server groups to use for accounting and authorization 1 Click Security AAA Server 2 Select Configure Group from the Step list 3 Select Add from the Action list 4 Select RADIUS or TACACS server type 5 Enter the group name followed by the index of the server to use for each priority level 6 Click Apply Figure 164 Configuring AAA Server Groups ...

Page 275: ...he configured accounting methods the methods applied to specific interfaces and basic accounting information recorded for user sessions Command Usage AAA authentication through a RADIUS or TACACS server must be enabled before accounting is enabled Parameters These parameters are displayed Configure Global Periodic Update Specifies the interval at which the local accounting service updates informat...

Page 276: ...oup names radius and tacacs specifies all configured RADIUS and TACACS hosts see Configuring Local Remote Logon Authentication on page 269 Any other group name refers to a server group configured on the Security AAA Server Configure Group page Configure Service Accounting Type Specifies the service as 802 1X Command or Exec as described in the preceding section 802 1X Method Name Specifies a user ...

Page 277: ...ules apply This field is null if the accounting method and associated server group has not been assigned to an interface Show Information Statistics User Name Displays a registered user name Accounting Type Displays the accounting service Interface Displays the receive port number through which this user accessed the switch Time Elapsed Displays the length of time this entry has been active Web In...

Page 278: ...od from the Step list 3 Select Add from the Action list 4 Select the accounting type 802 1X Command Exec 5 Specify the name of the accounting method and server group name 6 Click Apply Figure 167 Configuring AAA Accounting Methods To show the accounting method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2 Select Configure Method from the Step list...

Page 279: ... to specific interfaces console commands entered at specific privilege levels and local console Telnet or SSH connections 1 Click Security AAA Accounting 2 Select Configure Service from the Step list 3 Select the accounting type 802 1X Command Exec 4 Enter the required accounting method 5 Click Apply Figure 169 Configuring AAA Accounting Service for 802 1X Service ...

Page 280: ... Accounting Service for Command Service Figure 171 Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary ...

Page 281: ... 3 Click Statistics Figure 173 Displaying Statistics for AAA Accounting Sessions Configuring AAA Authorization Use the Security AAA Authorization page to enable authorization of requested services and also to display the configured authorization methods and the methods applied to specific interfaces Command Usage This feature performs authorization to determine if a user is allowed to run an Exec ...

Page 282: ...tion is only supported for TACACS servers Configure Service Authorization Type Specifies the service as Exec indicating administrative authorization for local console Telnet or SSH connections Console Method Name Specifies a user defined method name to apply to console connections VTY Method Name Specifies a user defined method name to apply to Telnet and SSH connections Show Information Authoriza...

Page 283: ...applied to the EXEC service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Select Show from the Action list Figure 175 Showing AAA Authorization Methods To configure the authorization method applied to local console Telnet or SSH connections 1 Click Security AAA Authorization 2 Select Configure Service from the Step list 3 Enter...

Page 284: ...page to control management access to the switch based on manually configured user names and passwords Command Usage The default guest name is guest with the password guest The default administrator name is admin with the password admin The guest only has read access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You shoul...

Page 285: ...d in the CLI Reference Guide Any privilege level can access all of the commands assigned to lower privilege levels For example privilege level 8 can access all commands assigned to privilege levels 7 0 according to default settings and to any other commands assigned to levels 7 0 using the privilege command described in the CLI Reference Guide Password Type Specifies the following options No Passw...

Page 286: ...k in situations where 802 1X or Network Access authentication are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates use...

Page 287: ... where required under the Configure Interface menu Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600 seconds Default 3600 seconds Quiet Period Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts Range 1 180 seconds Default 60 seconds Login ...

Page 288: ...host Remaining Session Time Indicates the remaining time until the current authorization session for the host expires Apply Enables web authentication if the Status box is checked Revert Restores the previous configuration settings Re authenticate Ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List and forces the users to re authenticate Web Interface ...

Page 289: ...ss authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server While authentication for a MAC address is in progress all traffic is blocked until authentication is c...

Page 290: ... and t a tagged VLAN The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS server to pass the following QoS information Multiple profiles can be specified in the Filter ID attribute by using a semicolon to separate each profile For example the attribute service po...

Page 291: ...n the authenticated port When the last user logs off on a port with a dynamic QoS assignment the switch restores the original QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an assigned dynamic QoS profile any manual QoS configur...

Page 292: ...receives the MAC address packet Range 120 1000000 seconds Default 1800 seconds Web Interface To configure aging status and reauthentication time for MAC address authentication 1 Click Security Network Access 2 Select Configure Global from the Step list 3 Enable or disable aging for secure addresses and modify the reauthentication time as required 4 Click Apply Figure 182 Configuring Global Setting...

Page 293: ...n and switchort mode is set to Hybrid See Adding Static Members to VLANs on page 159 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server through the 802 1X authentication process are applied to the port providing the VLANs have already been created on the switch GVRP is not used to create the VLANs Default Enabled T...

Page 294: ...ss authentication on a port set the maximum number of secure addresses supported the guest VLAN to use when MAC Authentication or 802 1X Authentication fails and the dynamic VLAN and QoS assignments 5 Click Apply Figure 183 Configuring Interface Settings for Network Access Configuring Port Link Detection Use the Security Network Access Configure Interface Link Detection page to send an SNMP trap a...

Page 295: ... Access 2 Select Configure Interface from the Step list 3 Click the Link Detection button 4 Modify the link detection status trigger condition and the response for any port 5 Click Apply Figure 184 Configuring Link Detection for Network Access Configuring a MAC Address Filter Use the Security Network Access Configure MAC Filter page to designate specific MAC addresses or MAC address ranges as exem...

Page 296: ... of MAC addresses defined by the MAC bit mask If you omit the mask the system will assign the default mask of an exact match Range 000000000000 FFFFFFFFFFFF Default FFFFFFFFFFFF Web Interface To add a MAC address filter for MAC authentication 1 Click Security Network Access 2 Select Configure MAC Filter from the Step list 3 Select Add from the Action list 4 Enter a filter ID MAC address and option...

Page 297: ...hese parameters are displayed Query By Specifies parameters to use in the MAC address query Sort Key Sorts the information displayed based on MAC address port interface or attribute MAC Address Specifies a specific MAC address Interface Specifies a port interface Attribute Displays static or dynamic addresses Authenticated MAC Address List MAC Address The authenticated MAC address Interface The po...

Page 298: ...2 Select Show Information from the Step list 3 Use the sort key to display addresses based MAC address interface or attribute 4 Restrict the displayed addresses by entering a specific address in the MAC Address field specifying a port in the Interface field or setting the address type to static or dynamic in the Attribute field 5 Click Query Figure 187 Showing Addresses Authenticated for Network A...

Page 299: ...art HTTPS the connection is established in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar...

Page 300: ...re site certificate When you log onto the web interface using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site This is because the certificate has not been signed by an approved certification authority If you want this warn...

Page 301: ...ource File Name Name of certificate file stored on the TFTP server Private Key Source File Name Name of private key file stored on the TFTP server Private Password Password stored in the private key file This password is used to verify authorization for certificate use and is verified when downloading the certificate to the switch Confirm Password Re type the string entered in the previous field t...

Page 302: ...SSH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered Note You need to install an SSH client on the management station to access the switch for management via the SSH protocol Note The switch supports both SSH Version 1 5 and 2 0 clients Command Usage The SSH server on this switc...

Page 303: ... the User Accounts page as described on page 284 The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA Version 1 key 1024 35 134108168560989392104094492015542534763164192187295892114317388005553616163105 1775940838686311092912322268285192543746031009371877211996963178...

Page 304: ...client s private key corresponds to an authorized public key and the client is authenticated Authenticating SSH v2 Clients a The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable b If the specified algorithm is supported by the switch it notifies the client to proceed with the authentication process Otherwise it rejects the requ...

Page 305: ...ge 1 120 seconds Default 120 seconds Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process Range 1 5 times Default 3 Server Key Size Specifies the SSH server key size Range 512 896 bits Default 768 The server key is a private key that is never shared outside the switch The...

Page 306: ... generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default Both The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption Note The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for...

Page 307: ...ublic key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive password authentication mechanism to complete authentication Parameters These parameters are displayed User Name This drop down box selects the user who s public key you wish to manage Note that you must first create users on the User Accounts page see Configuring User Accoun...

Page 308: ...key 1 Click Security SSH 2 Select Configure User Key from the Step list 3 Select Copy from the Action list 4 Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name 5 Click Apply Figure 193 Copying the SSH User s Public Key To display or clear the SSH user s public key 1 Click Security SSH 2 Select Config...

Page 309: ...ss packets against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match the packet is accepted Command Usage The following restrictions apply to ACLs The maximum number of ACLs is 512 The maximum number of rules per system is 2048 rules An ACL can have up to 2048 rules However due to resourc...

Page 310: ...ocess the ACEs If no matches are found down to the end of the list the traffic is denied For this reason frequently hit entries should be placed at the top of the list There is an implied deny for traffic that is not explicitly permitted Also note that a single entry ACL with only one deny entry has the effect of denying all traffic You should therefore use at least one permit statement in an ACL ...

Page 311: ...th day and year at which to start or end Periodic Specifies a periodic interval Start To Specifies the days of the week hours and minutes at which to start or end Web Interface To configure a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Add from the Action list 4 Enter the name of a time range 5 Click Apply Figure 195 Setting the Name of a Time Range To...

Page 312: ...figure Time Range from the Step list 3 Select Add Rule from the Action list 4 Select the name of time range from the drop down list 5 Select a mode option of Absolute or Periodic 6 Fill in the required parameters for the selected mode 7 Click Apply Figure 197 Add a Rule to a Time Range To show the rules configured for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step li...

Page 313: ...ntrol Lists ACLs IP Source Guard filter rules Quality of Service QoS processes QinQ MAC based VLANs VLAN translation or traps For example when binding an ACL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs Parameters These parameters are displayed Total Policy Control Entries The number policy control entr...

Page 314: ...packets based on the source IPv4 address IP Extended IPv4 ACL mode filters packets based on the source or destination IPv4 address as well as the protocol type and protocol port number If the TCP protocol is specified then you can also filter packets based on the TCP control code IPv6 Standard IPv6 ACL mode filters packets based on the source IPv6 address IPv6 Extended IPv6 ACL mode filters packet...

Page 315: ...ACL 2 Select Configure ACL from the Step list 3 Select Add from the Action list 4 Fill in the ACL Name field and select the ACL type 5 Click Apply Figure 200 Creating an ACL To show a list of ACLs 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Show from the Action list Figure 201 Showing a List of ACLs ...

Page 316: ...Source IP Address Source IP address Source Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The mask uses 1 bits to indicate match and 0 bits to indicate ignore The mask is bitwise ANDed with the specified source IP address and compared with the address for each IP packet entering the port s to which this ACL has been assigned Time Range Name of a time ra...

Page 317: ...ude all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and Subnet Mask fields Options Any Host IP Default Any Source Destination IP Address Source or destination IP address Source Destination Subnet Mask Subnet mask for source or destination address See the description for Subnet Mask on page 316 Source Destina...

Page 318: ...it and 0 means to ignore a bit The following bits may be specified 1 fin Finish 2 syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN flag valid use control code 2 control bit mask 2 Both SYN and ACK valid use control code 18 control bit mask 18 SYN valid and ACK invalid ...

Page 319: ...rameters are displayed Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Source Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IPv6 Prefix to specify a range of addresse...

Page 320: ...ge Name of a time range Web Interface To add rules to a Standard IPv6 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IPv6 Standard from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the source address type Any Host or IPv6 prefix 8 If you select Host enter a specific ...

Page 321: ...sing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Source Destination Prefix Length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address Range 0 128 bits for the source p...

Page 322: ...e Action list 4 Select IPv6 Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any or IPv6 prefix 8 If you select Host enter a specific address If you select IPv6 prefix enter a subnet address and prefix length 9 Set any other required criteria such as DSCP or next header type 10 Click Apply Figure 205 Config...

Page 323: ... Source Destination Bit Mask Hexadecimal mask for source or destination MAC address Packet Format This attribute includes the following packet types Any Any Ethernet packet type Untagged eth2 Untagged Ethernet II packets Untagged 802 3 Untagged Ethernet 802 3 packets Tagged eth2 Tagged Ethernet II packets Tagged 802 3 Tagged Ethernet 802 3 packets VID VLAN ID Range 1 4094 VID Bit Mask VLAN bit mas...

Page 324: ... Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or MAC 8 If you select Host enter a specific address e g 11 22 33 44 55 66 If you select MAC enter a base address and a hexadecimal bit mask for an address range 9 Set any other required criteria such as VID Ethernet type or packet format 10 Click Apply Figure 206 Co...

Page 325: ...ost to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and Mask fields Options Any Host IP Default Any Source Destination IP Address Source or destination IP address Source Destination IP Subnet Mask Subnet mask for source or destination address See the description for Subnet Mask on page 316 Source Destination MAC Address Type Use Any to...

Page 326: ...sk for an address range 10 Enable logging if required 11 Click Apply Figure 207 Configuring a ARP ACL Binding a Port to an Access Control List After configuring ACLs use the Security ACL Configure Interface Configure page to bind the ports that need to filter traffic to the appropriate ACLs Only one access list IPv4 IPv6 or MAC can be assigned to an ingress or egress port Parameters These paramete...

Page 327: ... options 5 Select a port 6 Select the name of an ACL from the ACL list 7 Click Apply Figure 208 Binding a Port to an ACL Configuring ACL Mirroring After configuring ACLs use the Security ACL Configure Interface Add Mirror page to mirror traffic matching an ACL from one or more source ports to a target port for real time analysis You can then attach a logic analyzer or RMON probe to the target port...

Page 328: ...ify the ACL and the destination port to which matching traffic will be mirrored Parameters These parameters are displayed Port Port identifier ACL ACL used for ingress packets Web Interface To bind an ACL to a port 1 Click Security ACL 2 Select Configure Interface from the Step list 3 Select Add Mirror from the Action list 4 Select a port 5 Select the name of an ACL from the ACL list 6 Click Apply...

Page 329: ...ess traffic Query Displays statistics for selected criteria ACL Name The ACL bound this port Action Shows if action is to permit or deny specified packets Rules Shows the rules for the ACL bound to this port Time Range Name of a time range Hit Shows the number of packets matching this ACL 9 Clear Counter Clears the hit counter for the specified ACL Web Interface To show statistics for ACL hardware...

Page 330: ...alid ARP packets are dropped ARP Inspection determines the validity of an ARP packet based on valid IP to MAC address bindings stored in a trusted database the DHCP snooping binding database see DHCP Snooping Global Configuration on page 371 This database is built by DHCP snooping if it is enabled on globally on the switch and on the required VLANs ARP Inspection can also validate ARP packets agai...

Page 331: ...n Use the Security ARP Inspection Configure General page to enable ARP inspection globally for the switch to validate address information in each packet and configure logging Command Usage ARP Inspection Validation By default ARP Inspection Validation is disabled Specifying at least one of the following validations enables ARP Inspection Validation globally Any combination of the following checks ...

Page 332: ... will be replaced with the newest entry Parameters These parameters are displayed ARP Inspection Status Enables ARP Inspection globally Default Disabled ARP Inspection Validation Enables extended ARP Inspection Validation if any of the following options are enabled Default Disabled Dst MAC Validates the destination MAC address in the Ethernet header against the target MAC address in the body of AR...

Page 333: ... to use Command Usage ARP Inspection VLAN Filters ACLs By default no ARP Inspection ACLs are configured and the feature is disabled ARP Inspection ACLs are configured within the ARP ACL configuration page see page 325 ARP Inspection ACLs can be applied to any configured VLAN ARP Inspection uses the DHCP snooping bindings database for the list of valid IP to MAC address bindings ARP ACLs take prece...

Page 334: ...lso selected the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database When an ARP ACL is selected but static mode is not selected the switch first performs ARP Inspection and then validation against the DHCP Snooping Bindings database Default Disabled Web Interface To configure VLAN settings for ARP Inspection 1 Click Security ARP Inspection 2 Sel...

Page 335: ...nd will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Packet Rate Limit Sets the maximum number of ARP packets that can be processed by CPU per second on trusted or untrusted ports Range 0 2048 Default 15 Setting the rate limit to 0 means that there is no restriction on the number of ARP packets that can be processed by the CPU ...

Page 336: ...exceeding the ARP Inspection rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional validation IP Count of ARP packets that failed the IP address test ARP packets dropped by additional validation Dst MAC Count of packets that failed the destination MAC address test Total ARP packet...

Page 337: ...rs are displayed Web Interface To display the ARP Inspection log 1 Click Security ARP Inspection 2 Select Show Information from the Step list 3 Select Show Log from the Action list Table 21 ARP Inspection Log Parameter Description VLAN ID The VLAN where this packet was seen Port The port where this packet was seen Src IP Address The source IP address in the packet Dst IP Address The destination IP...

Page 338: ... event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When enterin...

Page 339: ...ss of a range End IP Address The end address of a range Web Interface To create a list of IP addresses authorized for management access 1 Click Security IP Filter 2 Select Add from the Action list 3 Select the management interface to filter Web SNMP Telnet All 4 Enter the IP addresses or range of addresses that are allowed management access to an interface 5 Click Apply Figure 217 Creating an IP A...

Page 340: ...evice with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message Command Usage The default maximum number of MAC addresses allowed on a secure port is zero that is disabled To use port security you must configure the maximum number of addresses allowed on a port To con...

Page 341: ...ty is enabled on a port that port cannot be set as an RSPAN uplink port Also when a port is configured as an RSPAN uplink port source port or destination port port security cannot be enabled on that port Parameters These parameters are displayed Port Port identifier Security Status Enables or disables port security on a port Default Disabled Port Status The operational status Secure Down Port secu...

Page 342: ... an invalid address is detected on a port and set the maximum number of MAC addresses allowed on the port 3 Click Apply Figure 219 Configuring Port Security Configuring 802 1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC Although this automatic configuration and access is a desirable feature it also allows unauthorized p...

Page 343: ...te The RADIUS server verifies the client credentials and responds with an accept or reject packet If authentication is successful the switch allows the client to access the network Otherwise non EAP traffic on the port is blocked or assigned to a guest VLAN based on the intrusion action setting In multi host mode only one host connected to a port needs to pass authentication for all other hosts to...

Page 344: ...e is functioning as intermediate node in the network and does not need to perform dot1x authentication EAPOL Pass Through can be enabled to allow the switch to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network When this device is functioning as an edge switch b...

Page 345: ...page to configure 802 1X port settings for the switch as the local authenticator When 802 1X is enabled you need to configure the parameters for the authentication process that runs between the client and the switch i e authenticator as well as the client identity lookup process that runs between the switch and authentication server Command Usage When the switch functions as a local authenticator ...

Page 346: ...t is not authorized or port is not connected Control Mode Sets the authentication mode to one of the following options Auto Requires a dot1x aware client to be authorized by the authentication server Clients that are not dot1x aware will be denied access Force Authorized Forces the port to grant access to all clients either dot1x aware or otherwise This is the default setting Force Unauthorized Fo...

Page 347: ...out for EAP request frames other than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to the client to request its identity followed by one or more requests for authentication information It may also send other EAP request frames to the client during an acti...

Page 348: ...ne State Current state including initialize disconnected connecting authenticating authenticated aborting held force_authorized force_unauthorized Reauth Count Number of times connecting state is re entered Current Identifier Identifier sent in each EAP Success Failure or Request packet by the Authentication Server Backend State Machine State Current state including request response success fail t...

Page 349: ...re port authenticator settings for 802 1X 1 Click Security Port Authentication 2 Select Configure Interface from the Step list 3 Click Authenticator 4 Modify the authentication settings for each port as required 5 Click Apply Figure 222 Configuring Interface Settings for 802 1X Port Authenticator ...

Page 350: ...or an authenticator This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on the Authenticator configuration page and as a supplicant on other ports by the setting the control mode to Force Authorized on that configuration page and enabling the PAE supplicant on the Supplicant configuration page Parameters These parameters are displayed P...

Page 351: ... 1X unaware Range 1 65535 Default 3 Authenticated Shows whether or not the supplicant has been authenticated Web Interface To configure port authenticator settings for 802 1X 1 Click Security Port Authentication 2 Select Configure Interface from the Step list 3 Click Supplicant 4 Modify the supplicant settings for each port as required 5 Click Apply Figure 223 Configuring Interface Settings for 80...

Page 352: ...icator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Tx EAP Req Id The number of EAP Req Id frames that have been transmitted by this Authenticator Tx EAP Req Oth The number of EAP...

Page 353: ...ch the Packet Body Length field is invalid Tx EAPOL Total The number of EAPOL frames of any type that have been transmitted by this Supplicant Tx EAPOL Start The number of EAPOL Start frames that have been transmitted by this Supplicant Tx EAPOL Logoff ThenumberofEAPOLLogoffframesthathave been transmittedby this Supplicant Tx EAP Req Id The number of EAP Req Id frames that have been transmitted by...

Page 354: ... general DoS attacks are implemented by either forcing the target to reset to consume most of its resources so that it can no longer provide its intended service or to obstruct the communication media between the intended users and the target so that they can no longer communicate adequately This section describes how to protect against DoS attacks Parameters These parameters are displayed Echo Ch...

Page 355: ...igured TCP packets which contain SYN synchronize and FIN finish flags If the target s TCP port is closed the target replies with a TCP RST reset packet If the target TCP port is open it simply discards the TCP SYN FIN scan Default Enabled TCP Xmas Scan A so called TCP XMAS scan message is used to identify listening TCP ports This scan uses a series of strangely configured TCP packets which contain...

Page 356: ... 139 NetBIOS casing it to lock up and display a Blue Screen of Death This did not cause any damage to or change data on the computer s hard disk but any unsaved data would be lost Microsoft made patches to prevent the WinNuke attack but the OOB packets Default Disabled WinNuke Attack Rate Maximum allowed rate Range 64 2000 kbits second Default 1000 kbits second Web Interface To protect against DoS...

Page 357: ...hbor Command Usage Filter Type Setting source guard mode to SIP Source IP or SIP MAC Source IP and MAC enables this function on the selected port Use the SIP option to check the VLAN ID source IP address and port number against all entries in the binding table Use the SIP MAC option to check these same parameters plus the source MAC address If no matching entry is found the packet is dropped Note ...

Page 358: ...uard filtering on the port SIP Enables traffic filtering based on IP addresses stored in the binding table SIP MAC Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table Filter Table Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table Default ACL binding table Max Binding Entry T...

Page 359: ... infinite lease time When source guard is enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table An entry with same MAC address and a diferent VLAN ID cannot be added to the binding table Static bindings are processed as follows A valid static IP source guard entry will be added to the binding table in ACL m...

Page 360: ...ge 1 4094 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Add Configure MAC Table MAC Address A valid unicast MAC address VLAN ID of a configured VLAN or a range of VLANs Range 1 4094 IP Address A valid unicast IP address including classful types A B or C Port The port to which a static entry is bound Specify a physical port number or...

Page 361: ... Step list 3 Select Add from the Action list 4 Enter the required bindings for each port 5 Click Apply Figure 228 Configuring Static Bindings for IPv4 Source Guard To display static bindings for IP Source Guard 1 Click Security IP Source Guard Static Binding 2 Select Configure ACL Table or Configure MAC Table from the Step list 3 Select Show from the Action list Figure 229 Displaying Static Bindin...

Page 362: ...ss A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Dynamic Binding List VLAN VLAN to which this entry is bound MAC Address Physical address associated with the entry Interface Port to which this entry is bound IP Address IP address corresponding to the client Lease Time The time for which this IP address is leased to the client Web Interface To d...

Page 363: ...ess stored in the binding table IPv6 Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or fire wall and therefore may be subject to traffic attacks caused by a host trying to use the IPv6 address of a neighbor Command Usage Setting source guard mode to SIP Source IP enables this function on the selected port Use the SIP option to check the ...

Page 364: ...is found in the binding table and the entry type is static IPv6 source guard binding dynamic ND snooping binding or dynamic DHCPv6 snooping binding the packet will be forwarded If IP source guard is enabled on an interface for which IPv6 source bindings dynamically learned via ND snooping or DHCPv6 snooping or manually configured are not yet configured the switch will drop all IPv6 traffic on that...

Page 365: ... a lower value precedence is given to deleting entries learned through DHCPv6 snooping ND snooping and then manually configured IPv6 source guard static bindings until the number of entries in the binding table reaches the newly configured maximum number of allowed bindings Web Interface To set the IPv6 Source Guard filter for ports 1 Click Security IPv6 Source Guard Port Configuration 2 Set the r...

Page 366: ...s an entry with same MAC address and IPv6 address and the type of the entry is either a dynamic ND snooping binding or DHCPv6 snooping binding then the new entry will replace the old one and the entry type will be changed to static IPv6 source guard binding Only unicast addresses are accepted for static bindings Parameters These parameters are displayed Add Port The port to which a static entry is...

Page 367: ...tatic bindings for IPv6 Source Guard 1 Click Security IPv6 Source Guard Static Configuration 2 Select Add from the Action list 3 Enter the required bindings for each port 4 Click Apply Figure 232 Configuring Static Bindings for IPv6 Source Guard To display static bindings for Iv6 Source Guard 1 Click Security IPv6 Source Guard Static Configuration 2 Select Show from the Action list Figure 233 Disp...

Page 368: ...AC address IPv6 Address A valid global unicast IPv6 address Dynamic Binding List VLAN VLAN to which this entry is bound MAC Address Physical address associated with the entry Interface Port to which this entry is bound IPv6 Address IPv6 address corresponding to the client Type Shows the entry type DHCP Dynamic DHCPv6 binding stateful address ND Dynamic Neighbor Discovery binding stateless address ...

Page 369: ...nooping is used to filter DHCP messages received on a non secure interface from outside the network or fire wall When DHCP snooping is enabled globally and enabled on a VLAN interface DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped Table entries are only learned for trusted interfaces An entry is added or removed dynamically to t...

Page 370: ...f MAC address verification is disabled However if MAC address verification is enabled then the packet will only be forwarded if the client s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header If the DHCP packet is not a recognizable type it is dropped If a DHCP packet from a client passes the filtering criteria above it will only be forwarded to...

Page 371: ... with information indicating the local interface over which the switch received the DHCP client request including the port and VLAN ID This allows DHCP client server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN If DHCP Snooping Information Option 82 is enabled on the switch information may be inserted into a DHCP request packet rec...

Page 372: ...ess of the switch s CPU This attribute can be encoded in Hexadecimal or ASCII IP Address Inserts an IP address in the remote ID sub option for the DHCP snooping agent i e the IP address of the management interface This attribute can be encoded in Hexadecimal or ASCII string An arbitrary string inserted into the remote identifier field Range 1 32 characters DHCP Snooping Information Option Policy S...

Page 373: ... untrusted ports within the VLAN When the DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled and DHCP snooping is then disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table Parameters These paramet...

Page 374: ... that is configured to receive messages from outside the network or fire wall When DHCP snooping is enabled both globally and on a VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Set all ports connected to DHCP servers within the local...

Page 375: ... circuit ID information and an arbitrary string if required 5 Click Apply Figure 237 Configuring the Port Mode for DHCP Snooping Displaying DHCP Snooping Binding Information Use the IP Service DHCP Snooping Show Information page to display entries in the binding table Parameters These parameters are displayed MAC Address Physical address associated with the entry IP Address IP address correspondin...

Page 376: ...ese entries will be restored to the snooping table when the switch is reset However note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid Clear Removes all dynamically learned snooping entries from flash memory Web Interface To display the binding table for DHCP Snooping 1 Click IP Service DHCP Snooping 2 Select Show Information from th...

Page 377: ...stics or events which can be subsequently retrieved through SNMP Switch Clustering Configures centralized management by a single unit over a group of switches connected to the same local network Ethernet Ring Protection Switching ERPS Configures a protection switching mechanism and protocol for Ethernet layer network rings Connectivity Fault Management CFM This protocol provides proactive connecti...

Page 378: ...that are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM Parameters These parameters are displayed System Log Status Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the speci...

Page 379: ...ower is turned off and then on through the power source Web Interface To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select Configure Global from the Step list 3 Enable or disable system logging set the level of event messages to be logged to flash memory and RAM 4 Click Apply Figure 239 Configuring Settings for System Memory Logs To show the error ...

Page 380: ...emote logging of syslog messages There are eight facility types specified by values of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to proce...

Page 381: ... Mail Transfer Protocol email messages when triggered by logging events of a specified level The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients Parameters These parameters are displayed SMTP Status Enables disables the SMTP function Default Enabled Severity Sets the syslog severity threshold level see table on page 378 used to trigger aler...

Page 382: ...spond For host name to IP address translation to function properly host name lookup must be enabled Configuring General DNS Service Parameters on page 621 and one or more DNS servers specified see Configuring a List of Name Servers on page 624 or Configuring Static DNS Host to Address Entries on page 625 Web Interface To configure SMTP alert messages 1 Click Administration Log SMTP 2 Enable SMTP s...

Page 383: ... Timing Attributes Use the Administration LLDP Configure Global page to set attributes for general functions such as globally enabling LLDP on the switch setting the message ageout time and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB Parameters These parameters are displayed LLDP Enables LLDP globally on the switch Default Enabled Transmis...

Page 384: ...t changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss MED Fast Start Count Config...

Page 385: ... Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB the LLDP MED MIB ANSI TIA 1057 or vendor specific LLDP EXT DOT1 and LLDP EXT DOT3 MIBs For information on defining SNMP trap destinations see Speci...

Page 386: ...through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier VID associated with the management address reported by this TLV Port Description The port description is taken from the ifDescr object in RFC 2863 which includes information about the manufacturer the product name and the version of the interface hardware software Default Enabled Sy...

Page 387: ...iguration Status The MAC PHY configuration and status which includes information about auto negotiation support capabilities and operational Multistation Access Unit MAU type Default Enabled MED TLVs Configures general information included in the MED TLV field of advertised messages Capabilities This option advertises LLDP MED TLV capabilities allowing Media Endpoint and Connectivity Devices to ef...

Page 388: ... closest to client Location of client This is the default Web Interface To configure LLDP interface attributes 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Configure General from the Action list 4 Select an interface from the Port or Trunk list 5 Set the LLDP transmit receive mode specify whether or not to send SNMP trap messages and select the information t...

Page 389: ...c address location as long as the total does not exceed 250 characters Parameters These parameters are displayed CA Type Descriptor of the data civic address value Range 0 255 CA Value Description of a location Range 1 32 characters Web Interface To specify the physical location of the attached device 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Add CA Type ...

Page 390: ...air 6 Click Apply Figure 245 Configuring the Civic Address for an LLDP Interface To show the physical location of the attached device 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Show CA Type from the Action list 4 Select an interface from the Port or Trunk list Figure 246 Showing the Civic Address for an LLDP Interface ...

Page 391: ...in this system System Name A string that indicates the system s administratively assigned name see Displaying System Information on page 72 System Description A textual description of the network entity This field is also displayed by the show system command System Capabilities Supported The capabilities that define the primary function s of the system Table 25 Chassis ID Subtype ID Basis Referenc...

Page 392: ...r the port or trunk from which this LLDPDU was transmitted Interface Details The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Local Port Trunk Local interface on this switch Port Trunk ID Type There are several ways in which a port may be identified A port ID subtype is used to indicate how the por...

Page 393: ...f capabilities that define the primary function s of the interface LLDP MED Capabilities Network Policy Location Identification Extended Power via MDI PSE Extended Power via MDI PD Inventory Web Interface To display LLDP information for the local device 1 Click Administration LLDP 2 Select Show Local Device Information from the Step list 3 Select General Port Port Details Trunk or Trunk Details Fi...

Page 394: ... s ports which are advertising information through LLDP or to display detailed information about an LLDP enabled device connected to a specific port on the local switch Parameters These parameters are displayed Port Local Port The local port to which a remote LLDP capable device is attached Chassis ID An octet string indicating the specific identifier for the particular chassis in this system Port...

Page 395: ...ndicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field Port ID A string that contains the specific identifier for the port from which this LLDPDU was transmitted System Capabilities Supported The capabilities that define the primary function s of the system See Table 26 System Capabilities on page 391 System Capabilities Enabled The primary func...

Page 396: ... system supports auto negotiation Remote Port Auto Neg Adv Capability The value bitmap of the ifMauAutoNegCapAdvertisedBits object defined in IETF RFC 3636 which is associated with a port on the remote system Remote Port Auto Neg Status Shows whether port auto negotiation is enabled on a port associated with the remote system Table 28 Remote Port Auto Negotiation Advertised Capability Bit Capabili...

Page 397: ...air selection can be controlled for sourcing power on the given port associated with the remote system Remote Power Classification This classification is used to tag different terminals on the Power over LAN network according to their power consumption Devices such as IP telephones WLAN access points and others will be classified according to their power requirements Port Details 802 3 Extension T...

Page 398: ...orts the IEEE 802 1AB and MED extensions defined by this Standard and can relay IEEE 802 frames via any method Supported Capabilities The supported set of capabilities that define the primary function s of the port LLDP MED Capabilities Network Policy Location Identification Extended Power via MDI PSE Extended Power via MDI PD Inventory Current Capabilities The set of capabilities that define the ...

Page 399: ...ntification10 Location Data Format Any of these location ID data formats Coordinate based LCI11 Defined in RFC 3825 includes latitude resolution latitude longitude resolution longitude altitude type altitude resolution altitude and datum Civic Address LCI11 Includes What Country code CA type CA length and CA value What is described as the field entry Device entry refers to under Configuring LLDP I...

Page 400: ...point device Software Revision The software revision of the end point device Manufacture Name The manufacturer of the end point device Asset ID The asset identifier of the end point device End point devices are typically assigned asset identifiers to facilitate inventory management and assets tracking Firmware Revision The firmware revision of the end point device Serial Number The serial number o...

Page 401: ...Chapter 13 Basic Administration Protocols Link Layer Discovery Protocol 401 Figure 250 Displaying Remote Device Information for LLDP Port ...

Page 402: ...Chapter 13 Basic Administration Protocols Link Layer Discovery Protocol 402 Figure 251 Displaying Remote Device Information for LLDP Port Details ...

Page 403: ...o display statistics for LLDP capable devices attached to the switch and for LLDP protocol messages transmitted or received on all local interfaces Parameters These parameters are displayed General Statistics on Remote Devices Neighbor Entries List Last Updated The time the LLDP neighbor entry list was last updated New Neighbor Entries Count The number of LLDP neighbors for which the remote TTL ha...

Page 404: ... TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discarded due to insufficient memory space missing or out of sequence attributes ...

Page 405: ...ed to configure these devices for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on the device and is referred to as an agent A defined set of variables known as managed objects is maintained by the SNMP agent and used to manage the device These objects are...

Page 406: ...nown as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system default settings Note The predefined default groups and view can be deleted from the system You can then define customized groups and views for the SNMP clients that require access Table 29 SNMPv3 Sec...

Page 407: ...Use the Administration SNMP Configure Engine page to change the local engine ID If you want to change the default engine ID it must be changed before configuring other parameters 4 Use the Administration SNMP Configure View page to specify read and write access views for the switch MIB tree 5 Use the Administration SNMP Configure User page to configure SNMP user groups with the required security m...

Page 408: ...gine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets Command Usage A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users Paramete...

Page 409: ...rst specify the engine identifier for the SNMP agent on the remote device where the user resides The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host Command Usage SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remo...

Page 410: ...ration SNMP 2 Select Configure Engine from the Step list 3 Select Add Remote Engine from the Action list 4 Enter an ID of a least 9 hexadecimal characters and the IP address of the remote host 5 Click Apply Figure 257 Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs 1 Click Administration SNMP 2 Select Configure Engine from the Step list 3 Select Show Remote Engine from t...

Page 411: ...object identifier of a branch within the MIB tree is included or excluded from the SNMP view Add OID Subtree View Name Lists the SNMP views configured in the Add View page Range 1 32 characters OID Subtree Adds an additional object identifier of a branch within the MIB tree to the selected View Wild cards can be used to mask a specific portion of the OID string Range 1 64 characters Type Indicates...

Page 412: ... Select Show View from the Action list Figure 260 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add OID Subtree from the Action list 4 Select a view name from the list of existing views and specify an additional OID subtree in the switch s MIB database to be includ...

Page 413: ...views Figure 262 Showing the OID Subtree Configured for SNMP Views Configuring SNMPv3 Groups Use the Administration SNMP Configure Group page to add an SNMPv3 group which can be used to set the access policy for its assigned users restricting them to specific read write and notify views You can use the pre defined default groups or create new groups to map a set of SNMP users to SNMP views Paramet...

Page 414: ...r encryption used in SNMP communications This is the default security level AuthNoPriv SNMP communications use authentication but the data is not encrypted AuthPriv SNMP communications use both authentication and encryption Read View The configured view for read access Range 1 32 characters Write View The configured view for write access Range 1 32 characters Notify View The configured view for no...

Page 415: ... that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notPresent state This other state is indicated by the included value of ifOperStatus linkUp 1 3 6 1 6 3 1 1 5 4 A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the if...

Page 416: ...p 1 3 6 1 4 1 22426 10 11 24 2 1 0 91 This trap will be sentwhen an interface is shutdown because of BPDU guard swLoopbackDetectionTrap 1 3 6 1 4 1 22426 10 11 24 2 1 0 95 This trap is sent when loopback BPDUs have been detected networkAccessPortLinkDetectionTrap 1 3 6 1 4 1 22426 10 11 24 2 1 0 96 This trap is sent when a networkAccessPortLinkDetection event is triggered dot1agCfmMepUpTrap 1 3 6 ...

Page 417: ...serAuthenticationFailureTrap 1 3 6 1 4 1 22426 10 11 24 2 1 0 199 This trap will be triggered if authentication fails userAuthenticationSuccessTrap 1 3 6 1 4 1 22426 10 11 24 2 1 0 200 This trap will be triggered if authentication is successful loginTrap 1 3 6 1 4 1 22426 10 11 24 2 1 0 201 This trap is sent when user logs in logoutTrap 1 3 6 1 4 1 22426 10 11 24 2 1 0 202 This trap is sent when u...

Page 418: ...ure Group from the Step list 3 Select Add from the Action list 4 Enter a group name assign a security model and level and then select read write and notify views 5 Click Apply Figure 263 Creating an SNMP Group To show SNMP groups 1 Click Administration SNMP 2 Select Configure Group from the Step list 3 Select Show from the Action list Figure 264 Showing SNMP Groups ...

Page 419: ...ss to the SNMP protocol Range 1 32 characters case sensitive Default strings public Read Only private Read Write Access Mode Specifies the access rights for the community string Read Only Authorized management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects Web Interface To set a community access string 1 Cli...

Page 420: ... unique name Users must be configured with a specific security level and assigned to a group The SNMPv3 group restricts users to a specific read write and notify view Parameters These parameters are displayed User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user...

Page 421: ...m use for data privacy only 56 bit DES is currently available Privacy Password A minimum of eight plain text characters is required Web Interface To configure a local SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Add SNMPv3 Local User from the Action list 4 Enter a name and assign it to a group If the security model is set to SNMPv3 and the security le...

Page 422: ...users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Local User from the Action list Figure 268 Showing Local SNMPv3 Users To change a local SNMPv3 local user group 1 Click Administration SNMP 2 Select Change SNMPv3 Local User Group from the Action list 3 Select the User Name 4 Enter a new group name ...

Page 423: ...es The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user See Specifying Trap Managers on page 426 and Specifying a Remote Engine ID on page 409 Parameters These parameters are displayed User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group t...

Page 424: ... Privacy Password A minimum of eight plain text characters is required Web Interface To configure a remote SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Add SNMPv3 Remote User from the Action list 4 Enter a name and assign it to a group Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch If the security mode...

Page 425: ...Management Protocol 425 Figure 270 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User from the Action list Figure 271 Showing Remote SNMPv3 Users ...

Page 426: ...raffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 407 2 Create a view with the required notification messages page 411 3 Configure the group matching the community string specified on the Configure Trap Add page to include the required notify view page 413 4...

Page 427: ...s only available for version 2c and 3 hosts Default traps are used Timeout The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds Retry times The maximum number of times to resend an inform message if the recipient does not acknowledge receipt Range 0 255 Default 3 Community String Specifies a valid community...

Page 428: ...will be automatically generated Remote User Name The name of a remote user which is used to identify the source of SNMPv3 inform messages sent from the local switch Range 1 32 characters If an account for the specified user has not been created page 423 one will be automatically generated UDP Port Specifies the UDP port number used by the trap manager Default 162 Security Level When trap version 3...

Page 429: ...sic Administration Protocols Simple Network Management Protocol 429 5 Click Apply Figure 272 Configuring Trap Managers SNMPv1 Figure 273 Configuring Trap Managers SNMPv2c Figure 274 Configuring Trap Managers SNMPv3 ...

Page 430: ...ndividual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost and applications can poll the log to verify that they have not missed any important Notifications If notification logging is not configured when the switch reboots some SNMP traps such as warm start cannot be logged To avoid this pro...

Page 431: ...ally It is not sent to a remote device This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB Filter Profile Name Notification log profile name Range 1 32 characters Web Interface To create an SNMP notification log 1 Click Administration SNMP 2 Select Configure Notify Filter from the Step list 3 Select Add from the Action list 4 Fill in the IP address...

Page 432: ...h represented an SNMP operation which was not allowed by the SNMP community named in the message Encoding errors The total number of ASN 1 or BER errors encountered by the SNMP entity when decoding received SNMP messages Number of requested variables The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get Request ...

Page 433: ...ues errors The total number of SNMP PDUs which were delivered to or generated by the SNMP protocol entity and for which the value of the error status field is badValue General errors The total number of SNMP PDUs which were delivered to or generated by the SNMP protocol entity and for which the value of the error status field is genErr Response PDUs The total number of SNMP Get Response PDUs which...

Page 434: ...lly send a trap message to the management agent which can then respond to the event if so configured Configuring RMON Alarms Use the Administration RMON Configure Global Add Alarm page to define specific criteria that will generate response events Alarms can be set to test data over any specified time interval and can monitor absolute or changing values such as a statistical counter reaching a spe...

Page 435: ...y in the event control table then no event will be generated Range 0 65535 Falling Threshold If the current value is less than or equal to the falling threshold and the last sample value was greater than this threshold then an alarm will be generated After a falling event has been generated another such event will not be generated until the sampled value has risen above the falling threshold reach...

Page 436: ...e Monitoring 436 Figure 279 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click Alarm Figure 280 Showing Configured RMON Alarms ...

Page 437: ... entry Range 1 65535 Type Specifies the type of event to initiate None No event is generated Log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see System Log Configuration on page 378 Trap Sends a trap message to all configured trap managers see Specifying Trap Managers on page 426 Log and Trap Logs ...

Page 438: ... list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the name of the person who created this event and a brief description of the event 6 Click Apply Figure 281 Configuring an RMON Event To show configured RMON events 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Cli...

Page 439: ...collection is already enabled on an interface the entry must be deleted before any changes can be made The information collected for each sample includes input octets packets broadcast packets multicast packets undersize packets oversize packets fragments jabbers CRC alignment errors collisions drop events and network utilization For a description of the statistics displayed on the Show Details pa...

Page 440: ...nterface To periodically sample statistics on a port 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Add from the Action list 4 Click History 5 Select a port from the list as the data source 6 Enter an index number the sampling interval the number of buckets to use and the name of the owner for this entry 7 Click Apply Figure 283 Configuring an RMON History Sam...

Page 441: ...ory Figure 284 Showing Configured RMON History Samples To show collected RMON history samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a port from the list 5 Click History Figure 285 Showing Collected RMON History Samples ...

Page 442: ... octets packets broadcast packets multicast packets undersize packets oversize packets CRC alignment errors jabbers fragments collisions drop events and frames of various sizes Parameters These parameters are displayed Port The port number on the switch Index Index to this entry Range 1 65535 Owner Name of the person who created this entry Range 1 127 characters Web Interface To enable regular sam...

Page 443: ...ect Configure Interface from the Step list 3 Select Show from the Action list 4 Select a port from the list 5 Click Statistics Figure 287 Showing Configured RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a port from the list 5 Click Statistics ...

Page 444: ...t or the web interface to communicate directly with the Commander through its IP address and then use the Commander to manage Member switches through the cluster s internal IP addresses Clustered switches must be in the same Ethernet broadcast domain In other words clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members thr...

Page 445: ...network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander Parameters These parameters are displayed Cluster Status Enables or disables clustering on the switch Default Disabled Commander Status Enables or disables the switch as a cluster Commander Default Disabled IP Pool An internal IP address ...

Page 446: ...didate 4 Click Apply Figure 289 Configuring a Switch Cluster Cluster Member Configuration Use the Administration Cluster Configure Member Add page to add Candidate switches to the cluster as Members Parameters These parameters are displayed Member ID Specify a Member ID number for the selected Candidate switch Range 1 36 MAC Address Select a discovered switch MAC address from the Candidate Table o...

Page 447: ...tep list 3 Select Add from the Action list 4 Select one of the cluster candidates discovered by this switch or enter the MAC address of a candidate 5 Click Apply Figure 290 Configuring a Cluster Members To show the cluster members 1 Click Administration Cluster 2 Select Configure Member from the Step list 3 Select Show from the Action list Figure 291 Showing Cluster Members ...

Page 448: ...r Parameters These parameters are displayed Member ID The ID number of the Member switch Range 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Operate Remotely manage a cluster member Web Interfa...

Page 449: ...t a lower cost and than that provided by SONET or EAPS rings ERPS is more economical than EAPS in that only one physical link is required between each node in the ring However since it can tolerate only one break in the ring it is not as robust as EAPS ERPS supports up to 255 nodes in the ring structure ERPS requires a higher convergence time when more that 16 nodes are used but should always run ...

Page 450: ... state but it remains connected in a logical topology When the failed link recovers the traffic is kept blocked on the nodes adjacent to the recovered link The nodes adjacent to the recovered link transmit R APS NR no request message indicating they have no local request When the RPL owner receives an R APS NR message it starts the Wait To Recover WTR timer Once WTR timer expires the RPL owner blo...

Page 451: ... respectively There is no restriction on which ring link on an ring may be set as the RPL For example the RPL of ERP1 could be set as the link between ring node C and D Ring nodes C and D that are common to both ERP1 and ERP2 are called interconnection nodes The ring link between the interconnection nodes are controlled and protected by the ring it belongs to In the example for the Normal Conditio...

Page 452: ...connectivity among all ring nodes until the failure is recovered 4 Configure ERPS timers Configure Domain Configure Details Set the Guard timer to prevent ring nodes from receiving outdated R APS messages the Hold off timer to filter out intermittent link faults and the WTR timer to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure 5 Configure the ERP...

Page 453: ...apply to ERPS The switch supports up to six ERPS rings each ring must have one Control VLAN and at most 255 Data VLANs Ring ports can not be a member of a trunk nor an LACP enabled port Dynamic VLANs are not supported as protected data ports Exclusive use of STP or ERPS on any port The switch takes about 350 ms to detect link up on 1000Base T copper ports so the convergence time on this port type ...

Page 454: ...N and one or more protected Data VLANs must be configured and the global ERPS function enabled on the switch see ERPS Global Configuration on page 453 before a ring can start running Once enabled the RPL owner node and non owner node state machines will start and the ring will enter the active state Limitations When configuring a ring port note that these ports cannot be part of a spanning tree no...

Page 455: ...ype Shows node type as None RPL Owner or RPL Neighbor Revertive Shows if revertive or non revertive recovery is selected W E Shows information on the west and east ring port for this node West Port Shows the west ring port for this node East Port Shows the east ring port for this node Interface The port or trunk which is configured as a ring port Port State The operational state Blocking The trans...

Page 456: ...the global ERPS function should be enabled see ERPS Global Configuration on page 453 the east and west ring ports configured on each node the RPL owner specified and the control VLAN configured Once enabled the RPL owner node and non owner node state machines will start and the ring will enter idle state if no signal failures are detected Version Specifies compatibility with the following ERPS ver...

Page 457: ...156 add the ring ports for the east and west interface as tagged members to this VLAN see Adding Static Members to VLANs on page 159 and then use this parameter to add it to the ring The following restrictions are recommended to avoid creating a loop in the network or other problems which may occur under some situations The Control VLAN must not be configured as a Layer 3 interface with an IP addr...

Page 458: ...t is set as being connected to the RPL Note that is not mandatory to declare a RPL neighbor Revertive Sets the method of recovery to Idle State through revertive or non revertive mode Default Enabled Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages Non revertive behavior for Protection Forced Switch F...

Page 459: ...eptance of the R APS NR RB message causes all ring nodes to unblock any blocked non RPL link that does not have an SF condition If it is an R APS NR RB message without a DNF do not flush indication all ring nodes flush the FDB Recovery with Non revertive Mode In non revertive operation the ring does not automatically revert when all ring links and ring nodes have recovered and no external requests...

Page 460: ...mer expires in the absence of any other higher priority request the RPL Owner Node initiates reversion by blocking the traffic channel over the RPL transmitting an R APS NR RB message over both ring ports informing the ring that the RPL is blocked and flushes the FDB d The acceptance of the R APS NR RB message causes all ring nodes to unblock any blocked non RPL that does not have an SF condition ...

Page 461: ...RB message or when another higher priority request is received If the ring node where the Manual Switch was cleared receives an R APS NR message with a Node ID higher than its own Node ID it unblocks any ring port which does not have an SF condition and stops transmitting R APS NR message on both ring ports Recovery with revertive mode is handled as follows a The RPL Owner Node upon reception of a...

Page 462: ...cal port on a secondary ring must be the west port In other words if a domain has two physical ring ports this ring can only be a major ring not a secondary ring or sub domain which can have only one physical ring port The major domain therefore cannot be set if the east port is already configured Node ID A MAC address unique to the ring node The MAC address must be specified in the format xx xx x...

Page 463: ...al RAPS messages of the sub ring being transported over the virtual channel into the interconnected network can be uniquely distinguished from those of other interconnected ring R APS messages This can be achieved by for example by using separate VIDs for the virtual channels of different sub rings Note that the R APS virtual channel requires a certain amount of bandwidth to forward R APS messages...

Page 464: ...must be configured as 1 If this command is disabled the following strings are used as the node identifier ERPSv1 01 19 A7 00 00 01 ERPSv2 01 19 A7 00 00 Ring ID Propagate TC Enables propagation of topology change messages from a secondary ring to the primary ring Default Disabled When a secondary ring detects a topology change it can pass a message about this event to the major ring When the major...

Page 465: ... when it enters the protection state It does not use the normal procedure of waiting to receive an R APS NR no request message from nodes adjacent to the recovered link Instead it waits to see if the non standard health check packets loop back If they do indicating that the fault has been resolved the RPL will be blocked After blocking the RPL the owner node will still transmit an R APS NR RB ring...

Page 466: ...process When recovering from an FS or MS command the delay timer must be long enough to receive any latent remote FS or MS commands This delay timer called the WTB timer is defined to be 5 seconds longer than the guard timer This is enough time to allow a reporting ring node to transmit two R APS messages and allow the ring to identify the latent condition This delay timer is activated on the RPL ...

Page 467: ... is allowed transmission reception and forwarding of R APS messages is allowed Unknown The interface is not in a known state Local SF Shows if a signal fault exists on a link to the local node Local FS Shows if a forced switch command was issued on this interface Local MS Shows if a manual switch command was issued on this interface MEP Specifies the CCM MEPs used to monitor the link on a ring nod...

Page 468: ...meters for a ring 1 Click Administration ERPS 2 Select Configure Domain from the Step list 3 Select Configure Details from the Action list 4 Configure the ERPS parameters for this node Note that spanning tree protocol cannot be configured on the ring ports nor can these ports be members of a static or dynamic trunk And the control VLAN must be unique for each ring Adjust the protocol timers as req...

Page 469: ...net Ring Protection Switching 469 Figure 301 Creating an ERPS Ring To show the configured ERPS rings 1 Click Administration ERPS 2 Select Configure Domain from the Step list 3 Select Show from the Action list Figure 302 Showing Configured ERPS Rings ...

Page 470: ...he R APS FS message informs other ring nodes of the FS command and that the traffic channel is blocked on one ring port c A ring node accepting an R APS FS message without any local higher priority requests unblocks any blocked ring port This action subsequently unblocks the traffic channel over the RPL d The ring node accepting an R APS FS message without any local higher priority requests stops ...

Page 471: ...tate because the FS command can only be cleared at node where the FS command was issued This results in an unrecoverable FS condition When performing a maintenance procedure e g replacing upgrading on a ring node or a ring link it is recommended that FS commands be issued at the two adjacent ring nodes instead of directly issuing a FS command at the ring node under maintenance in order to avoid fa...

Page 472: ... the ring node was in Idle state before the manual switch command was issued the ring node flushes its local FDB d A ring node accepting an R APS MS message without any local higher priority requests unblocks any blocked ring port which does not have an SF condition This action subsequently unblocks the traffic channel over the RPL e A ring node accepting an R APS MS message without any local high...

Page 473: ...steps are required to make a ring operating in non revertive mode return to Idle state from forced switch or manual switch state 1 Issue a Clear command to remove the forced switch command on the node where a local forced switch command is active 2 Issue a Clear command on the RPL owner node to trigger the reversion The Clear command will also stop the WTR and WTB delay timers and reset their valu...

Page 474: ...cross check messages which are used to verify a static list of remote maintenance points located on other devices in the same maintenance association against those found through continuity check messages Fault verification is supported using loop back messages and fault isolation with link trace messages Fault notification is also provided by SNMP alarms which are automatically generated by mainte...

Page 475: ...Domain with DSAPs located on the domain boundary and Internal Service Access Points ISAPs inside the domain through which frames may pass between the DSAPs Figure 304 Single CFM Maintenance Domain The figure below shows four maintenance associations contained within a hierarchical structure of maintenance domains At the innermost level there are two operator domains which include access points mar...

Page 476: ...d when a known MEP stops sending CCMs or a remote MEP configured in a static list does not come up Configuration errors such as a cross connect between different MAs are indicated when a CCM is received with an incorrect MA identifier or maintenance level Loopback messages are used for fault verification These messages can be sent using the MAC address of any destination MEP within the same MA If ...

Page 477: ... static list of MEPs assigned to other devices within the same maintenance association using the Remote MEP List see Configuring Remote Maintenance End Points This allows CFM to automatically verify the functionality of these remote end points by cross checking the static list configured on this device against information learned through continuity check messages 5 Enable CFM globally on the switc...

Page 478: ...maximum delay that a device waits for remote MEPs to come up before starting the cross check operation Range 1 65535 seconds Default 10 seconds This parameter sets the time to wait for a remote MEP to come up and the switch starts cross checking the list of statically configured remote MEPs in the local maintenance domain Configure Remote MEP page see Configuring Remote Maintenance End Points agai...

Page 479: ...nds a trap if this device receives a CCM with the same source MAC address and MPID as its own indicating that a forwarding loop exists Connectivity Check MEP Down Sends a trap if this device loses connectivity with a remote maintenance end point MEP or connectivity has been restored to a remote MEP which has recovered from an error condition Connectivity Check MEP Up Sends a trap if a remote MEP i...

Page 480: ...n CFM 2 Select Configure Global from the Step list 3 Before enabling CFM processing on the switch first configure the required CFM domains maintenance associations and static MEPs Then set the delay time to wait for a remote MEP comes up before the switch starts cross checking the end points learned through CCMs against those stored in the static list 4 Adjust the parameters for the link trace cac...

Page 481: ...eleased and all CFM frames entering that interface are forwarded as normal data traffic Web Interface To enable CFM on an interface 1 Click Administration CFM 2 Select Configure Interface from the Step list 3 Select Port or Trunk 4 Enable CFM on the required interface 5 Click Apply Figure 307 Configuring Interfaces for CFM Configuring CFM Maintenance Domains Use the Administration CFM Configure MD...

Page 482: ...fault or Explicit and the MIP creation state machine is invoked as defined in IEEE 802 1ag The default option allows MIPs to be created for all interconnection points within an MA regardless of the domain s level in the maintenance hierarchy e g customer provider or operator While the explicit option only generates MIPs within an MA if its associated domain is not at the bottom of the maintenance ...

Page 483: ...fault is resolved Only the highest priority defect currently detected is reported in the fault alarm Priority levels include the following options Parameters These parameters are displayed Creating a Maintenance Domain MD Index Domain index Range 1 65535 Table 32 Remote MEP Priority Levels Priority Level Level Name Description 1 allDef All defects 2 macRemErrXcon DefMACstatus DefRemoteCCM DefError...

Page 484: ...e 1 65535 MEP Archive Hold Time The time that data from a missing MEP is retained in the continuity check message CCM database before being purged Range 1 65535 minutes Default 100 minutes A change to the hold time only applies to entries stored in the database after this attribute is changed MEP Fault Notify Lowest Priority The lowest priority defect that is allowed to generate a fault alarm Rang...

Page 485: ...domains 1 Click Administration CFM 2 Select Configure MD from the Step list 3 Select Show from the Action list Figure 309 Showing Maintenance Domains To configure detailed settings for maintenance domains 1 Click Administration CFM 2 Select Configure MD from the Step list 3 Select Configure Details from the Action list 4 Select an entry from the MD Index 5 Specify the MEP archive hold and MEP faul...

Page 486: ... Maintenance End Points on page 490 An MA must be defined before any associated DSAPs or remote MEPs can be assigned see Configuring Remote Maintenance End Points on page 492 Multiple domains at the same maintenance level cannot have an MA on the same VLAN see Configuring CFM Maintenance Domains on page 481 Before removing an MA first remove the MEPs assigned to it see Configuring Maintenance End ...

Page 487: ...to be used Parameters These parameters are displayed Creating a Maintenance Association MD Index Domain index Range 1 65535 MA Index MA identifier Range 1 2147483647 MA Name MA name Range 1 4315 alphanumeric characters Each MA name must be unique within the CFM domain Primary VLAN Service VLAN ID Range 1 4094 This is the VLAN through which all CFM functions are executed for this MA MIP Creation Ty...

Page 488: ...mote MEPs that exist on other devices inside the maintenance association using the Remote MEP List see Configuring Remote Maintenance End Points These remote MEPs are used in the cross check operation to verify that all endpoints in the specified MA are operational The cross check start delay which sets the maximum delay this device waits for a remote MEP to come up before starting the cross check...

Page 489: ...Click Apply Figure 311 Creating Maintenance Associations To show the configured maintenance associations 1 Click Administration CFM 2 Select Configure MA from the Step list 3 Select Show from the Action list 4 Select an entry from the MD Index list Figure 312 Showing Maintenance Associations To configure detailed settings for maintenance associations 1 Click Administration CFM 2 Select Configure M...

Page 490: ...rvice Access Points DSAPs must be configured at the domain boundary to provide management access for each maintenance association Command Usage CFM elements must be configured in the following order 1 maintenance domain at the same level as the MEP to be configured see Configuring CFM Maintenance Domains 2 maintenance association within the domain see Configuring CFM Maintenance Associations and 3...

Page 491: ... and transmits CFM messages towards and receives them from the direction of the physical medium Interface Indicates a port or trunk Web Interface To configure a maintenance end point 1 Click Administration CFM 2 Select Configure MEP from the Step list 3 Select Add from the Action list 4 Select an entry from MD Index and MA Index 5 Specify the MEPs assigned to each MA set the MEP identifier the dir...

Page 492: ...ommand Usage All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross check process Remote MEPs can only be configured if local domain service access points DSAPs have already been created see Configuring Maintenance End Points at the same maintenance level and in the same MA DSAPs are MEPs that exist on the...

Page 493: ...onfigure a remote maintenance end point 1 Click Administration CFM 2 Select Configure Remote MEP from the Step list 3 Select Add from the Action list 4 Select an entry from MD Index and MA Index 5 Specify the remote MEPs which exist on other devices within the same MA 6 Click Apply Figure 316 Configuring Remote Maintenance End Points To show the configured remote maintenance end points 1 Click Adm...

Page 494: ...e target MEP LTMs are sent as multicast CFM frames and forwarded from MIP to MIP with each MIP generating a link trace reply up to the point at which the LTM reaches its destination or can no longer be forwarded LTMs are used to isolate faults However this task can be difficult in an Ethernet environment since each node is connected through multipoint links Fault isolation is even more challenging...

Page 495: ... remote MEP that is the target of a link trace message This address can be entered in either of the following formats xx xx xx xx xx xx or xxxxxxxxxxxx TTL The time to live of the link trace message Range 0 255 hops Web Interface To transmit link trace messages 1 Click Administration CFM 2 Select Transmit Link Trace from the Step list 3 Select an entry from MD Index and MA Index 4 Specify the sour...

Page 496: ...successful restoration or initiation of connectivity The receiving maintenance point should respond to the loop back message with a loopback reply The point from which the loopback message is transmitted i e a local DSAP and the target maintenance point must be within the same MA If the continuity check database does not have an entry for the specified maintenance point an error message will be di...

Page 497: ...x xx or xxxxxxxxxxxx Count The number of times the loopback message is sent Range 1 1024 Packet Size The size of the loopback message Range 64 1518 bytes Default 64 bytes Web Interface To transmit loopback messages 1 Click Administration CFM 2 Select Transmit Loopback from the Step list 3 Select an entry from MD Index and MA Index 4 Specify the source MEP the target MEP using either its MEP identi...

Page 498: ...formation with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of receiving a frame with DM request information and TxTimeStampb Timestamp at the time of transmitting a frame with DM reply information Frame Delay RxTimeStampb TxTimeStampf TxTimeStampb RxTimeStampf The MEP can also make two way frame delay variation measurements based on its ability to calcula...

Page 499: ...meout to wait for a response Range 1 5 seconds Default 5 seconds Web Interface To transmit delay measure messages 1 Click Administration CFM 2 Select Transmit Delay Measure from the Step list 3 Select an entry from MD Index and MA Index 4 Specify the source MEP the target MEP using either its MEP identifier or MAC address set the number of times the delay measure message is to be sent the interval...

Page 500: ...tch and transmits CFM messages towards and receives them from the direction of the physical medium Up indicates that the MEP faces inward toward the switch cross connect matrix and transmits CFM messages towards and receives them from the direction of the internal bridge relay mechanism Primary VLAN Service VLAN ID Interface Physical interface of this entry either a port or trunk CC Status Shows a...

Page 501: ...h the MEP faces on the Bridge port up or down Interface The port to which this MEP is attached CC Status Shows if the MEP will generate CCM messages MAC Address MAC address of the local maintenance point If a CCM for the specified remote MEP has never been received or the local MEP record times out the address will be set to the initial value of all Fs Defect Condition Shows the defect detected on...

Page 502: ...nformation following the detection of defect conditions Web Interface To show detailed information for the MEPs configured on this device 1 Click Administration CFM 2 Select Show Information from the Step list 3 Select Show Local MEP Details from the Action list 4 Select an entry from MD Index and MA Index 5 Select a MEP ID Figure 322 Showing Detailed Information on Local MEPs ...

Page 503: ...ntenance Domains Parameters These parameters are displayed MD Name Maintenance domain name Level Authorized maintenance level for this domain MA Name Maintenance association name Primary VLAN Service VLAN ID Interface Physical interface of this entry either a port or trunk Web Interface To show information for the MIPs discovered by the CFM protocol 1 Click Administration CFM 2 Select Show Informa...

Page 504: ... identifier MA Name Maintenance association name Level Authorized maintenance level for this domain Primary VLAN Service VLAN ID MEP Up Indicates whether or not this MEP is functioning normally Remote MAC Address MAC address of the remote maintenance point If a CCM for the specified remote MEP has never been received or the remote MEP record times out the address will be set to the initial value o...

Page 505: ...for this domain MAC Address MAC address of this MEP entry Primary VLAN Service VLAN ID Incoming Port Port to which this remote MEP is attached CC Lifetime Length of time to hold messages about this MEP in the CCM database Age of Last CC Message Length of time the last CCM message about this MEP has been in the CCM database Frame Loss Percentage of transmitted frames lost CC Packet Statistics The n...

Page 506: ...me external event Not Present Some component of the interface is missing isLowerLayerDown The interface is down due to state of the lower layer interfaces Crosscheck Status Shows if crosscheck function has been enabled Web Interface To show detailed information for remote MEPs 1 Click Administration CFM 2 Select Show Information from the Step list 3 Select Show Remote MEP Details from the Action l...

Page 507: ...n MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port s MAC_Operational parameter to be false IngBlocked The ingress port can be identified but the target data frame was not forwarded when received on this port due to active topology management i e the bridge port is not in the forwarding state IngVid The ingress port is not in the member set ...

Page 508: ...Notification Generator page to display configuration settings for the fault notification generator Parameters These parameters are displayed MEP ID Maintenance end point identifier MD Name Maintenance domain name MA Name Maintenance association name Highest Defect The highest defect that will generate a fault alarm This is disabled by default Lowest Alarm The lowest defect that will generate a fau...

Page 509: ...r was recorded Remote MAC MAC address of remote MEP Reason Error types include LEAK MA x is associated with a specific VID list17 one or more of the VIDs in this MA can pass through the bridge port no MEP is configured facing outward down on any bridge port for this MA and some other MA y at a higher maintenance level and associated with at least one of the VID s also in MA x does have a MEP confi...

Page 510: ...owing Continuity Check Errors OAM Configuration The switch provides OAM Operation Administration and Maintenance remote management tools required to monitor and maintain the links to subscriber CPEs Customer Premise Equipment This section describes functions including enabling OAM for selected ports loopback testing and displaying remote device information Enabling OAM on Local Ports Use the Admin...

Page 511: ... 34 OAM Operation State State Description Disabled OAM is disabled on this interface via the OAM Admin Status Link Fault The link has detected a fault or the interface is not operational Passive Wait This value is returned only by OAM entities in passive mode and indicates the OAM entity is waiting to see if the peer device is OAM capable Active Send Local This value is used by active mode devices...

Page 512: ...ink event occurs the local OAM entity this switch sends an Event Notification OAMPDU to the remote OAM entity The Errored Frame Event TLV includes the number of errored frames detected during the specified period Status Enables reporting of errored frame link events Default Enabled Window Size The period of time in which to check the reporting threshold for errored frame link events Range 10 65535...

Page 513: ... display statistics for the various types of OAM messages passed across each port Parameters These parameters are displayed Port Port identifier Range 1 28 Clear Clears statistical counters for the selected ports OAMPDU Message types transmitted and received by the OAM protocol including Information OAMPDUs unique Event OAMPDUs Loopback Control OAMPDUs and Organization Specific OAMPDUs ...

Page 514: ...urs no matter whether the location is local or remote this information is entered in OAM event log When the log system becomes full older events are automatically deleted to make room for new entries The time of locally generated events can be accurately retrieved from the sysUpTime variable For remotely generated events the time of an event is indicated by the reception of an Event Notification O...

Page 515: ...upported by the OAM peer If supported this indicates that the OAM entity supports the transmission of OAMPDUs on links that are operating in unidirectional mode where traffic flows in one direction only Some newer physical layer devices support the optional ability to encode and transmit data while one direction of the link is non operational This function allows OAM remote fault indication during...

Page 516: ...cted to a peer OAM device capable of entering into OAM remote loop back mode During a remote loop back test the remote OAM entity loops back every frame except for OAMPDUs and pause frames OAM remote loopback can be used for fault localization and link performance testing Statistics from both the local and remote DTE can be queried and compared at any time during loop back testing To perform a loo...

Page 517: ...e percentage of packets for which there was no response Web Interface To initiate a loop back test to the peer device attached to the selected port 1 Click Administration OAM Remote Loop Back 2 Select Remote Loopback Test from the Action list Table 35 Remote Loopback Status State Description No Loopback Operating in normal mode with no loopback in progress Initiating Loopback The local OAM entity ...

Page 518: ... back testing for each port for which this information is available Parameters These parameters are displayed Port Port identifier Range 1 28 Packets Transmitted The number of loop back frames transmitted during the last loop back test on this interface Packets Received The number of loop back frames received during the last loop back test on this interface Loss Rate The percentage of packets tran...

Page 519: ...for your specific environment The shutdown mode may also need to be changed once you determine what kind of packets are being looped back General loopback detection provided by the commands described in this section and loopback detection provided by the spanning tree protocol cannot both be enabled at the same time If loopback detection is enabled for the spanning tree protocol general loopback d...

Page 520: ...a fixed value of Mfast 7 seconds If the link is instead deemed bidirectional the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady state transmissions Mslow is the value configured by this command Detection Interval Sets the amount of time the switch remains in detection state after discovering a neighbor Range 5 255...

Page 521: ...eters These parameters are displayed Port Port identifier Range 1 28 UDLD Enables UDLD on a port Default Disabled UDLD requires that all the devices connected to the same LAN segment be running the protocol in order for a potential mis configuration to be detected and for prompt corrective action to be taken Whenever a UDLD device learns about a new neighbor or receives a resynchronization request...

Page 522: ...or the same extended period of time as that mentioned above for normal mode and subsequently fails repeated last resort attempts to re establish communication with the other end of the link This mode of operation assumes that loss of communication with the neighbor is a meaningful network event in itself and a symptom of a serious connectivity problem Because this type of detection can be event le...

Page 523: ...yed Port Port identifier Range 1 28 Entry Table entry number uniquely identifying the neighbor device discovered by UDLD on a port interface Device ID Device identifier of neighbor sending the UDLD packet Port ID The physical port the UDLD packet is sent from Device Name The device name of this neighbor Neighbor State Link status of neighbor device Values unknown neighborsEchoIsEmpty bidirectional...

Page 524: ...tration Protocols UDLD Configuration 524 Web Interface To display UDLD neighbor information 1 Click Administration UDLD Show Information 2 Select an interface from the Port list Figure 337 Displaying UDLD Neighbor Information ...

Page 525: ...or IPv6 Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation Overview Multicasting is used to support real time applications such as video conferencing or streaming audio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the netw...

Page 526: ...e that it will continue to receive the multicast service The purpose of IP multicast filtering is to optimize a switched network s performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers switches instead of flooding traffic to all ports in the subnet VLAN You can also configure a single network wide multicast VLAN shared by hosts...

Page 527: ...s in the Exclude list and forwarded from all other available sources Note When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN Note IGMP snooping will not function unless a multicast router port is enabled on the switch This can accomplished in one of two ways A...

Page 528: ...switch forwards multicast traffic only to the ports that request it This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance Command Usage IGMP Snooping This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers switches and IP multicast host groups to identify the IP multicast group members It si...

Page 529: ...y when the last member leaves a multicast group and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device When proxy reporting is disabled all IGMP reports received by the switch are forwarded natively to the upstream multicast routers TCN Flood Enables flooding of multicast traffic if a spanning tree topology change ...

Page 530: ...this solicitation it floods it to all ports in the VLAN where the spanning tree change occurred When an upstream multicast router receives this solicitation it immediately issues an IGMP general query A query solicitation can be sent whenever the switch notices a topology change even if it is not the root bridge in spanning tree Router Alert Option Discards any IGMPv2 v3 packets that do not includ...

Page 531: ...nnels via the new upstream interface This command only applies when proxy reporting is enabled Router Port Expire Time The time the switch waits after the previous querier stops before it considers it to have expired Range 1 65535 Recommended Range 300 500 seconds Default 300 IGMP Snooping Version Sets the protocol version for compatibility with other devices on the network This is the IGMP Versio...

Page 532: ...runk on the switch the interface and a specified VLAN can be manually configured to join all the current multicast groups supported by the attached router This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch Command Usage IGMP Snooping must be enabled globally on the switch see Configuring IGMP Snooping and Query Parameters on page 528 before a multi...

Page 533: ...ry is static or dynamic Expire Time until this dynamic entry expires Web Interface To specify a static interface attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select Add Static Multicast Router from the Action list 3 Select the VLAN which will forward all the corresponding multicast traffic and select the port or trunk attached to the multicast router 4 Click Ap...

Page 534: ...elect Current Multicast Router from the Action list 3 Select the VLAN for which to display this information Ports in the selected VLAN which are attached to a neighboring multicast router switch are displayed Figure 342 Showing Current Interfaces Attached a Multicast Router Assigning Interfaces to Multicast Services Use the Multicast IGMP Snooping IGMP Member Add Static Member page to statically a...

Page 535: ...is to propagate the multicast service Range 1 4094 Interface Activates the Port or Trunk scroll down list Port or Trunk Specifies the interface assigned to a multicast group Multicast IP The IP address for a specific multicast service Web Interface To statically assign an interface to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Add Static Member from the Action list 3 ...

Page 536: ... this information Figure 344 Showing Static Interfaces Assigned to a Multicast Service To show the all interfaces attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select Current Multicast Router from the Action list 3 Select the VLAN for which to display this information Ports in the selected VLAN which are attached to a neighboring multicast router switch are disp...

Page 537: ...r multicast routers is insufficient due to query suppression MRD therefore provides a standardized way to identify multicast routers without relying on any particular multicast routing protocol Note The default values recommended in the MRD draft are implemented in the switch Multicast Router Discovery uses the following three message types to discover multicast routers Multicast Router Advertisem...

Page 538: ...of packet is only forwarded to known multicast routing ports Parameters These parameters are displayed VLAN ID of configured VLANs Range 1 4094 IGMP Snooping Status When enabled the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic This is referred to as IGMP Snooping Default Enabled When IGMP snooping is enabled globally...

Page 539: ...n IGMPv2 v3 leave message is received But will check if there are other hosts joining the multicast group Only when all hosts on that port leave the group will the member port be deleted Multicast Router Discovery MRD is used to discover which interfaces are attached to multicast routers Default Disabled General Query Suppression Suppresses general queries except for ports attached to downstream m...

Page 540: ...ries Range 2 31744 seconds Default 125 seconds An IGMP general query message is sent by the switch at the interval specified by this attribute When this message is received by downstream hosts all receivers build an IGMP report for the multicast groups they have joined This attribute applies when the switch is serving as the querier page 528 or as a proxy host when IGMP snooping proxy reporting is...

Page 541: ...es a null IP address of 0 0 0 0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier but is only proxying these messages as defined in RFC 4541 The switch also uses a null address in IGMP reports sent to upstream ports Many hosts do not implement RFC 4541 and therefore do not understand query messages with the source address of ...

Page 542: ...ry for IPv4 542 Figure 346 Configuring IGMP Snooping on a VLAN To show the interface settings for IGMP snooping 1 Click Multicast IGMP Snooping Interface 2 Select Show VLAN Information from the Action list Figure 347 Showing Interface Settings for IGMP Snooping ...

Page 543: ...e specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier Multicast Data Drop Configures an interface to stop multicast services from being forwarded to users attached to the downstream port i e the interfaces specified by this command Web Interface To drop IGMP query packets or multicast data packets 1 Click Multicas...

Page 544: ...p Address IP multicast group address with subscribers directly attached or downstream from the switch or a static multicast group assigned to this interface Interface A downstream port or trunk that is receiving traffic for the specified multicast group This field may include both dynamically and statically configured multicast router ports Up Time Time that this multicast group has been known Exp...

Page 545: ...local querier is assumed to have expired Self Querier Uptime Time local querier has been up General Query Received The number of general queries received on this interface General Query Sent The number of general queries sent from this interface Specific Query Received The number of specific queries received on this interface Specific Query Sent The number of specific queries sent from this interf...

Page 546: ...a report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or IGMP group report received Join Success The number of times a multicast group was successfully joined Group The number of IGMP groups active on this interface Output Statistics Report The number of IGMP membership reports sent from this interface Leave The number of leave me...

Page 547: ...ng and Query for IPv4 547 Figure 350 Displaying IGMP Snooping Statistics Query To display IGMP snooping protocol related statistics for a VLAN 1 Click Multicast IGMP Snooping Statistics 2 Select Show VLAN Statistics from the Action list 3 Select a VLAN ...

Page 548: ...Figure 351 Displaying IGMP Snooping Statistics VLAN To display IGMP snooping protocol related statistics for a port 1 Click Multicast IGMP Snooping Statistics 2 Select Show Port Statistics from the Action list 3 Select a Port Figure 352 Displaying IGMP Snooping Statistics Port ...

Page 549: ...ofile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set...

Page 550: ...r the start and end of the range Parameters These parameters are displayed Add Profile ID Creates an IGMP profile Range 1 4294967295 Access Mode Sets the access mode of the profile either permit or deny Default Deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are...

Page 551: ...e and set its access mode 5 Click Apply Figure 354 Creating an IGMP Filtering Profile To show the IGMP filter profiles 1 Click Multicast IGMP Snooping Filter 2 Select Configure Profile from the Step list 3 Select Show from the Action list Figure 355 Showing the IGMP Filtering Profiles Created To add a range of multicast groups to an IGMP filter profile 1 Click Multicast IGMP Snooping Filter 2 Sele...

Page 552: ...nformation Figure 357 Showing the Groups Assigned to an IGMP Filtering Profile Configuring IGMP Filtering and Throttling for Interfaces Use the Multicast IGMP Snooping Filter Configure Interface page to assign and IGMP filter profile to interfaces on the switch or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time Command Usage I...

Page 553: ...t the same time Range 1 1024 Default 1024 Current Multicast Groups Displays the current multicast groups the interface has joined Throttling Action Mode Sets the action to take when the maximum number of multicast groups for the interface has been exceeded Default Deny Deny The new multicast group join report is dropped Replace The new multicast group replaces an existing group Throttling Status I...

Page 554: ...kets include MLDv2 query and report messages as well as MLDv1 report and done messages Remember that IGMP Snooping and MLD Snooping are independent functions and can therefore both function at the same time Configuring MLD Snooping and Query Parameters Use the Multicast MLD Snooping General page to configure the switch to forward multicast traffic intelligently Based on the MLD query and report me...

Page 555: ...he multicast groups they have joined Query Max Response Time The maximum response time advertised in MLD general queries Range 5 25 seconds Default 10 seconds This attribute controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member Router Port Expiry Time The time the switch waits after the previous querier stops before it consid...

Page 556: ...the parent VLAN Default Disabled If MLD immediate leave is not used a multicast router or querier will send a group specific query message when an MLD group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period If MLD immediate leave is enabled the switch assumes that only one host is connected ...

Page 557: ...e current multicast groups Command Usage MLD Snooping must be enabled globally on the switch see Configuring MLD Snooping and Query Parameters on page 554 before a multicast router port can take effect Parameters These parameters are displayed VLAN Selects the VLAN which is to propagate all IPv6 multicast traffic coming from the attached multicast router Range 1 4094 Interface Activates the Port o...

Page 558: ...3 Select the VLAN for which to display this information Figure 362 Showing Static Interfaces Attached an IPv6 Multicast Router To show all the interfaces attached to a multicast router 1 Click Multicast MLD Snooping Multicast Router 2 Select Current Multicast Router from the Action list 3 Select the VLAN for which to display this information Ports in the selected VLAN which are attached to a neigh...

Page 559: ...nly be forwarded to ports within that VLAN Parameters These parameters are displayed VLAN Specifies the VLAN which is to propagate the multicast service Range 1 4094 Multicast IPv6 Address The IP address for a specific multicast service Interface Activates the Port or Trunk scroll down list Port or Trunk Specifies the interface assigned to a multicast group Type Show Current Member Shows if this m...

Page 560: ... 3 Select the VLAN for which to display this information Figure 365 Showing Static Interfaces Assigned to an IPv6 Multicast Service To display information about all IPv6 multicast groups MLD Snooping or multicast routing must first be enabled on the switch To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service 1 Click Multicast MLD Snooping MLD Member 2 Selec...

Page 561: ...dress to a minimum set such that all nodes listening states are respected In Include mode the router only uses the request list indicating that the reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the hosts source list In Exclude mode the router uses both the request list and exclude list indicating that the reception of packet...

Page 562: ...ce provider s network Any multicast traffic entering an MVR VLAN is sent to all attached subscribers This protocol can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN This makes it possible to support common multicast services over a wide part of the network without having to use any multicast routing proto...

Page 563: ...s you can statically bind the multicast group to the participating interfaces see Assigning Static MVR Multicast Groups to Interfaces on page 572 Although MVR operates on the underlying mechanism of IGMP snooping the two features operate independently of each other One can be enabled or disabled without affecting the behavior of the other However if IGMP snooping and MVR are both enabled MVR react...

Page 564: ...ces which require MVR proxy service When the source port receives report and leave messages it only forwards them to other source ports When receiver ports receive any query messages they are dropped When changes occurring in the downstream MVR groups are learned by the receiver ports through report and leave messages an MVR state change report is created and sent to the upstream source port which...

Page 565: ... multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address This is the default setting Dynamic When dynamic mode is enabled the switch only forwards multicast streams which the source port has dynamically joined In other words both the receiver port and source port must subscribe to a multicast group before a ...

Page 566: ...ons in the MVR environment are satisfied Running status is Active as long as MVR is enabled the specified MVR VLAN exists and a source port with a valid link has been configured see Configuring MVR Interface Status on page 570 MVR Current Learned Groups The number of MVR groups currently assigned to this domain Forwarding Priority The CoS priority assigned to all multicast traffic forwarded into t...

Page 567: ...t have registered to receive data from that multicast group The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x IGMP snooping and MVR share a maximum number of 1024 groups Any multicast streams received in excess of this limitation will be flooded to all ports in the associa...

Page 568: ... MVR 2 Select Configure Profile from the Step list 3 Select Add from the Action list 4 Enter the name of a group profile to be assigned to one or more domains and specify a multicast group that will stream traffic to participating hosts 5 Click Apply Figure 371 Configuring an MVR Group Address Profile To show the configured MVR group address profiles 1 Click Multicast MVR 2 Select Configure Profil...

Page 569: ...m the Action list 4 Select a domain from the scroll down list and enter the name of a group profile 5 Click Apply Figure 373 Assigning an MVR Group Address Profile to a Domain To show the MVR group address profiles assigned to a domain 1 Click Multicast MVR 2 Select Associate Profile from the Step list 3 Select Show from the Action list Figure 374 Showing the MVR Group Address Profiles Assigned to...

Page 570: ...ote that VLAN membership for MVR receiver ports cannot be set to access mode see Adding Static Members to VLANs on page 159 One or more interfaces may be configured as MVR source ports A source port is able to both receive and send data for configured MVR groups or for groups which have been statically assigned see Assigning Static MVR Multicast Groups to Interfaces on page 572 All source ports mu...

Page 571: ...ps to Interfaces on page 572 Non MVR An interface that does not participate in the MVR VLAN This is the default type Forwarding Status Shows if MVR traffic is being forwarded or discarded MVR Status Shows the MVR status MVR status for source ports is Active if MVR is globally enabled on the switch MVR status for receiver ports is Active only if there are subscribers receiving multicast traffic fro...

Page 572: ...5 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Only IGMP version 2 or 3 hosts can issue multicast join or leave messages If MVR must be configured for an IGMP version 1 host the multicast groups must be statically assigned The MVR VLAN cannot be specified as the receiver VLAN for static bindings Parameters These p...

Page 573: ...lect an MVR domain 5 Select a VLAN and interface to receive the multicast stream and then enter the multicast group address 6 Click Apply Figure 376 Assigning Static MVR Groups to an Interface To show the static MVR groups assigned to an interface 1 Click Multicast MVR 2 Select Configure Static Group Member from the Step list 3 Select Show from the Action list 4 Select an MVR domain 5 Select the p...

Page 574: ...ay be different from the MVR VLAN if the group address has been statically assigned Port Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Up Time Time this service has been forwarded to attached clients Expire Time before this entry expires if no membership report is received from currently active or new clients Count The number of multicast services curre...

Page 575: ...tifier Range 1 16 Query Statistics Querier IP Address The IP address of the querier on this interface Querier Expire Time The time after which this querier is assumed to have expired General Query Received The number of general queries received on this interface General Query Sent The number of general queries sent from this interface Specific Query Received The number of specific queries received...

Page 576: ...ce Drop The number of times a report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or MVR group report received Join Success The number of times a multicast group was successfully joined Group The number of MVR groups active on this interface Output Statistics Report The number of IGMP membership reports sent from this interface Le...

Page 577: ...or IPv4 577 Web Interface To display statistics for MVR query related messages 1 Click Multicast MVR 2 Select Show Statistics from the Step list 3 Select Show Query Statistics from the Action list 4 Select an MVR domain Figure 379 Displaying MVR Statistics Query ...

Page 578: ...r IPv4 578 To display MVR protocol related statistics for a VLAN 1 Click Multicast MVR 2 Select Show Statistics from the Step list 3 Select Show VLAN Statistics from the Action list 4 Select an MVR domain 5 Select a VLAN Figure 380 Displaying MVR Statistics VLAN ...

Page 579: ...rt Multicast VLAN Registration for IPv6 MVR6 functions in a manner similar to that described for MRV see Multicast VLAN Registration for IPv4 on page 562 Command Usage General Configuration Guidelines for MVR6 1 Enable MVR6 for a domain on the switch and select the MVR VLAN see Configuring MVR6 Domain Settings on page 582 2 Create an MVR6 profile by specifying the multicast groups that will stream...

Page 580: ... source port performs only the host portion of MVR by sending summarized membership reports and automatically disables MVR router functions Receiver ports are known as downstream or router interfaces These interfaces perform the standard MVR router functions by maintaining a database of all MVR subscriptions on the downstream interface Receiver ports must therefore be configured on all downstream ...

Page 581: ...ameters set by a profile or to only forward multicast streams which the source port has dynamically joined Always Forward By default the switch forwards any multicast streams within the address range set by a profile and bound to a domain The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address This is th...

Page 582: ... as members of the MVR6 VLAN see Adding Static Members to VLANs on page 159 but MVR6 receiver ports should not be manually configured as members of this VLAN Default 1 MVR6 Running Status Indicates whether or not all necessary conditions in the MVR6 environment are satisfied Running status is Active as long as MVR6 is enabled the specified MVR6 VLAN exists and a source port with a valid link has b...

Page 583: ...Step list 3 Select a domain from the scroll down list 4 Enable MVR6 for the selected domain select the MVR6 VLAN set the forwarding priority to be assigned to all ingress multicast traffic and set the source IP address for all control packets sent upstream as required 5 Click Apply Figure 383 Configuring Domain Settings for MVR6 Configuring MVR6 Group Address Profiles Use the Multicast MVR6 Config...

Page 584: ...re Profile Profile Name The name of a profile containing one or more MVR6 group addresses Range 1 21 characters Start IPv6 Address Starting IP address for an MVR6 multicast group This parameter must be a full IPv6 address including the network prefix and host address bits End IPv6 Address Ending IP address for an MVR6 multicast group This parameter must be a full IPv6 address including the network...

Page 585: ...cast MVR6 2 Select Configure Profile from the Step list 3 Select Show from the Action list Figure 385 Displaying MVR6 Group Address Profiles To assign an MVR6 group address profile to a domain 1 Click Multicast MVR6 2 Select Associate Profile from the Step list 3 Select Add from the Action list 4 Select a domain from the scroll down list and enter the name of a group profile 5 Click Apply ...

Page 586: ... immediate leave function Command Usage A port configured as an MVR6 receiver or source port can join or leave multicast groups configured under MVR6 A port which is not configured as an MVR receiver or source port can use MLD snooping to join or leave multicast groups using the standard rules for multicast filtering see MLD Snooping Snooping and Query for IPv6 on page 554 Receiver ports can belon...

Page 587: ...ed up leave latency but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface Immediate leave does not apply to multicast groups which have been statically assigned to a port Parameters These parameters are displayed Domain ID An independent multicast domain Range 1 5 Port Trunk Interface identifier ...

Page 588: ...6 1 Click Multicast MVR6 2 Select Configure Interface from the Step list 3 Select an MVR6 domain 4 Click Port or Trunk 5 Set each port that will participate in the MVR6 protocol as a source port or receiver port and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached 6 Click Apply Figure 388 Configuring Interface Settings for MVR6 Assigning Static MVR6 M...

Page 589: ...re displayed Domain ID An independent multicast domain Range 1 5 Interface Port or trunk identifier VLAN VLAN identifier Range 1 4094 Group IPv6 Address Defines a multicast service sent to the selected port Multicast groups must be assigned from the MVR6 group range configured on the Configure General page Web Interface To assign a static MVR6 group to an interface 1 Click Multicast MVR6 2 Select ...

Page 590: ...arameters These parameters are displayed Domain ID An independent multicast domain Range 1 5 Group IPv6 Address Multicast groups assigned to the MVR6 VLAN VLAN The VLAN through which the service is received Note that this may be different from the MVR6 VLAN if the group address has been statically assigned Port Indicates the source address of the multicast service or displays an asterisk if the gr...

Page 591: ...ect an MVR6 domain Figure 391 Displaying MVR6 Receiver Groups Displaying MVR6 Statistics Use the Multicast MVR6 Show Statistics pages to display MVR6 protocol related statistics for the specified interface Parameters These parameters are displayed Domain ID An independent multicast domain Range 1 5 VLAN VLAN identifier Range 1 4094 Port Port identifier Range 1 28 Trunk Trunk identifier Range 1 16 ...

Page 592: ...ce G Query The number of general query messages received on this interface G S S Query The number of group specific or group and source specific query messages received on this interface Drop The number of times a report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or MVR6 group report received Join Success The number of times a m...

Page 593: ... IPv6 593 Web Interface To display statistics for MVR6 query related messages 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show Query Statistics from the Action list 4 Select an MVR6 domain Figure 392 Displaying MVR6 Statistics Query ...

Page 594: ...IPv6 594 To display MVR6 protocol related statistics for a VLAN 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show VLAN Statistics from the Action list 4 Select an MVR6 domain 5 Select a VLAN Figure 393 Displaying MVR6 Statistics VLAN ...

Page 595: ...IPv6 595 To display MVR6 protocol related statistics for a port 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show Port Statistics from the Action list 4 Select an MVR6 domain 5 Select a Port Figure 394 Displaying MVR6 Statistics Port ...

Page 596: ...Chapter 14 Multicast Filtering Multicast VLAN Registration for IPv6 596 ...

Page 597: ... For information on configuring the switch with an IPv6 address see Setting the Switch s IP Address IP Version 6 on page 601 Use the IP General Routing Interface Add Address page to configure an IPv4 address for the switch An IPv4 address is obtained via DHCP by default for VLAN 1 To configure a static address you need to change the switch s default settings to values that are compatible with your...

Page 598: ...ddress DHCP BOOTP responses can include the IP address subnet mask and default gateway Default DHCP IP Address Type Specifies a primary or secondary IP address An interface can have only one primary IP address but can have many secondary IP addresses In other words secondary addresses need to be specified if more than one IP subnet can be accessed through this interface For initial configuration s...

Page 599: ...bnet mask 4 Click Apply Figure 395 Configuring a Static IPv4 Address To obtain an dynamic IPv4 address through DHCP BOOTP for the switch 1 Click IP General Routing Interface 2 Select Add Address from the Action list 3 Select any configured VLAN and set IP Address Mode to BOOTP or DHCP 4 Click Apply to save your changes 5 Then click Restart DHCP to immediately request a new address IP will be enabl...

Page 600: ... specific period of time If the address expires or the switch is moved to another network segment you will lose management access to the switch In this case you can reboot the switch or submit a client request to restart DHCP service via the CLI If the address assigned by DHCP is no longer functioning you will not be able to renew the IP settings via the web interface You can only restart DHCP ser...

Page 601: ...ible over IPv6 for all devices attached to the same local subnet Management traffic using this kind of address cannot be passed by any router outside of the subnet A link local address is easy to set up and may be useful for simple networks or basic troubleshooting tasks However to connect to a larger network with multiple segments the switch must be configured with a global unicast address A link...

Page 602: ...an still define a static route page 647 to ensure that traffic to the designated address or subnet passes through a preferred gateway An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch An IPv6 address must be configured according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit...

Page 603: ...used to facilitate this process are the number of attempts made to verify whether or not a duplicate address exists on the same network segment and the interval between neighbor solicitations used to verify reachability information Parameters These parameters are displayed VLAN Mode VLAN ID of a configured VLAN which is to be used for management access or as a standard interface for a subnet By de...

Page 604: ...TU value in cases where the link MTU is not otherwise well known IPv6 routers do not fragment IPv6 packets forwarded from other routers However traffic originating from an end station connected to an IPv6 router may be fragmented All devices on the same physical medium must use the same MTU in order to operate correctly IPv6 must be enabled on an interface before the MTU can be set If an IPv6 addr...

Page 605: ...rations When a non default value is configured the specified interval is used both for router advertisements and by the router itself ND Reachable Time The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred Range 0 3600000 milliseconds Default 30000 milliseconds is used for neighbor discovery operations 0 milliseconds is advertise...

Page 606: ...own as DHCPv6 stateless autoconfiguration in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts but does assign stateless configuration settings RA Guard Mode Interface Shows port or trunk configuration page RA Guard Blocks incoming Router Advertisement and Router Redirect packets Default Disabled IPv6 Router Advertisements RA convey information that enables nodes to auto confi...

Page 607: ...Add IPv6 Address page Set the MTU size the maximum number of duplicate address detection messages the neighbor solicitation message interval and the amount of time that a remote IPv6 node is considered reachable 6 Click Apply Figure 399 Configuring General Settings for an IPv6 Interface To configure RA Guard for the switch 1 Click IP IPv6 Configuration 2 Select Configure Interface from the Action ...

Page 608: ...lly generate a link local unicast address The prefix length for a link local address is fixed at 64 bits and the host portion of the default address is based on the modified EUI 64 Extended Universal Identifier form of the interface identifier i e the physical MAC address Alternatively you can manually configure the link local address by entering the full address with a network prefix in the range...

Page 609: ...ures an IPv6 global unicast address with a full IPv6 address including the network prefix and host address bits followed by a forward slash and a decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address EUI 64 Extended Universal Identifier Configures an IPv6 address for an interface using an EUI 64 interface ID in the...

Page 610: ...64 interface identifier of 2A 9F 18 FF FE 1C 82 35 This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device as long as those interfaces are attached to different subnets Link Local Configures an IPv6 link local address The address prefix must be in the range of FE80 FEBF You can configure only one link local address per interface The ...

Page 611: ...er the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and join the associated solicited node multicast addresses for every unicast and anycast address it is assigned IPv6 addresses that differ only in the high order bits e g due to multiple high order prefixe...

Page 612: ... state to invalid dis associates the interface identified with this entry from the indicated mapping RFC 4293 Reachable Positive confirmation was received within the last ReachableTime interval that the forward path to the neighbor was functioning While in Reachable state the device takes no special action when sending packets Stale More than the ReachableTime interval has elapsed since the last p...

Page 613: ...ackets if necessary for transmission through small packet networks ICMPv6 Internet Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to report errors in processing IPv6 packets ICMP is therefore an integral part of the Internet Protocol ICMP messages may be used to report various situations such as when a datagram cannot reach its destinati...

Page 614: ...not a valid address to be received at this entity This count includes invalid addresses e g 0 and unsupported addresses e g addresses with unallocated prefixes For entities which are not IPv6 routers and therefore do not forward datagrams this counter includes datagrams discarded because the destination address was not a local address Unknown Protocols The number of locally addressed datagrams rec...

Page 615: ... The number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination but which were discarded e g for lack of buffer space Note that this counter would include datagrams counted in ipv6IfStatsOutForwDatagrams if any such packets met this discretionary discard criterion No Routes The number of input datagrams discarded because no route could b...

Page 616: ...orts received by the interface ICMPv6 Transmitted Output The total number of ICMP messages which this interface attempted to send Note that this counter includes all those counted by icmpOutErrors Destination Unreachable Messages The number of ICMP Destination Unreachable messages sent by the interface Packet Too Big Messages The number of ICMP Packet Too Big messages sent by the interface Time Ex...

Page 617: ...istener Discovery Version 2 Reports The number of MLDv2 reports sent by the interface UDP Statistics Input The total number of UDP datagrams delivered to UDP users No Port Errors The total number of received UDP datagrams for which there was no application at the destination port Other Errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an app...

Page 618: ...Chapter 15 IP Configuration Setting the Switch s IP Address IP Version 6 618 Figure 405 Showing IPv6 Statistics ICMPv6 Figure 406 Showing IPv6 Statistics UDP ...

Page 619: ...e parameters are displayed Web Interface To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Figure 407 Showing Reported MTU Values Table 38 Show MTU display description Field Description MTU Adjusted MTU contained in the ICMP packet too big message returned from this destination and now used for all traffic sent along this path Since Ti...

Page 620: ...Chapter 15 IP Configuration Setting the Switch s IP Address IP Version 6 620 ...

Page 621: ... resolve host names into IP addresses by forwarding DNS queries to the switch and waiting for a response You can manually configure entries in the DNS table used for mapping domain names to IP addresses configure default domain names or specify one or more name servers to use for domain name to address translation Configuring General DNS Service Parameters Use the IP Service DNS General Configure ...

Page 622: ...nfiguring a List of Domain Names Use the IP Service DNS General Add Domain Name page to configure a list of domain names to be tried in sequential order Command Usage Use this page to define a list of domain names that can be appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation If there is no domain list the default domain name is used s...

Page 623: ... the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters Web Interface To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Name from the Action list 3 Enter one domain name at a time 4 Click Apply Figure 409 Configuring a List of Domain Names for DNS To show the list domain names 1 Click IP Service DNS 2 Select Show Domai...

Page 624: ...r the end of the list is reached with no response If all name servers are deleted DNS will automatically be disabled This is done by disabling the domain lookup status Parameters These parameters are displayed Name Server IP Address Specifies the IPv4 or IPv6 address of a domain name server to use for name to address resolution Up to six IP addresses can be added to the name server list Web Interf...

Page 625: ...onnected directly to the attached network or for commonly used resources located elsewhere on the network Parameters These parameters are displayed Host Name Name of a host device that is mapped to one or more IP addresses Range 1 127 characters IP Address IPv4 or IPv6 address es associated with a host name Web Interface To configure static entries in the DNS table 1 Click IP Service DNS Static Ho...

Page 626: ...ia multiple IP addresses If more than one IP address is associated with a host name via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Parameters These parameters are displayed No The entry number for each resource record Flag The flag is always 4 indicating a cache entry and therefore unreliable Type...

Page 627: ...r a VLAN interface Command Usage The class identifier is used identify the vendor class and configuration of the switch to the DHCP server which then uses this information to decide on how to service the client or the type of information to return The general framework for this DHCP option is set out in RFC 2132 Option 60 This information is used to convey configuration settings or other identific...

Page 628: ...cimal but the format used by both the client and server must be the same Parameters These parameters are displayed VLAN ID of configured VLAN Vendor Class ID The following options are supported when the check box is marked to enable this feature Default The default string is the model number Text A text string Range 1 32 characters Hex A hexadecimal value Range 1 64 characters Web Interface To con...

Page 629: ...HCP relay agent i e this switch This switch then passes the DHCP response received from the server to the client Figure 417 Layer 3 DHCP Relay Service Command Usage You must specify the IP address for at least one active DHCP server Otherwise the switch s DHCP relay agent will not be able to forward client requests to a DHCP server Up to five DHCP servers can be specified in order of preference DH...

Page 630: ...PPoE Intermediate Agent Configure Global page to enable the PPPoE IA on the switch set the access node identifier and set the generic error message Command Usage When PPPoE IA is enabled the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers BRAS The switch extracts access l...

Page 631: ...estination MAC address of these PPPoE discovery packets These messages are forwarded to all trusted ports designated on the Configure Interface page Operational Access Node Identifier The configured access node identifier Generic Error Message An error message notifying the sender that the PPPoE Discovery packet was too large Range 0 127 Default PPPoE Discover packet too large to process Try reduc...

Page 632: ...ip off vendor specific tags which carry subscriber and line identification information in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user Circuit ID String identifying the circuit identifier or interface on this switch to which the user is connected Range 1 10 ASCII characters Default Unit Port VLAN ID or 0 Trunk ID VLAN ID The PPPoE server extracts ...

Page 633: ...he Step list 3 Select Port or Trunk interface type 4 Enable PPPoE IA on an interface set trust status enable vendor tag stripping if required and set the circuit ID and remote ID 5 Click Apply Figure 420 Configuring Interface Settings for PPPoE Intermediate Agent g Showing PPPoE IA Statistics Use the IP Service PPPoE Intermediate Agent Show Statistics page to show statistics on PPPoE IA protocol m...

Page 634: ...active discovery messages Response from untrusted Response from an interface which not been configured as trusted Request towards untrusted Request sent to an interface which not been configured as trusted Malformed Corrupted PPPoE message Web Interface To show statistics for PPPoE IA protocol messages 1 Click IP Service PPPoE Intermediate Agent 2 Select Show Statistics from the Step list 3 Select...

Page 635: ...works However when the switch is first booted default routing can only forward traffic between local IP interfaces As with all traditional routers static and dynamic routing functions must first be configured to work Initial Configuration By default all ports belong to the same VLAN and the switch provides only Layer 2 functionality To segment the attached network first create VLANs for each uniqu...

Page 636: ...hop count Decrementing the time to live Verifying and recalculating the Layer 3 checksum If the destination node is on the same subnetwork as the source network then the packet can be transmitted directly without the help of a router However if the MAC address is not yet known to the switch an Address Resolution Protocol ARP packet with the destination IP address is broadcast to get the destinatio...

Page 637: ... destination VLAN to find out the destination MAC address After the MAC address is discovered the packet is reformatted and sent out to the destination The reformat process includes decreasing the Time To Live TTL field of the IP header recalculating the IP header checksum and replacing the destination MAC address with either the MAC address of the destination node or that of the next hop router W...

Page 638: ...is attached and the router s host number on that network In other words a router interface address defines the network segment that is connected to that interface and allows you to send IP packets to or from the router You can specify the IP subnets connected directly to this router by manually assigning an IP address to each VLAN or using BOOTP or DHCP to dynamically assign an address To specify ...

Page 639: ...l DNS Service Parameters on page 621 and one or more DNS servers specified see Configuring a List of Name Servers on page 624 or Configuring Static DNS Host to Address Entries on page 625 Probe Count Number of packets to send Range 1 16 Packet Size Number of bytes in a packet Range 32 512 bytes for IPv4 0 1500 bytes for IPv6 The actual packet size will be eight bytes larger than the size specified...

Page 640: ...ing a Network Device Using the Trace Route Function Use the IP General Trace Route page to show the route packets take to the specified destination Parameters These parameters are displayed Destination IP Address IPv4 IPv6 address of the host IPv4 Max Failures The maximum number of failures before which the trace route is terminated Fixed 5 IPv6 Max Failures The maximum number of failures before w...

Page 641: ...ge If the timer goes off before a response is returned the trace function prints a series of asterisks and the Request Timed Out message A long sequence of these messages terminating only when the maximum timeout has been reached may indicate this problem with the target device The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifyi...

Page 642: ...ination IP address in the message However if it does match they write their own hardware address into the destination MAC address field and send the message back to the source hardware address When the source device receives a reply it writes the destination IP address and corresponding MAC address into its cache and forwards the IP traffic on to the next hop As long as this entry has not timed ou...

Page 643: ...blish the MAC address Proxy ARP Enables or disables Proxy ARP for specified VLAN interfaces allowing a non routing device to determine the MAC address of a host on another subnet or network Default Disabled End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network ...

Page 644: ...tatic entries in the ARP cache A static entry may need to be used if there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries will not be aged out or deleted when power is reset You can only remove a static entry via the configuration interface Static entries...

Page 645: ...Configure Static Address from the Step List 3 Select Add from the Action List 4 Enter the IP address and the corresponding MAC address 5 Click Apply Figure 427 Configuring Static ARP Entries To display static entries in the ARP cache 1 Click IP ARP 2 Select Configure Static Address from the Step List 3 Select Show from the Action List Figure 428 Displaying Static ARP Entries ...

Page 646: ... Select Show Information from the Step List 3 Click ARP Addresses Figure 429 Displaying ARP Entries Displaying ARP Statistics Use the IP ARP Show Information ARP Statistics page to display statistics for ARP messages crossing all interfaces on this router Parameters These parameters are displayed Web Interface To display ARP statistics 1 Click IP ARP 2 Select Show Information from the Step List Ta...

Page 647: ...ll number of stable routes to ensure network accessibility Command Usage Up to 512 static routes can be configured If an administrative distance is defined for a static route and the same destination can be reached through a dynamic route at a lower administration distance then the dynamic route will be used If both static and dynamic paths have the same lowest cost the first route stored in the r...

Page 648: ...the static route Note that the default administrative distances used by the dynamic unicast routing protocols is 110 for 120 for RIP Range 1 255 Default 1 Web Interface To configure static routes 1 Click IP Routing Static Routes 2 Select Add from the Action List 3 Enter the destination address subnet mask and next hop router 4 Click Apply Figure 431 Configuring Static Routes To display static rout...

Page 649: ...uting Information Base RIB which holds all routing information received from routing peers The FIB contains unique paths only It does not contain any secondary paths A FIB entry consists of the minimum amount of information necessary to make a forwarding decision on a particular packet The typical components within a FIB entry are a network prefix a router i e VLAN interface and next hop informati...

Page 650: ...ing the Routing Table 650 Protocol The protocol which generated this route information Options Local Static RIP OSPF Others Web Interface To display the routing table 1 Click IP Routing Routing Table Figure 433 Displaying the Routing Table ...

Page 651: ... on the network to learn consistent tables of next hop links which lead to relevant subnets OSPFv2 Dynamic Routing Protocols OSPF overcomes all the problems of RIP It uses a link state routing protocol to generate a shortest path tree then builds up its routing table based on this tree OSPF produces a more stable network because the participating routers act on network changes predictably and simu...

Page 652: ...ison reverse Propagate routes back to an interface port from which they have been acquired but set the distance vector metrics to infinity This provides faster convergence Triggered updates Whenever a route gets changed broadcast an update message after waiting for a short random delay but without waiting for the periodic cycle RIP 2 is a compatible upgrade to RIP RIP 2 adds useful capabilities fo...

Page 653: ...well as the RIP send and receive versions used on specific interfaces page 664 Parameters These parameters are displayed Global Settings RIP Routing Process Enables RIP routing globally RIP must also be enabled on each network interface which will participate in the routing process as described under Specifying Network Interfaces on page 657 Default Disabled Global RIP Version Specifies a RIP vers...

Page 654: ... screen the default metric sets the metric value to be used for all imported external routes RIP Max Prefix Sets the maximum number of RIP routes which can be installed in the routing table Range 1 736 Default 736 Default Information Originate Generates a default external route into the local RIP autonomous system Default Disabled A default route is set for every Layer 3 interface where RIP is ena...

Page 655: ... that a route is declared dead The route is marked inaccessible i e the metric set to infinite and advertised as unreachable However packets are still forwarded on this route Range 90 360 seconds Default 180 seconds Garbage Collection After the timeout interval expires the router waits for an interval specified by the garbage collection timer before removing this entry from the routing table This ...

Page 656: ...leting the entire RIP network redistribute connected routes using the Routing Protocol RIP Redistribute screen page 661 to make the RIP network a connected route To delete the RIP routes learned from neighbors but keep the RIP network intact clear RIP types from the routing table Parameters These parameters are displayed Clear Route By Type Clears entries from the RIP routing table based on the fo...

Page 657: ...Protocol RIP General 2 Select Clear Route from the Action list 3 When clearing routes by type select the required type from the drop down list When clearing routes by network enter a valid network address and prefix length 4 Click Apply Figure 436 Clearing Entries from the Routing Table Specifying Network Interfaces Use the Routing Protocol RIP Network Add page to specify the network interfaces th...

Page 658: ...ork portion of the address This mask identifies the network address bits used for the associated routing entries By VLAN Adds a Layer 3 VLAN to the RIP routing process The VLAN must be configured with an IP address Range 1 4094 Web Interface To add a network interface to RIP 1 Click Routing Protocol RIP Network 2 Select Add from the Action list 3 Add an interface that will participate in RIP 4 Cli...

Page 659: ... the attached subnet will still continue to be advertised to other interfaces and updates from other routers on the specified interface will continue to be received and processed This feature can be used in conjunction with the static neighbor feature described in the next section to control the routing updates sent to specific neighbors Parameters These parameters are displayed VLAN VLAN interfac...

Page 660: ...ecifically for point to point links rather than relying on broadcast or multicast messages generated by the RIP protocol This feature can be used in conjunction with the passive interface feature described in the preceding section to control the routing updates sent to specific neighbors Parameters These parameters are displayed IP Address IP address of a static neighboring router with which to ex...

Page 661: ...into this autonomous system Parameters These parameters are displayed Protocol The type of routes that can be imported include Connected Imports routes that are established automatically just by enabling IP on an interface Static Static routes will be imported into this routing domain OSPF External routes will be imported from the Open Shortest Path First protocol into this routing domain Metric M...

Page 662: ... an imported route the maximum number of hops allowed within a RIP domain However using a low metric can increase the possibility of routing loops For example this can occur if there are multiple redistribution points and the router learns about the same external network with a better metric from a redistribution point other than that derived from the original source Web Interface To import extern...

Page 663: ...ble protocol The administrative distance is applied to all routes learned for the specified network Parameters These parameters are displayed Distance Administrative distance for external routes External routes are routes for which the best path is learned from a neighbor external to the local RIP autonomous system Routes with a distance of 255 are not installed in the routing table Range 1 255 IP...

Page 664: ...rface that participates in the RIP routing process Command Usage Specifying Receive and Send Protocol Types Specify the protocol message type accepted that is RIP version and the message type sent that is RIP version or compatibility mode for each RIP interface Setting the RIP Receive Version or Send Version for an interface overrides the global setting specified in the RIP General Settings screen...

Page 665: ...rs Malicious or unwanted protocol messages can be easily propagated throughout the network if no authentication is required RIPv2 supports authentication using a simple password or MD5 key encryption When a router is configured to exchange authentication messages it will insert the password into all transmitted protocol packets and check all received packets to ensure that they contain the authori...

Page 666: ...e The default depends on the setting for the Global RIP Version See Configuring General Protocol Settings on page 653 Authentication Type Specifies the type of authentication required for exchanging RIPv2 protocol messages Default No Authentication No Authentication No authentication is required Simple Password Requires the interface to exchange routing information with other routers based on an a...

Page 667: ...ault setting None No loopback prevention method is employed If a loop occurs without using any prevention method the hop count for a route may be gradually incremented to infinity that is 16 before the route is deemed unreachable Web Interface To network interface settings for RIP 1 Click Routing Protocol RIP Interface 2 Select Add from the Action list 3 Select a Layer 3 VLAN interface to particip...

Page 668: ... address of RIP router interface Auth Type The type of authentication used for exchanging RIPv2 protocol messages Send Version The RIP version to sent on this interface Receive Version The RIP version accepted on this interface Rcv Bad Packets Number of bad RIP packets received Rcv Bad Routes Number of bad routes received Send Updates Number of route changes Web Interface To display RIP interface ...

Page 669: ...ets were received from this peer Rcv Bad Packets Number of bad RIP packets received from this peer Rcv Bad Routes Number of bad routes received from this peer Web Interface To display information on neighboring RIP routers 1 Click Routing Protocol RIP Statistics 2 Select Show Peer Information from the Action list Figure 450 Showing RIP Peer Information Resetting RIP Statistics Use the Routing Prot...

Page 670: ...Chapter 18 Unicast Routing Configuring the Routing Information Protocol 670 Figure 451 Resetting RIP Statistics ...

Page 671: ... Section III Appendices This section provides additional information and includes these items Software Specifications on page 673 Troubleshooting on page 679 License Statement GPL Code Statement on page 681 ...

Page 672: ...Section III Appendices 672 ...

Page 673: ...f full duplex 1000 Mbps at full duplex 1000BASE SX LX ZX 1000 Mbps at full duplex SFP18 SFP 10GBASE SR LR ER 10 Gbps at full duplex SFP Flow Control Full Duplex IEEE 802 3 2005 Half Duplex Back pressure Storm Control Broadcast multicast or unknown unicast traffic throttled above a critical threshold Port Mirroring 10 sessions one or more source ports to one destination port Rate Limits Input Outpu...

Page 674: ...Serv19 supports class maps policy maps and service policies Multicast Filtering IGMP Snooping Layer 2 IPv4 MLD Snooping Layer 2 IPv6 IGMP Layer 3 Multicast VLAN Registration IPv4 IPv6 IP Routing Static routes CIDR Classless Inter Domain Routing RIP RIPv2 RIP RIPv2 OSPFv2 OSPFv3 BGPv4 unicast routing PIM SM PIM DM PIMv6 multicast routing VRRP Virtual Router Redundancy Protocol Additional Features B...

Page 675: ...pport IEEE 802 1AB Link Layer Discovery Protocol IEEE 802 1D 2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802 1p Priority tags IEEE 802 1Q VLAN IEEE 802 1v Protocol based VLANs IEEE 802 1X Port Authentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet 10 Gigabit Ethernet Link Aggregation Co...

Page 676: ...Pv3 RFC DRAFT 2273 2576 3410 3411 3413 3414 3415 SNTP RFC 2030 SSH Version 2 0 TELNET RFC 854 855 856 TFTP RFC 1350 VRRP RFC 3768 Management Information Bases Bridge MIB RFC 1493 Differentiated Services MIB RFC 3289 DNS Resolver MIB RFC 1612 ERPS MIB ITU T G 8032 Entity MIB RFC 2737 Ether like MIB RFC 2665 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 20...

Page 677: ...ling IEEE 802 1ad Provider Bridges Quality of Service MIB RADIUS Accounting Server MIB RFC 2621 RADIUS Authentication Client MIB RFC 2619 RIP1 MIB RFC 1058 RIP2 MIB RFC 2453 RIP2 Extension RFC1724 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMP Community MIB RFC 3584 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC...

Page 678: ...Appendix A Software Specifications Management Information Bases 678 ...

Page 679: ...connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured on the management station Be sure y...

Page 680: ...6 Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set up your terminal emulation software so that it can capture all console output to a file Then enter the show tech support command to record all system settings in this file 9 Contact your distributor ...

Page 681: ... distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License for more details IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LI...

Page 682: ...w that what they have is not the original so that any problems introduced by others will not reflect on the original authors reputations Finally any free program is threatened constantly by software patents We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses in effect making the program proprietary To prevent this we have made it clear that an...

Page 683: ...ntent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition mere aggregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution medium does not b...

Page 684: ... and any other pertinent obligations then as a consequence you may not distribute the Program at all For example if a patent license would not permit royalty free redistribution of the Program by all those who receive copies directly or indirectly through you then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program If any portion of...

Page 685: ...LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD...

Page 686: ...y be called something other than show w and show c they could even be mouse clicks or menu items whatever suits your program You should also get your employer if you work as a programmer or your school if any to sign a copyright disclaimer for the program if necessary Here is a sample alter the names Yoyodyne Inc hereby disclaims all copyright interest in the program Gnomovision which makes passes...

Page 687: ...Appendix C License Statement GPL Code Statement Notification of Compliance 687 For GNU General Public License GPL related information please visit http global level1 com downloads php action init ...

Page 688: ...Appendix C License Statement GPL Code Statement Notification of Compliance 688 ...

Page 689: ...quired level of service and then placing them in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit DHCP Dynamic Host Control Pro...

Page 690: ...at used by IPv6 to identify the host portion of the network address The interface identifier in EUI compatible addresses is based on the link layer MAC address of an interface Interface identifiers used in global unicast and other IPv6 address types are 64 bits long and may be constructed in the EUI 64 format The modified EUI 64 format interface ID is derived from a 48 bit link layer address by in...

Page 691: ...he Rapid Spanning Tree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 2004 IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3ac Defines frame extensions for VLAN tagg...

Page 692: ...nother device Layer 2 Data Link layer in the ISO 7 Layer Data Communications Protocol This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses Layer 3 Network layer in the ISO 7 Layer Data Communications Protocol This layer handles the routing functions for data moving from one open system to another Link Aggregation See Port Trunk LLDP Li...

Page 693: ...services by using a common VLAN for distribution while still preserving security and data isolation for subscribers residing in both the MVR VLAN and other standard groups NTP Network Time Protocol provides the mechanisms to synchronize time across the network The time servers operate in a hierarchical master slave configuration in order to synchronize local clocks within the subnet and to nationa...

Page 694: ... RIP 2 is a compatible upgrade to RIP It adds useful capabilities for subnet routing authentication and multicast transmissions RMON Remote Monitoring RMON provides comprehensive network monitoring capabilities It eliminates the polling required in standard SNMP and can set alarms on a variety of traffic conditions including specific error types RSTP Rapid Spanning Tree Protocol RSTP reduces the c...

Page 695: ...s UDP packets are delivered just like IP packets connection less datagrams that may be discarded before reaching their targets UDP is useful when TCP would be too complex too slow or just unnecessary UTC Universal Time Coordinate UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not have daylight saving time...

Page 696: ...Glossary 696 ...

Page 697: ...xtended 314 321 IPv6 Standard 314 319 MAC 314 323 time range 310 Address Resolution Protocol See ARP address table 187 aging time 191 aging time displaying 191 aging time setting 191 ARP configuration 642 description 642 proxy 642 statistics 646 ARP ACL 325 ARP inspection 330 ACL filter 333 additional validation criteria 332 ARP ACL 334 enabling globally 332 trusted ports 335 ATC 224 control respo...

Page 698: ... CFM 509 continuity check messages CFM 465 474 476 477 CoS 231 configuring 231 default mapping to internal values 242 enabling 238 layer 3 4 priorities 238 priorities mapping to internal values 242 queue mapping 235 queue mode 232 queue weights assigning 233 CoS CFI to PHB drop precedence 242 CPU status 98 utilization showing 98 cross check message CFM 474 477 cross check start delay CFM 478 CVLAN...

Page 699: ...0 293 dynamic VLAN assignment 289 293 E edge port STA 209 213 encryption DSA 306 307 RSA 306 307 engine ID 408 409 ERPS configuration guidelines 452 control VLAN 457 domain configuration 454 domain enabling 456 global configuration 453 guard timer 466 hold off timer 465 major domain 462 MEG level 457 node identifier 462 propagate topology change 464 ring configuration 454 ring enabling 456 status ...

Page 700: ... with proxy reporting 528 immediate leave IGMP snooping 538 immediate leave MLD snooping 556 importing user public keys 307 ingress filtering 160 IP address BOOTP DHCP 598 setting 597 IP filter for management access 338 IP routing 635 651 configuring interfaces 638 unicast protocols 638 IP source guard ACL table learning mode 358 configuring static entries 359 learning mode ACL table or MAC table ...

Page 701: ...loop back messages CFM 474 476 496 loopback detection STA 199 M MAC address authentication 289 ports configuring 292 reauthentication 292 MAC address mirroring 194 main menu web interface 52 maintenance association CFM 474 486 maintenance domain CFM 474 475 481 maintenance end point CFM 475 477 482 486 490 500 501 maintenance intermediate point CFM 475 482 503 maintenance level CFM 475 476 mainten...

Page 702: ...2 proxy switching 580 receiver groups displaying 590 robust value for proxy switching 581 setting interface type 587 setting multicast domain 587 setting multicast groups 583 specifying a domain 587 specifying a VLAN 582 static binding 588 static binding group to port 588 statistics displaying 591 using immediate leave 588 N network access authentication 289 dynamic QoS assignment 293 dynamic VLAN...

Page 703: ... 254 255 QoS policy peak information rate 255 Quality of Service See QoS query interval IGMP snooping 540 query response interval IGMP snooping 540 queue weight assigning to CoS 233 R RADIUS logon authentication 271 settings 271 rate limit port 221 setting 221 remote engine ID 408 remote logging 380 remote maintenance end point CFM 477 486 492 501 504 505 restarting the system 103 at scheduled tim...

Page 704: ...uthentication retries 305 configuring 302 downloading public keys for clients 307 generating host key pair 306 server configuring 304 timeout 305 SSL replacing certificate 300 STA 197 BPDU filter 211 BPDU flooding 202 208 BPDU shutdown 210 detecting loopbacks 199 edge port 209 213 global settings configuring 201 global settings displaying 206 interface settings configuring 207 interface settings d...

Page 705: ...4 V VLAN trunking 149 VLANs 153 183 802 1Q tunnel mode 174 acceptable frame type 160 adding static members 159 creating 156 description 153 displaying port members by interface 162 displaying port members by interface range 163 displaying port members by VLAN index 162 dynamic assignment 293 egress mode 159 ingress filtering 160 interface configuration 159 IP subnet based 179 MAC based 181 mirrori...

Page 706: ...GTL 2881 GTL 2882 E112016 ST R01 ...

Reviews:

No comments

Related manuals for GTL-2881

Brightlink 16x16 Manual preview
16x16
Brand: Brightlink Pages: 33
CyberData 4-Port PoweredUSB 2.0 Hub 011006 Quick Reference Manual preview
4-Port PoweredUSB 2.0 Hub 011006
Brand: CyberData Pages: 4
Labgear 28574LAB User Manual preview
28574LAB
Brand: Labgear Pages: 4
ATEN ALTUSCN KH1508I User Manual preview
ALTUSCN KH1508I
Brand: ATEN Pages: 173
König KNVMA3444 Instruction preview
KNVMA3444
Brand: König Pages: 8
Black Box ServSwitch KV1510A User Manual preview
ServSwitch KV1510A
Brand: Black Box Pages: 16
A-Neuvideo ANI-3AUTOHDMI Instruction Manual preview
ANI-3AUTOHDMI
Brand: A-Neuvideo Pages: 16
Black Box SW045A-FFF Manual preview
SW045A-FFF
Brand: Black Box Pages: 9
Cabletron Systems MMAC-Plus 9T125-24 Supplementary Manual preview
MMAC-Plus 9T125-24
Brand: Cabletron Systems Pages: 36
Ruby Tech GS-2224L User Manual preview
GS-2224L
Brand: Ruby Tech Pages: 301
HDTV Supply HDTVCV0702HDS User Manual preview
HDTVCV0702HDS
Brand: HDTV Supply Pages: 15
enbrighten 58433 Manual preview
58433
Brand: enbrighten Pages: 2
Seastar Solutions pro-trim PT1000 Installation Manual preview
pro-trim PT1000
Brand: Seastar Solutions Pages: 2
Smart-M DVNET-4Duo User Manual preview
DVNET-4Duo
Brand: Smart-M Pages: 2
Lex PowerGATE LELTS-1 Series Installation Instructions & User Manual preview
PowerGATE LELTS-1 Series
Brand: Lex Pages: 12
3onedata IES2010 Series Quick Installation Manual preview
IES2010 Series
Brand: 3onedata Pages: 2
Shenzhen Kinan Technology KVM-1708A User Manual preview
KVM-1708A
Brand: Shenzhen Kinan Technology Pages: 27
Belkin F1DA208Z User Manual preview
F1DA208Z
Brand: Belkin Pages: 43

Brands by name

Popular brands

Load more brands