Home
/
NETGEAR
/
FS728TP - ProSafe 24 Port 10/100 Smart Switch
/
Software Administration Manual

NETGEAR FS728TP - ProSafe 24 Port 10/100 Smart Switch, Software Administration Manual

Share

Page: 174 / 261

NETGEAR FS728TP - ProSafe 24 Port 10/100 Smart Switch Software Administration Manual Download Page 174

174

|

Chapter 5: Managing Device Security

FS728TP Smart Switch Software Administration Manual

Configuring Access Control Lists

Access Control Lists (ACLs) ensure that only authorized users have access to specific
resources while blocking off any unwarranted attempts to reach network resources. ACLs are
used to provide traffic flow control, restrict contents of routing updates, decide which types of
traffic are forwarded or blocked, and above all provide security for the network. FS728TP
Smart Switch software supports IPv4 and MAC ACLs.

Note:

The FS728TP Smart Switch does not support mixed ACLs on same

interface. In other words, you can bind MAC ACLs

or

IP ACLs to an

interface, but you cannot bind both ACL types to an interface.

To configure an ACL, first create an IPv4-based or MAC-based ACL ID. Then, create a rule
and assign it to a unique ACL ID. Next, define the rules, which can identify protocols, source,
and destination IP and MAC addresses, and other packet-matching criteria. Finally, use the
ID number to assign the ACL to a port or to a LAG.

The Security



ACL folder contains links to the following features:

•

Basic:

•

MAC ACL

on page

174

•

MAC Rules

on page

175

•

MAC Binding Configuration

on page

177

•

MAC Binding Table

on page

178

•

Advanced:

•

IP ACL

on page

179

•

IP Rules

on page

181

•

IP Extended Rule

on page

182

•

IP Binding Configuration

on page

185

•

IP Binding Table

on page

187

MAC ACL

A MAC ACL consists of a set of rules which are matched sequentially against a packet. When
a packet meets the match criteria of a rule, the specified rule action (Permit/Deny) is taken
and the additional rules are not checked for a match.

There are multiple steps involved in defining a MAC ACL and applying it to the switch:

1.

Use the

MAC ACL

page to create the ACL ID.

2.

Use the

MAC Rules

page to create rules for the ACL.

3.

Use the

MAC Binding Configuration

page to assign the ACL by its ID number to a port.

«
...
172
173
174
175
176
...
»

Summary of Contents for FS728TP - ProSafe 24 Port 10/100 Smart Switch

Page 1: ...December 2010 202 10670 01 v1 0 350 East Plumeria Drive San Jose CA 95134 USA FS728TP Smart Switch Software Administration Manual ...

Page 2: ...EAR the NETGEAR logo ReadyNAS ProSafe Smart Control Center Auto Uplink X RAID2 and NeoTV are trademarks or registered trademarks of NETGEAR Inc Microsoft Windows Windows NT and Vista are registered trademarks of Microsoft Corporation Other brand and product names are registered trademarks or trademarks of their respective holders Statement of Conditions To improve internal design operational funct...

Page 3: ...19 Configuration Upload and Download 20 Firmware Upgrade 22 Viewing and Managing Tasks 24 Understanding the User Interfaces 25 Using the Web Interface 25 Using SNMP 29 Interface Naming Convention 30 Chapter 2 Configuring System Information Management 32 System Information 32 IP Configuration 33 Time 35 Denial of Service 40 DNS 43 Green Ethernet Configuration 46 PoE 47 PoE Configuration 47 PoE Port...

Page 4: ...82 VLAN Membership Configuration 83 Port VLAN ID Configuration 84 Voice VLAN 87 Voice VLAN Properties 87 Voice VLAN Port Setting 88 Voice VLAN OUI 89 Spanning Tree Protocol 91 STP Switch Configuration 91 CST Configuration 93 CST Port Configuration 95 CST Port Status 96 Rapid STP 98 MST Configuration 98 MST Port Configuration 100 STP Statistics 102 Multicast 104 IGMP Snooping 104 IGMP Snooping Quer...

Page 5: ...ng Management Access 153 HTTP Configuration 153 Secure HTTP Configuration 154 Certificate Download 155 Access Profile Configuration 157 Access Rule Configuration 158 Port Authentication 160 802 1X Configuration 160 Port Authentication 161 Port Summary 165 Traffic Control 166 MAC Filter Configuration 166 MAC Filter Summary 168 Storm Control 168 Port Security Configuration 170 Port Security Interfac...

Page 6: ...211 Multiple Port Mirroring 211 Chapter 7 Maintenance Reset 214 Device Reboot 214 Factory Default 214 Upload File From Switch 216 TFTP File Upload 216 HTTP File Upload 217 Download File To Switch 219 TFTP File Download 219 HTTP File Download 221 File Management 223 Dual Image Configuration 223 Dual Image Status 224 Troubleshooting 226 Ping 226 Traceroute 227 Chapter 8 Help Online Help 229 Support ...

Page 7: ... 239 Access Control Lists ACLs 240 MAC ACL Example Configuration 240 Standard IP ACL Example Configuration 242 Differentiated Services DiffServ 243 Class 243 DiffServ Traffic Classes 244 Creating Policies 244 DiffServ Example Configuration 245 802 1X 247 802 1X Example Configuration 248 MSTP 250 MSTP Example Configuration 251 Appendix C Notification of Compliance Index ...

Page 8: ...FS728TP Smart Switch Software Administration Manual 8 Table of Contents ...

Page 9: ... features Chapter 4 Configuring Quality of Service describes how to manage the Access Control Lists ACLs and how to configure Differentiated Services and Class of Service features Chapter 5 Managing Device Security contains information about configuring switch security information such as port access control and RADIUS server settings Chapter 6 Monitoring the System describes how to view a variety...

Page 10: ...ntrol Center utility This chapter contains the following sections Switch Management Interface on page 11 Connecting the Switch to the Network on page 12 Switch Discovery in a Network with a DHCP Server on page 13 Switch Discovery in a Network without a DHCP Server on page 15 Configuring the Network Settings on the Administrative System on page 16 Web Access on page 18 Smart Control Center Utilitie...

Page 11: ...re all switch features such as VLANs QoS and ACLs by using the Web based management interface NETGEAR provides the Smart Control Center utility with this product This program runs under Microsoft Windows XP Windows 2000 or Windows Vista and provides a front end that discovers the switches on your network segment L2 broadcast domain When you power up your switch for the first time use the Smart Con...

Page 12: ...matically assigned network information For more information see Switch Discovery in a Network with a DHCP Server on page 13 Static assignment through the Smart Control Center If you connect the switch to a network that does not have a DHCP server you can use the Smart Control Center to assign a static IP address subnet mask and default gateway For more information see Switch Discovery in a Network...

Page 13: ...address to your switch Use the Smart Control Center to discover the IP address automatically assigned to the switch To install the switch in a network with a DHCP server use the following steps 1 Connect the switch to a network with a DHCP server 2 Power on the switch by connecting its power cord 3 Install the Smart Control Center on your computer 4 Start the Smart Control Center 5 Click Discover ...

Page 14: ...b browser without using the Smart Control Center 7 Select your switch by clicking the line that displays the switch then click the Web Browser Access button The Smart Control Center displays a login window similar to the following figure Use your Web browser to manage your switch The default password is password Then use this page to proceed to management of the switch covered in Using the Web Int...

Page 15: ...ing network 2 Power on the switch by connecting its power cord 3 Install the Smart Control Center on your computer 4 Start the Smart Control Center 5 Click Discover for the Smart Control Center to find your FS728TP switch The utility broadcasts Layer 2 discovery packets within the broadcast domain to discover the switch You should see a screen similar to Figure 1 on page 13 6 Select the switch the...

Page 16: ... the network information on the switch you can connect directly to the switch from an administrative system such as a PC or laptop computer The IP address of the administrative system must be in the same subnet as the default IP address on the switch For most networks this means you must change the IP address of the administrative system to be on the same subnet as the default IP address of the sw...

Page 17: ...he 192 168 0 0 network such as 192 168 0 200 The IP address must be different from that of the switch but within the same subnet 3 Click OK To configure a static address on the switch 1 Use a straight through cable to connect the Ethernet port on the administrative system directly to any port on the FS728TP 2 Open a Web browser on your PC and connect to the management interface as described in Web...

Page 18: ...FS728TP management interface from your administrative system for Web access to be available If you used the Smart Control Center to set up the IP address and subnet mask either with or without a DHCP server use that IP address in the address field of your Web browser If you did not change the IP address of the switch from the default value enter 192 168 0 239 into the address field Clicking Web Br...

Page 19: ... for the selected device Configure Device Allows you to modify network information for the switch including the IP address DHCP client mode system name and location For more information about this feature see Configuring the Device Change Password Allows you to set a new password for the device For more information about this feature see Changing the Switch Password Configuring the Device To modif...

Page 20: ...guration file from the switch to an administrative system You can download a saved configuration file from the administrative system to the switch The configuration file you download to the switch overwrites the running configuration on the switch Configuration upload and download is useful if you want to save a copy of the current switch configuration Upload Configuration before you make changes ...

Page 21: ...lick the Maintenance tab and select the device with the configuration to restore 2 Click Download Configuration 3 From the Select a Configuration window that appears navigate to and select the configuration file to download to the switch 4 Click Open Optionally you can schedule a different date and time to download the configuration file To delay the download process clear the Run Now check box an...

Page 22: ...ade the firmware using the TFTP Download and HTTP Download features mentioned in this book See HTTP File Upload on page 217 To upgrade your firmware 1 Click the Maintenance tab and then click the Firmware link directly below the tabs see Figure 1 on page 13 2 Select the switch to upgrade and click Download Firmware By default the firmware is downloaded to primary storage and will be become the act...

Page 23: ...tion The scheduled firmware download appears in the Tasks list 5 Enter the switch password to continue downloading the firmware 6 Click Apply to download the firmware and upgrade the switch with the new image 7 When the process is complete the switch automatically reboots Note Click the Tasks tab to view status information about the firmware upgrade WARNING It is important that you do not power of...

Page 24: ...scheduled to take place at a later time You can also delete or reschedule selected tasks The following figure shows the Tasks page The following list describes the command buttons that are specific to the Tasks page Delete Task Remove a completed or schedule task from the list Reschedule Change the scheduled date and time for a pending firmware upgrade Select Range Select all tasks that occurred o...

Page 25: ...witch Software Administration Manual describes how to use the Web based interface to manage and monitor the system Using the Web Interface To access the switch by using a Web browser the browser must meet the following software requirements HTML version 4 0 or later HTTP version 1 1 or later Java Runtime Environment 1 6 or later Use the following procedures to log on to the Web interface 1 Open a ...

Page 26: ...ab appear as links directly under the tabs The feature links in the blue bar change according to the navigation tab that is selected The configuration pages for each feature are available as links in the page menu on the left side of the page Some items in the menu expand to reveal multiple configuration pages as Figure 4 on page 27 shows When you click a menu item that includes multiple configura...

Page 27: ...nfiguration and monitoring options The graphic also provides information about device ports current configuration and status table information and feature components The Device View is available from the System Device View page The port coloring indicates whether a port is currently active Green indicates that the port is enabled red indicates that an error has occurred on the port or red indicate...

Page 28: ...iew or configure to see a menu that displays statistics and configuration options Click the menu option to access the page that contains the configuration or monitoring options If you click the graphic but do not click a specific port the main menu appears as the following figure shows This menu contains the same option as the navigation tabs at the top of the page ...

Page 29: ...The main object for interface configuration is in SWITCHING MIB which is a private MIB Some interface configurations also involve objects in the public MIB IF MIB SNMP is enabled by default The System Management System Information Web page which is the page that displays after a successful login displays the information you need to configure an SNMP manager to access the switch Any user can connec...

Page 30: ...nterfaces by using the software The following table describes the naming convention for all interfaces available on the switch Interface Description Example Physical The physical ports include Fast Ethernet and Gigabit Ethernet interfaces and are numbered sequentially starting from one e1 e2 e3 g1 g2 g3 Link Aggregation Group LAG LAG interfaces are logical interfaces that are only used for bridgin...

Page 31: ...m Information 2 Use the features in the System tab to define the switch s relationship to its environment The System tab contains links to the following features Management on page 32 PoE on page 47 SNMP on page 53 LLDP on page 58 Services DHCP Filtering on page 70 ...

Page 32: ...on From the Management link you can access the following pages System Information on page 32 IP Configuration on page 33 Time on page 35 Denial of Service on page 40 DNS on page 43 Green Ethernet Configuration on page 46 System Information After a successful login the System Information page displays Use this page to configure and view general device information To display the System Information p...

Page 33: ...n Use the IP Configuration page to configure network information for the management interface which is the logical interface used for in band connectivity with the switch through any of the switch s front panel ports The configuration parameters associated with the switch s network interface do not affect the configuration of the front panel ports through which traffic is switched or routed To acc...

Page 34: ...owing network information IP Address The IP address of the network interface The factory default value is 192 168 0 239 Each part of the IP address must start with a number other than zero For example IP addresses 001 100 192 6 and 192 001 10 3 are not valid Subnet Mask The IP subnet mask for the interface The factory default value is 255 255 255 0 Default Gateway The default gateway for the IP in...

Page 35: ... the switch Time FS728TP Smart Switch software supports the Simple Network Time Protocol SNTP You can also set the system time manually SNTP assures accurate network device clock time synchronization up to the millisecond Time synchronization is performed by a network SNTP server FS728TP Smart Switch software operates only as an SNTP client and cannot provide time services to other systems Time so...

Page 36: ...the IP address is known SNTP servers that have been configured on the device are the only ones that are polled for synchronization information T1 through T4 are used to determine server time This is the preferred method for synchronizing device time because it is the most secure method If this method is selected SNTP information is accepted only from SNTP servers defined on the device using the SN...

Page 37: ...ield select SNTP When the Clock Source is set to SNTP the Date and Time fields are grayed out disabled The switch gets the date and time from the network 2 Use the menu to select the Coordinated Universal Time UTC time zone in which the switch is located expressed as the number of hours 3 Click Apply to send the updated configuration to the switch Configuration changes take effect immediately 4 Cl...

Page 38: ...rver is not valid Version Not Supported The SNTP version supported by the server is not compatible with the version supported by the client Server Unsynchronized The SNTP server is not synchronized with its peers This is indicated via the leap indicator field on the SNTP message Server Kiss Of Death The SNTP server indicated that no further queries were to be sent to this server This is indicated ...

Page 39: ...ity Servers with lowest numbers have priority Version Enter the protocol version number The range is 1 4 2 Click Add 3 Repeat the previous steps to add additional SNTP servers You can configure up to three SNTP servers 4 To removing an SNTP server select the check box next to the configured server to remove and then click Delete The entry is removed and the device is updated 5 To change the settin...

Page 40: ...ate and time UTC that the response from this server was used to update the system clock Last Attempt Time Specifies the local date and time UTC that this SNTP server was last queried Last Attempt Status Specifies the status of the last SNTP request to this server If no packet has been received from this server a status of Other is displayed Other None of the following enumeration values Success Th...

Page 41: ...of Service Auto DoS Configuration To configure the Auto DoS feature 1 Select a radio button to enable or disable Auto DoS Disable Auto DoS is disabled default Enable Auto DoS is enabled 2 Click Apply to send the updated configuration to the switch Configuration changes occur immediately 3 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of...

Page 42: ...Min TCP Hdr Size The factory default is Disable Denial of Service Min TCP Hdr Size Specify the Min TCP Hdr Size allowed If First Fragment DoS prevention is enabled the switch will drop packets that have a TCP header smaller than this configured Min TCP Hdr Size The factory default is 20 bytes Denial of Service TCP Fragment Enable or disable this option by selecting the appropriate radio button Ena...

Page 43: ... ICMP packet size The factory default is Disable Denial of Service Max ICMP Size Specify the Max ICMP packet size allowed If ICMP DoS prevention is enabled the switch will drop ICMP ping packets that have a size greater then this configured Max ICMP packet size The factory default is 512 bytes 2 If you change any of the DoS settings click Apply to apply the changes to the switch 3 Click Cancel to ...

Page 44: ...e DNS server to which the switch sends DNS queries enter an IP address in standard IPv4 dot notation in the DNS Server Address and click Add The server appears in the list below You can specify up to eight DNS servers The precedence is set in the order created 4 To remove a DNS server from the list select the check box next to the server you want to remove and click Delete If no DNS server is spec...

Page 45: ...en click Apply 6 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch The Dynamic Host Configuration table shows host name to IP address entries that the switch has learned The following table describes the dynamic host fields Click Refresh to refresh the table with the most current data from the switch Click Clear to delete Dyna...

Page 46: ... To configure the Green Ethernet feature 1 Enable or disable the Auto Power Down Mode Enable When the port link is down the PHY will automatically go down for a short period of time and then wake up to check link pulses This allows the port to continue to perform auto negotiation while consuming less power when no link partner is present Disable Provide full power to the PHY even if no link partne...

Page 47: ... to ensure that the FS728TP power budget is used effectively From the PoE link under the System tab you can view and configure PoE settings for the switch and for ports e1 e24 From the PoE link you can access the following pages PoE Configuration on page 47 PoE Port Configuration on page 48 Timer Global Configuration on page 50 Timer Schedule Configuration on page 51 PoE Configuration Use the PoE ...

Page 48: ...age to configure per port PoE settings To display the PoE Port Configuration page click System PoE Advanced PoE Port Configuration To configure PoE Port settings 1 Select the check box next to the port to configure You can select multiple ports to apply the same setting to the selected interfaces Select the check box in the heading row to apply the same settings to all interfaces Field Description...

Page 49: ... and Legacy Select this option to use both Legacy and IEEE 802 3af 2point methods to detect PDs 802 3af 4point and Legacy Select this option to use both Legacy and IEEE 802 3af 2point methods to detect PDs Class View the class of the PD connected to the port The class defines the range of power a PD is drawing from the system The class is defined as 0 0 44 12 95W 1 0 44 3 83W 2 3 84 6 48W 3 6 49 1...

Page 50: ...and reset the data on the screen to the latest value of the switch 5 Click Refresh to update the screen with the current information Timer Global Configuration Use the Timer Global Configuration page to create or remove timers and to control the administrative status of the feature Timers control when power can and cannot be delivered to the port Use the following general steps to add a timer to a...

Page 51: ...ete 4 To enable or disable the timer feature select the appropriate radio button and click Apply 5 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch Timer Schedule Configuration Use the Timer Schedule Configuration page to configure when the power to a port is turned off For example you can specify that the power is turned off...

Page 52: ... Global Configuration page 2 Specify the time to turn off power The time range is from 00 00 to 23 59 3 Specify the day to turn off power by clicking the calendar icon and selecting the date 4 If required specify the end date by clicking the calendar icon and selecting the date 5 If required use the Recurrence Pattern and Daily Mode fields to customize the power shutdown schedule 6 Click Apply to ...

Page 53: ...gs Community Configuration To display this page click System SNMP SNMP V1 V2 Community Configuration By default two SNMP Communities exist Private with Read Write privileges and status set to Enable Public with Read Only privileges and status set to Enable These are well known communities Use this page to change the defaults or to add other communities Only the communities that you define using th...

Page 54: ...ation IP Mask value of 255 255 255 255 and use that machine s IP address for Client Address Management Station IP Mask Specify the subnet mask to associate with the management station IP address Community String Specify a community name A valid entry is a case sensitive string of up to 16 characters Access Mode Specify the access level for this community by selecting Read Write or Read Only from t...

Page 55: ... s status from the menu Enable Send traps to the receiver Disable Do not send traps to the receiver 2 To modify information about an existing SNMP recipient select the check box next to the recipient change the desired fields and then click Apply Configuration changes take effect immediately 3 To delete a recipient select the check box next to the recipient and click Delete 4 Click Cancel to cance...

Page 56: ...m the Link Up Down field enable or disable activation of link status traps by selecting the corresponding button The factory default is Enable 3 From the Spanning Tree field enable or disable activation of spanning tree traps by selecting the corresponding button The factory default is Enable 4 If you make any changes to this page click Apply to send the updated configuration to the switch Configu...

Page 57: ... will be unable to access the SNMP data from an SNMP browser MD5 or SHA The user login password will be used as SNMPv3 authentication password and you must therefore specify a password The password must be eight characters in length 2 In the Encryption Protocol field choose whether to encrypt SNMPv3 packets transmitted by the switch None Do not encrypt the contents of SNMPv3 packets transmitted fr...

Page 58: ...ely per port By default both transmit and receive are disabled on all ports The application is responsible for starting each transmit and receive state machine appropriately based on the configured status and operational state of the port The Link Layer Discovery Protocol Media Endpoint Discovery LLDP MED is an enhancement to LLDP with the following features Auto discovery of LAN policies such as ...

Page 59: ...nsmission of notifications The default is 5 seconds and the range is 5 3600 seconds 2 To change the LLDP MED properties in the Fast Start Duration field specify the number of LLDP packets sent when the LLDP MED Fast Start mechanism is initialized which occurs when a new endpoint device links with the LLDP MED network connectivity device The default value is 3 and the range is from 1 10 3 Click App...

Page 60: ...ce The possible field values are Stop Advertise Do not advertise the management IP address from the interface Auto Advertise Advertise the current IP address of the device as the management IP address Notification When notifications are enabled LLDP interacts with the Trap Manager to notify subscribers of remote data change statistics The default is Disabled Optional TLV s Enable or disable the tr...

Page 61: ... network policy information that displays on the screen Field Description Network Policy Number Specifies the policy number Application Specifies the media application type associated with the policy which can be one of the following Unknown Voice Guest Voice Guest Voice Signaling Softphone Voice Video Conferencing Streaming Video Video Signaling A port can receive multiple application types The a...

Page 62: ...tatus field enable or disable the LLDP MED mode for the selected interface 3 From the Notification field specify whether the port should send a topology change notification if a device is connected or removed 4 From the Transmit Optional TLVs field specify whether the port should transmit optional type length values TLVs in the LLDP PDU frames If enabled the following LLDP MED TLVs are transmitted...

Page 63: ...k System Advanced LLDP Local Information The following table describes the LLDP local information that displays for each port Click Refresh to refresh the page with the most current data from the switch To view additional details about a port click the name of the port in the Interface column of the Port Information table Field Description Interface Select the interface with the information to dis...

Page 64: ... the number that identifies the port MAC PHY Details Auto Negotiation Supported Specifies whether the interface supports port speed auto negotiation The possible values are True or False Auto Negotiation Enabled Displays the port speed auto negotiation support status The possible values are True enabled or False disabled Auto Negotiation Advertised Capabilities Displays the port speed auto negotia...

Page 65: ...lays the MED capabilities enabled on the port Current Capabilities Displays the TLVs advertised by the port Device Class Network Connectivity indicates the device is a network connectivity device Network Policies Application Type Specifies the media application type associated with the policy VLAN ID Specifies the VLAN ID associated with the policy VLAN Type Specifies whether the VLAN associated w...

Page 66: ...the Media Service Access Point MSAP entry number for the remote device Local Port Displays the interface on the local system that received LLDP information from a remote system Chassis ID Subtype Identifies the type of data displayed in the Chassis ID field on the remote system Chassis ID Identifies the remote 802 LAN device s chassis Port ID Subtype Identifies the type of data displayed in the re...

Page 67: ...Description Specifies the description of the selected port associated with the remote system System Capabilities Specifies the system capabilities of the remote system Managed Addresses Address SubType Specifies the type of the management address Address Specifies the advertised management address of the remote system Interface SubType Specifies the port subtype Interface Number Identifies the por...

Page 68: ...ys the port s power priority PoE Power Value Displays the port s power value Hardware Revision Displays the hardware version advertised by the remote device Firmware Revision Displays the firmware version advertised by the remote device Software Revision Displays the software version advertised by the remote device Serial Number Displays the serial number advertised by the remote device Model Name...

Page 69: ...the remote device VLAN ID Specifies the VLAN ID associated with the policy VLAN Type Specifies whether the VLAN associated with the policy is tagged or untagged User Priority Specifies the priority associated with the policy DSCP Specifies the DSCP associated with a particular policy type LLDP Unknown TLVs Type Displays the unknown TLV type field Value Displays the unknown TLV value field Field De...

Page 70: ...port The port that has the authorized DHCP server should be configured as a trusted port Any DHCP responses received on a trusted port are forwarded All other ports should be configured as untrusted Any DHCP or BootP responses received are discarded From the Services link you can access the following pages DHCP Filtering Configuration on page 70 Interface Configuration on page 71 DHCP Filtering Co...

Page 71: ...ort click PORTS 2 To configure DHCP filtering settings for a Link Aggregation Group LAG click LAGS 3 To configure DHCP filtering settings for both physical ports and LAGs click ALL 4 Select the check box next to the port or LAG to configure You can select multiple ports and LAGs to apply the same setting to the selected interfaces Select the check box in the heading row to apply the same settings ...

Page 72: ...72 Chapter 2 Configuring System Information FS728TP Smart Switch Software Administration Manual ...

Page 73: ...features in the Switching tab to define Layer 2 features The Switching tab contains links to the following features Ports on page 74 Link Aggregation Groups on page 77 VLANs on page 82 Voice VLAN on page 87 Spanning Tree Protocol on page 91 Multicast on page 104 Forwarding Database on page 116 ...

Page 74: ...gure settings for both physical ports and LAGs click ALL 4 Select the check box next to the port or LAG to configure You can select multiple ports and LAGs to apply the same setting to the selected interfaces Select the check box in the heading row to apply the same settings to all interfaces 5 Configure or view the settings Description Enter the description string to be attached to a port The str...

Page 75: ...Enable Specifies that the system sends a trap when the link status changes Disable Specifies that the system does not send a trap when the link status changes Maximum Frame Size Specifies the maximum Ethernet frame size the interface supports The size includes the Ethernet header CRC and payload Any change to the maximum frame size is immediately applied to all interfaces MAC Address Displays the ...

Page 76: ...IEEE 802 3x flow control on the system The factory default is Disable Enable The switch sends pause packets if the port buffers become full Disable The switch does not send pause packets if the port buffers become full 2 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 3 If you change the mode click Apply to apply the changes...

Page 77: ...pate in the same protocols A static port channel interface does not require a partner system to be able to aggregate its member ports Static LAGs are supported When a port is added to a LAG as a static member it neither transmits nor receives LAGPDUs The FS728TP Smart Switch supports four LAGs From the LAGs link you can access the following pages LAG Configuration on page 77 LAG Membership on page...

Page 78: ...that form the LAG port channel will not be released The factory default is Enable STP Mode Select the Spanning Tree Protocol Administrative Mode associated with the LAG LAG Type Specifies whether the LAG is configured as a Static or LACP port When the LAG is static it does not transmit or process received LAGPDUs for example the member ports do not transmit LAGPDUs and all the LAGPDUs it may recei...

Page 79: ... disable the following 4 Click the orange bar to display the ports 5 Click the box below each port to include in the LAG The following figure shows an example of how to configure LAG1 with ports e1 e4 as members 6 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 7 If you make any changes to this page click Apply to send the u...

Page 80: ...of the links on which link aggregation is enabled A higher value indicates a lower priority You can change the value of the parameter globally by specifying a priority from 0 65535 The default value is 32768 2 Click Refresh to reload the page and display the most current information 3 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the...

Page 81: ... Note You cannot select ports that are not participating in a LAG 2 Configure the LACP Priority value for the selected port The field range is 0 255 The default value is 128 3 Configure the administrative LACP Timeout value The default value is Long Long Specifies a long timeout value Short Specifies a short timeout value 4 Click Cancel to cancel the configuration on the screen and reset the data ...

Page 82: ...ogical function instead of physical location Each VLAN in a network has an associated VLAN ID which appears in the IEEE 802 1Q tag in the Layer 2 header of packets transmitted on a VLAN An end station may omit the tag or the VLAN portion of the tag in which case the first switch port to receive the packet may either reject it or insert a tag using its default VLAN ID A given port may handle traffi...

Page 83: ...e will always be Static 2 To delete a VLAN select the check box next to the VLAN ID and click Delete You cannot delete the default VLAN 3 To modify settings for a VLAN select the check box next to the VLAN ID change the desired information and then click Apply Configuration changes occur immediately 4 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the la...

Page 84: ...ure ports e6 e7 and e8 are being added as tagged members to VLAN 2 5 Use the Group Operations field to select all the ports and configure them Possible values are Untag All Select all the ports on which all frames transmitted from this VLAN will be untagged All the ports will be included in the VLAN Tag All Select the ports on which all frames transmitted for this VLAN will be tagged All the ports...

Page 85: ...k box in the heading row to apply the same settings to all interfaces 5 Configure the PVID to assign to untagged or priority tagged frames received on this port 6 Specify how you want the port to handle untagged and priority tagged frames Whichever you select VLAN tagged frames will be forwarded in accordance with the IEEE 802 1Q VLAN standard The factory default is Admit All VLAN Only The port wi...

Page 86: ...signed to untagged packets arriving at the port Possible values are 0 7 9 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 10 If you make any changes to this page click Apply to send the updated configuration to the switch Configuration changes take place immediately ...

Page 87: ...VLAN 1 From the Voice VLAN Status field enable or disable Voice VLAN on the switch If the switch does not handle traffic from IP phones the status should be disabled 2 From the Voice VLAN ID field select the VLAN to use for voice traffic on the switch The VLAN must already exist on the switch For information about how to create VLANs see VLAN Configuration on page 82 3 From the Class of Service fi...

Page 88: ...heck box next to the port to configure You can select multiple check boxes to apply the same setting to all selected ports 2 From the Voice VLAN Mode menu specify whether to enable or disable Voice VLAN on the selected port 3 From the Voice VLAN Security menu specify whether to enable or disable Voice VLAN security on the selected port 4 Click Cancel to cancel the configuration on the screen and r...

Page 89: ...The switch comes preconfigured with the following OUIs 00 01 E3 SIEMENS 00 03 6B CISCO1 00 12 43 CISCO2 00 0F E2 H3C 00 60 B9 NITSUKO 00 D0 1E PINTEL 00 E0 75 VERILINK 00 E0 BB 3COM 00 04 0D AVAYA1 00 1B 4F AVAYA2 You can select an existing OUI or add a new OUI and description to identify the IP phones on the network To display the Voice VLAN OUI page click Switching Voice VLAN Advanced OUI ...

Page 90: ...be in the format AA BB CC 2 To delete an OUI prefix from the list select the check box next to the OUI prefix and click Delete 3 To modify information for an entry in the OUI list select the check box next to the OUI prefix update the OUI prefix or description and then click Apply 4 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the s...

Page 91: ...e full duplex connectivity and ports which are connected to end stations resulting in rapid transitioning of the port to Forwarding state and the suppression of Topology Change Notification These features are represented by the parameters pointtopoint and edgeport MSTP is compatible to both RSTP and STP It behaves appropriately to STP and RSTP bridges A MSTP bridge can be configured to behave enti...

Page 92: ...sion level Configuration Name Name used to identify the configuration currently being used It may be up to 32 alphanumeric characters Configuration Revision Level Number used to identify the configuration currently being used The values allowed are between 0 and 65535 The default value is 0 4 Specify the BPDU Flooding status for all ports or for individual ports When this feature is enabled BPDU p...

Page 93: ...e Count The number of times the topology has changed for the CST Topology Change The value of the topology change parameter for the switch indicating if a topology change is in progress on any port assigned to the CST The value is either True or False Designated Root The bridge identifier of the root bridge It is made up from the bridge priority and the base MAC address of the bridge Root Path Cos...

Page 94: ... for the Common and Internal Spanning Tree CST which indicates the amount of time in seconds a bridge waits before implementing a topological change The valid range is 6 40 and the value must be less than or equal to 2 Bridge Forward Delay 1 and greater than or equal to 2 Bridge Hello Time 1 The default value is 20 Bridge Hello Time secs Specifies the switch Hello time for the Common and Internal ...

Page 95: ... Port Configuration Use the Spanning Tree CST Port Configuration page to configure Common Spanning Tree CST and Internal Spanning Tree on a specific port on the switch To display the Spanning Tree CST Port Configuration page click Switching STP Advanced CST Port Configuration To configure CST port settings 1 To configure CST settings for a physical port click PORTS 2 To configure CST settings for ...

Page 96: ...ty is set to the priority is automatically set to the next lowest priority that is a multiple of 16 For example if you set a value between 0 and 15 the priority is set to 0 If you specify a number between 16 and 31 the priority is set to 16 External Port Path Cost Set the External Path Cost to a new value for the specified port in the spanning tree It takes a value in the range of 0 200000000 Port...

Page 97: ...articipating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects loops Designated Bridge Bridge Identifier of the bridge with the Designated Port It is made up using the bridge priority and the base MAC address of the bridge Designated Port Port Identifier on the Designated Bridge that offers the lowest cost to the LAN It is made up from the port priority and t...

Page 98: ...n page to configure Multiple Spanning Tree MST on the switch To display the Spanning Tree MST Configuration page click Switching STP Advanced MST Configuration Field Description Interface The physical or port channel interfaces associated with VLANs associated with the CST Role Each MST Bridge Port that is enabled is assigned a Port Role for each spanning tree The port role will be one of the foll...

Page 99: ...iple of 4096 the priority is automatically set to the next lowest priority that is a multiple of 4096 For example if the priority is attempted to be set to any value between 0 and 4095 it will be set to 0 The default priority is 32768 The valid range is 0 61440 VLAN ID The menu contains all VLANs configured on the switch Select a VLAN to associate with the MST instance 2 To delete an MST instance ...

Page 100: ...ted MST instance It is made up using the bridge priority and the base MAC address of the bridge Time Since Topology Change Displays the total amount of time since the topology of the selected MST instance last changed The time is displayed in hour minute second format for example 5 hours 10 minutes and 4 seconds Topology Change Count Displays the total number of times topology has changed for the ...

Page 101: ...t to 16 It takes a value in the range of 0 240 Port Path Cost Set the Path Cost to a new value for the specified port in the selected MST instance It takes a value in the range of 0 200000000 6 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 7 If you make any configuration changes click Apply to send the updated configuratio...

Page 102: ...MAC addresses Learning The port is currently in the learning mode The port cannot forward traffic however it can learn new MAC addresses Forwarding The port is currently in the forwarding mode The port can forward traffic and learn new MAC addresses Port Role Each MST Bridge Port that is enabled is assigned a Port Role for each spanning tree The port role will be one of the following values Root P...

Page 103: ...ysical or port channel interface to view its statistics STP BPDUs Received Number of STP BPDUs received at the selected port STP BPDUs Transmitted Number of STP BPDUs transmitted from the selected port RSTP BPDUs Received Number of RSTP BPDUs received at the selected port RSTP BPDUs Transmitted Number of RSTP BPDUs transmitted from the selected port MSTP BPDUs Received Number of MSTP BPDUs receive...

Page 104: ...each of the remaining network segments in accordance with the IEEE MAC Bridge standard Eventually the packet is made accessible to all nodes connected to the network This approach works well for broadcast packets that are intended to be seen or processed by all connected nodes In the case of multicast packets however this approach could lead to less efficient use of network bandwidth particularly ...

Page 105: ...der of all IGMP messages for the Router Alert option ToS and TTL The packet is dropped if the check fails Disable The IGMP IP header is not checked for the Router Alert option ToS or TTL 3 Choose whether to block unknown multicast addresses Enable Packets with unknown multicast MAC address in the destination field will be dropped Disable Packets with unknown destination multicast MAC addresses are...

Page 106: ...r a physical port click PORTS 2 To configure IGMP Snooping settings for a Link Aggregation Group LAG click LAGS Field Description Multicast Control Frame Count Displays the number of multicast control frames that have been processed by the CPU Interfaces Enabled for IGMP Snooping Lists the interfaces currently enabled for IGMP Snooping To enable interfaces for IGMP snooping see IGMP Snooping Inter...

Page 107: ...ending a query on an interface because it did not receive a report for a particular group on that interface Enter a value greater or equal to 1 and less than the Host Timeout in seconds The default is 10 seconds MRouter Timeout Specify the amount of time you want the switch to wait to receive a query on an interface before removing it from the list of interfaces with multicast routers attached Ent...

Page 108: ...affic is prevented from going to parts of the network where that traffic is unnecessary Field Description MAC Address A multicast MAC address for which the switch has forwarding and or filtering information The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 00 5e 45 67 89 VLAN ID A VLAN ID for which the switch has forwarding and filtering information Type Thi...

Page 109: ...le The following table describes the fields in the MFDB Table Field Description MAC Address The MAC Address to which the multicast MAC address is related To search by MAC address enter the address with the MFDB table entry you want displayed Enter six two digit hexadecimal numbers separated by colons for example 00 0f 43 67 89 AB and then click Go If the address exists that entry will be displayed...

Page 110: ...erface The list of interfaces that are designated for forwarding Fwd and filtering Flt for the selected address Forwarding Interfaces The resultant forwarding list is derived from combining all the forwarding interfaces and removing the interfaces that are listed as the static filtering interfaces Field Description Max MFDB Table Entries Displays the maximum number of entries that the Multicast Fo...

Page 111: ...out MAC based general queries to the interface You should enable fast leave admin mode only on VLANs where only one host is connected to each layer 2 LAN port This prevents the inadvertent dropping of the other hosts that were connected to the same layer 2 LAN port but were still interested in receiving multicast traffic directed to that group Also fast leave processing is supported only with IGMP...

Page 112: ...value of the switch IGMP Snooping Querier IGMP snooping requires that one central switch or router periodically query all end devices on the network to announce their multicast memberships This central device is the IGMP querier The IGMP query responses known as IGMP reports keep the switch updated with the current multicast group membership on a port by port basis If the switch does not receive u...

Page 113: ...y the snooping querier The Query Interval must be a value in the range of 1 1800 seconds The default value is 60 5 In the Querier Expiry Interval field specify the time interval in seconds after which the last querier information is removed The Querier Expiry Interval must be a value in the range of 60 300 seconds The default value is 60 6 Click Cancel to cancel the configuration on the screen and...

Page 114: ...e querier in that VLAN The other querier moves to non querier state Snooping Querier VLAN Address Specify the Snooping Querier IP Address to be used as the source address in periodic IGMP queries sent on the specified VLAN 2 Click Apply to apply the new settings to the switch Configuration changes take effect immediately 3 To disable Snooping Querier on a VLAN select the VLAN ID and click Delete 4...

Page 115: ...a better querier numerically lower in the VLAN it moves to non querier mode Non Querier The snooping switch is in non querier mode in the VLAN If the querier expiry interval timer expires the snooping switch moves into querier mode Disabled The snooping querier is not operational on the VLAN The snooping querier moves to disabled mode when IGMP snooping is not operational on the VLAN when the quer...

Page 116: ...warding and or filtering information This information is used by the transparent bridging function in determining how to propagate a received frame Use the search function of the MAC Address Table page to display information about the entries in the table To access this page click Switching Address Table Basic Address Table To search for an entry in the MAC Address Table 1 Use the Search By field ...

Page 117: ... which are never aged out and dynamically learned entries which are removed if they are not updated within a given time To access the Configuration page click Switching Address Table Advanced Dynamic Addresses Field Description VLAN ID Specifies the VLAN ID on which the IGMP Snooping Querier is administratively enabled and for which VLAN exists in the VLAN database MAC Address A unicast MAC addres...

Page 118: ...he factory default is 300 Note IEEE 802 1D recommends a default of 300 seconds which is the factory default 2 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 3 Click Apply to apply to send the updated configuration to the switch Configuration changes take effect immediately Static MAC Address Use the Static MAC Address Confi...

Page 119: ...ce associated with the MAC address d Click Add 2 To delete a static MAC address select the check box next to the entry and click Delete 3 To modify the settings for a static MAC address select the check box next to the entry update the desired values and click Apply 4 Click Refresh to reload the page and display the latest MAC address learned on a specific port 5 Click Cancel to cancel the configu...

Page 120: ...120 Chapter 3 Configuring Switching Information FS728TP Smart Switch Software Administration Manual ...

Page 121: ...nds on how the queue is configured and possibly the amount of traffic present in the other queues of the port If a delay is necessary packets get held in the queue until the scheduler authorizes the queue for transmission As queues become full packets have no place to be held for transmission and get dropped by the switch QoS is a means of providing consistent predictable data delivery by distingu...

Page 122: ... to trust one of the packet fields 802 1p or IP DSCP or to not trust any packet s priority designation untrusted mode If the port is set to a trusted mode it uses a mapping table appropriate for the trusted field being used This mapping table indicates the CoS queue to which the packet should be forwarded on the appropriate egress port s Of course the trusted field must exist in the packet for the...

Page 123: ...iority queues For information about mapping IEEE 802 1p priorities to the switch hardware priority queues see 802 1p to Queue Mapping on page 126 DSCP The six most significant bits of the DiffServ field are called the Differentiated Services Code Point DSCP bits For information about mapping DSCP values to the switch hardware priority queues see DSCP to Queue Mapping on page 127 3 Click Cancel to ...

Page 124: ...EEE 802 1p are p0 to p7 The QoS setting lets you map each of the eight priority levels to one of eight internal hardware priority queues from 0 lowest priority to 7 highest priority DSCP The six most significant bits of the DiffServ field are called the Differentiated Services Code Point DSCP bits 6 Specify the Interface Shaping Rate This rate specifies the maximum bandwidth allowed typically used...

Page 125: ...splay the Interface Queue Configuration page click the QoS CoS tab and then click the Advanced Interface Queue Configuration link To configure CoS queue settings for an interface 1 To configure CoS queue settings for a physical port click PORTS 2 To configure CoS queue settings for a Link Aggregation Group LAG click LAGS 3 To configure CoS queue settings for both physical ports and LAGs click ALL ...

Page 126: ...e dropped 6 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 7 If you make changes to the page click Apply to apply the changes to the system 802 1p to Queue Mapping The 802 1p to Queue Mapping page also displays the Current 802 1p Priority Mapping table To display the 801 p to Queue Mapping page click QoS CoS Advanced 802 1p...

Page 127: ...e or video The values in each drop down menu represent the traffic class The traffic class is the hardware queue for a port Higher traffic class values indicate a higher queue position Before traffic in a lower queue is sent it must wait for traffic in higher queues to be sent 3 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switc...

Page 128: ...lass is the hardware queue for a port Higher traffic class values indicate a higher queue position Before traffic in a lower queue is sent it must wait for traffic in higher queues to be sent Valid range is 0 7 2 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 3 If you make changes to the page click Apply to apply the change...

Page 129: ...d Services menu page must first be used to define the following categories and their criteria 1 Class Create classes and define class criteria 2 Policy Create policies associate classes with policies and define policy statements 3 Service Add a policy to an inbound interface Packets are classified and processed based on defined criteria The classification criteria is defined by a class The process...

Page 130: ...ble The DiffServ configuration is retained and can be changed but it is not active 2 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 3 If you make changes to the page click Apply to apply the changes to the system The following table describes the information displayed in the Status table on the DiffServ Configuration page F...

Page 131: ...he class type and click Add The switch supports only the Class Type value All which means all the various match criteria defined for the class should be satisfied for a packet match All signifies the logical AND of all the match criteria 2 To rename an existing class select the check box next to the configured class update the name and click Apply 3 To remove a class click the check box beside the...

Page 132: ...Service FS728TP Smart Switch Software Administration Manual To configure the class match criteria 1 Click the class name for an existing class The class name is a hyperlink The following figure shows the configuration fields for the class ...

Page 133: ...ion IP Address Requires a packet s destination port IP address to match the address listed here In the IP Address field enter a valid destination IP address in dotted decimal format Destination Mask Enter a valid subnet mask to determine which bits in the IP address are significant This is not a wildcard mask Destination L4 Port Requires a packet s TCP UDP destination port to match the port you se...

Page 134: ...sting DiffServ class to associate with the policy and click Add The available policy type is In which indicates the type is specific to inbound traffic This field is not configurable 2 To rename an existing policy or add a new member class to the policy select the check box next to the configured class update the fields and click Apply 3 To remove a policy click the check box beside the policy the...

Page 135: ...Chapter 4 Configuring Quality of Service 135 FS728TP Smart Switch Software Administration Manual To configure the policy attributes 1 Click the name of the policy ...

Page 136: ...u Simple Policy Use this attribute to establish the traffic policing style for the specified class The simple form of the policy command uses a single data rate and burst size resulting in two outcomes confirm and violate 4 If you select the Simple Policy attribute you can configure the following fields Color Mode Color Aware mode requires the existence of one or more color classes that are valid ...

Page 137: ...re immediately dropped Violate Action Determines what happens to packets that are considered non conforming above the police rate Select one of the following actions Send default These packets are presented unmodified by DiffServ to the system forwarding element Drop default These packets are immediately dropped 5 Click Cancel to cancel the configuration on the screen and reset the data on the scr...

Page 138: ... box in the heading row to apply the same settings to all interfaces 5 To activate a policy for the selected interface s select the policy from the Policy In menu and then click Apply 6 To remove a policy from the selected interface s select None from the Policy In menu and then click Apply 7 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest valu...

Page 139: ...ch service statistics display which is always In Policy Name Displays the policy associated with the selected interface Operational Status Displays the operational status of this service interface which is either Up or Down Discarded Packets Displays the total number of packets discarded for all class instances in this service policy for any reason due to DiffServ treatment This is the overall cou...

Page 140: ...140 Chapter 4 Configuring Quality of Service FS728TP Smart Switch Software Administration Manual ...

Page 141: ...o configure management security settings for port user and server security The Security tab contains links to the following features Management Security Settings on page 142 Configuring Management Access on page 153 Port Authentication on page 160 Traffic Control on page 166 Configuring Access Control Lists on page 174 ...

Page 142: ...nge the login password To display the page click Security Management Security User Configuration Change Password To change the login password for the management interface 1 Specify the current password in the Old Password The entered password will be displayed in asterisks Passwords are 1 20 alphanumeric characters in length and are case sensitive 2 Enter the new password It will not display as it...

Page 143: ... contains per user authentication information The switch passes information to the configured RADIUS server which can authenticate a user name and password before authorizing use of the network RADIUS servers provide a centralized authentication method for Web Access Access Control Port 802 1X The RADIUS folder contains links to the following features Global Configuration on page 143 RADIUS Server...

Page 144: ...l user interfaces will be blocked until the RADIUS application returns a response 2 In the Timeout Duration field specify the timeout value in seconds for request retransmissions Consideration to maximum delay time should be given when configuring RADIUS max retransmit and RADIUS timeout If multiple RADIUS servers are configured the max retransmit value on each will be exhausted before the next se...

Page 145: ... configured In the Secret field type the shared secret text string used for authenticating and encrypting all RADIUS communications between the switch and the RADIUS server This secret must match the RADIUS encryption From the Active menu specify whether the server is a Primary or Secondary server From the Message Authenticator menu enable or disable the message authenticator attribute for the sel...

Page 146: ...server Access Accepts The number of RADIUS Access Accept packets including both valid and invalid packets that were received from this server Access Rejects The number of RADIUS Access Reject packets including both valid and invalid packets that were received from this server Access Challenges The number of RADIUS Access Challenge packets including both valid and invalid packets that were received...

Page 147: ...5535 3 From the Secret Configured menu select Yes to add a RADIUS secret in the next field You must select Yes before you can configure the RADIUS secret After you add the RADIUS accounting server this field indicates whether the shared secret for this server has been configured 4 In the Secret field type the shared secret to use with the specified accounting server 5 From the Accounting Mode menu...

Page 148: ...nse and the Accounting Request that matched it from this RADIUS accounting server Accounting Requests The number of RADIUS Accounting Request packets sent to this server This number does not include retransmissions Accounting Retransmissions The number of RADIUS Accounting Request packets retransmitted to this server Accounting Responses Displays the number of RADIUS packets received on the accoun...

Page 149: ... Configuration link To configure global TACACS settings 1 In the Key String field specify the authentication and encryption key for TACACS communications between the FS728TP and the TACACS server The valid range is 0 128 characters The key must match the key configured on the TACACS server 2 In the Connection Timeout field specify the maximum number of seconds allowed to establish a TCP connection...

Page 150: ...er Address field is only available when Add is selected in the TACACS Server IP Address field After you add one or more TACACS servers additional fields appear on the TACACS Server Configuration page 2 In the Priority field specify the order in which the TACACS servers are used A value of 0 is the highest priority 3 In the Port field specify the authentication port number through which the TACACS ...

Page 151: ...s to validate switch or port access for the admin user Note Admin is the only user on the system and is assigned to a preconfigured list named defaultList which you cannot delete To access the Authentication List page click Security Management Security and then click the Authentication List link To change the authentication method for the defaultList 1 Select the check box next to the defaultList ...

Page 152: ... switch attempts user authentication Method 2 None The authentication method is unspecified This option is only available for Method 2 and Method 3 3 Use the menu in the 2 column to select the authentication method if any that should appear second in the selected authentication login list This is the method that will be used if the first method times out If you select a method that does not time o...

Page 153: ... system To access the HTTP Configuration page click the Security tab then click Access and then click the HTTP HTTP Configuration link To configure the HTTP server settings 1 Enable or disable the Web Java Mode This applies to both secure and un secure HTTP connections The currently configured value is shown when the Web page is displayed The default value is Enable 2 In the HTTP Session Soft Time...

Page 154: ...iguration on the screen and reset the data on the screen to the latest value of the switch 6 If you make changes to the page click Apply to apply the changes to the system Secure HTTP Configuration Secure HTTP enables the transmission of HTTP over an encrypted Secure Sockets Layer SSL or Transport Layer Security TLS connection When you manage the switch by using a Web interface secure HTTP can hel...

Page 155: ... is 5 minutes The currently configured value is shown when the Web page is displayed 6 In the HTTPS Session Hard Timeout field specify the number of hours an HTTPS session can remain active regardless of session activity The value must be in the range of 1 168 hours The default value is 24 hours The currently configured value is shown when the Web page is displayed 7 In the Maximum Number of HTTPS...

Page 156: ...iffie Hellman Strong Encryption Parameter File PEM Encoded 2 In the TFTP Server IP field specify the address of the TFTP server The address can be an IP address in standard x x x x format or a hostname The hostname must start with a letter of the alphabet Make sure that the software image or other file to be downloaded is available on the TFTP server 3 In the Remote File Name field specify the nam...

Page 157: ...ess the Access Profile Configuration page click Security Access and then click the Access Control Access Profile Configuration link To configure an Access Profile 1 In the Access Profile Name field specify the name of the access profile to be added The maximum length is 32 characters 2 To activate an access profile select the Activate Profile check box You cannot add rules to an active profile 3 T...

Page 158: ... Security Access and then click the Access Control Access Rule Configuration link Field Description Rule Type Identifies the action the rule takes which is either Permit or Deny Service Type Displays the type of service to allow or prohibit from accessing the switch management interface SNMP HTTP HTTPS Source IP Address Displays the IP Address of the client that may or may not originate management...

Page 159: ...llow or prohibit from accessing the switch management interface SNMP HTTP HTTPS Source IP Address Specify the IP Address of the client originating the management traffic Mask Specify the subnet mask associated with the IP address The subnet mask is a standard subnet mask and not an inverse wildcard mask that you use with IP ACLs Priority Configure priority to the rule The rules are validated again...

Page 160: ...ifies the port that is authenticated before permitting system access Supplicants Specifies the host connected to the authenticated port requesting access to the system services Authentication Server Specifies the external server for example the RADIUS server that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services From t...

Page 161: ...ed users 2 Select the appropriate radio button in the Guest VLAN field to enable or disable the guest VLAN supplicant mode Enabled When no 802 1X supplicant is authenticated on a port the port still provides limited network access as determined by a guest VLAN configured on the authentication server Disabled A guest VLAN cannot be used for unauthorized ports 3 Click Cancel to cancel the configurat...

Page 162: ...tiple check boxes to apply the same settings to the selected ports or select the check box in the heading row to apply the same settings to all ports 2 For the selected port s specify the following settings Port Control Defines the port authorization state The control mode is only set if the link status of the port is link up The possible field values are Auto Automatically detects the mode of the...

Page 163: ...ime that the switch remains in the quiet state following a failed authentication exchange The possible field range is 0 65535 The field value is in seconds The field default is 60 seconds Resending EAP This input field allows you to configure the transmit period for the selected port The transmit period is the value in seconds of the timer used by the authenticator state machine on the specified p...

Page 164: ...f the backend authentication state machine Possible values are as follows Request Response Success Fail Timeout Initialize Idle EAPOL Flood Mode This field is used to enable or disable the EAPOL Flood mode per Interface The default value is Disable 3 Click Apply to send the updated screen to the switch and cause the changes to occur on the switch and the changes will be saved 4 Click Initialize to...

Page 165: ...ink status of the port is link up The possible field values are Auto Automatically detects the mode of the interface Force Authorized Places the interface into an authorized state without being authenticated The interface sends and receives normal traffic without client port based authentication Force Unauthorized Denies the selected interface system access by moving the interface into unauthorize...

Page 166: ...otected Ports Membership on page 173 MAC Filter Configuration Use the MAC Filter Configuration page to create MAC filters that limit the traffic allowed into and out of specified ports on the system To display the MAC Filter Configuration page click Security Traffic Control and then click the MAC Filter MAC Filter Configuration link Reauthentication Enabled Displays if reauthentication is enabled ...

Page 167: ... 01 80 C2 00 00 0F 01 80 C2 00 00 20 to 01 80 C2 00 00 21 FF FF FF FF FF FF d Click the orange bar under the Source Port Members heading to display the available ports Select the port s to include in the inbound filter If a packet with the MAC address and VLAN ID you specify is received on a port that is not in the list it will be dropped e Click the orange bar under the Destination Port Members h...

Page 168: ...ponses can overload network resources and or cause the network to time out The switch measures the incoming broadcast multicast unknown unicast packet rate per port and discards packets when the rate exceeds the defined value Storm control is enabled per interface by defining the packet type and the rate at which the packets are transmitted To display the Storm Control page click Security Traffic ...

Page 169: ...e dropped Multicast If the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold the traffic will be dropped Broadcast If the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold the traffic will be dropped 3 When the selected Ingress Control Mode is an option other than Disable select Enable or Disable from t...

Page 170: ...enable or disable port security on the switch 2 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 3 If you change the mode click Apply to apply the change to the system The Port Security Violation table shows information about violations that occurred on ports that are enabled for port security The following table describes th...

Page 171: ... zero Static locking allows you to specify a list of MAC addresses that are allowed on a port The behavior of packets is the same as for dynamic locking only packets with an allowable source MAC address can be forwarded To display the Port Security Interface Configuration page click Security Traffic Control and then click the Port Security Interface Configuration link To configure port security se...

Page 172: ...screen to the latest value of the switch 7 If you make changes to the page click Apply to apply the changes to the system Security MAC Address Use the Security MAC Address page to convert a dynamically learned MAC address to a statically locked address To display the Security MAC Address page click Security Traffic Control and then click the Port Security Security MAC Address link To convert learn...

Page 173: ...link To configure protected ports 1 Click the orange bar to display the available ports 2 Click the box below each port to configure as a protected port Protected ports are marked with an X No traffic forwarding is possible between two protected ports 3 Click Refresh to refresh the page with the most current data from the switch 4 Click Cancel to cancel the configuration on the screen and reset th...

Page 174: ...CL ID Next define the rules which can identify protocols source and destination IP and MAC addresses and other packet matching criteria Finally use the ID number to assign the ACL to a port or to a LAG The Security ACL folder contains links to the following features Basic MAC ACL on page 174 MAC Rules on page 175 MAC Binding Configuration on page 177 MAC Binding Table on page 178 Advanced IP ACL o...

Page 175: ...n alphabetic character Each configured ACL displays the following information Rules Displays the number of rules currently configured for the MAC ACL Direction Displays the direction of packet traffic affected by the MAC ACL which can be Inbound or blank 2 To delete a MAC ACL select the check box next to the Name field then click Delete 3 To change the name of a MAC ACL select the check box next t...

Page 176: ...les so if Match Every is True the other rules on the screen are not available CoS Requires a packet s class of service CoS to match the CoS value listed here Enter a CoS value between 0 7 to apply this criteria Destination MAC Requires an Ethernet frame s destination port MAC address to match the address listed here Enter a MAC address in this field The valid format is xx xx xx xx xx xx Destinatio...

Page 177: ...alid format is xx xx xx xx xx xx A MAC mask of 00 00 00 00 00 00 matches a single MAC address VLAN Requires a packet s VLAN ID to match the ID listed here Enter the VLAN ID to apply this criteria The valid range is 1 4093 3 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 4 To delete a rule select the check box associated wit...

Page 178: ...han the highest sequence number currently in use for this interface and direction will be used The valid range is 1 4294967295 3 Click the appropriate orange bar to expose the available ports or LAGs To add the selected ACL to a port or LAG click the box directly below the port or LAG number so that an X appears in the box To remove the selected ACL from a port or LAG click the box directly below ...

Page 179: ...t is received the packet is dropped ACLs are composed of access control entries ACE or rules that consist of the filters that determine traffic classifications Use the IP ACL Configuration page to add or remove IP based ACLs To display the IP ACL page click Security ACL then click the Advanced IP ACL link Field Description Interface Displays the interface to which the MAC ACL is bound Direction Sp...

Page 180: ...d ACL which allows you to permit or deny specific types of layer 3 or layer 4 traffic from a source IP address to a destination IP address This type of ACL provides more granularity and filtering capabilities than the standard IP ACL Each configured ACL displays the following information Rules Displays the number of rules currently configured for the IP ACL Type Identifies the ACL as either a stan...

Page 181: ...or an IP ACL 1 To add an IP ACL rule select the ACL ID to add the rule to complete the fields described in the following list and click Add Rule ID Specify a number from 1 10 to identify the IP ACL rule You can create up to 10 rules for each ACL Action Selects the ACL forwarding action which is one of the following Permit Forwards packets which meet the ACL criteria Deny Drops packets which meet t...

Page 182: ...heck box associated with the rule and then click Delete 3 To update an IP ACL rule select the check box associated with the rule update the desired fields and then click Apply You cannot modify the Rule ID of an existing IP rule 4 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 5 If you change any of the settings on the page...

Page 183: ...he ACL ID to add the rule to select the check box in the Extended ACL Rule table and click Add The page displays the extended ACL Rule Configuration fields 2 Configure the new rule Rule ID Specify a number from 1 10 to identify the IP ACL rule You can create up to 10 rules for each ACL Action Selects the ACL forwarding action which is one of the following ...

Page 184: ...mple to apply the rule to all hosts in the 192 168 1 0 24 subnet you type 0 0 0 255 in the Source IP Mask field This field is required when you configure a source IP address Src L4 Port Requires a packet s TCP UDP source port to match the port listed here Click Complete one of the following fields Source L4 Keyword Select the desired L4 keyword from a list of source ports on which the rule can be ...

Page 185: ...specifies the bit positions that are used for comparison against the IP TOS field in a packet The TOS Mask value is a two digit hexadecimal number from 00 to ff representing an inverted i e wildcard mask The zero valued bits in the TOS Mask denote the bit positions in the TOS Bits value that are used for comparison against the IP TOS field of a packet For example to check for an IP TOS value havin...

Page 186: ...ed access list using that sequence number If the sequence number is not specified by the user a sequence number that is one greater than the highest sequence number currently in use for this interface and direction will be used The valid range is 1 4294967295 3 Click the appropriate orange bar to expose the available ports or LAGs To add the selected ACL to a port or LAG click the box directly bel...

Page 187: ...ck box next to the interface and click Delete Field Description Interface Displays the interface to which the IP ACL is bound Direction Specifies the packet filtering direction for ACL The only valid direction is Inbound which means the IP ACL rules are applied to traffic entering the port ACL Type Displays the type of ACL assigned to selected interface and direction ACL ID Displays the ACL Number...

Page 188: ...188 Chapter 5 Managing Device Security FS728TP Smart Switch Software Administration Manual ...

Page 189: ...es available from the Monitoring tab to view a variety of information about the switch and its ports and to configure how the switch monitors events The Monitoring tab contains links to the following features Ports on page 190 System Logs on page 203 Port Mirroring on page 211 ...

Page 190: ... received on the switch From the Ports link you can access the following pages Switch Statistics on page 190 Port Statistics on page 192 Port Detailed Statistics on page 193 EAP Statistics on page 200 Cable Test on page 201 Switch Statistics The Switch Statistics page displays detailed statistical information about the traffic the switch handles To access the Switch Statistics page click Monitorin...

Page 191: ...ld be to free up buffer space Octets Transmitted The total number of octets transmitted out of the interface including framing characters Packets Transmitted Without Errors The total number of packets transmitted out of the interface Unicast Packets Transmitted The total number of packets that higher level protocols requested be transmitted to a subnetwork unicast address including those that were...

Page 192: ...tistics on the switch To access the Port Summary page click Monitoring Ports and then click the Port Statistics link Most VLAN Entries Ever Used The largest number of VLANs that have been active on this switch since the last reboot Static VLAN Entries The number of presently active VLAN entries on this switch that have been created statically Dynamic VLAN Entries The number of presently active VLA...

Page 193: ...etailed Statistics The Port Detailed Statistics figure shows some but not all of the fields on the page Field Description Interface Lists the ports on the system Total Packets Received Without Errors The total number of packets received that were without errors Packets Received With Error The number of inbound packets that contained errors preventing them from being deliverable to a higher layer p...

Page 194: ...d with this port on an adapter Port Type For most ports this field is blank Otherwise the possible values are Mirrored Indicates that the port has been configured as a monitoring port and is the source port in a port mirroring session For additional information about port monitoring and probe ports see Multiple Port Mirroring on page 211 Probe Indicates that the port has been configured as a monit...

Page 195: ...in the network default Disable The port is administratively down and does not participate in the network LACP Mode Selects the Link Aggregation Control Protocol administration state Enable Specifies that the port is allowed to participate in a port channel LAG which is the default mode Disable Specifies that the port cannot participate in a port channel LAG Physical Mode Indicates the port speed a...

Page 196: ...f greater precision is desired the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval Packets Received 64 Octets The total number of packets including bad packets received that were 64 octets in length excluding framing bits but including FCS octets Packets Received 65 127 Octets The total number of packets including bad packets received that were betw...

Page 197: ...umber of packets received that were less than 64 octets in length with GOOD CRC excluding framing bits but including FCS octets Alignment Errors The total number of packets received that had a length excluding framing bits but including FCS octets of between 64 and 1518 octets inclusive but had a bad Frame Check Sequence FCS with a non integral number of octets Rx FCS Errors The total number of pa...

Page 198: ... of packets including bad packets transmitted that were between 128 and 255 octets in length inclusive excluding framing bits but including FCS octets Packets Transmitted 256 511 Octets The total number of packets including bad packets transmitted that were between 256 and 511 octets in length inclusive excluding framing bits but including FCS octets Packets Transmitted 512 1023 Octets The total n...

Page 199: ... Collision Frames A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision Excessive Collision Frames A count of frames for which transmission on a particular interface fails due to excessive collisions Port Membership Discards The number of frames discarded on egress for this port due to egress filtering bein...

Page 200: ...yed on the screen Field Description Ports Specifies the interface which is polled for statistics Frames Received Displays the number of valid EAPOL frames received on the port Frames Transmitted Displays the number of EAPOL frames transmitted through the port Start Frames Received Displays the number of EAPOL Start frames received on the port Logoff Frames Received Displays the number of EAPOL Log...

Page 201: ... Test Use the Cable Test page to display information about the cables connected to switch ports To display the Cable Test page click the Monitoring Ports tab and then click the Cable Test link Length Error Frames Received Displays the number of EAPOL frames with an invalid Packet Body Length received on this port Response ID Frames Received Displays the number of EAP Respond ID frames that have be...

Page 202: ...le is disconnected or there is a faulty connector Short there is an electrical short in the cable Cable Test Failed The cable status could not be determined The cable may in fact be working Unknown The test has not been performed Cable Length The estimated length of the cable in meters The length is displayed as a range between the shortest estimated length and the longest estimated length Unknown...

Page 203: ...ty includes filtering of messages logged or forwarded based on severity and generating component The Monitoring Logs tab contains links to the following folders Memory Logs on page 203 FLASH Log Configuration on page 205 Server Log Configuration on page 207 Trap Logs on page 208 Event Logs on page 210 Memory Logs The in memory log stores messages in memory based upon the settings for message compo...

Page 204: ...fer is full the system stops logging new messages and preserves all existing log messages 3 If you change the buffered log settings click Apply to apply the changes to the system and the changes will be saved The Memory Log table also appears on the Memory Log page The rest of the page displays the Memory Log messages The format of the log message is the same for messages that are displayed for th...

Page 205: ... the page to perform the following actions Click Clear to clear the messages out of the buffered log in the memory Click Refresh to update the page with the latest messages in the log Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch FLASH Log Configuration The FLASH log is a log that is stored in persistent storage which mean...

Page 206: ...og is saved to the device Alert 1 The second highest warning level An alert log is saved if there is a serious device malfunction such as all device features being down Action must be taken immediately Critical 2 The third highest warning level A critical log is saved if a critical device malfunction occurs for example two device ports are not functioning while the rest of the device ports remain ...

Page 207: ...ring Logs tab and then click the Server Log link To configure local log server settings 1 Use the radio buttons in the Admin Status field to determine whether to send log messages to the remote syslog hosts configured on the switch Enable Messages will be sent to all configured hosts syslog collectors or relays using the values configured for each host Disable Stops logging to all syslog hosts Dis...

Page 208: ...us device malfunction such as all device features being down Critical 2 The third highest warning level A critical log is saved if a critical device malfunction occurs for example two device ports are not functioning while the rest of the device ports remain functional Error 3 A device error has occurred such as if a port is offline Warning 4 The lowest level of a device warning Notice 5 Provides ...

Page 209: ... reboot Trap Log Capacity The maximum number of traps stored in the log If the number of traps exceeds the capacity the entries will overwrite the oldest entries Number of Traps Since Log Last Viewed The number of traps that have occurred since the traps were last displayed Displaying the traps by any method such as terminal interface display Web display or upload file from switch will cause this ...

Page 210: ...ribes the Event Log information displayed on the screen Use the buttons at the bottom of the page to perform the following actions Click Clear to clear the messages out of the Event Log Click Refresh to refresh the data on the screen and display the most current information Field Description Entry The number of the entry within the event log The most recent entry is first Type Specifies the type o...

Page 211: ... received packet the copied packet is VLAN tagged or untagged as it was received on the source port If the mirror is copying a transmitted packet the copied packet is VLAN tagged or untagged as it is being transmitted on the source port Use the Multiple Port Mirroring page to define port mirroring sessions To access the Multiple Port Mirroring page click Monitoring Port Mirroring To configure Port...

Page 212: ...gs to the system If the port is configured as a source port the Mirroring Port field value is Mirrored 5 To delete a mirrored port select the check box next to the mirrored port and then click Delete 6 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch ...

Page 213: ...able from the Maintenance tab to help you manage the switch The Maintenance tab contains links to the following features Reset on page 214 Upload File From Switch on page 216 Download File To Switch on page 219 File Management on page 223 Troubleshooting on page 226 ...

Page 214: ...ch resets immediately The management interface is not available until the switch completes the boot cycle After the switch resets the login screen appears Factory Default Use the Factory Default page to reset the system configuration to the factory default values Note If you reset the switch to the default configuration the IP address is reset to 192 168 0 239 and the DHCP client is enabled If you...

Page 215: ...pter 7 Maintenance 215 FS728TP Smart Switch Software Administration Manual To reset the switch to the factory default settings 1 Select the check box on the page 2 Click Apply The switch resets immediately ...

Page 216: ... File Upload To upload a file from the switch to the TFTP server 1 Use the File Type menu to specify the type of file you want to upload Code Uploads a stored code image Text Configuration Uploads the text configuration file which can be used as a backup copy or to download and apply to another switch Error Log Uploads the system error persistent log sometimes referred to as the event log Buffered...

Page 217: ... name For a code transfer use an stk file extension 7 Select the Start File Transfer check box to initiate the file upload 8 Click Apply to begin the file transfer The last row of the table displays information about the progress of the file transfer The page refreshes automatically until the file transfer completes or fails HTTP File Upload Use the HTTP File Upload page to upload files of various...

Page 218: ... working configuration from a device edit it offline to personalize it for another similar device for example change the device name serial number IP address and download it to that device 2 If you are uploading an FS728TP image Code select the image on the switch to upload to the management system This field is visible only when Code is selected as the File Type 3 Click Apply A window appears to ...

Page 219: ...mation To access the TFTP File Download page click Maintenance Download TFTP File Download Before you download a file to the switch the following conditions must be true The file to download from the TFTP server is on the server in the appropriate directory The file is in the correct format The switch has a path to the TFTP server To download a file to the switch from a TFTP server 1 From the File...

Page 220: ... the File Type Note It is recommended that you not overwrite the active image The system will display a warning that you are trying to overwrite the active image 3 From the Server Address Type filed specify the format for the address you type in the TFTP Server Address field IPv4 Indicates the TFTP server address is an IP address in dotted decimal format DNS Indicates the TFTP server address is a ...

Page 221: ...ive image This is a safety feature for faults occurring during the boot upgrade process Text Configuration A text based configuration file enables you to edit a configured text file startup config offline as needed without having to translate the contents for the switch to understand The most common usage of text based configuration is to upload a working configuration from a device edit it offlin...

Page 222: ... display a warning that you are trying to overwrite the active image 3 Click Browse to open a file upload window to locate the file you want to download 4 Click Cancel to cancel the operation on the screen and reset the data on the screen to the latest value of the switch 5 Click the Apply button to initiate the file download Note After a file transfer is started please wait until the page refresh...

Page 223: ...e not load a configuration file created by the newer software version When a configuration file created by the newer software version is discovered by the system running an older version of the software the system will display an appropriate warning to the user Use the Dual Image Configuration page to set the boot image configure an image description or delete an image To display the Dual Image Co...

Page 224: ... reset the data on the screen to the latest value of the switch 6 Click Apply to apply the settings to the switch Dual Image Status You can use the Dual Image Status page to view information about the system images on the device To display the Dual Image Status page click Maintenance File Management Dual Image Dual Image Status The following table describes the information on the Dual Image Status...

Page 225: ...r change the system images see File Management on page 223 Current active Displays the currently active image on this switch Next active Displays the image to be used on the next restart of this switch Image1 Description Displays the description associated with the image1 code file Image2 Description Displays the description associated with the image2 code file Field Description ...

Page 226: ...ss field specify the IP address or the hostname of the station you want the switch to ping The initial value is blank This information is not retained across a power cycle 2 Optionally configure the following settings Count Specify the number of pings to send The valid range is 1 15 Interval Specify the number of seconds between pings sent The valid range is 1 60 Size Specify the size of the ping ...

Page 227: ... to discover the route to a host on the network 1 In the Hostname IP Address field specify the IP address or the hostname of the station you want the switch to ping The initial value is blank This information is not retained across a power cycle 2 Optionally configure the following settings Probes Per Hop Specify the number of times each hop should be probed The valid range is 1 10 MaxTTL Specify ...

Page 228: ...t in probe packets The valid range is 1 65535 Size Specify the size of probe packets The valid range is 0 65507 3 Click Cancel to cancel the operation on the screen and reset the data on the screen to the latest value of the switch 4 Click Apply to initiate the traceroute The results display in the TraceRoute area ...

Page 229: ...tab contains a link to Online Help Online Help The Online Help includes the following pages Support on page 229 User Guide on page 230 Support Use the Support page to connect to the Online Support site at netgear com To access the Support page click Help Support To connect to the NETGEAR support site for the FS728TP click Apply ...

Page 230: ...de Use the User Guide page to access the FS728TP Smart Switch Software Administration Manual the guide you are now reading that is available on the NETGEAR Website To access the User Guide page click Help User Guide To access to the User Guide that is available online click Apply ...

Page 231: ...Chapter 8 Help 231 FS728TP Smart Switch Software Administration Manual ...

Page 232: ...t Ethernet RJ 45 ports Two 1000M Gigabit Ethernet combo ports RJ 45 supports auto sensing for 10 100 1000M speed on RJ45 and 1000M on SFP1000M SFP Gigabit Ethernet ports PoE Ports 1 24 IEEE 802 3af Alternative A MDI X Flash memory size 16 MB SRAM size and type 64 MB DDR Feature Value Switching capacity Non Blocking Full WireSpeed on all packet sizes Forwarding method Store and Forward Packet forwa...

Page 233: ...g aggregation 8 Pre configured 802 1D spanning tree 1 Disabled 802 1w RSTP 1 Disabled 802 1s spanning tree 3 instances Disabled Static 802 1Q tagging 128 VID 1 Member ports 28 Learning process Supports Static and dynamic MAC entries Dynamic learning is enabled by default PoE 24 Enabled Feature Sets Supported Default Storm control All ports Disabled Jumbo frame All ports Disabled Max 2032 bytes Fea...

Page 234: ...ses allowed Port MAC lock down All ports Disabled Feature Sets Supported Default Boot code update 1 N A DHCP manual IP 1 DHCP enabled 192 168 0 239 Default gateway 1 192 168 0 254 System name configuration 1 NULL Configuration save restore 1 N A Firmware upgrade 1 N A Restore defaults 1 Web and front panel button N A Dual image support 1 Enabled Factory reset 1 N A Feature Sets Supported Default M...

Page 235: ...ntrol Center N A Enabled Statistics N A N A Feature Sets Supported Default IGMP snooping v1 v2 All ports Disabled Configurations upload download 1 N A EAPoL flooding All ports Disabled BPDU flooding All ports Disabled Static multicast groups 8 Disabled Filter multicast control 1 Disabled Feature Sets Supported Default ...

Page 236: ...236 Appendix A Hardware Specifications and Default Values FS728TP Smart Switch Software Administration Manual ...

Page 237: ...Examples B This chapter contains information about how to configure the following features Virtual Local Area Networks VLANs on page 238 Access Control Lists ACLs on page 240 Differentiated Services DiffServ on page 243 802 1X on page 247 MSTP on page 250 ...

Page 238: ...mmunicate most frequently with each other can be grouped into common VLANs regardless of physical location Each group s traffic is contained largely within the VLAN reducing extraneous traffic and improving the efficiency of the whole network They are easy to manage The addition of nodes as well as moves and other changes can be dealt with quickly and conveniently from a management interface rathe...

Page 239: ...llows For the default VLAN with VLAN ID 1 specify the following members port 7 U and port 8 U For the VLAN with VLAN ID 10 specify the following members port 1 U port 2 U and port 3 T For the VLAN with VLAN ID 20 specify the following members port 4 U port 5 T and port 6 U 3 In the Port PVID Configuration screen see Port VLAN ID Configuration on page 84 specify the PVID for ports e1 and e4 so that...

Page 240: ...cket is based on whether or not the packet matches the specified criteria Traffic filtering requires the following two basic steps 1 Create an access list definition The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded Additionally you can assign traffic that matches the criteria to a particular queue or redirect the traffi...

Page 241: ...erface and direction 4 The MAC Binding Table displays the interface and MAC ACL binding information See MAC Binding Table on page 178 The ACL named Sales_ACL looks for Ethernet frames with destination and source MAC addresses and MAC masks defined in the rule Also the frame must be tagged with VLAN ID 2 which is the Sales department VLAN The CoS value of the frame must be 0 which is the default va...

Page 242: ...ion about IP ACL rules see IP Rules on page 181 3 Click Add 4 From the IP Rules screen create a second rule for IP ACL 1 with the following settings Rule ID 2 Action Permit Match Every True 5 Click Add 6 From the IP Binding Configuration page assign ACL ID 1 to the Ethernet ports 2 3 and 4 and assign a sequence number of 1 See IP Binding Configuration on page 185 By default this IP ACL is bound on...

Page 243: ...e If one node is unable to meet the necessary timing requirements this creates a deficiency in the network path and the performance of the entire packet flow is compromised There are two basic types of QoS Integrated Services network resources are apportioned based on request and are reserved resource reservation according to network management policy RSVP for example Differentiated Services netwo...

Page 244: ...face These service levels are defined by configuring BA classes for each Creating Policies Use DiffServ policies to associate a collection of classes that you configure with one or more QoS policy statements The result of this association is referred to as a policy From a DiffServ perspective there are two types of policies Traffic Conditioning Policy a policy applied to a DiffServ traffic class S...

Page 245: ...em based on the DiffServ policy being created See the Statistics section of this document for more details Assigning QoS Queue directs traffic stream to the specified QoS queue This allows a traffic classifier to specify which one of the supported hardware queues are used for handling packets belonging to the class Redirecting forces classified traffic stream to a specified egress port physical or...

Page 246: ... 9 From the Service Configuration screen select the check box next to interfaces g7 and g8 to attach the policy to these interfaces and then click Apply See Service Configuration on page 137 All UDP packet flows destined to the 192 12 2 0 network with an IP source address from the 192 12 1 0 network that have a Layer 4 Source port of 4567 and Destination port of 4568 from this switch on ports 7 an...

Page 247: ...n server and the supplicant the system that requests authentication as well as between the authenticator and the authentication server The FS728TP Smart Switch supports a guest VLAN which allows unauthenticated users to have limited access to the network resources Note You can use QoS features to provide rate limiting on the guest VLAN to limit the network resources the guest VLAN provides Another...

Page 248: ...Authenticator PAE controls the authorized unauthorized state of the controlled Port depending on the outcome of the RADIUS based authentication process 802 1X Example Configuration This example shows how to configure the switch so that 802 1X based authentication is required on the ports in a corporate conference room e1 e8 These ports are available to visitors and need to be authenticated before ...

Page 249: ...are several additional settings that you can configure For example the EAPOL Flood Mode field allows you to enable the forwarding of EAPoL frames when 802 1X is disabled on the device 6 From the RADIUS Server Configuration screen configure a RADIUS server with the following settings Server Address 192 168 10 23 Secret Configured Yes Secret secret123 Active Primary For more information see RADIUS C...

Page 250: ...aths each based on an independent Multiple Spanning Tree Instance MSTI within Multiple Spanning Tree MST Regions composed of LANs and or MSTP Bridges These Regions and the other Bridges and LANs are connected into a single Common Spanning Tree CST IEEE DRAFT P802 1s D13 MSTP connects all Bridges and LANs with a single Common and Internal Spanning Tree CIST The CIST supports the automatic determina...

Page 251: ...eved by 1 Ensuring that the allocation of VIDs to FIDs is unambiguous 2 Ensuring that each FID supported by the Bridge is allocated to exactly one Spanning Tree Instance The combination of VID to FID and then FID to MSTI allocation defines a mapping of VIDs to spanning tree instances represented by the MST Configuration Table With this allocation we ensure that every VLAN is assigned to one and on...

Page 252: ...tch MAC address 4 From the CST Configuration screen set the Bridge Priority value for each of the three switches to force Switch 1 to be the root bridge Switch 1 4096 Switch 2 12288 Switch 3 20480 Note Bridge priority values are multiples of 4096 If you do not specify a root bridge and all switches have the same Bridge Priority value the switch with the lowest MAC address is elected as the root br...

Page 253: ...wing settings MST ID 2 Priority 49152 VLAN ID 500 12 Click Add In this example assume that Switch 1 has become the Root bridge for the MST instance 1 and Switch 2 has become the Root bridge for MST instance 2 Switch 3 has hosts in the Sales department ports e1 e2 and e3 and in the HR department ports e4 and e5 Switches 1 and 2 also have hosts in the Sales and Human Resources departments The hosts ...

Page 254: ... for Interference VCCI Statement This equipment is in the Class A category information equipment to be used in a residential area or an adjacent area thereto and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas When used near a radio or TV rece...

Page 255: ...enevatele teistele asjakohastele sätetele English Hereby NETGEAR Inc declares that this Radiolan is in compliance with the essential requirements and other relevant provisions of Directive 1999 5 EC Español Spanish Por medio de la presente NETGEAR Inc declara que el Radiolan cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999 5 CE Ελλ...

Page 256: ...evanti li hemm fid Dirrettiva 1999 5 EC Magyar Hungarian Alulírott NETGEAR Inc nyilatkozom hogy a Radiolan megfelel a vonatkozó alapvetõ követelményeknek és az 1999 5 EC irányelv egyéb elõírásainak Polski Polish Niniejszym NETGEAR Inc oświadcza że Radiolan jest zgodny z zasadniczymi wymogami oraz pozostałymi stosownymi postanowieniami Dyrektywy 1999 5 EC Português Portuguese NETGEAR Inc declara qu...

Page 257: ...adio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following methods Reorient or relocate the receiving antenna Increase the separation between the equipment and the receiver Connect the equipment into an electrical outlet on a circuit different from that which the radio receiver i...

Page 258: ...dress 117 Dynamic Host 45 Global 104 Green Ethernet 46 HTTP 153 IGMP Snooping 104 LACP 80 LACP Port 81 LAG 77 LLDP 58 MAC Filter 166 Management Access 153 MST Port 100 Network Settings on the Administrative System 16 password 142 Policy 134 Port Security 170 Port VLAN ID 85 RADIUS 143 Global 143 Secure HTTP 154 SNMP v3 User 57 SNTP Server 38 Standard IP ACL Example 242 STP 91 TACACS 148 Time 36 Tr...

Page 259: ...77 logical 30 naming convention 30 physical 30 queue configuration 125 IP address administrative system 16 switch 12 33 IP DSCP 122 Mapping 127 L LACP port configuration 81 LAG VLAN 77 LAGPDUs 77 LAGs 77 Membership 78 Static 77 LLDP 58 Local Information 63 neighbors information 65 packets 59 port settings 59 LLDP MED 58 M MAC 33 64 97 104 ACL 174 bridge identifier 100 CPU Management Interface 30 d...

Page 260: ...onfiguration 38 server status 39 SSL 154 storm control 168 STP 91 example configuration 250 Status 91 Stratum 0 35 1 35 2 35 T T1 36 T2 36 T3 36 T4 36 TACACS folder 149 settings 149 technical support 2 Time configure through SNTP 37 UTC 37 time 35 clock source 37 levels 35 local 37 zone 37 TraceRoute 227 trademarks 2 traffic control 166 trap flags 55 manager 55 U Unicast 36 upload configuration 21...

Page 261: ...Index 261 FS728TP Smart Switch Software Administration Manual ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands