manualshive.com logo in svg

NETGEAR GS716Tv2 - ProSafe Gigabit Managed Switch, Admin Manual, Page: 174 / 246

Share
Download
NETGEAR GS716Tv2 - ProSafe Gigabit Managed Switch Admin Manual Download Page 174

GS716Tv2 and GS724Tv3 Software Administration Manual

5-48

Managing Device Security

v1.0, July 2009

2.

To add an IP ACL, enter an ACL ID in the appropriate field, and then click 

Add

.

3.

To delete an IP ACL, select the check box associated withe ACL ID, and then click 

Delete

The 

Delete

 button only appears if a configured IP ACL is selected.

4.

Click 

Cancel 

to cancel the configuration on the screen and reset the data on the screen to the 

latest value of the switch.

IP Rules

Use the IP Rules page to define rules for IP-based standard ACLs. The access list definition 
includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. 

To display the IP Rules page:

Table

 

5-34. IP ACL Configuration Fields

 

Field

Description

IP ACL

Enter an ACL ID. The ID is an integer in the following range:
• 1–99: Creates an IP Standard ACL, which allows you to permit or 

deny traffic from a source IP address.

• 100–199: Creates an IP Extended ACL, which allows you to permit or 

deny specific types of layer 3 or layer 4 traffic from a source IP 
address to a destination IP address. This type of ACL provides more 
granularity and filtering capabilities than the standard IP ACL.

Rules

Shows the number of rules currently configured for the IP ACL.

Type

Identifies the ACL as either a standard or extended IP ACL.

Note: 

There is an implicit “deny all” rule at the end of an ACL list. This means that if an 

ACL is applied to a packet and if none of the explicit rules match, then the final 
implicit “deny all” rule applies and the packet is dropped.

Summary of Contents for GS716Tv2 - ProSafe Gigabit Managed Switch

Page 1: ...202 10484 01 July 2009 NETGEAR Inc 350 E Plumeria Drive San Jose CA 95134 USA GS716Tv2 and GS724Tv3 Software Administration Manual...

Page 2: ...ficate of the Manufacturer Importer It is hereby certified that the Gigabit Smart Switch has been suppressed in accordance with the conditions set out in the BMPT AmtsblVfg 243 1991 and Vfg 46 1992 Th...

Page 3: ...become the cause of radio interference Read instructions for correct handling Product and Publication Details Model Number GS716T and GS724T Publication Date July 2009 Product Family GS716T GS724T Ser...

Page 4: ...v1 0 July 2009 iv...

Page 5: ...rk 1 1 Switch Management Interface 1 2 SmartWizard Discovery in a Network with a DHCP Server 1 3 SmartWizard Discovery in a Network without a DHCP Server 1 4 Manually Assigning Network Parameters 1 5...

Page 6: ...2 15 SNMP V1 V2 2 16 Community Configuration 2 17 Trap Configuration 2 19 Trap Flags 2 20 SNMP v3 User Configuration 2 21 LLDP 2 23 LLDP Configuration 2 23 LLDP Port Settings 2 24 Local Information 2...

Page 7: ...abase Information 3 35 IGMP Snooping Table 3 36 MFDB Table 3 37 MFDB Statistics 3 39 IGMP Snooping VLAN Configuration 3 40 Configuring IGMP Snooping Queriers 3 42 IGMP Snooping Querier Configuration 3...

Page 8: ...uration 5 19 Access Rule Configuration 5 21 Port Authentication 5 22 802 1X Configuration 5 23 Port Authentication 5 24 Port Summary 5 28 Traffic Control 5 30 MAC Filter Configuration 5 30 MAC Filter...

Page 9: ...ing Port Mirroring 6 23 Multiple Port Mirroring 6 23 Chapter 7 Maintenance Reset 7 1 Rebooting the Switch 7 1 Reset Configuration to Defaults 7 2 Upload File From Switch 7 3 Uploading Files 7 5 Downlo...

Page 10: ...guration Examples Virtual Local Area Networks VLANs B 1 VLAN Example Configuration B 2 Access Control Lists ACLs B 4 MAC ACL Example Configuration B 5 Standard IP ACL Example Configuration B 6 802 1X...

Page 11: ...it will function in a network using its remaining factory default parameters However a greater level of configuration anywhere from the basic up to the maximum possible will give your network the full...

Page 12: ...the GS716T GS724T switch Appendix B Configuration Examples on page B 1 contains examples of how to configure various features on the GS716T GS724T switch such as VLAN and Access Control List ACL conf...

Page 13: ...notice may result in personal injury or death GS716Tv2 and GS724Tv3 Software Administration Manual xiii v1 0 July 2009 Scope This manual is written for the Smart Switch according to these specificatio...

Page 14: ...ML Each page in the HTML version of the manual is dedicated to a major topic Select File Print from the browser menu to print the page contents Printing from PDF Your computer must have the free Adobe...

Page 15: ...icon in the upper left of your browser window Revision History Tip If your printer supports printing two pages on a single sheet of paper you can save paper and printer ink by selecting this feature...

Page 16: ...GS716Tv2 and GS724Tv3 Software Administration Manual xvi v1 0 July 2009...

Page 17: ...work The switch comes up with a default IP address of 192 168 0 239 and DHCP is enabled by default To access the switch over a network you must first configure it with network information an IP addres...

Page 18: ...tches on your network segment When you power up your switch for the first time the SmartWizard Discovery utility enables you to configure its basic network parameters without prior knowledge of the IP...

Page 19: ...mputer 4 Start the SmartWizard Discovery utility 5 Click Discover for the SmartWizard Discovery utility to find your GS716T or GS724T switch You should see a screen similar to the one shown in Figure...

Page 20: ...d to management of the switch covered in Using the Web Interface on page 1 9 SmartWizard Discovery in a Network without a DHCP Server This section describes how to set up your switch in a network with...

Page 21: ...IP is 192 168 0 239 3 Install the SmartWizard Discovery utility on your computer 4 Start the SmartWizard Discovery utility 5 Click Discover for the SmartWizard Discovery utility to find your GS716T o...

Page 22: ...gh they do not appear in the Windows view You need Windows Administrator privileges to change these settings To modify your NIC settings 1 On your PC access the MS Windows operating system TCP IP Prop...

Page 23: ...age of improvements and additional features as they become available The upgrade procedure and the required equipment are described below This procedure assumes that you have downloaded or otherwise o...

Page 24: ...pgrade Password Enter your password then click Apply the default password is password Start Upgrade Shows upgrading in progress 3 Click Start to begin loading the upgrade The system software is automa...

Page 25: ...ize and requirements and on your preference The GS716Tv2 and GS724Tv3 Software Administration Manual describes how to use the Web based interface to manage and monitor the system Using the Web Interfa...

Page 26: ...GS716Tv2 and GS724Tv3 Software Administration Manual 1 10 Getting Started v1 0 July 2009 3 After the system authenticates you the System Information page displays Figure 1 6...

Page 27: ...rious device functions When you select a tab its hierarchical tree view is on the left side of the Web interface The tree view contains a list of various device features The branches in the navigation...

Page 28: ...Each page contains access to the HTML based help that explains the fields and configuration options for the page Many pages also contain command buttons Table 1 2 shows the following command buttons...

Page 29: ...ation and feature components The Device View is available from the System Device View page The port coloring indicates whether a port is currently active Green indicates that the port is enabled red i...

Page 30: ...online help pages are context sensitive For example if the IP Addressing page is open the help topic for that page displays if you click Help Figure 1 7 on page 1 11 shows the location of the Help lin...

Page 31: ...ryption settings for the SNMPv3 admin profile by using the Web interface 1 Navigate to the System SNMP SNMPv3 User Configuration page 2 To enable authentication select an Authentication Protocol optio...

Page 32: ...ical interfaces Logical Interface Represents a logical interface This is applicable for a LAG port channel interface which is represented as l1 l2 and so on Table 1 4 Types of Interface Interface Desc...

Page 33: ...onnectivity on page 2 3 Time on page 2 5 Denial of Service on page 2 13 Green Ethernet Configuration on page 2 15 SNMP V1 V2 on page 2 16 SNMP v3 User Configuration on page 2 21 LLDP on page 2 23 Syst...

Page 34: ...switch You may use up to 31 alphanumeric characters The factory default is blank System Contact Enter the contact person for this switch You may use up to 31 alphanumeric characters The factory defau...

Page 35: ...band connectivity with the switch via any of the switch s front panel ports The configuration parameters associated with the switch s network interface do not affect the configuration of the front pa...

Page 36: ...ectivity Fields Field Description IP Address The IP address of the network interface The factory default value is 192 168 0 239 Note Each part of the IP address must start with a number other than zer...

Page 37: ...as the time source for example a GPS system Stratum 1 A server that is directly linked to a Stratum 0 time source is used Stratum 1 time servers provide primary network time standards Stratum 2 The ti...

Page 38: ...figuration page 1 Click System Management Time SNTP Global Configuration in the navigation menu 2 Use the Time option to set the time locally on the switch Select the Clock Source as Local by checking...

Page 39: ...witch is located expressed as the number of hours The options in the Time Zone menu specify the time difference from UTC time zone 4 Click Apply to send the updated configuration to the switch Configu...

Page 40: ...agement Time SNTP Global Configuration in the navigation menu Time Specifies the duration of the box in hours minutes and seconds since the last reboot Time Zone When using SNTP NTP time servers to up...

Page 41: ...request timed out without receiving a response from the SNTP server Bad Date Encoded The time provided by the SNTP server is not valid Version Not Supported The SNTP version supported by the server i...

Page 42: ...s take effect immediately SNTP Server Configuration Use the SNTP Server Configuration page to view and modify information for adding and modifying Simple Network Time Protocol SNTP servers To display...

Page 43: ...ely SNTP Server Status The SNTP Server Status page displays status information about the SNTP servers configured on your switch To access the SNTP Server Status page Table 2 5 SNTP Server Configuratio...

Page 44: ...of the last SNTP request to this server If no packet has been received from this server a status of Other is displayed Other None of the following enumeration values Success The SNTP operation was su...

Page 45: ...dress First Fragment TCP Header size is smaller than the configured value TCP Fragment IP Fragment Offset 1 TCP Flag TCP Flag SYN set and Source Port 1024 or TCP Control Flags 0 and TCP Sequence Numbe...

Page 46: ...disable this option by selecting the corresponding line on the pulldown entry field Enabling First Fragment DoS prevention causes the switch to drop packets that have a TCP header smaller than the co...

Page 47: ...gs SYN and FIN set The factory default is disabled Denial of Service L4 Port Enable or disable this option by selecting the corresponding line on the pulldown entry field Enabling L4 Port DoS preventi...

Page 48: ...to the following pages Community Configuration on page 2 17 Trap Configuration on page 2 19 Trap Flags on page 2 20 Figure 2 8 Table 2 8 Green Ethernet Configuration Fields Field Description Auto Pow...

Page 49: ...vileges and status set to Enable Public with Read Only privileges and status set to Enable These are well known communities Use this page to change the defaults or to add other communities Only the co...

Page 50: ...MP clients may use that community to access this device If either Management Station IP or Management Station IP Mask value is 0 0 0 0 access is allowed from any IP address Otherwise every client s ad...

Page 51: ...lete the currently selected receiver configuration Cancel Cancel the configuration on the screen Reset the data on the screen to the latest value of the switch Apply Sends the updated configuration to...

Page 52: ...MP V1 V2 Trap Flags Community String Enter the community string for the SNMP trap packet to be sent to the trap manager This may be up to 16 characters and is case sensitive Status Select the receiver...

Page 53: ...n and reset the data on the screen to the latest value of the switch SNMP v3 User Configuration This is the configuration for SNMP v3 To access this page 1 Click System SNMP SNMP V3 User Configuration...

Page 54: ...ou select None The user will be unable to access the SNMP data from an SNMP browser MD5 or SHA The user login password will be used as SNMPv3 authentication password and you must therefore specify a p...

Page 55: ...cessed by stations implementing the receive function The transmit and receive functions can be enabled disabled separately per port By default both transmit and receive are disabled on all ports The a...

Page 56: ...tree Figure 2 13 Table 2 15 LLDP Configuration Fields Field Description LLDP Properties TLV Advertised Interval Specifies the interval at which frames are transmitted The default is 30 seconds and the...

Page 57: ...ransmitting LLDP PDUs on the selected ports Rx Only Enable only receiving LLDP PDUs on the selected ports Tx and Rx Enable both transmitting and receiving LLDP PDUs on the selected ports Disabled Do n...

Page 58: ...er to notify subscribers of remote data change statistics The default is disabled Optional TLV s Enable or disable the transmission of optional type length value TLV information from the interface The...

Page 59: ...btype Identifies the type of data displayed in the Chassis ID field Chassis ID Identifies the 802 LAN device s chassis System Name Identifies the system name associated with the remote device To confi...

Page 60: ...ame of the port in the Interface column of the Port Information table A popup window displays information for the selected port Port Description Identifies the user defined description of the port To...

Page 61: ...ies Displays the port speed auto negotiation capabilities such as 1000BASE T half duplex mode or 100BASE TX full duplex mode Operational MAU Type Displays the Medium Attachment Unit MAU type The MAU p...

Page 62: ...Field Description MSAP Entry Displays the Media Service Access Point MSAP entry number for the remote device Local Port Shows the interface on the local system that received LLDP information from a r...

Page 63: ...Information 2 31 v1 0 July 2009 3 To view more information about the remote device click the link in the MSAP Entry field A popup window displays information for the selected port 4 Click Refresh to...

Page 64: ...GS716Tv2 and GS724Tv3 Software Administration Manual 2 32 Configuring System Information v1 0 July 2009...

Page 65: ...n page 3 42 Searching and Configuring the Forwarding Database on page 3 47 Configuring and Viewing Device Port Information The pages on the Ports tab allows you to view and monitor the physical port i...

Page 66: ...port For additional information about port monitoring see Chapter 6 Monitoring the System LAG Indicates that the port is a member of a Link Aggregation trunk For more information see LAG Membership o...

Page 67: ...an 10m PHYs are placed in low power mode nominal power Disable The port is administratively down and does not participate in Green Ethernet mode Physical Status Indicates the physical port s speed and...

Page 68: ...ng that the higher speed switch refrains from sending packets Transmissions are temporarily halted to prevent buffer overflows To display the Flow Control page 1 Click Switching Ports and then click t...

Page 69: ...s A static port channel interface does not require a partner system to be able to aggregate its member ports Static LAGs are supported When a port is added to a LAG as a static member it neither trans...

Page 70: ...efault is Disable Admin Mode Select Enable or Disable from the menu When the LAG port channel is disabled no traffic will flow and LAGPDUs will be dropped but the links that form the LAG port channel...

Page 71: ...onfiguration to the switch Configuration changes take effect immediately LAG Membership Use the LAG Membership page to group one or more full duplex Ethernet links to be aggregated together to form a...

Page 72: ...figuration in the navigation tree 2 Click Refresh to reload the page and display the most current information Port Selection Table Select the ports as members of this LAG Current Members Displays the...

Page 73: ...uration in the navigation tree 2 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 3 If you make any changes to this page click...

Page 74: ...it is connected both belong to the same VLAN Each VLAN in a network has an associated VLAN ID which appears in the IEEE 802 1Q tag in the Layer 2 header of packets transmitted on a VLAN An end station...

Page 75: ...new VLAN You can only enter data in this field when you are creating a new VLAN The range of the VLAN ID is 1 4093 VLAN Name Use this optional field to specify a name for the VLAN It can be up to 32 a...

Page 76: ...tion changes take effect immediately VLAN Membership Configuration Use this page to configure VLAN Port Membership for a particular VLAN You can select the Group operation through this page To display...

Page 77: ...e this field to select all the ports and configure them Possible values are Untag All Select all the ports on which all frames transmitted from this VLAN will be untagged All the ports will be include...

Page 78: ...onfiguration in the navigation tree Untagged Tagged Port Members Click Untagged Port Members or Tagged Port Members to see the port list and use it to add the ports you selected to this VLAN Each port...

Page 79: ...ntagged or priority tagged frames received on this port The factory default is 1 Acceptable Frame Types Specify how you want the port to handle untagged and priority tagged frames Whichever you select...

Page 80: ...slight modifications in the working but not the end effect chief among the effects is the rapid transitioning of the port to Forwarding The difference between the RSTP and the traditional STP IEEE 80...

Page 81: ...Port Configuration on page 3 27 STP Statistics on page 3 31 STP Switch Configuration Status The Spanning Tree Switch Configuration Status page contains fields for enabling STP on the switch To display...

Page 82: ...Protocol IEEE 802 1s Configuration Name Name used to identify the configuration currently being used It may be up to 32 alphanumeric characters Configuration Revision Level Number used to identify th...

Page 83: ...number of times the topology has changed for the CST Topology Change The value of the topology change parameter for the switch indicating if a topology change is in progress on any port assigned to t...

Page 84: ...ally set to the next lowest priority that is a multiple of 4096 For example if the priority is attempted to be set to any value between 0 and 4095 it will be set to 0 The default priority is 32768 Bri...

Page 85: ...d CST Port Configuration in the navigation tree Bridge Forward Delay secs Specifies the switch forward delay time which indicates the amount of time in seconds a bridge remains in a listening and lear...

Page 86: ...is Disable Port State The Forwarding state of this port Path Cost Set the Path Cost to a new value for the specified port in the common and internal spanning tree It takes a value in the range of 1 20...

Page 87: ...tus Use the Spanning Tree CST Port Status page to display Common Spanning Tree CST and Internal Spanning Tree on a specific port on the switch To display the Spanning Tree CST Port Status page 1 Click...

Page 88: ...base MAC address of the bridge Designated Cost Displays cost of the port participating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects loops Designated Bridge...

Page 89: ...rface The physical or port channel interfaces associated with VLANs associated with the CST Role Each MST Bridge Port that is enabled is assigned a Port Role for each spanning tree The port role will...

Page 90: ...ID This is only visible when the select option of the MST ID select box is selected The ID of the MST being created Valid values for this are between 1 and 4094 Priority Specifies the bridge priority...

Page 91: ...e selected or unselected for reconfiguring the association of VLANs to MST instances Bridge Identifier The bridge identifier for the selected MST instance It is made up using the bridge priority and t...

Page 92: ...Advanced MST Port Configuration in the navigation tree Figure 3 17 and Figure 3 18 show the left and right portions of the Web page Figure 3 17 Figure 3 18 Note If no MST instances have been configur...

Page 93: ...e of 16 For example if you set a value between 0 and 15 the priority is set to 0 If you specify a number between 16 and 31 the priority is set to 16 Port Path Cost Set the Path Cost to a new value for...

Page 94: ...port is currently in the learning mode The port cannot forward traffic however it can learn new MAC addresses Forwarding The port is currently in the forwarding mode The port can forward traffic and...

Page 95: ...the latest STP statistics information Figure 3 20 Table 3 18 Spanning Tree Statistics Fields Field Description Interface Select a physical or port channel interface to view its statistics STP BPDUs R...

Page 96: ...well for broadcast packets that are intended to be seen or processed by all connected nodes In the case of multicast packets however this approach could lead to less efficient use of network bandwidth...

Page 97: ...Shows the number of multicast control frames that have been processed by the CPU Interfaces Enabled for IGMP Snooping Lists the interfaces currently enabled for IGMP Snooping To enable interfaces for...

Page 98: ...figuration Use the IGMP Snooping Interface Configuration page to configure IGMP snooping settings on specific interfaces To access the IGMP Snooping Interface Configuration page 1 Click Switching Mult...

Page 99: ...rwarded only to the ports that are members of that multicast group The Switching Multicast folder contains links to the following pages Host Timeout Specify the amount of time you want the switch to w...

Page 100: ...Forwarding Database that were created for IGMP snooping To access the IGMP Snooping Table page 1 Click Switching Multicast IGMP Snooping IGMP Snooping Table in the navigation tree Figure 3 23 Table 3...

Page 101: ...try consists of a MAC address Entries may contain data for more than one protocol To access the MFDB Table page 1 Click Switching Multicast IGMP Snooping MFDB Table in the navigation tree Type This di...

Page 102: ...If the address exists that entry will be displayed An exact match is required VLAN ID The VLAN ID to which the multicast MAC address is related Component This is the component that is responsible for...

Page 103: ...e MFDB table To access the MFDB Statistics page 1 Click Switching Multicast IGMP Snooping MFDB Statistics in the navigation tree Interface The list of interfaces that are designated for forwarding Fwd...

Page 104: ...on the system Table 3 23 Multicast Forwarding Database Statistics Fields Field Description Max MFDB Table Entries Shows the maximum number of entries that the Multicast Forwarding Database table can h...

Page 105: ...immediately remove the layer 2 LAN interface from its forwarding table entry upon receiving an IGMP leave message for that multicast group without first sending out MAC based general queries to the i...

Page 106: ...rt where the end device is located These pages enable you to configure and display information on IGMP snooping queriers on the network and separately on VLANs The IGMP Snooping Querier folder contain...

Page 107: ...r Admin Mode Select the administrative mode for IGMP Snooping for the switch from the menu The default is Disable Snooping Querier Address Specify the Snooping Querier Address to be used as source add...

Page 108: ...take effect immediately IGMP Snooping Querier VLAN Configuration Use this page to configure IGMP queriers for use with VLANs on the network To access this page 1 Click Switching Multicast IGMP Snoopin...

Page 109: ...s Use this page to view the operational state and other information for IGMP snooping queriers for VLANs on the network To access this page Querier Election Participate Mode Enable or disable Querier...

Page 110: ...end out periodic queries with a time interval equal to the configured querier query interval If the snooping switch sees a better querier numerically lower in the VLAN it moves to non querier mode Non...

Page 111: ...has forwarding and or filtering information This information is used by the transparent bridging function in determining how to propagate a received frame To access this page 1 Click Switching Addres...

Page 112: ...and for which VLAN exists in the VLAN database MAC Address A unicast MAC address for which the switch has forwarding and or filtering information The format is a six byte MAC address with each byte s...

Page 113: ...ng database The forwarding database contains static entries which are never aged out and dynamically learned entries which are removed if they are not updated within a given time To access the Configu...

Page 114: ...Switching Address Table Advanced Address Table in the navigation tree You can search for MAC Addresses by VLAN ID MAC Address or interface Search by VLAN ID Select VLAN ID from the menu and enter the...

Page 115: ...e switch has forwarding and or filtering information The MAC address is in the format of 6 two digit hexadecimal numbers that are separated by colons For example 00 0f 5e 45 67 89 is the MAC Address I...

Page 116: ...tatic MAC Address in the navigation tree 2 Click Refresh to reload the page and display the latest MAC address learned on a specific port 3 Enter a new static MAC address in the field select the VLAN...

Page 117: ...from the port and apply the new settings to the system The screen refreshes and the MAC address no longer appears in the table on the page 5 Click Cancel to cancel the configuration on the screen and...

Page 118: ...GS716Tv2 and GS724Tv3 Software Administration Manual 3 54 Configuring Switching Information v1 0 July 2009...

Page 119: ...by the switch QoS is a means of providing consistent predictable data delivery by distinguishing between packets that have strict timing requirements from those that are more tolerant of delay Packets...

Page 120: ...the mapping table to be of any use so there are default actions performed when this is not the case These actions involve directing the packet to a specific CoS level configured for the ingress port a...

Page 121: ...Field Description Global Select the Global option to apply the same trust mode to all CoS configurable interfaces Global Trust Mode Specifies whether or not all interfaces trust a particular packet m...

Page 122: ...check box next to an individual port to apply a trust mode or rate to a specific interface Interface Trust Mode Specifies whether or not an interface or all interfaces if all interfaces are selected t...

Page 123: ...The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per port A global configuration change is automatically applied to all ports in the system To...

Page 124: ...s of 1 Scheduler Type Selects the type of queue processing from the drop down menu Options are Weighted and Strict Defining on a per queue basis allows the user to create the desired service character...

Page 125: ...CoS configurable interfaces Select an individual interface from the menu to override the global settings for 802 1p priority mapping on a per interface basis 802 1p Priority This row contains traffic...

Page 126: ...e switch 3 If you make changes to the page click Apply to apply the changes to the system Figure 4 5 Table 4 5 IP DSCP Mapping Configuration Fields Field Description DSCP Lists the DSCP values to whic...

Page 127: ...s Control Lists Management Security Settings From the Management Security Settings page you can configure the login password Remote Authorization Dial In User Service RADIUS settings Terminal Access C...

Page 128: ...nt created by the user The entered password will be displayed in asterisks Passwords are one to 20 alphanumeric characters in length and are case sensitive New Password Enter the optional new or chang...

Page 129: ...hentication method for Web Access Access Control Port 802 1X The RADIUS folder contains links to the following features Global Configuration on page 5 3 Server Configuration on page 5 5 Accounting Ser...

Page 130: ...ore the next server is attempted A retransmit will not occur until the configured timeout value on that server has passed without a response from the RADIUS server Therefore the maximum delay in recei...

Page 131: ...he RADIUS server to add To modify settings for a RADIUS server that is already configured on the switch select the check box next to the server address Authentication Port Identifies the authenticatio...

Page 132: ...a second between the most recent Access Reply Access Challenge and the Access Request that matched it from this RADIUS authentication server Access Requests The number of RADIUS Access Request packet...

Page 133: ...ver Configuration page Bad Authenticators The number of RADIUS Access Response packets containing invalid authenticators or signature attributes received from this server Pending Requests The number o...

Page 134: ...able 5 5 RADIUS Accounting Server Configuration Fields Field Description Accounting Server Address Enter the IP address of the RADIUS accounting server to add Port Identifies the authentication port t...

Page 135: ...ns The number of RADIUS Accounting Request packets retransmitted to this server Accounting Responses Displays the number of RADIUS packets received on the accounting port from this server Malformed Ac...

Page 136: ...orization session starts using the authenticated user name The TACACS server checks the user privileges The TACACS protocol ensures network security through encrypted protocol exchanges between the de...

Page 137: ...ith which the switch can communicate To display the TACACS Server Configuration page 1 Click Security Management Security and then click the TACACS Server Configuration link Table 5 7 TACACS Configura...

Page 138: ...S Configuration Fields Field Description TACACS Server Use the list to select the IP address of the TACACS server to view or configure If fewer than five RADIUS servers are configured on the system th...

Page 139: ...drop down menu and then click Delete Authentication List Configuration Use the Authentication List page to configure the default login list A login list specifies one or more authentication methods t...

Page 140: ...red ID and password will be used for authentication Since the local method does not time out if you select this option as the first method no other method will be tried even if you have specified more...

Page 141: ...The Security Access tab contains the following folders HTTP Configuration on page 5 15 Secure HTTP Configuration on page 5 16 Certificate Download on page 5 18 Access Profile Configuration on page 5 1...

Page 142: ...ration Fields Field Description Java Mode This select field is used to Enable or Disable the Web Java Mode This applies to both secure and un secure HTTP connections The currently configured value is...

Page 143: ...rsion 3 0 The currently configured value is shown when the Web page is displayed The default value is Enable TLS Version 1 Enables or Disables Transport Layer Security Version 1 0 The currently config...

Page 144: ...be true The file to download from the TFTP server is on the server in the appropriate directory The file is in the correct format The switch has a path to the TFTP server HTTPS Session Hard Timeout Se...

Page 145: ...ption File Type Select the type of SSL certificate to download which can be one of the following SSL Trusted Root Certificate PEM File SSL Trusted Root Certificate File PEM Encoded SSL Server Certific...

Page 146: ...e added Maximum length is 32 characters Activate Profile Select the check box to activate an access profile DeActivate Profile Select the check box to deactivate an access profile Remove Profile Selec...

Page 147: ...o configure the rules about what systems can access the GS716T and GS724T Web interface and what protocols are allowed To access the Access Rule Configuration page 1 Click Security Access and then cli...

Page 148: ...on Rule Type Select Permit to allow access to the switch administrative pages for traffic that meets the criteria you configure for the rule Any traffic that does not meet the rules is denied Select D...

Page 149: ...e the RADIUS server that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services The Port Authentication folder contains links...

Page 150: ...and then click the Advanced Port Authentication link Table 5 17 Port Access Control Port Configuration Fields Field Description Port Based Authentication State Select Enable or Disable 802 1X adminis...

Page 151: ...GS716Tv2 and GS724Tv3 Software Administration Manual Managing Device Security 5 25 v1 0 July 2009 Figure 5 15 Figure 5 16...

Page 152: ...ntication The Guest VLAN timeout must be a value in the range of 1 300 The default value is 90 Periodic Reauthentication Use this field to enable or disable reauthentication of the supplicant for the...

Page 153: ...trol direction for the specified port The control direction dictates the degree to which protocol exchanges take place between Supplicant and Authenticator This affects whether the unauthorized contro...

Page 154: ...y for the action to occur 4 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value of the switch 5 Click Apply to send the updated screen to the sw...

Page 155: ...tomatically detects the mode of the interface Force Authorized Places the interface into an authorized state without being authenticated The interface sends and receives normal traffic without client...

Page 156: ...urity MAC Address on page 5 37 Protected Ports Membership on page 5 38 MAC Filter Configuration Use the MAC Filter Configuration page to create MAC filters that limit the traffic allowed into and out...

Page 157: ...Address The MAC address of the filter in the format 00 01 1A B2 53 4D You can only change this field when you have selected the Create Filter option You cannot define filters for these MAC addresses 0...

Page 158: ...hat are configured on the system To display the MAC Filter Summary page 1 Click Security Traffic Control and then click the MAC Filter MAC Filter Summary link 2 Click Refresh to update the page with t...

Page 159: ...ge responses can overload network resources and or cause the network to time out The switch measures the incoming broadcast multicast unknown unicast packet rate per port and discards packets when the...

Page 160: ...L2 unicast destination lookup failure traffic ingressing on an interface increases beyond the configured threshold the traffic will be dropped Multicast If the rate of L2 multicast traffic ingressing...

Page 161: ...rface Configuration A MAC address can be defined as allowable by one of two methods dynamically or statically Both methods are used concurrently when a port is locked Figure 5 21 Table 5 24 Port Secur...

Page 162: ...ely disable dynamic locking by setting the number of allowable dynamic entries to zero Static locking allows you to specify a list of MAC addresses that are allowed on a port The behavior of packets i...

Page 163: ...Use the Security MAC Address page to convert a dynamically learned MAC address to a statically locked address To display the Security MAC Address page 1 Click Security Traffic Control and then click...

Page 164: ...cted You need read write access privileges to modify the configuration Figure 5 23 Table 5 27 Port Security Settings Fields Field Description Convert Dynamic Address to Static Select the check box to...

Page 165: ...Lists Access Control Lists ACLs ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources ACLs are used to provide tra...

Page 166: ...C Binding Table on page 5 45 Advanced IP ACL on page 5 47 IP Rules on page 5 48 IP Extended Rule on page 5 50 IP Binding Configuration on page 5 54 IP Binding Table on page 5 56 MAC ACL A MAC ACL cons...

Page 167: ...Add 3 To delete a MAC ACL select the check box next to the Name field then click Delete 4 Click Cancel to cancel the configuration on the screen and reset the data on the screen to the latest value o...

Page 168: ...lt deny all rule is the last rule of every list To display the MAC Rules page 1 Click Security ACL then click the Basic MAC Rules link Figure 5 26 Table 5 31 MAC ACL Rule Configuration Fields Field De...

Page 169: ...zero in a bit position means that the data must equal the value given for that bit For example if the MAC address is aa bb cc dd ee ff and the mask is 00 00 ff ff ff ff all MAC addresses with aa bb x...

Page 170: ...e of the switch 5 To change a rule select the check box associated with the rule change the desired fields and click Apply MAC Binding Configuration When an ACL is bound to an interface all the rules...

Page 171: ...es are applied to traffic entering the port Sequence Number An optional sequence number may be specified to indicate the order of this access list relative to other access lists already assigned to th...

Page 172: ...ACL Rule Configuration Fields Field Description Interface Shows the interface to which the MAC ACL is bound Direction Specifies the packet filtering direction for ACL The only valid direction is Inbou...

Page 173: ...ACL rule that says port number 20 can receive TCP packets However if a UDP packet is received the packet is dropped ACLs are composed of access control entries ACE or rules that consist of the filter...

Page 174: ...ay the IP Rules page Table 5 34 IP ACL Configuration Fields Field Description IP ACL Enter an ACL ID The ID is an integer in the following range 1 99 Creates an IP Standard ACL which allows you to per...

Page 175: ...en and reset the data on the screen to the latest value of the switch 5 If you change any of the settings on the page click Apply to send the updated configuration to the switch Configuration changes...

Page 176: ...d here Enter an IP Address in the appropriate field using dotted decimal notation The address you enter is compared to a packet s source IP Address Source IP Mask Specifies the source IP address wildc...

Page 177: ...ACL rule select the ACL ID to add the rule to and then click Add The Extended ACL Rules configuration page displays as shown in Figure 5 32 on page 5 52 3 To delete an IP rule select the check box as...

Page 178: ...a packet matches the rule s criteria Possible values are Permit Forwards packets which meet the ACL criteria Deny Drops packets which meet the ACL criteria Egress Queue Specifies the hardware egress...

Page 179: ...for the bit positions that are not used In contrast a wildcard mask has 0 s in a bit position that must be checked A 1 in a bit position of the ACL mask indicates the corresponding bit can be ignored...

Page 180: ...umber If the destination L4 keyword is Other enter a user defined Port ID by which packets are matched to the rule Service Type Select one of the following three Match fields to use in matching packet...

Page 181: ...may be specified to indicate the order of this access list relative to other access lists already assigned to this interface and direction A lower number indicates higher precedence order If a sequen...

Page 182: ...reen to the latest value of the switch Figure 5 34 Table 5 38 IP ACL Binding Table Fields Field Description Interface Shows the interface to which the IP ACL is bound Direction Specifies the packet fi...

Page 183: ...n page 6 1 Viewing Port Statistics on page 6 4 Managing Logs on page 6 14 Configuring Port Mirroring on page 6 23 Switch Statistics The pages in the Switch Statistics folder contain a variety of infor...

Page 184: ...by the processor Unicast Packets Received The number of subnetwork unicast packets delivered to a higher layer protocol Multicast Packets Received The total number of packets received that were direct...

Page 185: ...discarded or not sent Transmit Packets Discarded The number of outbound packets which were chosen to be discarded even though no errors had been detected in order to prevent their being delivered to...

Page 186: ...bout the number and type of traffic transmitted from and received on the switch Port Statistics on page 6 4 Port Detailed Statistics on page 6 5 EAP Statistics on page 6 12 Port Statistics The Port St...

Page 187: ...tailed Statistics page Table 6 2 Port Statistics Fields Field Description Interface Lists the ports on the system Total Packets Received Without Errors The total number of packets received that were w...

Page 188: ...s field is blank Otherwise the possible values are Mirrored Indicates that the port has been configured as a monitoring port and is the source port in a port mirroring session For additional informati...

Page 189: ...defined in IEEE 802 1D Disabled Blocking Listening Learning Forwarding Broken Admin Mode Shows the port control administration state Enable The port can participate in the network default Disable The...

Page 190: ...octets in length inclusive excluding framing bits but including FCS octets Packets RX and TX 1522 Octets The total number of packets including bad packets received or transmitted that are in excess o...

Page 191: ...es not include multicast packets Total Packets Received with MAC Errors The total number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol Jabb...

Page 192: ...le that tree is being modified Reserved Address Discards The number of frames discarded that are destined to an IEEE 802 1 reserved address and are not supported by the system Broadcast Storm Recovery...

Page 193: ...smitted by this port to its segment Unicast Packets Transmitted The total number of packets that higher level protocols requested be transmitted to a subnetwork unicast address including those that we...

Page 194: ...ds The number of frames discarded on egress for this port due to egress filtering being enabled STP BPDUs Received Number of STP BPDUs received at the selected port STP BPDUs Transmitted Number of STP...

Page 195: ...he number of EAPOL Log off frames that have been received on the port Last Frame Version Displays the protocol version number attached to the most recently received EAPOL frame Last Frame Source Displ...

Page 196: ...or long term archival storage Local and remote configuration of the logging capability includes filtering of messages logged or forwarded based on severity and generating component The Monitoring Logs...

Page 197: ...Prevents the system from logging messages Behavior Indicates the behavior of the log when it is full Wrap When the buffer is full the oldest log messages are deleted as the system logs new messages St...

Page 198: ...he message was generated by component MSTP running in thread id 2110 The message was generated on Aug 24 05 34 05 by line 318 of file mstp_api c This is the 237th message logged Messages logged to a c...

Page 199: ...er the system startup log or the system operation log stores a message received by the log subsystem that meets the storage criteria but not both In other words on system startup if the startup log is...

Page 200: ...include Error Critical Alert and Emergency The default severity level is Alert 1 The severity can be one of the following levels Emergency 0 The highest level warning level If the device is down or n...

Page 201: ...us Specifies whether to send log messages to the remote syslog hosts configured on the switch Enable Messages will be sent to all configured hosts syslog collectors or relays using the values configur...

Page 202: ...pecify the port in the text field Severity Filter Use the menu to select the severity of the logs to send to the logging host Logs with the selected severity level and all logs of greater severity are...

Page 203: ...ble 6 11 Trap Log Statistics Field Description Number of Traps Since Last Reset The number of traps that have occurred since the switch last reboot Trap Log Capacity The maximum number of traps stored...

Page 204: ...ted log is saved in flash memory the switch will be reset The log can hold at least 2 000 entries and is erased when an attempt is made to add an entry after it is full The event log is preserved acro...

Page 205: ...port The packet that is copied to the destination port is in the same format as the original packet on the wire This means that if the mirror is copying a received packet the copied packet is VLAN ta...

Page 206: ...estination port field Select Enable from the Session Mode menu and then click Apply Figure 6 10 Table 6 14 Multiple Port Mirroring Fields Field Description Source Port Lists all the ports on the syste...

Page 207: ...e From Switch on page 7 3 Download File To Switch on page 7 5 File Management on page 7 10 Troubleshooting on page 7 13 Reset The Reset menu contains links to the following options Rebooting the Switc...

Page 208: ...creen to the latest value of the switch 3 Click Apply to send the updated configuration to the switch Configuration changes take place immediately Reset Configuration to Defaults Use the Factory Defau...

Page 209: ...Click Cancel to cancel the operation on the screen and reset the data on the screen to the latest value of the switch 3 Click Apply to restore the factory default settings The action occurs immediate...

Page 210: ...o as the event log Buffered Log Retrieves the system buffered in memory log Trap Log Retrieves the system trap records The default is Error Log Image Name Specify the code image to upload either image...

Page 211: ...dress fields 4 Click the Start File Transfer check box and then click Apply 5 Click Cancel to cancel the operation on the screen and reset the data on the screen to the latest value of the switch Down...

Page 212: ...age to download device software the image file the configuration files and SSL files from a TFTP server to the switch You can also download files via HTTP See HTTP File Download on page 7 8 for additi...

Page 213: ...e change the device name serial number IP address and download it to that device SSL Trusted Root Certificate PEM File SSL Trusted Root Certificate File PEM Encoded SSL Server Certificate PEM File SSL...

Page 214: ...sure that the software image or other file to be downloaded is available on the TFTP server 4 Complete the Server Address Type TFTP Server IP Address and Remote File Name full path without TFTP server...

Page 215: ...hoose this option to update the switch s configuration If the file has errors the update will be stopped SSL Trusted Root Certificate PEM File SSL Trusted Root Certificate File PEM Encoded SSL Server...

Page 216: ...ation on page 7 10 Viewing the Dual Image Status on page 7 12 Dual Image Configuration The system running an older software version will ignore not load a configuration file created by the newer softw...

Page 217: ...Bootcode 4 Click Refresh to reload the page and display the most current information 5 Click Delete Image to remove the selected image from permanent storage on the switch You cannot delete the active...

Page 218: ...the device To display the Dual Image Status page 1 Click Maintenance File Management Dual Image Dual Image Status in the navigation menu Figure 7 7 Table 7 5 Dual Image Status Fields Field Descriptio...

Page 219: ...ks to the following options Ping on page 7 13 TraceRoute on page 7 14 Ping Use the Ping page to tell the switch to send a Ping request to a specified IP address You can use this feature to check wheth...

Page 220: ...ply to the ping is not received you will see Reply From IP Host Destination Unreachable Tx x Rx 0 Min Max Avg RTT 0 0 0 msec TraceRoute You can use the TraceRoute utility to discover the paths that a...

Page 221: ...of times each hop should be probed The valid range is 1 10 MaxTTL Enter the maximum time to live for a packet in number of hops The valid range is 1 255 InitTTL Enter the initial time to live for a p...

Page 222: ...GS716Tv2 and GS724Tv3 Software Administration Manual 7 16 Maintenance v1 0 July 2009...

Page 223: ...alue Interfaces 14G 2 Combo G ports with SFP on GS716T 22G 2 Combo G ports with SFP on GS724T PoE N A Flash memory size 16 MB SRAM size and type 64 MB DDR Table A 2 Switch Performance Feature Value Sw...

Page 224: ...Disabled Port trunking aggregation 6 Pre configured 802 1D spanning tree 1 Disabled 802 1w RSTP 1 Disabled 802 1s spanning tree 3 instances Disabled Static 802 1Q tagging 2 Port Trunking on GS716T 4...

Page 225: ...with 20 rules for HTTP HTTPS SNMP access to allow deny an IP address subnet All IP addresses allowed Port MAC lock down 16 on GS716T 24 on GS724T per port Disabled Table A 6 Traffic Control Feature Se...

Page 226: ...Features Feature Sets Supported Default IGMP snooping v1 v2 16 on GS716T 24 on GS724T per port Disabled Configurations upload download 1 N A EAPoL flooding 16 on GS716T 24 on GS724T per port Disabled...

Page 227: ...LAN is a local area network with a definition that maps workstations on some basis other than geographic location for example by department type of user or primary application To enable traffic to flo...

Page 228: ...rt has a default VLAN ID setting that is user configurable the default setting is 1 The default VLAN ID setting for each port can be changed in the Port PVID Configuration screen See Port VLAN ID Conf...

Page 229: ...N ID Configuration on page 3 14 specify the PVID for ports g1 and g4 so that packets entering these ports are tagged with the port VLAN ID Port g1 PVID 10 Port g4 PVID 20 4 With the VLAN configuration...

Page 230: ...e internal network The added packet processing required by the ACL feature does not affect switch performance That is ACL processing occurs at wire speed Access lists are a sequential collection of pe...

Page 231: ...iple ports as members instead of binding an ACL to each port MAC ACL Example Configuration The following example shows how to create a MAC based ACL that permits Ethernet traffic from the Sales depart...

Page 232: ...ined in the rule Also the frame must be tagged with VLAN ID 2 which is the Sales department VLAN The CoS value of the frame must be 0 which is the default value for Ethernet frames Frames that match t...

Page 233: ...Rules screen create a rule for IP ACL 2 with the following settings Rule ID 2 Action Permit Match Every True 5 Click Add 6 From the IP Binding Configuration page assign ACL ID 1 to the interface gigab...

Page 234: ...g devices attached to a LAN port that has point to point connection characteristics and of preventing access to that port in cases in which the authentication and authorization process fails In this c...

Page 235: ...s authorized to access services on that controlled port A Port Access Entity PAE is able to adopt one of two distinct roles within an access control interaction 1 Authenticator A Port that enforces au...

Page 236: ...menu select Unauthorized The Port Control setting for all other ports where authentication is not needed should be Auto or Authorized When the Port Control setting is Authorized the port is unconditi...

Page 237: ...must be configured to allow access on the Guest VLAN MSTP Spanning Tree Protocol STP runs on bridged networks to help eliminate loops If a bridge loop occurs the network can become flooded with traff...

Page 238: ...classified as belonging to any given VLAN thus simply and fully connects all LANs and networking devices throughout the network though frames belonging to different VLANs can take different paths with...

Page 239: ...CIST is also an instance of spanning tree with a MSTID of 0 An instance may occur that has no VIDs allocated to it but every VLAN must be allocated to one of the other instances of spanning tree The p...

Page 240: ...Spanning Tree State option see STP Switch Configuration Status on page 3 17 Use the default values for the rest of the STP configuration settings By default the STP Operation Mode is MSTP and the Con...

Page 241: ...Fast Link enabled transition directly to the Forwarding state 8 Click Apply You can use the CST Port Status screen to view spanning tree information about each port 9 From the MST Configuration scree...

Page 242: ...rom Switch 2 use VLAN 500 MST instance 2 to communicate with the hosts on Switch 3 directly Likewise hosts of Switch 1 use VLAN 300 MST instance 1 to communicate with the hosts on Switch 3 directly Th...

Page 243: ...CP Port 3 9 LAG 3 5 LLDP 2 23 MAC Filter 5 30 Management Access 5 15 MST Port 3 27 Network Settings on the Administrative System 1 6 password 5 2 Port Security 5 34 Port VLAN ID 3 14 QoS 4 1 RADIUS 5...

Page 244: ...8 IEEE 802 1w 3 16 3 18 IEEE 802 1X 5 3 IEEE 802 3 flow control 3 4 IEEE 802 3x 3 4 IGMP 3 32 Informational 6 18 6 20 Interface Queue Configuration 4 5 IP DSCP 4 2 Mapping 4 8 ipaddr 1 15 L LACP Port...

Page 245: ...ddress 5 37 server HTTP 5 15 Simple Network Time Protocol 2 5 slot port 1 16 SmartWizard Discovery in a Network with a DHCP Server 1 3 in a Network without a DHCP Server 1 4 Utilities 1 6 utility 1 2...

Page 246: ...ly 2009 Local 2 6 UTC 2 7 Zone 2 6 Time Zone 2 8 TraceRoute 7 14 Traffic Control 5 30 Trap Flags 2 20 Manager 2 20 U Unicast 2 5 upload a file 7 5 upload configuration 7 3 V VLAN 3 10 ID 3 10 managing...

Reviews:

No comments