manualshive.com logo in svg

Ubiquiti ES-24-250W, Administration Manual

Share
Download
Ubiquiti ES-24-250W Administration Manual Download Page 271

270

Configuration Examples

EdgeSwitch

 Administration Guide

 Ubiquiti Networks, Inc.

Configuring 802.1X Network Access Control

This example configures a single RADIUS server used for authentication and accounting at 10.10.10.10. The 
shared secret is configured to be secret. The switch is configured to require that the 802.1X access method is 
through a RADIUS server. IEEE 802.1X port-based access control is enabled for the system, and interface 0/1 
is configured to be in force-authorized mode because this is where the RADIUS server and protected network 
resources are located.

Authentication Server

(RADIUS)

Authenticator Switch

LAN

Supplicant

24V

Switch with 802.1X Network Access Control

If a user, or supplicant, attempts to communicate via the switch on any interface except interface 0/1, the 
system challenges the supplicant for login credentials. The system encrypts the provided information and 
transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1X port state of 
the interface to authorized, and the supplicant is able to access network resources.

Using the CLI to Configure 802.1X Port-Based Access Control

1.  Configure the RADIUS authentication server IP address.

(UBNT EdgeSwitch) #config 

 

radius server host auth 10.10.10.10

2.  Configure the RADIUS authentication server secret.

 

radius server key auth 10.10.10.10 

   secret 

   secret

3.  Configure the RADIUS accounting server IP address.

 

radius server host acct 10.10.10.10

4.  Configure the RADIUS accounting server secret.

 

radius server key acct 10.10.10.10 

   secret 

   secret

5.  Enable RADIUS accounting mode.

 

radius accounting mode

6.  Set IEEE 802.1X to use RADIUS as the AAA method. 

 

aaa authentication dot1x default radius

7.  Enable 802.1X authentication on the switch. 

 

  dot1x system-auth-control

Summary of Contents for ES-24-250W

Page 1: ...User Interface for PoE Switches Models ES 24 250W ES 24 500W ES 48 500W ES 48 750W Administration Guide...

Page 2: ...nfiguration and Status Fields 12 Table Filtering 14 Help Page Access 14 User Defined Fields 14 Using the Command Line Interface 15 Chapter 2 Configuring Power over Ethernet 16 Chapter 3 Configuring Sy...

Page 3: ...tics 61 Email Alert Subject Configuration 62 Email Alert To Address Configuration 63 Viewing Device Port Information 64 Port Summary 64 Port Description 66 Cable Test 67 Mirroring 68 Configuring a Por...

Page 4: ...r Pool Options 104 DHCP Server Bindings Information 106 DHCP Server Statistics 107 DHCP Server Conflicts Information 108 Configuring Time Ranges 109 Time Range Configuration 109 Time Range Entry Confi...

Page 5: ...ific Multicast 145 IGMP Snooping VLAN Status 146 IGMP Snooping Multicast Router Configuration 147 IGMP Snooping Multicast Router VLAN Status 148 IGMP Snooping Multicast Router VLAN Configuration 149 C...

Page 6: ...184 Chapter 5 Configuring Routing 186 Configuring ARP 187 ARP Table 188 ARP Table Configuration 189 Configuring Global IP Settings 190 Routing IP Configuration 190 Routing IP Interface Summary 192 Ro...

Page 7: ...ol Lists 229 Access Control List Summary 230 Access Control List Configuration 231 Access Control List Interface Summary 235 Access Control List VLAN Summary 236 Configuring Auto VoIP 237 Auto VoIP Gl...

Page 8: ...P 261 Using the CLI to Configure MSTP 263 Configuring VLAN Routing 264 Using the CLI to Configure VLAN Routing 264 Configuring Policy Based Routing 266 Configuring Policy Based Routing Using the CLI 2...

Page 9: ...System Information on page 19 describes how to configure administrative features such as SNMP system users and port information Chapter 4 Configuring Switching Information on page 126 describes how t...

Page 10: ...s used throughout this document Typographical Conventions Convention Indicates Example Bold User selection User entered text Select VLAN 2 from the VLAN ID list Click Submit enter 3 to assign VLAN 3 a...

Page 11: ...em depends on your network size and requirements and on your preference This guide describes how to use the EdgeSwitch UI to manage and monitor the system For information about how to manage and monit...

Page 12: ...text specific help page or log out of the system Device View Logout Button Navigation Menu Configuration and Status Fields Command Button Help Page Access EdgeSwitch UI Page Layout Device View The Dev...

Page 13: ...t Navigation Menu The navigation menu located at the top right of each UI page lists the device s main features PoE System Switching Routing Security and QoS You can access each feature s UI pages usi...

Page 14: ...he following illustration Page Selection Tabs Page Selection Tabs on System Resource Configuration Page Configuration and Status Fields The main area of the screen displays fields that you use to conf...

Page 15: ...DHCP lease Remove Deletes the selected entries Reset Resets a field to its default value Submit Sends the updated configuration to the switch Configuration changes take effect immediately but changes...

Page 16: ...string that row is displayed in the table Matching is not case sensitive Enter filter string here Filtering the Contents of a Table Help Page Access The Help icon appears in the upper right corner of...

Page 17: ...n mark at the command prompt To display the available command keywords or parameters enter a question mark after each word you type at the command prompt If there are no additional command keywords or...

Page 18: ...Ethernet Fields Field Description Interface The interface slot port for which PoE information is displayed PoE Mode The PoE mode on the interface Off PoE is disabled for the interface 54V auto Standar...

Page 19: ...wing tasks To edit an interface s PoE settings select the interface click Edit and make the changes as needed Then click Submit to apply the settings Click Refresh to refresh the page with the most cu...

Page 20: ...age 21 Viewing the Dual Image Status on page 22 Viewing System Resources on page 23 Defining General Device Information on page 25 Basic Switch Configuration on page 52 Managing Logs on page 53 Config...

Page 21: ...by a device as is typical of a router either a single ARP cache is used for all interfaces or a separate cache is maintained per interface While the latter approach is useful when network addressing...

Page 22: ...Fields Field Description System Description The product name of this switch Machine Type The hardware platform of this switch Machine Model The product model number Serial Number The unique serial nu...

Page 23: ...l Image Status page click System Firmware Status in the navigation menu Dual Image Status Dual Image Status Fields Field Description Active Displays the version of the active code file Backup Displays...

Page 24: ...em Resource Status Fields Field Description Memory Usage section Free Memory Displays the available free memory on the switch Alloc Memory Displays the allocated memory for the switch Task ID Displays...

Page 25: ...uration of this field is optional If configured the falling threshold value must be equal to or less than the rising threshold value If not configured it takes the same value as the rising threshold F...

Page 26: ...ptions on page 31 HTTP Configuration on page 31 Secure HTTP Configuration on page 32 SSH Configuration on page 33 Telnet Session Configuration on page 34 User Accounts on page 35 Authentication Server...

Page 27: ...ess The IP Address assigned to the network interface The network interface is the logical interface that allows remote management of the device via any of the front panel switch ports To change the IP...

Page 28: ...ss that was last found to be in conflict If multiple conflicts are detected only the most recent occurrence is displayed This field is displayed only if a conflict has been detected since the switch w...

Page 29: ...01 10 3 are not valid Subnet Mask The IP subnet mask for the interface The factory default value is 0 0 0 0 Default Gateway The default gateway for the IP interface The factory default value is 0 0 0...

Page 30: ...default gateway for the IPv6 network interface Use the buttons to perform the following Click this button to change the field s setting Click this button to reset the field to the default value Stati...

Page 31: ...device is a router False The neighbor device is not a router Neighbor State Specifies the state of the neighbor cache entry Following are the states for dynamic entries in the IPv6 neighbor discovery...

Page 32: ...lowing tasks Click Submit to apply the settings immediately to the running configuration Click Refresh to refresh the page with the most current data from the switch To retain the changes across the s...

Page 33: ...ge click System Management Access HTTPS in the navigation menu Secure HTTP Configuration Secure HTTP Configuration Fields Field Description HTTPS Admin Mode Used to Enable or Disable the HTTPS adminis...

Page 34: ...b browser and the embedded web server on the device Click this button to delete an SSL certificate button available only if an SSL certificate is present on the device Use the buttons to perform the f...

Page 35: ...field provides information about the file transfer Click to manually generate an RSA key on the device Click to delete an RSA key downloaded to the device or manually generated on the device DSA Key S...

Page 36: ...option to permit new Telnet sessions until the maximum number allowed is reached Clear this option to disable new Telnet sessions but existing sessions are not disconnected Use the buttons to perform...

Page 37: ...unts page also provides the capability to add edit and remove user accounts To add a user click Add The Add new user dialog box opens specify the new account information in the available fields and cl...

Page 38: ...ion to encrypt the password before it is stored on the device Authentication Server Users Use the Auth Server Users page to add and remove users from the local authentication server user database For...

Page 39: ...To change the password information for an existing user select the user to update click Edit configure the settings and click Submit to apply the changes To delete a user from the database select each...

Page 40: ...IP address of the administrative system Idle Time Shows the amount of time in hours minutes and seconds that the logged on user has been inactive Session Time Shows the amount of time in hours minute...

Page 41: ...to view and configure the accounting lists for users who access the command line interface CLI to manage and monitor the device Accounting lists are used to record user activity on the device The devi...

Page 42: ...t select it and click Use the buttons to perform the following tasks To configure a new accounting list click Add configure the settings in the Add New Accounting List dialog box and then click Submit...

Page 43: ...TTP Use the buttons to perform the following tasks If you make changes to the page click Submit to apply the changes to the running configuration Click Refresh to refresh the page with the most curren...

Page 44: ...thod Options are configurable Configured The list has been added by a user Access Line The access method s that use the list for authentication The settings for this field are configured on the Authen...

Page 45: ...this page click System AAA Authentication Selection in the navigation menu Authentication Selection The following table shows the fields for the Authentication Selection page Authentication Selection...

Page 46: ...for the corresponding Line Mode in this field This must be the same value entered in the Line Password field Be sure the password conforms to the allowed number of characters The password characters...

Page 47: ...it The password characters are not displayed on the page but are disguised in a browser specific manner Use the buttons to perform the following tasks If you make changes to the page click Submit to a...

Page 48: ...ssword Repetition means the same character occurring in succession anywhere in the password such as 11 or EEEE Maximum Number of Consecutive Characters Specifies the maximum number of characters belon...

Page 49: ...Result Last Password Result Fields Field Description Last Result Displays information about the last User Line Enable password configuration result If the field is blank no passwords have been configu...

Page 50: ...Configuration Fields Field Description TCP Settings These options help prevent the device and the network from attacks that exploit the TCP header size or the information in the TCP or UDP headers of...

Page 51: ...ckets that have a TCP header smaller than this configured value ICMP Settings These options help prevent the device and the network from attacks that involve issues with the ICMP echo request packets...

Page 52: ...f you reach the end of the line the text wraps to the next line The line might not wrap at the same location in the CLI To create a line break carriage return in the message press Enter on the keyboar...

Page 53: ...l traffic loss When enabled flow control allows lower speed or congested switches to communicate with higher speed switches by sending a PAUSE frame to request that the higher speed switch refrain fro...

Page 54: ...ing of messages logged or forwarded based on severity and generating component The in memory log stores messages in memory based upon the settings for message component and severity On stackable syste...

Page 55: ...en Notice 5 The device is experiencing normal but significant conditions Info 6 The device is providing non critical information Debug 7 The device is providing debug level information Persistent Log...

Page 56: ...el associated with the log entry The severity can be one of the following Emergency 0 The device is unusable Alert 1 Action must be taken immediately Critical 2 The device is experiencing primary syst...

Page 57: ...ry with the most recent entry listed first lowest number Type The incident category that indicates the cause of the log entry EVENT ERROR etc Filename The EdgeSwitch source code filename identifying t...

Page 58: ...t warning level An alert log is saved if there is a serious device malfunction such as all device features being down Critical 2 The third highest warning level A critical log is saved if a critical d...

Page 59: ...type of interface to use as the source interface None The primary IP address of the originating outbound interface is used as the source address Interface The primary IP address of a physical port is...

Page 60: ...associated with the log entry The severity can be one of the following Emergency 0 The device is unusable Alert 1 Action must be taken immediately Critical 2 The device is experiencing primary system...

Page 61: ...ncritical messages to the SMTP Server For example if set to 30 the noncritical messages are sent every 30 minutes Urgent Messages Severity Configures the urgent severity level s for log messages urgen...

Page 62: ...lerts that the device sends Port The TCP port that email alerts are sent to on the SMTP server Security The type of authentication to use with the mail server which can be TLSv1 SMTP over SSL or None...

Page 63: ...nt The number of email alert messages successfully sent since the counters were cleared or the system was reset Number of Emails Failed The number of email alert messages that failed to be sent since...

Page 64: ...igure the subject line Urgent or Nonurgent Email Subject Specify the text to be displayed in the subject of the email alert message Remove To reset the email alert subject to the default value select...

Page 65: ...he type of message for which you want to specify a recipient address Urgent or Nonurgent To Address Specify the email address to which the selected type of messages are sent Use the buttons to perform...

Page 66: ...nd probe ports see Mirroring on page 69 Probe The port is configured as a monitoring port and is the destination port in a port mirroring session For more information on port monitoring and probe port...

Page 67: ...m sends a trap when the link status changes Disable The system does not send a trap when the link status changes Maximum Frame Size The maximum Ethernet frame size the interface supports or is configu...

Page 68: ...hen the MIB object type PortList is used to manage the switch in SNMP Interface Index The interface index object value assigned by the IF MIB This value is used to identify the interface when managing...

Page 69: ...rs If the cable length cannot be determined Unknown is displayed This field shows the range between the shortest estimated length and the longest estimated length Note This field displays a value only...

Page 70: ...rroring page to define port mirroring sessions To access the Multiple Port Mirroring page click System Port Mirroring in the navigation menu Multiple Port Mirroring Multiple Port Mirroring Fields Fiel...

Page 71: ...ring page click Configure Source to display the Source Configuration dialog box 2 Configure the fields shown in the table below Multiple Port Mirroring Source Configuration Fields Field Description Se...

Page 72: ...k traffic analyzer Remote VLAN The VLAN that is configured as the RSPAN VLAN Port Click the drop down box to select the port to which traffic is mirrored If the Type is Remote VLAN the selected port i...

Page 73: ...ity Model USM is defined for SNMPv3 and includes Authentication Provides data integrity and data origin authentication Privacy Protects against disclosure of message content Cipher Bock Chaining CBC i...

Page 74: ...he client and identifies the access the user may connect with Security Name Identifies the Security entry that associates Communities and Groups for a specific access type Group Name Identifies the Gr...

Page 75: ...n a certain event has occurred on the device The message is not acknowledged by the SNMP management host SNMP Version The version of SNMP to use which is either SNMPv1 or SNMPv2 Timeout Value The numb...

Page 76: ...ty Auth No Priv Authentication but no data encryption With this security level users send SNMP messages that use an MD5 key password for authentication but not a DES key password for encryption Auth P...

Page 77: ...up Fields Field Description Group Name The name that identifies the SNMP group Context Name The SNMP context associated with the SNMP group and its views A user or a management application specifies t...

Page 78: ...box enter the settings and then click Submit to apply the changes To remove one or more SNMP groups select each entry to delete click Remove and confirm the deletion Click Refresh to refresh the page...

Page 79: ...uthentication Method parameter is not set to None DES DES protocol will be used None No privacy protocol will be used Authentication Key Specifies the password used to generate the key to be used in e...

Page 80: ...a tunnel interface is used as the source address Interface When the selected Type is Interface select the physical port to use as the source interface VLAN ID When the selected Type is VLAN select the...

Page 81: ...out Errors The total number of packets including unicast broadcast and multicast packets successfully transmitted or received by the processor Packets Discarded The number of outbound Transmit column...

Page 82: ...in the MAC address table or VLAN database that have been dynamically learned by the device Total Entries Deleted The number of VLANs that have been created and then deleted since the last reboot This...

Page 83: ...ceived that were directed to the broadcast address Note that this number does not include multicast packets Tx Good The total number of outbound packets transmitted by the interface to its Ethernet se...

Page 84: ...Statistics The Port Detailed Statistics page displays a variety of per port traffic statistics To access the Port Detailed page click System Statistics System Port Detailed in the navigation menu The...

Page 85: ...ad packets received or transmitted that were between 4096 and 9216 octets in length inclusive excluding framing bits but including FCS octets Basic section Unicast Packets The Transmit column shows th...

Page 86: ...packets that contained errors preventing them from being delivered to a higher layer protocol Overruns The total number of frames discarded as this port was overloaded with incoming packets and could...

Page 87: ...DHCPv6 advertisement messages received from one or more DHCPv6 servers to which the client did not respond Received Reply Packets Discarded Number of DHCPv6 reply messages received from one or more DH...

Page 88: ...r time based reporting so it is important to configure the system clock manually or through SNTP before using this feature To access the page click System Statistics Time Based Group in the navigation...

Page 89: ...the group Use the buttons to perform the following tasks To add a set of time based traffic group statistics to collect click Add configure the desired settings and then click Submit to apply the cha...

Page 90: ...interfaces is checked against the rule When you click Add the Time Based Flow Configuration dialog box opens and allows you to configure a rule for traffic flow statistics The match conditions are opt...

Page 91: ...erface on which the statistics were reported Counter Id For traffic group statistics this field identifies the type of traffic Counter Value For traffic group statistics this field shows the number of...

Page 92: ...click System Utilities System Reset in the navigation menu System Reset Click Reset to initiate the system reset If you have not saved the changes that you submitted since the last system reset the c...

Page 93: ...et to IP Address Interface The interface to use when sending the Echo requests packets This field is enabled when the Source option is set to Interface Status Displays the results of the ping Results...

Page 94: ...mber of ICMP echo request packets to send to the host Interval Enter the number of seconds to wait between sending ping packets Size The size of the ping packet in bytes Changing the size allows you t...

Page 95: ...ot saved as part of the device configuration To access the TraceRoute page click System Utilities TraceRoute in the navigation menu TraceRoute Traceroute Fields Field Description Host Name or IP Addre...

Page 96: ...raceroute which can be Not Started The traceroute has not been initiated since viewing the page In Progress The traceroute has been initiated and is running Stopped The traceroute was interrupted by c...

Page 97: ...ration in the system Click Clear History to reset the IP address conflict detection status information that was last seen by the device Click Refresh to refresh the data on the screen with the present...

Page 98: ...ts Select this option to transfer the factory default configuration file to a remote system Error Log Select this option to transfer the system error persistent log which is also known as the event lo...

Page 99: ...rmation to encrypt authenticate and validate HTTPS sessions SSL Server Certificate PEM File Select this option to transfer an SSL Server Certificate file PEM Encoded to the device SSL DH Weak Encrypti...

Page 100: ...TFTP server option 66 Either the TFTP address or name is specified not both in most network configurations If a TFTP hostname is given a DNS server is required to translate the name to an IP address T...

Page 101: ...age If this option is cleared you must explicitly save the downloaded configuration in non volatile memory for the configuration to be available for the next reboot AutoReboot Mode If this option is s...

Page 102: ...mber of Traps Since Last Reset The number of traps generated since the trap log entries were last cleared Number of Traps Since Log Last Viewed The number of traps that have occurred since the traps w...

Page 103: ...cted this option enables activation of link status traps by selecting the corresponding line on the pulldown entry field This feature is enabled by default Multiple Users When selected this option ena...

Page 104: ...ns for clients Conflict Logging Mode Used to Enable or Disable the logging mode for IP address conflicts When enabled the system stores information IP address conflicts that are detected by the DHCP s...

Page 105: ...lds Field Description Pool Name Select the pool to configure The menu includes all pools that have been configured on the device Type of Binding Specifies the type of binding for the pool The options...

Page 106: ...utton to configure the Next Server Address field Click this button to reset the field to the default value Default Router DNS Server NetBIOS Server To configure settings for one or more default router...

Page 107: ...the default value Bootfile Name The name of the default boot image that the client should attempt to download from a specified boot server Use the buttons as follows Click this button to configure th...

Page 108: ...to view information about the IP address bindings in the DHCP server database To access the DHCP Server Bindings page click System Advanced Configuration DHCP Server Bindings in the navigation menu D...

Page 109: ...Shows the number of DHCPRELEASE messages received by the DHCP server DHCPINFORM Shows the number of DHCPINFORM messages received by the DHCP server DHCPOFFER Shows the number of DHCPOFFER messages se...

Page 110: ...ARP The DHCP client detected the conflict by broadcasting an ARP request to the address specified in the DHCP offer message sent by the server If the client receives a reply to the ARP request it decl...

Page 111: ...on Admin Mode Used to Enable or Disable the Time Range administrative mode When enabled actions with subscribed components are performed for existing time range entries Time Range Name The unique ID o...

Page 112: ...rts For an absolute entry indicates the time day month and year that the entry begins If this field is blank the absolute entry became active when it was configured For a periodic entry indicates the...

Page 113: ...ive To select multiple days press and hold CTRL and select each desired start day Starting Time of Day Specify the time of day that the entry becomes active by entering the information in the field or...

Page 114: ...r of seconds to allow a DNS server to respond to a request before a retry Range is 0 to 3600 Default is 3 Domain List The domain names that have added to the DNS client s domain list If a DNS query th...

Page 115: ...ers is 63 IP Address The IPv4 or IPv6 address associated with the configured Host Name For Static entries specify the IP Address after you click Add You can specify either an IPv4 or an IPv6 address D...

Page 116: ...f interface to use as the source interface None The primary IP address of the originating outbound interface is used as the source address Interface The primary IP address of a physical port is used a...

Page 117: ...types for the server time Polling for Unicast information is used for polling a server for which the IP address is known SNTP servers that have been configured on the device are the only ones that are...

Page 118: ...uttons as follows Click this button to change the field s setting Click this button to reset the field to the default value Unicast Poll Interval Specifies the interval in seconds between unicast poll...

Page 119: ...s Success The SNTP operation was successful and the system time was updated Request Timed Out A directed SNTP request timed out without a response from the SNTP server Bad Date Encoded The time provid...

Page 120: ...ntered a hostname Port Enter a port number from 1 to 65535 The default is 123 Priority Enter a priority from 1 to 3 with 1 being the highest priority The switch will attempt to use the highest priorit...

Page 121: ...ersion Not Supported The SNTP version supported by the server is not compatible with the version supported by the client Server Unsynchronized The SNTP server is not synchronized with its peers This i...

Page 122: ...primary IP address of a tunnel interface is used as the source address Interface When the selected Type is Interface select the physical port to use as the source interface VLAN ID When the selected T...

Page 123: ...either been manually configured or not configured at all Time Zone This section contains information about the time zone and offset Zone The acronym that represents the time zone Offset The offset in...

Page 124: ...owing time zone settings Offset The system clock s offset from UTC which is also known as Greenwich Mean Time GMT Zone The acronym that represents the time zone This field is not validated against an...

Page 125: ...ing time Used in some countries around the world summer time is the practice of temporarily advancing clocks during the summer months Typically clocks are adjusted forward one or more hours near the s...

Page 126: ...he desired month and click the date Starting Time and Day The time in hours and minutes to start summer time on the specified day End Date The day month and year that summer time ends To change the da...

Page 127: ...n page 135 Configuring DHCP Snooping on page 137 Configuring IGMP Snooping on page 144 Configuring IGMP Snooping Querier on page 151 Creating Port Channels on page 154 Viewing Multicast Forwarding Dat...

Page 128: ...avigation menu VLAN Status VLAN Status Fields Field Description VLAN ID The VLAN Identifier VID of the VLAN The range of the VLAN ID is 1 to 4093 VLAN ID 1 is reserved for the default VLAN which is al...

Page 129: ...ly when the Participation mode is Auto Detect The Status is one of the following Include The port is a member of the selected VLAN Exclude The port is not a member of the selected VLAN Participation T...

Page 130: ...ntifies the physical interface associated with the rest of the data in the row Port VLAN ID The VLAN ID assigned to untagged or priority tagged frames received on this port This value is also known as...

Page 131: ...nal Usage Configuration page click Switching VLAN Internal Usage in the navigation menu VLAN Internal Usage VLAN Internal Usage Fields Field Description Base VLAN ID The first VLAN ID to be assigned t...

Page 132: ...rameters for all interfaces to the factory default values To access the Reset VLAN Configuration page click Switching VLAN Reset in the navigation menu Reset VLAN Configuration To reset the VLAN confi...

Page 133: ...e is disabled by default To display the Voice VLAN Configuration page click Switching Voice VLAN Configuration Voice VLAN Configuration Voice VLAN Configuration Fields Field Description Voice VLAN Adm...

Page 134: ...802 1p priority value None Use the settings configured on the IP phone to send untagged voice traffic Untagged Send untagged voice traffic Disable Operationally disables the Voice VLAN feature on the...

Page 135: ...ess to fully identify the frames to filter Source Members The port s included in the inbound filter If a frame with the MAC address and VLAN ID specified by the filter arrives on a port in the Source...

Page 136: ...Mode The administrative mode of GMRP on the system When set to Enable GMRP can help control the flooding of multicast traffic by keeping track of group membership information GMRP is similar to IGMP...

Page 137: ...ol to be active on the interface When disabled the protocol will not be active on the interface and the GARP timers have no effect Join Timer Centisecs The amount of time between the transmission of G...

Page 138: ...or DHCP snooping When enabled the device checks packets that are received on untrusted interface to verify that the MAC address and the DHCP client hardware address match If the addresses do not match...

Page 139: ...the changes across the switch s next power cycle click System Configuration Storage Save DHCP Snooping Interface Configuration Use this page to view and configure the DHCP snooping settings for each i...

Page 140: ...abled The interface is considered trusted and forwards DHCP server messages without validation Log Invalid Packets The administrative mode of invalid packet logging on the interface If enabled the DHC...

Page 141: ...he MAC address associated with the DHCP client This is the Key to the binding database VLAN ID The ID of the VLAN the client is authorized to use IP Address The IP address of the client Use the button...

Page 142: ...s as a reply to the DHCP Inform messages received on trusted ports To access the DHCP Snooping Dynamic Bindings page click Switching DHCP Snooping Base Dynamic Bindings in the navigation menu DHCP Sno...

Page 143: ...either locally on the device Local or on a remote system Remote Remote IP Address The IP address of the system on which the DHCP snooping bindings database will be stored This field is available only...

Page 144: ...e dropped because the source MAC address and client hardware address did not match MAC address verification is performed only if it is globally enabled Client Ifc Mismatch The number of packets that w...

Page 145: ...head to filter packets addressed to unrequested group addresses they are unable to transmit new packets onto the shared media for the period of time that the multicast packet is flooded The problem of...

Page 146: ...The amount of time in seconds that the interface should wait after sending a query if it does not receive a report for a particular group on that interface The value must be greater or equal to 1 and...

Page 147: ...ooping Source Specific Multicast IGMP Snooping Source Specific Multicast Fields Field Description VLAN ID VLAN on which the IGMP v3 report is received Group The IPv4 multicast group address Interface...

Page 148: ...me Seconds The number of seconds the VLAN should wait after sending a query if does not receive a report for a particular group The specified value should be less than the Group Membership Interval Mu...

Page 149: ...on in the navigation menu IGMP Snooping Multicast Router Configuration IGMP Snooping Multicast Router Configuration Fields Field Description Interface Select the physical or LAG interface to display M...

Page 150: ...nterface The interface associated with the rest of the data in the row Only interfaces that are configured with multicast router VLANs appear in the table VLAN IDs The ID of the VLAN configured as ena...

Page 151: ...LAN IDs The VLANs configured on the system that are not currently enabled as multicast router interfaces on the selected port or LAG To enable a VLAN as a multicast router interface click the VLAN ID...

Page 152: ...ion Admin Mode The administrative mode for the IGMP snooping querier on the device When set to Enable the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from t...

Page 153: ...ier in the VLAN If the snooping querier finds that the other querier source IP address is lower than its own address it stops sending periodic queries If the snooping querier wins the election because...

Page 154: ...to the configured querier query interval If the snooping switch sees a better querier numerically lower in the VLAN it moves to non querier mode Non Querier The snooping switch is in non querier mode...

Page 155: ...ion group LAG The switch can treat the port channel as if it were a single link To access the page click Switching Port Channel Summary in the navigation menu Port Channel Summary Port Channel Summary...

Page 156: ...orithm used to distribute traffic load among the physical ports of the port channel while preserving the per flow packet order The packet attributes that the load balancing algorithm can use to determ...

Page 157: ...terface type which is either Port Channel logical link aggregation group or Member Port physical port Flap Count The number of times the interface has gone down The counter for a member port is increm...

Page 158: ...VLAN ID associated with the entry in the MFDB MAC Address The multicast MAC address that has been added to the MFDB Component The feature on the device that was responsible for adding the entry to th...

Page 159: ...manually added to the MFDB by an administrator Dynamic The entry has been added to the MFDB as a result of a learning process or protocol Entries that appear on this page have been added by using GARP...

Page 160: ...rm the action before the counters are reset Click Refresh to refresh the page with the most current data from the switch To retain the changes across the switch s next power cycle click System Configu...

Page 161: ...roup Name This is the configured name of the protected ports group Protected Ports The ports that are members of the protected ports group When adding a port to a protected ports group the Available I...

Page 162: ...opriately to STP and RSTP bridges A MSTP bridge can be configured to behave entirely as a RSTP bridge or a STP bridge Note For two bridges to be in the same region the force version should be 802 1S a...

Page 163: ...ID to MST ID mapping Configuration Format Selector The version of the configuration format being used in the exchange of BPDUs Use the buttons to perform the following tasks If you make any configura...

Page 164: ...the bridge priorities for multiple bridges are equal the bridge with the lowest MAC address is elected as the root bridge Time Since Topology Change The amount of time that has passed since the topol...

Page 165: ...e least cost path to the root bridge on its segment Alternate A blocked port that has an alternate path to the root bridge Backup A blocked port that has a redundant path to the same network segment a...

Page 166: ...t will flood the received BPDU to all the ports on the switch that are similarly disabled for spanning tree BPDU Guard Effect Shows the status Disabled or Enabled of BPDU Guard Effect on the interface...

Page 167: ...op Inconsistent State Displays True if the interface is currently in a loop inconsistent state otherwise displays False An interface transitions to a loop inconsistent state if loop guard is enabled a...

Page 168: ...bridge Time Since Topology Change The amount of time that has passed since the topology of the MSTI has changed Designated Root The bridge identifier of the root bridge for the MST instance The identi...

Page 169: ...o the root bridge on its segment Alternate A blocked port that has an alternate path to the root bridge Backup A blocked port that has a redundant path to the same network segment as another port on t...

Page 170: ...able or Enable on the port Designated Root The bridge ID of the root bridge for the MST instance Designated Cost The path cost offered to the LAN by the designated port Designated Bridge The bridge ID...

Page 171: ...IEEE 802 1w BPDUs received by the interface RSTP BPDUs Tx The number of RSTP BPDUs sent by the interface MSTP BPDUs Rx The number of MSTP IEEE 802 1s BPDUs received by the interface MSTP BPDUs Tx The...

Page 172: ...the data in the table shows which traffic class is mapped to the priority value Incoming frames containing the designated 802 1p priority value are mapped to the corresponding traffic class in the de...

Page 173: ...ort The behavior of packets is the same as for dynamic locking only packets with an allowable source MAC address can be forwarded To see the MAC addresses learned on a specific port see Basic Switch C...

Page 174: ...number includes all dynamically learned MAC addresses that have been converted to static MAC addresses Sticky Mode The sticky MAC address learning mode which is one of the following Enabled MAC addre...

Page 175: ...ace associated with the rest of the data in the row When adding a static MAC address entry use the Interface menu to select the interface to associate with the permitted MAC address Static MAC Address...

Page 176: ...namic addresses to static addresses use the Interface menu to select the interface to associate with the MAC addresses Dynamic MAC Address The MAC address that was learned on the device An address is...

Page 177: ...rt If all the remote entries on the switch are filled up the new neighbors are ignored In case of multiple VOIP devices on a single interface the 802 1ab component sends the Voice VLAN configuration t...

Page 178: ...atus on the interface If the notify mode is enabled the interface sends SNMP notifications when a link partner device is added or removed Optional TLV s Select each check box next to the type length v...

Page 179: ...DP 802 1AB data in the row When viewing the details for an interface this field identifies the interface that is being viewed Port ID The port identifier which is the physical address associated with...

Page 180: ...PDUs from remote devices Note If the interface has not received any LLDPDUs from remote devices a message indicates that no LLDP data has been received Chassis ID Subtype The type of information used...

Page 181: ...ystems because the information timelines interval has expired Interface Identifies the interfaces Transmit Total Displays the total number of LLDP frames transmitted by the LLDP agent on the correspon...

Page 182: ...rks Inc Use the buttons to perform the following tasks Click Refresh to update the page with the most current information Click Clear to clear the LLDP statistics of all the interfaces To retain the c...

Page 183: ...otocol Data Units PDUs that will be transmitted when the protocol is enabled The range is from 1 to 10 The default value is 3 Device Class Specifies local device s MED Classification The following thr...

Page 184: ...he interface Notification Status Indicates whether LLDP MED topology change notifications are enabled or disabled on the interface Operational Status Indicates whether the interface will transmit TLVs...

Page 185: ...cation type that is transmitted has the VLAN ID priority DSCP tagged bit status and unknown bit status A port may transmit one or many such application types This information is displayed only when a...

Page 186: ...rence Bridge Class III Communication for example IP Telephone The fourth device is Network Connectivity Device which is typically a device such as a LAN switch or router IEEE 802 1 bridge or IEEE 802...

Page 187: ...remote device Information The text description of the location information included in the subtype Extended PoE Indicates whether the remote device is advertised as a PoE device Device Type If the rem...

Page 188: ...it does then the silicon searches the host table for a matching destination IP address If an entry is found then the packet is routed to the host If there is not a matching entry then the switch perfo...

Page 189: ...fields regardless of whether it is an ARP request or response Thus when an ARP request is broadcast to all stations on a LAN segment or virtual LAN VLAN every recipient has the opportunity to store t...

Page 190: ...with the device through this interface Type The ARP entry type Dynamic An ARP entry that has been learned by the router Gateway A dynamic ARP entry that has the IP address of a routing interface Local...

Page 191: ...vice waits for an ARP response to an ARP request that it sends Retries The maximum number of times an ARP request will be retried after an ARP response is not received The number includes the initial...

Page 192: ...ion menu Routing IP Configuration Routing IP Configuration Fields Field Description Routing Mode The administrative mode of routing on the device The options are as follows Enable The device can act a...

Page 193: ...ce The default distance preference for local routes Maximum Next Hops The maximum number of hops supported by the switch This is a read only value Maximum Routes The maximum number of routes routing t...

Page 194: ...ve link IP Address The IP address of the interface Subnet Mask The IP subnet mask for the interface also known as the network mask or netmask It defines the portion of the interface s IP address that...

Page 195: ...d on the interface When local proxy ARP is enabled the interface can respond to an ARP request for a host other than itself Unlike proxy ARP local proxy ARP allows the interface to respond to ARP requ...

Page 196: ...Interface The menu contains all interfaces that can be configured for routing To configure routing settings for an interface select it from the menu and then configure the rest of the settings on the...

Page 197: ...selected network directed broadcasts are forwarded If this option is cleared network directed broadcasts are dropped Proxy ARP When this option is selected proxy ARP is enabled and the interface can r...

Page 198: ...istration Guide Ubiquiti Networks Inc Routing IP Statistics The statistics reported on the Routing IP Statistics page are as specified in RFC 1213 To display the page click Routing IP Statistics in th...

Page 199: ...arded e g for lack of buffer space Note that this counter would include datagrams counted in IpForwDatagrams if any such packets met this discretionary discard criterion IpOutNoRoutes The number of IP...

Page 200: ...de errors discovered outside the ICMP layer such as the inability of IP to route the resultant datagram In some implementations there may be no types of error which contribute to this counter s value...

Page 201: ...erface address that identifies the attached network Protocol This field tells which protocol created the specified route A route can be created in the following ways Dynamically learned through a supp...

Page 202: ...opped rather than forwarded Next Hop Interface The outgoing interface to use when forwarding traffic to the destination For a static reject route the next hop is Null Preference The preference of the...

Page 203: ...le by an administrator Static Reject A route where packets that match the route are discarded instead of forwarded The device might send an ICMP Destination Unreachable message 3 Configure the remaini...

Page 204: ...f Routing and QOS packages is required to have PBR functional Normally routers take forwarding decision based on routing tables in order to forward packets to destination addresses Policy Based Routin...

Page 205: ...use the port without restrictions At any given time only one supplicant is allowed to attempt authentication on a port in this mode Ports in this mode are under bidirectional control This is the defau...

Page 206: ...N is dynamically created This implies that the client can connect from any port and can get assigned to the appropriate VLAN This feature gives flexibility for clients to move around the network witho...

Page 207: ...Access Control Port Summary Fields Field Description Interface The interface associated with the rest of the data in the row PAE Capabilities The Port Access Entity PAE role which is one of the follo...

Page 208: ...wing Initialize Disconnected Connecting Authenticating Authenticated Aborting Held ForceAuthorized ForceUnauthorized Backend State The current state of the back end authentication state machine which...

Page 209: ...t Configuration Use the Port Access Control Port Configuration page to enable and configure port access control on one or more ports To access the Port Access Control Port Configuration page click Sec...

Page 210: ...ddresses Quiet Period The number of seconds that the port remains in the quiet state following a failed authentication exchange Transmit Period The value in seconds of the timer used by the authentica...

Page 211: ...icating the supplicant provides the password associated with the selected User Name Authentication Period The amount of time the supplicant port waits to receive a challenge from the authentication se...

Page 212: ...permission by the authentication server before it can send and receive traffic through the remote port Authenticator Options The fields in this section provide information about the settings that app...

Page 213: ...is VLAN might be configured with limited network access Supplicant Timeout The amount of time that the port waits for a response before retransmitting an EAP request frame to the client Server Timeout...

Page 214: ...ote authenticator port EAPOL Frames Received The total number of valid EAPOL frames received on the interface EAPOL Frames Transmitted The total number of EAPOL frames sent by the interface Last EAPOL...

Page 215: ...ent by a supplicant to indicate that it is disconnecting from the network and the interface can return to the unauthorized state This field is displayed only if the interface is configured as a suppli...

Page 216: ...lient uses to identify itself as a supplicant to the authentication server Supplicant MAC Address The MAC address of the supplicant that is connected to the port Session Time The amount of time that h...

Page 217: ...this field identifies each interface being configured Users The users that are allowed access to the system through the associated port When configuring user access for a port the Available Users fie...

Page 218: ...e data in the row Only interfaces that have entries in the log history are listed Time Stamp The absolute time when the authentication event took place VLAN Assigned The ID of the VLAN the supplicant...

Page 219: ...will not occur until the configured timeout value on that server has passed without a response from the RADIUS server Therefore the maximum delay in receiving a response from the RADIUS server equals...

Page 220: ...the RADIUS server Server Name Shows the RADIUS server name Multiple RADIUS servers can have the same name In this case RADIUS clients can use RADIUS servers with the same name as backups for each othe...

Page 221: ...f RADIUS packets received from the server on the authentication port and dropped for some other reason When you click Details the RADIUS Server Detailed Statistics window displays the following additi...

Page 222: ...ther the shared secret for this server has been configured Secret The shared secret text string used for authenticating and encrypting all RADIUS communications between the RADIUS client on the device...

Page 223: ...out or received a response Timeouts The number of times a response was not received from the server within the configured timeout value Packets Dropped The number of RADIUS packets received from the s...

Page 224: ...accounting statistics to zero To access the RADIUS Clear Statistics page click Security RADIUS Clear Statistics in the navigation menu RADIUS Clear Statistics Click Reset to clear all statistics for t...

Page 225: ...e Interface Configuration RADIUS Source Interface Configuration Fields Field Description Type The type of interface to use as the source interface None The primary IP address of the originating outbou...

Page 226: ...TACACS communications between the device and the TACACS server The key must match the key configured on the TACACS server Click this button to configure the field Click this button to reset the field...

Page 227: ...the additional field below Key String Specifies the authentication and encryption key for TACACS communications between the device and the TACACS server The key must match the encryption used on the T...

Page 228: ...ich the TACACS servers are used Port Specifies the authentication port Key String Specifies the authentication and encryption key for TACACS communications between the device and the TACACS server The...

Page 229: ...e Interface Configuration TACACS Source Interface Configuration Fields Field Description Type The type of interface to use as the source interface None The primary IP address of the originating outbou...

Page 230: ...is queued for transmission in a port the rate at which it is serviced depends on how the queue is configured and possibly the amount of traffic present in the other queues of the port If a delay is ne...

Page 231: ...Control Lists IP access control lists ACL allow network managers to define classification actions and rules for specific ports ACLs are composed of access control entries ACE or rules that consist of...

Page 232: ...same as IPv4 Extended ACLs but the ACL ID can be an alphanumeric name instead of a number IPv6 Named Match criteria can be based on information including the source and destination IPv6 addresses sour...

Page 233: ...signed to a rule when it is created Rules are added in the order they are created and cannot be renumbered Packets are checked against the rule criteria in order from the lowest numbered rule to the h...

Page 234: ...y if protocol is either TCP or UDP Equal to Not Equal to Greater than and Less than options are available For TCP protocol BGP Domain Echo FTP FTP Data HTTP SMTP Telnet WWW POP2 or POP3 For UDP protoc...

Page 235: ...tion is exclusive to all other match criteria if Every is selected no other match criteria can be configured To configure specific match criteria this option must be cleared Protocol The IANA assigned...

Page 236: ...n provide information about the actions to take on a frame or packet that matches the rule criteria The attributes specify actions other than the basic Permit or Deny actions Assign Queue The number t...

Page 237: ...e type also determines which attributes can be applied to matching traffic IPv4 ACLs classify Layer 3 and Layer 4 IPv4 traffic IPv6 ACLs classify Layer 3 and Layer 4 IPv6 traffic and MAC ACLs classify...

Page 238: ...sify Layer 3 and Layer 4 IPv6 traffic and MAC ACLs classify Layer 2 traffic The ACL types are as follows IPv4 Standard Match criteria is based on the source address of IPv4 packets IPv4 Extended Match...

Page 239: ...o VoIP Global Configuration page to configure the VLAN ID for the Auto VoIP VLAN or to reset the current Auto VoIP VLAN ID to the default value Voice over Internet Protocol VoIP enables telephone call...

Page 240: ...hony OUI The unique OUI that identifies the device manufacturer or vendor The OUI is specified in three octet values each octet is represented as two hexadecimal digits separated by colons Status Iden...

Page 241: ...and the interface detects an OUI match the device assigns the traffic in that session to the traffic class mapped to this priority value Traffic classes with a higher value are generally used for tim...

Page 242: ...ed Auto VoIP mode on the interfaces To display the Protocol Based Auto VoIP page click QoS Auto VoIP Protocol Based Auto VoIP in the navigation menu A portion of the UI page is shown below Protocol Ba...

Page 243: ...e bandwidth allocation to allow priority treatment for VoIP traffic Interface The interface associated with the rest of the data in the row When editing Auto VoIP settings on one or more interfaces th...

Page 244: ...to the appropriate outbound CoS queue through a mapping table CoS queue characteristics that affect queue mapping such as minimum guaranteed bandwidth transmission rate shaping etc are user configurab...

Page 245: ...244 Configuring Quality of Service EdgeSwitch Administration Guide Ubiquiti Networks Inc CoS IP DSCP Mapping Configuration 2 of 2...

Page 246: ...interface to configure To configure the same settings on all interfaces select Global Trust Mode The trust mode for ingress traffic on the interface which is one of the following untrusted The interf...

Page 247: ...interface for all the queues Queue ID The CoS queue The higher the queue value the higher its priority is for sending traffic Minimum Bandwidth The minimum guaranteed bandwidth allocated to the select...

Page 248: ...ueue threshold below which now packets are dropped for the associated drop precedence level After the minimum is reached WRED randomly drops packets based on their priority DSCP or IP precedence This...

Page 249: ...While enabled Differentiated Services are active MIB Table The information in this table displays the number of entries rows that are currently in each of the main DiffServ private MIB tables and the...

Page 250: ...enaming an existing class the name of the class is specified in the Class field of the dialog window Type The class type which is one of the following All All the various match criteria defined for th...

Page 251: ...ation Diffserv Class Configuration Fields Field Description Class The name of the class To configure match criteria for a class select its name from the menu Type The class type which is one of the fo...

Page 252: ...D with the lowest value within a range of VLANs Secondary VLAN ID End The secondary VLAN ID with the highest value within the range of VLANs This field is not required if the match criteria is a singl...

Page 253: ...following fields to configure the IP DSCP match criteria IP DSCP Keyword The IP DSCP keyword code that corresponds to the IP DSCP value to match If you select a keyword you cannot configure an IP DSC...

Page 254: ...cy the name of the policy is specified in the Policy field of the Add Policy dialog box Type The traffic flow direction to which the policy is applied In The policy is specific to inbound traffic Out...

Page 255: ...k CoS Select this option to mark all packets in a traffic stream with the specified Class of Service CoS queue value Use the Class of Service field to select the CoS value to mark in the priority fiel...

Page 256: ...or occasional bursting Conform Action The action taken on packets considered to be conforming below the police rate Exceed Action The action taken on packets that are considered to exceed the committe...

Page 257: ...Edit this dialog box opens and allows you to configure DiffServ interface policies Specifying None for a policy has no effect when adding or editing interface policies To remove an interface policy m...

Page 258: ...ut The policy is applied to traffic as it exits the interface Status The operational status of this service interface either Up or Down Octets Offered The total number of octets offered to all class i...

Page 259: ...raffic flow direction to which the policy is applied In The policy is applied to traffic as it enters the interface Out The policy is applied to traffic as it exits the interface Policy The name of th...

Page 260: ...ge 270 Configuring Differentiated Services for VoIP on page 271 Note Each configuration example starts from a factory default configuration unless otherwise noted Configuring VLANs The diagram in this...

Page 261: ...8 Select VLAN 3 from the VLAN ID and Name List 9 Select the Participate option in the VLAN field 10 For ports 0 2 0 3 and 0 4 select Include from the Participation menu to specify that these ports ar...

Page 262: ...nfig mode for port 0 2 assign VLAN3 as the default VLAN UBNT EdgeSwitch Interface 0 2 vlan pvid 3 exit 4 Specify that frames will always be transmitted tagged from ports that are members of VLAN 2 UBN...

Page 263: ...is associated with instance 10 on one switch you must associate VLAN 10 and instance 10 on the other switches Using the Web UI to Configure MSTP 1 Create VLANs 10 and 20 a Access the Switching VLAN St...

Page 264: ...associate MST instance 20 to VLAN 20 and assign it a bridge priority value of 61440 By using a lower priority for MST 20 MST 10 becomes the root bridge 5 Force port 0 2 to be the root port for MST 20...

Page 265: ...anning tree mst vlan 20 20 5 Change the name so that all the bridges that want to be part of the same region can form the region spanning tree configuration name ubnt 6 Make the MST ID 10 bridge the r...

Page 266: ...icipating in one VLAN and one port in the other The script shows the commands you would use to configure the EdgeSwitch software to provide the VLAN routing support shown in the diagram 24V 24V 24V 24...

Page 267: ...NT EdgeSwitch vlan database vlan routing 10 vlan routing 20 exit 6 View the logical interface IDs assigned to the VLAN routing interfaces UBNT EdgeSwitch show ip vlan MAC Address used by Routing VLANs...

Page 268: ...se entries are evaluated in sequence number order until the first match If there is no match the packets are routed as usual Configuring Policy Based Routing Using the CLI In the following configurati...

Page 269: ...tion include 10 exit interface 0 4 vlan pvid 20 vlan participation exclude 1 vlan participation include 20 exit interface 0 22 vlan pvid 30 vlan participation exclude 1 vlan participation include 30 e...

Page 270: ...0 0 255 exit 6 Create a route map and add match set terms to the route map configure route map pbr_test permit 10 match ip address 1 set ip next hop 3 3 3 3 exit exit 7 Assign a route map to VLAN rou...

Page 271: ...0 1 the system challenges the supplicant for login credentials The system encrypts the provided information and transmits it to the RADIUS server If the RADIUS server grants access the system sets the...

Page 272: ...tch operating as Router 1 1 28 1 28 TUE MAY 20 Calculator Calculator Calendar Calendar Gallery Gallery Sound Recorder Sound Recorder Hangouts Hangouts Gmail Gmail Settings Settings Drive Drive UniFi V...

Page 273: ...d pol_voip and then add the previously created classes class_ef and class_voip as instances within this policy This policy handles incoming packets already marked with a DSCP value of EF per class_ef...

Page 274: ...respond to support inquiries within a 24 hour period Online Resources Support support ubnt com Community community ubnt com Downloads downloads ubnt com Ubiquiti Networks Inc 2580 Orchard Parkway San...

Reviews:

No comments

Brands by name

Popular brands

Load more brands