ZyXEL Communications MES3500 Series User Manual Download Page 204 | Manualshive

Page: 204 / 370

background image

Chapter 26 AAA

MES3500 Series User’s Guide

204

26.1.2 RADIUS and

RADIUS and are security protocols used to authenticate users by means of an external
server instead of (or in addition to) an internal device user database that is limited to the memory
capacity of the device. In essence, RADIUS and authentication both allow you to validate
an unlimited number of users from a central location.

The following table describes some key differences between RADIUS and .

26.2 AAA Screens

The

AAA

screens allow you to enable authentication, authorization, accounting or all of them on the

Switch. First, configure your authentication and accounting server settings (RADIUS, or
both) and then set up the authentication priority, activate authorization and configure accounting
settings.

Click

Advanced Application

>

AAA

in the navigation panel to display the screen as shown.

Figure 117

Advanced Application > AAA

26.2.1 RADIUS Server Setup

Use this screen to configure your RADIUS server settings. See

Section 26.1.2 on page 204

for more

information on RADIUS servers and

Section 26.3 on page 212

for RADIUS attributes utilized by the

authentication and accounting features on the Switch. Click on the

RADIUS Server Setup

link in

the

AAA

screen to view the screen as shown.

Table 78

RADIUS vs

RADIUS

Transport Protocol

UDP (User Datagram Protocol)

TCP (Transmission Control Protocol)

Encryption

Encrypts the password sent for
authentication.

All communication between the client (the
Switch) and the TACACS server is encrypted.

«
...
202
203
204
205
206
...
»

Summary of Contents for MES3500 Series

Page 1: ...xel com MES3500 Series Layer 2 Management Switch Version 4 00 Edition 2 01 2016 Copyright 2016 ZyXEL Communications Corporation User s Guide Default Login Details LAN IP Address http 192 168 1 1 User...

Page 2: ...ated Documentation Quick Start Guide The Quick Start Guide shows how to connect the Switch and access the Web Configurator CLI Reference Guide The CLI Reference Guide explains how to use the Command L...

Page 3: ...g 77 VLAN 88 Static MAC Forward Setup 108 Static Multicast Forward Setup 110 Filtering 113 Spanning Tree Protocol 115 Bandwidth Control 134 Broadcast Storm Control 137 Mirroring 139 Link Aggregation 1...

Page 4: ...eries User s Guide 4 Differentiated Services 269 DHCP 276 ARP Learning 290 Maintenance 294 Access Control 303 Diagnostic 325 Syslog 326 Cluster Management 329 MAC Table 336 ARP Table 339 Configure Clo...

Page 5: ...t 21 1 2 Ways to Manage the Switch 21 1 3 Good Habits for Managing the Switch 21 Chapter 2 Hardware Installation and Connection 22 2 1 Installation Scenarios 22 2 2 Desktop Installation 22 2 3 Rack Mo...

Page 6: ...ent IP Address 45 Chapter 6 Tutorials 47 6 1 How to Use DHCP Snooping on the Switch 47 6 2 How to Use DHCP Relay on the Switch 50 6 2 1 DHCP Relay Tutorial Introduction 50 6 2 2 Creating a VLAN 51 6 2...

Page 7: ...LANs 88 9 1 1 Forwarding Tagged and Untagged Frames 88 9 2 Automatic VLAN Registration 89 9 2 1 GARP 89 9 2 2 GVRP 89 9 3 Port VLAN Trunking 90 9 4 Select the VLAN Type 90 9 5 Static VLAN 90 9 5 1 VLA...

Page 8: ...2 Spanning Tree Protocol Status Screen 120 13 3 Spanning Tree Configuration 120 13 4 Configure Rapid Spanning Tree Protocol 121 13 5 Rapid Spanning Tree Protocol Status 124 13 6 Configure Multiple Ra...

Page 9: ...n Overview 152 18 1 1 IEEE 802 1x Authentication 152 18 1 2 MAC Authentication 153 18 2 Port Authentication Configuration 154 18 2 1 Activate IEEE 802 1x Security 154 18 2 2 Guest VLAN 156 18 2 3 Acti...

Page 10: ...Scheduling WRR 180 23 2 Configuring Queuing 180 Chapter 24 VLAN Stacking 182 24 1 VLAN Stacking Overview 182 24 1 1 VLAN Stacking Example 182 24 2 VLAN Stacking Port Roles 183 24 3 VLAN Tag Format 183...

Page 11: ...12 26 3 1 Attributes Used for Authentication 213 26 3 2 Attributes Used for Accounting 213 Chapter 27 IP Source Guard 216 27 1 IP Source Guard Overview 216 27 1 1 DHCP Snooping Overview 216 27 1 2 ARP...

Page 12: ...rt Configuration 246 31 2 1 sFlow Collector Configuration 248 Chapter 32 PPPoE 250 32 1 PPPoE Intermediate Agent Overview 250 32 1 1 PPPoE Intermediate Agent Tag Format 250 32 1 2 Sub Option Format 25...

Page 13: ...olor Marker Settings 272 36 3 2 Configuring DSCP Profiles 274 36 4 DSCP to IEEE 802 1p Priority Settings 275 36 4 1 Configuring DSCP Settings 275 Chapter 37 DHCP 276 37 1 DHCP Overview 276 37 1 1 DHCP...

Page 14: ...4 FTP Restrictions 302 Chapter 40 Access Control 303 40 1 Access Control Overview 303 40 2 The Access Control Main Screen 303 40 3 About SNMP 303 40 3 1 SNMP v3 and Security 304 40 3 2 Supported MIBs...

Page 15: ...ement Status 330 43 2 1 Cluster Member Switch Management 331 43 3 Clustering Management Configuration 333 Chapter 44 MAC Table 336 44 1 MAC Table Overview 336 44 2 Viewing the MAC Table 337 Chapter 45...

Page 16: ...Table of Contents MES3500 Series User s Guide 16 Appendix C Legal Information 357 Index 362...

Page 17: ...17 PART I User s Guide...

Page 18: ...or third party SNMP management This section shows a few examples of using the Switch in various network environments 1 1 1 Backbone Application The Switch is an ideal solution for small networks where...

Page 19: ...bit Ethernet mini GBIC port on the Switch Moreover the Switch eases supervision and maintenance by allowing network managers to centralize multiple servers at a single location Figure 2 Bridging Appli...

Page 20: ...an one group With VLAN a station cannot directly talk to or hear from stations that are not in the same group s unless such traffic first goes through a router For more information on VLANs refer to C...

Page 21: ...pter 4 on page 35 Command Line Interface Line commands offer an alternative to the web configurator and in some cases are necessary to configure advanced features See the CLI Reference Guide FTP Use F...

Page 22: ...allation 1 Make sure the Switch is clean and dry 2 Set the Switch on a smooth level surface strong enough to support the weight of the Switch and the connected cables Make sure there is a power outlet...

Page 23: ...ide of the Switch lining up the four screw holes on the bracket with the screw holes on the side of the Switch Figure 5 Attaching the Mounting Brackets 2 Using a 2 Philips screwdriver install the M3 f...

Page 24: ...he Switch models that can be wall mounted Do the following to attach your Switch to a wall You may need screw anchors if mounting on a concrete or brick wall 1 Select a position free of obstructions o...

Page 25: ...sert the screws all the way in leave a small gap of about 0 5 cm If not using screw anchors use a screwdriver to insert the screws into the wall Do not insert the screws all the way in leave a gap of...

Page 26: ...anel of the Switch Figure 8 MES3500 24 Front Panel AC Model Figure 9 MES3500 24 Front Panel DC Model Figure 10 MES3500 24F Front Panel AC Model Fast Ethernet Ports Dual Personality Interfaces Console...

Page 27: ...thernet Ports Connect these ports to a computer a hub an Ethernet switch or router SFP Slots Use transceivers in these slots for fiber optic or copper connections to a computer a hub a switch or route...

Page 28: ...automatically works with a straight through or crossover Ethernet cable The Switch has two or four 1000Base T Ethernet ports which are paired with a mini GBIC slot to create a dual personality interf...

Page 29: ...iSource Agreement MSA See the SFF committee s INF 8074i specification Rev 1 0 for details You can change transceivers while the Switch is operating You can use different transceivers to connect to Eth...

Page 30: ...transceiver out of the slot Figure 15 Removing the Fiber Optic Cables Figure 16 Opening the Transceiver s Latch Example Figure 17 Transceiver Removal Example 3 1 4 Power Connector Make sure you are u...

Page 31: ...he power Note When installing the power wire push it wire firmly into the terminal as deep as possible and make sure that no exposed bare wire can be seen or touched Exposed power wire is dangerous Us...

Page 32: ...the sensor s documentation to identify its two signal output pins 2 Connect these two wires to any one of the following pairs of signal input pins on the Switch s Signal connector 4 5 6 7 8 9 10 11 T...

Page 33: ...odel 3 2 LEDs After you connect the power to the Switch view the LEDs to ensure proper functioning of the Switch and as an aid in troubleshooting 1 2 3 11 10 1 2 3 11 10 1 2 3 11 10 Pin Assignments Ta...

Page 34: ...ing The system is transmitting receiving to from a 10 Mbps or a 1000 Mbps Ethernet network On The link to a 10 Mbps or a 1000 Mbps Ethernet network is up Amber Blinking The system is transmitting rece...

Page 35: ...urator you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScript enabled by default Java permissions enabled by...

Page 36: ...t screen that displays when you access the web configurator This guide uses the MES3500 24 screens as an example The screens may vary slightly for different models The following figure shows the navig...

Page 37: ...ays the same even if the Switch s power is turned off See Section 39 3 on page 295 for information on saving your settings to a specific configuration file C Click this link to go to the status page o...

Page 38: ...filtering rules Spanning Tree Protocol This link takes you to screens where you can configure the RSTP MRSTP MSTP to prevent network loops Bandwidth Control This link takes you to screens where you c...

Page 39: ...on the Switch IP Application Static Routing This link takes you to a screen where you can configure static routes A static route defines how the Switch should forward traffic by configuring the TCP I...

Page 40: ...t when the Switch s power is turned off Click the Save link in the upper right hand corner of the web configurator to save your configuration to nonvolatile memory Nonvolatile memory refers to the Swi...

Page 41: ...configuration file with the factory default configuration file This means that you will lose all previous configurations and the speed of the console port will be reset to the default of 9600bps with...

Page 42: ...ion for security reasons Figure 24 Web Configurator Logout Screen 4 8 Help The web configurator s online help has descriptions of individual screens and some supplementary information Click the Help l...

Page 43: ...LAN ID Configure the Switch IP management address 5 1 1 Creating a VLAN VLANs confine broadcast frames to the VLAN group in which the port s belongs You can do this with port based VLAN or tagged stat...

Page 44: ...member of the VLAN only 4 To ensure that VLAN unaware devices such as computers and hubs can receive frames properly clear the TX Tagging check box to set the Switch to remove VLAN tags before sendin...

Page 45: ...for port 1 and click Apply to save your changes back to the run time memory Settings in the run time memory are lost when the Switch s power is turned off 5 2 Configuring Switch Management IP Address...

Page 46: ...Basic Setting IP Setup in the navigation panel 4 Configure the related fields in the IP Setup screen 5 For the VLAN2 network enter 192 168 2 1 as the IP address and 255 255 255 0 as the subnet mask 6...

Page 47: ...server A connected to port 5 to assign IP addresses to all devices in VLAN 100 Create a VLAN containing ports 5 6 and 7 Connect a computer M to the Switch s port which is not in VLAN 100 Note For rela...

Page 48: ...hown Deselect Tx Tagging because you don t want outgoing traffic to contain this VLAN tag Click Add 3 Go to Advanced Application VLAN VLAN Port Setting and set the PVID of the ports 5 6 and 7 to 100 T...

Page 49: ...connected to DHCP clients Click Apply 7 Go to Advanced Application IP Source Guard DHCP snooping Configure VLAN show VLAN 100 by entering 100 in the Start VID and End VID fields and click Apply Then...

Page 50: ...hcp snooping binding to see the DHCP snooping binding table as shown next 6 2 How to Use DHCP Relay on the Switch This tutorial describes how to configure your Switch to forward DHCP client requests t...

Page 51: ...o 802 1Q Click Apply to save the settings to the run time memory 3 Click Advanced Application VLAN Static VLAN 4 In the Static VLAN screen select ACTIVE enter a descriptive name VALN 102 for example i...

Page 52: ...is turned off 8 Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen 9 Enter 102 in the PVID field for port 2 to add a tag to incoming un...

Page 53: ...y agent information such as the VLAN ID to DHCP requests 1 Click IP Application DHCP DHCPv4 and then the Global link to open the DHCP Relay screen 2 Select the Active check box 3 Enter the DHCP server...

Page 54: ...102 2 You configured the correct VLAN ID port number and system name for DHCP relay on both the DHCP server and the Switch 3 You clicked the Save link on the Switch to have your settings take effect...

Page 55: ...then click Apply Click Port on the top of the screen 2 Select Untrusted for port 5 and enter userC as Circuit id and 00134900000A as Remote id Select Trusted for port 12 and then leave the other field...

Page 56: ...hen Click Intermediate Agent on the top of the screen 3 The Intermediate Agent screen appears Click VLAN on the top of the screen 4 Enter 1 for both Start VID and End VID since both the Switch and PPP...

Page 57: ...lect Circuit id and Remote id to allow the Switch to add these two strings to frames tagged with VLAN 1 and pass to the PPPoE server Click Apply 6 3 2 Configuring Switch B The example uses another MES...

Page 58: ...r s Guide 58 Click Port on the top of the screen 2 Select Trusted for ports 11 and 12 and then click Apply Then Click Intermediate Agent on the top of the screen 3 The Intermediate Agent screen appear...

Page 59: ...Enter 1 for both Start VID and End VID Click Apply 5 Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit id and Remote id to allow the Switch to add these two strings to frames tagged...

Page 60: ...of time 10 minutes before resuming the port automatically after the problem s are gone Loop guard and Errdiable features are helpful for this demand Note Refer to Section 28 2 on page 238 and Section...

Page 61: ...le Detect select Active for cause ARP and inactive port as the mode Then click Apply 4 Click Advanced Application Errdisable Errdisable Recovery select Active and Timer Status for loopguard and ARP en...

Page 62: ...y can authenticate with the authentication server In this guest VLAN clients can surf the Internet through the default gateway attached to port 10 but are not allowed to access other network resources...

Page 63: ...the Name field and enter 200 in the VLAN Group ID field 5 Select Fixed to configure ports 1 2 3 and 10 to be permanent members of this VLAN 6 Clear the TX Tagging check box to set the Switch to remov...

Page 64: ...hen the VLAN Port Setting link in the VLAN Status screen 9 Enter 200 in the PVID field for ports 1 2 3 and 10 to add a tag to incoming untagged frames received on these ports so that the frames are fo...

Page 65: ...on Follow the steps below to enable port authentication to validate access to ports 1 8 to clients based on a RADIUS server 1 Click Advanced Application Port Authentication and then the Click Here lin...

Page 66: ...uest VLAN ID 200 in this example on ports 1 2 and 3 The Switch puts unauthenticated clients in the specified guest VLAN Set Host mode to Multi Secure to have the Switch authenticate each client that c...

Page 67: ...s in VLAN 1 6 6 How to Do Port Isolation in a VLAN You want to prevent communications between ports in a VLAN but still allow them to access the Internet or network resources through the uplink port i...

Page 68: ...run time memory 3 Click Advanced Application VLAN Static VLAN 4 In the Static VLAN screen select ACTIVE enter a descriptive name VLAN 123 for example in the Name field and enter 123 in the VLAN Group...

Page 69: ...hen the VLAN Port Setting link in the VLAN Status screen 9 Enter 123 in the PVID field for ports 2 3 4 and 25 to add a tag to incoming untagged frames received on these ports so that the frames are fo...

Page 70: ...e your configuration permanently 6 6 2 Creating a Private VLAN Rule Follow the steps below to configure private VLAN for VLAN 123 1 Click Advanced Application Private VLAN 2 In the Private VLAN screen...

Page 71: ...the web configurator to save your configuration permanently Ports 2 3 and 4 in this VLAN will be added to the isolated port list automatically and cannot send traffic to each other From port 2 3 or 4...

Page 72: ...72 PART II Technical Reference...

Page 73: ...owing statistical details 7 2 Port Status Summary To view the port statistics click Status in all web configurator screens to display the Status screen as shown next Figure 28 Status The following tab...

Page 74: ...ore information If STP is disabled this field displays FORWARDING if the link is up otherwise it displays STOP LACP This fields displays whether LACP Link Aggregation Control Protocol has been enabled...

Page 75: ...s the cable type Copper or Fiber This field displays Down if the port is not connected to any device Status If STP Spanning Tree Protocol is enabled this field displays the STP state of the port see S...

Page 76: ...This is a count of packets for which transmission failed due to excessive collisions Excessive collision is defined as the number of maximum collisions before the retransmission count is reset Late T...

Page 77: ...tting System Info LABEL DESCRIPTION System Name This field displays the descriptive name of the Switch for identification purposes Product Model This field displays the model number of the Switch ZyNO...

Page 78: ...nsor Threshold This field displays the upper temperature limit at this sensor Status This field displays Normal for temperatures below the threshold and Error for those above Voltage V The power suppl...

Page 79: ...timeserver for up to 60 seconds If you specify a timeserver that is unreachable then this screen will appear locked for 60 seconds Please wait Current Time This field displays the time you open this...

Page 80: ...lock traffic between two specific ports within the Switch you can use port isolation or private VLAN see Chapter 34 on page 264 for more information However it does not work across End Date Configure...

Page 81: ...can only be sent through non isolated port 1 or root port 7 to switch A This prevents isolated ports on switch B sending traffic through designated port 8 to switch C Traffic received on designated po...

Page 82: ...se smart isolation you should have configured 802 1Q VLAN port isolation or private VLAN and M RSTP on the Switch Smart isolation does not work with MSTP and or port based VLAN MAC Address Learning MA...

Page 83: ...fields to configure the priority level to physical queue mapping The Switch has eight physical queues that you can map to the 8 priority levels On the Switch traffic assigned to higher index queues ge...

Page 84: ...IP address Default Management IP Address DHCP Client Select this option if you have a DHCP server that can assign the Switch an IP address subnet mask a default gateway IP address and a domain name se...

Page 85: ...ccess and manage the Switch from the ports belonging to the pre defined VLAN s You must configure a VLAN first IP Address Enter the IP address for managing the Switch by the members of the VLAN specif...

Page 86: ...tor screens Type This field displays 10 100M for Fast Ethernet connections and 10 100 1000M for Gigabit connections Speed Duplex Select the speed and the duplex mode of the Ethernet connection on this...

Page 87: ...e flow control is typically used in half duplex mode to send a collision signal to the sending port mimicking a state of packet collision causing the sending port to temporarily stop sending signals a...

Page 88: ...t The remaining twelve bits define the VLAN ID giving a possible maximum number of 4 096 VLANs Note that user priority and VLAN ID are independent of each other A frame with VID VLAN Identifier of nul...

Page 89: ...it VLAN groups beyond the local Switch Please refer to the following table for common IEEE 802 1Q VLAN terminology Table 16 IEEE 802 1Q VLAN Terminology VLAN PARAMETER TERM DESCRIPTION VLAN Type Perma...

Page 90: ...wever with VLAN Trunking enabled on a port s in each intermediary switch you only need to create VLAN groups in the end devices A and B C D and E automatically allow frames with VLAN group tags 1 and...

Page 91: ...his field blank and click Search to display all VLANs configured on the Switch The Number of VLAN This is the number of VLANs configured on the Switch The Number of Search Results This is the number o...

Page 92: ...DESCRIPTION VLAN Status Click this to go to the VLAN Status screen VID This is the VLAN identification number that was configured in the Static VLAN screen Port Number This column displays the ports t...

Page 93: ...dentification purposes This name consists of up to 64 printable characters spaces are allowed VLAN Group ID Enter the VLAN ID for this static entry the valid range is between 1 and 4094 Port The port...

Page 94: ...oing frames transmitted with this VLAN Group ID Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save lin...

Page 95: ...Ingress Check If this check box is selected for a port the Switch discards incoming frames for VLANs that do not include this port in its member set Clear this check box to disable ingress filtering P...

Page 96: ...y you can configure VLAN with priority 3 and VID of 300 for traffic received from IP subnet 10 1 1 0 24 data services All untagged incoming frames will be classified based on their source IP subnet an...

Page 97: ...et VLAN you are creating or editing Name Enter up to 32 alphanumeric characters to identify this subnet based VLAN IP Enter the IP address of the subnet for which you want to configure this subnet bas...

Page 98: ...am ARP traffic from port 1 2 and 3 will be grouped together and all upstream Apple Talk traffic from port 6 and 7 will be in another group and have higher priority than ARP traffic when they go throug...

Page 99: ...d type the protocol number in hexadecimal notation For example the IP protocol in hexadecimal notation is 0800 and Novell IPX protocol is 8137 Note Protocols in the hexadecimal number range of 0x0000...

Page 100: ...dd Figure 45 Protocol Based VLAN Configuration Example To add more ports to this protocol based VLAN 1 Click the index number of the protocol based VLAN entry Click 1 2 Change the value in the Port fi...

Page 101: ...e VLAN You can assign priority to the MAC based VLAN and define a MAC to VLAN mapping table by entering a specified source MAC address in the MAC based VLAN setup screen You can also delete a MAC base...

Page 102: ...ry Priority Type a priority 0 7 for the MAC based VLAN entry The higher the numeric value you assign the higher the priority for this MAC based VLAN entry Add Click Add to save the new MAC based VLAN...

Page 103: ...s MAC address is not learned Select Drop packets with new source MAC to have the Switch discard any packet whose MAC address is not learmed Apply Click Apply to save your changes to the Switch s run...

Page 104: ...ged out MAC address aging out time can be set in the Switch Setup screen The valid range is from 0 to 16384 If you enter 0 here the Switch automatically changes to use the maximum value 16384 Note You...

Page 105: ...depending on your VLAN and VLAN security requirements If VLAN members need to communicate directly with each other then select All Connected Select Port Isolated if you want to restrict users from co...

Page 106: ...Chapter 9 VLAN MES3500 Series User s Guide 106 Figure 49 Advanced Application VLAN Port Based VLAN Setup Port Isolation...

Page 107: ...at is a port through which a data packet enters If you wish to allow two subscriber ports to talk to each other you must define the ingress port for both ports The numbers in the top row denote the in...

Page 108: ...e MAC address table Static MAC addresses do not age out When you set up static MAC address rules you are setting static MAC addresses for a port This may reduce the need for broadcasting Static MAC ad...

Page 109: ...or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afres...

Page 110: ...a member without the member having to join the group first If a multicast group has no members then the switch will either flood the multicast frames to all ports or drop them You can configure this i...

Page 111: ...ls in this screen Table 27 Advanced Application Static Multicast Forwarding LABEL DESCRIPTION Active Select this check box to activate your rule You may temporarily deactivate a rule without deleting...

Page 112: ...d values Clear Click Clear to begin configuring this screen afresh Index Click an index number to modify a static multicast MAC address rule for port s Active This field displays whether a static mult...

Page 113: ...in the navigation panel to display the screen as shown next Figure 55 Advanced Application Filtering The following table describes the related labels in this screen Table 28 Advanced Application Filt...

Page 114: ...e Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Clear Click Clear to c...

Page 115: ...e information is directly propagated throughout the network from the device that generates the topology change In STP a longer delay is required as the device that causes a topology change first notif...

Page 116: ...after a predefined interval Max Age the bridge assumes that the link to the root bridge is down This bridge then initiates negotiations with other bridges to reconfigure the network to re establish a...

Page 117: ...e the following features One Common and Internal Spanning Tree CIST that represents the entire network s connectivity Grouping of multiple bridges or switching devices into regions that appear as one...

Page 118: ...at appears as a single device to the rest of the network Each MSTP enabled device can only belong to one MST region When BPDUs enter an MST region external path cost of paths outside this region is in...

Page 119: ...gions 1 and 2 have 2 spanning tree instances Figure 59 MSTIs in Different Regions 13 1 5 4 Common and Internal Spanning Tree CIST A CIST represents the connectivity of the entire network and it is equ...

Page 120: ...Protocol This screen differs depending on which STP mode RSTP MRSTP or MSTP you configure on the Switch This screen is described in detail in the section that follows the configuration section for ea...

Page 121: ...e Multiple Rapid Spanning Tree or Multiple Spanning Tree See Section 13 1 on page 115 for background information on STP Type of Default Path Cost Select the default path cost method Short or Long you...

Page 122: ...n to enable RSTP on the Switch Bridge Priority Bridge priority is used in determining the root switch root port and designated port The switch with the highest priority lowest numeric value becomes th...

Page 123: ...rt changes its initial STP port state from blocking state to forwarding state immediately without going through listening and learning states right after the port is configured as an edge port or when...

Page 124: ...ge priority plus the MAC address This ID is the same for Root and Our Bridge if the Switch is the root switch Hello Time second This is the time interval in seconds at which the root switch transmits...

Page 125: ...e an STP tree Note You must also activate Multiple Rapid Spanning Tree in the Advanced Application Spanning Tree Protocol Configuration screen to enable MRSTP on the Switch Bridge Priority Bridge prio...

Page 126: ...blocking state to forwarding state immediately without going through listening and learning states right after the port is configured as an edge port or when its link status changes Note An edge port...

Page 127: ...ID This is the unique identifier for this bridge consisting of bridge priority plus MAC address This ID is the same for Root and Our Bridge if the Switch is the root switch Hello Time second This is t...

Page 128: ...de 128 13 8 Configure Multiple Spanning Tree Protocol To configure MSTP click MSTP in the Advanced Application Spanning Tree Protocol screen See Section 13 1 5 on page 117 for more information on MSTP...

Page 129: ...eive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwis...

Page 130: ...ity for each port here Priority decides which port should be disabled when more than one port forms a loop in the Switch Ports with a higher priority numeric value are disabled first The allowed range...

Page 131: ...g state to forwarding state immediately without going through listening and learning states right after the port is configured as an edge port or when its link status changes Note An edge port becomes...

Page 132: ...n the Switch CST This section describes the Common Spanning Tree settings Bridge Root refers to the base of the spanning tree the root bridge Our Bridge is this Switch This Switch may also be the root...

Page 133: ...e spanning tree was last reconfigured Instance These fields display the MSTI to VLAN mapping In other words which VLANs run on each spanning tree instance Instance This field displays the MSTI ID VLAN...

Page 134: ...k Information Rate PIR is the maximum bandwidth allowed for the incoming traffic flow on a port when there is no network congestion The CIR and PIR should be set for all ports that use the same uplink...

Page 135: ...this row are copied to all the ports as soon as you make them Ingress Rate Active Select this check box to activate commit rate limits on this port Commit Rate Specify the guaranteed bandwidth allowe...

Page 136: ...y The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cance...

Page 137: ...ackets the Switch receives per second on the ports When the maximum number of allowable broadcast multicast and or DLF packets is reached per second the subsequent packets are discarded Enable this fe...

Page 138: ...e settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you ma...

Page 139: ...In remote port mirroring RMirror the mirroring ports and monitor port can be on different devices in a network You can use it to monitor multiple switches across your network Traffic from the source...

Page 140: ...e RMirror mirroring port on the source device can also be used as the mirroring port in local port mirroring But it cannot be the monitor port in local port mirroring Table 41 Port Rules between Diffe...

Page 141: ...Monitor Port The monitor port is the port you copy the traffic to in order to examine it in more detail without interfering with the traffic flow on the original port s Type the port number of the mon...

Page 142: ...Mirroring screen The following screen opens Figure 73 Advanced Application Mirroring RMirror Source Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these chang...

Page 143: ...the ports as soon as you make them Mirrored Select this option to mirror the traffic on a port Direction Specify the direction of the traffic to mirror by selecting from the drop down list box Choice...

Page 144: ...rrored traffic is forwarded Monitor Port Specify the port to which you copy the traffic in order to examine it in more detail without interfering with the traffic flow on the original port s Tagging S...

Page 145: ...ensures increased network stability and control over the trunk groups on your Switch See Section 17 6 on page 150 for a static port trunking example 17 2 Dynamic Link Aggregation The Switch adheres t...

Page 146: ...KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 0000 Table 47 Link Aggregation ID Peer Switch SYSTEM PRIORITY MAC ADDRESS KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 000...

Page 147: ...the same link within the trunk src mac means the Switch distributes traffic based on the packet s source MAC address dst mac means the Switch distributes traffic based on the packet s destination MAC...

Page 148: ...nt over the same link within the trunk By default the Switch uses the src dst mac distribution type If the Switch is behind a router the packet s destination or source MAC address will be changed In t...

Page 149: ...he trunk group to which a port belongs Note When you enable the port security feature on the Switch and configure port security settings for a port you cannot include the port in an active trunk group...

Page 150: ...e higher the priority level Group ID The field identifies the link aggregation group that is one logical link containing multiple ports LACP Active Select this option to enable LACP for a trunk Port T...

Page 151: ...nk Aggregation Link Aggregation Setting In this screen activate trunk group T1 select the traffic distribution algorithm used by this group and select the ports that should belong to this group as sho...

Page 152: ...onfiguring your RADIUS server settings Note If you enable IEEE 802 1x authentication and MAC authentication on the same port the Switch performs IEEE 802 1x authentication first If a user fails to aut...

Page 153: ...tch does not prompt the client for login credentials The login credentials are based on the source MAC address of the client connecting to a port on the Switch along with a password configured specifi...

Page 154: ...Radius Server Setup screen To activate a port authentication method click Advanced Application Port Authentication in the navigation panel Select a port authentication method in the screen that appea...

Page 155: ...make them Active Select this checkbox to permit 802 1x authentication on this port You must first allow 802 1x authentication on the Switch before configuring it on each port Max Req Specify the numb...

Page 156: ...ple Use this screen to enable and assign a guest VLAN to a port In the Port Authentication 802 1x screen click Guest Vlan to display the configuration screen as shown Quiet period Specify the number o...

Page 157: ...authenticated users to access limited network resources through the Switch You must also enable IEEE 802 1x authentication on the Switch and the associated ports Enter the number that identifies the...

Page 158: ...l Click Cancel to begin configuring this screen afresh Table 52 Advanced Application Port Authentication 802 1x Guest VLAN continued LABEL DESCRIPTION Table 53 Advanced Application Port Authentication...

Page 159: ...his setting See Section 8 4 on page 82 Port This field displays a port number Use this row to make the setting the same for all ports Use this row first and then make adjustments on a port by port bas...

Page 160: ...l with no limit on individual ports other than the sum cannot exceed 16K For maximum port security enable this feature disable MAC address learning and configure static MAC address es for a port It is...

Page 161: ...display in the Static MAC Forwarding screen MAC freeze Click MAC freeze to have the Switch automatically select the Active check boxes and clear the Address Learning check boxes only for the ports sp...

Page 162: ...ng enabled Limited Number of Learned MAC Address Use this field to limit the number of dynamic MAC addresses that may be learned on a port For example if you set this field to 5 on port 2 then only th...

Page 163: ...s IP addresses VLANs or socket ports 20 2 Range Profile Screen The Range Profile screens allow you to access and configure profiles for a range of VLANs IP addresses ports and socket ports Click Advan...

Page 164: ...ges to the Switch s run time memory The Switch loses this change if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory whe...

Page 165: ...your changes to the Switch s run time memory The Switch loses this change if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile...

Page 166: ...your changes to the Switch s run time memory The Switch loses this change if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile...

Page 167: ...t is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring t...

Page 168: ...t number destination port number or incoming port number For example you can configure a classifier to select traffic from the same protocol port such as Telnet to form a flow Configure QoS on the Swi...

Page 169: ...The following table describes the labels in this screen Table 59 Advanced Application Classifier LABEL DESCRIPTION Active Select this option to enable this rule Name Enter a descriptive name for this...

Page 170: ...l MAC addresses To specify a destination select MAC Mask to enter the destination MAC address of the packet in valid MAC address format six hexadecimal character pairs and type the mask for the specif...

Page 171: ...in the subnet mask Otherwise select Range and choose a predefined destination IP address range profile Socket Number Note You must select either UDP or TCP in the IP Protocol field before you configu...

Page 172: ...ptive name for this rule This is for identification purposes only Rule This field displays a summary of the classifier rule s settings Delete Click Delete to remove the selected entry from the summary...

Page 173: ...er s Guide 173 Figure 95 Classifier Example After you have configured a classifier you can configure a policy to define action s on the classified traffic flow See Chapter 22 on page 174 for informati...

Page 174: ...ry flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going 22 1 2 DSCP and Per Hop Behavior DiffServ defines a new DS Differenti...

Page 175: ...labels in this screen Table 63 Advanced Application Policy Rule LABEL DESCRIPTION Active Select this option to enable the policy Name Enter a descriptive name for identification purposes Classifier s...

Page 176: ...packet s 802 1p priority and send the packet to priority queue to replace the packet s 802 1p priority field with the value you set in the Priority field Then put the packets in the designated queue...

Page 177: ...64 Policy Summary Table LABEL DESCRIPTION Rule Usage This field displays how many rules have been configured on the Switch Index This field displays the policy index number Click an index number to ed...

Page 178: ...Chapter 22 Policy Rule MES3500 Series User s Guide 178 Figure 98 Policy Example EXAMPLE...

Page 179: ...st When that queue empties traffic on the next highest priority queue Q6 is transmitted until Q6 empties and then traffic is transmitted on Q5 and so on If higher priority queues never empty then traf...

Page 180: ...looping fashion until a queue is empty Weighted Round Robin Scheduling WRR uses the same algorithm as round robin scheduling but services queues based on their priority and queue weight the number you...

Page 181: ...e in the Weight field Queues with larger weights get more guaranteed bandwidth than queues with smaller weights Weighted Round Robin Scheduling services queues on a rotating basis based on their queue...

Page 182: ...sed on specific VLANs for many different customers A service provider s customers may require a range of VLANs to handle multiple applications A service provider s customers can assign their own inner...

Page 183: ...o a second VLAN tag outer VLAN tag can be added Note Static VLAN Tx Tagging MUST be disabled on a port where you choose Normal or Access Port Select Tunnel Port available for Gigabit ports only for eg...

Page 184: ...ard that allows the service provider to prioritize traffic based on the class of service CoS the customer has paid for On the Switch configure priority level of the inner IEEE 802 1Q tag in the Port S...

Page 185: ...ble for Gigabit ports only for egress ports at the edge of the service provider s network Select Tunnel Port to have the Switch add the Tunnel TPID tag to all outgoing frames sent on this port In orde...

Page 186: ...rt number identifies the port you are configuring SPVID SPVID is the service provider s VLAN ID the outer VLAN tag Enter the service provider ID from 1 to 4094 for frames received on this port See Cha...

Page 187: ...ame Enter a descriptive name up to 32 printable ASCII characters for identification purposes Port The port number identifies the port you are configuring CVID Enter a customer VLAN ID the inner VLAN t...

Page 188: ...tomer VLAN ID in the incoming packets SPVID This is the service provider s VLAN ID that adds to the packets from the subscribers Priority This is the service provider s priority level in the packets D...

Page 189: ...oses see the IANA website for more information 25 1 2 IGMP Filtering With the IGMP filtering feature you can control which IGMP groups a subscriber on a port can join This allows you to control the di...

Page 190: ...VLAN 25 2 Multicast Status Click Advanced Application Multicast to display the screen as shown This screen shows the multicast group information See Section 25 1 on page 189 for more information on mu...

Page 191: ...use Version2 or Version3 to enable IGMP Snooping to forward group multicast traffic only to ports that are members of that group Otherwise select Disable Querier Select this option to allow the Switch...

Page 192: ...e multicast tree when an IGMP version 2 leave message is received on this port Select this option if there is only one host connected to this port Normal Leave Enter an IGMP normal leave timeout value...

Page 193: ...iltering profile to use for this port Otherwise select Default to prohibit the port from joining any multicast group You can create IGMP filtering profiles in the Multicast Multicast Setting IGMP Filt...

Page 194: ...Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your c...

Page 195: ...me for this VLAN group VID This field displays the ID number of the VLAN group Delete Check the rule s that you want to remove in the Delete column then click the Delete button Cancel Click Cancel to...

Page 196: ...the Switch that can send and receive multicast traffic in a multicast VLAN while a receiver port can only receive multicast traffic Once configured the Switch maintains a forwarding table that matche...

Page 197: ...port matches one of the configured MVR multicast group addresses on the Switch an entry is created in the forwarding table on the Switch This maps the subscriber VLAN to the list of forwarding destina...

Page 198: ...twork Name Enter a descriptive name up to 32 printable ASCII characters for identification purposes Multicast VLAN ID Enter the VLAN ID 1 to 4094 of the multicast VLAN 802 1p Priority Select a priorit...

Page 199: ...cast traffic None Select this option to set the port not to participate in MVR No MVR multicast traffic is sent or received on this port Tagging Select this checkbox if you want the port to tag the VL...

Page 200: ...ulticast address of the multicast group in dotted decimal notation Enter the same IP address as the Start Address field if you want to configure only one IP address for a multicast group Refer to Sect...

Page 201: ...cast group in the MVR screen and set the receiver and source ports Figure 113 MVR Configuration Example To set the Switch to forward the multicast group traffic to the subscribers configure multicast...

Page 202: ...Chapter 25 Multicast MES3500 Series User s Guide 202 Figure 114 MVR Group Configuration Example 1 Figure 115 MVR Group Configuration Example 2 EXAMPLE EXAMPLE...

Page 203: ...itch itself or it can use an external server to authorize a large number of users Accounting is the process of recording what a user is doing The Switch can use an external server to track when users...

Page 204: ...ttings RADIUS TACACS or both and then set up the authentication priority activate authorization and configure accounting settings Click Advanced Application AAA in the navigation panel to display the...

Page 205: ...e RADIUS server If you are using index priority for your authentication and you are using two RADIUS servers then the timeout value is divided between the two RADIUS servers For example if you set the...

Page 206: ...representing a RADIUS accounting server entry IP Address Enter the IP address of an external RADIUS accounting server in dotted decimal notation UDP Port The default port of a RADIUS accounting server...

Page 207: ...the TACACS server If you are using index priority for your authentication and you are using two TACACS servers then the timeout value is divided between the two TACACS servers For example if you set t...

Page 208: ...entry IP Address Enter the IP address of an external TACACS accounting server in dotted decimal notation TCP Port The default port of a TACACS accounting server is 49 You need not change this value u...

Page 209: ...witch CLI Reference Guide for local authentication The TACACS and RADIUS are external servers Before you specify the priority make sure you have set up the corresponding database correctly first You c...

Page 210: ...er Active Select this to activate authorization for a specified event types Method Select whether you want to use RADIUS or TACACS for authorization of specific types of events RADIUS is the only meth...

Page 211: ...r users authenticating via the RADIUS server Mode The Switch supports two modes of recording login events Select start stop to have the Switch send information to the accounting server when a user beg...

Page 212: ...ed on the RADIUS server This section lists the RADIUS attributes supported by the Switch Table 82 Supported VSAs FUNCTION ATTRIBUTE Ingress Bandwidth Assignment Vendor Id 890 Vendor Type 1 Vendor data...

Page 213: ...erver when performing authentication 26 3 1 1 Attributes Used for Authenticating Privilege Access User Name the format of the User Name attribute is enab where is the privilege level 1 14 User Passwor...

Page 214: ...that they are sent the difference between Console and Telnet SSH Exec events is that the Telnet SSH events utilize the Calling Station Id attribute Table 84 RADIUS Attributes Exec Events via Console...

Page 215: ...86 RADIUS Attributes Exec Events via Console ATTRIBUTE START INTERIM UPDATE STOP User Name NAS IP Address NAS Port Class Called Station Id Calling Station Id NAS Identifier NAS Port Type Acct Status...

Page 216: ...rd consists of the following features Static bindings Use this to create static bindings in the binding table DHCP snooping Use this to filter unauthorized DHCP packets on the network and to build the...

Page 217: ...Switch restarts it loads static bindings from permanent memory but loses the dynamic bindings in which case the devices in the network have to send DHCP requests again As a result it is recommended yo...

Page 218: ...configure this setting for each source VLAN This setting is independent of the DHCP relay settings Chapter 37 on page 276 27 1 1 4 Configuring DHCP Snooping Follow these steps to configure DHCP snoopi...

Page 219: ...port or an untrusted port for ARP inspection This setting is independent of the trusted untrusted setting for DHCP snooping You can also specify the maximum rate at which the Switch receives ARP pack...

Page 220: ...ress and VLAN ID as an existing static binding the new static binding replaces the original one To open this screen click Advanced Application IP Source Guard Static Binding Table 87 Advanced Applicat...

Page 221: ...ear Click this to clear the fields above Index This field displays a sequential number for each binding MAC Address This field displays the source MAC address in the binding IP Address This field disp...

Page 222: ...125 Advanced Application IP Source Guard DHCP Snooping The following table describes the labels in this screen Table 89 Advanced Application IP Source Guard DHCP Snooping LABEL DESCRIPTION Database St...

Page 223: ...snooping database unsuccessfully Last failed reason This field displays the reason the Switch updated the DHCP snooping database unsuccessfully This section displays historical information about the n...

Page 224: ...leases This field displays the number of bindings the Switch ignored because the lease time had already expired Unsupported vlans This field displays the number of bindings the Switch ignored because...

Page 225: ...etween DHCP requests from different VLAN Select Disable if you do not want the Switch to forward DHCP packets to a specific VLAN Database If Timeout interval is greater than Write delay interval it is...

Page 226: ...Switch to load it You can use this to load dynamic bindings from a different DHCP snooping database than the one specified in Agent URL When the Switch loads dynamic bindings from a DHCP snooping data...

Page 227: ...cards DHCP packets from trusted ports only if the rate at which DHCP packets arrive is too high Untrusted ports are connected to subscribers and the Switch discards DHCP packets from untrusted ports i...

Page 228: ...LAN the settings are applied to all VLANs Enabled Select Yes to enable DHCP snooping on the VLAN You still have to enable DHCP snooping on the Switch and specify trusted ports Note The Switch will dro...

Page 229: ...ber port number VLAN ID and or system name specified in the profile to DHCP requests that it broadcasts to the DHCP VLAN if specified or VLAN You can specify the DHCP VLAN in the DHCP Snooping Configu...

Page 230: ...urce VLAN ID in the MAC address filter Port This field displays the source port of the discarded ARP packet Expiry sec This field displays how long in seconds the MAC address filter remains in the Swi...

Page 231: ...received from the VLAN since the Switch last restarted Forwarded This field displays the total number of ARP packets the Switch forwarded for the VLAN since the Switch last restarted Dropped This fie...

Page 232: ...ction 27 6 3 on page 232 Reason This field displays the reason the log message was generated dhcp deny An ARP packet was discarded because it violated a dynamic binding with the same MAC address and V...

Page 233: ...ssages and simply starts counting the number of entries that were dropped due to unavailable buffer Click Clearing log status table in the ARP Inspection Log Status screen to clear the log and reset t...

Page 234: ...ent bindings The rate at which ARP packets arrive is too high You can specify the maximum rate at which ARP packets can arrive on untrusted ports Limit Rate and Burst Interval settings have no effect...

Page 235: ...e applied to all VLANs Enabled Select Yes to enable ARP inspection on the VLAN Select No to disable ARP inspection on the VLAN Log Specify when the Switch generates log messages for receiving ARP pack...

Page 236: ...Loop state occurs as a result of human error It happens when two ports on a switch are connected with the same cable When a switch in loop state sends out broadcast messages the messages loop back to...

Page 237: ...not affected by the switch in loop state Figure 138 Loop Guard Probe Packet The Switch also shuts down port N if the probe packet returns to switch A on any other port In other words loop guard also...

Page 238: ...number Use this row to make the setting the same for all ports Use this row first and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you...

Page 239: ...the tagged packets according to its VLAN tag that do not match an entry in the VLAN mapping table If the incoming packets are untagged the Switch adds a PVID based on the VLAN setting Note You can not...

Page 240: ...displays the port number Use this row to make the setting the same for all ports Use this row first and then make adjustments on a port by port basis Changes in this row are copied to all the ports a...

Page 241: ...rule is applied Choices are Egress outgoing Ingress incoming and Both Add Click Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch los...

Page 242: ...capsulates layer 2 protocol packets with a specific MAC address before sending them across the service provider s network to other edge switches Figure 144 Layer 2 Protocol Tunneling Network Scenario...

Page 243: ...Incoming layer 2 protocol packets received on an access port are encapsulated and forwarded to the tunnel ports The Tunnel port is an egress port at the edge of the service provider s network and conn...

Page 244: ...hes in the service provider s network should be set to use the same MAC address for encapsulation Port This field displays the port number Use this row to make the setting the same for all ports Use t...

Page 245: ...us of a link Mode Select Access to have the Switch encapsulate the incoming layer 2 protocol packets and forward them to the tunnel port s Select Access for ingress ports at the edge of the service pr...

Page 246: ...ollector The sFlow collector is a server that collects and analyzes sFlow datagram An sFlow datagram includes packet header input and output interface sampling process parameters and forwarding inform...

Page 247: ...ick Cancel to begin configuring this screen afresh Port This field displays the port number Use this row to make the setting the same for all ports Use this row first and then make adjustments on a po...

Page 248: ...allow incoming traffic if the collector is behind a firewall Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power s...

Page 249: ...his field displays IP address of the sFlow collector UDP Port This field displays port number the Switch uses to send sFlow datagram to the collector Delete Check the rule s that you want to remove in...

Page 250: ...E Active Discovery Initialization and PADR PPPoE Active Discovery Request packets from PPPoE clients This tag is defined in RFC 2516 and has the following format for this feature The Tag_Type is 0x010...

Page 251: ...ong to VLAN 123 32 1 2 2 WT 101 Default Circuit ID Syntax If you do not configure a Circuit ID string for a specific VLAN on a port or for a specific port and disable the flexible Circuit ID syntax in...

Page 252: ...ent from a PPPoE client and received on an untrusted port the Switch adds a vendor specific tag to the packet and then forwards it to the trusted port s The Switch discards PADO and PADS packets which...

Page 253: ...ty and configure circuit id and remote id in the Per Port or Per Port Per VLAN screen Active Select this option to have the Switch add the user defined identifier string and variables specified in the...

Page 254: ...scribes the labels in this screen Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the t...

Page 255: ...sent from a PPPoE server but received on an untrusted port Circuit id Enter a string of up to 63 ASCII characters that the Switch adds into the Agent Circuit ID sub option for PPPoE discovery packets...

Page 256: ...o make the setting the same for all VLANs Use this row first and then make adjustments on a VLAN by VLAN basis Note Changes in this row are copied to all the VLANs as soon as you make them Circuit id...

Page 257: ...ck Apply to display the specified range of VLANs in the section below VID This field displays the VLAN ID of each VLAN in the range specified above If you configure the VLAN the settings are applied t...

Page 258: ...port This enhances the CPU efficiency and protects against potential DoS attacks or errors from other network s You then can choose to drop control packets that exceed the specified rate limit or disa...

Page 259: ...ted that control packets exceeded the rate limit configured for a port or a port is disabled according to the feature requirements and what action you configure and related information Click the Click...

Page 260: ...rol packet received on the port or the feature enabled on the port and causing the Switch to take the specified action Active This field displays whether the control packets ARP BPDU and or IGMP on th...

Page 261: ...re Port This field displays the port number Use this row to make the setting the same for all ports Use this row first and then make adjustments to each port if necessary Note Changes in this row are...

Page 262: ...all the entries as soon as you make them Active Select this option to have the Switch detect if the configured rate limit for a specific control packet is exceeded and take the action selected below...

Page 263: ...ll entries Use this row first and then make adjustments to each entry if necessary Note Changes in this row are copied to all the entries as soon as you make them Timer Status Select this option to al...

Page 264: ...iscuous port can communicate with any port in the same VLAN An isolated port can communicate with the promiscuous port s only Note You can have up to one private VLAN rule for each VLAN In the followi...

Page 265: ...our changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile...

Page 266: ...send data to a server or device that is not reachable through the default gateway for example when sending SNMP traps or using ping to test IP connectivity This figure shows a Telnet session coming i...

Page 267: ...ic represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks Enter a number that approximates th...

Page 268: ...ediate neighbor of your Switch that will forward the packet to the destination Metric This field displays the cost of transmission for routing purposes Delete Click Delete to remove the selected entry...

Page 269: ...ffServ defines a new DS Differentiated Services field to replace the Type of Service ToS field in the IP header The DS field contains a 6 bit DSCP field which can define up to 64 service levels and th...

Page 270: ...ets are admitted to the network The PIR is greater than or equal to the CIR CIR and PIR values are based on the guaranteed and maximum bandwidth respectively as negotiated between a service provider a...

Page 271: ...er packet loss priority Packets marked red high packet loss priority continue to be red without evaluation against the PIR or CIR Packets marked yellow can only be marked red or remain yellow so they...

Page 272: ...Port This field displays the index number of a port on the Switch Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first...

Page 273: ...ets as uncolored All incoming packets are evaluated against the CIR and PIR Select color aware to treat the packets as marked by some preceding entity Incoming packets are evaluated based on their exi...

Page 274: ...continued LABEL DESCRIPTION Table 123 IP Application DiffServ 2 rate 3 Color Marker DSCP Profile LABEL DESCRIPTION Profile Name Type a descriptive name up to 32 printable ASCII characters for this pro...

Page 275: ...e Select the profile s that you want to remove Delete Click Delete to remove the selected profile s from the summary table Cancel Click Cancel to clear the Delete check boxes Table 123 IP Application...

Page 276: ...elay agent When the Switch receives a request from a computer on your network it contacts the DHCP server for the necessary IP information and then relays the assigned information back to the computer...

Page 277: ...a global DHCP relay This means that the Switch forwards all DHCP requests from all domains to the same DHCP server You can also configure the Switch to relay DHCP information based on the VLAN members...

Page 278: ...Switch sends to the DHCP server 37 4 2 DHCPv4 Option 82 Profile Use this screen to create DHCPv4 option 82 profiles Click IP Application DHCP DHCPv4 in the navigation panel and click the Option 82 Pr...

Page 279: ...ection to configure the Remote ID sub option to include information that identifies the relay agent the Switch Enable Select this option to have the Switch append the Remote ID sub option to the optio...

Page 280: ...box to enable DHCP relay Remote DHCP Server 1 3 Enter the IP address of a DHCP server in dotted decimal notation Option 82 Profile Select a pre defined DHCPv4 option 82 profile that the Switch applie...

Page 281: ...server The profile you select here has priority over the one you select in the DHCP DHCPv4 Global screen Add Click this to create a new entry or to update an existing one This saves your changes to t...

Page 282: ...ess according to the VLAN ID Figure 178 DHCP Relay Configuration Example 37 4 6 Configuring DHCPv4 VLAN Settings Use this screen to configure your DHCP settings based on the VLAN domain of the DHCP cl...

Page 283: ...n specified in the profile to DHCP requests that it relays to a DHCP server Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or los...

Page 284: ...a DHCP server The profile you select here has priority over the one you select in the DHCP DHCPv4 VLAN screen Add Click this to create a new entry or to update an existing one This saves your changes...

Page 285: ...DHCPv6 server on its network it then needs a DHCPv6 relay agent to send a message to a DHCPv6 server that is not attached to the same network The DHCPv6 relay agent can add the remote identification...

Page 286: ...lays to a DHCP server Add Click this to create a new entry or to update an existing one This saves your changes to the Switch s run time memory The Switch loses these changes if it is turned off or lo...

Page 287: ...uests from the clients before the Switch forwards them to a DHCPv6 server Enter a string of up to 64 printable characters to be carried in the interface ID option Option 37 Remote ID Select Enable to...

Page 288: ...Option37 This field displays the information that is included in the Remote ID option Option38 This field displays the information that is included in the Subscriber ID option Referenced This field di...

Page 289: ...Clear to reset the fields to the factory defaults Index This field displays a sequential number for each entry Click an index number to change the settings VID This field displays the VLAN to which th...

Page 290: ...st address The replying device which is either the IP address of the device being sought or the router that knows the way replaces the broadcast address with the target s MAC address swaps the sender...

Page 291: ...There will be no reply to a gratuitous ARP request A device may send a gratuitous ARP packet to detect IP collisions If a device restarts or its MAC address is changed it can also use gratuitous ARP t...

Page 292: ...Switch then forwards host B s ICMP reply to host A right after getting host B s MAC address and ICMP reply 38 2 ARP Learning Use this screen to configure each port s ARP learning mode Click IP Applica...

Page 293: ...Mode Select the ARP learning mode the Switch uses on the port Select ARP Reply to have the Switch update the ARP table only with the ARP replies to the ARP requests sent by the Switch Select Gratuitou...

Page 294: ...ade Click Click Here to go to the Firmware Upgrade screen Restore Configuration Click Click Here to go to the Restore Configuration screen Backup Configuration Click Click Here to go to the Backup Con...

Page 295: ...he default Switch IP address 192 168 1 1 39 3 Save Configuration Click Config 1 to save the current configuration settings permanently to Configuration 1 on the Switch Click Config 2 to save the curre...

Page 296: ...e is currently in use on the Switch 1 or 2 Refresh Click Refrech to update the time information in the Reboot Scheduled in field Cancel Click Cancel to begin configuring this screen afresh Reboot Syst...

Page 297: ...the firmware file you wish to upload to the Switch in the File Path text box or click Browse to locate it Select the Rebooting check box if you want to reboot the Switch and apply the new firmware im...

Page 298: ...click File Save As to save the file to a specific place If a dialog box pops up asking whether you want to open or save the file click Save or Save File to download it to the default downloads folder...

Page 299: ...The Mbuf log report is stored in flash permanent memory For example Mbuf 50 means a log will be created when the Mbuf utilization is over 50 The higher the Mbuf threshold number the fewer logs will be...

Page 300: ...are images ras 0 and ras 1 You can switch from one to the other by using the boot image index command where index is 1 ras 0 or 2 ras 1 See the CLI Reference Guide for more information about using com...

Page 301: ...to ras 0 Similarly put config cfg config transfers the configuration file on your computer config cfg to the Switch and renames it to config Likewise get config config cfg transfers the configuration...

Page 302: ...TP Restrictions FTP will not work when FTP service is disabled in the Service Access Control screen The IP address es in the Remote Management screen does not match the client IP address If it does no...

Page 303: ...tion on disabling multi login 40 2 The Access Control Main Screen Click Management Access Control in the navigation panel to display the main screen as shown Figure 194 Management Access Control 40 3...

Page 304: ...ents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns res...

Page 305: ...ID The OIDs beginning with 1 3 6 1 4 1 890 1 5 8 68 are specific to the MES3500 24 switch The OIDs beginning with 1 3 6 1 4 1 890 1 5 8 57 are specific to the MES3500 24F switch The OIDs beginning wit...

Page 306: ...27 2 1 This trap is sent when the Switch fails to get the time and date from a time server RTCNotUpdatedEventClea r 1 3 6 1 4 1 890 1 5 8 68 27 2 2 1 3 6 1 4 1 890 1 5 8 57 27 2 2 1 3 6 1 4 1 890 1 5...

Page 307: ...68 27 2 2 1 3 6 1 4 1 890 1 5 8 57 27 2 2 1 3 6 1 4 1 890 1 5 8 80 27 2 2 This trap is sent when the Ethernet link is up linkdown linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link...

Page 308: ...ed accounting RADIUSNotReachableEventOn 1 3 6 1 4 1 890 1 5 8 68 27 2 1 1 3 6 1 4 1 890 1 5 8 57 27 2 1 1 3 6 1 4 1 890 1 5 8 80 27 2 1 This trap is sent when there is no response message from the RAD...

Page 309: ...1 5 8 68 36 2 2 1 3 6 1 4 1 890 1 5 8 57 36 2 2 1 3 6 1 4 1 890 1 5 8 80 36 2 2 This trap is sent when the MRSTP topology changes MSTPTopologyChange 1 3 6 1 4 1 890 1 5 8 68 107 70 2 1 3 6 1 4 1 890 1...

Page 310: ...management station The Get Community string is only used by SNMP managers using SNMP version 2c or lower Note that as you type a password the screen displays an asterisk for each character you type S...

Page 311: ...n the Switch configured in the Management Access Control SNMP User screen Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or l...

Page 312: ...ox automatically clears all of the category s trap check boxes the Switch only sends traps from selected categories Apply Click Apply to save your changes to the Switch s run time memory The Switch lo...

Page 313: ...ager Clear this check box to disable the sending of SNMP traps on this port Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or...

Page 314: ...pe a password the screen displays an asterisk for each character you type Group SNMP v3 adopts the concept of View based Access Control Model VACM group SNMP managers in one group are assigned common...

Page 315: ...inistrator password is 1234 Note It is highly recommended that you change the default administrator password 1234 A non administrator username is something other than admin is someone who can view but...

Page 316: ...has read write access Old Password Type the existing system password 1234 is the default password when shipped New Password Enter your new system password Retype to confirm Retype your new system pas...

Page 317: ...ncryption Method Once the identification is verified both the client and server must agree on the type of encryption method to use 3 Authentication and Data Transmission After the identification is ve...

Page 318: ...s used so that you may securely access the Switch using the web configurator The SSL protocol specifies that the SSL server the Switch must always authenticate itself to the SSL client the computer wh...

Page 319: ...asking if you trust the server certificate You see the following Security Alert screen in Internet Explorer Select Yes to proceed to the web configurator login screen if you select No then web config...

Page 320: ...Certificate Error Internet Explorer 7 or 8 Click Install Certificate and follow the on screen instructions to install the certificate in your browser Figure 207 Certificate Internet Explorer 7 or 8 4...

Page 321: ...Series User s Guide 321 Figure 208 Security Alert Mozilla Firefox Confirm the HTTPS server URL matches Click Confirm Security Exception to proceed to the web configurator login screen Figure 209 Secur...

Page 322: ...o the website address denotes a secure connection Figure 210 Example Lock Denoting a Secure Connection 40 10 Service Port Access Control Service Access Control allows you to decide what services you m...

Page 323: ...u want to allow to access the Switch Service Port For Telnet SSH FTP HTTP or HTTPS services you may change the default service port by typing the new port number in the Server Port field If you change...

Page 324: ...Start Address End Address Configure the IP address range of trusted computers from which you can manage this Switch The Switch checks if the client IP address of a computer requesting a service or pro...

Page 325: ...anagement Diagnostic The following table describes the labels in this screen Table 155 Management Diagnostic LABEL DESCRIPTION System Log Click Display to display a log of events in the multi line tex...

Page 326: ...to the documentation of your syslog program for details The following table describes the syslog severity levels 42 2 Syslog Setup Click Management Syslog in the navigation panel to display this scre...

Page 327: ...e Select this option to set the device to generate logs for the corresponding category Facility The log facility allows you to send logs to different files in the syslog server Refer to the documentat...

Page 328: ...ch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are don...

Page 329: ...e able to communicate with one another In the following example switch A in the basement is the cluster manager and the other switches on the upper floors of the building are cluster members Table 159...

Page 330: ...330 Figure 216 Clustering Application Example 43 2 Cluster Management Status Click Management Cluster Management in the navigation panel to display the following screen Note A cluster can only have on...

Page 331: ...r nor a member of a cluster Manager This field displays the cluster manager switch s hardware MAC address The Number of Member This field displays the number of switches that make up this cluster The...

Page 332: ...re 218 Cluster Management Cluster Member Web Configurator Screen 43 2 1 1 Uploading Firmware to a Cluster Member Switch You can use FTP to upload firmware to a cluster member switch through the cluste...

Page 333: ...12 00 ras 1 rw rw rw 1 owner group 8388608 Jul 01 12 00 config 226 File sent OK ftp 297 bytes received in 0 00Seconds 297000 00Kbytes sec ftp bin 200 Type I OK ftp put 400AABB0B1 bin ras 0 200 Port c...

Page 334: ...in the Cluster Management Status screen and a warning icon appears in the member summary list below Name Type a name to identify the Clustering Manager You may use up to 32 printable characters space...

Page 335: ...in the member summary list below If multiple devices have the same password then hold SHIFT and click those switches to select them Then enter their common web configurator password Add Click Add to...

Page 336: ...mine how to forward frames See the following figure 1 The Switch examines a received frame and learns the port on which this source MAC address came 2 The Switch checks to see if the frame s destinati...

Page 337: ...tatic to display the MAC entries manually configured on the Switch Select MAC and enter a MAC address in the field provided to display a specified MAC entry Select VID and enter a VLAN ID in the field...

Page 338: ...ring entries These entries will then display only in the Filtering screen and the default filtering action is Discard source Cancel Click Cancel to change the fields back to their last saved values In...

Page 339: ...ntry is found for the IP address ARP broadcasts the request to all the devices on the LAN The Switch fills in its own MAC and IP address in the sender address fields and puts the known IP address of t...

Page 340: ...d port Flush Click Flush to remove the ARP entries according to the condition you specified Cancel Click Cancel to return the fields to the factory defaults Index This is the ARP table entry number IP...

Page 341: ...apter shows you how you can copy the settings of one port onto other ports 46 1 Configure Clone Cloning allows you to copy the basic and advanced settings from a source port to a destination port or p...

Page 342: ...copied Enter the destination port or ports under the Destination label These are the ports which are going to have the same attributes as the source port You can enter individual ports separated by a...

Page 343: ...orts Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save y...

Page 344: ...th the Switch 3 Make sure the power adaptor or cord is connected to the Switch and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the Switch off and on in DC...

Page 345: ...AC DC models 6 If the problem continues contact the vendor 47 2 Switch Access and Login I forgot the IP address for the Switch 1 The default management IP address is 192 168 1 1 2 Use the console port...

Page 346: ...ess the Switch check the remote management settings to find out why the Switch does not respond to HTTP I can see the Login screen but I cannot log in to the Switch 1 Make sure you have entered the us...

Page 347: ...o check for unauthorized access to your Switch To avoid unauthorized access configure the secured client setting in the Management Access Control Remote Management screen for telnet HTTP and SSH see S...

Page 348: ...nformation Please have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief des...

Page 349: ...om pk Philippines ZyXEL Philippines http www zyxel com ph Singapore ZyXEL Singapore Pte Ltd http www zyxel com sg Taiwan ZyXEL Communications Corporation http www zyxel com tw zh Thailand ZyXEL Thaila...

Page 350: ...Republic ZyXEL Communications Czech s r o http www zyxel cz Denmark ZyXEL Communications A S http www zyxel dk Estonia ZyXEL Estonia http www zyxel com ee et Finland ZyXEL Communications http www zyx...

Page 351: ...elux http www zyxel nl Norway ZyXEL Communications http www zyxel no Poland ZyXEL Communications Poland http www zyxel pl Romania ZyXEL Romania http www zyxel com ro ro Russia ZyXEL Russia http www zy...

Page 352: ...raine http www ua zyxel com Latin America Argentina ZyXEL Communication Corporation http www zyxel com ec es Brazil ZyXEL Communications Brasil Ltda https www zyxel com br pt Ecuador ZyXEL Communicati...

Page 353: ...User s Guide 353 North America USA ZyXEL Communications Inc North America Headquarters http www zyxel com us en Oceania Australia ZyXEL Communications Corporation http www zyxel com au en Africa South...

Page 354: ...cations that use this service or the situations in which this service is used Table 166 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authenticat...

Page 355: ...rk environments NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service PING User Defined 1 Packet INternet Groper is a protocol that sends out ICMP ech...

Page 356: ...ote Login Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller...

Page 357: ...owing two conditions 1 This device may not cause harmful interference 2 This device must accept any interference received including interference that may cause undesired operations Changes or modifica...

Page 358: ...tronic device For detailed information about recycling of this product please contact your local city office your household waste disposal service or the store where you purchased the product Use ONLY...

Page 359: ...til ll velo a un punto limpio Cuando llegue el momento de desechar el producto la recogida por separado ste y o su bater a ayudar a salvar los recursos naturales y a proteger la salud humana y medioa...

Page 360: ...Appendix C Legal Information MES3500 Series User s Guide 360 Environmental Product Declaration...

Page 361: ...bjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or i...

Page 362: ...218 and MAC filter 219 configuring 219 syslog messages 219 trusted ports 219 ARP Reply 290 ARP Request 291 authentication and RADIUS 204 setup 208 authorization privilege levels 211 setup 208 auto cro...

Page 363: ...ration 260 overview 258 current date 79 current time 79 customer support 348 D daylight saving time 79 default Ethernet settings 28 DHCP 276 configuration options 276 modes 276 relay agent 276 relay e...

Page 364: ...ric Attribute Registration Protocol 89 GARP terminology 89 GARP timer 82 89 general setup 78 getting help 42 Gigabit ports 28 GMT Greenwich Mean Time 79 gratuitous ARP 291 Guide CLI Reference 2 Quick...

Page 365: ...col LACP 145 link aggregation 145 dynamic 145 ID information 146 setup 147 149 status 146 traffic distribution algorithm 147 traffic distribution type 148 local port mirroring 139 lockout 40 log 325 l...

Page 366: ...me 132 hello time 129 Max Age 132 max age 129 max hops 129 MST region 118 network example 117 path cost 130 port priority 130 revision level 129 MSTP Multiple Spanning Tree Protocol 115 MTU Multi Tena...

Page 367: ...ics 325 mirroring 139 speed duplex 86 power connector 30 power module current rating 31 power wire 31 power status 78 power voltage 78 power wires 31 PPPoE IA 54 trusted ports 252 untrusted ports 252...

Page 368: ...ment model 304 manager 304 MIB 305 network components 304 object variables 304 protocol operations 304 security 314 setup 309 311 users 313 version 3 304 versions supported 303 SNMP traps 305 setup 31...

Page 369: ...emulation 28 time current 79 time zone 79 Time RFC 868 79 time server 79 time service protocol 79 format 79 trademarks 361 transceiver MultiSource Agreement MSA 29 transceivers 29 installation 29 remo...

Page 370: ...ng 239 configuration 240 example 239 priority level 239 tagged 239 traffic flow 239 untagged 239 VLAN ID 239 VLAN stacking 182 184 configuration 184 example 182 frame format 184 port roles 183 185 por...

Reviews:

No comments

Related manuals for MES3500 Series

DHI-NVR5224-24P-4KS2

Brand: Dahua Pages: 24

Brand: National Instruments Pages: 24

Brand: National Instruments Pages: 32

FIELDPOINT FP-1600

Brand: National Instruments Pages: 8

Brand: QNAP Pages: 20

Brand: E-TOP Pages: 76

Brand: QNAP Pages: 39

Brand: Idis Pages: 31

Brand: Lanner Pages: 63

Brand: Ubiquiti Pages: 20

Brand: AMG Systems Pages: 2

Brand: ICP DAS USA Pages: 62

Brand: Lantronix Pages: 75

Brand: Microtek Pages: 25

Passport 8608GTE

Brand: Nortel Pages: 10

Brand: LanReady Pages: 40

Brand: R3 Pages: 48

Brand: Ubiquiti Pages: 13

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands