manualshive.com logo in svg

ZyXEL Communications XS-3900-48F, User Manual

The ZyXEL Communications XS-3900-48F is a high-performance network switch designed for seamless connectivity. Ensure smooth operations with the help of its comprehensive User Manual that can be easily downloaded for free from our website. Get the most out of your device by following the correct setup and configuration procedures outlined in the manual.

Share
Download
background image

Chapter 36 Access Control

XS3900-48F User’s Guide

288

2

Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption 
method to use.

3

Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is established 
between the client and the server. The client then sends its authentication information (user name 
and password) to the server to log in to the server.

36.5.1.1  SSH Implementation on the Switch

Your Switch supports SSH version 2 using RSA authentication and three encryption methods (DES, 
3DES and Blowfish). The SSH server is implemented on the Switch for remote management and file 
transfer on port 22. Only one SSH connection is allowed at a time.

36.5.1.2  Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) 
that is used to connect to the Switch over SSH.

36.5.2  HTTPS

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol 
that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol 
that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot 
read the transferred data), authentication (one party can identify the other party) and data 
integrity (you know if data has been changed). 

It relies upon certificates, public keys, and private keys.

HTTPS on the Switch is used so that you may securely access the Switch using the web 
configurator. The SSL protocol specifies that the SSL server (the Switch) must always authenticate 
itself to the SSL client (the computer which requests the HTTPS connection with the Switch), 
whereas the SSL client only should authenticate itself when the SSL server requires it to do so. 
Authenticating client certificates is optional and if selected means the SSL-client must send the 
Switch a certificate. You must apply for a certificate for the browser from a Certificate Authority 
(CA) that is a trusted CA on the Switch.

Please refer to the following figure. 

1

HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the 
Switch’s WS (web server).

Summary of Contents for XS-3900-48F

Page 1: ...of Rack Switch with 4 port 40GbE Uplink Version 4 00 Edition 2 4 2013 Copyright 2013 ZyXEL Communications Corporation User s Guide Default Login Details IP Address http 192 168 0 1 Out of band MGMT port http 192 168 1 1 In band ports User Name admin Password 1234 ...

Page 2: ...ers to switches in general Related Documentation Module Hardware Installation Guide This guide shows how to install and remove the power and fan modules in the Switch Rack Mounting Hardware Installation Guide This guide shows how to use the rack mounting kit to install the Switch in a rack CLI Reference Guide This guide explains how to use the Command Line Interface CLI to configure the Switch Not...

Page 3: ... Multicast Forward Setup 101 Filtering 105 Spanning Tree Protocol 107 Bandwidth Control 125 Broadcast Storm Control 128 Mirroring 130 Link Aggregation 132 Port Authentication 140 Port Security 148 Classifier 151 Policy Rule 157 Queuing Method 162 VLAN Stacking 165 Multicast 172 AAA 187 IP Source Guard 200 Loop Guard 220 VLAN Mapping 224 Layer 2 Protocol Tunneling 228 sFlow 232 PPPoE 236 Error Disa...

Page 4: ...Contents Overview XS3900 48F User s Guide 4 Access Control 276 Diagnostic 296 Syslog 297 Cluster Management 300 MAC Table 306 ARP Table 309 Configure Clone 311 Troubleshooting 313 ...

Page 5: ...itch 23 1 8 Good Habits for Managing the Switch 24 Chapter 2 Tutorials 25 2 1 How to Use DHCP Snooping on the Switch 25 2 2 How to Use DHCP Relay on the Switch 28 2 2 1 DHCP Relay Tutorial Introduction 29 2 2 2 Creating a VLAN 29 2 2 3 Configuring DHCP Relay 32 2 2 4 Troubleshooting 33 2 3 How to Use PPPoE IA on the Switch 33 2 3 1 Configuring Switch A 34 2 3 2 Configuring Switch B 36 2 4 How to U...

Page 6: ...4 4 Saving Your Configuration 59 4 5 Switch Lockout 59 4 6 Resetting the Switch 59 4 6 1 Reload the Configuration File 59 4 7 Logging Out of the Web Configurator 61 4 8 Help 61 Part II Technical Reference 63 Chapter 5 System Status and Port Statistics 65 5 1 Overview 65 5 2 Port Status Summary 65 5 2 1 Status Port Details 66 Chapter 6 Basic Setting 70 6 1 Overview 70 6 2 System Information 70 6 3 ...

Page 7: ... Status 94 7 6 Port based VLAN Setup 95 7 6 1 Configure a Port based VLAN 95 Chapter 8 Static MAC Forward Setup 99 8 1 Overview 99 8 2 Configuring Static MAC Forwarding 99 Chapter 9 Static Multicast Forward Setup 101 9 1 Static Multicast Forwarding Overview 101 9 2 Configuring Static Multicast Forwarding 102 Chapter 10 Filtering 105 10 1 Configure a Filtering Rule 105 Chapter 11 Spanning Tree Prot...

Page 8: ...ast Storm Control 128 13 1 Broadcast Storm Control Setup 128 Chapter 14 Mirroring 130 14 1 Port Mirroring Setup 130 Chapter 15 Link Aggregation 132 15 1 Link Aggregation Overview 132 15 2 Dynamic Link Aggregation 132 15 2 1 Link Aggregation ID 133 15 3 Link Aggregation Status 133 15 4 Link Aggregation Setting 135 15 5 Link Aggregation Control Protocol 137 15 6 Static Trunking Example 138 Chapter 1...

Page 9: ...icy Rules 157 19 3 Viewing and Editing Policy Configuration 160 19 4 Policy Example 161 Chapter 20 Queuing Method 162 20 1 Queuing Method Overview 162 20 1 1 Strictly Priority Queuing 162 20 1 2 Weighted Fair Queuing 162 20 1 3 Weighted Round Robin Scheduling WRR 163 20 2 Configuring Queuing 163 Chapter 21 VLAN Stacking 165 21 1 VLAN Stacking Overview 165 21 1 1 VLAN Stacking Example 165 21 2 VLAN...

Page 10: ...l User Accounts 187 23 1 2 RADIUS and TACACS 188 23 2 AAA Screens 188 23 2 1 RADIUS Server Setup 188 23 2 2 TACACS Server Setup 191 23 2 3 AAA Setup 193 23 2 4 Vendor Specific Attribute 195 23 2 5 Tunnel Protocol Attribute 196 23 3 Supported RADIUS Attributes 196 23 3 1 Attributes Used for Authentication 197 23 3 2 Attributes Used for Accounting 197 Chapter 24 IP Source Guard 200 24 1 IP Source Gu...

Page 11: ...AN Mapping 226 Chapter 27 Layer 2 Protocol Tunneling 228 27 1 Layer 2 Protocol Tunneling Overview 228 27 1 1 Layer 2 Protocol Tunneling Mode 229 27 2 Configuring Layer 2 Protocol Tunneling 230 Chapter 28 sFlow 232 28 1 sFlow Overview 232 28 2 sFlow Port Configuration 233 28 2 1 sFlow Collector Configuration 234 Chapter 29 PPPoE 236 29 1 PPPoE Intermediate Agent Overview 236 29 1 1 PPPoE Intermedia...

Page 12: ...6 33 1 1 DSCP and Per Hop Behavior 256 33 1 2 DiffServ Network Example 256 33 2 Two Rate Three Color Marker Traffic Policing 257 33 2 1 TRTCM Color blind Mode 258 33 2 2 TRTCM Color aware Mode 258 33 3 Activating DiffServ 258 33 3 1 Configuring 2 Rate 3 Color Marker Settings 259 33 4 DSCP to IEEE 802 1p Priority Settings 261 33 4 1 Configuring DSCP Settings 261 Chapter 34 DHCP 263 34 1 DHCP Overvi...

Page 13: ...l 276 36 1 Access Control Overview 276 36 2 The Access Control Main Screen 276 36 3 About SNMP 276 36 3 1 SNMP v3 and Security 277 36 3 2 Supported MIBs 278 36 3 3 SNMP Traps 278 36 3 4 Configuring SNMP 282 36 3 5 Configuring SNMP Trap Group 283 36 3 6 Configuring SNMP User 284 36 4 Setting Up Login Accounts 285 36 5 Service Access Control Overview 287 36 5 1 SSH 287 36 5 2 HTTPS 288 36 5 3 Config...

Page 14: ...306 40 1 MAC Table Overview 306 40 2 Viewing the MAC Table 307 Chapter 41 ARP Table 309 41 1 ARP Table Overview 309 41 1 1 How ARP Works 309 41 2 The ARP Table Screen 310 Chapter 42 Configure Clone 311 42 1 Configure Clone 311 Chapter 43 Troubleshooting 313 43 1 Power Hardware Connections and LEDs 313 43 2 Switch Access and Login 314 43 3 Switch Configuration 316 Appendix A Common Services 317 App...

Page 15: ...15 PART I User s Guide ...

Page 16: ...16 ...

Page 17: ...e the datasheet for a full list of software features available on this Switch 1 2 Data Center Bridging DCB A traditional Ethernet network is best effort that is frames may be dropped due to device queue overflow or network congestion FCoE Fiber Channel over Ethernet transparently encapsulates fiber channel traffic into Ethernet so that you don t need separate fiber channel and Ethernet switches Da...

Page 18: ...he graphic 1 2 1 PFC ETS and DCBX Standards DCB may use PFC ETS application priority and DCBX to adapt to the FCoE Table 1 DCB Graphic Key LABEL DESCRIPTION EES Enhanced Ethernet Switch LLAN Legacy Local Area Network Ethernet ELAN Enhanced LAN Ethernet FCoE FCF Fiber Channel Forwarder SAN Storage Access Network ...

Page 19: ...ging capability eXchange IEEE 802 1Qaz 2011 uses LLDP Link Layer Discovery Protocol to advertize PFC ETS and application priority information between switches PFC information should be consistent between connected switches so PFC can be configured automatically using DCBX 1 2 2 DCB Configuration You should configure DCB on any port that has both Ethernet and FCoE traffic 1 2 2 1 DCB Only Do the fo...

Page 20: ...ected peer switch has the same configured priorities 1 2 2 2 DCB with DCBX Do the following if you re using DCB with DCBX that is switches need to know each other s PFC ETS and application priority information Enable transmission and reception of LLDP PDUs Protocol Data Unit on a port using lldp admin status tx rx Enable TLV Type Length Value transmission of formats so that switches can read each ...

Page 21: ...ddress hex value sum is used Verify configurations by displaying all port and Switch local and peer LLDP information Local port and Switch configuration and statistics can also be viewed Note At the time of writing DCB is configured using the Command Line Interface CLI only See the CLI reference guide for details and usage examples 1 3 Bridging Example In this example the Switch connects different...

Page 22: ...h speed but more costly single port link Figure 2 High Performance Switching 1 5 IEEE 802 1Q VLAN Application Example A VLAN Virtual Local Area Network allows a physical network to be partitioned into multiple logical networks Stations on a logical network belong to one or more groups With VLAN a station cannot directly talk to or hear from stations that are not in the same group s unless such tra...

Page 23: ...ed to discover other IPv6 devices in a network Remote Management using ping SNMP telnet HTTP and FTP services ICMPv6 to report errors encountered in packet processing and perform diagnostic functions such as ping IPv4 IPv6 dual stack the Switch can run IPv4 and IPv6 at the same time DHCPv6 client and relay Multicast Listener Discovery MLD snooping and proxy For more information on IPv6 refer to th...

Page 24: ...asy to guess and that consists of different types of characters such as numbers and letters Write down the password and put it in a safe place Back up the configuration and make sure you know how to restore it Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes If you forget your password you will have to reset the Switch to its factory default s...

Page 25: ... DHCP Snooping on the Switch You only want DHCP server A connected to port 5 to assign IP addresses to all devices in VLAN 100 Create a VLAN containing ports 5 6 and 7 Connect a computer M to the Switch s MGMT port Figure 4 Tutorial DHCP Snooping Tutorial Overview Note For related information about DHCP snooping see Section 24 1 on page 200 The settings in this tutorial are as the following Table ...

Page 26: ...Advanced Application VLAN Static VLAN and create a VLAN with ID of 100 Add ports 5 6 and 7 in the VLAN by selecting Fixed in the Control field as shown Deselect Tx Tagging because you don t want outgoing traffic to contain this VLAN tag Click Add 3 Go to Advanced Application VLAN VLAN Port Setting and set the PVID of the ports 5 6 and 7 to 100 This tags untagged incoming frames on ports 5 6 and 7 ...

Page 27: ...fy VLAN 100 as the DHCP VLAN as shown Click Apply 5 Click the Port link at the top right corner 6 The DHCP Snooping Port Configure screen appears Select Trusted in the Server Trusted state field for port 5 because the DHCP server is connected to port 5 Keep ports 6 and 7 Untrusted because they are connected to DHCP clients Click Apply ...

Page 28: ... port 6 or 7 The computer should be able to get an IP address from the DHCP server If you put the DHCP server on port 6 or 7 the computer will not able to get an IP address 10 To check if DHCP snooping works go to Advanced Application IP Source Guard you should see an IP assignment with the type dhcp snooping as shown You can also telnet or log into the Switch s console Use the command show dhcp s...

Page 29: ...nd gateway information to DHCP client A based on the system name VLAN ID and port number in the DHCP request Client A connects to the Switch s port 2 in VLAN 102 Figure 5 Tutorial DHCP Relay Scenario 2 2 2 Creating a VLAN Follow the steps below to configure port 2 as a member of VLAN 102 1 Access the web configurator through the Switch s management port VLAN 102 DHCP Server Port 2 PVID 102 172 16 ...

Page 30: ...me memory 3 Click Advanced Application VLAN Static VLAN 4 In the Static VLAN screen select ACTIVE enter a descriptive name VLAN 102 for example in the Name field and enter 102 in the VLAN Group ID field 5 Select Fixed to configure port 2 to be a permanent member of this VLAN 6 Clear the TX Tagging check box to set the Switch to remove VLAN tags before sending ...

Page 31: ...re lost when the Switch s power is turned off 8 Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen 9 Enter 102 in the PVID field for port 2 to add a tag to incoming untagged frames received on that port so that the frames are forwarded to the VLAN group that the tag defines ...

Page 32: ...steps below to enable DHCP relay on the Switch and allow the Switch to add relay agent information such as the VLAN ID to DHCP requests 1 Click IP Application DHCP and then the Global link to open the DHCP Relay screen 2 Select the Active check box 3 Enter the DHCP server s IP address 192 168 2 3 in this example in the Remote DHCP Server 1 field 4 Select the Option 82 and the Information check box...

Page 33: ...e PPPoE IA on the Switch You want to configure PPPoE Intermediate Agent on the Switch A to pass a subscriber s information to a PPPoE server S There is another switch B between switch A and server S Switch B is connected to switch A In this way PPPoE server S can identify subscriber C and may apply different settings to it Figure 6 Tutorial PPPoE Intermediate Agentt Tutorial Overview Note For rela...

Page 34: ...E Intermediate Agent Select Active then click Apply Click Port on the top of the screen 2 Select Untrusted for port 5 and enter userC as Circuit id and 00134900000A as Remote id Select Trusted for port 12 and then leave the other fields empty Click Apply Then Click Intermediate Agent on the top of the screen ...

Page 35: ...4 Enter 1 for both Start VID and End VID since both the Switch and PPPoE server are in VLAN 1 in this example Click Apply 5 Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit id and Remote id to allow the Switch to add these two strings to frames tagged with VLAN 1 and pass to the PPPoE server Click Apply ...

Page 36: ...he example uses an XGS4700 48F as switch B 1 Click Advanced Application PPPoE Intermediate Agent Select Active then click Apply Click Port on the top of the screen 2 Select Trusted for ports 11 and 12 and then click Apply Then Click Intermediate Agent on the top of the screen ...

Page 37: ...lick VLAN on the top of the screen 4 Enter 1 for both Start VID and End VID Click Apply 5 Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit id and Remote id to allow the Switch to add these two strings to frames tagged with VLAN 1 and pass to the PPPoE server Click Apply ...

Page 38: ...over 100 packets per second have been received on a port You also want the Switch to wait for a period of time 10 minutes before resuming the port automatically after the problem s are gone Loop guard and Errdiable features are helpful for this demand Note Refer to Section 25 2 on page 222 and Section 30 2 on page 244 for more information about Loop Guard and Errdiable To configure the settings 1 ...

Page 39: ...t to apply the setting to all ports Then click Apply 3 Click Advanced Application Errdisable Errdisable Detect select Active for cause ARP and inactive port as the mode Then click Apply 4 Click Advanced Application Errdisable Errdisable Recovery select Active and Timer Status for loopguard and ARP entries Also enter 180 180 seconds 3 minutes in the Interval field for both entries Then click Apply ...

Page 40: ...d static VLAN with fixed port members In this example you want to configure port 1 as a member of VLAN 2 Figure 7 Initial Setup Network Example VLAN 1 Click Advanced Application VLAN in the navigation panel and click the Static VLAN link 2 In the Static VLAN screen select ACTIVE enter a descriptive name in the Name field and enter 2 in the VLAN Group ID field for the VLAN2 network EXAMPLE ...

Page 41: ...me memory Settings in the run time memory are lost when the Switch s power is turned off 2 6 Setting Port VID Use PVID to add a tag to incoming untagged frames received on that port so that the frames are forwarded to the VLAN group that the tag defines In the example network configure 2 as the port VID on port 1 so that any untagged frames received on that port get sent to VLAN 2 Figure 8 Initial...

Page 42: ...connect to ports 1 2 or 3 to a guest VLAN 200 for example before they can authenticate with the authentication server In this guest VLAN clients can surf the Internet through the default gateway attached to port 10 but are not allowed to access other network resources such as the mail server or local data base 2 7 1 Creating a Guest VLAN Follow the steps below to configure port 1 2 3 and 10 as a m...

Page 43: ...Advanced Application VLAN Static VLAN 4 In the Static VLAN screen select ACTIVE enter a descriptive name VLAN 200 for example in the Name field and enter 200 in the VLAN Group ID field 5 Select Fixed to configure ports 1 2 3 and 10 to be permanent members of this VLAN 6 Clear the TX Tagging check box to set the Switch to remove VLAN tags before sending frames out of these ports ...

Page 44: ... when the Switch s power is turned off 8 Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen 9 Enter 200 in the PVID field for ports 1 2 3 and 10 to add a tag to incoming untagged frames received on these ports so that the frames are forwarded to the VLAN group that the tag defines ...

Page 45: ...e upper right corner of the web configurator to save your configuration permanently 2 7 2 Enabling IEEE 802 1x Port Authentication Follow the steps below to enable port authentication to validate access to ports 1 8 to clients based on a RADIUS server 1 Click Advanced Application Port Authentication and then the Click Here link for 802 1x ...

Page 46: ...he first Active checkbox to enable 802 1x authentication on the Switch Select the Active checkboxes for ports 1 to 8 to turn on 802 1x authentication on the selected ports Click Apply 2 7 3 Enabling Guest VLAN 1 Click the Guest Vlan link in the 802 1x screen ...

Page 47: ...client that connects to one of these ports and specify the maximum number of clients that the Switch will authenticate on each of these port 5 in this example Click Apply 3 Click the Save link in the upper right corner of the web configurator to save your configuration permanently Clients that attach to port 1 2 or 3 and fail to authenticate with the RADIUS server now should be in VLAN 200 and can...

Page 48: ...Chapter 2 Tutorials XS3900 48F User s Guide 48 ...

Page 49: ...with transceivers You must use transceivers that comply with the Small Table 7 Panel Connections CONNECTOR DESCRIPTION 48 10GbE SFP Ports Use Small Form Factor Pluggable Plus SFP transceivers in these ports for fiber optic or copper connections to a server Ethernet switch or router You can also insert an SFP Direct Attach Copper DAC in the SFP slot Four 40GbE QSFP Ports Use Quad Small Form Factor ...

Page 50: ...second Gbps To avoid possible eye injury do not look into an operating fiber optic module s connectors 3 1 1 1 Transceiver Installation Use the following steps to install a Q SFP transceiver the graphics are indicative only 1 Insert the transceiver into the slot with the exposed section of PCB board facing down Figure 10 Transceiver Installation Example 2 Press the transceiver firmly until it clic...

Page 51: ...odules A Two slots for power modules with power receptacles B Figure 14 Rear Panel 3 2 1 Power Connection Make sure you are using the correct power source and that no objects obstruct the airflow of the fans in both fan and power modules The Switch uses two power supply modules one of which is redundant so if one power module fails the system can operate on the remaining module The power connectio...

Page 52: ...tioning properly Amber On The Switch is overheating due to abnormal voltage or fan speed Off The power is off or the Switch is not ready or malfunctioning MGMT LINK Green On The MGMT port is connected at 1000 Mbps Amber On The MGMT port is connected at 10 or 100 Mbps Off The MGMT port is not up or not connected to an Ethernet device ACTIVITY Green Blinking The Switch is transmitting or receiving t...

Page 53: ... recommended screen resolution is 1024 by 768 pixels In order to use the web configurator you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScript enabled by default Java permissions enabled by default 4 2 System Login 1 Start your web browser 2 Type http and the IP address of the Switch for example the defau...

Page 54: ...1234 The date and time display as shown if you have not configured a time server nor manually entered a time and date in the General Setup screen Figure 15 Web Configurator Login 4 Click OK to view the first web configurator screen 4 3 The Web Configurator Layout The Status screen is the first screen that displays when you access the web configurator ...

Page 55: ...re currently working in B Click this link to save your configuration into the Switch s nonvolatile memory Nonvolatile memory is saved in the configuration file from which the Switch booted from and it stays the same even if the Switch s power is turned off See Section 35 3 on page 270 for information on saving your settings to a specific configuration file C Click this link to go to the status pag...

Page 56: ...u to a screen where you can set up global Switch parameters such as VLAN type MAC address learning GARP and priority queues IP Setup This link takes you to a screen where you can configure the IP address subnet mask necessary for Switch management and DNS domain name server and set up to 64 IP routing domains Port Setup This link takes you to screens where you can configure speed flow control and ...

Page 57: ...iated queue weights for each port VLAN Stacking This link takes you to screens where you can activate and configure VLAN stacking Multicast This link takes you to screen where you can configure various multicast features IGMP snooping and create multicast VLANs AAA This link takes you to a screen where you can configure authentication authorization and accounting services via external servers The ...

Page 58: ...rol This link takes you to screens where you can change the system login password and configure SNMP and remote management Diagnostic This link takes you to screens where you can view system logs and can test port s Syslog This link takes you to screens where you can setup system logs and a system log server Cluster Management This link takes you to a screen where you can configure clustering mana...

Page 59: ...as a member The CPU port is the management port of the Switch 3 Filter all traffic to the CPU port 4 Disable all ports 5 Misconfigure the text configuration file 6 Forget the password and or IP address 7 Prevent all services from accessing the Switch 8 Change a service port number but forget it Note Be careful not to lock yourself and others out of the Switch If you do lock yourself out try using ...

Page 60: ...r Debug Mode within 3 seconds press any key to enter debug mode 4 Type atlc after the Enter Debug Mode message 5 Wait for the Starting XMODEM upload message before activating XMODEM upload on your terminal 6 After a configuration file upload type atgo to restart the Switch Figure 18 Resetting the Switch Via the Console Port The Switch is now reinitialized with a default configuration file includin...

Page 61: ... your password again after you log out This is recommended after you finish a management session for security reasons Figure 19 Web Configurator Logout Screen 4 8 Help The web configurator s online help has descriptions of individual screens and some supplementary information Click the Help link from a web configurator screen to view an online help description of that screen ...

Page 62: ...Chapter 4 The Web Configurator XS3900 48F User s Guide 62 ...

Page 63: ...63 PART II Technical Reference ...

Page 64: ...64 ...

Page 65: ...statistical details 5 2 Port Status Summary To view the port statistics click Status in all web configurator screens to display the Status screen as shown next Figure 20 Port Status The following table describes the labels in this screen Table 11 Port Status LABEL DESCRIPTION Port This identifies the Ethernet port Click a port number to display the Port Details screen refer to Figure 21 on page 67...

Page 66: ...f the link is up otherwise it displays STOP LACP This fields displays whether LACP Link Aggregation Control Protocol has been enabled on the port TxPkts This field shows the number of transmitted frames on this port RxPkts This field shows the number of received frames on this port Errors This field shows the number of received errors on this port Tx KB s This field shows the transmission speed of...

Page 67: ...ex F for full duplex Status If STP Spanning Tree Protocol is enabled this field displays the STP state of the port see Section 11 1 3 on page 108 for more information If STP is disabled this field displays FORWARDING if the link is up otherwise it displays STOP LACP This field shows if LACP is enabled on this port or not TxPkts This field shows the number of transmitted frames on this port RxPkts ...

Page 68: ...s received Pause Pause is a flow control mechanism that notifies the sender to slow transmission if the receiver s buffers are almost full This field shows the number of 802 3x Pause frames received Priority Pause This field shows the number of 802 1Qbb Pause frames received Control This field shows the number of control frames received including those with CRC error but it does not include the 80...

Page 69: ... 511 This field shows the number of frames including bad frames received that were between 256 and 511 octets in length 512 1023 This field shows the number of frames including bad frames received that were between 512 and 1023 octets in length 1024 1518 This field shows the number of frames including bad frames received that were between 1024 and 1518 octets in length Giant This field shows the n...

Page 70: ... external server when you turn on your Switch The real time is then displayed in the Switch logs The Switch Setup screen allows you to set up and configure global Switch features The IP Setup screen allows you to configure Switch outband and inband IP addresses subnet mask s and DNS domain name server for management purposes The Port Setup screen allows you to enable or disable a port on the Switc...

Page 71: ...low the threshold and Error for those above Fan Speed RPM A properly functioning fan is an essential component along with a sufficiently ventilated cool operating environment in order for the device to stay within the temperature threshold Each fan has a sensor that is capable of detecting and reporting if the fan speed falls below the threshold shown Current This field displays this fan s current...

Page 72: ...se Time Server when Bootup Type the time service protocol that your timeserver uses Not all time servers support all protocols so you may have to use trial and error to find a protocol that works The main differences between them are the time format When you select the Daytime RFC 867 format the Switch displays the day month year and time with no time zone adjustment When you use this format it is...

Page 73: ... 24 hour format Here are a couple of examples Daylight Saving Time starts in most parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States you would select Second Sunday March and 2 00 Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones i...

Page 74: ...this screen Refer to the chapter on VLAN Figure 24 Basic Setting Switch Setup The following table describes the labels in this screen Table 15 Basic Setting Switch Setup LABEL DESCRIPTION VLAN Type Choose 802 1Q or Port Based The VLAN Setup screen changes depending on whether you choose 802 1Q VLAN type or Port Based VLAN type in this screen See Chapter 7 on page 81 for more information Bridge Con...

Page 75: ... physical queue mapping The Switch has eight physical queues that you can map to the 8 priority levels On the Switch traffic assigned to higher index queues gets through faster while traffic in lower index queues is dropped if the network is congested Priority Level The following descriptions are based on the traffic types defined in the IEEE 802 1d standard which incorporates the 802 1p Level 7 T...

Page 76: ... In Band or Out of band the Switch is to send frames originating from itself such as SNMP traps or frames with unknown source Select Out of band to have the Switch send the frames to the management port labelled MGMT This means that device s connected to the other port s do not receive these frames Select In Band to have the Switch send the frames to all ports except the management port labelled M...

Page 77: ...guration In band IP address You can create up to 64 IP addresses which are used to access and manage the Switch from the ports belonging to the pre defined VLAN s You must configure a VLAN first IP Address Enter the IP address for managing the Switch by the members of the VLAN specified in the VID field below IP Subnet Mask Enter the IP subnet mask in dotted decimal notation VID Type the VLAN grou...

Page 78: ...ing the signal on the cable and using half duplex mode When the Switch s auto negotiation is turned off a port uses the pre configured speed and duplex mode when making a connection thus requiring you to make sure that the settings of the peer port are the same in order to connect Both 1000 Auto and 1000M Full Duplex operate at 1Gbps speed in full duplex mode The differences are as follows Click B...

Page 79: ...low Control is used to regulate transmission of signals to match the bandwidth of the receiving port The Switch uses IEEE 802 3x flow control in full duplex mode and backpressure flow control in half duplex mode IEEE 802 3x flow control is used in full duplex mode to send a pause signal to the sending port causing it to temporarily stop sending signals when the receiving port memory buffers fill B...

Page 80: ...mory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 18 Basic Setting Port Setup continued LABEL DESCRIPTION ...

Page 81: ... The remaining twelve bits define the VLAN ID giving a possible maximum number of 4 096 VLANs Note that user priority and VLAN ID are independent of each other A frame with VID VLAN Identifier of null 0 is called a priority frame meaning that only the priority level is significant and the default VID of the ingress port is given as the VID of the frame Of the 4096 possible VIDs a VID of 0 is used ...

Page 82: ...t VLAN groups beyond the local Switch Please refer to the following table for common IEEE 802 1Q VLAN terminology Table 19 IEEE 802 1Q VLAN Terminology VLAN PARAMETER TERM DESCRIPTION VLAN Type Permanent VLAN This is a static VLAN created manually Dynamic VLAN This is a VLAN configured by a GVRP registration deregistration process VLAN Administrative Control Registration Fixed Fixed registration p...

Page 83: ...rt s in each intermediary switch you only need to create VLAN groups in the end devices A and B C D and E automatically allow frames with VLAN group tags 1 and 2 VLAN groups that are unknown to those switches to pass through their VLAN trunking port s Figure 27 Port VLAN Trunking 7 4 Select the VLAN Type Select a VLAN type in the Basic Setting Switch Setup screen Figure 28 Switch Setup Select VLAN...

Page 84: ...n the Switch The Number of VLAN This is the number of VLANs configured on the Switch The Number of Search Results This is the number of VLANs that match the searching criteria and display in the list below This field displays only when you use the Search button to look for certain VLANs Index This is the VLAN index number Click on an index number to view more VLAN details VID This is the VLAN iden...

Page 85: ... in a VLAN are marked as Elapsed Time This field shows how long it has been since a normal VLAN was registered or a static VLAN was set up Status This field shows how this VLAN was added to the Switch Dynamic using GVRP Static manually added as a normal entry Private manually added as a private VLAN primary isolated or community MVR added via Multicast VLAN Registration MVR Private VLAN Status The...

Page 86: ...Q VLAN To configure a static or private VLAN click Static VLAN in the VLAN Status screen to display the screen as shown next Figure 31 Advanced Application VLAN Static VLAN The following table describes the related labels in this screen Table 22 Advanced Application VLAN Static VLAN LABEL DESCRIPTION ACTIVE Select this check box to activate the VLAN settings Name Enter a descriptive name for the V...

Page 87: ...s VLAN group Select Forbidden if you want to prohibit the port from joining this VLAN group Tagging Select TX Tagging if you want the port to tag all outgoing frames transmitted with this VLAN Group ID Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your cha...

Page 88: ...s a registration protocol that defines a way for switches to register necessary VLAN members on ports across the network Select this check box to permit VLAN groups beyond the local Switch Port This field displays the port number Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first to set the common settings and then ...

Page 89: ... untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines Enter a number between 1 and 4094 as the port VLAN ID GVRP Select this check box to allow GVRP on this port Acceptable Frame Type Specify the type of frames allowed on a port Choices are All Tag Only and Untag Only Select All from the drop down list box to accept all untagged or tagged frame...

Page 90: ...ghest priority and data the lowest Figure 33 Subnet Based VLAN Application Example 7 5 5 1 Configuring Subnet Based VLAN Click Subnet Based VLAN in the VLAN Port Setting screen to display the configuration screen as shown Figure 34 Advanced Application VLAN VLAN Port Setting Subnet Based VLAN 10 1 1 0 24 192 168 1 0 24 172 16 1 0 24 Internet VID 100 VID 200 VID 300 Untagged Frames Tagged Frames ...

Page 91: ...AN IP Enter the IP address of the subnet for which you want to configure this subnet based VLAN Mask Bits Enter the bit number of the subnet mask To find the bit number convert the subnet mask to binary format and add all the 1 s together Take 255 255 255 0 for example 255 converts to eight 1s in binary There are three 255s so add three eights together and you get the bit number 24 VID Enter the I...

Page 92: ...switch C Figure 35 Protocol Based VLAN Application Example 7 5 6 1 Configuring Protocol Based VLAN Click Protocol Based VLAN in the VLAN Port Setting screen to display the configuration screen as shown Figure 36 Advanced Application VLAN VLAN Port Setting Protocol Based VLAN The following table describes the labels in this screen Table 25 Advanced Application VLAN VLAN Port Setting Protocol Based ...

Page 93: ...pplications VLAN screens Priority Select the priority level that the Switch will assign to frames belonging to this VLAN Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel...

Page 94: ...ck 1 2 Change the value in the Port field to the next port you want to add 3 Click Add 7 5 7 View Private VLAN Status Use this screen to view all private VLANs created on the Switch See also Advanced Application Private VLAN Make sure 802 1Q is selected in the Basic Setting Switch Setup screen Click Private VLAN Status in the VLAN Status screen to display the screen as shown next Figure 38 Advance...

Page 95: ... a Port based VLAN Select Port Based as the VLAN Type in the Switch Setup screen and then click VLAN from the navigation panel to display the following screen Select either All Connected or Port Isolated from the drop down list depending on your VLAN and VLAN security requirements If VLAN members need to communicate directly with each other then select All Connected Select Port Isolated if you wan...

Page 96: ...Chapter 7 VLAN XS3900 48F User s Guide 96 The following screen shows users on a port based all connected VLAN configuration Figure 39 Advanced Application VLAN Port Based VLAN Setup All Connected ...

Page 97: ...Chapter 7 VLAN XS3900 48F User s Guide 97 The following screen shows users on a port based port isolated VLAN configuration Figure 40 Advanced Application VLAN Port Based VLAN Setup Port Isolation ...

Page 98: ...t is a port through which a data packet enters If you wish to allow two subscriber ports to talk to each other you must define the ingress port for both ports The numbers in the top row denote the incoming port for the corresponding port listed on the left its outgoing port CPU refers to the Switch management port By default it forms a VLAN with all Ethernet ports If it does not form a VLAN with a...

Page 99: ...AC address table Static MAC addresses do not age out When you set up static MAC address rules you are setting static MAC addresses for a port This may reduce the need for broadcasting Static MAC address forwarding together with port security allows only computers in the MAC address table on a port to access the Switch See Chapter 17 on page 148 for more information on port security Click Advanced ...

Page 100: ...r loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Clear Click Clear to reset the fields to the factory defaults Index Click an index number to modify a static MAC address rule for a port Active This field displays whether this static MAC address for...

Page 101: ...e administrator to forward multicast frames to a member without the member having to join the group first If a multicast group has no members then the switch will either flood the multicast frames to all ports or drop them You can configure this in the Advanced Application Multicast Multicast Setting screen see Section 22 3 on page 174 Figure 42 shows such unknown multicast frames flooded to all p...

Page 102: ...ast Forwarding Figure 43 Static Multicast Forwarding to A Single Port Figure 44 Static Multicast Forwarding to Multiple Ports 9 2 Configuring Static Multicast Forwarding Use this screen to configure rules to forward specific multicast frames such as streaming or control frames to specific port s ...

Page 103: ...VLAN group here If you don t have a specific target VLAN enter 1 Port Enter the port s where frames with destination MAC address that matched the entry above are forwarded You can enter multiple ports separated by no space comma or hyphen For example enter 3 5 for ports 3 4 and 5 Enter 3 5 7 for ports 3 5 and 7 Add Click Add to save your rule to the Switch s run time memory The Switch loses this r...

Page 104: ...a identified VLAN group to which frames containing the specified multicast MAC address will be forwarded Delete Click Delete to remove the selected entry from the summary table Cancel Click Cancel to clear the Delete check boxes Table 29 Advanced Application Static Multicast Forwarding continued LABEL DESCRIPTION ...

Page 105: ...TION Active Make sure to select this check box to activate your rule You may temporarily deactivate a rule without deleting it by deselecting this check box Name Type a descriptive name up to 32 printable ASCII characters for this rule This is for identification only Action Select Discard source to drop frames from the source MAC address specified in the MAC field The Switch can still send frames ...

Page 106: ...the factory defaults Index This field displays the index number of the rule Click an index number to change the settings Active This field displays Yes when the rule is activated and No when is it deactivated Name This field displays the descriptive name for this rule This is for identification purposes only MAC Address This field displays the source destination MAC address with the VLAN identific...

Page 107: ...ing backwards compatible with STP only aware bridges In RSTP topology change information is directly propagated throughout the network from the device that generates the topology change In STP a longer delay is required as the device that causes a topology change first notifies the root bridge and then the root bridge notifies the network Both RSTP and STP flush unwanted learned addresses from the...

Page 108: ...o BPDU after a predefined interval Max Age the bridge assumes that the link to the root bridge is down This bridge then initiates negotiations with other bridges to reconfigure the network to re establish a valid network topology 11 1 3 STP Port States STP assigns five port states to eliminate packet looping A bridge port is not allowed to go directly from blocking state to forwarding state so as ...

Page 109: ... is backwards compatible with STP RSTP and addresses the limitations of existing spanning tree protocols STP and RSTP in networks to include the following features One Common and Internal Spanning Tree CIST that represents the entire network s connectivity Grouping of multiple bridges or switching devices into regions that appear as one single bridge on the network A VLAN can be mapped to a specif...

Page 110: ...fferent spanning trees in the network Thus traffic from the two VLANs travel on different paths The following figure shows the network example using MSTP Figure 49 MSTP Network Example 11 1 5 2 MST Region An MST region is a logical grouping of multiple network devices that appears as a single device to the rest of the network Each MSTP enabled device can only belong to one MST region When BPDUs en...

Page 111: ... to a region Thus an MSTI does not span across MST regions The following figure shows an example where there are two MST regions Regions 1 and 2 have 2 spanning tree instances Figure 50 MSTIs in Different Regions 11 1 5 4 Common and Internal Spanning Tree CIST A CIST represents the connectivity of the entire network and it is equivalent to a spanning tree in an STP RSTP The CIST is the default MST...

Page 112: ...figuration screen to activate one of the STP modes on the Switch Click Configuration in the Advanced Application Spanning Tree Protocol Figure 53 Advanced Application Spanning Tree Protocol Configuration The following table describes the labels in this screen Table 33 Advanced Application Spanning Tree Protocol Configuration LABEL DESCRIPTION Spanning Tree Mode You can activate one of the STP mode...

Page 113: ...t also activate Rapid Spanning Tree in the Advanced Application Spanning Tree Protocol Configuration screen to enable RSTP on the Switch Bridge Priority Bridge priority is used in determining the root switch root port and designated port The switch with the highest priority lowest numeric value becomes the STP root switch If all switches have the same priority the switch with the lowest MAC addres...

Page 114: ...irst to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this check box to activate RSTP on this port Edge Select this check box to configure a port as an edge port when it is directly attached to a computer An edge port changes its initial STP port state from blocking state to forw...

Page 115: ... Hello Time second This is the time interval in seconds at which the root switch transmits a configuration message The root bridge determines Hello Time Max Age and Forwarding Delay Max Age second This is the maximum time in seconds a switch can wait without receiving a configuration message before attempting to reconfigure Forwarding Delay second This is the time in seconds the root switch will w...

Page 116: ...trees Active Select this check box to activate an STP tree Clear this checkbox to disable an STP tree Note You must also activate Multiple Rapid Spanning Tree in the Advanced Application Spanning Tree Protocol Configuration screen to enable MRSTP on the Switch Bridge Priority Bridge priority is used in determining the root switch root port and designated port The switch with the highest priority l...

Page 117: ...e some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this check box to activate STP on this port Edge Select this check box to configure a port as an edge port when it is directly attached to a computer An edge port changes it...

Page 118: ...e for Root and Our Bridge if the Switch is the root switch Hello Time second This is the time interval in seconds at which the root switch transmits a configuration message The root bridge determines Hello Time Max Age and Forwarding Delay Max Age second This is the maximum time in seconds a switch can wait without receiving a configuration message before attempting to reconfigure Forwarding Delay...

Page 119: ...e 119 11 8 Configure Multiple Spanning Tree Protocol To configure MSTP click MSTP in the Advanced Application Spanning Tree Protocol screen See Section 11 1 5 on page 109 for more information on MSTP Figure 58 Advanced Application Spanning Tree Protocol MSTP ...

Page 120: ... a general rule Note 2 Forward Delay 1 Max Age 2 Hello Time 1 Maximum hops Enter the number of hops between 1 and 255 in an MSTP region before the BPDU is discarded and the port information is aged Configuration Name Enter a descriptive name up to 32 characters of an MST region Revision Number Enter a number to identify a region s configuration Devices must have the same revision number to belong ...

Page 121: ...h cost is the cost of transmitting a frame on to a LAN through that port It is recommended to assign this value according to the speed of the bridge The slower the media the higher the cost see Table 31 on page 107 for more information Add Click Add to save this MST instance to the Switch s run time memory The Switch loses this change if it is turned off or loses power so use the Save link on the ...

Page 122: ...t by port basis Note Changes in this row are copied to all the ports as soon as you make them Edge Select this check box to configure a port as an edge port when it is directly attached to a computer An edge port changes its initial STP port state from blocking state to forwarding state immediately without going through listening and learning states right after the port is configured as an edge po...

Page 123: ... the Switch CST This section describes the Common Spanning Tree settings Bridge Root refers to the base of the spanning tree the root bridge Our Bridge is this Switch This Switch may also be the root bridge Bridge ID This is the unique identifier for this bridge consisting of bridge priority plus MAC address This ID is the same for Root and Our Bridge if the Switch is the root switch Hello Time se...

Page 124: ... spanning tree was last reconfigured Instance These fields display the MSTI to VLAN mapping In other words which VLANs run on each spanning tree instance Instance This field displays the MSTI ID VLAN This field displays which VLANs are mapped to an MSTI MSTI Select the MST instance settings you want to view Bridge Root refers to the base of the MST instance Our Bridge is this Switch This Switch ma...

Page 125: ...uaranteed bandwidth for the incoming traffic flow on a port The Peak Information Rate PIR is the maximum bandwidth allowed for the incoming traffic flow on a port when there is no network congestion The CIR and PIR should be set for all ports that use the same uplink bandwidth If the CIR is reached packets are sent at the rate up to the PIR When network congestion occurs packets through the ingres...

Page 126: ... and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Ingress Rate Active Select this check box to activate commit rate limits on this port Commit Rate Specify the guaranteed bandwidth allowed in kilobits per second Kbps for the incoming traffic flow on a port The commit rate should be less than the peak rate The sum of com...

Page 127: ... The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 41 Advanced Application Bandwidth Control continued LABEL DESCRIPTION ...

Page 128: ...cond the subsequent packets are discarded Enable this feature to reduce broadcast multicast and or DLF packets in your network You can specify limits for each packet type on each port Click Advanced Application Broadcast Storm Control in the navigation panel to display the screen as shown next Figure 62 Advanced Application Broadcast Storm Control The following table describes the labels in this s...

Page 129: ...lticast pkt s Select this option and specify how many multicast packets the port receives per second The allowed range is 0 to 33554431 DLF pkt s Select this option and specify how many destination lookup failure DLF packets the port receives per second The allowed range is 0 to 33554431 Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is ...

Page 130: ... screen to select a monitor port and specify the traffic flow to be copied to the monitor port Figure 63 Advanced Application Mirroring The following table describes the labels in this screen Table 43 Advanced Application Mirroring LABEL DESCRIPTION Active Select this check box to activate port mirroring on the Switch Clear this check box to disable the feature Monitor Port The monitor port is the...

Page 131: ...irror the traffic on a port Direction Specify the direction of the traffic to mirror by selecting from the drop down list box Choices are Egress outgoing Ingress incoming and Both Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non vo...

Page 132: ...ensures increased network stability and control over the trunk groups on your Switch See Section 15 6 on page 138 for a static port trunking example 15 2 Dynamic Link Aggregation The Switch adheres to the IEEE 802 3ad standard for static and dynamic LACP port trunking The Switch supports the link aggregation IEEE802 3ad standard This standard describes the Link Aggregation Control Protocol LACP wh...

Page 133: ...k Aggregation ID Local Switch SYSTEM PRIORITY MAC ADDRESS KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 0000 Table 45 Link Aggregation ID Peer Switch SYSTEM PRIORITY MAC ADDRESS KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 0000 1 Port Priority and Port Number are 0 as it is the aggregator ID for the trunk group not the individual port Table 46 Advanced Application Li...

Page 134: ... the Switch distributes traffic based on the packet s source MAC address dst mac means the Switch distributes traffic based on the packet s destination MAC address src dst mac means the Switch distributes traffic based on a combination of the packet s source and destination MAC addresses src ip means the Switch distributes traffic based on the packet s source IP address dst ip means the Switch dis...

Page 135: ...vanced Application Link Aggregation Link Aggregation Setting The following table describes the labels in this screen Table 47 Advanced Application Link Aggregation Link Aggregation Setting LABEL DESCRIPTION Link Aggregation Setting This is the only screen you need to configure to enable static link aggregation Group ID The field identifies the link aggregation group that is one logical link contai...

Page 136: ...addresses Select src ip to distribute traffic based on the packet s source IP address Select dst ip to distribute traffic based on the packet s destination IP address Select src dst ip to distribute traffic based on a combination of the packet s source and destination IP addresses Port This field displays the port number Group Select the trunk group to which a port belongs Note When you enable the...

Page 137: ...ion on dynamic link aggregation Figure 66 Advanced Application Link Aggregation Link Aggregation Setting LACP The following table describes the labels in this screen Table 48 Advanced Application Link Aggregation Link Aggregation Setting LACP LABEL DESCRIPTION Link Aggregation Control Protocol Note Do not configure this screen unless you want to enable dynamic link aggregation Active Select this c...

Page 138: ...ield displays the port number Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them LACP Timeout Timeout is the time interval between the individual port exchanges o...

Page 139: ...regation Setting In this screen activate trunk group T1 select the traffic distribution algorithm used by this group and select the ports that should belong to this group as shown in the figure below Click Apply when you are done Figure 68 Trunking Example Configuration Screen Your trunk group 1 T1 configuration is now complete EXAMPLE ...

Page 140: ...tocol to validate users See Section 23 1 2 on page 188 for more information on configuring your RADIUS server settings If you enable IEEE 802 1x authentication and MAC authentication on the same port the Switch performs IEEE 802 1x authentication first If a user fails to authenticate via the IEEE 802 1x method then access to the port is denied 16 1 1 IEEE 802 1x Authentication The following figure...

Page 141: ...x Authentication Process 16 1 2 MAC Authentication MAC authentication works in a very similar way to IEEE 802 1x authentication The main difference is that the Switch does not prompt the client for login credentials The login credentials are based New Connection Access Request Authentication Reply 1 8 9 Challenge Response 7 6 Session Granted Denied Login Credentials Identity Request 3 2 Authentica...

Page 142: ...t authentication first activate the port authentication method s you want to use both on the Switch and the port s then configure the RADIUS server settings in the AAA Radius Server Setup screen To activate a port authentication method click Advanced Application Port Authentication in the navigation panel Select a port authentication method in the screen that appears Figure 71 Advanced Application...

Page 143: ... only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this checkbox to permit 802 1x authentication on this port You must first allow 802 1x authentication on the Switch before configuring it on each por...

Page 144: ...enter his or her username and password to stay connected to the port Reauth period Specify the length of time required to pass before a client has to re enter his or her username and password to stay connected to the port Quiet period Specify the number of seconds the port remains in the HELD state and rejects further authentication requests from the connected client after a failed authentication ...

Page 145: ...ou want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this checkbox to enable the guest VLAN feature on this port Clients that fail authentication are placed in the guest VLAN and can receive limited services Gues...

Page 146: ...correct credential they are all put in the guest VLAN Once the first user who did authentication logs out or disconnects from the port rest of the users are blocked until a user does the authentication process again Select Multi Secure to authenticate each user that connects to this port Multi Secure Num If you set Host mode to Multi Secure specify the maximum number of users between 1 and 24 that...

Page 147: ...ent fails MAC authentication its MAC address is learned by the MAC address table with a status of denied The timeout period you specify here is the time the MAC address entry stays in the MAC address table until it is cleared If you specify 0 for the timeout value then this entry will not be deleted from the MAC address table Note If the Aging Time in the Switch Setup screen is set to a lower valu...

Page 148: ...vidual ports other than the sum cannot exceed 32K For maximum port security enable this feature disable MAC address learning and configure static MAC address es for a port It is not recommended you disable port security together with MAC address learning as this will result in many broadcasts By default MAC address learning is still enabled even though the port security is not activated 17 2 Port ...

Page 149: ... box to enable the port security feature on this port The Switch forwards packets whose MAC address es is in the MAC address table on this port Packets with no matching MAC address es are dropped Clear this check box to disable the port security feature The Switch forwards all packets on this port Address Learning MAC address learning reduces outgoing broadcast traffic For MAC address learning to ...

Page 150: ...e five learned MAC addresses aged out MAC address aging out time can be set in the Switch Setup screen The valid range is from 0 to 16384 0 means this feature is disabled Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory...

Page 151: ... as the source address destination address source port number destination port number or incoming port number For example you can configure a classifier to select traffic from the same protocol port such as Telnet to form a flow Configure QoS on the Switch to group and prioritize application traffic and fine tune network performance Setting up QoS involves two separate steps 1 Configure classifier...

Page 152: ...ve Select this option to enable this rule Name Enter a descriptive name for this rule for identifying purposes Packet Format Specify the format of the packet Choices are All 802 3 tagged 802 3 untagged Ethernet II tagged and Ethernet II untagged A value of 802 3 indicates that the packets are formatted according to the IEEE 802 3 standards A value of Ethernet II indicates that the packets are form...

Page 153: ...ct the second option and specify a DSCP DiffServ Code Point number between 0 and 63 in the field provided IP Protocol Select an IP protocol type or select Other and enter the protocol number in decimal value Refer to Table 57 on page 155 for more information You may select Establish Only for TCP protocol type This means that the Switch will pick out the packets that are sent to establish TCP conne...

Page 154: ...igation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Clear Click Clear to set the above fields back to the factory defaults Table 54 Advanced Application Classifier continued LABEL DESCRIPTION Table 55 Classifier Summary Table LABEL DESCRIPTION Index This field displays the index number of the rule C...

Page 155: ...t common IP ports are Banyan Systems 0BAD BBN Simnet 5208 IBM SNA 80D5 AppleTalk AARP 80F3 Table 57 Common IP Ports PORT NUMBER PORT NAME 21 FTP 23 Telnet 25 SMTP 53 DNS 80 HTTP 110 POP3 Table 56 Common Ethernet Types and Protocol Number ETHERNET TYPE PROTOCOL NUMBER ...

Page 156: ...figuring a classifier that identifies all traffic from MAC address 00 50 ba ad 4f 81 on port 2 Figure 80 Classifier Example After you have configured a classifier you can configure a policy to define action s on the classified traffic flow See Chapter 19 on page 157 for information on configuring a policy rule EXAMPLE ...

Page 157: ...y flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going 19 1 2 DSCP and Per Hop Behavior DiffServ defines a new DS Differentiated Services field to replace the Type of Service TOS field in the IP header The DS field contains a 2 bit unused field and a 6 bit DSCP field which can define up to 64 service levels The following fi...

Page 158: ...tion panel to display the screen as shown Figure 81 Advanced Application Policy Rule The following table describes the labels in this screen Table 58 Advanced Application Policy Rule LABEL DESCRIPTION Active Select this option to enable the policy Name Enter a descriptive name for identification purposes ...

Page 159: ...ets Select Discard the packet to drop the packets Select Do not drop the matching frame previously marked for dropping to retain the frames that were marked to be dropped before Priority Select No change to keep the priority setting of the frames Select Set the packet s 802 1p priority to replace the packet s 802 1p priority field with the value you set in the Priority field Select Send the packet...

Page 160: ...that are marked to be dropped Add Click Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Cl...

Page 161: ... Example The figure below shows an example Policy screen where you configure a policy to limit bandwidth and discard out of profile traffic on a traffic flow classified using the Example classifier refer to Section 18 4 on page 156 Figure 83 Policy Example EXAMPLE ...

Page 162: ...first When that queue empties traffic on the next highest priority queue Q6 is transmitted until Q6 empties and then traffic is transmitted on Q5 and so on If higher priority queues never empty then traffic on lower priority queues never gets sent SP does not automatically adapt to changing network requirements 20 1 2 Weighted Fair Queuing Weighted Fair Queuing is used to guarantee each queue s mi...

Page 163: ...oping fashion until a queue is empty Weighted Round Robin Scheduling WRR uses the same algorithm as round robin scheduling but services queues based on their priority and queue weight the number you configure in the queue Weight field rather than a fixed amount of bandwidth WRR is activated only when a port has more traffic than it can handle Queues with larger weights get more service than queues...

Page 164: ...er the queue weight here Bandwidth is divided across the different traffic queues according to their weights Hybrid SPQ Lowest Queue This field is applicable only when you select WFQ or WRR Select a queue Q0 to Q7 to have the Switch use SPQ to service the subsequent queue s after and including the specified queue for the 1000Base T 1000Base X and 10 Gigabit Ethernet ports For example if you select...

Page 165: ...p to 4 094 customer VLANs This allows a service provider to provide different service based on specific VLANs for many different customers A service provider s customers may require a range of VLANs to handle multiple applications A service provider s customers can assign their own inner VLAN tags on ports for these applications The service provider can assign an outer VLAN tag for each customer T...

Page 166: ...witching Select Access Port for ingress ports on the service provider s edge devices 1 and 2 in the VLAN stacking example figure The incoming frame is treated as untagged so a second VLAN tag outer VLAN tag can be added Note Static VLAN Tx Tagging MUST be disabled on a port where you choose Normal or Access Port Select Tunnel Port available for Gigabit ports only for egress ports at the edge of th...

Page 167: ...rame s SP TPID is the same as the one configured on the Switch then the Switch will not add the tag Priority refers to the IEEE 802 1p standard that allows the service provider to prioritize traffic based on the class of service CoS the customer has paid for On the Switch configure priority level of the inner IEEE 802 1Q tag in the Port Setup screen 0 is the lowest priority level and 7 is the high...

Page 168: ...mmon settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Role Select Normal to have the Switch ignore frames received or transmitted on this port with VLAN stacking tags Anything you configure in SPVID and Priority of the Port based QinQ or the Selective QinQ screen are ignored Select Access Port to have the Switc...

Page 169: ...ames are double tagged The value of this field is 0x8100 as defined in IEEE 802 1Q If the Switch needs to communicate with other vendors devices they should use the same TPID Note You can define up to four different tunnel TPIDs including 8100 in this screen at a time Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses ...

Page 170: ...from 0 to 7 This is the service provider s priority level that adds to the frames received on this port 0 is the lowest priority level and 7 is the highest Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you a...

Page 171: ...n panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Index This is the number of the selective VLAN stacking rule Active This shows whether this rule is activated or not Name This is the descriptive name for this rule Port This is the port number to which this rule is applied CVID This is the customer VLAN...

Page 172: ...ses see the IANA website for more information 22 1 2 IGMP Filtering With the IGMP filtering feature you can control which IGMP groups a subscriber on a port can join This allows you to control the distribution of multicast services such as content information distribution based on service plans and types of subscription You can set the Switch to filter the multicast group join reports on a per por...

Page 173: ...s not learn multicast group membership of any VLANs other than those explicitly added as an IGMP snooping VLAN 22 2 Multicast Status Click Advanced Applications Multicast to display the screen as shown This screen shows the multicast group information See Section 22 1 on page 172 for more information on multicasting Figure 89 Advanced Application Multicast The following table describes the labels ...

Page 174: ...at are members of that group Querier Select this option to allow the Switch to send IGMP General Query messages to the VLANs with the multicast hosts attached Host Timeout Specify the time from 1 to 16 711 450 in seconds that elapses before the Switch removes an IGMP group membership entry if it does not receive report messages from the port 802 1p Priority Select a priority level 0 7 to which the...

Page 175: ...rom 200 to 6 348 800 in miliseconds Select this option to have the Switch use this timeout to update the forwarding table for the port In normal leave mode when the Switch receives an IGMP leave message from a host on a port it forwards the message to the multicast router The multicast router then sends out an IGMP Group Specific Query GSQ message to determine whether other hosts connected to the ...

Page 176: ...onnected to an IGMP multicast router or server The Switch forwards IGMP join or leave packets to an IGMP query port Select Auto to have the Switch use the port as an IGMP query port if the port receives IGMP query packets Select Fixed to have the Switch always use the port as an IGMP query port Select this when you connect an IGMP multicast server to the port Select Edge to stop the Switch from us...

Page 177: ...itch can learn up to 16 VLANs including up to five VLANs you configured in the MVR screen For example if you have configured one multicast VLAN in the MVR screen you can only specify up to 15 VLANs in this screen The Switch drops any IGMP control messages which do not belong to these 16 VLANs Note You must also enable IGMP snooping in the Multicast Setting screen first Apply Click Apply to save yo...

Page 178: ...ng IGMP Filtering Profile Add Click Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to reset the fields to your previous configura...

Page 179: ...me and specify a different IP multicast address range Start Address Type the starting multicast IP address for a range of multicast IP addresses that you want to belong to the IGMP filter profile End Address Type the ending multicast IP address for a range of IP addresses that you want to belong to the IGMP filter profile If you want to add a single multicast IP address enter it in both the Start ...

Page 180: ...patible mode the Switch does not send any IGMP reports In this case you must manually configure the forwarding settings on the multicast devices in the multicast VLAN 22 6 3 How MVR Works The following figure shows a multicast television example where a subscriber device such as a computer in VLAN 1 receives multicast traffic from the streaming media server S via the Switch Multiple subscriber dev...

Page 181: ... the forwarding table Figure 94 MVR Multicast Television Example 22 7 General MVR Configuration Use the MVR screen to create multicast VLANs and select the receiver port s and a source port for each multicast VLAN Click Advanced Applications Multicast Multicast Setting MVR link to display the screen as shown next Note You can create up to five multicast VLANs and up to 256 multicast rules on the S...

Page 182: ...ion purposes Multicast VLAN ID Enter the VLAN ID 1 to 4094 of the multicast VLAN 802 1p Priority Select a priority level 0 7 with which the Switch replaces the priority in outgoing IGMP control packets belonging to this multicast VLAN Mode Specify the MVR mode on the Switch Choices are Dynamic and Compatible Select Dynamic to send IGMP reports to all MVR source ports in the multicast VLAN Select C...

Page 183: ...utgoing frames transmitted Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh VLAN This field displays the multicast VLAN ID Active...

Page 184: ...o Section 22 1 1 on page 172 for more information on IP multicast addresses End Address Enter the ending IP multicast address of the multicast group in dotted decimal notation Enter the same IP address as the Start Address field if you want to configure only one IP address for a multicast group Refer to Section 22 1 1 on page 172 for more information on IP multicast addresses Add Click Add to save...

Page 185: ...VLAN 1 are able to receive the traffic Figure 97 MVR Configuration Example To configure the MVR settings on the Switch create a multicast group in the MVR screen and set the receiver and source ports Figure 98 MVR Configuration Example S Multicast VID 200 VLAN 1 A B C News 224 1 4 10 224 1 4 50 1 Movie 230 1 2 50 230 1 2 60 2 3 7 EXAMPLE ...

Page 186: ...o the subscribers configure multicast group settings in the Group Configuration screen The following figure shows an example where two multicast groups News and Movie are configured for the multicast VLAN 200 Figure 99 MVR Group Configuration Example Figure 100 MVR Group Configuration Example EXAMPLE EXAMPLE ...

Page 187: ...tch itself or it can use an external server to authorize a large number of users Accounting is the process of recording what a user is doing The Switch can use an external server to track when users log in log out execute commands and so on Accounting can also record system related actions such as boot up and shut down times of the Switch The external servers that perform authentication authorizat...

Page 188: ...Switch First configure your authentication and accounting server settings RADIUS TACACS or both and then set up the authentication priority activate authorization and configure accounting settings Click Advanced Application AAA in the navigation panel to display the screen as shown Figure 102 Advanced Application AAA 23 2 1 RADIUS Server Setup Use this screen to configure your RADIUS server settin...

Page 189: ...s authentication requests to Timeout Specify the amount of time in seconds that the Switch waits for an authentication request response from the RADIUS server If you are using two RADIUS servers then the timeout value is divided between the two RADIUS servers For example if you set the timeout value to 30 seconds then the Switch waits for a response from the first RADIUS server for 15 seconds and ...

Page 190: ...ernal RADIUS accounting server in dotted decimal notation UDP Port The default port of a RADIUS accounting server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so Shared Secret Specify a password up to 32 alphanumeric characters as the key to be shared between the external RADIUS accounting server and the Switch This key is not sent ove...

Page 191: ...CACS server if the TACACS server does not respond then the Switch tries to authenticate with the second TACACS server Select round robin to alternate between the TACACS servers that it sends authentication requests to Timeout Specify the amount of time in seconds that the Switch waits for an authentication request response from the TACACS server If you are using two TACACS servers then the timeout...

Page 192: ...ver Index This is a read only number representing a TACACS accounting server entry IP Address Enter the IP address of an external TACACS accounting server in dotted decimal notation TCP Port The default port of a TACACS accounting server is 49 You need not change this value unless your network administrator instructs you to do so Shared Secret Specify a password up to 32 alphanumeric characters as...

Page 193: ...Switch management Configure the access privilege of accounts via commands see the Ethernet Switch CLI Reference Guide for local authentication The TACACS and RADIUS are external servers Before you specify the priority make sure you have set up the corresponding database correctly first You can specify up to three methods for the Switch to authenticate the access privilege level of administrators T...

Page 194: ...r Active Select this to activate authorization for a specified event types Method Select whether you want to use RADIUS or TACACS for authorization of specific types of events RADIUS is the only method for IEEE 802 1x authorization Accounting Use this section to configure accounting settings on the Switch Update Period This is the amount of time in minutes before the Switch sends an update to the ...

Page 195: ... users authenticating via the RADIUS server Mode The Switch supports two modes of recording login events Select start stop to have the Switch send information to the accounting server when a user begins a session during a user s session if it lasts past the Update Period and when a user ends a session stop only to have the Switch send information to the accounting server only when a user ends a se...

Page 196: ...d on the RADIUS server This section lists the RADIUS attributes supported by the Switch Table 77 Supported VSAs FUNCTION ATTRIBUTE Ingress Bandwidth Assignment Vendor Id 890 Vendor Type 1 Vendor data ingress rate Kbps in decimal format Egress Bandwidth Assignment Vendor Id 890 Vendor Type 2 Vendor data egress rate Kbps in decimal format Privilege Assignment Vendor ID 890 Vendor Type 3 Vendor Data ...

Page 197: ...rver when performing authentication 23 3 1 1 Attributes Used for Authenticating Privilege Access User Name the format of the User Name attribute is enab where is the privilege level 1 14 User Password NAS Identifier NAS IP Address 23 3 1 2 Attributes Used to Login Users User Name User Password NAS Identifier NAS IP Address 23 3 1 3 Attributes Used by the IEEE 802 1x Authentication User Name NAS Id...

Page 198: ...that they are sent the difference between Console and Telnet SSH Exec events is that the Telnet SSH events utilize the Calling Station Id attribute Table 79 RADIUS Attributes Exec Events via Console ATTRIBUTE START INTERIM UPDATE STOP User Name NAS Identifier NAS IP Address Service Type Acct Status Type Acct Delay Time Acct Session Id Acct Authentic Acct Session Time Acct Terminate Cause Table 80 ...

Page 199: ...81 RADIUS Attributes Exec Events via Console ATTRIBUTE START INTERIM UPDATE STOP User Name NAS IP Address NAS Port Class Called Station Id Calling Station Id NAS Identifier NAS Port Type Acct Status Type Acct Delay Time Acct Session Id Acct Authentic Acct Input Octets Acct Output Octets Acct Session Time Acct Input Packets Acct Output Packets Acct Terminate Cause Acct Input Gigawords Acct Output G...

Page 200: ...is a binding the Switch forwards the packet If there is not a binding the Switch discards the packet The Switch builds the binding table by snooping DHCP packets dynamic bindings and from information provided manually by administrators static bindings IP source guard consists of the following features Static bindings Use this to create static bindings in the binding table DHCP snooping Use this to...

Page 201: ...all DHCP requests if you enable DHCP snooping and there are no trusted ports Untrusted ports are connected to subscribers The Switch discards DHCP packets from untrusted ports in the following situations The packet is a DHCP server packet for example OFFER ACK or NACK The source MAC address and source IP address in the packet do not match any of the current bindings The packet is a RELEASE or DECL...

Page 202: ...Switch can add information to DHCP requests that it does not discard This provides the DHCP server more information about the source of the requests The Switch can add the following information Slot ID 1 byte port ID 1 byte and source VLAN ID 2 bytes System name up to 32 bytes This information is stored in an Agent Information field in the option 82 field of the DHCP headers of client DHCP request...

Page 203: ...ter X Computer X can read and alter the information passed between them 24 1 3 1 ARP Inspection and MAC Address Filters When the Switch identifies an unauthorized ARP packet it automatically creates a MAC address filter to block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet You can configure how long the MAC address filter remains in the Switch These MAC add...

Page 204: ...he maximum number of ARP packets that each port can receive per second 24 2 IP Source Guard Use this screen to look at the current bindings for DHCP snooping and ARP inspection Bindings are used by DHCP snooping and ARP inspection to distinguish between authorized and unauthorized packets in the network The Switch learns the bindings by snooping DHCP packets dynamic bindings and from information p...

Page 205: ...an administrator dhcp snooping This binding was learned by snooping DHCP packets VID This field displays the source VLAN ID in the binding Port This field displays the port number in the binding If this field is blank the binding applies to all ports Table 83 IP Source Guard continued LABEL DESCRIPTION Table 84 IP Source Guard Static Binding LABEL DESCRIPTION MAC Address Enter the source MAC addre...

Page 206: ...field displays how long the binding is valid Type This field displays how the Switch learned the binding static This binding was learned from information provided manually by an administrator VLAN This field displays the source VLAN ID in the binding Port This field displays the port number in the binding If this field is blank the binding applies to all ports Delete Select this and click Delete t...

Page 207: ...P Source Guard DHCP Snooping Figure 110 DHCP Snooping The following table describes the labels in this screen Table 85 DHCP Snooping LABEL DESCRIPTION Database Status This section displays the current settings for the DHCP snooping database You can configure them in the DHCP Snooping Configure screen See Section 24 5 on page 209 Agent URL This field displays the location of the DHCP snooping datab...

Page 208: ...updated the DHCP snooping database unsuccessfully Last failed reason This field displays the reason the Switch updated the DHCP snooping database unsuccessfully This section displays historical information about the number of times the Switch successfully or unsuccessfully read or updated the DHCP snooping database Total attempts This field displays the number of times the Switch has tried to acce...

Page 209: ...bindings the Switch ignored because the lease time had already expired Unsupported vlans This field displays the number of bindings the Switch ignored because the VLAN ID does not exist anymore Last ignored time This field displays the last time the Switch ignored any bindings for any reason from the DHCP binding database Total ignored bindings counters This section displays the reasons the Switch...

Page 210: ...uish between DHCP requests from different VLAN Select Disable if you do not want the Switch to forward DHCP packets to a specific VLAN Database If Timeout interval is greater than Write delay interval it is possible that the next update is scheduled to occur before the current update has finished successfully or timed out In this case the Switch waits to start the next update until it completes th...

Page 211: ...witch to load it You can use this to load dynamic bindings from a different DHCP snooping database than the one specified in Agent URL When the Switch loads dynamic bindings from a DHCP snooping database it does not discard the current dynamic bindings first If there is a conflict the Switch keeps the dynamic binding in volatile memory and updates the Binding collisions counter in the DHCP Snoopin...

Page 212: ...ected to subscribers and the Switch discards DHCP packets from untrusted ports in the following situations The packet is a DHCP server packet for example OFFER ACK or NACK The source MAC address and source IP address in the packet do not match any of the current bindings The packet is a RELEASE or DECLINE packet and the source MAC address and source port do not match any of the current bindings Th...

Page 213: ...number port number and VLAN ID to DHCP requests that it broadcasts to the DHCP VLAN if specified or VLAN You can specify the DHCP VLAN in the DHCP Snooping Configure screen See Section 24 5 on page 209 Information Select this to have the Switch add the system name to DHCP requests that it broadcasts to the DHCP VLAN if specified or VLAN You can configure the system name in the General Setup screen...

Page 214: ... and IP address were in the binding table but the port number was not valid Delete Select this and click Delete to remove the specified entry Delete Click this to remove the selected entries Cancel Click this to clear the Delete check boxes above Table 89 ARP Inspection Status continued LABEL DESCRIPTION Table 90 ARP Inspection VLAN Status LABEL DESCRIPTION Show VLAN range Use this section to spec...

Page 215: ...RP Inspection Log Status LABEL DESCRIPTION Clearing log status table Click Apply to remove all the log messages that were generated by ARP packets and that have not been sent to the syslog server yet Total number of logs This field displays the number of log messages that were generated by ARP packets and that have not been sent to the syslog server yet If one or more log messages are dropped due ...

Page 216: ...ng with the same MAC address and VLAN ID static deny An ARP packet was discarded because it violated a static binding with the same MAC address and VLAN ID deny An ARP packet was discarded because there were no bindings with the same MAC address and VLAN ID dhcp permit An ARP packet was forwarded because it matched a dynamic binding static permit An ARP packet was forwarded because it matched a st...

Page 217: ...e dropped due to unavailable buffer Click Clearing log status table in the ARP Inspection Log Status screen to clear the log and reset this counter See Section 24 6 2 on page 215 Syslog rate Type the maximum number of syslog messages the Switch can send to the syslog server in one batch This number is expressed as a rate because the batch frequency is determined by the Log Interval You must config...

Page 218: ...rusted ports Limit Rate and Burst Interval settings have no effect on trusted ports Rate pps Specify the maximum rate 1 2048 packets per second at which the Switch receives ARP packets from each port The Switch discards any additional ARP packets Enter 0 to disable this limit Burst interval seconds The burst interval is the length of time over which the rate of ARP packets is monitored for each po...

Page 219: ...plays the VLAN ID of each VLAN in the range specified above If you configure the VLAN the settings are applied to all VLANs Enabled Select Yes to enable ARP inspection on the VLAN Select No to disable ARP inspection on the VLAN Log Specify when the Switch generates log messages for receiving ARP packets from the VLAN None The Switch does not generate any log messages when it receives an ARP packet...

Page 220: ...roblems on the edge of your network This can occur when a port is connected to a Switch that is in a loop state Loop state occurs as a result of human error It happens when two ports on a switch are connected with the same cable When a switch in loop state sends out broadcast messages the messages loop back to the switch and are re broadcast again and again causing a broadcast storm If a switch no...

Page 221: ...d enabled port N on switch A sending a probe packet P to switch B Since switch B is in loop state the probe packet P returns to port N on A The Switch then shuts down port N to ensure that the rest of the network is not affected by the switch in loop state Figure 122 Loop Guard Probe Packet The Switch also shuts down port N if the probe packet returns to switch A on any other port In other words l...

Page 222: ...nced Application Loop Guard LABEL DESCRIPTION Active Select this option to enable loop guard on the Switch The Switch generates syslog internal log messages as well as SNMP traps when it shuts down a port via the loop guard feature Port This field displays a port number Use this row to make the setting the same for all ports Use this row first and then make adjustments on a port by port basis Note...

Page 223: ... The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 95 Advanced Application Loop Guard continued LABEL DESCRIPTION ...

Page 224: ... Gigabit uplink port When VLAN mapping is enabled the Switch discards the tagged packets that do not match an entry in the VLAN mapping table If the incoming packets are untagged the Switch adds a PVID based on the VLAN setting Note You can not enable VLAN mapping and VLAN stacking at the same time 26 1 1 VLAN Mapping Example In the following example figure packets that carry VLAN ID 12 and are re...

Page 225: ...e setting the same for all ports Use this row first and then make adjustments on a port by port basis Changes in this row are copied to all the ports as soon as you make them Active Select this check box to enable the VLAN mapping feature on this port Clear this check box to disable the VLAN mapping feature Apply Click Apply to save your changes to the Switch s run time memory The Switch loses the...

Page 226: ...evel that replaces the customer priority level in the tagged packets or adds to the untagged packets Add Click Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done con...

Page 227: ...Chapter 26 VLAN Mapping XS3900 48F User s Guide 227 ...

Page 228: ...customer switches A B and C in the following figure connected through the service provider s network The edge switch encapsulates layer 2 protocol packets with a specific MAC address before sending them across the service provider s network to other edge switches Figure 128 Layer 2 Protocol Tunneling Network Scenario In the following example if you enable L2PT for STP you can have switches A B C a...

Page 229: ...r 2 protocol tunneling modes Access and Tunnel The Access port is an ingress port on the service provider s edge device 1 or 2 in Figure 129 on page 229 and connected to a customer switch A or B Incoming layer 2 protocol packets received on an access port are encapsulated and forwarded to the tunnel ports The Tunnel port is an egress port at the edge of the service provider s network and connected...

Page 230: ...cing the destination MAC address in the packets Note The MAC address can be either a unicast MAC address or multicast MAC address If you use a unicast MAC address make sure the MAC address does not exist in the address table of a switch on the service provider s network Note All the edge switches in the service provider s network should be set to use the same MAC address for encapsulation Port Thi...

Page 231: ...tion to have the Switch send LACP packets to a peer to dynamically creates and manages trunk groups UDLD Select this option to have the Switch send UDLD packets to a peer s port it connected to monitor the physical status of a link Mode Select Access to have the Switch encapsulate the incoming layer 2 protocol packets and forward them to the tunnel port s Select Access for ingress ports at the edg...

Page 232: ...w agent then creates sFlow data and sends it to an sFlow collector The sFlow collector is a server that collects and analyzes sFlow datagram An sFlow datagram includes packet header input and output interface sampling process parameters and forwarding information sFlow minimizes impact on CPU load of the Switch as it analyzes sample data only sFlow can continuously monitor network traffic and crea...

Page 233: ...n volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Port This field displays the port number Use this row to make the setting the same for all ports Use this row first and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this to allow the Switch to monito...

Page 234: ... allow incoming traffic if the collector is behind a firewall Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 99 Advan...

Page 235: ...is field displays IP address of the sFlow collector UDP Port This field displays port number the Switch uses to send sFlow datagram to the collector Delete Check the rule s that you want to remove in the Delete column and then click the Delete button Cancel Click Cancel to begin configuring this screen afresh Table 100 Advanced Application sFlow Collector continued LABEL DESCRIPTION ...

Page 236: ... Active Discovery Initialization and PADR PPPoE Active Discovery Request packets from PPPoE clients This tag is defined in RFC 2516 and has the following format for this feature The Tag_Type is 0x0105 for vendor specific tags as defined in RFC 2516 The Tag_Len indicates the length of Value i1 and i2 The Value is the 32 bit number 0x00000DE9 which stands for the ADSL Forum IANA entry i1 and i2 are ...

Page 237: ...ng to VLAN 123 29 1 2 2 WT 101 Default Circuit ID Syntax If you do not configure a Circuit ID string for a specific VLAN on a port or for a specific port and disable the flexible Circuit ID syntax in the PPPoE Intermediate Agent screen the Switch automatically generates a Circuit ID string according to the default Circuit ID syntax which is defined in the DSL Forum Working Text WT 101 The default ...

Page 238: ...d to subscribers If a PADI PADR or PADT packet is sent from a PPPoE client and received on an untrusted port the Switch adds a vendor specific tag to the packet and then forwards it to the trusted port s The Switch discards PADO and PADS packets which are sent from a PPPoE server but received on an untrusted port 29 2 The PPPoE Screen Use this screen to configure the PPPoE Intermediate Agent on th...

Page 239: ...over this That means if you also want to configure PPPoE IA Per Port or Per Port Per VLAN setting leave the fields here empty and configure circuit id and remote id in the Per Port or Per Port Per VLAN screen Active Select this option to have the Switch add the user defined identifier string and variables specified in the option field to PADI or PADR packets from PPPoE clients If you leave this op...

Page 240: ...cribes the labels in this screen Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 106 Advanced Application PPPoE Interm...

Page 241: ...untrusted port Circuit id Enter a string of up to 63 ASCII characters that the Switch adds into the Agent Circuit ID sub option for PPPoE discovery packets received on this port Spaces are allowed The Circuit ID you configure for a specific VLAN on a port in the Advanced Application PPPoE Intermediate Agent Port VLAN screen has the highest priority Remote id Enter a string of up to 63 ASCII charac...

Page 242: ...ings are applied to all VLANs Use this row to make the setting the same for all VLANs Use this row first and then make adjustments on a VLAN by VLAN basis Note Changes in this row are copied to all the VLANs as soon as you make them Circuit id Enter a string of up to 63 ASCII characters that the Switch adds into the Agent Circuit ID sub option for this VLAN on the specified port Spaces are allowed...

Page 243: ...k Apply to display the specified range of VLANs in the section below VID This field displays the VLAN ID of each VLAN in the range specified above If you configure the VLAN the settings are applied to all VLANs Use this row to make the setting the same for all VLANs Use this row first and then make adjustments on a VLAN by VLAN basis Note Changes in this row are copied to all the VLANs as soon as ...

Page 244: ...ows you to limit the rate of ARP BPDU and IGMP packets to be delivered to the CPU on a port This enhances the CPU efficiency and protects against potential DoS attacks or errors from other network s You then can choose to drop control packets that exceed the specified rate limit or disable a port on which the packets are received 30 2 Error Disable Recovery Overview Some features such as loop guar...

Page 245: ...iguration Use this screen to limit the maximum number of control packets ARP BPDU and or IGMP that the Switch can receive or transmit on a port Click the Click Here link next to CPU protection in the Advanced Application Errdisable screen to display the screen as shown Note After you configure this screen make sure you also enable error detection for the specific control packets in the Advanced Ap...

Page 246: ...s you make them Rate Limit pkt s Enter a number from 0 to 256 to specify how many control packets this port can receive or transmit per second 0 means no rate limit You can configure the action that the Switch takes when the limit is exceeded See Section 30 5 on page 246 for detailed information Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes i...

Page 247: ...t rate limitation The Switch drops the additional control packets the port has to handle in every one second Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begi...

Page 248: ...ter the number of seconds from 30 to 2592000 for the time interval Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 112...

Page 249: ...with ports in different primary VLANs Community Ports in a Community VLAN can communicate with promiscuous ports in an associated Primary VLAN and other community ports in the same Community VLAN They cannot communicate with ports in Isolated VLANs non associated Primary VLAN promiscuous ports nor community ports in different Community VLANs Isolated Ports in an Isolated VLAN can communicate with ...

Page 250: ... promiscuous ports in P VLAN 100 and other commuity ports in C VLAN 101 They cannot communicate with isolated ports in I VLAN 102 Isolated ports can communicate with promiscuous ports in P VLAN 100 They cannot communicate with other isolated ports in I VLAN 102 nor community ports in C VLAN 101 C VLAN 101 Community private VLAN I VLAN 102 Isolated private VLAN Table 114 Spanning PVLAN Graphic Key ...

Page 251: ... necessary Note Changes in this row are copied to all the entries as soon as you make them Mode This is the type of VLAN mapped to this port Normal These are ports in a static VLAN This is not a private VLAN Promiscuous Ports in a Primary VLAN are Promiscuous They can communicate with all ports in the Primary VLAN and associated Community and Isolated VLANs They cannot communicate with Promiscuous...

Page 252: ...port it adds the PVID to untagged frames before sending them out Clear this if the VLAN includes ports on this Switch only The Switch forwards untagged frames through this port it removes the VLAN ID from tagged frames before sending them out Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link...

Page 253: ... the default gateway The Switch can also use static routes to send data to a server or device that is not reachable through the default gateway for example when sending SNMP traps or using ping to test IP connectivity This figure shows a Telnet session coming in from network N1 The Switch sends reply traffic to default gateway R1 which routes it back to the manager s computer The Switch needs a st...

Page 254: ...he gateway The gateway is an immediate neighbor of your Switch that will forward the packet to the destination The gateway must be a router on the same segment as your Switch Metric The metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks Enter a number that approximates the cost for...

Page 255: ...ays the subnet mask for this destination Gateway Address This field displays the IP address of the gateway The gateway is an immediate neighbor of your Switch that will forward the packet to the destination Metric This field displays the cost of transmission for routing purposes Delete Click Delete to remove the selected entry from the summary table Cancel Click Cancel to clear the Delete check bo...

Page 256: ...fServ defines a new DS Differentiated Services field to replace the Type of Service ToS field in the IP header The DS field contains a 6 bit DSCP field which can define up to 64 service levels and the remaining 2 bits are defined as currently unused CU The following figure illustrates the DS field Figure 146 DiffServ Differentiated Service Field DSCP is backward compatible with the three precedenc...

Page 257: ... packets are admitted to the network The PIR is greater than or equal to the CIR CIR and PIR values are based on the guaranteed and maximum bandwidth respectively as negotiated between a service provider and client Two Rate Three Color Marker evaluates incoming packets and marks them with one of three colors which refer to packet loss priority levels High packet loss priority level is referred to ...

Page 258: ... can only be marked with an equal or higher packet loss priority Packets marked red high packet loss priority continue to be red without evaluation against the PIR or CIR Packets marked yellow can only be marked red or remain yellow so they are only evaluated against the PIR Only the packets marked green are first evaluated against the PIR and then if they don t exceed the PIR level are they evalu...

Page 259: ...witch Port This field displays the index number of a port on the Switch Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select Active to enable DiffServ...

Page 260: ...e the Switch treat all incoming packets as uncolored All incoming packets are evaluated against the CIR and PIR Select color aware to treat the packets as marked by some preceding entity Incoming packets are evaluated based on their existing color Incoming packets that are not marked proceed through the Switch Port This field displays the index number of a port on the Switch Settings in this row a...

Page 261: ...sign to packets based on the color they are marked via TRTCM green Specify the DSCP value to use for packets with low packet loss priority yellow Specify the DSCP value to use for packets with medium packet loss priority red Specify the DSCP value to use for packets with high packet loss priority Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes ...

Page 262: ...cation number To set the IEEE 802 1p priority mapping select the priority level from the drop down list box Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin...

Page 263: ...u should use for configuration depends on the DHCP services you want to offer the DHCP clients on your network Choose the configuration screen based on the following criteria Global The Switch forwards all DHCP requests to the same DHCP server VLAN The Switch is configured on a VLAN by VLAN basis 34 2 DHCP Status Click IP Application DHCP in the navigation panel The DHCP Status screen displays Fig...

Page 264: ...sts that it relays to a DHCP server by adding Relay Agent Information This helps provide authentication about the source of the requests The DHCP server can then provide an IP address based on this information Please refer to RFC 3046 for more details The DHCP Relay Agent Information feature adds an Agent Information field to the Option 82 field The Option 82 field is in the DHCP headers of client...

Page 265: ...on Relay Agent Information Select the Option 82 check box to have the Switch add information slot number port number and VLAN ID to client DHCP requests that it relays to a DHCP server Information This read only field displays the system name you configure in the General Setup screen Select the check box for the Switch to add the system name to the client DHCP requests that it relays to a DHCP ser...

Page 266: ...sure you select the Option 82 check box to set the Switch to send additional information such as the VLAN ID together with the DHCP requests to the DHCP server This allows the DHCP server to assign the appropriate IP address according to the VLAN ID Figure 156 DHCP Relay Configuration Example 34 4 Configuring DHCP VLAN Settings Use this screen to configure your DHCP settings based on the VLAN doma...

Page 267: ...Switch add information slot number port number and VLAN ID to client DHCP requests that it relays to a DHCP server Information This read only field displays the system name you configure in the General Setup screen Select the check box for the Switch to add the system name to the client DHCP requests that it relays to a DHCP server Add Click Add to save your changes to the Switch s run time memory...

Page 268: ...t to the other DHCP server with an IP address of 172 23 10 100 Figure 158 DHCP Relay for Two VLANs For the example network configure the VLAN Setting screen as shown Figure 159 DHCP Relay for Two VLANs Configuration Example VLAN 1 VLAN 2 DHCP 192 168 1 100 DHCP 172 23 10 100 EXAMPLE ...

Page 269: ...irmware Upgrade Click Click Here to go to the Firmware Upgrade screen Restore Configuration Click Click Here to go to the Restore Configuration screen Backup Configuration Click Click Here to go to the Backup Configuration screen Load Factory Default Click Click Here to reset the configuration to the factory default settings Save Configuration Click Config 1 to save the current configuration setti...

Page 270: ...mputer to be in the same subnet as that of the default Switch IP address 192 168 1 1 35 3 Save Configuration Click Config 1 to save the current configuration settings permanently to configuration one on the Switch Click Config 2 to save the current configuration settings to configuration two on the Switch Alternatively click Save on the top right hand corner in any screen to save the configuration...

Page 271: ...re and version to your computer before uploading to the device Be sure to upload the correct model firmware as uploading the wrong model firmware may damage your device From the Maintenance screen display the Firmware Upgrade screen as shown next Figure 163 Management Maintenance Firmware Upgrade Type the path and file name of the firmware file you wish to upload to the Switch in the File Path tex...

Page 272: ...figuration file is automatically renamed when you restore using this screen 35 7 Backup a Configuration File Backing up your Switch configurations allows you to create various snapshots of your device from which you may restore at a later date Back up your current Switch configuration to a computer using the Backup Configuration screen Figure 165 Management Maintenance Backup Configuration Follow ...

Page 273: ...d ras 1 You can switch from one to the other by using the boot image index command where index is 1 ras 0 or 2 ras 1 See the CLI Reference Guide for more information about using commands The system does not reboot after it switches from one image to the other 35 8 1 1 Example FTP Commands ftp put firmware bin ras 0 This is a sample FTP session showing the transfer of the computer file firmware bin...

Page 274: ...our computer and renames it to config cfg See Table 126 on page 273 for more information on filename conventions 7 Enter quit to exit the ftp prompt 35 8 3 GUI based FTP Clients The following table describes some of the commands that you may see in GUI based FTP clients 35 8 4 FTP Restrictions FTP will not work when FTP service is disabled in the Service Access Control screen Table 127 General Com...

Page 275: ...r 35 Maintenance XS3900 48F User s Guide 275 The IP address es in the Remote Management screen does not match the client IP address If it does not match the Switch will disconnect the FTP session immediately ...

Page 276: ...information on disabling multi login 36 2 The Access Control Main Screen Click Management Access Control in the navigation panel to display the main screen as shown Figure 166 Management Access Control 36 3 About SNMP Simple Network Management Protocol SNMP is an application layer protocol used to manage and monitor TCP IP based devices SNMP is used to exchange management information between the n...

Page 277: ...nts to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations 36 3 1 SNMP v3 and Security SNMP v3 enhances security for SNMP management SNMP managers can be required to authenticate with agents before conducting SNMP...

Page 278: ... Traps OPTION OBJECT LABEL OBJECT ID DESCRIPTION coldstart coldStart 1 3 6 1 6 3 1 1 5 1 This trap is sent when the Switch is turned on warmstart warmStart 1 3 6 1 6 3 1 1 5 2 This trap is sent when the Switch restarts fanspeed FanSpeedEventOn 1 3 6 1 4 1 890 1 5 8 74 31 2 1 This trap is sent when the fan speed goes above or below the normal operating range FanSpeedEventClear 1 3 6 1 4 1 890 1 5 8...

Page 279: ...UpdatedEventClear 1 3 6 1 4 1 890 1 5 8 74 31 2 2 This trap is sent when the Switch gets the time and date from a time server intrusionlock IntrusionLockEventOn 1 3 6 1 4 1 890 1 5 8 74 31 2 1 This trap is sent when intrusion lock occurs on a port loopguard LoopguardEventOn 1 3 6 1 4 1 890 1 5 8 74 31 2 1 This trap is sent when loopguard shuts down a port errdisable errdisableDetect 1 3 6 1 4 1 89...

Page 280: ...s such as transceiver temperature laser bias current transmitted optical power received optical power and transceiver supply voltage is above or below a factory set normal range DDMIRxPowerEventClear DDMITemperatureEventClear DDMITxBiasEventClear DDMITxPowerEventClear DDMIVoltageEventClear 1 3 6 1 4 1 890 1 5 8 74 31 2 2 This trap is sent when all device operating parameters return to the normal o...

Page 281: ...raps OPTION OBJECT LABEL OBJECT ID DESCRIPTION stp STPNewRoot 1 3 6 1 2 1 17 0 1 This trap is sent when the STP root switch changes MRSTPNewRoot 1 3 6 1 4 1 890 1 5 8 74 35 2 1 This trap is sent when the MRSTP root switch changes MSTPNewRoot 1 3 6 1 4 1 890 1 5 8 74 107 7 0 1 This trap is sent when the MSTP root switch changes STPTopologyChange 1 3 6 1 2 1 17 0 2 This trap is sent when the STP top...

Page 282: ...y Enter the Get Community string which is the password for the incoming Get and GetNext requests from the management station The Get Community string is only used by SNMP managers using SNMP version 2c or lower Set Community Enter the Set Community string which is the password for the incoming Set requests from the management station The Set Community string is only used by SNMP managers using SNM...

Page 283: ... begin configuring this screen afresh Table 135 Management Access Control SNMP continued LABEL DESCRIPTION Table 136 Management Access Control SNMP Trap Group LABEL DESCRIPTION Trap Destination IP Select one of your configured trap destination IP addresses These are the IP addresses of the SNMP managers You must first configure a trap destination IP address in the SNMP Setting screen Use the rest ...

Page 284: ...ol SNMP Trap Group continued LABEL DESCRIPTION Table 137 Management Access Control SNMP User LABEL DESCRIPTION User Information Note Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager Username Specify the username of a login account on the Switch Security Level Select whether you want to implement authentication and or encryptio...

Page 285: ...tem configuration including the management of administrator accounts readwrite Members of this group have read and write rights meaning that the user can create and edit the MIBs on the Switch except the user account and AAA configuration readonly Members of this group have read rights only meaning the user can collect information from the Switch Add Click Add to insert the entry in the summary ta...

Page 286: ...ing system password 1234 is the default password when shipped New Password Enter your new system password Retype to confirm Retype your new system password for confirmation Edit Logins You may configure passwords for up to four users These users have read only access You can give users higher privileges via the CLI For more information on assigning privileges see the Ethernet Switch CLI Reference ...

Page 287: ...sts over an unsecured network Figure 172 SSH Communication Example The following table summarizes how a secure connection is established between two remote hosts Figure 173 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key ...

Page 288: ...ver Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication one party can identify the other party and data integrity you know if data has been changed It relies upon c...

Page 289: ...Switch then in your browser enter https Switch IP Address as the web site address where Switch IP Address is the IP address or domain name of the Switch you wish to access 36 5 2 2 Internet Explorer Warning Messages 36 5 2 3 Internet Explorer 7 or 8 When you attempt to access the Switch HTTPS server a screen with the message There is a problem with this website s security certificate may display I...

Page 290: ...sage Certificate Error Click on Certificate Error next to the address bar and click View certificates Figure 176 Certificate Error Internet Explorer 7 or 8 Click Install Certificate and follow the on screen instructions to install the certificate in your browser Figure 177 Certificate Internet Explorer 7 or 8 EXAMPLE ...

Page 291: ... 4 Mozilla Firefox Warning Messages When you attempt to access the Switch HTTPS server a This Connection is Unstructed screen may display If that is the case click I Understand the Risks and then the Add Exception button Figure 178 Security Alert Mozilla Firefox ...

Page 292: ...on to proceed to the web configurator login screen Figure 179 Security Alert Mozilla Firefox 36 5 2 5 The Main Screen After you accept the certificate and enter the login username and password the Switch main screen appears The lock displayed in the bottom right of the browser status bar in Internet Explorer 6 or EXAMPLE ...

Page 293: ...5 3 Configuring Service Port Access Control Service Access Control allows you to decide what services you may use to access the Switch You may also change the default service port and configure trusted computer s for each service in the Remote Management screen discussed later Click Access Control to go back to the main Access Control screen Figure 181 Management Access Control Service Access Cont...

Page 294: ...allow to access the Switch Service Port For Telnet SSH FTP HTTP or HTTPS services you may change the default service port by typing the new port number in the Server Port field If you change the default port number then you will have to let people who wish to use the service know the new port number for that service Timeout Type how many minutes a management session via the web configurator can be...

Page 295: ...nfigure the IP address range of trusted computers from which you can manage this Switch The Switch checks if the client IP address of a computer requesting a service or protocol matches the range set here The Switch immediately disconnects the session if it does not match Telnet FTP HTTP ICMP SNMP SSH HTTPS Select services that may be used for managing the Switch from the specified trusted compute...

Page 296: ...lowing table describes the labels in this screen Table 141 Management Diagnostic LABEL DESCRIPTION System Log Click Display to display a log of events in the multi line text box Click Clear to empty the text box and reset the syslog entry IP Ping Type the IP address of a device that you want to ping in order to test a connection Click Ping to have the Switch ping the IP address in the field to the...

Page 297: ...message has a facility and severity level The syslog facility identifies a file in the syslog server Refer to the documentation of your syslog program for details The following table describes the syslog severity levels Table 142 Syslog Severity Levels CODE SEVERITY 0 Emergency The system is unusable 1 Alert Action must be taken immediately 2 Critical The system condition is critical 3 Error There...

Page 298: ...etting Logging Type This column displays the names of the categories of logs that the device can generate Active Select this option to set the device to generate logs for the corresponding category Facility The log facility allows you to send logs to different files in the syslog server Refer to the documentation of your syslog program for more details Apply Click Apply to save your changes to the...

Page 299: ...more critical the logs are Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Clear Click Clear to return the fields to the factory...

Page 300: ...ted and be in the same VLAN group so as to be able to communicate with one another Table 145 ZyXEL Clustering Management Specifications Maximum number of cluster members 24 Cluster Member Models Cluster member models must be compatible with ZyXEL cluster management implementation Cluster Manager The cluster manager is the Switch through which you manage the cluster member switches Cluster Members ...

Page 301: ...ger and the other switches on the upper floors of the building are cluster members Figure 186 Clustering Application Example 39 2 Cluster Management Status Click Management Cluster Management in the navigation panel to display the following screen Note A cluster can only have one manager Figure 187 Management Cluster Management ...

Page 302: ...witch s hardware MAC address The Number of Member This field displays the number of switches that make up this cluster The following fields describe the cluster member switches Index You can manage cluster member switches via the cluster manager switch Each number in the Index column is a hyperlink leading to the cluster member switch s web configurator see Figure 188 on page 303 MacAddr This is t...

Page 303: ...2 168 1 1 Connected to 192 168 1 1 220 Switch FTP version 1 0 ready at Thu Jan 1 00 58 46 1970 User 192 168 0 1 none admin 331 Enter PASS command Password 230 Logged in ftp ls 200 Port command okay 150 Opening data connection for LIST w w w 1 owner group 3042210 Jul 01 12 00 ras rw rw rw 1 owner group 393216 Jul 01 12 00 config w w w 1 owner group 0 Jul 01 12 00 fw 00 a0 c5 01 23 46 rw rw rw 1 own...

Page 304: ...ad to Cluster Member Example FTP PARAMETER DESCRIPTION User Enter admin Password The web configurator password default is 1234 ls Enter this command to list the name of cluster member switch s firmware and configuration file 400AAEW0C0 bin This is the name of the firmware file you want to upload to the cluster member switch fw 00 a0 c5 01 23 46 This is the cluster member switch s firmware name as ...

Page 305: ...A list of suitable candidates found by auto discovery is shown here The switches must be directly connected Directly connected switches that are set to be cluster managers will not be visible in the Clustering Candidate list Switches that are not in the same management VLAN group will not be visible in the Clustering Candidate list Password Each cluster member s password is its web configurator pa...

Page 306: ... The Switch uses the MAC Table to determine how to forward frames See the following figure 1 The Switch examines a received frame and learns the port from which this source MAC address came 2 The Switch checks to see if the frame s destination MAC address matches a source MAC address already learned in the MAC Table If the Switch has already learned the port for this MAC address then it forwards t...

Page 307: ...ication number to display all MAC addresses in the VLAN Select Port and type the number of a port to display all MAC addresses learned from the port Sort by Select this to display and arrange the data according to MAC address MAC VLAN group VID or port number Port The information is then displayed in the summary table below Transfer Type Select Dynamic to MAC forwarding and click Transfer to add t...

Page 308: ...ng frame index number MAC Address This is the MAC address of the device from which this incoming frame came VID This is the VLAN group to which this frame belongs Port This is the port from which the above MAC address was learned Type This shows whether the MAC address is dynamic learned by the Switch or static manually entered in the Static MAC Forwarding screen Change Pages Click Previous or Nex...

Page 309: ...h s ARP program looks in the ARP Table and if it finds the address it sends it to the device If no entry is found for the IP address ARP broadcasts the request to all the devices on the LAN The Switch fills in its own MAC and IP address in the sender address fields and puts the known IP address of the target in the target IP address field In addition the Switch puts all ones in the target MAC fiel...

Page 310: ...dress Select Port and enter a port number to remove the dynamic entries learned on the specified port Flush Click Flush to remove the ARP entries according to the condition you specified Cancel Click Cancel to return the fields to the factory defaults Index This is the ARP table entry number IP Address This is the learned IP address of a device connected to a Switch port with the corresponding MAC...

Page 311: ...you can copy the settings of one port onto other ports 42 1 Configure Clone Cloning allows you to copy the basic and advanced settings from a source port to a destination port or ports Click Management Configure Clone to open the following screen Figure 194 Management Configure Clone ...

Page 312: ...ple 2 4 6 indicates that ports 2 4 and 6 are the destination ports 2 6 indicates that ports 2 through 6 are the destination ports Basic Setting Select which port settings configured in the Basic Setting menus should be copied to the destination port s Advanced Application Select which port settings configured in the Advanced Application menus should be copied to the destination ports Apply Click A...

Page 313: ...adaptor or cord is connected to the Switch and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the Switch off and on 5 Disconnect and re connect the power adaptor or cord to the Switch in AC models or if the AC power supply is connected in AC DC models 6 If the problem continues contact the vendor One of the LEDs does not behave as expected 1 Make sure you ...

Page 314: ... username is admin and the default password is 1234 2 If this does not work you have to reset the device to its factory defaults See Section 4 6 on page 59 I cannot see or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default in band IP address is 192 168 1 1 If you changed the IP address use the new IP address If you changed the IP address an...

Page 315: ...er of concurrent Telnet sessions Close other Telnet session s or try connecting again later Check that you have enabled logins for HTTP or Telnet If you have configured a secured client IP address your computer s IP address must match it Refer to the chapter on access control for details 3 Disconnect and re connect the cord to the Switch 4 If this does not work you have to reset the device to its ...

Page 316: ...telnet HTTP and SSH see Section 36 6 on page 294 Computers not belonging to the secured client set cannot get permission to access the Switch 43 3 Switch Configuration I lost my configuration settings after I restart the Switch Make sure you save your configuration into the Switch s nonvolatile memory each time you make changes Click Save at the top right corner of the web configurator to save the...

Page 317: ...ns in which this service is used Table 152 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authentication Header tunneling protocol uses this service AIM New ICQ TCP 5190 AOL s Internet Messenger service It is also used as a listening port by ICQ AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP_...

Page 318: ... sends out ICMP echo requests to test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP_TUNNEL GRE User Defined 47 PPTP Point to P...

Page 319: ... UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It operates over TCP IP networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP ...

Page 320: ...Appendix A Common Services XS3900 48F User s Guide 320 ...

Page 321: ... to http www zyxel com to view this product s documentation and certifications ZyXEL Limited Warranty ZyXEL warrants to the original end user purchaser that this product is free from any defects in material or workmanship for a specific period the Warranty Period from the date of purchase The Warranty Period varies by region Check with your vendor and or the authorized ZyXEL local distributor for ...

Page 322: ...e ONLY an appropriate power adaptor or cord for your device Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the pow...

Page 323: ...tup 193 authorization privilege levels 195 setup 193 automatic VLAN registration 82 B back up configuration file 272 basic settings 70 basic setup tutorial 25 binding 200 binding table 200 building 200 BPDUs Bridge Protocol Data Units 108 Bridge Protocol Data Units BPDUs 108 C CDP 230 certifications notices 321 viewing 321 CFI Canonical Format Indicator 81 changing the password 58 Cisco Discovery ...

Page 324: ...e 267 setup 266 DHCP Dynamic Host Configuration Protocol 263 DHCP relay option 82 202 DHCP snooping 25 200 201 configuring 202 DHCP relay option 82 202 trusted ports 201 untrusted ports 201 DHCP snooping database 201 diagnostics 296 Ethernet port test 296 ping 296 system log 296 Differentiated Service DiffServ 256 DiffServ 256 activate 258 and TRTCM 260 DS field 256 DSCP 256 DSCP to IEEE802 1p map...

Page 325: ... Time 73 Guide CLI Reference 2 GVRP 82 88 89 and port assignment 89 GVRP GARP VLAN Registration Protocol 82 H hardware monitor 71 hello time 120 hops 120 HTTPS 288 certificates 288 implementation 288 public keys private keys 288 HTTPS example 289 I IEEE 802 1p priority 75 IEEE 802 1x activate 143 146 191 reauthentication 144 IEEE 802 1x port authentication 140 IGMP version 172 IGMP Internet Group ...

Page 326: ... 220 how it works 221 port shut down 222 probe packet 221 loop guard vs STP 220 M MAC Media Access Control 71 MAC address 71 309 maximum number per port 149 150 MAC address learning 74 90 92 99 149 specify limit 149 MAC authentication 141 aging time 147 MAC filter and ARP inspection 203 MAC freeze 149 MAC table 306 how it works 306 viewing 307 maintanence configuration backup 272 firmware 271 rest...

Page 327: ... MSTP 107 Multiple STP 108 Multiple STP see MSTP 109 MVR 179 configuration 181 group configuration 183 network example 179 MVR Multicast VLAN Registration 179 N network management system NMS 276 NTP RFC 1305 72 O other documentation 2 P PAGP 231 password 58 administrator 286 PHB Per Hop Behavior 256 ping test connection 296 policy 158 160 and classifier 158 and DiffServ 157 configuration 158 examp...

Page 328: ...QSFP 49 queue weight 163 queuing 162 SPQ 163 WFQ 163 WRR 163 queuing method 162 164 R RADIUS 188 advantages 188 and authentication 188 Network example 187 server 188 settings 188 setup 188 Rapid Spanning Tree Protocol See RSTP 107 reboot load configuration 270 reboot system 270 Reference Guide CLI 2 registration product 321 related documentation 2 remote management 294 service 295 trusted computer...

Page 329: ...tic multicast address 101 static multicast forwarding 101 static route configuration 254 static routes 255 static trunking example 138 Static VLAN 86 static VLAN control 87 tagging 87 status 65 LED 52 link aggregation 133 port 65 port details 66 power 71 STP 114 117 123 VLAN 84 STP 107 231 bridge ID 115 118 bridge priority 113 116 configuration 113 116 119 designated bridge 108 forwarding delay 11...

Page 330: ... Error Disable 38 PPPoE IA 33 Two Rate Three Color Marker TRTCM 257 Two Rate Three Color Marker see TRTCM 257 Type of Service ToS 256 U UDLD 231 UniDirectional Link Detection see UDLD untrusted ports ARP inspection 204 DHCP snooping 201 PPPoE IA 238 user profiles 187 V Vendor Specific Attribute See VSA VID 81 84 85 167 number of possible VIDs 81 priority frame 81 VID VLAN Identifier 81 VLAN 73 81 ...

Page 331: ...col see VTP VLAN protocol based See protocol based VLAN VLAN subnet based See subnet based VLANs 89 VSA 195 VTP 231 W warranty 321 note 321 web configurator 23 53 getting help 61 layout 54 login 53 logout 61 navigation panel 56 weight queuing 163 Weighted Round Robin Scheduling WRR 163 WFQ Weighted Fair Queuing 163 WRR Weighted Round Robin Scheduling 163 Z ZyNOS ZyXEL Network Operating System 273 ...

Page 332: ...Index XS3900 48F User s Guide 332 ...

Reviews:

No comments

Related manuals for XS-3900-48F

PKP PSA10 Instruction Manual preview
PSA10
Brand: PKP Pages: 11
Gefen HDMI-341 User Manual preview
HDMI-341
Brand: Gefen Pages: 12
A SYSTEMS AV800HD User Manual preview
AV800HD
Brand: A SYSTEMS Pages: 80
Black Box ServSwitch TDX User Manual preview
ServSwitch TDX
Brand: Black Box Pages: 21
Madas CE-51AT1438 Manual preview
CE-51AT1438
Brand: Madas Pages: 24
Netis ST-3131 User Manual preview
ST-3131
Brand: Netis Pages: 9
Novy 990.031 Operating Instructions Manual preview
990.031
Brand: Novy Pages: 12
GarrettCom DS8016 Installation And User Manual preview
DS8016
Brand: GarrettCom Pages: 42
IOGear MiniView G-CS12 Owner'S Manual preview
MiniView G-CS12
Brand: IOGear Pages: 18
Eaton PDI WaveStar BCMS Installation And Operation Manual preview
PDI WaveStar BCMS
Brand: Eaton Pages: 54
VNS S901 Quick User Manual preview
S901
Brand: VNS Pages: 8
Tripp Lite B005-DPUA4 Owner'S Manual preview
B005-DPUA4
Brand: Tripp Lite Pages: 12
Data Video HS-1500T Instruction Manual preview
HS-1500T
Brand: Data Video Pages: 47
TJERNLUND 950-2080 NEW STYLE GAS PRESSURE SWITCH Manual preview
950-2080 NEW STYLE GAS PRESSURE SWITCH
Brand: TJERNLUND Pages: 1
Asco J 4000 Series Installation Manual preview
J 4000 Series
Brand: Asco Pages: 20
CYP CPLUS-V3H1H Operation Manual preview
CPLUS-V3H1H
Brand: CYP Pages: 20
Honeywell DPSL200 Installation Instructions preview
DPSL200
Brand: Honeywell Pages: 2
3onedata IES2005 Quick Installation Manual preview
IES2005
Brand: 3onedata Pages: 2

Brands by name

Popular brands

Load more brands