LevelOne GEL-1061 Скачать руководство пользователя страница 300 | Manualshive

Страница: 300 / 500

background image

Chapter 12

| Security Measures

DHCP Snooping

– 300 –

Command Usage

DHCP Snooping Process

◆

Network traffic may be disrupted when malicious DHCP messages are received
from an outside source. DHCP snooping is used to filter DHCP messages
received on a non-secure interface from outside the network or fire wall. When
DHCP snooping is enabled globally and enabled on a VLAN interface, DHCP
messages received on an untrusted interface from a device not listed in the
DHCP snooping table will be dropped.

◆

Table entries are only learned for trusted interfaces. An entry is added or
removed dynamically to the DHCP snooping table when a client receives or
releases an IP address from a DHCP server. Each entry includes a MAC address,
IP address, lease time, VLAN identifier, and port identifier.

◆

The rate limit for the number of DHCP messages that can be processed by the
switch is 100 packets per second. Any DHCP packets in excess of this limit are
dropped.

◆

When DHCP snooping is enabled, DHCP messages entering an untrusted
interface are filtered based upon dynamic entries learned via DHCP snooping.

◆

Filtering rules are implemented as follows:

■

If the global DHCP snooping is disabled, all DHCP packets are forwarded.

■

If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, all DHCP packets are forwarded for a

trusted

port. If the received packet is a DHCP ACK message, a dynamic DHCP
snooping entry is also added to the binding table.

■

If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, but the port is

not trusted

, it is processed as

follows:

■

If the DHCP packet is a reply packet from a DHCP server (including
OFFER, ACK or NAK messages), the packet is dropped.

■

If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding
entry is found in the binding table.

■

If the DHCP packet is from a client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC
address verification is disabled. However, if MAC address verification is
enabled, then the packet will only be forwarded if the client’s hardware
address stored in the DHCP packet is the same as the source MAC
address in the Ethernet header.

■

If the DHCP packet is not a recognizable type, it is dropped.

«
...
298
299
300
301
302
...
»

Содержание GEL-1061

Страница 1: ...t L2 Managed Gigabit Switch 2 x SFP GEP 1061 10 Port L2 Managed Gigabit PoE Switch 2 x SFP 802 3at PoE 125W GEL 2861 28 Port L2 Managed Gigabit Switch 4 x SFP User Manual V2 0 Digital Data Communicati...

Страница 2: ...nd 2 Gigabit SFP Ports GEP 1061 10 Port L2 Managed Gigabit PoE Switch with 8 10 100 1000BASE T RJ 45 802 3 af at PoE Ports and 2 Gigabit SFP Ports PoE Power Budget 125 W GEL 2861 Managed Gigabit Switc...

Страница 3: ...s key features It also describes the switch s web browser interface For information on the command line interface refer to the CLI Reference Guide The guide includes these sections Section I Getting S...

Страница 4: ...r attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that c...

Страница 5: ...otocol 34 System Defaults 35 Section II Web Configuration 39 2 Using the Web Interface 41 Connecting to the Web Interface 41 Navigating the Web Browser Interface 42 Dashboard 42 Home Page 44 Configura...

Страница 6: ...ime 83 Configuring the Console Port 85 Configuring Telnet Settings 87 Displaying CPU Utilization 88 Configuring CPU Guard 89 Displaying Memory Utilization 90 Resetting the System 91 4 Interface Config...

Страница 7: ...AN Groups 149 Mapping Protocol Groups to Interfaces 150 Configuring MAC based VLANs 152 6 Address Table Settings 155 Configuring MAC Address Learning 155 Setting Static Addresses 157 Changing the Agin...

Страница 8: ...10 Attaching a Policy Map to a Port 214 11 VoIP Traffic Configuration 217 Overview 217 Configuring VoIP Traffic 218 Configuring Telephony OUI 219 Configuring VoIP Traffic Ports 220 12 Security Measure...

Страница 9: ...ort to an Access Control List 277 Showing ACL Hardware Counters 278 ARP Inspection 279 Configuring Global Settings for ARP Inspection 280 Configuring VLAN Settings for ARP Inspection 282 Configuring I...

Страница 10: ...P Interface Civic Address 327 Displaying LLDP Local Device Information 329 Displaying LLDP Remote Device Information 333 Displaying Device Statistics 341 Power over Ethernet 343 Setting the Switch s O...

Страница 11: ...ast Data 410 Displaying Multicast Groups Discovered by IGMP Snooping 411 Displaying IGMP Snooping Statistics 412 Filtering and Throttling IGMP Groups 416 Enabling IGMP Filtering and Throttling 416 Con...

Страница 12: ...the Switch s IP Address IP Version 4 451 Configuring the IPv4 Default Gateway 451 Configuring IPv4 Interface Settings 452 Setting the Switch s IP Address IP Version 6 455 Configuring the IPv6 Default...

Страница 13: ...Contents 13 Using System Logs 480 C License Information 481 The GNU General Public License 481 Glossary 485 Index 493...

Страница 14: ...Contents 14...

Страница 15: ...ing the System Clock 76 Figure 14 Setting the Polling Interval for SNTP 77 Figure 15 Configuring NTP 78 Figure 16 Specifying SNTP Time Servers 79 Figure 17 Adding an NTP Time Server 80 Figure 18 Showi...

Страница 16: ...unks 114 Figure 46 Adding Static Trunks Members 114 Figure 47 Configuring Connection Parameters for a Static Trunk 115 Figure 48 Showing Information for Static Trunks 115 Figure 49 Configuring Dynamic...

Страница 17: ...VLANs 152 Figure 81 Showing the Interface to Protocol Group Mapping 152 Figure 82 Configuring MAC Based VLANs 154 Figure 83 Showing MAC Based VLANs 154 Figure 84 Configuring MAC Address Learning 156 F...

Страница 18: ...194 Figure 115 Setting the Queue Mode Strict 196 Figure 116 Setting the Queue Mode WRR 196 Figure 117 Setting the Queue Mode Strict and WRR 197 Figure 118 Setting the Trust Mode 199 Figure 119 Configu...

Страница 19: ...ccounting Sessions 237 Figure 150 Configuring AAA Authorization Methods 239 Figure 151 Showing AAA Authorization Methods 239 Figure 152 Configuring AAA Authorization Methods for Exec Service 240 Figur...

Страница 20: ...Configuring Port Authentication 292 Figure 188 Configuring Global Settings for 802 1X Port Authentication 293 Figure 189 Configuring Interface Settings for 802 1X Port Authenticator 297 Figure 190 Sh...

Страница 21: ...18 Configuring Global Settings for SNMP 350 Figure 219 Configuring the Local Engine ID for SNMP 351 Figure 220 Configuring a Remote Engine ID for SNMP 352 Figure 221 Showing Remote Engine IDs for SNMP...

Страница 22: ...Configuring Interface Settings for LBD 392 Figure 258 Multicast Filtering Concept 393 Figure 259 Configuring General Settings for IGMP Snooping 399 Figure 260 Configuring a Static Interface for a Mult...

Страница 23: ...e Route to a Network Device 434 Figure 289 Displaying ARP Entries 435 Figure 290 Configuring General Settings for DNS 438 Figure 291 Configuring a List of Domain Names for DNS 439 Figure 292 Showing t...

Страница 24: ...igure 310 Showing IPv6 Neighbors 466 Figure 311 Showing IPv6 Statistics IPv6 470 Figure 312 Showing IPv6 Statistics ICMPv6 471 Figure 313 Showing IPv6 Statistics UDP 471 Figure 314 Showing Reported MT...

Страница 25: ...alues to Internal PHB Drop Values 200 Table 14 Default Mapping of CoS CFI to Internal PHB Drop Precedence 202 Table 15 Dynamic QoS Profiles 244 Table 16 HTTPS System Support 251 Table 17 ARP Inspectio...

Страница 26: ...tatements 444 Table 31 Options 55 and 124 Statements 444 Table 32 Show IPv6 Neighbors display description 465 Table 33 Show IPv6 Statistics display description 467 Table 34 Show MTU display descriptio...

Страница 27: ...ion provides an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes...

Страница 28: ...Section I Getting Started 28...

Страница 29: ...A password Telnet SSH Web HTTPS General Security Measures AAA ARP Inspection DHCP Snooping with Option 82 relay information DoS Protection IP Source Guard Port Authentication IEEE 802 1X Port Security...

Страница 30: ...e port Telnet or a web browser User names and passwords can be configured locally or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported...

Страница 31: ...ngestion and prevent the loss of packets when port buffer thresholds are exceeded The switch supports flow control based on the IEEE 802 3x standard now incorporated in IEEE 802 3 2002 Rate Limiting T...

Страница 32: ...ancy check CRC This prevents bad frames from entering the network and wasting bandwidth To avoid dropping frames on congested ports the switch provides 12 Mbits for frame buffering This buffer can que...

Страница 33: ...adjacent ports within the same VLAN and allowing you to limit the total number of VLANs that need to be configured Use protocol VLANs to restrict traffic to specified interfaces based on protocol type...

Страница 34: ...nated VLAN The switch uses IGMP Snooping and Query for IPv4 and MLD Snooping and Query for IPv6 to manage multicast group registration Link Layer Discovery Protocol LLDP is used to discover basic info...

Страница 35: ...ts 1 Parity none Local Console Timeout 600 seconds Authentication and Security Measures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privi...

Страница 36: ...l Broadcast Enabled 64 kbits sec Multicast Disabled Unknown Unicast Disabled Address Table Aging Time 300 seconds Spanning Tree Algorithm Status Enabled RSTP Defaults RSTP standard Edge Ports Auto LLD...

Страница 37: ...s Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled MLD Snooping Layer 2 IPv6 Snooping Enabled Querier Disabled IGMP Proxy Reporting Disabled System Log Status Enabled Messag...

Страница 38: ...Chapter 1 Introduction System Defaults 38...

Страница 39: ...ks on page 61 Interface Configuration on page 95 VLAN Configuration on page 139 Address Table Settings on page 155 Spanning Tree Algorithm on page 165 Congestion Control on page 189 Class of Service o...

Страница 40: ...Section II Web Configuration 40...

Страница 41: ...nitial Switch Configuration in the CLI Reference Guide 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords...

Страница 42: ...d for the administrator is admin The administrator has full access privileges to configure any parameters in the web interface The default user name and password for guest access is guest The guest on...

Страница 43: ...Chapter 2 Using the Web Interface Navigating the Web Browser Interface 43 Note You can open a connection to the vendor s web site by clicking on the Level 1 logo...

Страница 44: ...L 2861 Gigabit Ethernet switch Other than the difference in port count and support for PoE there are no significant differences Therefore most of the screen display examples are based on the GEP 1061...

Страница 45: ...up or down Duplex i e half or full duplex or Flow Control i e with or without flow control Figure 3 Front Panel Indicators Saves current configuration settings Displays help for the selected page Ref...

Страница 46: ...ss Sets the IPv4 address for management access 452 Show Address Shows the IPv4 address for management access 452 IPv6 Configuration 455 Configure Global Sets an IPv6 default gateway for traffic with n...

Страница 47: ...nnection parameters 87 CPU Utilization Displays information on CPU utilization 88 CPU Guard Sets the CPU utilization watermark and threshold 89 Memory Status Shows memory utilization parameters 90 Res...

Страница 48: ...arameters for link aggregation group members on the remote side 115 Show Information 121 Counters Displays statistics for LACP protocol messages 121 Internal Displays configuration settings and operat...

Страница 49: ...er interface 144 Edit Member by Interface Range Specifies VLAN attributes per interface range 144 Protocol 148 Configure Protocol 149 Add Creates a protocol group specifying supported protocols 149 Sh...

Страница 50: ...gorithm 183 Configure Global 183 Add Configures initial VLAN and priority for an MST instance 183 Modify Configures the priority or an MST instance 183 Show Configures global settings for an MST insta...

Страница 51: ...0 Modify Modifies the name of a policy map 210 Add Rule Sets the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic 210 Show Rule...

Страница 52: ...ethods applied to specific interfaces 231 Statistics Shows basic accounting information recorded for user sessions 231 Authorization Enables authorization of requested services 237 Configure Method 23...

Страница 53: ...TCAM Shows utilization parameters for TCAM 262 Add Adds an ACL based on IP or MAC address filtering 264 Show Shows the name and type of configured ACLs 264 Add Rule Configures packet filtering based...

Страница 54: ...ts the trust mode for an interface 304 Show Information Displays the DHCP Snooping binding information 306 IP Source Guard Filters IP traffic based on static entries in the IP Source Guard table or dy...

Страница 55: ...isplays statistics for remote devices on a selected port or trunk 341 PoE Power over Ethernet 343 PSE Power sourcing equipment 343 Configure Global Set the maximum PoE power budget for the switch powe...

Страница 56: ...gure Notify Filter Add Creates an SNMP notification log 372 Show Shows the configured notification logs 372 Show Statistics Shows the status of SNMP communications 374 RMON Remote Monitoring 376 Confi...

Страница 57: ...s Resolution Protocol cache 434 Show Information Shows entries in the Address Resolution Protocol ARP cache 435 IP Service 437 DNS Domain Name Service 437 General 437 Configure Global Enables DNS look...

Страница 58: ...terface 404 Configure Port Configures the interface to drop IGMP query packets or all multicast data packets 410 Configure Trunk Configures the interface to drop IGMP query packets or all multicast da...

Страница 59: ...424 Show Current Multicast Router Displays ports attached to a neighboring multicast router either through static or dynamic configuration 424 MLD Member 426 Add Static Member Statically assigns multi...

Страница 60: ...Chapter 2 Using the Web Interface Navigating the Web Browser Interface 60...

Страница 61: ...erating software or configuration files and set the system start up files Setting the System Clock Sets the current time manually or through specified NTP or SNTP servers Configuring the Console Port...

Страница 62: ...of device type System Object ID MIB II object ID for switch s network management subsystem System Up Time Length of time the management agent has been up System Name Name assigned to the switch system...

Страница 63: ...ion Serial Number The serial number of the switch Number of Ports Number of built in ports Hardware Version Hardware version of the main board Main Power Status Displays the status of the internal pow...

Страница 64: ...r trunks Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Usage Guidel...

Страница 65: ...icast Filtering Services This switch does not support the filtering of individual multicast addresses based on GMRP GARP Multicast Registration Protocol Traffic Classes This switch provides mapping of...

Страница 66: ...egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 139 Max Supported VLAN Numbers The maximum number of VLANs supported on this switch Max Supported VLAN ID The max...

Страница 67: ...for a user name and password configured on the remote server Note that Anonymous is set as the default user name The reset command will not be accepted during copy operations to flash memory Parameter...

Страница 68: ...cfg can be copied to a file server or management station but cannot be used as the destination file name on the switch Web Interface To copy firmware files 1 Click System then File 2 Select Copy from...

Страница 69: ...rameters are displayed Copy Type The copy operation includes this option Running Config Copies the current configuration settings to a local file on the switch Destination File Name Copy to the curren...

Страница 70: ...e System File Set Start Up page to specify the firmware or configuration file to use for system initialization Web Interface To set a file to use for system initialization 1 Click System then File 2 S...

Страница 71: ...to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server After the file is transferred from the server and successfully writ...

Страница 72: ...e file is stored as LEVEL 1 xx61 bix or even LeveL 1 xx61 bix on a case sensitive server then the switch requesting gel 1061 series bix will not be upgraded because the server does not recognize the r...

Страница 73: ...pgrade file can be found Nested directory structures are accepted The directory name must be separated from the host and in nested directory structures from the parent directory with a prepended forwa...

Страница 74: ...directory relative to the TFTP root The following examples demonstrate the URL syntax for an FTP server at IP address 192 168 0 1 with various user name password and file location options presented f...

Страница 75: ...tarted Flash programming completed The switch will now restart Setting the System Clock Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a t...

Страница 76: ...switch Hours Sets the hour Range 0 23 Minutes Sets the minute value Range 0 59 Seconds Sets the second value Range 0 59 Month Sets the month Range 1 12 Day Sets the day of the month Range 1 31 Year Se...

Страница 77: ...b Interface To set the polling interval for SNTP 1 Click System then Time 2 Select Configure General from the Step list 3 Select SNTP from the Maintain Type list 4 Modify the polling interval if requi...

Страница 78: ...ts for a time update from NTP servers Fixed 1024 seconds Web Interface To set the clock maintenance type to NTP 1 Click System then Time 2 Select Configure General from the Step list 3 Select NTP from...

Страница 79: ...Specifying SNTP Time Servers Specifying NTP Time Servers Use the System Time Configure Time Server Add NTP Server page to add the IP address for up to 50 NTP time servers Parameters The following par...

Страница 80: ...ange 1 65535 Web Interface To add an NTP time server to the server list 1 Click System then Time 2 Select Configure Time Server from the Step list 3 Select Add NTP Server from the Action list 4 Enter...

Страница 81: ...ys can be configured on the switch Range 1 65535 Key Context An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces NTP authentication key...

Страница 82: ...Parameters The following parameters are displayed Predefined Configuration A drop down box provides access to the 80 predefined time zone configurations Each choice indicates it s offset from UTC and...

Страница 83: ...ers are displayed in the web interface General Configuration Summer Time in Effect Shows if the system time has been adjusted Status Shows if summer time is set to take effect during the specified per...

Страница 84: ...e To specify a time corresponding to your local time when summer time is in effect you must indicate the number of minutes your summer time zone deviates from your regular time zone Offset Summer time...

Страница 85: ...timeout interval the connection is terminated for the session Range 10 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input i...

Страница 86: ...e connected to the serial port Range 9600 19200 38400 57600 or 115200 baud Default 115200 baud Note The password for the console connection can only be configured through the CLI see the password comm...

Страница 87: ...in Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 10 3...

Страница 88: ...required 3 Click Apply Figure 24 Telnet Connection Settings Displaying CPU Utilization Use the System CPU Utilization page to display information on CPU utilization Parameters The following parameter...

Страница 89: ...already in the buffer until usage time falls below the low watermark Range 40 100 Default 90 Low Watermark If packet flow has been stopped after exceeding the high watermark normal flow will be restor...

Страница 90: ...the minimum threshold before the alarm is terminated and then exceed the maximum threshold again before another alarm is triggered Current Threshold Shows the configured threshold in packets per seco...

Страница 91: ...red in non volatile memory See Saving the Running Configuration to a Local File on page 69 Parameters The following parameters are displayed System Reload Information Reload Settings Displays informat...

Страница 92: ...Range 01 31 MM The month at which to reload Range 01 12 YYYY The year at which to reload Range 1970 2037 HH The hour at which to reload Range 00 23 MM The minute at which to reload Range 00 59 Regular...

Страница 93: ...Chapter 3 Basic Management Tasks Resetting the System 93 5 When prompted confirm that you want reset the switch Figure 28 Restarting the Switch Immediately Figure 29 Restarting the Switch In...

Страница 94: ...Chapter 3 Basic Management Tasks Resetting the System 94 Figure 30 Restarting the Switch At Figure 31 Restarting the Switch Regularly...

Страница 95: ...ters for optical transceivers which support DDM Configuring Transceiver Thresholds Configures thresholds for alarm and warning messages for optical transceivers which support DDM Trunk Configuration C...

Страница 96: ...ard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed whe...

Страница 97: ...n and IEEE 802 3 2005 formally IEEE 802 3x for full duplex operation Default Autonegotiation enabled Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX ZX SFP...

Страница 98: ...rtise or manually fix the speed duplex mode and flow control Parameters Except for the trap command refer to Configuring by Port List on page 96 for more information on command usage and a description...

Страница 99: ...rface label Admin Shows if the port is enabled or disabled Oper Status Indicates if the link is Up or Down Shutdown Reason Shows the reason this interface has been shut down if applicable Some of the...

Страница 100: ...d to identify potential problems with the switch such as a faulty port or unusually heavy loading RMON statistics provide access to a broad range of statistics including a total count of different fra...

Страница 101: ...of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Transmitted Broadcast Packets The total number of packets that higher level...

Страница 102: ...t utilization Received Packets The total number of packets bad broadcast and multicast received Broadcast Packets The total number of good packets received that were directed to the broadcast address...

Страница 103: ...atistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down l...

Страница 104: ...Trunk History page to display statistical history for the specified interfaces Command Usage For a description of the statistics displayed on these pages see Showing Port or Trunk Statistics on page 1...

Страница 105: ...take Show Details Mode Status Shows the sample parameters Current Entry Shows current statistics for the specified port and named sample Input Previous Entries Shows statistical history for ingress tr...

Страница 106: ...how from the Action menu 3 Select an interface from the Port or Trunk list Figure 38 Showing Entries for History Sampling To show the configured parameters for a sampling entry 1 Click Interface Port...

Страница 107: ...rent interval of a sample entry 1 Click Interface Port Statistics or Interface Trunk Statistics 2 Select Show Details from the Action menu 3 Select Current Entry from the options for Mode 4 Select an...

Страница 108: ...ying Transceiver Data Use the Interface Port Transceiver page to display identifying information and operational for optical transceivers which support Digital Diagnostic Monitoring DDM Parameters The...

Страница 109: ...ta Configuring Transceiver Thresholds Use the Interface Port Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitorin...

Страница 110: ...ning message when the high threshold is crossed Low Warning Sends a warning message when the low threshold is crossed Low Alarm Sends an alarm message when the low threshold is crossed The configurabl...

Страница 111: ...al transceivers 1 Click Interface Port Transceiver 2 Select a port from the scroll down list 3 Set the switch to send a trap based on default or manual settings 4 Set alarm and warning thresholds if m...

Страница 112: ...ther ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on t...

Страница 113: ...twork be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Parameters...

Страница 114: ...4 Select a trunk identifier 5 Set the unit and port for an additional trunk member 6 Click Apply Figure 46 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click I...

Страница 115: ...r Static Trunks Configuring a Dynamic Trunk Use the Interface Trunk Dynamic pages to set the administrative key for an aggregation group enable LACP on a port configure protocol parameters for local a...

Страница 116: ...i e it has a null value of 0 the operational value of this key is set to the same value as the port admin key used by the interfaces that joined the group see the show lacp internal command in the CL...

Страница 117: ...n group LAG membership and to identify this device to other switches during LAG negotiations System MAC Address The device MAC address assigned to each trunk Configure Aggregation Port General Port Po...

Страница 118: ...with the maximum number of allowed port members and LACP is subsequently enabled on another port using a higher priority than an existing member the newly configured port will replace an existing port...

Страница 119: ...Configure from the Action list 4 Click General 5 Enable LACP on the required ports 6 Click Apply Figure 51 Enabling LACP on a Port To configure LACP parameters for group members 1 Click Interface Tru...

Страница 120: ...p list 3 Select Show Member from the Action list 4 Select a Trunk Figure 53 Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2...

Страница 121: ...yed Table 7 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Ma...

Страница 122: ...on Port Show Information Internal page to display the configuration settings and operational state for the local side of a link aggregation Parameters These parameters are displayed Table 8 LACP Inter...

Страница 123: ...of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be dis...

Страница 124: ...ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port nu...

Страница 125: ...Trunk Load Balance page to set the load distribution method used among ports in aggregated links Command Usage This command applies to all static and dynamic trunks on the switch To ensure that the s...

Страница 126: ...switch trunk links where traffic through the switch is received from and destined for many different hosts Source IP Address All traffic with the same source IP address is output on the same link in a...

Страница 127: ...er keeping the MAC interface powered up even if no link connection exists When using power savings mode the switch checks for energy on the circuit to determine if there is a link partner If none is d...

Страница 128: ...60 meters Parameters These parameters are displayed Port Power saving mode only applies to the Gigabit Ethernet ports using copper media Range 1 8 24 Power Saving Status Adjusts the power provided to...

Страница 129: ...ation port on this switch remote port mirroring as described in Configuring Remote Port Mirroring on page 130 Monitor port speed should match or exceed source port speed otherwise traffic may be dropp...

Страница 130: ...Use the Interface RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch This feature also called Remote Switched Port Analyzer RSPAN carries traffic...

Страница 131: ...port1 Then specify the source port s and the traffic type to monitor Rx Tx or Both 3 Set up all intermediate switches on the RSPAN configuration page entering the mirror session the switch s role Inte...

Страница 132: ...ng will still not be re started on the RSPAN uplink ports IEEE 802 1X RSPAN and 802 1X are mutually exclusive functions When 802 1X is enabled globally RSPAN uplink ports cannot be configured even tho...

Страница 133: ...of the RSPAN VLAN Ports cannot be manually assigned to an RSPAN VLAN through the VLAN Static page Nor can GVRP dynamically add port members to an RSPAN VLAN Also note that the VLAN Static Show page w...

Страница 134: ...e Configuration Configuring Remote Port Mirroring 134 Figure 65 Configuring Remote Port Mirroring Source Figure 66 Configuring Remote Port Mirroring Intermediate Figure 67 Configuring Remote Port Mirr...

Страница 135: ...link ports used by other clients allowing different clients to share access to their uplink ports where security is less likely to be compromised Enabling Traffic Segmentation Use the Interface Traffi...

Страница 136: ...anning tree protocol A port cannot be configured in both an uplink and downlink list A port can only be assigned to one traffic segmentation session A downlink port can only communicate with an uplink...

Страница 137: ...the direction to uplink or downlink Default Uplink Interface Displays a list of ports or trunks Port Port Identifier Range 1 10 28 Trunk Trunk Identifier Range 1 8 Web Interface To configure the memb...

Страница 138: ...c Segmentation 138 To show the members of the traffic segmentation group 1 Click Interface Traffic Segmentation 2 Select Configure Session from the Step list 3 Select Show from the Action list Figure...

Страница 139: ...An IEEE 802 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allo...

Страница 140: ...ffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other VLAN aware network devices along the path t...

Страница 141: ...y isolate user groups or subnets However you should use IEEE 802 3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration Forwarding Tagged Untagged Frames If you want to create...

Страница 142: ...nables or disables the specified VLAN Remote VLAN Reserves this VLAN for RSPAN see Configuring Remote Port Mirroring on page 130 Modify VLAN ID ID of configured VLAN 1 4094 VLAN Name Name of the VLAN...

Страница 143: ...ngs for VLAN groups 1 Click VLAN Static 2 Select Modify from the Action list 3 Select the identifier of a configured VLAN 4 Modify the VLAN name or operational status as required 5 Enable the L3 Inter...

Страница 144: ...are connected to 802 1Q VLAN compliant devices or untagged they are not connected to any VLAN aware devices Or configure a port as forbidden to prevent the switch from automatically adding it to a VL...

Страница 145: ...Ns for which it is not a member these frames will be flooded to all other ports except for those VLANs explicitly forbidden on this port If ingress filtering is enabled and a port receives frames tagg...

Страница 146: ...unk Range Displays a list of ports Range 1 8 Note The PVID acceptable frame type and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Me...

Страница 147: ...LAN Members by Interface To configure static members by interface range 1 Click VLAN Static 2 Select Edit Member by Interface Range from the Action list 3 Set the Interface type to display as Port or...

Страница 148: ...ired protocol When a frame is received at a port its VLAN membership can then be determined based on the protocol type being used by the inbound packets Command Usage To configure protocol based VLANs...

Страница 149: ...affic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet traffic must not be mapped to another VLA...

Страница 150: ...roup to a VLAN for each interface that will participate in the group Command Usage When creating a protocol based VLAN only assign interfaces using this configuration screen If you assign interfaces u...

Страница 151: ...p ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Priority The priority assigned to untagged ingre...

Страница 152: ...Mapping Configuring MAC based VLANs Use the VLAN MAC Based page to configure VLAN based on MAC addresses The MAC based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC...

Страница 153: ...i e it cannot be 101 or 001 A mask for the MAC address 00 50 6e 00 5f b1 translated into binary MAC 00000000 01010000 01101110 00000000 01011111 10110001 could be 11111111 11xxxxxx xxxxxxxx xxxxxxxx x...

Страница 154: ...nfiguration Configuring MAC based VLANs 154 Figure 82 Configuring MAC Based VLANs To show the MAC addresses mapped to a VLAN 1 Click VLAN MAC Based 2 Select Show from the Action list Figure 83 Showing...

Страница 155: ...ap when a dynamic MAC address is added or removed Configuring MAC Address Learning Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface Command Usage When...

Страница 156: ...ty Status see Configuring Port Security on page 289 is enabled on the same interface Parameters These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1...

Страница 157: ...not be written to the address table Static addresses will not be removed from the address table when a given interface link is down A static address cannot be learned on another port until the address...

Страница 158: ...m the Action list 3 Specify the VLAN the port or trunk to which the address will be assigned the MAC address and the time to retain this entry 4 Click Apply Figure 85 Configuring Static MAC Addresses...

Страница 159: ...eb Interface To set the aging time for entries in the dynamic address table 1 Click MAC Address Dynamic 2 Select Configure Aging from the Action list 3 Modify the aging status if required 4 Specify a...

Страница 160: ...terface Indicates a port or trunk Type Shows that the entries in this table are learned Values Learned or Security the last of which indicates Port Security Life Time Shows the time to retain the spec...

Страница 161: ...ries for a specific MAC address all the entries in a VLAN or all the entries associated with a port or trunk Web Interface To clear the entries in the dynamic address table 1 Click MAC Address Dynamic...

Страница 162: ...es the interval between issuing two consecutive traps Range 1 3600 seconds Default 1 second Configure Interface Port Port Identifier Range 1 10 28 MAC Notification Trap Enables MAC authentication trap...

Страница 163: ...o enable MAC address traps at the interface level 1 Click MAC Address MAC Notification 2 Select Configure Interface from the Step list 3 Enable MAC notification traps for the required ports 4 Click Ap...

Страница 164: ...Chapter 6 Address Table Settings Issuing MAC Address Traps 164...

Страница 165: ...etwork and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Protocol IEEE...

Страница 166: ...ed when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to...

Страница 167: ...TI tree to maintain connectivity among each of the VLANs MSTP maintains contact with the global network because each instance is treated as an RSTP node in the Common Spanning Tree CST Configuring Loo...

Страница 168: ...nually released from discard mode This is only available if the interface is configured for manual release mode Action Sets the response for loopback detection to shut down the interface Default Shutd...

Страница 169: ...VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol3 RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting...

Страница 170: ...back detection is disabled Spanning Tree Type Specifies the type of spanning tree used on this switch STP Spanning Tree Protocol IEEE 802 1D i e when this option is selected the switch will use RSTP s...

Страница 171: ...ned to each interface Long Specifies 32 bit based values that range from 1 200 000 000 This is the default Short Specifies 16 bit based values that range from 1 65535 Transmission Limit The maximum tr...

Страница 172: ...omatic detection of point to point link types both of which allow a port to directly transition to the forwarding state Configuration Settings for MSTP Max Instance Numbers The maximum number of MSTP...

Страница 173: ...Modify any of the required attributes Note that the parameters displayed for the spanning tree types STP RSTP MSTP varies as described in the preceding section 5 Click Apply Figure 96 Configuring Glo...

Страница 174: ...tems Bridge ID A unique identifier for this bridge consisting of the bridge priority the MST Instance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the...

Страница 175: ...rmation from the Action list Figure 99 Displaying Global Settings for STA Configuring Interface Settings for STA Use the Spanning Tree STA Configure Interface Configure page to configure RSTP and MSTP...

Страница 176: ...assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin Path Cost This parameter is used by the STA to determine the best pa...

Страница 177: ...ed Then even if the path cost of i2 on SW3 is configured changed to 0 these ports will still have the same root path cost and it will be impossible for i2 to become the root port just by changing its...

Страница 178: ...rcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Auto Enabled Manually configures a port as an Edge Po...

Страница 179: ...e specified interval Range 30 86400 seconds Default Disabled BPDU Guard Auto Recovery Interval The time to wait before re enabling an interface Range 30 86400 seconds Default 300 seconds BPDU Filter B...

Страница 180: ...port STA Status Displays current state of this port within the Spanning Tree Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuratio...

Страница 181: ...status of the LAN segment attached to this interface This parameter is determined by manual configuration or by auto detection as described for Admin Link Type in STA Port Configuration on page 175 Op...

Страница 182: ...port number in that order and as applicable to the role under question Web Interface To display interface settings for STA 1 Click Spanning Tree STA 2 Select Configure Interface from the Step list 3 S...

Страница 183: ...MSTI Region page 169 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions...

Страница 184: ...the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP Configure Global Add Member page If the priority is not specified the default value...

Страница 185: ...e priority for an MSTP Instance 5 Click Apply Figure 106 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the St...

Страница 186: ...ect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 10...

Страница 187: ...same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree...

Страница 188: ...face from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 110 Configuring MSTP Interface Settings To display MSTP paramet...

Страница 189: ...ived or transmitted on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network Packets that exceed the acceptable amount of traffic...

Страница 190: ...erly configured If there is too much traffic on your network performance can be severely degraded or everything can come to complete halt You can protect your network from traffic storms by setting a...

Страница 191: ...control for broadcast traffic Status Enables or disables storm control Default Disabled Rate Threshold level in packets per second Range 500 262142 pps Default 500 pps Resolution Indicates the resolut...

Страница 192: ...Chapter 8 Congestion Control Storm Control 192...

Страница 193: ...s This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags to queues Setting the Default...

Страница 194: ...tting the Default Port Priority Selecting the Queue Mode Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to service the queues ba...

Страница 195: ...ed queue mode applies to all interfaces Parameters These parameters are displayed Queue Mode Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queue...

Страница 196: ...eighted queue mode is selected the queue weight can be modified if required 4 If the queue mode that uses a combination of strict and weighted queueing is selected the queues which are serviced first...

Страница 197: ...es are enabled the priorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be contained i...

Страница 198: ...ority processing if the packet is tagged For an untagged packet the default port priority see page 193 is used for priority processing If the QoS mapping mode is set to CoS and the ingress packet type...

Страница 199: ...different kinds of forwarding Command Usage Enter per hop behavior and drop precedence for any of the DSCP values 0 63 This map is only used when the priority mapping mode is set to DSCP see page 198...

Страница 200: ...p10 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2 0 2 1 2 0 2 3 2 2 0 2 1 2 0 2 3 3 0 3 1 3 0 3 3 3 0 3 1 3 3 0 3 3 4 0 4 1 4 0 4 3 4 0 4 1 4 0 4 3 4 5 0 5...

Страница 201: ...le 14 on page 202 Enter up to eight CoS CFI paired values per hop behavior and drop precedence If a packet arrives with a 802 1Q header but it is not an IP packet then the CoS CFI to PHB Drop Preceden...

Страница 202: ...dence used in controlling traffic congestion Range 0 Green 3 Yellow 1 Red Web Interface To map CoS CFI values to internal PHB drop precedence 1 Click Traffic Priority CoS to DSCP 2 Select Configure fr...

Страница 203: ...f Service Layer 3 4 Priority Settings 203 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list Figure 122 Showing CoS to DSCP...

Страница 204: ...Chapter 9 Class of Service Layer 3 4 Priority Settings 204...

Страница 205: ...ies different kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to pa...

Страница 206: ...configured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to a...

Страница 207: ...ntrol list Any type of ACL can be specified including standard or extended IPv4 IPv6 ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSCP A DSCP v...

Страница 208: ...Showing Class Maps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Spe...

Страница 209: ...a Class Map 209 Figure 125 Adding Rules to a Class Map To show the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Show Rule from the Action list Fi...

Страница 210: ...ucket is by specified by the committed rate option Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698 The behavior of the meter is specified in terms of its mode a...

Страница 211: ...ering functions Set CoS Configures the service provided to ingress traffic by setting an internal CoS value for a matching packet as specified in rule settings for a class map Range 0 7 See Table 14 D...

Страница 212: ...nfigure Policy from the Step list 3 Select Add from the Action list 4 Enter a policy name 5 Enter a description 6 Click Apply Figure 127 Configuring a Policy Map To show the configured policy maps 1 C...

Страница 213: ...list 3 Select Add Rule from the Action list 4 Select the name of a policy map 5 Click on the Action field and set the CoS or per hop behavior for matching packets to specify the quality of service to...

Страница 214: ...rface page to bind a policy map to a port Command Usage First define a class map define a policy map and then bind the service policy to the required interface Parameters These parameters are displaye...

Страница 215: ...Chapter 10 Quality of Service Attaching a Policy Map to a Port 215 5 Click Apply Figure 131 Attaching a Policy Map to a Port...

Страница 216: ...Chapter 10 Quality of Service Attaching a Policy Map to a Port 216...

Страница 217: ...acket delays packet loss and jitter This is best achieved by assigning all VoIP traffic to a single Voice VLAN The use of a Voice VLAN has several advantages It provides security by isolating the VoIP...

Страница 218: ...ode see Adding Static Members to VLANs on page 144 Parameters These parameters are displayed Auto Detection Status Enables the automatic detection of VoIP traffic on switch ports Default Disabled Voic...

Страница 219: ...ers are displayed Telephony OUI Specifies a MAC address range to add to the list Format xx xx xx xx xx xx Mask Identifies a range of MAC addresses Setting a mask of FF FF FF 00 00 00 identifies all de...

Страница 220: ...oIP Traffic Ports Use the Traffic VoIP Configure Interface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic prio...

Страница 221: ...ffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to vendors and form the first three octets of a device MAC address M...

Страница 222: ...ise if the VoIP Mode is Disabled or set to Manual the remaining age will display NA Web Interface To configure VoIP traffic settings for a port 1 Click Traffic VoIP 2 Select Configure Interface from t...

Страница 223: ...ovide a secure shell for secure Telnet access ACL Access Control Lists provide packet filtering for IP frames based on address protocol Layer 4 protocol port number or TCP control code ARP Inspection...

Страница 224: ...be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authenticate a user a request is sent to the firs...

Страница 225: ...nst the authentication database stored on the local switch If a remote authentication server is used you must specify the authentication sequence Then specify the corresponding parameters for the remo...

Страница 226: ...n a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege...

Страница 227: ...bal Provides globally applicable RADIUS settings Server Index Specifies one of five RADIUS servers that may be configured The switch attempts authentication using the listed sequence of servers The pr...

Страница 228: ...the request Range 1 65535 Default 5 Authentication Retries Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Set Key Mark this box to se...

Страница 229: ...ver from the Step list 3 Select RADIUS or TACACS server type 4 Select Global to specify the parameters that apply globally to all specified servers or select a specific Server Index to specify the par...

Страница 230: ...ADIUS or TACACS server groups to use for accounting and authorization 1 Click Security AAA Server 2 Select Configure Group from the Step list 3 Select Add from the Action list 4 Select RADIUS or TACAC...

Страница 231: ...e configured accounting methods the methods applied to specific interfaces and basic accounting information recorded for user sessions Command Usage AAA authentication through a RADIUS or TACACS serve...

Страница 232: ...up names radius and tacacs specifies all configured RADIUS and TACACS hosts see Configuring Local Remote Logon Authentication on page 225 Any other group name refers to a server group configured on th...

Страница 233: ...les apply This field is null if the accounting method and associated server group has not been assigned to an interface Show Information Statistics User Name Displays a registered user name Accounting...

Страница 234: ...d from the Step list 3 Select Add from the Action list 4 Select the accounting type 802 1X Command Exec 5 Specify the name of the accounting method and server group name 6 Click Apply Figure 143 Confi...

Страница 235: ...to specific interfaces console commands entered at specific privilege levels and local console Telnet or SSH connections 1 Click Security AAA Accounting 2 Select Configure Service from the Step list 3...

Страница 236: ...Accounting Service for Command Service Figure 147 Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified...

Страница 237: ...3 Click Statistics Figure 149 Displaying Statistics for AAA Accounting Sessions Configuring AAA Authorization Use the Security AAA Authorization page to enable authorization of requested services and...

Страница 238: ...Remote Logon Authentication on page 225 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Configure Service...

Страница 239: ...Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name 4 Click Apply Figure 150 Configuring AAA Authorization Methods To show the authorizatio...

Страница 240: ...Select Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 152 Configuring AAA Authorization Methods for Exec Service To display a the configured author...

Страница 241: ...evel 0 7 provide the same default access to a limited number of commands which display the current status of the switch as well as several database clear and reset functions These commands are equival...

Страница 242: ...words Password Specifies the user password Range 0 32 characters case sensitive Confirm Password Re type the string entered in the previous field to ensure no errors were made The switch will not chan...

Страница 243: ...enticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully...

Страница 244: ...switch port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS server to pass the following QoS information Multiple profiles can be specified in the Filter...

Страница 245: ...uration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a...

Страница 246: ...ing the maximum MAC count and enabling dynamic VLAN or dynamic QoS assignments Parameters These parameters are displayed Guest VLAN Specifies the VLAN to be assigned to the port when 802 1X Authentica...

Страница 247: ...ned to the default untagged VLAN When the dynamic VLAN assignment status is changed on a port all authenticated addresses mapped to that port are cleared from the secure MAC address table MAC Filter I...

Страница 248: ...are displayed Filter ID Adds a filter rule for the specified filter Range 1 64 MAC Address The filter rule will check ingress packets against the entered MAC address or range of MAC addresses as defin...

Страница 249: ...tion on the secure MAC entries can be displayed and selected entries can be removed from the table Parameters These parameters are displayed Query By Specifies parameters to use in the MAC address que...

Страница 250: ...ecurity Network Access 2 Select Show Information from the Step list 3 Use the sort key to display addresses based MAC address interface or attribute 4 Restrict the displayed addresses by entering a sp...

Страница 251: ...tps device port_number When you start HTTPS the connection is established in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set o...

Страница 252: ...e site certificate When you log onto the web interface using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that the web browser displ...

Страница 253: ...urce File Name Name of certificate file stored on the TFTP server Private Key Source File Name Name of private key file stored on the TFTP server Private Password Password stored in the private key fi...

Страница 254: ...SH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered Note You need to install an...

Страница 255: ...the User Accounts page as described on page 241 The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown in...

Страница 256: ...lient s private key corresponds to an authorized public key and the client is authenticated Authenticating SSH v2 Clients a The client first queries the switch to determine if DSA public key authentic...

Страница 257: ...e 1 120 seconds Default 120 seconds Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authen...

Страница 258: ...generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default Both The SSH server uses RSA or DSA for key exchange when the client first establishes a connectio...

Страница 259: ...blic key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive password authentication mechanism to complete authentication Parameters These...

Страница 260: ...ey 1 Click Security SSH 2 Select Configure User Key from the Step list 3 Select Copy from the Action list 4 Select the user name and the public key type from the respective drop down boxes input the T...

Страница 261: ...s packets against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match the packet is accepte...

Страница 262: ...ound down to the end of the list the traffic is denied For this reason frequently hit entries should be placed at the top of the list There is an implied deny for traffic that is not explicitly permit...

Страница 263: ...n the TCAM List Unit Stack unit identifier Device Memory chip used for indicated pools Pool Rule slice or call group Each slice has a fixed number of rules that are used for the specified features Tot...

Страница 264: ...ts based on the source or destination IPv4 address as well as the protocol type and protocol port number If the TCP protocol is specified then you can also filter packets based on the TCP control code...

Страница 265: ...CL 2 Select Configure ACL from the Step list 3 Select Add from the Action list 4 Fill in the ACL Name field and select the ACL type 5 Click Apply Figure 169 Creating an ACL To show a list of ACLs 1 Cl...

Страница 266: ...ource IP Address Source IP address Source Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The mask uses 1 bits to indicate match and 0 bits to indicate igno...

Страница 267: ...de all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and Subnet Mask fields Options Any Host IP Default Any Sou...

Страница 268: ...8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN flag valid use control code 2 control bit mask 2...

Страница 269: ...d page to configure a Standard IPv6ACL Parameters These parameters are displayed Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action A...

Страница 270: ...the address Range 0 128 bits Time Range Name of a time range Web Interface To add rules to a Standard IPv6 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the...

Страница 271: ...ss must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number...

Страница 272: ...ayload RFC 2406 51 Authentication RFC 2402 60 Destination Options RFC 2460 Time Range Name of a time range Web Interface To add rules to an Extended IPv6 ACL 1 Click Security ACL 2 Select Configure AC...

Страница 273: ...in any combination of permit or deny rules Source Destination Address Type Use Any to include all possible addresses Host to indicate a specific MAC address or MAC to specify an address range with the...

Страница 274: ...value Range 0 7 where 7 is the highest priority CoS Bit Mask CoS bitmask Range 0 7 Time Range Name of a time range Web Interface To add rules to a MAC ACL 1 Click Security ACL 2 Select Configure ACL f...

Страница 275: ...hing the selected type Action An ACL can contain any combination of permit or deny rules Packet Type Indicates an ARP request ARP response or either type Range IP Request Response Default IP Source De...

Страница 276: ...address Log Logs a packet when it matches the access control entry Web Interface To add rules to an ARP ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the A...

Страница 277: ...appropriate ACLs Parameters These parameters are displayed Type Selects the type of ACLs to bind to a port Port Port identifier Range 1 10 28 ACL ACL used for ingress packets Time Range Name of a time...

Страница 278: ...meters These parameters are displayed Port Port identifier Range 1 10 28 Type Selects the type of ACL Direction Displays statistics for ingress or egress traffic Query Displays statistics for selected...

Страница 279: ...man in the middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to th...

Страница 280: ...ARP Inspection configuration of any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become a...

Страница 281: ...the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the sam...

Страница 282: ...9 Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Use the Security ARP Inspection Configure VLAN page to enable ARP inspection for any VLAN and to specify t...

Страница 283: ...CL Name Allows selection of any configured ARP ACLs Default None Static When an ARP ACL is selected and static mode also selected the switch only performs ARP Inspection and bypasses validation agains...

Страница 284: ...d will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Packet Rate Limit Sets the maximum number of ARP packets that can be processe...

Страница 285: ...xceeding the ARP Inspection rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional...

Страница 286: ...s are displayed Web Interface To display the ARP Inspection log 1 Click Security ARP Inspection 2 Select Show Information from the Step list 3 Select Show Log from the Action list Table 18 ARP Inspect...

Страница 287: ...event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five differe...

Страница 288: ...s of a range End IP Address The end address of a range Web Interface To create a list of IP addresses authorized for management access 1 Click Security IP Filter 2 Select Add from the Action list 3 Se...

Страница 289: ...vice with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message Comma...

Страница 290: ...bled on a port that port cannot be set as an RSPAN uplink port Also when a port is configured as an RSPAN uplink port source port or destination port port security cannot be enabled on that port Param...

Страница 291: ...an invalid address is detected on a port and set the maximum number of MAC addresses allowed on the port 3 Click Apply Figure 186 Configuring Port Security Configuring 802 1X Port Authentication Netwo...

Страница 292: ...e The RADIUS server verifies the client credentials and responds with an accept or reject packet If authentication is successful the switch allows the client to access the network Otherwise non EAP tr...

Страница 293: ...her comparable client software Configuring 802 1X Global Settings Use the Security Port Authentication Configure Global page to configure IEEE 802 1X port authentication The 802 1X protocol must be en...

Страница 294: ...e and as a supplicant on other ports by the setting the control mode to Force Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page Parameters These parameters a...

Страница 295: ...ter the Max Request Count has been exceeded before attempting to acquire a new client Range 1 65535 seconds Default 60 seconds Tx Period Sets the time period during an authentication session that the...

Страница 296: ...efault setting Guest VLAN All traffic for the port is assigned to a guest VLAN The guest VLAN must be separately configured See Configuring VLAN Groups on page 142 and mapped on each port See Configur...

Страница 297: ...ing initialize reauthenticate Web Interface To configure port authenticator settings for 802 1X 1 Click Security Port Authentication 2 Select Configure Interface from the Step list 3 Modify the authen...

Страница 298: ...cator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received...

Страница 299: ...mation to a DHCP server This information can be useful in tracking an IP address back to a physical port Rx EAP LenError The number of EAPOL frames that have been received by this Supplicant in which...

Страница 300: ...via DHCP snooping Filtering rules are implemented as follows If the global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLAN w...

Страница 301: ...ting malicious network attacks from attached clients on DHCP services such as IP Spoofing Client Identifier Spoofing MAC Address Spoofing and Address Exhaustion DHCP Snooping must be enabled for Optio...

Страница 302: ...ields in circuit ID CID and remote ID RID in Option 82 information Default Enabled DHCP Snooping Information Option Remote ID Specifies the MAC address IP address or arbitrary identifier of the reques...

Страница 303: ...gs for DHCP Snooping DHCP Snooping VLAN Configuration Use the Security DHCP Snooping Configure VLAN page to enable or disable DHCP snooping on specific VLANs Command Usage When DHCP snooping is enable...

Страница 304: ...a VLAN Configuring Ports for DHCP Snooping Use the Security DHCP Snooping Configure Interface page to configure switch ports as trusted or untrusted Command Usage A trusted interface is an interface...

Страница 305: ...on Mode Specifies the default string VLAN Unit Port or an arbitrary string Default VLAN Unit Port Value An arbitrary string inserted into the circuit identifier field Range 1 32 characters Web Interfa...

Страница 306: ...which this entry is bound Interface Port or trunk to which this entry is bound Store Writes all dynamically learned snooping entries to flash memory This function can be used to store the currently l...

Страница 307: ...a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address 255 255 255 255 all of which uses a spoofed source address of the intended victim Th...

Страница 308: ...interfaces based on manually configured entries in the IP Source Guard table or dynamic entries in the DHCP Snooping table when enabled see DHCP Snooping on page 299 IP source guard can be used to pre...

Страница 309: ...table Filtering rules are implemented as follows If DHCP snooping is disabled see page 302 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC o...

Страница 310: ...erface ACL Table 1 5 Default 5 MAC Table 1 32 Default 16 This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table including both dynamic entrie...

Страница 311: ...he binding table Static bindings are processed as follows A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true If there is no...

Страница 312: ...or C Port The port to which a static entry is bound Specify a physical port number or list of port numbers Separate nonconsecutive port numbers with a comma and no spaces or use a hyphen to designate...

Страница 313: ...Action list Figure 198 Configuring Static Bindings for IPv4 Source Guard Displaying Information for Dynamic IPv4 Source Guard Bindings Use the Security IP Source Guard Dynamic Binding page to display...

Страница 314: ...ort to which this entry is bound IP Address IP address corresponding to the client Type Entry types include DHCP Snooping or BOOTP Snooping Web Interface To display the binding table for IP Source Gua...

Страница 315: ...the local switch or discovery of information about neighboring devices on the local broadcast domain Power over Ethernet7 Sets the priority and power budget for each port Simple Network Management Pro...

Страница 316: ...hat are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM Parameters These parameters are displayed System Log Status Ena...

Страница 317: ...ommand Log Status Records the commands executed from the CLI including the execution time and information about the CLI user including the user name user interface console port telnet or SSH and user...

Страница 318: ...s are displayed Remote Log Status Enables disables the logging of debug or error messages to the remote logging process Default Disabled Logging Facility Sets the facility type for remote logging of s...

Страница 319: ...e Logging of Error Messages Sending Simple Mail Transfer Protocol Alerts Use the Administration Log SMTP page to alert system administrators of problems by sending SMTP Simple Mail Transfer Protocol e...

Страница 320: ...t messages You can specify up to five recipients Server IP Address Specifies a list of up to three recipient SMTP servers IPv4 or IPv6 addresses may be specified The switch attempts to connect to the...

Страница 321: ...Timing Attributes Use the Administration LLDP Configure Global page to set attributes for general functions such as globally enabling LLDP on the switch setting the message ageout time and setting th...

Страница 322: ...changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent should th...

Страница 323: ...Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section Trap notifications include informati...

Страница 324: ...hrough the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier VID associated with the management address reported by this TLV Port Description The...

Страница 325: ...ch includes information about auto negotiation support capabilities and operational Multistation Access Unit MAU type Default Enabled PoE8 Power over Ethernet capabilities including whether or not PoE...

Страница 326: ...ssages including the country and the device type Country The two letter ISO 3166 country code in capital ASCII letters Example DK DE or US Device entry refers to The type of device to which the locati...

Страница 327: ...s such as the city street number building and room information The address location is specified as a type and value pair with the civic address type defined in RFC 4776 The following table describes...

Страница 328: ...ange 1 32 characters Web Interface To specify the physical location of the attached device 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Add CA Type from the Act...

Страница 329: ...mation Parameters These parameters are displayed General Settings Chassis Type Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several w...

Страница 330: ...address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions appl...

Страница 331: ...the interface LLDP MED Capabilities Network Policy Location Identification Extended Power via MDI PSE Extended Power via MDI PD Inventory Web Interface To display LLDP information for the local devic...

Страница 332: ...tocols Link Layer Discovery Protocol 332 Figure 208 Displaying Local Device Information for LLDP General Figure 209 Displaying Local Device Information for LLDP Port Figure 210 Displaying Local Device...

Страница 333: ...ch Range 1 10 28 Remote Index Index of remote device attached to this port Local Port The local port to which a remote LLDP capable device is attached Chassis Type Identifies the chassis containing th...

Страница 334: ...ocol VLANs configured on this interface whether the given port associated with the remote system supports port based protocol VLANs and whether the port based protocol VLANs are enabled on the given p...

Страница 335: ...eans that the spare pairs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controllable Indicates w...

Страница 336: ...ty 9 Device Class Any of the following categories of endpoint devices Class 1 The most basic class of endpoint devices Class 2 Endpoint devices that supports media stream capabilities Class 3 Endpoint...

Страница 337: ...in IEEE 802 1Q A value of zero indicates that the port is using priority tagged frames meaning that only the IEEE 802 1D priority level is significant and the default PVID of the ingress port is used...

Страница 338: ...rimary Power Source Backup Power Source Power conservation mode Power Value The total power in watts required by a PD device from a PSE device or the total power a PSE device is capable of sourcing ov...

Страница 339: ...port 1 Click Administration LLDP 2 Select Show Remote Device Information from the Step list 3 Select Port Port Details Trunk or Trunk Details 4 When the next page opens select a port on this switch a...

Страница 340: ...Chapter 13 Basic Administration Protocols Link Layer Discovery Protocol 340 Figure 212 Displaying Remote Device Information for LLDP Port Details...

Страница 341: ...display statistics for LLDP capable devices attached to the switch and for LLDP protocol messages transmitted or received on all local interfaces Parameters These parameters are displayed General Sta...

Страница 342: ...TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count...

Страница 343: ...switch that is authenticated by a PoE signature from the connected device Detection and authentication prevent damage to non compliant devices prior to IEEE 802 3af The switch s power management enabl...

Страница 344: ...ty settings are used to control the supplied power PoE Maximum Allocation Power Sets a power budget for the switch Range 50000 740000 milliwatts Default 125000 milliwatts Compatible Mode Allows the sw...

Страница 345: ...causes an 802 3at PD to respond as a Class 4 device and draw Class 4 current Afterwards the switch exchanges information with the PD such as duty cycle peak and average power needs All the RJ 45 ports...

Страница 346: ...all of the ports port priority defaults to Port 1 Port 2 Port 3 Port 24 with available power being supplied in that sequence If priority is not set for any ports and PoE consumption exceeds the maxim...

Страница 347: ...s for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on t...

Страница 348: ...e following table shows the security models and levels available and the system default settings Note The predefined default groups and view can be deleted from the system You can then define customiz...

Страница 349: ...se the Administration SNMP Configure Engine page to change the local engine ID If you want to change the default engine ID it must be changed before configuring other parameters 4 Use the Administrati...

Страница 350: ...SNMPv3 packets Command Usage A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SN...

Страница 351: ...ngine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host Command Usage SNMP passwords are localized using th...

Страница 352: ...3 Select Add Remote Engine from the Action list 4 Enter an ID of a least 9 hexadecimal characters and the IP address of the remote host 5 Click Apply Figure 220 Configuring a Remote Engine ID for SNM...

Страница 353: ...bject identifier of a branch within the MIB tree is included or excluded from the SNMP view Add OID Subtree View Name Lists the SNMP views configured in the Add View page Range 1 32 characters OID Sub...

Страница 354: ...Select Show View from the Action list Figure 223 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure Vie...

Страница 355: ...iews Figure 225 Showing the OID Subtree Configured for SNMP Views Configuring SNMPv3 Groups Use the Administration SNMP Configure Group page to add an SNMPv3 group which can be used to set the access...

Страница 356: ...encryption used in SNMP communications This is the default security level AuthNoPriv SNMP communications use authentication but the data is not encrypted AuthPriv SNMP communications use both authent...

Страница 357: ...that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notPre...

Страница 358: ...hen a broadcast storm is detected as normal traffic this trap is fired swAtcBcastStormTcApplyTrap 1 3 6 1 4 1 22426 43 103 2 1 0 72 When ATC is activated this trap is fired swAtcBcastStormTcReleaseTra...

Страница 359: ...to memoryUtiFallingThreshold dhcpRougeServerAttackTrap 1 3 6 1 4 1 22426 43 103 2 1 0 114 This trap is sent when receiving a DHCP packet from a rouge server macNotificationTrap 1 3 6 1 4 1 22426 43 10...

Страница 360: ...03 2 1 0 213 This trap is sent when CPU utilization rises above the high watermark the first time or when CPU utilization rises from below the low watermark to above the high watermark cpuGuardRelease...

Страница 361: ...re Group from the Step list 3 Select Add from the Action list 4 Enter a group name assign a security model and level and then select read write and notify views 5 Click Apply Figure 226 Creating an SN...

Страница 362: ...s to the SNMP protocol Range 1 32 characters case sensitive Default strings public Read Only private Read Write Access Mode Specifies the access rights for the community string Read Only Authorized ma...

Страница 363: ...with a specific security level and assigned to a group The SNMPv3 group restricts users to a specific read write and notify view Parameters These parameters are displayed User Name The name of user co...

Страница 364: ...lable Privacy Password A minimum of eight plain text characters is required Web Interface To configure a local SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Sele...

Страница 365: ...User from the Step list 3 Select Show SNMPv3 Local User from the Action list Figure 231 Showing Local SNMPv3 Users To change a local SNMPv3 local user group 1 Click Administration SNMP 2 Select Chang...

Страница 366: ...n page 351 Parameters These parameters are displayed User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group to which the user is assigned R...

Страница 367: ...to identify the source of SNMPv3 inform messages sent from the local switch If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and...

Страница 368: ...However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deci...

Страница 369: ...receive notification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Infor...

Страница 370: ...ange 0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specif...

Страница 371: ...onfigure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 C...

Страница 372: ...Configure Notify Filter Add page to create an SNMP notification log Command Usage Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notif...

Страница 373: ...rmation recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station When a trap host is created using the Administration SNMP Configure...

Страница 374: ...units Parameters The following counters are displayed SNMP packets input The total number of messages delivered to the SNMP entity from the transport service Bad SNMP version errors The total number...

Страница 375: ...pted and processed or generated by the SNMP protocol entity SNMP packets output The total number of SNMP Messages which were passed from the SNMP protocol entity to the transport service Too big error...

Страница 376: ...it can automatically notify the network administrator of a failure and provide historical information about the event If it cannot connect to the management agent it will continue to perform any speci...

Страница 377: ...nes the MIB variable plus the etherStatsIndex For example 1 3 6 1 2 1 16 1 1 1 6 1 denotes etherStatsBroadcastPkts plus the etherStatsIndex of 1 Interval The polling interval Range 1 31622400 seconds...

Страница 378: ...monitored variables reaching or crossing below the falling threshold If there is no corresponding entry in the event control table then no event will be generated Range 0 65535 Owner Name of the perso...

Страница 379: ...take when an alarm is triggered The response can include logging the alarm or sending a message to a trap manager Alarms and corresponding events provide a way of immediately responding to critical ne...

Страница 380: ...1 and v2c hosts Although the community string can be set on this configuration page it is recommended that it be defined on the SNMP trap configuration page see Setting Community Access Strings on pag...

Страница 381: ...les Use the Administration RMON Configure Interface Add History page to collect statistics on a physical interface to monitor network utilization packet types and errors A historical record of activit...

Страница 382: ...using the Add page this index will not appear in the Show nor Show Details page for the port to which is normally assigned For example if control entry 15 is assigned to port 5 this index entry will...

Страница 383: ...he name of the owner for this entry 7 Click Apply Figure 246 Configuring an RMON History Sample To show configured RMON history samples 1 Click Administration RMON 2 Select Configure Interface from th...

Страница 384: ...ch can subsequently be used to monitor the network for common errors and overall traffic rates Command Usage If statistics collection is already enabled on an interface the entry must be deleted befor...

Страница 385: ...om the Action list 4 Click Statistics 5 Select a port from the list as the data source 6 Enter an index number and the name of the owner for this entry 7 Click Apply Figure 249 Configuring an RMON Sta...

Страница 386: ...d RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a...

Страница 387: ...take effect if the current time is within the absolute time range and one of the periodic time ranges A maximum of eight rules can be configured for a time range Parameters These parameters are displa...

Страница 388: ...Name of a Time Range To show a list of time ranges 1 Click Administration Time Range 2 Select Show from the Action list Figure 253 Showing a List of Time Ranges To configure a rule for a time range 1...

Страница 389: ...led a control frame is transmitted on the participating ports and the switch monitors inbound traffic to see if the frame is looped back Usage Guidelines The default settings for the control frame tra...

Страница 390: ...me Specifies the interval to wait before the switch automatically releases an interface from shutdown state Range 60 1 000 000 seconds Default 60 seconds When the loopback detection mode is changed an...

Страница 391: ...oopback condition Detect Sends an SNMP trap message when a loopback condition is detected None Does not send an SNMP trap for loopback detection or recovery Recover Sends an SNMP trap message when the...

Страница 392: ...displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1 10 28 Trunk Trunk Identifier Range 1 8 Admin State Manually enables or disables an interface Default Enabled Operat...

Страница 393: ...k and any hosts that want to receive the multicast register with their local multicast switch router Although this approach reduces the network overhead required by a multicast server the broadcast tr...

Страница 394: ...work segments where no node has expressed interest in receiving a specific multicast service For switches that do not support multicast routing or where multicast routing is already enabled on other s...

Страница 395: ...e Configuring IGMP Snooping and Query Parameters on page 396 Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier you can manually designate a known IGMP querier i e a multicas...

Страница 396: ...see Unregistered Data Flooding in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there i...

Страница 397: ...hanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolicited reports for all currently learned channels out the new uplink por...

Страница 398: ...ion Unregistered Data Flooding Floods unregistered multicast traffic into the attached VLAN Default Disabled Once the table used to store multicast entries for IGMP snooping and multicast routing is f...

Страница 399: ...onfigures the IGMP report query version used by IGMP snooping Versions 1 3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the...

Страница 400: ...MP Snooping must be enabled globally on the switch see Configuring IGMP Snooping and Query Parameters on page 396 before a multicast router port can take effect Parameters These parameters are display...

Страница 401: ...attached to the multicast router 4 Click Apply Figure 260 Configuring a Static Interface for a Multicast Router To show the static interfaces attached to a multicast router 1 Click Multicast IGMP Sno...

Страница 402: ...lly assign a multicast service to an interface Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages see Configuring IGMP Snooping and Query Parameters on page...

Страница 403: ...ion list 3 Select the VLAN that will propagate the multicast service specify the interface attached to a multicast service through an IGMP enabled switch or multicast router and enter the multicast IP...

Страница 404: ...ing and multicast routing devices MRD is used to discover which interfaces are attached to multicast routers allowing IGMP enabled devices to determine where to send multicast source and group members...

Страница 405: ...ace is administratively disabled The router is gracefully shut down Advertisement and Termination messages are sent to the All Snoopers multicast address Solicitation messages are sent to the All Rout...

Страница 406: ...this time out is set to Last Member Query Interval Robustness Variable fixed at 2 as defined in RFC 2236 If immediate leave is enabled the switch assumes that only one host is connected to the interfa...

Страница 407: ...ages sent to downstream hosts and in report and leave messages sent upstream from the multicast router port If a proxy query address is not configured the switch will use the VLAN s IP address as the...

Страница 408: ...ping proxy reporting is enabled page 396 or IGMP querier is enabled page 396 Last Member Query Count The number of IGMP proxy group specific or group and source specific query messages that are sent o...

Страница 409: ...igure and update the required parameters 4 Click Apply Figure 265 Configuring IGMP Snooping on a VLAN To show the interface settings for IGMP snooping 1 Click Multicast IGMP Snooping Interface 2 Selec...

Страница 410: ...specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier Multicast Data Drop Configures an interface to stop multicast...

Страница 411: ...ulticast group address Group Address IP multicast group address with subscribers directly attached or downstream from the switch or a static multicast group assigned to this interface Interface A down...

Страница 412: ...local querier is assumed to have expired Self Querier Uptime Time local querier has been up General Query Received The number of general queries received on this interface General Query Sent The numbe...

Страница 413: ...report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or IGMP group report received Join Success The number of times a multicast grou...

Страница 414: ...g and Query for IPv4 414 Figure 269 Displaying IGMP Snooping Statistics Query To display IGMP snooping protocol related statistics for a VLAN 1 Click Multicast IGMP Snooping Statistics 2 Select Show V...

Страница 415: ...igure 270 Displaying IGMP Snooping Statistics VLAN To display IGMP snooping protocol related statistics for a port 1 Click Multicast IGMP Snooping Statistics 2 Select Show Port Statistics from the Act...

Страница 416: ...file If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum num...

Страница 417: ...the start and end of the range Parameters These parameters are displayed Add Profile ID Creates an IGMP profile Range 1 4294967295 Access Mode Sets the access mode of the profile either permit or den...

Страница 418: ...and set its access mode 5 Click Apply Figure 273 Creating an IGMP Filtering Profile To show the IGMP filter profiles 1 Click Multicast IGMP Snooping Filter 2 Select Configure Profile from the Step li...

Страница 419: ...formation Figure 276 Showing the Groups Assigned to an IGMP Filtering Profile Configuring IGMP Filtering and Throttling for Interfaces Use the Multicast IGMP Snooping Filter Configure Interface page t...

Страница 420: ...t the same time Range 1 511 Default 511 Current Multicast Groups Displays the current multicast groups the interface has joined Throttling Action Mode Sets the action to take when the maximum number o...

Страница 421: ...ets include MLDv2 query and report messages as well as MLDv1 report and done messages Remember that IGMP Snooping and MLD Snooping are independent functions and can therefore both function at the same...

Страница 422: ...e multicast groups they have joined Query Max Response Time The maximum response time advertised in MLD general queries Range 5 25 seconds Default 10 seconds This attribute controls how long the host...

Страница 423: ...he parent VLAN Default Disabled If MLD immediate leave is not used a multicast router or querier will send a group specific query message when an MLD group leave message is received The router querier...

Страница 424: ...current multicast groups Command Usage MLD Snooping must be enabled globally on the switch see Configuring MLD Snooping and Query Parameters on page 421 before a multicast router port can take effect...

Страница 425: ...Select the VLAN for which to display this information Figure 281 Showing Static Interfaces Attached an IPv6 Multicast Router To show all the interfaces attached to a multicast router 1 Click Multicas...

Страница 426: ...ly be forwarded to ports within that VLAN Parameters These parameters are displayed VLAN Specifies the VLAN which is to propagate the multicast service Range 1 4094 Multicast IPv6 Address The IP addre...

Страница 427: ...3 Select the VLAN for which to display this information Figure 284 Showing Static Interfaces Assigned to an IPv6 Multicast Service To display information about all IPv6 multicast groups MLD Snooping o...

Страница 428: ...ress to a minimum set such that all nodes listening states are respected In Include mode the router only uses the request list indicating that the reception of packets sent to the specified multicast...

Страница 429: ...Pv4 429 Web Interface To display known MLD multicast groups 1 Click Multicast MLD Snooping Group Information 2 Select the port or trunk and then select a multicast service assigned to that interface F...

Страница 430: ...Chapter 14 Multicast Filtering MLD Snooping Snooping and Query for IPv4 430...

Страница 431: ...e IP Address Alias or IPv4 IPv6 address of the host Probe Count Number of packets to send Range 1 16 Packet Size Number of bytes in a packet Range 32 512 bytes for IPv4 0 1500 bytes for IPv6 The actua...

Страница 432: ...faces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies...

Страница 433: ...ses the first router to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and displays the round trip time for each mes...

Страница 434: ...his way with each routing device mapping the destination IP address to the MAC address of the next hop toward the recipient until the packet is delivered to the final destination If there is no entry...

Страница 435: ...e and also cache the MAC of the source device s IP address Displaying Dynamic or Local ARP Entries Use the Tools ARP page to display dynamic or local entries in the ARP cache The ARP cache contains st...

Страница 436: ...Chapter 15 IP Tools Address Resolution Protocol 436...

Страница 437: ...to other name servers on the network When a client device designates this switch as a DNS server the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switc...

Страница 438: ...re Global from the Action list 3 Enable domain lookup and set the default domain name 4 Click Apply Figure 290 Configuring General Settings for DNS Configuring a List of Domain Names Use the IP Servic...

Страница 439: ...age 440 If all name servers are deleted DNS will automatically be disabled Parameters These parameters are displayed Domain Name Name of the host Do not include the initial dot that separates the host...

Страница 440: ...e server is specified the servers are queried in the specified sequence until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automat...

Страница 441: ...Service DNS Static Host Table Add page to manually configure static entries in the DNS table that are used to map domain names to IP addresses Command Usage Static entries may be used for local device...

Страница 442: ...ic Host Table 2 Select Show from the Action list Figure 296 Showing Static Entries in the DNS Table Displaying the DNS Cache Use the IP Service DNS Cache page to display entries in the DNS cache that...

Страница 443: ...namic Host Configuration Protocol DHCP can dynamically allocate an IP address and other configuration information to network clients when they boot up If a subnet does not already include a BOOTP or D...

Страница 444: ...information the DHCP client request sent by this switch includes a parameter request list asking for this information Besides the client request also includes a vendor class identifier that allows the...

Страница 445: ...devices including DHCP option 82 information DHCP provides an option for sending information about its DHCP clients to the DHCP server specifically the interface on the relay server through which the...

Страница 446: ...fied DHCP server addresses are not located in the same network segment with this switch specify the default router through which this switch can reach other IP subnetworks see Configuring the IPv4 Def...

Страница 447: ...which it was received If the RID in the DHCP reply packet matches that configured on the switch it then removes the Option 82 information from the packet and sends it on as follows If the DHCP packet...

Страница 448: ...relay agent itself inserts the relay agent s address and unicasts the packet to the DHCP server DHCP Sub option Format Specifies whether or not to use the sub type and sub length fields in the circuit...

Страница 449: ...ed under the ip dhcp dynamic provision command in the CLI Reference Guide By default the parameters for DHCP option 66 67 are not carried by the reply sent from the DHCP server To ask for a DHCP reply...

Страница 450: ...Chapter 16 IP Services Dynamic Host Configuration Protocol 450 Figure 301 Enabling Dynamic Provisioning via DHCP...

Страница 451: ...Version 4 This section describes how to configure an IPv4 interface for management access over the network This switch supports both IPv4 and IPv6 and can be managed through either of these address ty...

Страница 452: ...to obtain an address from a BOOTP or DHCP server or manually configure a static IP address Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything other than this fo...

Страница 453: ...ses a secondary address all other routers switches in that segment must also use a secondary address from the same network or subnet address space IP Address IP Address of the VLAN Valid IP addresses...

Страница 454: ...igured VLAN and set IP Address Mode to BOOTP or DHCP 5 Click Apply to save your changes 6 Then click Restart DHCP to immediately request a new address IP will be enabled but will not function until a...

Страница 455: ...ystem IP 2 Select Configure Interface from the Step list 3 Select Show Address from the Action list 4 Select an entry from the VLAN list Figure 305 Showing the Configured IPv4 Address for an Interface...

Страница 456: ...r the switch Parameters These parameters are displayed Default Gateway Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address An IPv6 de...

Страница 457: ...he paths to active neighbors The key parameters used to facilitate this process are the number of attempts made to verify whether or not a duplicate address exists on the same network segment and the...

Страница 458: ...U value in cases where the link MTU is not otherwise well known IPv6 routers do not fragment IPv6 packets forwarded from other routers However traffic originating from an end station connected to an I...

Страница 459: ...ations When a non default value is configured the specified interval is used both for router advertisements and by the router itself ND Reachable Time The amount of time that a remote IPv6 node is con...

Страница 460: ...used only for other configuration settings Neighboring routers are configured to advertise non link local address prefixes from which IPv6 hosts derive stateless addresses This combination is known as...

Страница 461: ...e 457 will also automatically generate a link local unicast address The prefix length for a link local address is fixed at 64 bits and the host portion of the default address is based on the modified...

Страница 462: ...pe configured for this interface Global Configures an IPv6 global unicast address with a full IPv6 address including the network prefix and host address bits followed by a forward slash and a decimal...

Страница 463: ...s resulting in a modified EUI 64 interface identifier of 2A 9F 18 FF FE 1C 82 35 This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single devic...

Страница 464: ...r the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and jo...

Страница 465: ...e state to invalid dis associates the interface identified with this entry from the indicated mapping RFC 4293 Reachable Positive confirmation was received within the last ReachableTime interval that...

Страница 466: ...g packets if necessary for transmission through small packet networks ICMPv6 Internet Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to rep...

Страница 467: ...ot a valid address to be received at this entity This count includes invalid addresses e g 0 and unsupported addresses e g addresses with unallocated prefixes For entities which are not IPv6 routers a...

Страница 468: ...The number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination but which were discarded e g for lack of buffer space Note that this counter...

Страница 469: ...rts received by the interface ICMPv6 Transmitted Output The total number of ICMP messages which this interface attempted to send Note that this counter includes all those counted by icmpOutErrors Dest...

Страница 470: ...Listener Discovery Version 2 Reports The number of MLDv2 reports sent by the interface UDP Statistics Input The total number of UDP datagrams delivered to UDP users No Port Errors The total number of...

Страница 471: ...Chapter 17 IP Configuration Setting the Switch s IP Address IP Version 6 471 Figure 312 Showing IPv6 Statistics ICMPv6 Figure 313 Showing IPv6 Statistics UDP...

Страница 472: ...parameters are displayed Web Interface To show the MTU reported from other devices 1 Click System IPv6 Configuration 2 Select Show MTU from the Action list Figure 314 Showing Reported MTU Values Tabl...

Страница 473: ...473 Section III Appendices This section provides additional information and includes these items Software Specifications on page 475 Troubleshooting on page 479 License Information on page 481...

Страница 474: ...Section III Appendices 474...

Страница 475: ...1000 Mbps at full duplex SFP Flow Control Full Duplex IEEE 802 3 2005 Half Duplex Back pressure Storm Control Broadcast multicast or unknown unicast traffic throttled above a critical threshold Port...

Страница 476: ...Snooping Layer 2 IPv6 IP Routing ARP CIDR Classless Inter Domain Routing Additional Features BOOTP Client DHCP Client Option 82 LLDP Link Layer Discover Protocol RMON Remote Monitoring groups 1 2 3 9...

Страница 477: ...ink Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging ARP RFC 826 DHCP Client RFC 2131 HTTPS ICMP RFC 792 IGMP RFC 1112 IGMPv2 RFC 2236 IGMP Proxy RFC...

Страница 478: ...II RFC 1213 NTP RFC 1305 P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q Quality of Service M...

Страница 479: ...onnecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting ag...

Страница 480: ...Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set...

Страница 481: ...ou have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use piec...

Страница 482: ...under the terms of Section 1 above provided that you also meet all of these conditions a You must cause the modified files to carry prominent notices stating that you changed the files and the date o...

Страница 483: ...parties are not compelled to copy the source along with the object code 5 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt other...

Страница 484: ...which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Pro...

Страница 485: ...ound robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port numbe...

Страница 486: ...t used by IPv6 to identify the host portion of the network address The interface identifier in EUI compatible addresses is based on the link layer MAC address of an interface Interface identifiers use...

Страница 487: ...Rapid Spanning Tree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 20...

Страница 488: ...lt but may be configured differently to suit the requirements for specific network applications LACP Link Aggregation Control Protocol Allows ports to automatically negotiate a trunked link with LACP...

Страница 489: ...group NTP Network Time Protocol provides the mechanisms to synchronize time across the network The time servers operate in a hierarchical master slave configuration in order to synchronize local clock...

Страница 490: ...based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers SSH Secure Shell is a secure...

Страница 491: ...w or just unnecessary UTC Universal Time Coordinate UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not hav...

Страница 492: ...Glossary 492...

Страница 493: ...RP ACL 275 ARP inspection 279 ACL filter 282 additional validation criteria 281 ARP ACL 283 enabling globally 281 trusted ports 284 authentication MAC address authentication 243 MAC configuring ports...

Страница 494: ...s 211 setting PHB for matching packets 211 DNS default domain name 437 displaying the cache 442 domain name list 437 enabling lookup 437 name server list 437 static entries IPv4 441 Domain Name Servic...

Страница 495: ...ing 395 immediate leave IGMP snooping 406 immediate leave MLD snooping 423 importing user public keys 259 ingress filtering 145 IP address BOOTP DHCP 452 setting 451 IP filter for management access 28...

Страница 496: ...Management Information Bases MIBs 477 matching class settings classifying QoS traffic 207 memory status 90 utilization showing 90 mirror port configuring 129 configuring local traffic 129 configuring...

Страница 497: ...ts port 345 port priority 346 power savings configuring 127 enabling per port 127 priority default port ingress 193 private key 254 problems troubleshooting 479 protocol migration 179 protocol VLANs 1...

Страница 498: ...keys for clients 259 generating host key pair 258 server configuring 256 timeout 257 SSL replacing certificate 252 STA 165 BPDU auto recovery 179 BPDU filter 179 BPDU flooding 170 176 BPDU shutdown 1...

Страница 499: ...bers 144 creating 142 description 139 displaying port members by interface 147 displaying port members by interface range 148 displaying port members by VLAN index 146 dynamic assignment 246 egress mo...

Страница 500: ...E052016 ST R02 150200001416A...

Отзывы:

Нет отзывов

Похожие инструкции для GEL-1061

SmartPro DGS-1500-20

Бренд: D-Link Страницы: 113

xStack DGS-3120 Series

Бренд: D-Link Страницы: 1150

Бренд: BeeSecure Страницы: 35

Бренд: IDEM SAFETY SWITCHES Страницы: 2

Matrix DFE-Gold 4G4202-60

Бренд: Enterasys Страницы: 78

Бренд: ZENEC Страницы: 16

Бренд: SMART Страницы: 46

Бренд: F&G Страницы: 6

Бренд: Cardin Elettronica Страницы: 2

Бренд: SignaMax Страницы: 2

Бренд: TRENDnet Страницы: 16

Бренд: FS Страницы: 41

Бренд: HIKVISION Страницы: 5

Бренд: Bridgetek Страницы: 2

Storage Networking SAN128B-6

Бренд: IBM Страницы: 116

Бренд: N-Tron Страницы: 2

Бренд: IOGear Страницы: 10

Бренд: Lucent Technologies Страницы: 1421

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды