Cisco Systems ESW 500 User Manual


ADMINISTRATION GUIDE

Cisco Small Business Pro ESW 500 Series Switches

 

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems USA Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)

© 2009 Cisco Systems, Inc. All rights reserved.

OL-19128-01

ESW 500 Series Switches Administration Guide

Contents

Chapter: Getting Started, page 12
    Introduction, page 12
    Typical Installation Methods, page 13
    Default Configuration Settings on the ESW 500 Series Switches, page 14
    Physical Connectivity, page 14
    Connecting to the Switch, page 17
    Using the Default Static IP Address, page 17
    Using a Dynamic IP Address Allocated to the Switch By DHCP, page 22
    Using the Cisco Configuration Assistant (CCA), page 24
    Navigating The Cisco Switch Configuration Utility, page 29
    Using the Management Buttons, page 29
    Performing Common Configuration Tasks, page 30
    Checking the Software Version, page 30
    Checking the System Information, page 30
    Viewing what Devices are Attached to the Switch, page 31
    Configuring the VLAN Settings for the Switch, page 32
    Configuring individual ports using Cisco Smartport Roles, page 33
    Smartport Roles, page 34
    Checking the Device Power Consumption, page 38
    Saving the Configuration, page 40
    Upgrading the Firmware on the Switch, page 41
    Resetting the Device, page 46
    Manual Reset, page 47
    Logging Off the Device, page 47
    Using The Switch Console Port, page 48
    Selecting Menu Options and Actions, page 48

Chapter: Managing Device Information, page 52
    Understanding the Dashboards, page 52
    Ports, page 59
    Health and Monitoring, page 59
    Common Tasks, page 60
    Help, page 60
    Defining System Information, page 60
    Viewing Device Health, page 62
    Resetting the Device, page 64
    Managing Cisco Discovery Protocol, page 65
    Defining the Bonjour Discovery Protocol, page 68
    TCAM Utilization, page 70

Chapter: Managing Smart Ports, page 72
    Configuring Smart Ports for Desktops, page 73
    Configuring Smart Ports for IP Phones and Desktops, page 77
    Configuring Smart Ports for Access Points, page 80
    Configuring Smart Ports for Switches, page 82
    Configuring Smart Ports for Routers, page 84
    Configuring Smart Ports for Guests, page 87
    Configuring Smart Ports for Servers, page 89
    Configuring Smart Ports for Printers, page 91
    Configuring Smart Ports for VS Camera, page 94
    Configuring Smart Ports for Other, page 96

Chapter: Configuring System Time, page 99
    Defining System Time, page 99
    Defining SNTP Settings, page 103
    Defining SNTP Authentication, page 105

Chapter: Configuring Device Security, page 108
    Passwords Management, page 108
    Modifying the Local User Settings, page 110
    Defining Authentication, page 111
    Defining Profiles, page 111
    Modifying an Authentication Profile, page 114
    Mapping Authentication Profiles, page 115
    Defining TACACS+, page 117
    Modifying TACACS+ Settings, page 120
    Defining RADIUS, page 122
    Modifying RADIUS Server Settings, page 126
    Defining Access Methods, page 127
    Defining Access Profiles, page 128
    Defining Profile Rules, page 131
    Modifying Profile Rules, page 135
    Defining Traffic Control, page 137
    Defining Storm Control, page 138
    Modifying Storm Control, page 140
    Defining Port Security, page 141
    Modifying Port Security, page 145
    Defining 802.1X, page 146
    Defining 802.1X Properties, page 147
    Defining Port Authentication, page 149
    Modifying 802.1X Security, page 152
    Defining Authentication, page 155
    Modifying Authentication Settings, page 157
    Authenticated Hosts, page 158
    Defining Access Control, page 160
    Defining MAC Based ACL, page 160
    Adding Rule to MAC Based ACL, page 164
    Modifying MAC Based ACL, page 166
    Defining IP Based ACL, page 168
    Modifying IP Based ACL, page 174
    Adding an IP Based Rule, page 177
    Defining ACL Binding, page 179
    Modifying ACL Binding, page 180
    Defining DoS Prevention, page 181
    DoS Global Settings, page 181
    Defining Martian Addresses, page 183
    Defining DHCP Snooping, page 185
    Defining DHCP Snooping Properties, page 186
    Defining DHCP Snooping on VLANs, page 188
    Defining Trusted Interfaces, page 189
    Binding Addresses to the DHCP Snooping Database, page 191
    Query By, page 192
    Query Results, page 193
    Defining IP Source Guard, page 195
    Configuring IP Source Guard Properties, page 195
    Defining IP Source Guard Interface Settings, page 197
    Querying the IP Source Binding Database, page 199
    TCAM Resources, page 200
    Query By, page 201
    Query Results, page 201
    Defining Dynamic ARP Inspection, page 202
    Defining ARP Inspection Properties, page 203
    Defining ARP Inspection Trusted Interfaces, page 205
    Defining ARP Inspection List, page 207
    Static ARP Inspection Table, page 208
    Adding a Binding List entry, page 209
    Assigning ARP Inspection VLAN Settings, page 210
    Enabled VLAN Table, page 211

Chapter: Configuring Ports, page 213
    Port Settings, page 213
    Modifying Port Settings, page 215

Chapter: Configuring VLANs, page 219
    Defining VLAN Properties, page 220
    Modifying VLANs, page 222
    Defining VLAN Membership, page 223
    Modifying VLAN Membership, page 224
    Assigning Ports to Multiple VLANs, page 226
    Defining Interface Settings, page 229
    Modifying VLAN Interface Settings, page 230
    Defining GVRP Settings, page 232
    Modifying GVRP Settings, page 234
    Defining Protocol Groups, page 236
    Modifying Protocol Groups, page 237
    Defining a Protocol Port, page 238

Chapter: Configuring IP Information, page 241
    IP Addressing, page 241
    Defining DHCP Relay, page 243
    Defining DHCP Relay Interfaces, page 245
    Managing ARP, page 247
    ARP Table, page 249
    Modifying ARP Settings, page 250
    Domain Name System, page 251
    Defining DNS Servers, page 251
    Default Parameters, page 252
    DNS Server Details, page 253
    Mapping DNS Hosts, page 253

Chapter: Defining Address Tables, page 256
    Defining Static Addresses, page 256
    Defining Dynamic Addresses, page 259
    Query By Section, page 261

Chapter: Configuring Multicast Forwarding, page 262
    IGMP Snooping, page 262
    Modifying IGMP Snooping, page 264
    Defining Multicast Group, page 266
    Modifying a Multicast Group, page 268
    Defining Multicast Forwarding, page 269
    Modifying Multicast Forwarding, page 271
    Defining Unregistered Multicast Settings, page 272

Chapter: Configuring Spanning Tree, page 275
    Defining STP Properties, page 275
    Global Settings, page 276
    Defining Spanning Tree Interface Settings, page 278
    Modifying Interface Settings, page 282
    Defining Rapid Spanning Tree, page 284
    Modifying RSTP, page 287
    Defining Multiple Spanning Tree, page 289
    Defining MSTP Properties, page 290
    Defining MSTP Instance to VLAN, page 291
    Defining MSTP Instance Settings, page 293
    Defining MSTP Interface Settings, page 294

Chapter: Configuring Quality of Service, page 301
    Managing QoS Statistics, page 302
    Policer Statistics, page 302
    Add Aggregated Policer Statistics, page 304
    Resetting Aggregate Policer Statistics Counters, page 307
    Queues Statistics, page 307
    Adding Queues Statistics, page 309
    Resetting Queue Statistics Counters, page 309
    Defining General Settings, page 310
    Defining CoS, page 310
    Modifying Interface Priorities, page 312
    Defining QoS Queue, page 313
    Mapping CoS to Queue, page 316
    Mapping DSCP to Queue, page 318
    Configuring Bandwidth, page 319
    Modifying Bandwidth Settings, page 320
    Configuring VLAN Rate Limit, page 322
    Modifying the VLAN Rate Limit, page 324
    Defining Advanced QoS Mode, page 324
    Configuring DSCP Mapping, page 325
    Defining Class Mapping, page 327
    Defining Aggregate Policer, page 329
    Modifying QoS Aggregate Policer, page 331
    Configuring Policy Table, page 332
    Modifying the QoS Policy Profile, page 335
    Defining Policy Binding, page 337
    Modifying QoS Policy Binding Settings, page 339
    Defining QoS Basic Mode, page 340
    Rewriting DSCP Values, page 341

Chapter: Configuring SNMP, page 343
    SNMP Versions, page 343
    SNMP v1 and v2, page 343
    SNMP v3, page 343
    Configuring SNMP Security, page 344
    Defining the SNMP Engine ID, page 344
    Defining SNMP Views, page 346
    Defining SNMP Users, page 348
    Modifying SNMP Users, page 350
    Defining SNMP Groups, page 351
    Modifying SNMP Group Profile Settings, page 354
    Defining SNMP Communities, page 355
    Modifying SNMP Community Settings, page 358
    Defining Trap Management, page 359
    Defining Trap Settings, page 359
    Configuring Station Management, page 361
    Modifying SNMP Notifications, page 365
    Defining SNMP Filter Settings, page 367
    Managing Cisco Discovery Protocol, page 370

Chapter: Managing System Files, page 373
    Software Upgrade, page 374
    Save Configuration, page 375
    Copy Configuration, page 377
    Via TFTP, page 378
    Via HTTP, page 379
    Active Image, page 379
    DHCP Auto Configuration, page 381

Chapter: Managing Power-over-Ethernet Devices, page 382
    Defining PoE Settings, page 382

Chapter: Managing System Logs, page 386
    Enabling System Logs, page 386
    Viewing the Device Memory Logs, page 388
    Clearing Message Logs, page 389
    Viewing the System Flash Logs, page 390
    Clearing Flash Logs, page 391
    Remote Log Servers, page 391
    Modifying Syslog Server Settings, page 394

Chapter: Viewing Statistics, page 397
    Viewing Ethernet Statistics, page 397
    Defining Interface Statistics, page 397
    Resetting Interface Statistics Counters, page 399
    Viewing Etherlike Statistics, page 399
    Resetting Etherlike Statistics Counters, page 401
    Viewing GVRP Statistics, page 401
    Resetting GVRP Statistics Counters, page 403
    Viewing EAP Statistics, page 403
    Managing RMON Statistics, page 405
    Viewing RMON Statistics, page 406
    Resetting RMON Statistics Counters, page 408
    Configuring RMON History, page 408
    Defining RMON History Control, page 408
    Viewing the RMON History Table, page 411
    Defining RMON Events Control, page 413
    Modifying RMON Event Log Settings, page 415
    Viewing the RMON Events Logs, page 416
    Defining RMON Alarms, page 417
    Modifying RMON Alarm Settings, page 421

Chapter: Aggregating Ports, page 424
    Defining EtherChannel Management, page 425
    Defining EtherChannel Settings, page 427
    Modifying EtherChannel Settings, page 429
    Configuring LACP, page 431

Chapter: Managing Device Diagnostics, page 434
    Ethernet Port Testing, page 434
    Performing GBIC Uplink Testing, page 437
    Configure Span (Port Mirroring), page 438
    Monitoring CPU Utilization, page 440

Getting Started

Introduction

Thank you for choosing the Cisco Small Business Pro ESW 500 Series Switch. The ESW 500 series is a family of Ethernet switches that addresses the network infrastructure and access needs of small business customers for voice, data, PC, server, and video applications. They are simple to deploy and manage for use with IP phones, access points, IP cameras, and network attached storage servers, as well as almost any other Ethernet device. The ESW 500 series includes seven Fast Ethernet and Gigabit Ethernet switches in 24- and 48-port configurations with PoE and non-PoE options, and two 8-port PoE switches in Fast Ethernet and Gigabit Ethernet models. The switch models covered in this guide are:

ESW 500 Series Switch   Port Configuration
ESW 520-8P              8 Port 10/100 PoE
ESW 540-8P              8 Port 10/100/1000 PoE
ESW 520-24              24 Port 10/100
ESW 520-24P             24 Port 10/100 PoE
ESW 520-48              48 Port 10/100
ESW 520-48P             48 Port 10/100 PoE
ESW 540-24              24 Port 10/100/1000
ESW 540-24P             24 Port 10/100/1000 PoE
ESW 540-48              48 Port 10/100/1000

This section provides information about the different methods to connect to the switch, as well as some examples of a typical installation. It also provides an introduction to the user interface, and includes the following:

Typical Installation Methods, page 13

Connecting to the Switch, page 17

-Using the Default Static IP Address, page 17

-Using a Dynamic IP Address Allocated to the Switch By DHCP, page 22

-Using the Cisco Configuration Assistant (CCA), page 24

Navigating The Cisco Switch Configuration Utility, page 29

Performing Common Configuration Tasks, page 30

Using The Switch Console Port, page 48

Typical Installation Methods

The first step in any installation scenario is to connect to the switch and configure basic connectivity to ensure it communicates with the rest of the network.

The following diagram illustrates three common installation scenarios:

In the first two scenarios, called VOICE and SECURITY DATA, you are adding an ESW 500 switch to a new or existing Cisco Smart Business Communications System (SBCS) deployment. This is either a VOICE network anchored by a UC520 or a SECURITY / DATA network anchored by an SR520.

In the third scenario, called Heterogeneous Network, you are adding an ESW 500 switch to a network which does not have any Cisco Small Business products.

Default Configuration Settings on the ESW 500 Series Switches

The ESW 500 series switches ship with a default configuration that enables simplified installation and plug and play when connected into a Cisco Small Business network such as SBCS. The default settings are as follows:

- Management VLAN is VLAN 1
- Management IP address is obtained via DHCP by default. If the switch times out waiting for a Dynamic Host Configuration Protocol (DHCP) response, it falls back to the static IP address 192.168.10.2 with subnet mask 255.255.255.0.
- Voice VLAN is VLAN 100
- Cisco Discovery Protocol (CDP) is enabled on all ports

These defaults are published, so treat them as known to anyone who can reach a port: CDP on every port advertises the switch's identity to whatever is plugged in, the fallback address is fixed, and the initial login is cisco/cisco (the Switch Configuration Utility forces a change at first login). Review CDP, the management VLAN and the credentials before the switch carries production traffic.

Physical Connectivity

Physical connections to the switch are described in the tables and graphics on the next two pages.

 

ESW 500 Series Switch   Uplink Ports (Copper)   Uplink Ports (SFP / mini-GBIC)   Layer 2 Ethernet Ports
ESW 520-8P              GE1                     GE1                              1-8
ESW 540-8P              GE1                     GE1                              1-8
ESW 520-24/24P          GE1-GE4                 GE3-GE4                          1-24
ESW 520-48/48P          GE1-GE2                 GE3-GE4                          1-48
ESW 540-24/24P          11-12, 23-24            GE1-GE4                          1-10, 13-22
ESW 540-48              23-24, 47-48            GE1-GE4                          1-22, 25-46

NOTE On the 8 port devices, the Uplink and the GBIC ports can not be used at the same time.

The ESW 540-24/24P and ESW 540-48 use shared ports. When connecting to uplink ports, the GE ports take precedence over the copper ports. For example, on an ESW 540-24, if you plug a device into GE1, you cannot use port 11. The other port relationships are shown in the following table:

ESW 500 Series Switch   GE Port   Takes Precedence Over Copper Port
ESW 540-24/24P          GE1       11
ESW 540-24/24P          GE2       23
ESW 540-24/24P          GE3       12
ESW 540-24/24P          GE4       24
ESW 540-48              GE1       23
ESW 540-48              GE2       47
ESW 540-48              GE3       24
ESW 540-48              GE4       48

Compare the following table with the four examples of switch front panels that are on the next page:

#  Port              Description

1  Switch Ports      The switch is equipped with auto-sensing Ethernet (802.3) network ports which use RJ-45 connectors. The Ethernet ports support network speeds of 10 Mbps, 100 Mbps, or 1000 Mbps. They can operate in half- and full-duplex modes. Auto-sensing technology enables each port to automatically detect the speed of the device connected to it, and adjust its speed and duplex accordingly. These ports are typically used for devices such as PCs, servers, IP phones and access points, and are highlighted RED in the examples.

2  Uplink Ports      These ports are typically used for connecting to other switches, routers, or network backbone devices, and are highlighted in YELLOW in the examples. The mini-GBIC ports are a type of uplink port.

3  mini-GBIC Ports   The mini-GBIC (Gigabit Interface Converter) port is a connection point for a mini-GBIC expansion module, allowing the switch to be uplinked via fiber to another switch. Each mini-GBIC port provides a link to a high-speed network segment or individual workstation at speeds of up to 1000 Mbps. The mini-GBIC ports are highlighted in GREEN in the examples.

Front panel examples (figures): ESW 520-24/24P, ESW 520-48/48P, ESW 540-24/24P, ESW 540-48

Connecting to the Switch

This section contains information for starting the Switch Configuration Utility to provision the switch features. There are four different options to connect to the switch, three of which launch the Switch Configuration Utility. They are:

Using the default static IP address of the switch

Using Cisco Configuration Assistant

Using a dynamic IP address allocated to the switch via DHCP (from DHCP server)

Using the Console

The first three options open the ESW 500 Series Switch Configuration Utility, which is a web-based device manager used to provision the switch. The console option uses a terminal emulation program such as HyperTerminal (bundled with Windows) or PuTTY (freeware).

NOTE Using the Console does not launch the Switch Configuration Utility and is recommended for advanced users only. Using the Console is discussed at the end of this chapter.

Using the Default Static IP Address

To start configuring the switch, follow these steps:

STEP 1 Make sure that there are no devices connected to the switch, the switch is not connected to the network, and then power up the switch by connecting the power cord.

NOTE If the switch was previously connected to the network, it may have obtained an IP address from a DHCP server. To perform a static IP address installation, disconnect all devices and remove the switch from the network. Then perform a power cycle of the switch by unplugging the power cable, waiting 5 seconds, and plugging it back in.

STEP 2 Connect a PC to port 1 of the switch with an ethernet cable.

STEP 3 If your PC is using a static IP address, make note of your current IP address settings, and record them for future use.

STEP 4 Place the PC on the same subnet of the switch by configuring the PC with the following parameters:

Static IP address — 192.168.10.11

Subnet mask — 255.255.255.0

Default gateway — 192.168.10.2

NOTE Details on how to change the IP address on your PC are dependent upon the type of architecture and operating system installed. Use your PC’s local Help and Support functionality and search for “IP Addressing”.

STEP 5 Open a web browser. Cisco recommends Internet Explorer version 6 or higher, or Firefox version 3. Accept the request to install the ActiveX plugin; because the PC is cabled directly to the isolated switch at this point, the only site that should be prompting is http://192.168.10.2.

Enter http://192.168.10.2 in the address bar and press Enter. The Log In page opens:

Log In page

STEP 6 Enter a user name and password. The default user name is cisco and the default password is cisco. Passwords are case sensitive and alphanumeric. Click Log In.

STEP 7 While the system is verifying the login attempt, the Log In Progress Indicator appears. The indicator dots rotate clockwise to indicate that the system is still working. If the login attempt is successful, the Change Username/Password Page opens.

NOTE After logging in using the default username and password you must change to a new username and password. Only after the change has been made, can you operate the device through the web browser. Every time you log in using cisco as the username and password, you will be redirected to the Change Username/Password Page.

STEP 8 Click Apply. The Switch Configuration Utility - System Dashboard page opens.

Switch Configuration Utility - System Dashboard

STEP 9 Click Monitor & Device Properties > System Management > IP Addressing > IPv4 Interface. The IPv4 Interface page opens.

IPv4 Interface Page

NOTE It is expected that the IP address to be assigned to the switch is known prior to installation, based on the network topology.

STEP 10 Select the Static IP address radio button and enter the IP Address, Network Mask and User Defined Default Gateway. These must match the IP addressing subnet in the network in which the ESW 500 switch will be deployed. Click Apply.

NOTE The PC loses the connection to the switch at this point.

STEP 11 The switch now has an address on your network. Restore the PC's original IP settings and reconnect it to its normal place in the network.

STEP 12 You are now ready to proceed with additional switch configuration.

NOTE If you will be using this PC for further switch configuration, it will need to be on the same subnet as the switch.

Using a Dynamic IP Address Allocated to the Switch By DHCP

If this method of obtaining an IP address is used, you need access to the DHCP server, or to another tool that shows its lease assignments, so that you can find the address it allocated to the switch. Prior to choosing this method of installation, speak with your network administrator to ensure you will have the correct information available to you.

NOTE By default, the IP address of the device is assigned dynamically.

Log on to the DHCP server and check the IP address corresponding to the Media Access Control (MAC) address of the switch. On the 24 and 48 port models, the MAC address is on the back panel of the switch next to the power adapter. On the 8 port models, the MAC address is on the bottom of the device. The illustration below shows a MAC address of 00211BFE7218.
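The lookup described in the paragraph above can be scripted. The following is an added example written for this edit, not code from the Cisco guide; it assumes an ISC dhcpd server (dhcpd.leases text) or, failing that, the management PC's own neighbour cache (`ip neigh show` on Linux), and it carries the guide's factory fallback (switch at 192.168.10.2/24, PC at 192.168.10.11) as the last resort for the static-address procedure earlier in this chapter. The lease and neighbour text embedded below is constructed sample data; the MAC address is the one shown in the guide.

```python
"""Locate an ESW 500 switch's management address from its MAC address.

Added example; not part of the Cisco guide. The guide states that the switch
takes its management address from DHCP, falls back to 192.168.10.2/24 without
a DHCP reply, and that the DHCP lease is found by the MAC printed on the
chassis. The sample lease and neighbour text below is constructed.
"""
import ipaddress
import re

# Factory fallback stated in the guide.
FALLBACK_IP = ipaddress.IPv4Address("192.168.10.2")
FALLBACK_NET = ipaddress.IPv4Network("192.168.10.0/24")

# Constructed sample: an expired lease and an active lease for the switch MAC
# from the guide (00211BFE7218), plus an unrelated client.
SAMPLE_LEASES = """\
lease 192.168.10.40 {
  ends 3 2009/07/29 22:15:00;
  binding state free;
  hardware ethernet 00:21:1b:fe:72:18;
}
lease 192.168.10.58 {
  ends 4 2009/07/30 21:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "workstation-7";
}
lease 192.168.10.57 {
  ends 4 2009/07/30 22:15:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:21:1b:fe:72:18;
  client-hostname "ESW-540-24P";
}
"""

# Constructed sample of `ip neigh show` output on the management PC.
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:1d:7e:aa:bb:cc REACHABLE
192.168.10.57 dev eth0 lladdr 00:21:1b:fe:72:18 STALE
fe80::1 dev eth0 lladdr 00:1d:7e:aa:bb:cc router REACHABLE
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)


def normalize_mac(mac):
    """Accept 00211BFE7218, 00:21:1b:fe:72:18, 00-21-1B-FE-72-18 or
    0021.1bfe.7218 and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def leases_for_mac(leases_text, mac):
    """IPs that dhcpd currently binds to `mac`. dhcpd appends entries, so the
    last match is the current lease; leases not in state 'active' are skipped
    ('next binding state' lines are ignored by anchoring at line start)."""
    want = normalize_mac(mac)
    found = []
    for m in LEASE_RE.finditer(leases_text):
        body = m.group("body")
        hw = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        if hw is None or normalize_mac(hw.group(1)) != want:
            continue
        if state is not None and state.group(1) != "active":
            continue
        found.append(m.group("ip"))
    return found


def neighbours_for_mac(neigh_text, mac):
    """IPs the local neighbour cache maps to `mac` (`ip neigh show` format)."""
    want = normalize_mac(mac)
    found = []
    for line in neigh_text.splitlines():
        parts = line.split()
        if "lladdr" in parts and normalize_mac(parts[parts.index("lladdr") + 1]) == want:
            found.append(parts[0])
    return found


def locate_switch(mac, leases_text="", neigh_text=""):
    """DHCP lease first, neighbour cache second, factory fallback last.
    Returns (ip, source) so the caller knows how much to trust the answer."""
    leases = leases_for_mac(leases_text, mac)
    if leases:
        return leases[-1], "dhcp-lease"
    neigh = neighbours_for_mac(neigh_text, mac)
    if neigh:
        return neigh[-1], "neighbour-cache"
    return str(FALLBACK_IP), "factory-fallback"


def pc_address_ok(pc_ip, pc_mask="255.255.255.0"):
    """For the fallback procedure (guide: PC at 192.168.10.11/24, gateway
    192.168.10.2) the PC must sit inside 192.168.10.0/24 and must not reuse
    the switch's own address."""
    iface = ipaddress.IPv4Interface("%s/%s" % (pc_ip, pc_mask))
    return iface.network == FALLBACK_NET and iface.ip != FALLBACK_IP


if __name__ == "__main__":
    ip, source = locate_switch("00211BFE7218", SAMPLE_LEASES, SAMPLE_NEIGH)
    print("switch management address %s (from %s); browse to http://%s/" % (ip, source, ip))
```

Against a real server, pass `open("/var/lib/dhcp/dhcpd.leases").read()` (path varies by distribution) as `leases_text`. The `source` value matters because the fallback address and the initial cisco/cisco login are published: a `dhcp-lease` or `neighbour-cache` answer ties the address to the MAC printed on your switch, whereas `factory-fallback` only tells you where a fresh switch would answer, so confirm the MAC on the System Information page before relying on that address.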

Once you have the correct IP address that has been assigned to the switch, you can begin configuring the switch.

STEP 1 Open a web browser. Cisco recommends Internet Explorer version 6 or higher, or Firefox version 3 or higher.

Enter the IP address that has been assigned to the switch in the address bar and press Enter. The Log In page opens:

Log In page

STEP 2 Enter a user name and password. The default user name is cisco and the default password is cisco. Passwords are case sensitive and alphanumeric.

STEP 3 Click Log In. The Switch Configuration Utility - System Dashboard page opens.

STEP 4 A window opens that prompts you to change your username and password from the default. Choose a new username and password, then click Apply.

Switch Configuration Utility - System Dashboard

STEP 5 You are now ready to proceed with additional switch configuration.

Using the Cisco Configuration Assistant (CCA)

NOTE To perform an installation using CCA, you must have a PC with Windows Vista Ultimate or Windows XP, Service Pack 1 or later installed and CCA version 2.2 or higher installed.

The Cisco Configuration Assistant can be used to connect to and configure the switch when there is an existing or new Smart Business Communications System (SBCS) or with other Cisco Small Business Pro products such as the SA 500 Series Security Appliance or the AP 541 Access Point. The ESW 500 series switch obtains the management IP address via DHCP after it is connected to the network.

To begin installing the switch using CCA, perform the following steps:

STEP 1 Power on the ESW 500 series switch.

STEP 2 Connect one of the designated uplink ports on the ESW 500 series switch to the expansion port on the UC520 or one of the switch ports on the SR520.

STEP 3 Connect the PC with CCA installed to any access switch port on the ESW 500 or alternately, the UC500 or Small Business Pro router.

STEP 4 Launch CCA. To verify you have CCA version 2.2 or higher, click Help > About. The version page opens.

CCA Version page

STEP 5 Connect to an existing community, or create a new one. For more information on how to create a community, refer to the "How to create a CCA community" VOD at https://www.myciscocommunity.com/docs/DOC1423#UC500_System_Level_Features

Connect page

STEP 6 Once you have connected to the community, the Topology View opens and displays the ESW 500 Series Switch. Right-click on the switch to display three options:

Device Manager

Properties

Annotation

You can now continue with configuring the switch by two different options; use CCA to do all of the configuration, or use the Device Manager to go to the switch Configuration Utility. Additional information is described in detail in the appropriate CCA user documentation. This procedure uses the Device Manager.

CCA Topology View page

STEP 7 Click on Device Manager.

The Log In page will launch in a new browser window.

Log In page

STEP 8 Enter a user name and password. The default user name is cisco and the default password is cisco. Passwords are case sensitive and alphanumeric.

STEP 9 Click Log In. The Switch Configuration Utility - System Dashboard page opens.

STEP 10 A window opens that prompts you to change your username and password from the default. Choose a new username and password, then click Apply.

Switch Configuration Utility - System Dashboard

STEP 11 You are now ready to proceed with additional switch configuration.

Navigating The Cisco Switch Configuration Utility

The Cisco Switch Configuration Utility is a web-based device manager that is used to provision the switch. You must have IP connectivity between the PC and the switch to configure the switch. The following section describes how to navigate within the interface.

Switch Configuration Utility - System Dashboard Page

The following table lists the interface components with their corresponding numbers:

#  Component              Description

1  Navigation Pane        The navigation pane provides easy navigation through the configurable device features. The main branches expand to provide the subfeatures.

2  Device View            The device view contains a graphical representation of the device faceplate, including the device status and port LEDs. Clicking on a port will open up the Edit Port Page.

3  Getting Started Links  The getting started links allow you to navigate through the different device features.

Using the Management Buttons

Device Management buttons and icons provide an easy method of configuring device information.

Performing Common Configuration Tasks

Once the Switch Configuration Utility has been launched and you have logged into the switch, these are some examples of the common configuration tasks you can perform. Use the menus in the left navigation panel to choose a specific area of configuration.

Checking the Software Version

To check the version of the software on the switch, click About at the top of the page.

Software Version Page

Checking the System Information

Click on Monitor & Device Properties > System Management > System Information. The System Information page opens.

System Information Page

From this page you can configure the hostname of the switch, location and contact information for support. Also, you can view important information such as the system uptime, software version, MAC Address and Serial Number (SN).

Viewing what Devices are Attached to the Switch

To view what devices are attached to the switch, click Monitor & Device Properties > CDP. The CDP page opens.

CDP Page

Review the ports for connecting IP Phones, PCs, Access Points and the uplink to the Cisco UC520 or SR520. You can change the Voice VLAN from the default of 100 if required.

Configuring the VLAN Settings for the Switch

To add or edit the default VLAN settings, click on VLAN & Port Settings > VLAN Management > Properties. The Properties page opens.

NOTE If the ESW 500 series switch is being deployed into a Cisco SBCS network, the installation is plug and play. If the switch is being deployed into a non-Cisco network, you will need to manually change the VLAN settings.

Properties Page

Configuring individual ports using Cisco Smartport Roles

Smartport Roles make it easy to provision switch ports by automatically applying the appropriate configuration for attached IP phones, access points, or other devices to optimize network performance. The ESW 500 series switches support the predefined roles listed below:

Role: Desktop
- Optimized for desktop connectivity
- Configurable VLAN setting
- Port security enabled to limit unauthorized access to the network

Role: IP Phone + Desktop
- Optimized Quality of Service (QoS) for IP phone + desktop configurations
- Voice traffic is placed on the "Cisco-Voice" VLAN
- Configurable data VLAN
- QoS level assures voice-over-IP (VoIP) traffic takes precedence
- Port security enabled to limit unauthorized access to the network

Role: Router
- Configured for optimal connection to a router or firewall for WAN connectivity

Role: Switch
- Configured as an uplink port to another switch or router; Layer 2 port for fast convergence
- Enables 802.1Q trunking

Role: Access Point
- Configured for optimal connection to a wireless access point
- Configurable VLAN

Role: Guest
- Configured for a guest in a company, where the user would need to be restricted to specific applications

Role: Server
- Configured for optimal connection to a server

Role: Printer
- Configured for optimal connection to a printer

Role: VS Camera
- Configured for optimal connection to a Video Surveillance Camera

Role: Other
- An "Other" Smartports role allows for flexible connectivity of non-specified devices
- Configurable VLAN
- No security
- No QoS policy

Note that the Other role applies no port security and the Switch role turns the port into an 802.1Q trunk. Assign these only to ports that actually face infrastructure, and leave user-facing ports on Desktop or IP Phone + Desktop, which keep port security enabled.

Smartport Roles

Default Smartport Roles applied to the individual ports for each type of device are as follows:

 

ESW 500 Series   Layer 2 Switch Ports                                         Uplink Ports
Switch           Desktop Smartport Role   IP Phone + Desktop Smartport Role   Switch Smartport Role
ESW 520-8P       -                        1-8                                 G1
ESW 540-8P       -                        1-8                                 G1
ESW 520-24       1-24                     -                                   G1-G4
ESW 520-24P      -                        1-24                                G1-G4
ESW 520-48       1-48                     -                                   G1-G4
ESW 520-48P      -                        1-48                                G1-G4
ESW 540-24       1-10,13-22               -                                   11-12,23-24
ESW 540-24P      -                        1-10,13-22                          11-12,23-24
ESW 540-48       1-22,25-46               -                                   23-24,47-48


NOTE The G in the port tables denotes 10/100/1000 (Gigabit) copper or GBIC ports on the ESW 520 series switches, and denotes the single G1 interface on the 8-port versions of the switch.

The following steps show one example of using the Smart Ports Setting Wizard to configure access points. It is not necessary to configure your switch in this manner.

STEP 1 Click on the System Dashboard, and then on the Smartports Wizard. The Smart Ports Wizard opens.

To change a port from the default setting to a different role, highlight the appropriate port on this page by clicking on it, then select a different profile from the drop-down list under Assign Profile:

Smart Ports Setting Wizard

STEP 2 Configure ports 4-6 for Access Points.


Smart Ports Setting Wizard

STEP 3 Click Next. The Access Point window opens. To ensure all VLANs in the network are trunked to the Wireless Access Points, select the drop-down list beside Trunk Allowed VLANs. Select VLAN 100 from the drop-down list to allow voice over wireless.

Smart Ports Settings Wizard - Access Point

STEP 4 Click Allow to ensure that VLAN 100 shows up in the allowed list, and then click Apply.


Smart Ports Settings Wizard - Access Point

STEP 5 A confirmation page opens. Review your changes and click OK.

Smart Ports Settings Wizard - Access Point Setting Status

STEP 6 Return to the System Dashboard and click on the Smart Ports Wizard. The icons for ports 4-6 should appear as follows:


Smart Ports Setting

Checking the Device Power Consumption

Check the overview of the power consumption on the switch. Click System Dashboard > PoE Settings. The PoE Settings page opens.


PoE Settings Page

Click Edit to change a PoE setting.

The number of PoE devices supported on a switch depends on the power requirements for each device and the switch model in question. To help illustrate this, the PoE Device Support table shows the recommended number of PoE devices for 3 different scenarios:

Scenario 1 — Assumes the PoE devices connected to the switch are all IEEE 802.3af Class 2 devices which draw less than 7.5W per device

Scenario 2 — Assumes the PoE devices connected to the switch are a mix of IEEE 802.3af Class 2 & Class 3 devices which on average draw less than 11W per device

Scenario 3 — Assumes the PoE devices connected to the switch are all IEEE 802.3af Class 3 devices which draw less than 15.4W per device


PoE Device Support

ESW 500 Series   Total       Scenario 1 PoE Devices   Scenario 2 PoE Devices   Scenario 3 PoE Devices
Switch           Power       drawing < 7W             drawing < 11W            drawing < 15.4 W
ESW 520-8P       60 Watts    Up to 15.4 Watts to each port up to the total budget
ESW 540-8P       120 Watts   Up to 15.4 Watts to each port up to the total budget
ESW 520-24P      180 Watts   24 Devices               16 Devices               12 Devices
ESW 520-48P      380 Watts   48 Devices               32 Devices               24 Devices
ESW 540-24P      280 Watts   24 Devices               24 Devices               18 Devices

In these scenarios, a device would be a wireless access point, IP phone, video surveillance camera or other such device. Refer to the information that came with your specific device for power consumption information.

Refer to additional sections in this guide for details on further PoE configuration.

Saving the Configuration

After any changes, always make sure to save the switch configuration. Click Maintenance > File management > Save Configuration. The Save Configuration page opens.


Save Configuration Page

The Save Configuration Page contains the following fields:

Source File Name — Indicates the device configuration file to copy and the intended usage of the copied file (Running, Startup, or Backup).

Destination File Name — Indicates the device configuration file to copy to and the intended usage of the file (Running, Startup, or Backup).

Define the relevant fields and then click Apply. The Configuration Files are updated.

Another option to quickly save the Running Configuration to the Startup Configuration is to click Save Configuration at the top of the page. This link is initially grayed out. Once switch configuration changes are made, the link becomes active.

Upgrading the Firmware on the Switch

The following steps show how to download, install, and make a new firmware release the active image on the switch.


STEP 1 Ensure the PC has IP connectivity to the ESW 500 series switch.

STEP 2 The switch can be upgraded through the TFTP or HTTP protocol. If you choose to use TFTP, the PC needs to have a TFTP server running on it. A free TFTP server can be downloaded from:

http://www.solarwinds.com/downloads/index.aspx

STEP 3 Download the latest ESW 500 series software file from:

www.cisco.com/go/esw500help

If you choose to use TFTP, make sure it is stored in the root directory of the TFTP server running on your PC.

STEP 4 Download the software image from the PC to the ESW 500 series switch. Click on Maintenance > File Management > Software Upgrade. The Software Upgrade page opens.

Software Upgrade Page

STEP 5 For TFTP: Enter the PC IP address in the TFTP Server field and the exact filename for the image in the Source File field, then click Apply. The Software Upgrade page shows the progress of the download.


For HTTP: Click Browse and navigate to the file name of the image.

STEP 6 Once the download is complete, click on Maintenance > File Management > Active Image. The Active Image page opens.

Active Image Page

STEP 7 Choose the new image from the drop-down list under After Reset and click Apply.

STEP 8 Save the switch configuration. Click Maintenance > File Management > Save Configuration. The Save Configuration page opens.


Save Configuration Page

STEP 9 Keep the defaults for Source File Name and Destination File Name and click Apply.

STEP 10 Reset the switch by clicking on Monitor & Device Properties > System Management > Restart / Reset.


Restart / Reset Page

STEP 11 Click on Reset / Reboot and the switch should reboot with the new image.

STEP 12 After the switch has completed rebooting and is up and running, log back in.

STEP 13 Ensure the software has been upgraded by clicking on About at the top of the Dashboard page. A version page will appear:


Resetting the Device

The Restart / Reset Page enables the device to be reset from a remote location. Save all changes to the Running Configuration file before resetting the device by clicking on Maintenance > File Management > Save Configuration. Define the relevant fields and then click Apply. This prevents losing the current device configuration.

To reset the device:

STEP 1 Click Monitor & Device Properties > System Management > Restart / Reset. The Restart / Reset Page opens.

Restart / Reset Page

STEP 2 Click one of the available Reset commands:

Reset / Reboot — Resets the device. Ensure the device configuration has been saved.

Restore Default — Restores the device to the factory default configuration.

STEP 3 After the switch has completed rebooting and is up and running, relaunch the Switch Configuration Utility and log back into the switch.


NOTE If using CCA to launch the Switch Configuration Utility, right-click on switch > Device Manager. Refresh the topology screen to get the latest IP address for the switch.

Manual Reset

The Switch can be reset by inserting a pin or paper clip into the RESET opening. Pressing the manual reset for 0 to 10 seconds reboots the switch. Pressing the manual reset for longer than 10 seconds results in the switch being reset to factory defaults.

Logging Off the Device

Click Logout at the top of the page. The system logs off. The Switch Configuration Utility closes and the Log In page opens.


Using The Switch Console Port

The switch features a menu-based console interface for basic configuration of the switch and management of your network. The switch can be configured using the menu-based interface through the console port or through a telnet connection.

This section describes console interface configuration.

TIP Configuration of the switch through the Console Port requires advanced skills. This should only be attempted by trained personnel.

Selecting Menu Options and Actions

Within the Console Interface, menus list options in numeric order. Actions appear at the end of the page. To select menu options and actions, use the following keys on your keyboard:

Key          Function
Arrow keys   Move the cursor up, down, left, or right.
Number key   Press the menu number and then press the Enter key to select a menu option.
Tab          Move the cursor from one field to the next on an editing page.
Enter        Select an option that is highlighted by the cursor.
Esc          Return to the previous menu or page, or move the cursor from editable fields to the Action list.

Use the following steps to connect to the switch using the console:

STEP 1 Power up the ESW 500 Series switch.

STEP 2 Connect it to the network if required.

STEP 3 Use the console cable supplied with the switch to connect the serial port on the PC to the console port on the switch.


STEP 4 On the PC, launch a terminal emulation program such as HyperTerminal (bundled with Windows) or PuTTY (freeware) and configure a new connection with the following settings:

Speed or Bits Per Second — 115200

Data Bits — 8

Stop Bit — 1

Parity — None

Flow Control — None

Serial Port — Choose the appropriate serial or COM port on the PC that the console cable is connected to

STEP 5 Save these settings and open a connection using the terminal emulation software. If a blinking cursor appears, press Tab and enter the default username cisco, then press Tab again and enter the default password cisco. Press Enter to continue.

STEP 6 The switch main menu opens.

The System Configuration Menu line should be highlighted.

STEP 7 Press Enter. The page changes to System Configuration Menu.


STEP 8 Scroll down to option 6, IP Configuration, and press Enter. The IP Configuration Menu opens.

STEP 9 Highlight option 1, IPv4 Address Configuration, and press Enter. The IPv4 Address Configuration Menu opens.

STEP 10 Highlight option 1, IPv4 Address Settings, and press Enter. The IPv4 Address Settings page opens.


The current IP address setting for the ESW 500 series switch is shown. If the switch is already connected to the network and obtained an IP address via DHCP, this is the IP address which is used to launch the ESW 500 Switch Configuration Utility.

If you need to change the IP address to a static IP address, perform the following steps:

STEP 1 Use the Right arrow key to highlight Edit, then press Enter. The IPv4 Address field should be highlighted.

STEP 2 Use the arrow keys to navigate around the window and the Enter key to apply changes, and modify the IPv4 Address, Subnet Mask, and Default Gateway.

STEP 3 Change the DHCP Client field to be Disable by pressing the space bar.

STEP 4 Press the ESC key, press the right arrow to highlight Save, and press Enter to save all changes.


Managing Device Information

This section provides information for defining both basic and advanced system information. This section contains the following topics:

Understanding the Dashboards

Defining System Information

Viewing Device Health

Managing Cisco Discovery Protocol

Defining the Bonjour Discovery Protocol

TCAM Utilization

Understanding the Dashboards

The System Dashboard page is the main window and contains links for configuring ports, viewing device health information, common device tasks, and viewing online help.

Ports — Includes Smartports Wizard and VLAN Configuration

Health and Monitoring — Includes System Information, Health, and SPAN (Port Mirroring)

Common Tasks — Includes PoE Settings (PoE switches only), Restart/Reset, and Save Configuration

Help — Includes online Device Help and More help at Cisco.com

To open the System Dashboard Page:

Click System Dashboard (Device Name). The System Dashboard page for your device opens:

System Dashboard (ESW-520-24) Page

System Dashboard (ESW-520-24P) Page

System Dashboard (ESW-520-48) Page

System Dashboard (ESW-520-48P) Page

System Dashboard (ESW-540-24) Page

System Dashboard (ESW-540-24P) Page

System Dashboard (ESW-540-48) Page

You can edit a specific port on the switch by clicking on that port from the device view.

The System Dashboard page contains the following port indicators in the device graphical representation:

Green — Indicates the port is currently operating.

The System Dashboard page contains links to the following:

Ports

Smart Ports Wizard — Opens the Smart Ports Wizard page.

VLAN Configuration — Opens the VLAN Properties Page.

Health and Monitoring

System Information — Opens the System Information Page.

Health — Opens the Health Page.

SPAN (Port Mirroring) — Opens the SPAN (Port Mirroring) Page.


Common Tasks

PoE Settings — Opens the PoE Settings Page (PoE switches only)

Restart / Reset — Opens the Restart/Reset Page.

Save Configuration — Opens the Save Configuration Page.

Help

Device Help — Opens the online help.

More help at Cisco.com — Provides a link to online Technical Support.

Defining System Information

The System Information Page contains parameters for configuring general device information. To open the System Information Page:


STEP 1 Click Monitor & Device Properties > System Management > System Information. The System Information Page opens:

System Information Page

The System Information Page contains the following fields:

System Name — Displays the user configured name of the system.

System Location — Defines the location where the system is currently running. The field range is from 0-160 characters.

System Contact — Defines the name of the contact person. The field range is 0-160 characters.

Login Banner — Defines a user-configurable message of up to 1000 characters.

System Object ID — Displays the vendor’s authoritative identification of the network management subsystem contained in the entity.

System Up Time — Displays the amount of time that has elapsed since the last device reset. The system time is displayed in the following format: Days, Hours, Minutes and Seconds. For example: 41 days, 2 hours, 22 minutes and 15 seconds.

Base MAC Address — Displays the device MAC address.

Software Version — Displays the software version number.

Boot Version — Indicates the system boot version currently running on the device.

Jumbo Frame — Indicates if Jumbo Frames are enabled. Jumbo Frames become active after resetting the device. (Jumbo Frames are not available on ESW-520 devices). The possible field values are:

-Enable — Enables Jumbo Frames on the device.

-Disable — Disables Jumbo Frames on the device.

Unique Device Identifier — Displays the Unique Device Identifier (UDI). The UDI provides a unique identifier for Cisco devices. The device comes with the UDI preconfigured. The UDI is composed of three parts, including:

-PID — The Product Identifier (PID) is an alphanumeric identifier that identifies the specific Cisco hardware.

-VID — The Version Identifier (VID) provides tracking for the Customer Orderable PID version. The VID indicates the number of reportable customer versions.

-SN — The Serial Number (SN) is unique to the device, and identifies the device and the Field Replaceable Unit (FRU).

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The system information is defined, and the device is updated.

Viewing Device Health

The Health Page displays physical device information, including information about the device’s power and ventilation sources.


STEP 1 Click Monitor & Device Properties > System Management > Health. The Health Page opens:

Health Page

The Health Page contains the following fields:

Power Supply Status — Displays the power supply status. Power supply 1 is displayed as PS in the interface, while the redundant power supply is displayed as RPS. The possible field values are:

-OK — Indicates the power supply is operating normally.

-Fail — Indicates the power supply is not operating normally.

-Not Present — Indicates a redundant power supply is not connected.

Fan Status — Displays the fan status. The device has five fans. Each fan is denoted as fan plus the fan number. The possible field values are:

-OK — Indicates the fan is operating normally.

-Fail — Indicates the fan is not operating normally.

-Not Present — Indicates the fan is not present.

Resetting the Device

The Restart / Reset page enables the device to be reset from a remote location. Save all changes to the Running Configuration file before resetting the device. This prevents the current device configuration from being lost. To open the Restart / Reset Page:

STEP 1 Click Monitor & Device Properties > System Management > Restart / Reset. The Restart / Reset Page opens:

Restart / Reset Page

The following resets the device:

Reset / Reboot — Resets the device. Ensure the device configuration has been saved.

Restore Default — The device is restored to the factory default configuration.


Managing Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol that enables devices to advertise their existence to other devices by sending periodic CDP updates to a multicast address. In addition, CDP allows devices to receive information about other devices on the same LAN or on the remote WAN side. The system supports CDP versions 1 and 2. To enable CDP on the device:

STEP 1 Click Monitor & Device Properties > CDP. The CDP Page opens:

CDP Page

The CDP Page contains the following fields:

The following fields are configurable by the user:

CDP Status — Indicates if CDP is enabled on the device. The possible field values are:

-Enable — Enables CDP on the device. This is the default value.

-Disable — Disables CDP on the device.


Voice VLAN — The Voice VLAN field displays the current Voice VLAN used by the switch. The default is VLAN #100. This VLAN carries the voice traffic, and is also advertised through the CDP to the other elements in the network. The user can change the Voice VLAN via this screen.

The following fields display Neighbors Information and are Read-only.

Device ID — Indicates the device ID that is advertised by neighboring devices.

Local Interface — Indicates the receiving port number.

Advertise Version — Indicates the CDP version advertised by the neighboring device.

Time to Live — Indicates the amount of time in seconds before the neighboring device CDP information is aged out. The field default is 180 seconds.

Capabilities — Indicates the device capabilities advertised by the neighboring devices. There are 11 capabilities, each represented by a one-letter code. A neighbor device can advertise more than one capability, which is presented as a series of one-letter codes; for example, S I D represents Switch + IGMP + Remotely-Managed-Device. The list of capabilities follows:

-R — Router

-T — Trans Bridge

-B — Source Route Bridge

-S — Switch

-H — Host

-I — IGMP

-r — Repeater

-P — VoIP-Phone

-D — Remotely-Managed-Device

-C — CVTA

-M — Two-port MAC Relay

Platform — Indicates product name and model number of the neighboring device.


Port ID — Indicates the neighboring device’s port from which the CDP packet was sent.

STEP 2 Select Enable in the CDP Status field to enable the Cisco Discovery Protocol on the device.

STEP 3 Define a VLAN ID to be advertised by the device in the Voice VLAN field.

STEP 4 Click Apply. CDP is enabled, and the device is updated.

To view additional neighboring device CDP information:

STEP 1 Click Monitor & Device Properties > CDP. The CDP Page opens.

STEP 2 Click Details. The CDP Neighbors Details Page opens:

CDP Neighbors Details Page

In addition to the fields in the CDP Page, the CDP Neighbors Details Page contains the following additional fields:

Device ID — Indicates the name of the neighbor device and either the MAC address or the serial number of the device.


Advertisement Version — Indicates the CDP version advertised by the neighboring device.

Native VLAN — Defines the ID number of the VLAN on the neighbor device.

Duplex — Displays the duplex state of connection between the current device and the neighbor device. The possible field values are:

-Full — Indicates that the interface supports transmission between the device and the client in both directions simultaneously.

-Half — Indicates that the interface supports transmission between the device and the client in only one direction at a time.

IP Address — Indicates the IP address advertised by the neighboring device.

Platform — Indicates the product name and number of the neighboring device.

Capabilities — Indicates the device type of the neighbor. This device can be a router, a bridge, a transparent bridge, a source-routing bridge, a switch, a host, an IGMP device, or a repeater.

Interface — Indicates the protocol and port number of the port on the current device.

Port ID (outgoing port) — Indicates the neighboring device’s port from which the CDP packet was sent.

Time to Live — Indicates the amount of time in seconds before the neighboring device CDP information is aged out. The field default is 180 seconds.

Version — Indicates the software version of the neighboring device.
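As an added example (not code from the guide), the following Python decodes a CDP advertisement into the fields listed above and renders the Capabilities field as the one-letter codes the CDP Page uses, which is the same decoding a monitoring host needs to track what neighbors are advertising. The TLV type codes and capability bit values are taken from the public CDP wire format rather than from the guide, and the neighbor advertisement is constructed inline, not captured from a real device.

```python
import struct

# CDP TLV type codes from the CDP wire format (assumed; the guide does not list them).
TLV_DEVICE_ID, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0003, 0x0004
TLV_SW_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_DUPLEX = 0x0005, 0x0006, 0x000A, 0x000B

# Capability bit -> one-letter code, in the order the guide's CDP Page lists them.
CAPABILITY_BITS = [
    (0x001, "R"),  # Router
    (0x002, "T"),  # Trans Bridge
    (0x004, "B"),  # Source Route Bridge
    (0x008, "S"),  # Switch
    (0x010, "H"),  # Host
    (0x020, "I"),  # IGMP
    (0x040, "r"),  # Repeater
    (0x080, "P"),  # VoIP-Phone
    (0x100, "D"),  # Remotely-Managed-Device
    (0x200, "C"),  # CVTA
    (0x400, "M"),  # Two-port MAC Relay
]

def capability_codes(mask):
    """Render a capability bitmask the way the CDP Page does, e.g. 'S I D'."""
    return " ".join(code for bit, code in CAPABILITY_BITS if mask & bit)

def cdp_checksum(data):
    """Ones'-complement sum over 16-bit words (the IP checksum algorithm).
    Odd-length input is zero-padded here; real CDP handles odd lengths
    differently, so the constructed frame below is kept even-length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tlv(tlv_type, value):
    # A CDP TLV length field covers the 4-byte type/length header plus the value.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def build_cdp_frame(device_id, port_id, caps, platform, native_vlan,
                    full_duplex, version=2, ttl=180):
    """Assemble a CDP payload (everything after the SNAP header)."""
    body = (build_tlv(TLV_DEVICE_ID, device_id.encode())
            + build_tlv(TLV_PORT_ID, port_id.encode())
            + build_tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + build_tlv(TLV_PLATFORM, platform.encode())
            + build_tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan))
            + build_tlv(TLV_DUPLEX, bytes([1 if full_duplex else 0])))
    unchecked = struct.pack("!BBH", version, ttl, 0) + body
    return struct.pack("!BBH", version, ttl, cdp_checksum(unchecked)) + body

def parse_cdp_frame(frame):
    """Decode a CDP payload into the fields the CDP Page and the CDP Neighbors
    Details Page display. Raises ValueError on a malformed frame."""
    if len(frame) < 4:
        raise ValueError("frame too short for a CDP header")
    version, ttl, _ = struct.unpack("!BBH", frame[:4])
    if version not in (1, 2):
        raise ValueError("unsupported CDP version %d" % version)
    if cdp_checksum(frame) != 0:          # a valid frame sums to zero
        raise ValueError("CDP checksum mismatch")
    info = {"Advertise Version": version, "Time to Live": ttl}
    offset = 4
    while offset < len(frame):
        if offset + 4 > len(frame):
            raise ValueError("truncated TLV header at offset %d" % offset)
        tlv_type, tlv_len = struct.unpack("!HH", frame[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(frame):
            raise ValueError("bad TLV length at offset %d" % offset)
        value = frame[offset + 4:offset + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["Device ID"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            info["Port ID"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            info["Capabilities"] = capability_codes(struct.unpack("!I", value)[0])
        elif tlv_type == TLV_SW_VERSION:
            info["Version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["Platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            info["Native VLAN"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_DUPLEX and len(value) == 1:
            info["Duplex"] = "Full" if value[0] else "Half"
        offset += tlv_len
    return info

# Constructed neighbor advertisement (not a capture from a real device).
SAMPLE_FRAME = build_cdp_frame(
    device_id="neighbor-sw1", port_id="GigabitEthernet1/0/1",
    caps=0x008 | 0x020 | 0x100,      # Switch + IGMP + Remotely-Managed-Device
    platform="ESW-520-24P", native_vlan=1, full_duplex=True)

if __name__ == "__main__":
    for field, value in parse_cdp_frame(SAMPLE_FRAME).items():
        print("%-18s %s" % (field, value))
```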

Defining the Bonjour Discovery Protocol

Bonjour is a service discovery protocol that enables automatic discovery of computers, devices, and services on IP networks. Bonjour's multicast Domain Name System (mDNS) service allows the device to publish device services by sending and receiving UDP packets only to multicast address 224.0.0.251 on port 5353.


The Bonjour screen contains information for enabling/disabling Bonjour on the device, specifying a Service Type and the related port used for publishing devices over the network. A Service Type is the type of service registration performed as part of the device system start up. It is intended to assure the uniqueness of the published service and proclaims the related information. The Service Types that are provided for Bonjour are HTTP, HTTPS, and Cisco Config, a Cisco specific Service Type.

To enable Bonjour on the device:

STEP 1 Click Monitor & Device Properties > Bonjour. The Bonjour Page opens:

Bonjour Page

The Bonjour page contains the following fields:

Enable Bonjour — Specifies whether the switch can publish device services via Bonjour using the mDNS service. The possible field values are:

-Checked — Enables Bonjour on the device. Bonjour is enabled by default.

-Unchecked — Disables Bonjour on the device.

Active Bonjour Services — Specifies the Bonjour services supported by the device. By default, all three services are published.


-HTTP — Specifies the Service Type selected is HTTP. This service is enabled by default, and can be user-disabled but not deleted. The service uses the default port 80. The port can be changed using the menu CLI.

-HTTPS — Specifies the Service Type selected is secured HTTP. This service is enabled by default, and can be user-disabled, but not deleted. The service uses the default port 443. The port can be changed using the menu CLI.

-CiscoConfig — Specifies the Service Type selected is CiscoConfig, the Cisco Configuration Service. This service uses the default HTTP port 80. CiscoConfig is enabled by default.

STEP 2 Check Enable in the Enable Bonjour field to enable Bonjour on the device.

STEP 3 Check HTTP and/or HTTPS, and/or CiscoConfig in the Active Bonjour Services field.

STEP 4 Click Apply. Bonjour is enabled, and the device is updated.
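As an added example (not code from the guide), the following Python builds the mDNS query a monitoring host would send to 224.0.0.251 port 5353 for the HTTP and HTTPS service types the Bonjour page lists, and parses the PTR and SRV records of a reply so an administrator can inventory which switches publish their management interface and on which port. The reply is constructed inline rather than captured; the wire name of the CiscoConfig service is not given on the page and is therefore not queried.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # address and port named on the Bonjour page
QTYPE_PTR, QTYPE_SRV = 12, 33
# HTTP and HTTPS service types from the page; the CiscoConfig wire name is not given there.
SERVICE_TYPES = ["_http._tcp.local", "_https._tcp.local"]

def encode_name(name):
    """DNS wire encoding of a dotted name, without compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"

def build_mdns_query(service_types):
    """One query datagram asking for the PTR records of each service type."""
    header = struct.pack("!HHHHHH", 0, 0, len(service_types), 0, 0, 0)
    questions = b"".join(encode_name(s) + struct.pack("!HH", QTYPE_PTR, 1) for s in service_types)
    return header + questions

def decode_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def parse_mdns_response(msg):
    """Map each advertised service instance to its type, host and port using the
    PTR and SRV records of a response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    for _ in range(qd):                        # skip any echoed questions
        _, offset = decode_name(msg, offset)
        offset += 4
    services, srv = {}, {}
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata = offset + 10
        if rtype == QTYPE_PTR:
            instance, _ = decode_name(msg, rdata)
            services[instance] = {"type": name}
        elif rtype == QTYPE_SRV:
            _, _, port = struct.unpack("!HHH", msg[rdata:rdata + 6])
            srv[name] = (decode_name(msg, rdata + 6)[0], port)
        offset = rdata + rdlen
    for instance, entry in services.items():
        if instance in srv:
            entry["target"], entry["port"] = srv[instance]
    return services

def build_sample_response():
    """Constructed response (not a real capture) for a switch publishing HTTP on
    port 80 and HTTPS on 443; the first PTR uses a compression pointer."""
    def rr(name, rtype, rdata):
        return encode_name(name) + struct.pack("!HHIH", rtype, 1, 4500, len(rdata)) + rdata
    host, https_inst = "esw-switch.local", "esw-switch._https._tcp.local"
    msg = struct.pack("!HHHHHH", 0, 0x8400, 0, 4, 0, 0)
    # "esw-switch" + pointer to offset 12, where "_http._tcp.local" begins
    msg += rr("_http._tcp.local", QTYPE_PTR, b"\x0aesw-switch" + b"\xc0\x0c")
    msg += rr("esw-switch._http._tcp.local", QTYPE_SRV, struct.pack("!HHH", 0, 0, 80) + encode_name(host))
    msg += rr("_https._tcp.local", QTYPE_PTR, encode_name(https_inst))
    msg += rr(https_inst, QTYPE_SRV, struct.pack("!HHH", 0, 0, 443) + encode_name(host))
    return msg

def discover(timeout=2.0):
    """Send the query to the mDNS group and collect replies from the local LAN."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_mdns_query(SERVICE_TYPES), (MDNS_GROUP, MDNS_PORT))
        while True:
            try:
                data, (src, _) = sock.recvfrom(9000)
                parsed = parse_mdns_response(data)
            except socket.timeout:
                break
            except (ValueError, IndexError, struct.error):
                continue                       # malformed or non-response traffic
            for inst, entry in parsed.items():
                found[inst] = dict(entry, source=src)
    return found
```

Running discover() on a LAN segment shows each switch instance with the source address it answered from, which can be compared against the expected inventory.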

TCAM Utilization

The TCAM Utilization Page displays the availability of Ternary Content Addressable Memory (TCAM) resources. TCAM is used for high-speed searching and performs security, QoS, and other types of applications. In contrast with binary CAM, TCAM allows a third matching state of X or Don't Care bits in data searches, in addition to the first two bit types, 0 and 1, adding more flexibility to searches. However, the need to encode three possible states instead of two also adds greater resource costs.

The maximum number of rules that may be allocated by all applications on the device is 1024. Some applications allocate rules upon their initiation. Additionally, applications that initialize during system boot use some of their rules during the startup process.

TCAM Allocation

To view TCAM Resources:


STEP 1 Click Monitor & Device Properties > System Management > TCAM Utilization. The TCAM Utilization Page opens:

TCAM Utilization Page

The TCAM Utilization Page contains the following field:

TCAM Utilization — Indicates the percentage of the available TCAM resources which are used. For example, if more ACLs and policy maps are defined, the system uses more TCAM resources.


Managing Smart Ports

The Smart Ports wizards provide network managers with a quick and simple solution for configuring the devices by understanding and automatically configuring the port settings for various network devices, including:

Desktop — Allows network administrators to define settings for personal desktop users.

IP Phone and Desktop — Allows network administrators to define settings between the switch and the IP Phone. This helps ensure proper network management for voice traffic. The Smart Port IP Phone and Desktop wizard allows network managers to connect a phone and a PC.

Access Point — Allows network administrators to manage the connection between the device and wireless access points.

Switch — Allows network administrators to manage network settings between switches.

Router — Allows network administrators to manage network settings between routers.

Guest — Allows network administrators to define a port that is connected to a guest.

Server — Allows network administrators to define a port that is connected to a server.

Printer — Allows network administrators to define a port that is connected to a printer.

VS Camera — Allows network administrators to define a port that is connected to a VS camera.

Other — Allows network administrators to remove any previous Smart ports configurations from a port.


NOTE By default, the user ports are configured as IP Phone + Desktop for PoE switches and Desktop for non-PoE switches. For devices other than IP Phone and Desktop, users need to configure the Smartport role per device (e.g., switch, access point, etc.). Because of the mismatched port role, connecting a switch to an IP Phone + Desktop Smartport deactivates the port, and connecting an access point to it degrades service.

For example, if the network administrator knows that ports 1-10 are access points for a WLAN network, the Smart Ports Wizard is applied to the ports, and the ports are configured with the most common settings for WLAN networks.

Note the following when using the Smart Ports wizard:

During the boot process, the Smart Port wizard commands are saved in the Running Configuration file. This ensures that if the device is reset, the Smart Port wizard settings are applied to the ports when the device restarts.

Ports are enabled for the Smart Port wizards by default. However, the initial configuration of the Smart Ports wizards can only occur if the Startup Configuration file is empty.

If the network administrator modifies the port configuration manually, the Smart ports Wizard may not operate correctly.

Configuring Smart Ports for Desktops

The Smart Ports for Desktops Page allows network administrators to define port settings for personal desktop users. To configure ports for desktop users using the Smart Ports Wizard:

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

System Dashboard Page

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page. The Smart Ports Setting Page opens:

Smart Ports Setting Page

STEP 3 Select a port or range of ports.

STEP 4 Select Desktop in the Assign Profile drop-down list. Click Next. The Smart Ports Desktop Settings Page opens:

Smart Ports Desktops Settings Page

The Smart Ports Desktops Settings Page contains the following fields:

Port — Indicates the port to which Smart Port wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:

-Access — Indicates a port belongs to a single untagged VLAN. This is the default setting for ports that are connected to desktops.

VLAN ID — Indicates the VLAN to which the port belongs.

Port Security Mode — Defines the locked port type. The possible field value is:

-Dynamic Lock — Locks the port with current learned addresses. The dynamic addresses associated with the port are not aged out or relearned on the port as long as the port is locked.

Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. The field default is 1.

Port Security Actions — Indicates the action applied to packets arriving on a locked port. The possible field value is:

-Discard — Discards packets from any unlearned source. This is the default value.

Violation Trap Every — Indicates that traps are sent every 60 seconds.

Broadcast Storm Control — Indicates the percentage of the port speed at which Broadcast Storm Control is enabled on the port. The default value is 10% of the port speed.

Spanning Tree Port Fast — Indicates if Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks. Port Fast is enabled by default.

Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface. BPDU Guard protects the network from invalid configurations. It is usually used either when fast link ports (ports connected to clients) are enabled or when STP is disabled. If a BPDU message is received, the port shuts down and the device generates an appropriate SNMP trap. Spanning Tree BPDU Guard is enabled by default.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The name of the default QoS policy is general-map.

Macro Description — Indicates the type of device connected to the port. For desktops, this field is always Desktop.

STEP 5 Select a VLAN in the VLAN ID drop-down list.

STEP 6 Click Apply. The Desktop port settings are saved, and the device is updated.

Configuring Smart Ports for IP Phones and Desktops

The Smart Ports for IP Phones and Desktops Page allows network administrators to define settings between the switch and the IP Phone. This helps ensure proper network management for voice traffic. The Smart Port IP Phone and Desktop wizard allows network managers to connect a phone and a PC.

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page. The Smart Ports Setting Page opens:

Smart Ports Setting Page

STEP 3 Select a port or range of ports.

STEP 4 Select IP Phone + Desktop in the Assign Profile drop-down list. Click Next. The Smart Ports IP Phones and Desktop Settings Page opens:

Smart Ports IP Phones and Desktop Settings Page

The Smart Ports IP Phones and Desktop Settings Page contains the following fields:

Ports — Indicates the port to which Smart Port wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:

-Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to desktops and IP phones.

Data VLAN — Defines a specific VLAN as the Data VLAN. Data VLANs only carry data packets and receive a lower priority than voice traffic.

Voice VLAN — Indicates which VLAN is the Voice VLAN. Voice VLANs allow network administrators to enhance VoIP service by configuring access ports to carry IP voice traffic from IP phones on specific VLANs.

Port Security Mode — Defines the locked port type. The possible field value is:

-Dynamic Lock — Locks the port with current learned addresses. The dynamic addresses associated with the port are not aged out or relearned on the port as long as the port is locked.

Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. A maximum of 3 MAC addresses can be learned on the port.

Port Security Action — Indicates the action applied to packets arriving on a locked port. The possible field value is:

-Discard — Discards packets from any unlearned source. This is the default value.

Violation Trap Every — Indicates that traps are sent every 60 seconds.

Broadcast Storm Control — Indicates the percentage of the port speed at which Broadcast Storm Control is enabled on the port. The default value is 10% of the port speed.

Spanning Tree Port Fast — Indicates if Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks. Port Fast is enabled by default.

Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface. BPDU Guard protects the network from invalid configurations. It is usually used either when fast link ports (ports connected to clients) are enabled or when STP is disabled. If a BPDU message is received, the port shuts down and the device generates an appropriate SNMP trap. BPDU guard is enabled by default.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The default policy is voice-map.

Macro Description — Indicates the type of device connected to the port. For IP Phones + Desktops, this field is always IP Phones + Desktops.

STEP 5 Select a VLAN in the Data VLAN drop-down list.

STEP 6 Click Apply. The IP Phone + Desktop port settings are saved, and the device is updated.

STEP 7 Click OK. The Smart ports Setting page opens.
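The port-security fields shared by the Desktop profile (Max MAC Addresses 1) and the IP Phone + Desktop profile (up to 3 addresses), modelled as an added example; this is not the switch's own code. It assumes exactly what the field descriptions state: a Dynamic Lock port keeps the addresses it has learned, discards frames from unlearned sources, and raises a violation trap at most once per 60-second interval. The sample traffic is constructed.

```python
"""Model of the Smart Ports port-security fields described above (added
example, not the switch's implementation).  A Dynamic Lock port learns source
MAC addresses until Max MAC Addresses is reached; after that, frames from any
unlearned source are discarded and a violation trap is emitted at most once
per 60 seconds (the 'Violation Trap Every' value on the page)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TRAP_INTERVAL_S = 60  # Violation Trap Every: 60 seconds

# Max MAC Addresses values given on the page for the two profiles.
PROFILE_MAX_MAC = {"Desktop": 1, "IP Phone + Desktop": 3}


@dataclass
class LockedPort:
    name: str
    max_mac: int
    learned: Set[str] = field(default_factory=set)   # addresses held by the lock
    last_trap_at: Optional[float] = None
    traps: List[Tuple[float, str]] = field(default_factory=list)
    discarded: int = 0

    def ingress(self, src_mac: str, now: float) -> str:
        """Classify one frame arriving at time `now` (seconds) from `src_mac`."""
        src = src_mac.lower()
        if src in self.learned:
            return "forward"
        if len(self.learned) < self.max_mac:
            # Dynamic Lock: addresses learned before the limit is reached are
            # kept and are neither aged out nor relearned while the port is locked.
            self.learned.add(src)
            return "learn"
        # Port is full: Port Security Action = Discard for any unlearned source.
        self.discarded += 1
        if self.last_trap_at is None or now - self.last_trap_at >= TRAP_INTERVAL_S:
            self.last_trap_at = now
            self.traps.append((now, src))   # at most one SNMP trap per interval
        return "discard"


# Constructed sample traffic: (seconds since link-up, source MAC address).
SAMPLE_FRAMES = [
    (0.0, "00:11:22:33:44:aa"),   # first device on the port
    (1.0, "00:11:22:33:44:aa"),
    (2.0, "00:11:22:33:44:bb"),   # second device
    (3.0, "00:11:22:33:44:bb"),
    (30.0, "00:11:22:33:44:cc"),  # third device
    (70.0, "00:11:22:33:44:cc"),
    (80.0, "00:11:22:33:44:dd"),  # fourth device
]


def simulate(profile: str, frames=SAMPLE_FRAMES) -> Dict[str, object]:
    """Run the sample traffic through one port locked with the given profile."""
    port = LockedPort(name="g1", max_mac=PROFILE_MAX_MAC[profile])
    verdicts = [port.ingress(mac, t) for t, mac in frames]
    return {
        "verdicts": verdicts,
        "learned": sorted(port.learned),
        "discarded": port.discarded,
        "trap_times": [t for t, _ in port.traps],
    }


if __name__ == "__main__":
    for profile in PROFILE_MAX_MAC:
        print(profile, simulate(profile))
```

With the Desktop profile only the first address is ever learned, so the three other devices produce five discards but only two traps (at 2 s and 70 s); with IP Phone + Desktop three addresses are learned and only the fourth device is discarded.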

Configuring Smart Ports for Access Points

The Smart Ports for Access Points Page allows network administrators to manage the connection between the switch and wireless access points. To configure smart ports for access points:

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page. The Smart Ports Setting Page opens:

Smart Ports Setting Page

STEP 3 Select a port or range of ports.

STEP 4 Select Access Points in the Assign Profile drop-down list.

STEP 5 Click Next. The Smart Ports Access Point Settings Page opens:

Smart Ports for Access Points Settings Page

The Smart Ports for Access Points Settings Page contains the following fields:

Ports — Indicates the port to which Smart Port wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:

-Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to access points.

Trunk Native VLAN ID — Defines the VLAN receiving untagged packets at ingress.

Excluded VLANs — Defines VLANs that are excluded from receiving untagged packets at egress.

Allowed VLANs — Defines VLANs that are allowed to receive untagged packets at egress.

Broadcast Storm Control — Indicates the percentage of the port speed at which Broadcast Storm Control is enabled on the port. The default value is 10% of the port speed.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The name of the default QoS policy is general-map.

Macro Description — Indicates the type of device connected to the port. For access points, this field is always Access Point.

STEP 6 Select a VLAN in the Trunk Native VLAN ID drop-down list.

STEP 7 Select which VLANs are permitted on the trunk using the Allow and Exclude buttons.

STEP 8 Click Apply. The Access Point port settings are saved, and the device is updated.

STEP 9 Click OK. The Smart ports Setting page opens.
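The two VLAN Port Modes the wizards assign (Access for the Desktop profile, Trunk with a Trunk Native VLAN ID and Allowed VLANs for the Access Point profile), modelled as an added example; this is not the switch's code. It assumes standard 802.1Q tagging (TPID 0x8100, VLAN ID in the low 12 bits of the TCI) and that an excluded VLAN is simply one that is not in the allowed set; all frames are constructed inline.

```python
"""Model of the VLAN Port Mode fields described above (added example, not the
switch's code).  An access port belongs to one untagged VLAN; a trunk carries
tagged frames for its Allowed VLANs and untagged frames for its Trunk Native
VLAN ID.  Frames are parsed from constructed 802.1Q bytes."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
ETH_HDR_LEN = 14             # dst(6) + src(6) + EtherType(2)


@dataclass
class SwitchPort:
    mode: str                                       # "Access" or "Trunk"
    vlan: int = 1                                   # access VLAN, or Trunk Native VLAN ID
    allowed: Set[int] = field(default_factory=set)  # Allowed VLANs (trunk only)


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Construct an Ethernet frame (IPv4 EtherType), 802.1Q-tagged when `vid` is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def tagged_vid(frame: bytes) -> Optional[int]:
    """Return the VLAN ID carried in an 802.1Q tag, or None for an untagged frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("short frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF      # low 12 bits of the TCI; PCP/DEI bits are ignored here


def ingress_vlan(port: SwitchPort, frame: bytes) -> Optional[int]:
    """VLAN the frame is classified into on ingress, or None if it is dropped."""
    vid = tagged_vid(frame)
    if port.mode == "Access":
        # An access port belongs to a single untagged VLAN: tagged frames are not accepted.
        return port.vlan if vid is None else None
    if vid is None:
        return port.vlan     # untagged frames land in the Trunk Native VLAN ID
    if vid == port.vlan or vid in port.allowed:
        return vid
    return None              # VLAN not carried by (excluded from) the trunk


def egress_frame(port: SwitchPort, vlan: int, inner: bytes) -> Optional[bytes]:
    """Frame as sent out of `port` for traffic in `vlan`; `inner` is the untagged frame."""
    if port.mode == "Access":
        return inner if vlan == port.vlan else None
    if vlan == port.vlan:
        return inner         # the native VLAN leaves the trunk untagged
    if vlan in port.allowed:
        return inner[:12] + struct.pack("!HH", TPID_8021Q, vlan) + inner[12:]
    return None


# Constructed sample addresses and payload.
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("001122334455")
SAMPLE_PAYLOAD = b"\x00" * 20

if __name__ == "__main__":
    trunk = SwitchPort("Trunk", vlan=10, allowed={20, 30})
    for vid in (None, 20, 40):
        frame = build_frame(SAMPLE_DST, SAMPLE_SRC, SAMPLE_PAYLOAD, vid)
        print("tag", vid, "->", ingress_vlan(trunk, frame))
```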

Configuring Smart Ports for Switches

The Smart Ports Switch Settings Page allows network administrators to manage network settings between switches. To configure smart ports for switches:

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page. The Smart Ports Setting Page opens:

Smart Ports Setting Page

STEP 3 Select a port or range of ports.

STEP 4 Select Switch in the Assign Profile drop-down list. Click Next. The Smart Ports Switch Settings Page opens:

Smart Ports Switch Settings Page

The Smart Ports Switch Settings Page contains the following fields:

Ports — Indicates the port to which Smart Port wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible field value is:

-Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to switches.

Trunk Native VLAN ID — Defines the VLAN receiving untagged packets at ingress.

Trunk Allowed VLANs — Defines VLANs that are allowed to receive untagged packets at egress.

RSTP Link Type — Displays the Rapid Spanning Tree link type. The default value for switches is point-to-point.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The name of the default QoS policy is switch-map.

Macro Description — Indicates the type of device connected to the port. For switches, this field is always Switch.

STEP 5 Select a VLAN in the Trunk Native VLAN ID drop-down list.

STEP 6 Select which VLANs are permitted on the trunk using the Add and Delete buttons.

STEP 7 Click Apply. The switching port settings are saved, and the device is updated.

STEP 8 Click OK. The Smart ports Setting page opens.

Configuring Smart Ports for Routers

The Smart Port Router Page allows network administrators to manage network settings between routers. To configure smart ports for routers:

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page. The Smart Ports Setting Page opens:

Smart Ports Setting Page

STEP 3 Select a port or range of ports.

STEP 4 Select Router in the Assign Profile drop-down list.

STEP 5 Click Next. The Smart Port Router Settings Page opens:

Smart Port Router Settings Page

The Edit Smart Port Router Page contains the following fields:

Ports — Indicates the port to which Smart Port wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:

-Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to routers.

Trunk Native VLAN ID — Defines the VLAN receiving untagged packets at ingress.

Trunk Allowed VLANs — Defines VLANs that are allowed to receive untagged packets at egress.

Broadcast Storm Control — Indicates the percentage of the port speed at which Broadcast Storm Control is enabled on the port. The default value is 10% of the port speed.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The name of the default QoS policy is router-map.

Macro Description — Indicates the type of device connected to the port. For routers, this field is always Router.

STEP 6 Select a VLAN in the Trunk Native VLAN ID drop-down list.

STEP 7 Select which VLANs are permitted on the trunk using the Add and Delete buttons.

STEP 8 Click Apply. The routing port settings are saved, and the device is updated.

STEP 9 Click OK. The Smart ports Setting page opens.

Configuring Smart ports for Guests

The Smart Ports Setting Page allows network administrators to manage network settings between the switch and a guest in the company. It is recommended that this connection be restricted to specific applications. To configure Smart ports for a guest:

STEP 1 Open the Small Business Pro web application. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.

STEP 3 Select a port or range of ports.

STEP 4 Select Guest in the Assign Profile drop-down box.

Smart ports Setting Page

STEP 5 Click Next. The Smart Ports Guest Settings Page opens:

Smartports Guest Settings Page

The Smartports Guest Settings Page contains the following fields:

Ports — Indicates the port to which Smart ports Wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:

-Access — Indicates the value is Access.

Trunk Native VLAN ID — Defines the VLAN receiving untagged packets at ingress. The default value is VLAN 1. The user can change it to any other created VLAN through a drop down list.

Broadcast Storm Control — Indicates the percentage of Broadcast Storm Control enabled on the port. The value is 10% of the port speed.

Spanning Tree Port Fast — Indicates Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks.

Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The name of the default QoS policy is router-map.

Macro Description— Indicates the type of device connected to the port. For guests, this field is always Guest.

STEP 6 Select a VLAN in the VLAN ID drop-down box.

STEP 7 Click Apply. The guest port settings are saved, and the device is updated.

STEP 8 Click OK. The Smart Ports Setting Page opens.

Configuring Smart ports for Servers

The Smart ports Setting Page allows network administrators to define settings between the device and a server.

To configure ports for a server:

STEP 1 Open the Small Business Pro web application. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.

STEP 3 Select a port or range of ports.

STEP 4 Select Server in the Assign Role drop-down box.

Smart ports Setting Page

STEP 5 Click Next. The Smart Ports Server Settings Page opens:

Smart ports Server Settings Page

The Smart ports Server Settings Page contains the following fields:

Ports — Indicates the port to which Smart ports Wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:

-Access — Indicates the value is Access.

Trunk Native VLAN ID — Indicates the VLAN to which the port belongs. The default is VLAN 1 – the user can change this VLAN by selecting one of the created VLANs via the drop down list.

Port Security Mode — Defines the locked port type. The field value is: Dynamic Lock.

Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. A maximum of three MAC addresses can be learned on the port.

Port Security Action — Indicates the action applied to packets arriving on a locked port. The value is:

-Discard — Discards packets from any unlearned source. This is the default value.

Violation Trap Every — Indicates that traps are sent every 60 seconds.

Broadcast Storm Control — Indicates the percentage of Broadcast Storm Control enabled on the port. The value is 10% of the port speed.

Spanning Tree Port Fast — Indicates Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks.

Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The Default policy is voice-map.

Macro Description— Indicates the type of device connected to the port. For servers, this field is always Server.

STEP 6 Select a VLAN in the VLAN ID drop-down box.

STEP 7 Click Apply. The Server port settings are saved, and the device is updated.

STEP 8 Click OK. The Smart Ports Setting Page opens.

Configuring Smart ports for Printers

The Smart ports Setting Page allows network administrators to define settings between the device and a printer.

To configure ports for a printer:

STEP 1 Open the Small Business Pro web application. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.

STEP 3 Select a port or range of ports.

STEP 4 Select Printer in the Assign Role drop-down box.

Smart ports Setting Page

STEP 5 Click Next. The Smart Ports Printer Settings Page opens:

Smartports Printer Settings Page

The Smartports Printer Settings Page contains the following fields:

Ports — Indicates the port to which Smart ports Wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:

-Access — Indicates the value is Access.

Trunk Native VLAN ID — Indicates the VLAN to which the port belongs. The default is VLAN 1 – the user can change this VLAN by selecting one of the created VLANs via the drop down list.

Port Security Mode — Defines the locked port type. The field value is: Dynamic Lock.

Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. A maximum of three MAC addresses can be learned on the port.

Port Security Action — Indicates the action applied to packets arriving on a locked port. The value is:

-Discard — Discards packets from any unlearned source. This is the default value.

Violation Trap Every — Indicates that traps are sent every 60 seconds.

Broadcast Storm Control — Indicates the percentage of Broadcast Storm Control enabled on the port. The value is 10% of the port speed.

Spanning Tree Port Fast — Indicates Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks.

Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The Default policy is voice-map.

Macro Description— Indicates the type of device connected to the port. For printers, this field is always Printer.

STEP 6 Select a VLAN in the VLAN ID drop-down box.

STEP 7 Click Apply. The printer port settings are saved, and the device is updated.

STEP 8 Click OK. The Smart Ports Setting Page opens.

Configuring Smart ports for VS Camera

The Smart ports Setting Page allows network administrators to define settings between the device and a video surveillance camera.

To configure ports for a VS camera:

STEP 1 Open the Small Business Pro web application. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page.

STEP 3 Select a port or range of ports.

STEP 4 Select VS Camera in the Assign Role drop-down box.

Smart ports Setting Page

STEP 5 Click Next. The Smart Ports VS Camera Settings Page opens:

Smart ports VS Camera Settings Page

The Smart Ports VS Camera Settings Page contains the following fields:

Ports — Indicates the port to which Smart ports Wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The value is:

-Access — Indicates the value is Access.

Trunk Native VLAN ID — Indicates the VLAN to which the port belongs. The default is VLAN 1 – the user can change this VLAN by selecting one of the created VLANs via the drop down list.

Port Security Mode — Defines the locked port type. The field value is: Dynamic Lock.

Max MAC Addresses — Indicates the maximum number of MAC addresses that can be learned on the port. A maximum of three MAC addresses can be learned on the port.

Port Security Action — Indicates the action applied to packets arriving on a locked port. The value is:

-Discard — Discards packets from any unlearned source. This is the default value.

Violation Trap Every — Indicates that traps are sent every 60 seconds.

Broadcast Storm Control — Indicates the percentage of Broadcast Storm Control enabled on the port. The value is 10% of the port speed.

Spanning Tree Port Fast — Indicates Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks.

Spanning Tree BPDU Guard — Indicates if BPDU Guard is enabled on the interface.

QoS Policy — Indicates that the default QoS policy settings are applied to the port. The Default policy is voice-map.

Macro Description— Indicates the type of device connected to the port. For VS cameras, this field is always VS Camera.

STEP 6 Select a VLAN in the VLAN ID drop-down box.

STEP 7 Click Apply. The VS Camera port settings are saved, and the device is updated.

STEP 8 Click OK. The Smart Ports Setting Page opens.

Configuring Smart Ports for Other

The Smart Port Other Page allows network administrators to remove any previous Smart Ports configuration from a port.

You can also use the Smart Ports Other setting when analyzing network traffic. Traffic passing through ports can be analyzed by using SPAN to send a copy of the traffic to another port on the switch, or on another switch, that is connected to a network analyzer or other monitoring or security device. The following are the steps to set up port mirroring:

STEP 1 Select the destination port. Configure the port as Other.

STEP 2 Connect the destination port to a computer running the Wireshark network protocol analyzer.

STEP 3 Go to Maintenance->Diagnostics->SPAN (Port Monitoring). Configure the destination port and source port together with traffic type.

STEP 4 Monitor the source ports' traffic in Wireshark.

For more information on configuring SPAN (Port Mirroring), see Chapter 19, Managing Device Diagnostics.

To remove any previous Smart Ports configuration from a port, configure smart ports for other:

STEP 1 Open the Switch Configuration Utility. The web application automatically opens to the System Dashboard Page.

STEP 2 Click Smart Ports Wizard under Ports on the System Dashboard Page. The Smart Ports Setting Page opens:

Smart Ports Settings Page

STEP 3 Select a port or range of ports.

STEP 4 Select Other in the Assign Profile drop-down list.

STEP 5 Click Next. The Other page opens:

Smart Ports Other Page

The Edit Smart Port Other Page contains the following fields:

Ports — Indicates the port to which Smart Port wizard settings are applied.

VLAN Port Mode — Indicates the VLAN port mode enabled on the port. The possible value is:

-Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged. This is the default setting for ports that are connected to routers.

Trunk Native VLAN ID — Defines the VLAN receiving untagged packets at ingress. The default value is VLAN 1, the user can change it to any other created VLAN through a drop down list.

Macro Description — Displays Other, which indicates the port has no Wizard configured.

STEP 6 Select a VLAN in the VLAN ID drop-down list.

STEP 7 Click Apply. The port settings are saved, and the device is updated.

Configuring System Time

The device supports the Simple Network Time Protocol (SNTP). SNTP assures accurate network device clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. The device operates only as an SNTP client, and cannot provide time services to other systems.

This section provides information for configuring the system time, and includes the following topics:

Defining System Time

Defining SNTP Settings

Defining SNTP Authentication

Defining System Time

The System Time Page contains fields for defining system time parameters for both the local hardware clock, and the external SNTP clock. If the system time is kept using an external SNTP clock, and the external SNTP clock fails, the system time reverts to the local hardware clock. Daylight Savings Time can be enabled on the device.

To define system time:

STEP 1 Click Monitor & Device Properties > System Management > Time > System Time. The System Time Page opens:

System Time Page

The System Time Page contains the following fields:

Clock Source — Indicates the source used to set the system clock. The possible field values:

-Use Local Settings — The system time is set on the local device. This is the default value.

-Use SNTP Server — Sets the system time via an SNTP server.

Date — Indicates the system date. The field format is DD/MMM/YY, for example, 12/Dec/08.

Local Time — Indicates the system time. The field format is HH:MM:SS, for example, 21:15:03.

Time Zone Offset — Indicates the difference between Greenwich Mean Time (GMT) and local time. For example, the Time Zone Offset for Paris is GMT +1, while the local time in New York is GMT –5.

There are two types of daylight saving settings: a specific date in a particular year, or a recurring setting irrespective of the year. For a specific setting in a particular year, complete the Daylight Savings area; for a recurring setting, complete the Recurring area.

Daylight Savings — Enables Daylight Savings Time (DST) on the device based on the device's location. The possible field values are:

-USA — The device switches to DST at 2 a.m. on the second Sunday of March, and reverts to standard time at 2 a.m. on the first Sunday in November.

-European — The device switches to DST at 1:00 am on the last Sunday in March and reverts to standard time at 1:00 am on the last Sunday in October. The European option applies to EU members, and other European countries using the EU standard.

-Other — The DST definitions are user-defined based on the device locality. If Other is selected, the From and To fields must be defined.

Time Set Offset (1-1440) — Indicates the difference in minutes between DST and the local standard time. The default is 60 minutes.
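The USA and European DST presets, the Time Zone Offset and the Time Set Offset described above, carried through as an added example; this is not Cisco's code. It goes slightly beyond the presets: each rule is written as (Day, Week, Month, Time), the same shape the Recurring From/To fields on this page use, so a user-defined recurring rule (such as the "second Sunday in April" / "fourth Friday in October" example the page gives for the Recurring area) is computed by the same function. It assumes the From time is read on the standard clock and the To time on the DST clock, and that the DST window starts and ends within one calendar year.

```python
"""Worked example of the System Time DST rules above (added here; not
Cisco's code).  Presets and recurring rules share one (Day, Week, Month,
Time) shape.  local_clock() converts a UTC instant, as an SNTP client would
receive it, into the displayed local time using the Time Zone Offset and
the Time Set Offset."""
import calendar
import datetime as dt
from typing import Tuple, Union

Week = Union[str, int]                 # "First", 2, 3, 4 or "Last" (the Week field)
Rule = Tuple[str, Week, int, str]      # (day name, week, month number, "HH:MM")
RulePair = Tuple[Rule, Rule]           # (From, To)

# Fixed presets exactly as the page states them.
USA: RulePair = (("Sunday", 2, 3, "02:00"), ("Sunday", "First", 11, "02:00"))
EUROPEAN: RulePair = (("Sunday", "Last", 3, "01:00"), ("Sunday", "Last", 10, "01:00"))
# The page's Recurring-area example: begins every second Sunday in April at
# 5:00 am, ends every fourth Friday in October at 5:00 am.
RECURRING_EXAMPLE: RulePair = (("Sunday", 2, 4, "05:00"), ("Friday", 4, 10, "05:00"))


def nth_weekday(year: int, month: int, day_name: str, week: Week) -> dt.date:
    """Date of the First/2nd/3rd/4th/Last <day_name> in the given month."""
    wanted = list(calendar.day_name).index(day_name)      # Monday == 0 ... Sunday == 6
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [dt.date(year, month, d) for d in range(1, days_in_month + 1)
               if dt.date(year, month, d).weekday() == wanted]
    if week == "Last":
        return matches[-1]
    index = 1 if week == "First" else int(week)
    return matches[index - 1]


def rule_datetime(year: int, rule: Rule) -> dt.datetime:
    """Resolve one From/To rule to a concrete local date and time in `year`."""
    day_name, week, month, hhmm = rule
    hour, minute = (int(part) for part in hhmm.split(":"))
    return dt.datetime.combine(nth_weekday(year, month, day_name, week),
                               dt.time(hour, minute))


def dst_window(year: int, rules: RulePair) -> Tuple[str, str]:
    """Local From/To transition times for one year, formatted for display."""
    return tuple(rule_datetime(year, r).strftime("%Y-%m-%d %H:%M") for r in rules)


def local_clock(utc_iso: str, tz_offset_hours: int, rules: RulePair,
                set_offset_min: int = 60) -> str:
    """Displayed local time for a UTC instant given as 'YYYY-MM-DDTHH:MM'.
    The From time is on the standard clock; the To time is on the DST clock,
    so it is pulled back by the Time Set Offset before the comparison."""
    standard = dt.datetime.fromisoformat(utc_iso) + dt.timedelta(hours=tz_offset_hours)
    start, end = (rule_datetime(standard.year, r) for r in rules)
    end_standard = end - dt.timedelta(minutes=set_offset_min)
    in_dst = start <= standard < end_standard
    shown = standard + dt.timedelta(minutes=set_offset_min if in_dst else 0)
    return shown.strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    print("USA 2008:", dst_window(2008, USA))
    print("Europe 2008:", dst_window(2008, EUROPEAN))
    print("Paris, 2008-07-01 12:00 UTC ->", local_clock("2008-07-01T12:00", 1, EUROPEAN))
    print("New York, 2008-11-02 05:30 UTC ->", local_clock("2008-11-02T05:30", -5, USA))
```

The two New York calls around 06:00 UTC on 2 November 2008 both display 01:30, which is the repeated hour at the end of DST that the To rule produces.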

The following fields are active for countries other than the USA and the European countries.

From — Indicates the time that DST begins in countries other than the USA or Europe, with the date in Day:Month:Year format in one field and the time in another. For example, if DST begins on 25 October 2007 at 5:00 am, the two fields are 25/Oct/07 and 5:00. The possible field values are:

-Date — The date at which DST begins. The possible field range is1-31.

-Month — The month of the year in which DST begins. The possible field range isJan-Dec.

-Year — The year in which the configured DST begins.

-Time — The time at which DST begins. The field format is Hour:Minute, for example, 05:30.

To — Indicates the time that DST ends in countries other than the USA or Europe, with the date in Day:Month:Year format in one field and the time in another. For example, if DST ends on 23 March 2008 at 12:00 am, the two fields are 23/Mar/08 and 12:00. The possible field values are:

-Date — The date at which DST ends. The possible field range is 1-31.


-Month — The month of the year in which DST ends. The possible field range is Jan-Dec.

-Year — The year in which the configured DST ends.

-Time — The time at which DST ends. The field format is Hour:Minute, for example, 05:30.

Recurring — Select if the DST period in countries other than the USA or Europe is constant from year to year. The possible field values are:

From — Indicates the day and time that DST begins each year. For example, DST begins locally every second Sunday in April at 5:00 am. The possible field values are:

-Day — The day of the week on which DST begins every year. The possible field range is Sunday-Saturday.

-Week — The week within the month in which DST begins every year. The possible field range is First, 2, 3, 4, Last.

-Month — The month of the year in which DST begins every year. The possible field range is Jan-Dec.

-Time — The time at which DST begins every year. The field format is Hour:Minute, for example, 02:10.

To — Indicates the day and time that DST ends each year. For example, DST ends locally every fourth Friday in October at 5:00 am. The possible field values are:

-Day — The day of the week on which DST ends every year. The possible field range is Sunday-Saturday.

-Week — The week within the month at which DST ends every year. The possible field range is First, 2,3,4, Last.

-Month — The month of the year in which DST ends every year. The possible field range is Jan-Dec.

-Time — The time at which DST ends every year. The field format is Hour:Minute, for example, 05:30.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The Time Settings are defined, and the device is updated.
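The resolution of the recurring Day/Week/Month/Time fields into a calendar date is not spelled out above, so here is an added Python example (not part of the guide and not Cisco code) that does it, encodes the USA and European presets from the descriptions above, and applies the Time Zone Offset and Time Set Offset to a UTC instant. The function names, the southern-hemisphere sample rule and the wall-clock simplification (both rule times are compared as local standard time) are this example's own assumptions.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Week selector exactly as the guide lists it: First, 2, 3, 4, Last.
WEEK_INDEX = {"First": 1, "2": 2, "3": 3, "4": 4}
MONTHS = {m: i for i, m in enumerate(calendar.month_abbr) if m}  # "Jan" -> 1
WEEKDAYS = {d: i for i, d in enumerate(calendar.day_name)}       # "Monday" -> 0


def resolve_recurring(day, week, month, hhmm, year):
    """Resolve one Recurring rule (Day, Week, Month, Time) to the datetime it
    denotes in `year`. 'Last' is found by walking back from the end of the
    month, so it can never spill into the following month."""
    month_no = MONTHS[month]
    weekday = WEEKDAYS[day]
    hour, minute = (int(part) for part in hhmm.split(":"))
    if week == "Last":
        month_end = date(year, month_no, calendar.monthrange(year, month_no)[1])
        d = month_end - timedelta(days=(month_end.weekday() - weekday) % 7)
    else:
        month_start = date(year, month_no, 1)
        first_such_day = month_start + timedelta(days=(weekday - month_start.weekday()) % 7)
        d = first_such_day + timedelta(weeks=WEEK_INDEX[week] - 1)
    return datetime.combine(d, time(hour, minute))


def in_dst(start_rule, end_rule, when):
    """True if the naive wall-clock datetime `when` lies in [start, end) of that
    year's DST window. A window that straddles New Year (start in October, end
    in March, as in the southern hemisphere) is handled as well."""
    start = resolve_recurring(*start_rule, when.year)
    end = resolve_recurring(*end_rule, when.year)
    if start <= end:
        return start <= when < end
    return when >= start or when < end


def local_time(utc_iso, tz_offset_hours, start_rule, end_rule, time_set_offset_min=60):
    """Apply the Time Zone Offset, then add the Time Set Offset (guide default
    60 minutes) while the standard-time clock is inside the DST window."""
    standard = datetime.fromisoformat(utc_iso) + timedelta(hours=tz_offset_hours)
    if in_dst(start_rule, end_rule, standard):
        return standard + timedelta(minutes=time_set_offset_min)
    return standard


# Presets transcribed from the USA and European descriptions above.
USA = (("Sunday", "2", "Mar", "02:00"), ("Sunday", "First", "Nov", "02:00"))
EUROPEAN = (("Sunday", "Last", "Mar", "01:00"), ("Sunday", "Last", "Oct", "01:00"))
# Constructed "Other" rule for a southern-hemisphere locality (window crosses New Year).
SOUTHERN_EXAMPLE = (("Sunday", "First", "Oct", "02:00"), ("Sunday", "First", "Apr", "03:00"))

if __name__ == "__main__":
    # The guide's own example: "every fourth Friday in October at 5:00 am".
    print(resolve_recurring("Friday", "4", "Oct", "05:00", 2008))
    # Paris (GMT +1) in July: standard offset plus the 60-minute DST offset.
    print(local_time("2008-07-01T12:00:00", 1, *EUROPEAN))
```

Running the block prints the resolved dates; the same functions can be fed the From/To values of any "Other" configuration to check, before clicking Apply, which calendar dates the device will actually switch on.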


Defining SNTP Settings

The SNTP Settings Page contains information for enabling SNTP servers, as well as adding new SNTP servers. In addition, the SNTP Settings Page enables the device to request and accept SNTP traffic from a server. To define SNTP global settings:

STEP 1 Click Monitor & Device Properties > System Management > Time > SNTP Settings. The SNTP Settings Page opens:

SNTP Settings Page

The SNTP Settings Page contains the following fields:

Enable SNTP Broadcast Reception — Enables polling the selected SNTP Server for system time information.

SNTP Server — Indicates the SNTP server IP address. Up to eight SNTP servers can be defined.

Poll Interval — Defines the interval (in seconds) at which the SNTP server is polled for system time information. By default, the poll interval is 1024 seconds.


Encryption Key ID — Indicates the Key Identification used to communicate between the SNTP server and device. The range is 1 - 4294967295.

Preference — The SNTP server providing SNTP system time information. The possible field values are:

-Primary — The primary server provides SNTP information.

-Secondary — The backup server provides SNTP information.

-In progress — The SNTP server is currently sending or receiving SNTP information.

-Unknown — The progress of the SNTP information currently being sent is unknown. For example, the device is currently trying to locate an interface.

Status — The operating SNTP server status. The possible field values are:

-Up — The SNTP server is currently operating normally.

-Down — Indicates that an SNTP server is currently not available. For example, the SNTP server is currently not connected or is currently down.

-Unknown — Indicates that the device (SNTP client) is currently looking for an SNTP server.

Last Response — Indicates the last time a response was received from the SNTP server.

Offset — Indicates the difference in minutes between DST and the local standard time. The default time is 60 minutes.

Delay — Indicates the amount of time it takes to reach the SNTP server.

STEP 2 Click the Add button. The Add SNTP Server Page opens:


Add SNTP Server Page

The Add SNTP Server Page contains the following fields:

SNTP Server — The SNTP server’s IP address.

Enable Poll Interval — Select whether or not the device polls the selected SNTP server for system time information.

Encryption Key ID — Select if Key Identification is used to communicate between the SNTP server and device. The range is 1 - 4294967295.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The SNTP Server is added, and the device is updated.

Defining SNTP Authentication

The SNTP Authentication Page provides parameters for performing authentication of the SNTP server.


STEP 1 Click Monitor & Device Properties > System Management > Time > SNTP Authentication. The SNTP Authentication Page opens:

SNTP Authentication Page

The SNTP Authentication Page contains the following fields:

Enable SNTP Authentication — Indicates if authenticating an SNTP session between the device and an SNTP server is enabled on the device. The possible field values are:

-Checked — Authenticates SNTP sessions between the device and SNTP server.

-Unchecked — Disables authenticating SNTP sessions between the device and SNTP server.

Encryption Key ID — Indicates the Key Identification used to authenticate the SNTP server and device. The range is 1 - 4294967295.

Authentication Key — Displays the key used for authentication.

Trusted Key — Indicates the encryption key used (Unicast/Anycast) or elected (Broadcast) to authenticate the SNTP server.

STEP 2 Click the Add button. The Add SNTP Authentication Page opens:


Add SNTP Authentication Page

The Add SNTP Authentication Page contains the following fields:

Encryption Key ID — Defines the Key Identification used to authenticate the SNTP server and device. The range is 1 - 4294967295.

Authentication Key — Defines the key used for authentication.

Trusted Key — Indicates if an encryption key is used (Unicast/Anycast) or elected (Broadcast) to authenticate the SNTP server.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The SNTP Authentication is defined, and the device is updated.
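The SNTP Authentication fields above (Encryption Key ID, Authentication Key, Trusted Key) correspond to the symmetric-key authenticator of SNTP/NTP: a 4-byte key identifier and an MD5 digest over the shared key and the 48-byte header, appended to the packet. The following Python is an added example (not from the guide and not the switch's firmware) showing how a client verifies such a reply and why only a trusted key identifier may be accepted; the header bytes, key identifier and shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed SNTP/NTP header (RFC 4330 / RFC 5905)
KEY_ID_LEN, DIGEST_LEN = 4, 16


def ntp_md5_mac(key, header):
    """Symmetric-key authenticator from RFC 5905: MD5 over key || header."""
    return hashlib.md5(key + header).digest()


def append_authenticator(header, key_id, key):
    """What an authenticating server appends: key identifier + digest."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify_sntp_reply(packet, trusted_keys):
    """Client-side check mirroring the guide's Encryption Key ID /
    Authentication Key / Trusted Key fields. Returns (accepted, reason)."""
    if len(packet) < NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "reply carries no authenticator"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN]
    if key_id < 1:                      # guide range: 1 - 4294967295; 0 means "no key"
        return False, "key id 0 is not a valid key identifier"
    key = trusted_keys.get(key_id)
    if key is None:                     # the id must be in the Trusted Key list
        return False, "key id %d is not a trusted key" % key_id
    # Constant-time comparison so a mismatch leaks nothing about the digest.
    if not hmac.compare_digest(digest, ntp_md5_mac(key, header)):
        return False, "digest mismatch: wrong key or altered packet"
    return True, "authenticated with key id %d" % key_id


# Constructed sample data (not taken from any real deployment).
TRUSTED_KEYS = {7: b"example-only-shared-secret"}
# LI=0, VN=4, Mode=4 (server), stratum 2, poll 10, precision -20; the
# remaining timestamp fields are left zero for the example.
SAMPLE_HEADER = bytes([0x24, 0x02, 0x0A, 0xEC]) + bytes(NTP_HEADER_LEN - 4)

if __name__ == "__main__":
    reply = append_authenticator(SAMPLE_HEADER, 7, TRUSTED_KEYS[7])
    print(verify_sntp_reply(reply, TRUSTED_KEYS))
    print(verify_sntp_reply(SAMPLE_HEADER, TRUSTED_KEYS))   # unauthenticated reply
```

The point the Trusted Key field makes is visible in the second check: a reply whose key identifier is not on the trusted list is rejected before any digest is computed, so a server that knows some other configured key cannot be accepted as a time source.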


Configuring Device Security

The Security Suite contains the following topics:

Passwords Management

Defining Authentication

Defining Access Methods

Defining Traffic Control

Defining 802.1x

Defining Access Control

Defining DoS Prevention

Defining DHCP Snooping

Defining Dynamic ARP Inspection

Passwords Management

This section contains information for defining passwords. Passwords are used to authenticate users accessing the device. By default, a single user name is defined, cisco, with a password of cisco.

NOTE When a new Local User is added, the default user name, cisco, is overwritten.

To define Passwords:


STEP 1 Click Security > Users and Passwords > User Authentication. The User Authentication Page opens:

User Authentication Page

The User Authentication Page contains the following fields:

User Name — Displays the user name.

STEP 2 Click the Add button. The Add Local User Page opens:

Add Local User Page

The Add Local User Page contains the following fields:


User Name — Specifies the user name.

Password — Specifies the new password. The password is not displayed. As it is entered, an * corresponding to each character is displayed in the field. (Range: 1-159 characters)

Confirm Password — Confirms the new password. The password entered into this field must be exactly the same as the password entered in the Password field.

STEP 3 Define the relevant fields

STEP 4 Click Apply. The local user settings are modified, and the device is updated.

Modifying the Local User Settings

STEP 1 Click Security > Users and Passwords > User Authentication. The User Authentication Page opens:

STEP 2 Click the Edit Button. The Edit Local User Page opens:

Edit Local User Page

The Edit Local User Page contains the following fields:

User Name — Specifies the user name.

Password — Specifies the new password. The password is not displayed. As it is entered, an * corresponding to each character is displayed in the field. (Range: 1-159 characters)

Confirm Password — Confirms the new password. The password entered into this field must be exactly the same as the password entered in the Password field.


STEP 3 Define the relevant fields.

STEP 4 Click Apply. The local user settings are modified, and the device is updated.

Defining Authentication

The Authentication section contains the following pages:

Defining Profiles

Mapping Authentication Profiles

Defining TACACS+

Defining RADIUS

Defining Profiles

Authentication profiles allow network administrators to assign authentication methods for user authentication. User authentication can be performed locally or on an external server. User authentication occurs in the order the methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and the RADIUS server is not available, then the user is authenticated locally.


STEP 1 Click Security > Authentication > Profiles. The Profiles Page opens:

Profiles Page

The Profiles Page contains the following fields:

Profile Name — Displays the Profile name defined for the Login Table.

Methods — Defines the user authentication methods. The order of the authentication methods defines the order in which authentication is attempted. For example, if the authentication method order is RADIUS, Local, the system first attempts to authenticate the user on a RADIUS server. If there is no available RADIUS server, then authentication is attempted on the local database. Note that if the RADIUS server is available, but authentication fails, then the user is denied access. The possible field values are:

-Local — Authenticates the user at the device level. The device checks the user name and password for authentication.

-RADIUS — Authenticates the user at the RADIUS server.

-TACACS+ — Authenticates the user at the TACACS+ server.

-None — Indicates that no authentication method is used to authenticate the user.

STEP 2 Click the Add button. The Add Authentication Profile Page opens:


Add Authentication Profile Page

The Add Authentication Profile Page contains the following fields:

Profile Name — Defines the Authentication profile name.

Authentication Method — Defines the user authentication methods. The order of the authentication methods defines the order in which authentication is attempted. For example, if the authentication method order is RADIUS, Local, the system first attempts to authenticate the user on a RADIUS server. If there is no available RADIUS server, then authentication is attempted on the local database. Note that if the RADIUS server is available, but authentication fails, then the user is denied access. The possible field values are:

-Local — Authenticates the user at the device level. The device checks the user name and password for authentication. No option can be inserted below Local.

-RADIUS — Authenticates the user at the RADIUS server.

-TACACS+ — Authenticates the user at the TACACS+ server.

-None — Indicates that no authentication method is used to authenticate the user. No option can be inserted below None.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The authentication profile is defined, and the device is updated.


Modifying an Authentication Profile

STEP 1 Click Security > Authentication > Profiles. The Profiles Page opens:

STEP 2 Click the Edit Button. The Edit Authentication Profile Page opens:

Edit Authentication Profile Page

The Edit Authentication Profile Page contains the following fields:

Profile Name — Displays the Authentication profile name.

Authentication Methods — Defines the user authentication methods. The possible field values are:

-Local — Authenticates the user at the device level. The device checks the user name and password for authentication.

-RADIUS — Authenticates the user at the RADIUS server.

-TACACS+ — Authenticates the user at the TACACS+ server.

-None — Indicates that no authentication method is used to authenticate the device.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The authentication profile is defined, and the device is updated.


Mapping Authentication Profiles

After authentication profiles are defined, authentication profiles can be applied to management access methods. For example, console users can be authenticated by one authentication profile, while Telnet users are authenticated by another authentication profile.

Authentication methods are selected using arrows. The order in which the methods are selected is the order by which the authentication methods are used.

The Mapping Profiles Page contains parameters for mapping authentication methods. To map authentication profiles:

STEP 1 Click Security > Authentication > Mapping Profiles. The Mapping Profiles Page opens:

Mapping Profiles Page

The Mapping Profiles Page contains the following fields:

Console — Indicates that Authentication profiles are used to authenticate console users.

Telnet — Indicates that Authentication profiles are used to authenticate Telnet users.


Secure Telnet (SSH) — Indicates that Authentication profiles are used to authenticate Secure Shell (SSH) users. SSH provides clients secure and encrypted remote connections to a device.

Secure HTTP — Configures the device Secure HTTP settings.

Optional Methods — Lists available authentication methods.

-Local — Authenticates the user at the device level. The device checks the user name and password for authentication. No authentication method can be added under Local.

-RADIUS — Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks.

-TACACS+ — Terminal Access Controller Access Control System (TACACS+) provides centralized security user access validation.

-None — Indicates that no authentication method is used to authenticate the device. No authentication method can be added under None.

Selected Methods — Selects authentication methods from the methods offered in the Optional methods area.

HTTP — Configures the device HTTP settings.

Optional Methods — Lists available authentication methods.

-Local — Authenticates the user at the device level. The device checks the user name and password for authentication. No authentication method can be added under Local.

-RADIUS — Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks.

-TACACS+ — Terminal Access Controller Access Control System (TACACS+) provides centralized security user access validation.

-None — Indicates that no authentication method is used to authenticate the device. No authentication method can be added under None.

Selected Methods — Selects authentication methods from the methods offered in the Optional methods area.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The mapping profiles are defined, and the device is updated.
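The fallback behaviour described in the Profiles pages above (a method is skipped only when its server is unavailable, a reject is final, and Local or None must be the last entry) and the binding of access methods to profiles on the Mapping Profiles Page can be illustrated together. The Python below is an added example, not code from the guide or the device; the RADIUS stand-ins, account tables, profile names and mapping are constructed for the example.

```python
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # the method answered and refused: final
    UNAVAILABLE = "unavailable"  # the server could not be reached: try the next method


def local_method(user, password, local_users):
    """Local: check the device's own user table (always answers)."""
    return Outcome.ACCEPT if local_users.get(user) == password else Outcome.REJECT


def remote_method(reachable, accounts):
    """Build a stand-in for a RADIUS or TACACS+ server with the given
    reachability and account table (constructed for this example)."""
    def method(user, password, _local_users):
        if not reachable:
            return Outcome.UNAVAILABLE
        return Outcome.ACCEPT if accounts.get(user) == password else Outcome.REJECT
    return method


def authenticate(profile, user, password, local_users):
    """Walk the profile's methods in order. An unreachable server falls through
    to the next method; an actual answer (accept or reject) ends the walk;
    None accepts without checking anything. Local and None always answer,
    which is why the guide allows nothing to be inserted below them."""
    for name, method in profile:
        if name == "None":
            return Outcome.ACCEPT
        outcome = method(user, password, local_users)
        if outcome is not Outcome.UNAVAILABLE:
            return outcome
    return Outcome.REJECT   # every server unreachable and no Local/None left: deny


def authenticate_access(mapping, profiles, access_method, user, password, local_users):
    """Mapping Profiles: each management access method (Console, Telnet, SSH,
    HTTP, HTTPS) is bound to one authentication profile."""
    profile = profiles[mapping[access_method]]
    return authenticate(profile, user, password, local_users).value


# Constructed sample configuration.
LOCAL_USERS = {"cisco": "cisco"}                      # factory default named in the guide
RADIUS_UP = remote_method(True, {"alice": "example-pass"})
RADIUS_DOWN = remote_method(False, {"alice": "example-pass"})
PROFILES = {
    "radius-then-local": [("RADIUS", RADIUS_UP), ("Local", local_method)],
    "radius-down-then-local": [("RADIUS", RADIUS_DOWN), ("Local", local_method)],
    "radius-only": [("RADIUS", RADIUS_DOWN)],
    "open": [("None", None)],
}
MAPPING = {
    "Console": "radius-down-then-local",
    "Telnet": "radius-only",
    "Secure Telnet (SSH)": "radius-then-local",
    "HTTP": "open",
}

if __name__ == "__main__":
    # Reachable RADIUS that rejects the factory account: Local is NOT consulted.
    print(authenticate(PROFILES["radius-then-local"], "cisco", "cisco", LOCAL_USERS))
    # Unreachable RADIUS: the walk falls through to Local.
    print(authenticate_access(MAPPING, PROFILES, "Console", "cisco", "cisco", LOCAL_USERS))
```

The second and third profiles show the operational consequence of the ordering rule: a profile that ends with a remote server (radius-only) locks every mapped access method out while that server is down, whereas a trailing Local entry keeps the factory account usable, which is exactly why that account's password should be changed.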


Defining TACACS+

The devices provide Terminal Access Controller Access Control System (TACACS+) client support. TACACS+ provides centralized security for validation of users accessing the device. TACACS+ provides a centralized user management system, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services:

Authentication — Provides authentication during login and via user names and user-defined passwords.

Authorization — Performed at login. Once the authentication session is completed, an authorization session starts using the authenticated user name. The TACACS server checks the user privileges.

The TACACS+ protocol ensures network integrity through encrypted protocol exchanges between the device and TACACS+ server.

The TACACS+ default parameters are user-assigned defaults. The default settings are applied to newly defined TACACS+ servers. If default values are not defined, the system defaults are applied to the new TACACS+ servers. The TACACS+ Page contains fields for assigning the Default Parameters for the TACACS+ servers.

To define TACACS+:


STEP 1 Click Security > Authentication > TACACS+. The TACACS+ Page opens:

TACACS+ Page

The TACACS+ Page contains the following fields:

Source IP Address — Displays the device source IP address used for the TACACS+ session between the device and the TACACS+ server.

Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server.

Timeout for Reply — Displays the amount of time that passes before the connection between the device and the TACACS+ server times out. The field range is 1-30 seconds.

The following parameters are configured for each TACACS+ server:

Host IP Address — Displays the TACACS+ Server IP address.

Priority — Displays the order in which the TACACS+ servers are used. The default is 0.

Source IP Address — Displays the device source IP address used for the TACACS+ session between the device and the TACACS+ server.

Authentication Port — Displays the port number through which the TACACS+ session occurs. The default is port 49.


Timeout for Reply — Displays the amount of time in seconds that passes before the connection between the device and the TACACS+ server times out. The field range is 1-1000 seconds.

Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected.

Status — Displays the connection status between the device and the TACACS+ server. The possible field values are:

-Connected — Indicates there is currently a connection between the device and the TACACS+ server.

-Not Connected — Indicates there is no current connection between the device and the TACACS+ server.

STEP 2 Click the Add button. The Add TACACS+ Server Page opens:

Add TACACS+ Server Page

The Add TACACS+ Server Page contains the following fields:

Host IP Address — Defines the TACACS+ Server IP address.

Priority — Defines the order in which the TACACS+ servers are used. The default is 0.

Source IP Address — Defines the device source address used for the TACACS+ session between the device and the TACACS+ server. The possible values are:

-User Defined — Allows the user to define the source Address.


-Use Default — Uses the default value for the parameter. If the Use Default check box is selected, the global value of 0.0.0.0 is used and interpreted as a request to use the IP address of the outgoing IP interface.

Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server. The possible values are:

-User Defined — Allows the user to define the Key String value.

-Use Default — Uses the default value for the parameter. If Use Default check box is selected, the global value is used which is an empty string.

Authentication Port — Defines the port number through which the TACACS+ session occurs. The default is port 49.

Timeout for Reply — Defines the amount of time that passes before the connection between the device and the TACACS+ server times out. The field range is 1-30 seconds.

-User Defined — Allows the user to define the Timeout for Reply value.

-Use Default — Uses the default value for the parameter. If Use Default check box is selected, the default is 5 seconds.

Single Connection — Enables a single open connection between the device and the TACACS+ server when selected.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The TACACS+ server is added, and the device is updated.

Modifying TACACS+ Settings

STEP 1 Click Security > Authentication > TACACS+. The TACACS+ Page opens:

STEP 2 Click the Edit Button. The Edit TACACS+ Server Page opens:


Edit TACACS+ Server Page

The Edit TACACS+ Server Page contains the following fields:

Host IP Address — Defines the TACACS+ Server IP address.

Priority — Defines the order in which the TACACS+ servers are used. The default is 0.

Source IP Address — Defines the device source address used for the TACACS+ session between the device and the TACACS+ server.

Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server.

Authentication Port — Defines the port number through which the TACACS+ session occurs. The default is port 49.

Timeout for Reply — Defines the amount of time that passes before the connection between the device and the TACACS+ server times out. The field range is 1-30 seconds.

Status — Displays the connection status between the device and the TACACS+ server. The possible field values are:

-Connected — Indicates there is currently a connection between the device and the TACACS+ server.

-Not Connected — Indicates there is no current connection between the device and the TACACS+ server.


Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected.

Use Default — Indicates that the factory default value is used.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The TACACS+ settings are modified, and the device is updated.

Defining RADIUS

Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks. RADIUS servers provide a centralized authentication method for web access. The default parameters are user-defined, and are applied to newly defined RADIUS servers. If new default parameters are not defined, the system default values are applied to newly defined RADIUS servers.

To define RADIUS:

STEP 1 Click Security > Authentication > RADIUS. The RADIUS Page opens:

RADIUS Page

The RADIUS Page contains the following fields:


Radius Accounting — Defines the authentication method used for RADIUS session accounting. Possible field values are:

-802.1x — 802.1x authentication is used to initiate accounting.

-Login — Login authentication is used to initiate accounting.

-Both — Both 802.1x and login authentication are used to initiate accounting.

-None — No authentication is used to initiate accounting.

Default Retries — Provides the default retries.

Default Timeout for Reply — Provides the device default Timeout for Reply.

Default Dead Time — Provides the device default Dead Time.

Default Key String — Provides the device default Key String.

Source IP Address — Defines the source IP address that is used for communication with RADIUS servers.

The following parameters are configured for each RADIUS server:

IP Address — Displays the Authentication Server IP addresses.

Priority — Indicates the server priority. The possible values are 0-65535, where 1 is the highest value. The RADIUS Server priority is used to configure the server query order.

Source IP Address — Displays the Authentication port’s IP address.

Authentication Port — Identifies the authentication port. The authentication port is used to verify the RADIUS server authentication. The authentication port default is 1812.

Accounting Port — Indicates the port used to send login and logout messages to the RADIUS server. The accounting port default is 1813.

Number of Retries — Defines the number of transmitted requests sent to RADIUS server before a failure occurs. The possible field values are 1 - 10. Three is the default value.

Timeout for Reply — Defines the amount of the time in seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server. The possible field values are 1 - 30. Three is the default value.


Dead Time — Defines the amount of time (minutes) that a RADIUS server is bypassed for service requests. The range is 0-2000. The Dead Time default is 0 minutes.

Key String — Defines the default key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This key must match the RADIUS encryption.

Usage Type — Specifies the RADIUS server authentication type. The default value is Login. The possible field values are:

-Login — Indicates that the RADIUS server is used for authenticating user name and passwords.

-802.1X — Indicates that the RADIUS server is used for 802.1X authentication.

-All — Indicates that the RADIUS server is used for authenticating user name and passwords, and 802.1X port authentication.

STEP 2 Click the Add button. The Add RADIUS Server Page opens:

Add RADIUS Server Page

The Add RADIUS Server Page contains the following fields:

Host IP Address — Displays the RADIUS Server IP address.


Priority — Displays the server priority. The possible values are 0-65535, where 1 is the highest value. The RADIUS Server priority is used to configure the server query order.

Source IP Address — Defines the source IP address that is used for communication with RADIUS servers.

Authentication Port — Identifies the authentication port. The authentication port is used to verify the RADIUS server authentication. The authentication port default is 1812.

Accounting Port — Indicates the port used to send login and logout messages to the RADIUS server. The accounting port default is 1813.

Number of Retries — Defines the number of transmitted requests sent to RADIUS server before a failure occurs. The possible field values are 1 - 10. Three is the default value.

Timeout for Reply — Defines the amount of the time in seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server. The possible field values are 1 - 30. Three is the default value.

Dead Time — Defines the amount of time (minutes) that a RADIUS server is bypassed for service requests. The range is 0-2000. The Dead Time default is 0 minutes.

Key String — Defines the default key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This key must match the RADIUS encryption.

Usage Type — Specifies the RADIUS server authentication type. The default value is Login. The possible field values are:

-Login — Indicates that the RADIUS server is used for authenticating user name and passwords.

-802.1X — Indicates that the RADIUS server is used for 802.1X authentication.

-All — Indicates that the RADIUS server is used for authenticating user name and passwords, and 802.1X port authentication.

Use Default — Uses the default value for the parameter.

STEP 3 Define the relevant fields.


STEP 4 Click Apply. The RADIUS Server is added, and the device is updated.
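How Priority, Number of Retries, Timeout for Reply and Dead Time interact when the device queries its RADIUS servers is easier to see in code. The following Python is an added example (not from the guide or the device firmware) that queries servers in priority order, retries each up to Number of Retries times with Timeout for Reply between attempts, bypasses a non-responding server for Dead Time, and reports failure to the caller when every server is exhausted. It assumes lower priority numbers are tried first; the server addresses are RFC 5737 documentation addresses and the transport is simulated with a virtual clock.

```python
from dataclasses import dataclass, field


@dataclass(order=True)
class RadiusServer:
    priority: int                 # guide range 0-65535; assumption: lower value queried first
    host: str = field(compare=False)
    auth_port: int = field(default=1812, compare=False)    # guide default
    retries: int = field(default=3, compare=False)         # guide default
    timeout_s: int = field(default=3, compare=False)       # guide default
    dead_time_min: int = field(default=0, compare=False)   # guide default: 0 = never bypassed
    dead_until: float = field(default=0.0, compare=False)  # simulated clock value


class RadiusClient:
    """Server query order, retry/timeout and Dead Time bypass, driven by a
    simulated clock so the example runs instantly and deterministically."""

    def __init__(self, servers, transport):
        self.servers = sorted(servers)      # by priority
        self.transport = transport          # transport(server, request) -> reply or None on timeout
        self.clock = 0.0                    # simulated seconds
        self.log = []

    def query(self, request):
        for srv in self.servers:
            if self.clock < srv.dead_until:
                self.log.append("%s: bypassed until t=%.0fs" % (srv.host, srv.dead_until))
                continue
            for attempt in range(1, srv.retries + 1):
                reply = self.transport(srv, request)
                if reply is not None:
                    self.log.append("%s: reply on attempt %d" % (srv.host, attempt))
                    return reply
                self.clock += srv.timeout_s   # one Timeout for Reply elapsed
                self.log.append("%s: attempt %d timed out, t=%.0fs" % (srv.host, attempt, self.clock))
            if srv.dead_time_min:             # all retries failed: bypass for Dead Time
                srv.dead_until = self.clock + 60 * srv.dead_time_min
        return None   # all servers exhausted: the caller treats RADIUS as unavailable


def make_transport(reachable_hosts):
    """Constructed transport: reachable hosts answer, others never reply."""
    def transport(server, request):
        if server.host in reachable_hosts:
            return "Access-Accept from %s:%d for %s" % (server.host, server.auth_port, request)
        return None
    return transport


def demo():
    """Primary (priority 1) unreachable with a 5-minute Dead Time, secondary reachable."""
    servers = [
        RadiusServer(priority=2, host="192.0.2.2"),
        RadiusServer(priority=1, host="192.0.2.1", dead_time_min=5),
    ]
    client = RadiusClient(servers, make_transport({"192.0.2.2"}))
    first = client.query("alice")    # 3 x 3 s wasted on the primary, then the secondary answers
    second = client.query("alice")   # primary is bypassed, the secondary answers at once
    return client, first, second


if __name__ == "__main__":
    client, _, _ = demo()
    print("\n".join(client.log))
```

The log from the demo makes the tuning trade-off concrete: with the defaults, a dead primary costs every login Number of Retries times Timeout for Reply (9 seconds) until Dead Time is non-zero; with Dead Time set, only the first login after the outage pays that price.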

Modifying RADIUS Server Settings

STEP 1 Click Security > Authentication > RADIUS. The RADIUS Page opens:

STEP 2 Click the Edit button. The Edit RADIUS Server Page opens:

Edit RADIUS Server Page

The Edit RADIUS Server Page contains the following fields:

IP Address — Defines the RADIUS Server IP address.

Priority — Displays the server priority. The possible values are 0-65535, where 1 is the highest value. The RADIUS Server priority is used to configure the server query order.

Source IP Address — Defines the source IP address that is used for communication with RADIUS servers.

Authentication Port — Displays the authentication port. The authentication port is used to verify the RADIUS server authentication. The authentication port default is 1812.


Accounting Port — Indicates the port used to send login and logout messages to the RADIUS server. The accounting port default is 1813.

Number of Retries — Defines the number of transmitted requests sent to RADIUS server before a failure occurs. The possible field values are 1 - 10. Three is the default value.

Timeout for Reply — Defines the amount of the time in seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server. The possible field values are 1 - 30. Three is the default value.

Dead Time — Defines the amount of time (minutes) that a RADIUS server is bypassed for service requests. The range is 0-2000. The Dead Time default is 0 minutes.

Key String — Defines the default key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This key must match the RADIUS encryption.

Usage Type — Specifies the RADIUS server authentication type. The default value is Login. The possible field values are:

-Login — Indicates that the RADIUS server is used for authenticating user name and passwords.

-802.1X — Indicates that the RADIUS server is used for 802.1X authentication.

-All — Indicates that the RADIUS server is used for authenticating user name and passwords, and 802.1X port authentication.

Use Default — Uses the default value for the parameter.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The RADIUS Server is modified, and the device is updated.

Defining Access Methods

The access method section contains the following pages:

Defining Access Profiles


Defining Profile Rules

Defining Access Profiles

Access profiles are profiles and rules for accessing the device. Access to management functions can be limited to user groups. User groups are defined for interfaces according to IP addresses or IP subnets. Access profiles contain management methods for accessing and managing the device. The device management methods include:

All

Telnet

Secure Telnet (SSH)

HTTP

Secure HTTP (HTTPS)

SNMP

Management access to different management methods may differ between user groups. For example, User Group 1 can access the switch module only via an HTTPS session, while User Group 2 can access the switch module via both HTTPS and Telnet sessions. The Access Profile Page contains the currently configured access profiles and their activity status. Assigning an access profile to an interface denies access via other interfaces. If no access profile is assigned to any interface, the device can be accessed by all interfaces.

To define access profiles:

STEP 1 Click Security > Access Method > Access Profiles. The Access Profiles Page opens:

Access Profiles Page

The Access Profiles Page contains the following fields:

Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.

Current Active Access Profile — Defines the access profile currently active.

STEP 2 Click the Add button. The Add Access Profile Page opens:

Add Access Profile Page

The Add Access Profile Page contains the following fields:

Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.

Rule Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis. The rule priorities are assigned in the Profile Rules Page.

Management Method — Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected. The possible field values are:

-All — Assigns all management methods to the rule.

-Telnet — Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.

-Secure Telnet (SSH) — Assigns SSH access to the rule. If selected, users accessing the device using SSH meeting access profile criteria are permitted or denied access to the device.

-HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.

-Secure HTTP (HTTPS) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.

-SNMP — Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.

Interface — Defines the interface on which the access profile is defined. The possible field values are:

-Port — Specifies the port on which the access profile is defined.

-EtherChannel — Specifies the EtherChannel on which the access profile is defined.

-VLAN — Specifies the VLAN on which the access profile is defined.

Source IP Address — Defines the interface source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork.

Network Mask — Determines what subnet the source IP Address belongs to in the network.

Prefix Length — Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.

Action — Defines the action attached to the rule. The possible field values are:

-Permit — Permits access to the device.

-Deny — Denies access to the device. This is the default.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The access profile is added, and the device is updated.

Defining Profile Rules

Access profiles can contain up to 128 rules that determine which users can manage the switch module, and by which methods. Users can also be blocked from accessing the device. Rules are composed of filters including:

Rule Priority

Interface

Management Method

IP Address

Prefix Length

Forwarding Action

To define profile rules:

STEP 1 Click Security > Access Method > Profile Rules. The Profile Rules Page opens:

Profile Rules Page

The Profile Rules Page contains the following fields:

Access Profile Name — Displays the access profile to which the rule is attached.

Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis.

Interface — Indicates the interface type to which the rule applies. The possible field values are:

-Port — Attaches the rule to the selected port.

-EtherChannel — Attaches the rule to the selected EtherChannel.

-VLAN — Attaches the rule to the selected VLAN.

Management Method — Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected. The possible field values are:

-All — Assigns all management methods to the rule.

-Telnet — Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.

-SNMP — Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.

-HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.

-Secure HTTP (SSL) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.

-Secure Telnet (SSH) — Assigns SSH access to the rule. If selected, users accessing the device using SSH meeting access profile criteria are permitted or denied access to the device.

Source IP Address — Defines the interface source IP address to which the rule applies.

Prefix Length — Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.

Action — Defines the action attached to the rule. The possible field values are:

-Permit — Permits access to the device.

-Deny — Denies access to the device. This is the default.

STEP 2 Click the Add button. The Add Profile Rule Page opens:

Add Profile Rule Page

The Add Profile Rule Page contains the following fields:

Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.

Rule Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis. The rule priorities are assigned in the Profile Rules Page.

Management Method — Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected. The possible field values are:

-All — Assigns all management methods to the rule.

-Telnet — Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.

-SNMP — Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.

-HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.

-Secure HTTP (SSL) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.

-Secure Telnet (SSH) — Assigns SSH access to the rule. If selected, users accessing the device using SSH meeting access profile criteria are permitted or denied access to the device.

Interface — Defines the interface on which the access profile is defined. The possible field values are:

-Port — Specifies the port on which the access profile is defined.

-EtherChannel — Specifies the EtherChannel on which the access profile is defined.

-VLAN — Specifies the VLAN on which the access profile is defined.

Source IP Address — Defines the interface source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork.

Network Mask — Determines what subnet the source IP Address belongs to in the network.

Prefix Length — Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.

Action — Defines the action attached to the rule. The possible field values are:

-Permit — Permits access to the device.

-Deny — Denies access to the device. This is the default.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The profile rule is added, and the device is updated.
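To show how the Rule Priority, Management Method, Interface, Source IP Address / Prefix Length and Action fields described on the Access Profiles and Profile Rules pages above combine, here is an added Python model of first-fit rule evaluation. It is not code from the guide or from the switch firmware; the rule and session structures, the helper names and the sample addresses are assumptions, and the shadowed_rules check goes beyond the page by reporting rules that an earlier, broader rule can never let through.

```python
"""Added worked example (not from the ESW 500 guide): first-fit evaluation of
access profile rules for a management session, plus a check for rules that an
earlier, broader rule makes unreachable. Rule and session shapes are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL = "All"  # the guide's "All" management method matches every method


@dataclass(frozen=True)
class ProfileRule:
    priority: int            # assumption: the lower number is checked first
    interface: str           # e.g. "VLAN 1", "Port e1", "EtherChannel 1"
    method: str              # All, Telnet, Secure Telnet (SSH), HTTP, Secure HTTP (HTTPS), SNMP
    source: Optional[ipaddress.IPv4Network]  # None = any source address
    action: str              # "Permit" or "Deny"


def make_rule(priority, interface, method, action, source_ip=None, prefix_length=32):
    """Build a rule from the page's Source IP Address + Prefix Length fields;
    10.0.0.0 with prefix length 24 yields the subnet 10.0.0.0/24."""
    source = None
    if source_ip is not None:
        source = ipaddress.ip_network(f"{source_ip}/{prefix_length}", strict=False)
    return ProfileRule(priority, interface, method, source, action)


@dataclass(frozen=True)
class MgmtSession:
    interface: str     # interface the management session arrived on
    method: str        # management method the client is using
    source_ip: str


def matches(rule: ProfileRule, session: MgmtSession) -> bool:
    if rule.interface != session.interface:
        return False
    if rule.method != ALL and rule.method != session.method:
        return False
    if rule.source is not None and ipaddress.ip_address(session.source_ip) not in rule.source:
        return False
    return True


def evaluate(rules: List[ProfileRule], session: MgmtSession) -> str:
    """Walk the rules in priority order and return the action of the first
    match; a session that matches no rule is denied (the guide's Deny default)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, session):
            return rule.action
    return "Deny"


def shadowed_rules(rules: List[ProfileRule]) -> List[ProfileRule]:
    """Rules that can never match because an earlier rule on the same interface
    already covers every method and source address they would match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            same_if = earlier.interface == later.interface
            wider_method = earlier.method in (ALL, later.method)
            wider_source = earlier.source is None or (
                later.source is not None and later.source.subnet_of(earlier.source))
            if same_if and wider_method and wider_source:
                shadowed.append(later)
                break
    return shadowed


# Constructed sample: HTTPS from the management subnet, SSH from one host,
# everything else on VLAN 1 explicitly denied.
SAMPLE_RULES = [
    make_rule(1, "VLAN 1", "Secure HTTP (HTTPS)", "Permit", "10.0.0.0", 24),
    make_rule(2, "VLAN 1", "Secure Telnet (SSH)", "Permit", "10.0.0.10", 32),
    make_rule(3, "VLAN 1", ALL, "Deny"),
]

if __name__ == "__main__":
    for s in [MgmtSession("VLAN 1", "Secure HTTP (HTTPS)", "10.0.0.5"),
              MgmtSession("VLAN 1", "Telnet", "10.0.0.5"),
              MgmtSession("VLAN 2", "Secure HTTP (HTTPS)", "10.0.0.5")]:
        print(s, "->", evaluate(SAMPLE_RULES, s))
    # A Deny-All rule placed at priority 0 would shadow all three rules above.
    print(len(shadowed_rules([make_rule(0, "VLAN 1", ALL, "Deny")] + SAMPLE_RULES)))
```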

Modifying Profile Rules

STEP 1 Click Security > Access Method > Profile Rules. The Profile Rules Page opens:

STEP 2 Click the Edit button. The Edit Profile Rule Page opens:

Edit Profile Rule Page

The Edit Profile Rule Page contains the following fields:

Access Profile Name — Defines the access profile name. The access profile name can contain up to 32 characters.

Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis. The rule priorities are assigned in the Profile Rules Page.

Management Method — Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected. The possible field values are:

-All — Assigns all management methods to the rule.

-Telnet — Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device.

-SNMP — Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.

-HTTP — Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device.

-Secure HTTP (SSL) — Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device.

-Secure Telnet (SSH) — Assigns SSH access to the rule. If selected, users accessing the device using SSH meeting access profile criteria are permitted or denied access to the device.

Interface — Defines the interface on which the access profile is defined. The possible field values are:

-Port — Specifies the port on which the access profile is defined.

-EtherChannel — Specifies the EtherChannel on which the access profile is defined.

-VLAN — Specifies the VLAN on which the access profile is defined.

Source IP Address — Defines the interface source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork.

Network Mask — Determines what subnet the source IP Address belongs to in the network.

Prefix Length — Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.

Action — Defines the action attached to the rule. The possible field values are:

-Permit — Permits access to the device.

-Deny — Denies access to the device. This is the default.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The profile rules are defined, and the device is updated.

Defining Traffic Control

The Traffic Control section contains the following pages:

Defining Storm Control

Defining Port Security

Defining Storm Control

Storm Control enables limiting the amount of Multicast and Broadcast frames accepted and forwarded by the device. When Layer 2 frames are forwarded, Broadcast and Multicast frames are flooded to all ports on the relevant VLAN. This occupies bandwidth, and loads all nodes connected on all ports.

A Broadcast Storm is a result of an excessive amount of broadcast messages simultaneously transmitted across a network by a single port. Forwarded message responses are heaped onto the network, straining network resources or causing the network to time out.

Storm Control is enabled per all ports by defining the packet type and the rate the packets are transmitted. The system measures the incoming Broadcast and Multicast frame rates separately on each port and discards the frames when the rate exceeds a user-defined rate.

NOTE Storm Control is enabled per port on GE devices, and per system on FE devices (not applicable to ESW520-8P devices).

The Storm Control Page provides fields for configuring Broadcast Storm Control.

To define storm control:

STEP 1 Click Security > Traffic Control > Storm Control. The Storm Control Page opens:

Storm Control Page

The Storm Control Page contains the following fields:

Unknown Unicast Group Control — On ESW 520 devices, sets the Unknown Unicast Control as the Broadcast Mode globally defined on the device.

Rate Threshold — On FE devices, sets the maximum rate (packets per second) at which unknown packets are forwarded. The rate range is 3,500 - 100,000 Kbps.

Copy From Entry Number — Copies the storm control configuration from the specified table entry.

To Entry Number(s) — Assigns the copied storm control configuration to the specified table entry.

Port — Indicates the port from which storm control is enabled.

Enable Broadcast Control — Indicates if Broadcast packet types are forwarded on the specific interface. The possible field values are:

-Enable — Enables Broadcast packet types to be forwarded. This is the default value.

-Disable — Disables Broadcast packet types to be forwarded.

Broadcast Rate Threshold — Indicates the maximum rate (kilobits per second) at which unknown packets are forwarded.

-For FE ports, the rate is 70 - 100,000 Kbps.

-For GE ports, the rate is 3,500 - 100,000 Kbps.

Broadcast Mode — Specifies the Broadcast mode currently enabled on the device. The possible field values are:

-Multicast & Broadcast — Counts Broadcast and Multicast traffic together.

-Broadcast Only — Counts only Broadcast traffic.

-Unknown Unicast — Counts only Unknown Unicast. Relevant on ESW 540, ESW 520, and ESW520-8p devices.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. Storm control is enabled, and the device is updated.

Modifying Storm Control

STEP 1 Click Security > Traffic Control > Storm Control. The Storm Control Page opens:

STEP 2 Click the Edit Button. The Edit Storm Control Page opens:

Edit Storm Control Page

The Edit Storm Control Page contains the following fields:

Port — Indicates the port from which storm control is enabled.

Enable Broadcast Control — Indicates if Broadcast packet types are forwarded on the specific interface. The possible field values are:

-Checked — Enables Broadcast packet types to be forwarded.

-Unchecked — Disables Broadcast packet types to be forwarded.

Broadcast Mode — Specifies the Broadcast mode currently enabled on the interface. The possible field values are:

-Multicast & Broadcast — Counts Broadcast and Multicast traffic together.

-Broadcast Only — Counts only Broadcast traffic.

-Unknown Unicast, Multicast & Broadcast — Counts Unknown Unicast, Broadcast and Multicast traffic together. This option is available on GE ports only. On FE devices, this option can only be set globally for the device from the Storm Control Page. Relevant on ESW-540, ESW-520, and ESW-520-8p devices.

Broadcast Rate Threshold — Displays the maximum rate (packets per second) at which unknown packets are forwarded.

-For FE ports, the rate is 70 - 100,000 Kbps.

-For GE ports, the rate is 3,500 - 100,000 Kbps.

STEP 3 Modify the relevant fields.

STEP 4 Click Apply. Storm control is modified, and the device is updated.
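As an added example (not from the guide or the device firmware), this Python model applies the Broadcast Mode and Broadcast Rate Threshold fields described above to a constructed frame burst on one port. The frame representation, the one-second measurement window and the helper names are assumptions; the threshold ranges and the GE-only restriction on the unknown-unicast mode are taken from the page.

```python
"""Added worked example (not from the ESW 500 guide): a per-port storm-control
model that classifies frames the way the guide's Broadcast Mode options count
them and discards frames once the counted rate exceeds the Broadcast Rate
Threshold within a one-second window. Frame shape and window are assumptions."""
from typing import Dict, List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Which frame classes each Broadcast Mode counts against the threshold.
COUNTED_BY_MODE = {
    "Broadcast Only": {"broadcast"},
    "Multicast & Broadcast": {"broadcast", "multicast"},
    "Unknown Unicast, Multicast & Broadcast": {"broadcast", "multicast", "unknown_unicast"},
}


def classify(dst_mac: str, fdb: set) -> str:
    """Broadcast, multicast (I/G bit set in the first octet), unknown unicast
    (no forwarding-table entry) or known unicast."""
    dst = dst_mac.lower()
    if dst == BROADCAST_MAC:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 1:
        return "multicast"
    return "unicast" if dst in fdb else "unknown_unicast"


class PortStormControl:
    def __init__(self, mode: str, threshold_kbps: int, gigabit: bool):
        # Threshold ranges from the guide: FE 70-100,000 Kbps, GE 3,500-100,000 Kbps.
        low = 3500 if gigabit else 70
        if not low <= threshold_kbps <= 100_000:
            raise ValueError(f"threshold {threshold_kbps} Kbps outside {low}-100,000")
        if mode == "Unknown Unicast, Multicast & Broadcast" and not gigabit:
            raise ValueError("unknown-unicast mode is available per port on GE ports only")
        self.counted = COUNTED_BY_MODE[mode]
        self.limit_bits = threshold_kbps * 1000
        self.window_start = None
        self.window_bits = 0

    def accept(self, t: float, dst_mac: str, length: int, fdb: set) -> bool:
        """Return True to forward, False to discard. Counted frames accumulate
        within a one-second window; a frame that would push the window over
        the threshold is discarded (assumption about the measurement method)."""
        kind = classify(dst_mac, fdb)
        if kind not in self.counted:
            return True
        if self.window_start is None or t - self.window_start >= 1.0:
            self.window_start, self.window_bits = t, 0
        bits = length * 8
        if self.window_bits + bits > self.limit_bits:
            return False
        self.window_bits += bits
        return True


def run(frames: List[Tuple[float, str, int]], ctl: PortStormControl, fdb: set) -> Dict[str, int]:
    """Feed constructed (timestamp, destination MAC, length) frames through the control."""
    out = {"forward": 0, "discard": 0}
    for t, dst, length in frames:
        out["forward" if ctl.accept(t, dst, length, fdb) else "discard"] += 1
    return out


# Constructed burst: ten 1000-byte broadcasts, then two multicasts, all within
# one second on a Fast Ethernet port set to its lowest threshold (70 Kbps).
FDB = {"00:11:22:33:44:55"}
BURST = [(i / 10, BROADCAST_MAC, 1000) for i in range(10)] + \
        [(0.95, "01:00:5e:00:00:01", 1000), (0.96, "01:00:5e:00:00:01", 1000)]

if __name__ == "__main__":
    # Broadcast Only: the multicasts are not counted and pass; two broadcasts are dropped.
    print(run(BURST, PortStormControl("Broadcast Only", 70, gigabit=False), FDB))
    # Multicast & Broadcast: the multicasts now count and are dropped too.
    print(run(BURST, PortStormControl("Multicast & Broadcast", 70, gigabit=False), FDB))
```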

Defining Port Security

Network security can be increased by limiting access on a specific port only to users with specific MAC addresses. The MAC addresses can be dynamically learned or statically configured. Locked port security monitors both received and learned packets that are received on specific ports. Access to the locked port is limited to users with specific MAC addresses. These addresses are either manually defined on the port, or learned on that port up to the point when it is locked. When a packet is received on a locked port, and the packet source MAC address is not tied to that port (either it was learned on a different port, or it is unknown to the system), the protection mechanism is invoked, and can provide various options. Unauthorized packets arriving at a locked port are either:

Forwarded

Discarded with no trap

Discarded with a trap

Cause the port to be shut down.

Locked port security also enables storing a list of MAC addresses in the configuration file. The MAC address list can be restored after the device has been reset. Disabled ports are activated from the Port Security Page.

NOTE To configure port lock, 802.1x multiple host mode must be enabled.

To define port security:

STEP 1 Click Security > Traffic Control > Port Security. The Port Security Page opens:

Port Security Page

The Port Security Page contains the following fields:

Ports Radio Button — Indicates the Port on which port security is configured.

EtherChannels Radio Button — Indicates the EtherChannel on which port security is configured.

Interface — Displays the port or EtherChannel name.

Interface Status — Indicates the port security status. The possible field values are:

-Unlocked — Indicates the port is currently unlocked. This is the default value.

-Locked — Indicates the port is currently locked.

Learning Mode — Defines the locked port type. The Learning Mode field is enabled only if Locked is selected in the Interface Status field. In order to change the Learning Mode, the Lock Interface must be set to Unlocked. Once the mode is changed, the Lock Interface can be reinstated. The possible field values are:

-Classic Lock — Locks the port using the classic lock mechanism. The port is immediately locked, regardless of the number of addresses that have already been learned.

-Limited Dynamic Lock — Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled.

NOTE For the port transitioning from classic lock to limited dynamic lock, previously learned MAC addresses are not deleted but are converted to a static MAC address.

Max Entries — Specifies the number of MAC addresses that can be learned on the port. The Max Entries field is enabled only if Locked is selected in the Interface Status field. In addition, the Limited Dynamic Lock mode is selected. The possible range is 1-128. The default is 1.

Action — Indicates the action to be applied to packets arriving on a locked port. The possible field values are:

-Discard — Discards packets from any unlearned source. This is the default value.

-Forward — Forwards packets from an unknown source without learning the MAC address.

-Shutdown — Discards packets from any unlearned source and shuts down the port. The port remains shut down until reactivated, or until the device is reset.

Trap — Enables traps when a packet is received on a locked port. The possible field values are:

-Enable — Enables traps.

-Disable — Disables traps.

Trap Frequency (Sec) — Displays the amount of time (in seconds) between traps. The default value is 10 seconds.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. Port security is defined, and the device is updated.

Modifying Port Security

STEP 1 Click Security > Traffic Control > Port Security. The Port Security Page opens:

STEP 2 Click the Edit Button. The Edit Port Security Page opens:

Edit Port Security Page

The Edit Port Security Page contains the following fields:

Interface — Select the port or EtherChannel name.

Lock Interface — Indicates the port security status. The possible field values are:

-Unchecked — Indicates the port is currently unlocked. This is the default value.

-Checked — Indicates the port is currently locked.

Learning Mode — Defines the locked port type. The Learning Mode field is enabled only if Locked is selected in the Interface Status field. In order to change the Learning Mode, the Lock Interface must be set to Unlocked. Once the mode is changed, the Lock Interface can be reinstated. The possible field values are:

-Classic Lock — Locks the port using the classic lock mechanism. The port is immediately locked, regardless of the number of addresses that have already been learned.

-Limited Dynamic Lock — Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled. Previously learned MAC addresses are not deleted but are converted to a static MAC address.

Max Entries — Specifies the number of MAC addresses that can be learned on the port. The Max Entries field is enabled only if Locked is selected in the Interface Status field. In addition, the Limited Dynamic Lock mode is selected. The possible range is 1-128. The default is 1.

Action on Violation — Indicates the action to be applied to packets arriving on a locked port. The possible field values are:

-Discard — Discards packets from any unlearned source. This is the default value.

-Forward — Forwards packets from an unknown source without learning the MAC address.

-Shutdown — Discards packets from any unlearned source and shuts down the port. The port remains shut down until reactivated, or until the device is reset.

Enable Trap — Enables traps when a packet is received on a locked port. The possible field values are:

-Checked — Enables traps.

-Unchecked — Disables traps.

Trap Frequency — Displays the amount of time (in seconds) between traps. The default value is 10 seconds.

STEP 3 Modify the relevant fields.

STEP 4 Click Apply. Port security is modified, and the device is updated.
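The locked-port behaviour described in this section (Learning Mode, Max Entries, Action on Violation, Trap and Trap Frequency), as an added Python model that is not the guide's or the device's own code. Class and method names, the timestamp argument passed with each frame and the sample MAC addresses are assumptions; the mode-change rule and the classic-to-limited-dynamic conversion follow the page.

```python
"""Added worked example (not from the ESW 500 guide): a model of a locked port
covering the two Learning Modes, Max Entries, the Discard / Forward / Shutdown
actions and trap rate limiting by Trap Frequency. Names and the timestamp
argument are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class LockedPort:
    name: str
    learning_mode: str = "Classic Lock"   # or "Limited Dynamic Lock"
    max_entries: int = 1                  # guide range 1-128, default 1
    action: str = "Discard"               # Discard | Forward | Shutdown
    trap_enabled: bool = True
    trap_frequency: int = 10              # seconds between traps, default 10
    locked: bool = False
    shut_down: bool = False
    static_macs: Set[str] = field(default_factory=set)
    dynamic_macs: Set[str] = field(default_factory=set)
    traps: List[Tuple[float, str]] = field(default_factory=list)
    last_trap_at: Optional[float] = None

    def set_learning_mode(self, mode: str) -> None:
        """The guide requires the port to be unlocked before the mode changes;
        going from Classic Lock to Limited Dynamic Lock keeps learned addresses
        as static entries instead of deleting them."""
        if self.locked:
            raise RuntimeError("unlock the interface before changing Learning Mode")
        if self.learning_mode == "Classic Lock" and mode == "Limited Dynamic Lock":
            self.static_macs |= self.dynamic_macs
            self.dynamic_macs.clear()
        self.learning_mode = mode

    def lock(self) -> None:
        """Classic Lock freezes whatever is already learned; Limited Dynamic
        Lock drops the dynamic entries and relearns up to max_entries."""
        if self.learning_mode == "Limited Dynamic Lock":
            self.dynamic_macs.clear()
        self.locked = True

    def unlock(self) -> None:
        self.locked = False

    def reactivate(self) -> None:
        """Administrative re-enable of a port the Shutdown action disabled."""
        self.shut_down = False

    def _trap(self, now: float, src_mac: str) -> None:
        if not self.trap_enabled:
            return
        if self.last_trap_at is not None and now - self.last_trap_at < self.trap_frequency:
            return                          # within Trap Frequency: suppressed
        self.traps.append((now, src_mac))
        self.last_trap_at = now

    def receive(self, src_mac: str, now: float) -> str:
        """Return 'forward' or 'discard' for a frame with this source MAC."""
        if self.shut_down:
            return "discard"
        if not self.locked:
            self.dynamic_macs.add(src_mac)  # normal learning on an unlocked port
            return "forward"
        if src_mac in self.static_macs or src_mac in self.dynamic_macs:
            return "forward"
        if self.learning_mode == "Limited Dynamic Lock" and len(self.dynamic_macs) < self.max_entries:
            self.dynamic_macs.add(src_mac)  # relearning allowed up to Max Entries
            return "forward"
        # Violation: the source is unknown to this locked port.
        self._trap(now, src_mac)
        if self.action == "Forward":
            return "forward"                # forwarded but never learned
        if self.action == "Shutdown":
            self.shut_down = True
        return "discard"


def replay(port: LockedPort, frames: List[Tuple[float, str]]) -> List[str]:
    """Run constructed (timestamp, source MAC) frames through the port."""
    return [port.receive(mac, t) for t, mac in frames]


if __name__ == "__main__":
    p = LockedPort("e1", learning_mode="Limited Dynamic Lock", max_entries=2)
    p.lock()
    print(replay(p, [(0, "00:00:00:00:00:01"), (1, "00:00:00:00:00:02"),
                     (2, "00:00:00:00:00:03"), (5, "00:00:00:00:00:03"),
                     (12, "00:00:00:00:00:03")]))
    print(p.traps)  # the t=5 violation is rate limited; traps at t=2 and t=12
```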

Defining 802.1x

Port based authentication enables authenticating system users on a per-port basis via an external server. Only authenticated and approved system users can transmit and receive data. Ports are authenticated via the RADIUS server using the Extensible Authentication Protocol (EAP). Port Authentication includes:

Authenticators — Specifies the port that is authenticated before permitting system access.

Supplicants — Specifies the host connected to the authenticated port that requests access to the system services.

Authentication Server — Specifies the external server, for example, the RADIUS server that performs the authentication on behalf of the authenticator, and indicates whether the supplicant is authorized to access system services.

Port based authentication creates two access states:

Controlled Access — Permits communication between the supplicant and the system, if the supplicant is authorized.

Uncontrolled Access — Permits uncontrolled communication regardless of the port state.

The 802.1x section contains the following pages:

Defining 802.1X Properties

Defining Port Authentication

Defining Authentication

Defining Authenticated Host

Defining 802.1X Properties

The 802.1X Properties Page provides parameters for enabling port authentication, and selecting the authentication method. To define port based authentication:

STEP 1 Click Security > 802.1X > Properties. The 802.1X Properties Page opens:

802.1X Properties Page

The 802.1X Properties Page contains the following fields:

Port Based Authentication State — Enables Port-based Authentication on the device. The possible field values are:

-Enable — Enables port-based authentication on the device.

-Disable — Disables port-based authentication on the device.

Authentication Method — Defines the user authentication methods. The possible field values are:

-RADIUS, None — Indicates port authentication is performed first via the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then the None option is used, and the session is permitted.

-RADIUS — Authenticates the user at the RADIUS server.

-None — No authentication method is used to authenticate the port.

Guest VLAN — Specifies whether the Guest VLAN is enabled on the device. The possible field values are:

-Checked — Enables using a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the VLAN List field.

-Unchecked — Disables use of a Guest VLAN for unauthorized ports. This is the default.

Guest VLAN ID — Contains a list of VLANs. The Guest VLAN is selected from the VLAN list.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The 802.1X properties are defined, and the device is updated.

Defining Port Authentication

The 802.1X Port Authentication Page provides parameters for defining 802.1X on ports.

STEP 1 Click Security > 802.1X > Port Authentication. The 802.1X Port Authentication Page opens:

802.1X Port Authentication Page

The 802.1X Port Authentication Page contains the following fields:

Copy From Entry Number — Copies the port authentication configuration from the specified table entry.

To Entry Number(s) — Assigns the copied port authentication configuration to the specified table entry.

Port — Displays the list of interfaces.

User Name — Displays the user name.

Current Port Control — Displays the current port authorization state.

Guest VLAN — Displays the Guest VLAN.

Authentication Method — Displays the authentication method in use. The possible field values are:

-802.1x Only — Enables only 802.1x authentication on the device.

-MAC Only — Enables only MAC Authentication on the device.

-802.1x & MAC — Enables 802.1x + MAC Authentication on the device. In the case of 802.1x + MAC, 802.1x takes precedence.

Periodic Reauthentication — Enables port reauthentication. The default value is disabled.

Reauthentication Period — Specifies the number of seconds in which the selected port is reauthenticated (Range: 300-4294967295). The field default is 3600 seconds.

Authenticator State — Specifies the port authorization state. The possible field values are as follows:

-Force-Authorized — Indicates the controlled port state is set to ForceAuthorized (forward traffic).

-Force-Unauthorized — Indicates the controlled port state is set to ForceUnauthorized (discard traffic).

-Initialize — Enables port-based authentication on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.

Quiet Period — Specifies the number of seconds that the switch remains in the quiet state following a failed authentication exchange (Range: 0-65535).

Resending EAP — Specifies the number of seconds that the switch waits for a response to an EAP-Request/Identity frame from the supplicant (client) before resending the request.

Max EAP Requests — Indicates the total number of EAP requests sent. If a response is not received after the defined period, the authentication process is restarted. The field default is 2 retries.

Supplicant Timeout — Displays the number of seconds that elapse before EAP requests are resent to the supplicant (Range: 1-65535). The field default is 30 seconds.

Server Timeout — Specifies the number of seconds that elapse before the switch resends a request to the authentication server (Range: 1-65535). The field default is 30 seconds.

Termination Cause — Indicates the reason for which the port authentication was terminated.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The 802.1X port authentication settings are defined, and the device is updated.
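An added Python example (not from the guide or the device) showing how the RADIUS server fields at the start of this chapter (Number of Retries, Timeout for Reply), the Authentication Method on the 802.1X Properties Page (RADIUS, None / RADIUS / None) and the port control state decide whether a port is authorized and whether an unauthorized port lands in the Guest VLAN. Function names, the reply model, the auto / forceAuthorized / forceUnauthorized spelling of the port control values and the guest-VLAN placement for forceUnauthorized are assumptions; the fail-open behaviour of "RADIUS, None" is what the page states.

```python
"""Added worked example (not from the ESW 500 guide): how the RADIUS client
settings, the 802.1X Authentication Method and the port control state combine
to authorize a port. Function names and the reply model are assumptions."""
from typing import Iterable, Optional, Tuple

Reply = Optional[str]   # "accept", "reject", or None = no answer before the timeout


def query_radius(replies: Iterable[Reply], retries: int = 3, timeout: int = 3) -> Tuple[Reply, int]:
    """Send up to `retries` requests, waiting `timeout` seconds for each;
    returns (verdict, seconds spent). Defaults are the guide's defaults (3, 3 s)."""
    it = iter(replies)
    spent = 0
    for _ in range(retries):
        reply = next(it, None)
        if reply is None:
            spent += timeout     # no reply: wait out the timeout and retry
            continue
        return reply, spent
    return None, spent           # server declared unreachable after all retries


def port_state(admin_control: str, auth_method: str, replies: Iterable[Reply],
               guest_vlan: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (state, vlan). admin_control: 'auto', 'forceAuthorized' or
    'forceUnauthorized'; auth_method: 'RADIUS', 'RADIUS, None' or 'None';
    guest_vlan: VLAN an unauthorized port joins when Guest VLAN is enabled."""
    if admin_control == "forceAuthorized":
        return "authorized", None          # traffic forwarded without any exchange
    if admin_control == "forceUnauthorized":
        return "unauthorized", guest_vlan  # assumption: guest VLAN still applies
    if auth_method == "None":
        return "authorized", None          # no authentication at all
    verdict, _ = query_radius(replies)
    if verdict == "accept":
        return "authorized", None
    if verdict is None and auth_method == "RADIUS, None":
        # Server unreachable: "RADIUS, None" falls back to None and permits the session.
        return "authorized", None
    return "unauthorized", guest_vlan      # rejected, or RADIUS-only with no server


def fail_open_ports(port_configs: dict) -> list:
    """Audit helper: ports whose configuration would authorize a client while
    no RADIUS server answers (includes forceAuthorized and method None)."""
    unreachable = [None, None, None]
    return sorted(name for name, cfg in port_configs.items()
                  if port_state(cfg["admin_control"], cfg["auth_method"], unreachable)[0] == "authorized")


# Constructed configuration for three ports.
PORTS = {
    "e1": {"admin_control": "auto", "auth_method": "RADIUS"},
    "e2": {"admin_control": "auto", "auth_method": "RADIUS, None"},
    "e3": {"admin_control": "forceAuthorized", "auth_method": "RADIUS"},
}

if __name__ == "__main__":
    print(query_radius([None, None, "accept"]))   # accepted on the third try after 6 s
    print(port_state("auto", "RADIUS", [None, None, None], guest_vlan=99))
    print(port_state("auto", "RADIUS, None", [None, None, None], guest_vlan=99))
    print(fail_open_ports(PORTS))
```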

Modifying 802.1X Security

STEP 1 Click Security > 802.1X > Port Authentication. The 802.1X Port Authentication Page opens:

STEP 2 Click the Edit button. The Port Authentication Settings Page opens:

Port Authentication Settings Page

The Port Authentication Settings Page contains the following fields:

Port — Indicates the port on which port-based authentication is enabled.

User Name — Displays the user name.

Current Port Control — Displays the current port authorization state.

Admin Port Control — Defines the admin port authorization state. The possible field values are:

-auto — Enables port-based authentication on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.

-forceAuthorized — Indicates the interface is in an authorized state without being authenticated. The interface sends and receives normal traffic without client port-based authentication.

-forceUnauthorized — Denies the selected interface system access by moving the interface into unauthorized state. The device cannot provide authentication services to the client through the interface.

Enable Guest VLAN — Specifies whether the Guest VLAN is enabled on the device. The possible field values are:

-Checked — Enables using a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the VLAN List field.

-Unchecked — Disables port-based authentication on the device. This is the default.

Authentication Method — Defines the user authentication method. The possible field values are:

-802.1x Only — Enables only 802.1x authentication on the device.

-MAC Only — Enables only MAC Authentication on the device.

-802.1x & MAC — Enables 802.1x + MAC Authentication on the device. In the case of 802.1x + MAC, 802.1x takes precedence.

Enable Periodic Reauthentication — Permits port reauthentication during the specified Reauthentication Period (see below). The possible field values are:

-Checked — Enables immediate port reauthentication. This is the default value.

-Unchecked — Disables port reauthentication.

Reauthentication Period — Specifies the number of seconds after which the selected port is reauthenticated (Range: 300-4294967295). The field default is 3600 seconds.

Reauthenticate Now — Specifies that authentication is applied on the device when the Apply button is pressed.

-Checked — Enables immediate port reauthentication.


-Unchecked — Port reauthentication occurs according to the Reauthentication settings above.

Authenticator State — Specifies the port authorization state. The possible field values are as follows:

-Initialize — Enables port-based authentication on the device. The interface moves between the authorized and unauthorized states based on the authentication exchange between the device and the client.

-Force-Authorized — Indicates the controlled port state is set to ForceAuthorized (forward traffic).

-Force-Unauthorized — Indicates the controlled port state is set to ForceUnauthorized (discard traffic).

Quiet Period — Specifies the number of seconds that the switch remains in the quiet state following a failed authentication exchange (Range: 0-65535).

Resending EAP — Specifies the number of seconds that the switch waits for a response to an EAP-Request/Identity frame from the supplicant (client) before resending the request.

Max EAP Requests — Displays the total number of EAP requests sent. If a response is not received after the defined period, the authentication process is restarted. The field default is 2 retries.

Supplicant Timeout — Displays the number of seconds that elapse before EAP requests are resent to the supplicant (Range: 1-65535). The field default is 30 seconds.

Server Timeout — Specifies the number of seconds that elapse before the switch resends a request to the authentication server (Range: 1-65535). The field default is 30 seconds.

Termination Cause — Indicates the reason for which the port authentication was terminated, if applicable.

STEP 3 Modify the relevant fields.

STEP 4 Click Apply. The port authentication settings are defined, and the device is updated.


Defining Authentication

The 802.1X Authentication Page allows network managers to configure advanced port-based authentication settings for specific ports and VLANs.

STEP 1 Click Security > 802.1X > Authentication. The 802.1X Authentication Page opens:

802.1X Authentication Page

The 802.1X Authentication Page contains the following fields:

Port — Displays the port number for which the Multiple Hosts configuration is displayed.

Host Authentication — Defines the Host Authentication mode. The possible field values are:

-Single — Only the authorized host can access the port.

-Multiple Host — Multiple hosts can be attached to a single 802.1x-enabled port. Only one host must be authorized for all hosts to access the network. If the host authentication fails, or an EAPOL-logoff message is received, all attached clients are denied access to the network.

-Multi Session — Enables a number of specific authorized hosts to access the port. Filtering is based on the source MAC address.


Action on Violation — Defines the action to be applied to packets arriving in single-host mode from a host whose MAC address is not the supplicant MAC address. The possible field values are:

-Forward — Forwards the packet.

-Discard — Discards the packets. This is the default value.

-Shut Down — Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is reset.

Traps — Indicates if traps are enabled for Multiple Hosts. The possible field values are:

-Enable — Indicates that traps are enabled for Multiple hosts.

-Disable — Indicates that traps are disabled for Multiple hosts.

Trap Frequency — Defines the time period by which traps are sent to the host. The Trap Frequency (1-1000000) field can be defined only if multiple hosts are disabled. The default is 10 seconds.

Status — Indicates the host status. If an asterisk (*) is displayed, the port is either not linked or is down. The possible field values are:

-Not in Auto Mode — Indicates the port is not linked or is down.

-Unauthorized — Indicates that either the port control is Force Unauthorized and the port link is down, or the port control is Auto but a client has not been authenticated via the port.

-Force-Authorized — Indicates that the port control is Forced Authorized, and clients have full port access.

-Single-host Lock — Indicates that the port control is Auto and only a single client has been authenticated via the port.

-Multiple Hosts — Indicates that the port control is Auto and Multiple Hosts mode is enabled. One client has been authenticated.

-Multiple Sessions — Indicates that the port control is Auto and Multiple Sessions mode is enabled. At least one client has been authenticated.

Number of Violations — Indicates the number of packets that arrived on the interface in single-host mode from a host whose MAC address is not the supplicant MAC address.
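As an added example that is not part of this guide (the switch's own implementation is not shown), here is a small Python model of how the Host Authentication mode, Action on Violation and Number of Violations fields above interact for frames arriving on one port in Auto port control. The Port class, its method names and the sample MAC addresses are hypothetical.

```python
from dataclasses import dataclass, field

# Host Authentication modes and Action on Violation values as named on the page.
SINGLE, MULTIPLE_HOST, MULTI_SESSION = "Single", "Multiple Host", "Multi Session"
FORWARD, DISCARD, SHUT_DOWN = "Forward", "Discard", "Shut Down"


@dataclass
class Port:
    """One 802.1x port in Auto port control. Hypothetical model, not Cisco code."""
    host_mode: str = SINGLE
    action_on_violation: str = DISCARD                 # the page's default
    authenticated: set = field(default_factory=set)    # supplicant MACs authorized here
    violations: int = 0                                # the page's "Number of Violations"
    shut_down: bool = False

    def authenticate(self, mac: str) -> None:
        """Record a successful 802.1x/MAC authentication for mac."""
        mac = mac.lower()
        if self.host_mode == SINGLE and self.authenticated and mac not in self.authenticated:
            # "Single-host Lock": the port is already bound to one supplicant.
            raise ValueError("single-host port is locked to another supplicant")
        self.authenticated.add(mac)

    def eapol_logoff(self, mac: str) -> None:
        """EAPOL-logoff from mac. On a Multiple Host port this denies every attached client."""
        mac = mac.lower()
        if self.host_mode == MULTIPLE_HOST:
            self.authenticated.clear()
        else:
            self.authenticated.discard(mac)

    def decide(self, src_mac: str) -> str:
        """Return Forward, Discard or Shut Down for a frame from src_mac."""
        if self.shut_down:
            return DISCARD                  # stays down until reactivated or the device is reset
        if not self.authenticated:
            return DISCARD                  # port is Unauthorized: no client authenticated yet
        mac = src_mac.lower()
        if self.host_mode == MULTIPLE_HOST:
            return FORWARD                  # one authorized host opens the port for all hosts
        if mac in self.authenticated:
            return FORWARD                  # Single / Multi Session filter on the source MAC
        if self.host_mode == MULTI_SESSION:
            return DISCARD                  # unauthenticated session; not counted as a violation
        # Single-host mode and a foreign source MAC: a violation by the page's definition.
        self.violations += 1
        if self.action_on_violation == SHUT_DOWN:
            self.shut_down = True
            return SHUT_DOWN
        return self.action_on_violation     # Forward or Discard; still counted


if __name__ == "__main__":
    port = Port(host_mode=SINGLE, action_on_violation=SHUT_DOWN)
    port.authenticate("00:11:22:33:44:55")                 # constructed sample MACs
    print(port.decide("00:11:22:33:44:55"))                # Forward
    print(port.decide("66:77:88:99:aa:bb"), port.violations)  # Shut Down 1
```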


Modifying Authentication Settings

STEP 1 Click Security > 802.1X > Authentication. The 802.1X Port Authentication Page opens:

STEP 2 Click the Edit button. The Edit Authentication Page opens:

Edit Authentication Page

The Edit Authentication Page contains the following fields:

Port — Displays the port number for which advanced port-based authentication is enabled.

Host Authentication — Defines the Host Authentication mode. The possible field values are:

-Single — Only the authorized host can access the port.

-Multiple Host — Multiple hosts can be attached to a single 802.1x-enabled port. Only one host must be authorized for all hosts to access the network. If the host authentication fails, or an EAPOL-logoff message is received, all attached clients are denied access to the network.

-Multi Session — Enables a number of specific authorized hosts to access the port. Filtering is based on the source MAC address.

Action on Violation — Defines the action to be applied to packets arriving in single-host mode from a host whose MAC address is not the supplicant MAC address. The possible field values are:

-Forward — Forwards the packet.


-Discard — Discards the packets. This is the default value.

-Shut Down — Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is reset.

Enable Traps — Indicates if traps are enabled for Multiple Hosts. The possible field values are:

-Checked — Indicates that traps are enabled for Multiple hosts.

-Unchecked — Indicates that traps are disabled for Multiple hosts.

Trap Frequency — Defines the time period by which traps are sent to the host. The Trap Frequency (1-1000000) field can be defined only if multiple hosts are disabled. The default is 10 seconds.

STEP 3 Modify the relevant fields.

STEP 4 Click Apply. The authentication settings are defined, and the device is updated.

Authenticated Hosts

The Authenticated Hosts Page contains a list of authenticated users.


STEP 1 Click Security > 802.1X > Authenticated Hosts. The Authenticated Hosts Page opens:

Authenticated Hosts Page

The Authenticated Hosts Page contains the following fields:

User Name — Lists the supplicants that were authenticated, and are permitted on each port.

Port — Displays the port number.

Session Time — Displays the amount of time (in seconds) the supplicant has been logged on to the port.

Authentication Method — Displays the method by which the last session was authenticated. The possible field values are:

-Remote — Indicates that 802.1x authentication is not used on this port (the port is forced-authorized).

-None — Indicates the supplicant was not authenticated.


-RADIUS — Indicates the supplicant was authenticated by a RADIUS server.

MAC Address — Displays the supplicant MAC address.

Defining Access Control

Access Control Lists (ACLs) allow network managers to define classification actions and rules for specific ingress ports. Your switch supports up to 256 ACLs. Packets entering an ingress port with an active ACL are either admitted or denied entry. If they are denied entry, the user can disable the port. ACLs are composed of Access Control Entries (ACEs), which are made of the filters that determine traffic classifications. The total number of ACEs that can be defined in all ACLs together is 256.

The Access Control section contains the following pages:

Defining MAC Based ACL

Defining IP Based ACL

Defining ACL Binding

Defining MAC Based ACL

The MAC Based ACL Page allows a MAC-based Access Control List (ACL) to be defined. The table lists Access Control Element (ACE) rules, which can be added only if the ACL is not bound to an interface.

To define the MAC Based ACL:

STEP 1 Click Security > Access Control Lists (ACL) > MAC Based ACL. The MAC Based ACL Page opens:


MAC Based ACL Page

The MAC Based ACL Page contains the following fields:

ACL Name — Displays the user-defined MAC based ACLs.

Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.

Source MAC Address — Defines the source MAC address to match the ACE.

Source MAC Mask — Defines the source MAC mask to match the ACE.

Destination MAC Address — Defines the destination MAC address to match the ACE.

Destination MAC Mask — Defines the destination MAC mask to which packets are matched.

VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4093.

Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.

802.1p — Displays the packet tag value.


802.1p Mask — Displays the wildcard bits to be applied to the CoS.

Ethertype — Displays the Ethernet type of the packet.

Action — Indicates the ACL forwarding action. For example, the port can be shut down, a trap can be sent to the network administrator, or the packet is assigned rate-limiting restrictions for forwarding. Possible field values are:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed. Ports are reactivated from the Edit Interface Settings Page.

STEP 2 Click the Add ACL button. The Add MAC Based ACL Page opens:

Add MAC Based ACL Page

The Add MAC Based ACL Page contains the following fields:

ACL Name — Displays the user-defined MAC based ACLs.

New Rule Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.

Source MAC Address:


-MAC Address — Matches the source MAC address from which packets are addressed to the ACE.

-Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the source MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.

Destination MAC Address:

-MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.

-Wildcard Mask — Indicates the destination MAC Address wildcard mask. Wildcards are used to mask all or part of a destination MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.

VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.

Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.

802.1p — Displays the packet tag value.

802.1p Mask — Displays the wildcard bits to be applied to the CoS.

Ethertype — Displays the Ethernet type of the packet.

Action — Indicates the ACL forwarding action. The possible field values are:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed.


STEP 3 Define the relevant fields.

STEP 4 Click Apply. The MAC Based ACL is defined, and the device is updated.

Adding Rule to MAC Based ACL

STEP 1 Click Security > Access Control Lists (ACL) > MAC Based ACL. The MAC Based ACL Page opens.

STEP 2 Select an existing ACL from the ACL Name drop-down list.

STEP 3 Click the Add Rule button. The Add Rule Page opens:

Add MAC Based Rule Page

The Add MAC Based Rule Page contains the following fields:

ACL Name — Displays the user-defined MAC based ACLs.

New Rule Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.

Source MAC Address


-MAC Address — Matches the source MAC address from which packets are addressed to the ACE.

-Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the source MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.

Destination MAC Address

-MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.

-Wildcard Mask — Indicates the destination MAC Address wildcard mask. Wildcards are used to mask all or part of a destination MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.

VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.

Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.

802.1p — Displays the packet tag value.

802.1p Mask — Displays the wildcard bits to be applied to the CoS.

Ethertype — Displays the Ethernet type of the packet.

Action — Indicates the ACL forwarding action. The possible field values are:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed.


STEP 4 Define the relevant fields.

STEP 5 Click Apply. The ACL Rule is defined, and the device is updated.

Modifying MAC Based ACL

STEP 1 Click Security > Access Control Lists (ACL) > MAC Based ACL. The MAC Based ACL Page opens.

STEP 2 Click the Edit button. The Rule Settings Page opens:

Rule Settings Page

The Rule Settings Page contains the following fields:

ACL Name — Displays the user-defined MAC based ACLs.

Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.

Source MAC Address:

-MAC Address — Matches the source MAC address from which packets are addressed to the ACE.


-Wildcard Mask — Indicates the source MAC Address wildcard mask. Wildcards are used to mask all or part of a source MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the source MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.

Destination MAC Address:

-MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.

-Wildcard Mask — Indicates the destination MAC Address wildcard mask. Wildcards are used to mask all or part of a destination MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination MAC address is 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.

VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.

Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.

802.1p — Displays the packet tag value.

802.1p Mask — Displays the wildcard bits to be applied to the CoS.

Ethertype — Displays the Ethernet type of the packet.

Action — Indicates the ACL forwarding action. The possible field values are:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed.

STEP 3 Define the relevant fields.


STEP 4 Click Apply. The MAC Based ACL is modified, and the device is updated.

Defining IP Based ACL

The IP Based ACL Page contains information for defining IP Based ACLs, including the ACEs defined for IP Based ACLs.

To define an IP based ACL:

STEP 1 Click Security > Access Control Lists (ACL) > IP Based ACL. The IP Based ACL Page opens:

IP Based ACL Page

The IP Based ACL Page contains the following fields:

ACL Name — Displays the user-defined IP based ACLs.

Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.


Protocol — Creates an ACE based on a specific protocol. The possible field values are:

-ICMP — Internet Control Message Protocol (ICMP). ICMP allows the gateway or destination host to communicate with the source host, for example to report a processing error.

-IGMP — Internet Group Management Protocol (IGMP). Allows hosts to notify their local switch or router that they want to receive transmissions assigned to a specific multicast group.

-IP — Internet Protocol (IP). Specifies the format of packets and their addressing method. IP addresses packets and forwards the packets to the correct port.

-TCP — Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees packets are transmitted and received in the order they are sent.

-EGP — Exterior Gateway Protocol (EGP). Permits exchanging routing information between two neighboring gateway hosts in an autonomous systems network.

-IGP — Interior Gateway Protocol (IGP). Allows for routing information exchange between gateways in an autonomous network.

-UDP — User Datagram Protocol (UDP). Communication protocol that transmits packets but does not guarantee their delivery.

-HMP — Host Mapping Protocol (HMP). Collects network information from various network hosts. HMP monitors hosts spread over the Internet as well as hosts in a single network.

-RDP — Remote Desktop Protocol (RDP). Allows clients to communicate with the Terminal Server over the network.

-IDPR — Matches the packet to the Inter-Domain Policy Routing (IDPR) protocol.

-RSVP — Matches the packet to the ReSerVation Protocol (RSVP).

-GRE — Matches the packet to the Generic Routing Encapsulation (GRE) protocol.

-ESP — Matches the packet to the Encapsulating Security Payload (ESP) protocol.


-AH — Authentication Header (AH). Provides source host authentication and data integrity.

-EIGRP — Enhanced Interior Gateway Routing Protocol (EIGRP). Provides fast convergence, support for variable-length subnet masks, and support for multiple network layer protocols.

-OSPF — The Open Shortest Path First (OSPF) protocol is a link-state, hierarchical Interior Gateway Protocol (IGP) for network routing. Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).

-IPIP — IP over IP (IPIP). Encapsulates IP packets to create tunnels between two routers. This ensures that the IPIP tunnel appears as a single interface, rather than several separate interfaces. IPIP enables intranets to be tunneled across the Internet, and provides an alternative to source routing.

-PIM — Matches the packet to Protocol Independent Multicast (PIM).

-L2TP — Matches the packet to Layer 2 Internet Protocol (L2IP).

-ISIS — Intermediate System - Intermediate System (ISIS). Distributes IP routing information throughout a single Autonomous System in IP networks.

-ANY — Matches the protocol to any protocol.

Source Port — Defines the TCP/UDP source port to which the ACE is matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

Destination Port — Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

Flag Set — Sets the indicated TCP EtherChannel that can be triggered.

ICMP Type — Filters packets by ICMP message type. The possible field range is 0-255.

ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.

IGMP Type — Filters packets by IGMP message or message types.

Source


-IP Address — Displays the source IP address from which packets matched by the ACE are sent.

-Wildcard Mask — Displays the source IP address wildcard mask. Wildcard masks specify which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important. For example, if the source IP address is 149.36.184.198 and the wildcard mask is 255.36.184.00, the first eight bits of the IP address are ignored, while the last eight bits are used.

Destination

-IP Address — Displays the destination IP address to which packets are addressed to the ACE.

-Wildcard Mask — Displays the destination IP address wildcard mask.

DSCP — Matches the packet's DSCP value.

IP Prec — Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs. The possible field range is 0-7.

Action — Indicates the action assigned to the packet matching the ACL. Packets are forwarded or dropped. In addition, the port can be shut down, a trap can be sent to the network administrator, or the packet is assigned rate-limiting restrictions for forwarding. The options are as follows:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packets that meet the ACL criteria, and disables the port to which the packet was addressed. Ports are reactivated from the Port Management page.

-Match IP Precedence — Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs. The possible field range is 0-7.

Delete ACL button — To remove an ACL, click the Delete ACL button.

Delete Rule button — To remove an ACE rule, click the rule’s checkbox and click the Delete Rule button.
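To make the wildcard-mask rule concrete for both the MAC Based ACL pages and the IP Based ACL page above, here is an added Python example (not Cisco code) that applies the ACE matching those field lists describe, including first-match by priority number. The class and function names are assumptions, the frames and packets are constructed samples, and because this page does not state what the switch does when no ACE matches, the `no_match` default is an explicit assumption the caller can override.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PERMIT, DENY, SHUTDOWN = "Permit", "Deny", "Shutdown"   # Action values from the page


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Compare only the bits that are 0 in the wildcard mask; 1 bits are ignored."""
    return (value & ~wildcard) == (pattern & ~wildcard)


def mac_matches(pkt: str, pattern: str, wildcard: str) -> bool:
    return wildcard_match(mac_to_int(pkt), mac_to_int(pattern), mac_to_int(wildcard))


def ip_matches(pkt: str, pattern: str, wildcard: str) -> bool:
    return wildcard_match(int(IPv4Address(pkt)), int(IPv4Address(pattern)),
                          int(IPv4Address(wildcard)))


@dataclass
class MacAce:
    """One rule of a MAC based ACL (hypothetical model of the page's fields)."""
    priority: int                        # 1-2147483647, lowest number is checked first
    action: str
    src_mac: str = "00:00:00:00:00:00"
    src_mask: str = "ff:ff:ff:ff:ff:ff"  # all ff: no octet is important
    dst_mac: str = "00:00:00:00:00:00"
    dst_mask: str = "ff:ff:ff:ff:ff:ff"
    vlan_id: Optional[int] = None
    ethertype: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        return (mac_matches(frame["src_mac"], self.src_mac, self.src_mask)
                and mac_matches(frame["dst_mac"], self.dst_mac, self.dst_mask)
                and (self.vlan_id is None or frame.get("vlan") == self.vlan_id)
                and (self.ethertype is None or frame.get("ethertype") == self.ethertype))


@dataclass
class IpAce:
    """One rule of an IP based ACL (hypothetical model of the page's fields)."""
    priority: int
    action: str
    protocol: str = "ANY"                # ICMP, TCP, UDP, ... or ANY
    src_ip: str = "0.0.0.0"
    src_mask: str = "255.255.255.255"    # all 255: no bit is important
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    dst_port: Optional[int] = None       # only meaningful for TCP/UDP, as on the page

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ANY" and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and (pkt.get("protocol") not in ("TCP", "UDP")
                                          or pkt.get("dst_port") != self.dst_port):
            return False
        return (ip_matches(pkt["src_ip"], self.src_ip, self.src_mask)
                and ip_matches(pkt["dst_ip"], self.dst_ip, self.dst_mask))


def evaluate(acl: list, pkt: dict, no_match: str = DENY) -> str:
    """First match wins: ACEs are tried in ascending priority number.
    The switch's behaviour when nothing matches is not given on this page;
    no_match is an assumption, not a documented default."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.matches(pkt):
            return ace.action
    return no_match


if __name__ == "__main__":
    # The page's own example: check octets 1, 3 and 5, ignore 2, 4 and 6.
    acl = [MacAce(priority=10, action=DENY, src_mac="09:00:07:A9:B2:EB",
                  src_mask="00:ff:00:ff:00:ff"),
           MacAce(priority=20, action=PERMIT)]
    frame = {"src_mac": "09:AA:07:BB:B2:CC", "dst_mac": "ff:ff:ff:ff:ff:ff"}  # constructed
    print(evaluate(acl, frame))   # Deny
```

Note that the page's IP example mask 255.36.184.00 also ignores the bits that are 1 in 36 and 184 within the second and third octets, so 149.0.0.198 matches the same ACE as 149.36.184.198.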

STEP 2 Click the Add ACL button. The Add IP Based ACL Page opens:


Add IP Based ACL Page

The Add IP Based ACL Page contains the following fields:

ACL Name — Defines the user-defined IP based ACLs.

New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.

Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.

Source Port — Defines the TCP/UDP source port to which the ACE is matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

Destination Port — Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

TCP Flags — Filters packets by TCP EtherChannel. Filtered packets are either forwarded or dropped. Filtering packets by TCP EtherChannels increases packet control, which increases network security. Once the box is checked, there are other parameters that can be selected from the dropdown menu:

-Urg — Urgent

-Ack — Acknowledgement


-Psh — Push

-Rst — Reset

-Syn — Synchronize

-Fin — Final

ICMP — Indicates if ICMP packets are permitted on the network. The possible field values are as follows:

ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.

ICMP Type — Filters packets by ICMP message or message types.

IGMP — Filters packets by IGMP message or message types.

Source

-IP Address — Matches the source IP address from which packets are sent to the ACE.

-Wildcard Mask — Defines the source IP address wildcard mask. Wildcard masks specify which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important. For example, if the source IP address is 149.36.184.198 and the wildcard mask is 255.36.184.00, the first eight bits of the IP address are ignored, while the last eight bits are used.

Destination

-IP Address — Matches the destination IP address to which packets are addressed to the ACE.

-Wildcard Mask — Defines the destination IP address wildcard mask.

Select either Match DSCP or Match IP Precedence.

Match DSCP — Matches the packet to the DSCP tag value. The possible field range is 0-63.

Match IP Precedence — Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs. The possible field range is 0-7.


Traffic Class — Indicates the traffic class to which the packets are matched. The possible field values are:

-Checked — Matches packets to traffic classes.

-Unchecked — Does not match packets to traffic classes.

Action — Indicates the action assigned to the packet matching the ACL. Packets are forwarded or dropped. In addition, the port can be shut down, a trap can be sent to the network administrator, or the packet is assigned rate-limiting restrictions for forwarding. The options are as follows:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packets that meet the ACL criteria, and disables the port to which the packet was addressed. Ports are reactivated from the Port Management page.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The IP Based ACL is defined, and the device is updated.

Modifying IP Based ACL

STEP 1 Click Security > Access Control Lists (ACL) > IP Based ACL. The IP Based ACL Page opens.

STEP 2 Click the Edit button. The Edit IP Based ACL Page opens:


Edit IP Based ACL Page

The Edit IP Based ACL Page contains the following fields:

ACL Name — Displays the user-defined IP based ACLs.

New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.

Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.

Source Port — Defines the TCP/UDP source port to which the ACE is matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

Destination Port — Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

TCP Flags — Filters packets by TCP EtherChannel. Filtered packets are either forwarded or dropped. Filtering packets by TCP EtherChannels increases packet control, which increases network security.

ICMP — Indicates if ICMP packets are permitted on the network. The possible field values are as follows:


ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.

IGMP — Filters packets by IGMP message or message types.

Source

-IP Address — Matches the source IP address of the packet against the ACE.

-Wildcard Mask — Defines the source IP address wildcard mask. Wildcard masks specify which bits are compared and which bits are ignored: a 0 bit in the mask means the corresponding address bit must match, a 1 bit means it is ignored. A wildcard mask of 255.255.255.255 indicates that no bit is compared (any address matches). A wildcard mask of 0.0.0.0 indicates that all bits are compared (only the exact address matches). For example, with the source IP address 149.36.184.198 and the wildcard mask 0.0.0.255, the first 24 bits (149.36.184) must match and the last eight bits are ignored, so the ACE matches every address from 149.36.184.0 through 149.36.184.255. Note that wildcard masks are the inverse of subnet masks: a /24 network corresponds to the wildcard 0.0.0.255.

Destination

-IP Address — Matches the destination IP address of the packet against the ACE.

-Wildcard Mask — Defines the destination IP address wildcard mask, with the same semantics as the source wildcard mask.

Select either Match DSCP or Match IP Precedence.

Match DSCP — Matches the packet to the DSCP tag value. The possible field range is 0-63.

Match IP Precedence — Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs, not both. The possible field range is 0-7.

Traffic Class — Indicates the traffic class to which the packet is matched.

Action — Indicates the action assigned to a packet matching the ACE. Packets are forwarded or dropped. In addition, the port can be shut down, a trap can be sent to the network administrator, or the packet can be assigned rate limiting restrictions for forwarding. The options are as follows:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packets that meet the ACL criteria and disables the port on which they were received (the ingress port the ACL is bound to). Ports are reactivated from the Port Management page.


STEP 3 Define the relevant fields.

STEP 4 Click Apply. The IP Based ACL is modified, and the device is updated.

Adding an IP Based Rule

STEP 1 Click Security > Access Control Lists (ACL) > IP Based ACL. The IP Based ACL Page opens:

STEP 2 Select an ACL from the ACL Name drop-down list.

STEP 3 Click the Add Rule button. The Add IP Based Rule Page opens:

Add IP Based Rule Page

The Add IP Based Rule Page contains the following fields:

ACL Name — Displays the user-defined IP based ACLs.

New Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis. Rules are tested in priority order and evaluation stops at the first ACE that matches.

Protocol — Creates an ACE based on a specific protocol. For a list of available protocols, see the Protocol field description in the IP Based ACL Page above.


Source Port — Defines the TCP/UDP source port to which the ACE is matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

Destination Port — Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down list. The possible field range is 0 - 65535.

TCP Flags — Filters packets by the TCP flags set in the header (URG, ACK, PSH, RST, SYN, FIN). Filtered packets are either forwarded or dropped. Filtering on TCP flags gives finer control over connection state, which increases network security.

ICMP — Matches ICMP packets by ICMP message type.

ICMP Code — Indicates an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.

IGMP — Filters packets by IGMP message or message types.

Source IP Address — Matches the source IP address of the packet against the ACE.

Dest. IP Address — Matches the destination IP address of the packet against the ACE.

Traffic Class — Indicates the traffic class to which the packet is matched.

Select either Match DSCP or Match IP Precedence:

Match DSCP — Matches the packet to the DSCP tag value.

Match IP Precedence — Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs. The possible field range is 0-7.

Action — Indicates the action assigned to a packet matching the ACE. Packets are forwarded or dropped. In addition, the port can be shut down, a trap can be sent to the network administrator, or the packet can be assigned rate limiting restrictions for forwarding. The options are as follows:

-Permit — Forwards packets which meet the ACL criteria.

-Deny — Drops packets which meet the ACL criteria.

-Shutdown — Drops packets that meet the ACL criteria and disables the port on which they were received (the ingress port the ACL is bound to). Ports are reactivated from the Port Management page.


STEP 4 Define the relevant fields.

STEP 5 Click Apply. The IP Based ACL is modified, and the device is updated.

Defining ACL Binding

When an ACL is bound to an interface, all the ACE rules defined in it are applied to that interface. Whenever an ACL is bound to a port or an EtherChannel, flows arriving on that ingress interface that do not match any ACE are handled by the default rule, which drops unmatched packets. An ACL must therefore contain an explicit Permit ACE for every kind of traffic that should pass, including management traffic to the switch itself that enters on that interface; otherwise binding the ACL cuts that traffic off. To bind ACLs to an interface:
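The following is an added example, not code from the ESW 500 guide or from Cisco, that models how an IP based ACL bound to an ingress interface is evaluated: the ACE fields described on the preceding pages, the wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored), first-match in priority order, and the implicit "drop unmatched packets" rule that applies once an ACL is bound. The class and function names (Packet, Ace, wildcard_match, evaluate_acl), the assumption that a lower priority value is tested first, and the sample ACL are illustrative and not taken from the switch.

```python
"""Added example, not code from the ESW 500 guide or from Cisco: a model of
how an IP based ACL bound to an ingress interface is evaluated.  The ACE
fields, the wildcard-mask semantics, first-match by rule priority and the
implicit "drop unmatched packets" rule follow the guide; the class and
function names (Packet, Ace, evaluate_acl) and the sample ACL are
illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int                             # IP protocol number
    src_port: int = 0                         # TCP/UDP only
    dst_port: int = 0
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    priority: int                            # lower value is tested first (assumption)
    action: str                              # "permit", "deny" or "shutdown"
    protocol: Optional[int] = None           # None matches any protocol
    src: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"    # all ones: no source bit matters
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[FrozenSet[str]] = None   # every listed flag must be set


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask must match the base address; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol is not None and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src_ip, ace.src, ace.src_wildcard):
        return False
    if not wildcard_match(pkt.dst_ip, ace.dst, ace.dst_wildcard):
        return False
    if pkt.protocol in (TCP, UDP):           # port fields apply only to TCP and UDP
        if ace.src_port is not None and ace.src_port != pkt.src_port:
            return False
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            return False
    if ace.tcp_flags is not None:
        if pkt.protocol != TCP or not ace.tcp_flags <= pkt.tcp_flags:
            return False
    return True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE; a packet that matches no ACE
    falls to the default rule of a bound ACL, which drops it."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample ACL: shut down the port of one known-bad host, allow the
# 149.36.184.0/24 clients to reach a web server on TCP/443 and allow ICMP.
# Management traffic is NOT permitted here, so once bound it is dropped too.
SAMPLE_ACL = [
    Ace(priority=10, action="shutdown", src="149.36.184.66", src_wildcard="0.0.0.0"),
    Ace(priority=20, action="permit", protocol=TCP,
        src="149.36.184.0", src_wildcard="0.0.0.255",
        dst="10.0.0.5", dst_wildcard="0.0.0.0", dst_port=443),
    Ace(priority=30, action="permit", protocol=ICMP),
]

if __name__ == "__main__":
    web = Packet("149.36.184.198", "10.0.0.5", TCP, 51000, 443, frozenset({"SYN"}))
    ssh = Packet("149.36.184.198", "10.0.0.5", TCP, 51001, 22, frozenset({"SYN"}))
    print(evaluate_acl(SAMPLE_ACL, web), evaluate_acl(SAMPLE_ACL, ssh))
```

Running the block shows the two consequences a practitioner most often trips over: the SSH packet to the same server is dropped by the implicit default rule even though no ACE mentions it, and an ACE with `tcp_flags={"ACK"}` placed ahead of the others would let established flows through while still refusing inbound SYNs.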

STEP 1 Click Security > Access Control Lists (ACL) > ACL Binding. TheACL Binding Page opens:

ACL Binding Page

The ACL Binding Page contains the following fields:

Copy From Entry Number — Copies the ACL binding configuration from the specified table entry.


To Entry Number(s) — Assigns the copied ACL binding configuration to the specified table entry.

Ports/EtherChannels — Selects whether the table lists ports or EtherChannels. Each entry is an interface together with the ACL bound to it.

Interface — Indicates the interface to which the associated ACL is bound.

ACL Name — Indicates the ACL which is bound to the associated interface.

Type — Indicates the type (MAC based or IP based) of the ACL bound to the interface.

Modifying ACL Binding

STEP 1 Click Security > Access Control Lists (ACL) > ACL Binding. The ACL Binding Page opens:

STEP 2 Click the Edit button. The Edit ACL Binding Page opens:

Edit ACL Binding Page

The Edit ACL Binding Page contains the following fields:

Interface — Indicates the interface to which the ACL is bound.

Select MAC Based ACL — Indicates the MAC based ACL which is bound to the interface.

Select IP Based ACL — Indicates the IP based ACL which is bound to the interface.

STEP 3 Define the relevant fields.


STEP 4 Click Apply. The ACL binding is defined, and the device is updated.

Defining DoS Prevention

Denial of Service (DoS) prevention increases network security by discarding packets with invalid (reserved) source IP addresses and packets that match the signatures of known attack tools before they enter the network. Dropping such packets at the access layer protects the stability of the network against hosts on malicious or misconfigured networks.

The device provides a Security Suite that allows administrators to match, discard, and redirect packets based on packet header values (addresses, protocol, and ports). Matching is on headers only; the switch does not inspect payloads, so the tool-specific filters below block the default ports of those tools, not a tool that has been reconfigured to use other ports.

DoS enables network managers to:

Deny packets that contain reserved IP addresses

Prevent TCP connections from a specific interface

Discard echo requests from a specific interface

Discard IP fragmented packets from a specific interface

The DoS Prevention section contains the following pages:

DoS Global Settings

Defining Martian Addresses

DoS Global Settings

The Global Settings Page allows network managers to enable and define global DoS attack prevention parameters on the device. To open the Global Settings Page:


STEP 1 Click Security > DoS Prevention > Global Settings. The Global Settings Page opens:

Global Settings Page

The Global Settings Page contains the following fields:

Security Suite Status — Indicates if DoS security is enabled on the device. The possible field values are:

Enable — Enables DoS security.

Disable — Disables DoS security on the device. This is the default value.

Denial of Service Protection — Indicates if any of the services listed below are enabled. If the service protection is disabled, the Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan fields are disabled.

Stacheldraht Distribution — Discards TCP packets with source TCP port equal to 16660.

Invasor Trojan — Discards TCP packets with destination TCP port equal to 2140 and source TCP port equal to 1024.


Back Orifice Trojan — Discards UDP packets with destination UDP port equal to 31337 and source UDP port equal to 1024.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The DoS prevention global settings are defined, and the device is updated.

Defining Martian Addresses

Martian Address Filtering discards IP packets whose source address is invalid, that is, reserved or otherwise impossible on the configured network. Because the check is on the address fields only, it stops packets that a host has spoofed from a reserved range; networks that must never appear as a source on this switch but are not in the reserved list can be added as user-defined entries on the Add Martian Addresses Page. Martian addresses include any address within the following ranges:

0.0.0.0/8 (Except 0.0.0.0/32 as a Source Address) — Addresses in this block refer to source hosts on "this" network. The single address 0.0.0.0 is excepted because a DHCP client uses it as its source address before it holds a lease.

127.0.0.0/8 — Used as the Internet host loopback address.

192.0.2.0/24 — Used as the TEST-NET in documentation and example code.

224.0.0.0/4 (As a Source IP Address) — Used for multicast address assignments, formerly known as Class D address space. Multicast is a legitimate destination, so this range is rejected only as a source.

240.0.0.0/4 (Except 255.255.255.255/32 as a Destination Address) — Reserved address range, formerly known as Class E address space. 255.255.255.255 is the limited broadcast address and remains valid as a destination.
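The following is an added example, not code from the ESW 500 guide or from Cisco, that models the two DoS Prevention mechanisms described above: the three port-based Security Suite signatures from the Global Settings page (Stacheldraht Distribution, Invasor Trojan, Back Orifice Trojan) and Martian filtering with the reserved ranges and exceptions listed on this page plus optional user-defined ranges. The header representation (Hdr), the MartianRange helper, the function names and the two-level enable (Security Suite Status gating everything, Denial of Service Protection gating the signatures) are illustrative assumptions drawn from the field descriptions, not the switch's implementation.

```python
"""Added example, not code from the ESW 500 guide or from Cisco: a model of
the DoS Prevention checks the guide describes, i.e. the three port-based
Security Suite signatures and Martian (reserved) address filtering with
optional user-defined ranges, applied to constructed packet headers.
The header representation and function names are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Hdr:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class MartianRange:
    network: ipaddress.IPv4Network
    as_source: bool = True
    as_destination: bool = True
    except_source: Optional[ipaddress.IPv4Address] = None
    except_destination: Optional[ipaddress.IPv4Address] = None


# The reserved ranges listed on the Martian Addresses page, with the page's
# exceptions: 0.0.0.0 is a legitimate source for a DHCP client without a
# lease, multicast is a legitimate destination, and 255.255.255.255 is the
# limited-broadcast destination (used by DHCP DISCOVER, for instance).
RESERVED_MARTIANS = (
    MartianRange(ipaddress.ip_network("0.0.0.0/8"),
                 except_source=ipaddress.ip_address("0.0.0.0")),
    MartianRange(ipaddress.ip_network("127.0.0.0/8")),
    MartianRange(ipaddress.ip_network("192.0.2.0/24")),
    MartianRange(ipaddress.ip_network("224.0.0.0/4"), as_destination=False),
    MartianRange(ipaddress.ip_network("240.0.0.0/4"),
                 except_destination=ipaddress.ip_address("255.255.255.255")),
)

# Security Suite signatures from the Global Settings page:
# (name, protocol, required source port or None, required destination port or None)
SIGNATURES = (
    ("Stacheldraht Distribution", TCP, 16660, None),
    ("Invasor Trojan", TCP, 1024, 2140),
    ("Back Orifice Trojan", UDP, 1024, 31337),
)


def signature_hit(h: Hdr) -> Optional[str]:
    for name, proto, sport, dport in SIGNATURES:
        if h.protocol != proto:
            continue
        if sport is not None and h.src_port != sport:
            continue
        if dport is not None and h.dst_port != dport:
            continue
        return name
    return None


def martian_hit(h: Hdr, include_reserved: bool = True,
                user_ranges: Iterable[str] = ()) -> Optional[str]:
    src, dst = ipaddress.ip_address(h.src_ip), ipaddress.ip_address(h.dst_ip)
    ranges = list(RESERVED_MARTIANS) if include_reserved else []
    # user-defined entries (IP address + mask/prefix on the Add page) carry no exceptions
    ranges += [MartianRange(ipaddress.ip_network(n)) for n in user_ranges]
    for r in ranges:
        if r.as_source and src in r.network and src != r.except_source:
            return f"martian source {src} in {r.network}"
        if r.as_destination and dst in r.network and dst != r.except_destination:
            return f"martian destination {dst} in {r.network}"
    return None


def dos_prevention(h: Hdr, suite_enabled: bool = True, dos_protection: bool = True,
                   include_reserved: bool = True,
                   user_ranges: Iterable[str] = ()) -> Tuple[str, Optional[str]]:
    """Return ("forward", None) or ("discard", reason).  Security Suite Status
    gates everything; Denial of Service Protection gates the three signatures."""
    if not suite_enabled:
        return "forward", None
    if dos_protection:
        sig = signature_hit(h)
        if sig is not None:
            return "discard", sig
    reason = martian_hit(h, include_reserved, user_ranges)
    if reason is not None:
        return "discard", reason
    return "forward", None


if __name__ == "__main__":
    for h in (Hdr("10.0.0.1", "10.0.0.2", TCP, 16660, 80),
              Hdr("0.0.0.0", "255.255.255.255", UDP, 68, 67),
              Hdr("127.0.0.1", "10.0.0.2", TCP, 40000, 80)):
        print(h.src_ip, "->", h.dst_ip, dos_prevention(h))
```

The DHCP DISCOVER header (source 0.0.0.0, destination 255.255.255.255) is the case to watch: it is forwarded only because of the two exceptions the page lists, and a user-defined entry covering 0.0.0.0/8 without that exception would break DHCP on every port the filter applies to.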

To define Martian Addresses:


STEP 1 Click Security > DoS Prevention > Martian Addresses. The Martian Addresses Page opens:

Martian Addresses Page

The Martian Addresses Page contains the following fields:

Include Reserved Martian Addresses — Indicates that packets arriving from Martian addresses are dropped. Enabled is the default value. When enabled, the following IP addresses are included:

-0.0.0.0/8 (except 0.0.0.0/32), 127.0.0.0/8

-192.0.2.0/24 , 224.0.0.0/4

-240.0.0.0/4 ( except 255.255.255.255/32)

IP Address — Displays the user-defined Martian IP addresses, that is, source addresses whose packets are discarded.

Mask — Displays the mask that, together with the IP address, defines the Martian address range.

Delete — To remove a Martian address, click the entry’s checkbox and click the delete button.

STEP 2 Click the Add button. The Add Martian Addresses Page opens:


Add Martian Addresses Page

The Add Martian Addresses Page contains the following fields:

IP Address — Enter the Martian IP address whose packets are to be discarded. The possible values are:

-One of the addresses in the Martian IP address list.

-New IP Address — Enter an IP address that is not on the list.

Mask — Enter the network mask that, together with the IP address, defines the Martian address range.

Prefix Length — Defines the prefix length of the Martian address range, as an alternative to entering a mask.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The martian addresses are added, and the device is updated.

Defining DHCP Snooping

DHCP Snooping enables network administrators to differentiate between trusted interfaces, which connect to the DHCP servers (or to uplinks toward them), and untrusted interfaces, which connect to DHCP clients.

DHCP Snooping filters untrusted messages: DHCP server messages (offers and acknowledgements) received on an untrusted interface are dropped, so a rogue DHCP server on an access port cannot hand out addresses. DHCP Snooping also creates and maintains a DHCP Snooping Table (the binding database) from the DHCP exchanges it observes on untrusted interfaces. An interface should be untrusted when it receives packets from outside the network or from beyond the network firewall; trusted interfaces receive packets only from within the network or from the network firewall.


The DHCP Snooping Table contains the untrusted interfaces MAC address, IP address, Lease Time, VLAN ID, and interface information.

The DHCP Snooping section contains the following topics:

Defining DHCP Snooping Properties

Defining DHCP Snooping on VLANs

Defining Trusted Interfaces

Binding Addresses to the DHCP Snooping Database

Defining IP Source Guard

Defining DHCP Snooping Properties

The DHCP Snooping Properties Page contains parameters for enabling DHCP Snooping on the device. To define the DHCP Snooping general properties:


STEP 1 Click Security > DHCP Snooping > Properties. The DHCP Snooping Properties Page opens:

DHCP Snooping Properties Page

The DHCP Snooping Properties Page contains the following fields:

Enable DHCP Snooping — Indicates if DHCP Snooping is enabled on the device. The possible field values are:

-Checked — Enables DHCP Snooping on the device.

-Unchecked — Disables DHCP Snooping on the device. This is the default value.

Option 82 Passthrough — Indicates if the device forwards or rejects packets that include Option 82 (relay agent information), while DHCP Snooping is enabled. Option 82 is inserted by DHCP relay agents, so a client on an access port should not normally send packets that already carry it.

-Checked — Device forwards packets containing Option 82 information.

-Unchecked — Device rejects packets containing Option 82 information.

Verify MAC Address — Indicates if the MAC address is verified. The possible field values are:


-Checked — Verifies (on an untrusted port) that the source MAC address of the Layer 2 header matches the client hardware address (chaddr) as it appears in the DHCP header, which is part of the payload. A mismatch indicates a client spoofing another host's DHCP identity, and the packet is dropped.

-Unchecked — Disables verifying that the source MAC address of the Layer 2 header matches the client hardware address as it appears in the DHCP header. This is the default value.

Backup Database — Indicates if the DHCP Snooping Database is saved to the binding storage file, so that learned bindings survive a restart. All changes to the binding storage file are written only if the device's system clock is synchronized with the SNTP server. The possible field values are:

-Checked — Enables backing up of the allotted IP addresses in the DHCP Snooping Database.

-Unchecked — Disables backing up of the allotted IP addresses in the DHCP Snooping Database. This is the default value.

Database Update Interval — Indicates how often the DHCP Snooping Database is backed up. The possible field range is 600 – 86400 seconds. The field default is 1200 seconds.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The DHCP Snooping configuration is defined and the device is updated.

Defining DHCP Snooping on VLANs

The DHCP Snooping VLAN Settings Page allows network managers to enable DHCP snooping on VLANs. To enable DHCP Snooping on a VLAN, ensure DHCP Snooping is enabled on the device.

To define DHCP Snooping on VLANs:


STEP 1 Click Security > DHCP Snooping > VLAN Settings. The DHCP Snooping VLAN Settings Page opens:

DHCP Snooping VLAN Settings Page

The DHCP Snooping VLAN Settings Page contains the following fields:

VLAN ID — Indicates the VLAN to be added to the Enabled VLAN list.

Enabled VLANs — Contains a list of VLANs for which DHCP Snooping is enabled.

STEP 2 Select the VLAN from the VLAN ID list and click Add. The VLAN then appears in the Enabled VLANs list.

Defining Trusted Interfaces

The Trusted Interfaces Page allows network managers to define trusted interfaces. DHCP server replies are accepted only from trusted interfaces, and client DHCP requests are forwarded toward them. Every interface that leads to a legitimate DHCP server or relay must therefore be trusted, and every client-facing port should be left untrusted; trusting a client port re-opens the path for a rogue DHCP server.

To define trusted interfaces:


STEP 1 Click Security > DHCP Snooping > Trusted Interfaces. The Trusted Interfaces Page opens:

Trusted Interfaces Page

The Trusted Interfaces Page contains the following fields:

Ports — Displays the ports which can be defined as trusted.

EtherChannels — Displays the EtherChannels which can be defined as trusted.

Trusted Interface Table

Interface — Contains a list of existing interfaces.

Trust — Indicates whether the interface is a Trusted interface.

STEP 2 From the global Interface field, select either Ports or EtherChannels radio button.

STEP 3 In the table, select an interface and click Edit. The Edit Trusted Interface Page opens.


Edit Trusted Interface Page

The Edit Trusted Interface Page contains the following field:

Interface — Contains a list of existing interfaces.

Trust Status — Indicates whether the interface is a Trusted Interface.

-Enable — Interface is in trusted mode.

-Disable — Interface is in untrusted mode.

STEP 4 Define the fields.

STEP 5 Click Apply. The Trusted Interfaces configuration is defined and the device is updated.

Binding Addresses to the DHCP Snooping Database

The Binding Database Page contains parameters for querying and adding IP addresses to the DHCP Snooping Database. To bind addresses to the DHCP Snooping database:


STEP 1 Click Security > DHCP Snooping > Binding Database. The Binding Database Page opens:

Binding Database Page

STEP 2 Define any of the following fields as a query filter:

Query By

MAC Address — Indicates the MAC addresses recorded in the DHCP Database. The Database can be queried by MAC address.

IP Address — Indicates the IP addresses recorded in the DHCP Database. The Database can be queried by IP address.

VLAN — Indicates the VLANs recorded in the DHCP Database. The Database can be queried by VLAN.

Interface — Contains a list of interface by which the DHCP Database can be queried. The possible field values are:

-Ports — Queries the DHCP Snooping database by a port number.


-EtherChannel — Queries the DHCP Snooping database by EtherChannel number.

STEP 3 Click Query. The results appear in the Query Results table.

Query Results

The Query Results table contains the following fields:

MAC Address — Indicates the MAC address found during the query.

VLAN ID — Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database.

IP Address — Indicates the IP address found during the query.

Interface — Indicates the specific interface connected to the address found during the query.

Type — Displays the IP address binding type. The possible field values are:

-Static — Indicates the IP address is static.

-Dynamic — Indicates the IP address is defined as a dynamic address in the DHCP database.

-Learned — Indicates the IP address is dynamically defined by the DHCP server. (This field appears as a read-only field in the table.)

Lease Time — Displays the lease time. The Lease Time defines the amount of time the DHCP Snooping entry is active. Addresses whose lease times have expired are deleted from the database. The possible values are 10 – 4294967295 seconds. In the Add DHCP Snooping Entry Page, select Infinite if the DHCP Snooping entry never expires.

STEP 4 Click Add. The Add DHCP Snooping Entry Page opens.


Add DHCP Snooping Entry Page

The window displays the following fields:

Type — Displays the IP address binding type. The possible field values are:

-Static — Indicates the IP address is static.

-Dynamic — Indicates the IP address is defined as a dynamic address in the DHCP database.

VLAN ID — Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database.

IP Address — Defines the IP address to bind.

Interface — Defines the interface to which the bound address belongs.

Lease Time — Defines the lease time, or Infinite for an entry that never expires.

STEP 5 Define the fields.

STEP 6 Click Apply. The bound address is added to the DHCP Snooping database and the device is updated.

STEP 7 Click Delete to delete the data from the Query Results Table.

STEP 8 To remove dynamic addresses from the Query Results table, click Clear Dynamic.
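The following is an added example, not code from the ESW 500 guide or from Cisco, that models the DHCP Snooping behaviour described across the preceding pages: the trusted/untrusted interface distinction, the Option 82 Passthrough and Verify MAC Address properties, the per-VLAN enable, and a binding database with dynamic entries learned from the DHCP exchange, static entries added by hand, and lease-time expiry. The DhcpMsg representation, the use of a pending REQUEST to tie a server ACK to the client's port, the decision to apply the Option 82 check on untrusted interfaces, and all function names are illustrative assumptions about how such a filter is structured, not the switch's internal design.

```python
"""Added example, not code from the ESW 500 guide or from Cisco: a model of
the DHCP Snooping behaviour the guide describes: trusted versus untrusted
interfaces, the Option 82 Passthrough and Verify MAC Address settings, the
per-VLAN enable, and a binding database with lease-time expiry and static
entries.  The DhcpMsg representation, the use of a pending REQUEST to tie a
server ACK to the client's port, applying the Option 82 check on untrusted
ports, and the function names are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str            # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    ingress: str             # interface the message arrived on
    vlan: int
    l2_src_mac: str          # Ethernet source address
    chaddr: str              # client hardware address in the DHCP header
    yiaddr: str = ""         # address assigned (server messages)
    lease: int = 0           # lease time in seconds (ACK)
    option82: bool = False   # relay agent information option present


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    expires_at: float        # absolute time; inf for static entries
    btype: str = "dynamic"


@dataclass
class DhcpSnooping:
    enabled: bool = True
    option82_passthrough: bool = False
    verify_mac: bool = True
    snooped_vlans: Set[int] = field(default_factory=set)
    trusted: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)   # (mac, vlan) -> client port

    def process(self, m: DhcpMsg, now: float) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) and update the binding table."""
        self.expire(now)
        if not self.enabled or m.vlan not in self.snooped_vlans:
            return "forward", "snooping not active on this VLAN"
        key = (m.chaddr.lower(), m.vlan)
        if m.ingress in self.trusted:
            # Server replies are accepted only here; an ACK creates the binding
            # on the port where the client's REQUEST was seen.
            if m.msg_type == "ACK" and m.yiaddr and key in self.pending:
                port = self.pending.pop(key)
                self.bindings[key] = Binding(key[0], m.yiaddr, m.vlan, port, now + m.lease)
            return "forward", "trusted interface"
        if m.msg_type in SERVER_MESSAGES:
            return "drop", f"{m.msg_type} from untrusted interface {m.ingress}"
        if m.option82 and not self.option82_passthrough:
            return "drop", "Option 82 present and passthrough disabled"
        if self.verify_mac and m.l2_src_mac.lower() != key[0]:
            return "drop", "Ethernet source MAC does not match DHCP chaddr"
        if m.msg_type == "REQUEST":
            self.pending[key] = m.ingress
        elif m.msg_type == "RELEASE":
            b = self.bindings.get(key)
            # only the port that owns a dynamic binding may release it
            if b is not None and (b.btype != "dynamic" or b.interface != m.ingress):
                return "drop", "RELEASE from a port that does not own the binding"
            self.bindings.pop(key, None)
        return "forward", "client message"

    def add_static(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        self.bindings[(mac.lower(), vlan)] = Binding(mac.lower(), ip, vlan, interface,
                                                     float("inf"), "static")

    def expire(self, now: float) -> None:
        for key in [k for k, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[key]

    def lookup(self, mac: str, vlan: int) -> Optional[Binding]:
        return self.bindings.get((mac.lower(), vlan))


if __name__ == "__main__":
    s = DhcpSnooping(snooped_vlans={10}, trusted={"e24"})
    mac = "00:11:22:33:44:55"
    print(s.process(DhcpMsg("OFFER", "e1", 10, "de:ad:be:ef:00:01", mac, "10.0.0.99"), 0))  # rogue server
    s.process(DhcpMsg("REQUEST", "e1", 10, mac, mac), 1)
    s.process(DhcpMsg("ACK", "e24", 10, "00:00:5e:00:53:01", mac, "10.0.0.50", 3600), 2)
    print(s.lookup(mac, 10))
```

The scenario in the main block is the one DHCP Snooping exists for: the OFFER from a server on access port e1 is dropped, while the legitimate server behind trusted port e24 produces a binding (MAC, 10.0.0.50, VLAN 10, e1) that the IP Source Guard and ARP Inspection features on the following pages consume. Note that without Verify MAC Address a client can send a REQUEST with someone else's chaddr and have the resulting binding attributed to its own port.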


Defining IP Source Guard

IP Source Guard is a security feature that restricts client IP traffic on an interface to the source IP addresses recorded for it in the DHCP Snooping Binding Database and in manually configured IP source bindings. For example, IP Source Guard prevents the traffic attacks that occur when a host spoofs the IP address of its neighbor.

DHCP snooping must be enabled on the device’s untrusted interfaces and on the relevant VLAN, in order to activate the IP source guard feature.

IP Source Guard must be enabled globally in the IP Source Guard Properties Page before it can be enabled on the device interfaces.

IP Source Guard uses Ternary Content Addressable Memory (TCAM) resources, requiring use of 1 TCAM rule per 1 IP Source Guard address entry. If the number of IP Source Guard entries exceeds the number of available TCAM rules, new IP source guard addresses remain inactive.

IP Source Guard cannot be configured on routed ports.

If IP Source Guard and MAC address filtering are enabled on a port, Port Security cannot be activated on the same port.

If a port is trusted, filtering of static IP addresses can be configured, although IP Source Guard is not active in that condition.

If a port’s status changes from untrusted to trusted, the static IP address filtering entries remain but become inactive.

The IP Source Guard section contains the following topics:

Configuring IP Source Guard Properties

Defining IP Source Guard Interface Settings

Querying the IP Source Binding Database

Configuring IP Source Guard Properties

The IP Source Guard Properties Page allows network managers to enable the use of IP Source Guard on the device. IP Source Guard must be enabled for the device before it can be enabled on individual ports or EtherChannels. To enable IP Source Guard:


STEP 1 Click Security > DHCP Snooping > IP Source Guard > Properties. The IP Source Guard Properties Page opens:

IP Source Guard Properties Page

The IP Source Guard Properties Page contains the following fields:

IP Source Guard Status — Enables or disables IP Source Guard on the device.

-Enable — Indicates that IP Source Guard is enabled for the device.

-Disable — Indicates that IP Source Guard is disabled for the device.

STEP 2 Enable or Disable use of IP Source Guard on the device.

STEP 3 Click Apply. The IP Source Guard configuration is modified, and the device is updated.


Defining IP Source Guard Interface Settings

In the IP Source Guard Interface Settings Page, IP Source Guard can be enabled on DHCP Snooping untrusted interfaces, permitting the transmission of DHCP packets allowed by DHCP Snooping. If source IP address filtering is enabled, packet transmission is permitted as follows:

IPv4 traffic — Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.

Non IPv4 traffic — All non-IPv4 traffic is permitted, so IP Source Guard provides no protection against spoofed IPv6 or other non-IP traffic.

NOTE: IP Source Guard must be enabled globally in the IP Source Guard Properties Page before it can be enabled on the device interfaces.

If a port is trusted, filtering of static IP addresses can be configured, although IP Source Guard is not active in that condition.

If a port’s status changes from untrusted to trusted, the static IP address filtering entries remain but become inactive.


STEP 1 Click Security > DHCP Snooping > IP Source Guard > Interface Settings. The IP Source Guard Interface Settings Page opens:

IP Source Guard Interface Settings Page

The IP Source Guard Interface Settings Page contains the following radio buttons and fields:

Ports — Displays the port on which the IP source guard is enabled.

EtherChannels — Displays the EtherChannels on which the IP source guard is enabled.

Interface — Indicates the port’s or EtherChannel’s number.

Status — Indicates if IP Source Guard is enabled or disabled.

-Enable — Indicates that IP Source Guard is enabled on the interface.

-Disable — Indicates that IP Source Guard is disabled on the interface. This is the default value.

STEP 2 Click Edit. The Edit Interface Settings Page opens:


Edit Interface Settings Page

STEP 3 Define the fields.

STEP 4 Click Apply. The new IP Source Guard Interface configuration is added, and the device is updated.

Querying the IP Source Binding Database

The IP Source Guard Binding Database Page enables network managers to query and view the addresses recorded in the IP Source Guard binding database, including whether each entry is active or inactive and, if inactive, why. To query the IP Source Guard Database:


STEP 1 Click Security > DHCP Snooping > IP Source Guard > Binding Database. The IP Source Guard Binding Database Page opens:

IP Source Guard Binding Database Page

The IP Source Guard Binding Database Page contains the following fields:

TCAM Resources

Insert Inactive — The IP Source Guard Database uses the TCAM resources for managing the database. If TCAM resources are not available, IP source guard addresses may become inactive. The switch can try to activate inactive addresses in various time intervals:

-Retry Frequency — Try to activate inactive addresses at a specified interval. The possible values are 10 - 600 seconds.

-Never — Never try to activate inactive addresses.

-Retry Now — Try to activate inactive addresses immediately.


Query By

STEP 2 In the Query By section, select and define the preferred filter for searching the IP Source Guard Database:

MAC Address — Queries the database by MAC address.

IP Address — Queries the database by IP address.

VLAN — Queries the database by VLAN ID.

Interface — Queries the database by interface number. The possible field values are:

-Port — Queries the database by a specific port number.

-EtherChannel — Queries the database by EtherChannel number.

STEP 3 Click Query. The results appear in the Query Results table.

Query Results

The Query Results table contains the following fields:

Interface — Displays the interface number.

Status — Displays whether the binding is installed in the TCAM and enforced. The possible field values are:

-Active — Indicates the binding is installed and traffic from the bound address is permitted.

-Inactive — Indicates the binding is not installed; the Reason field shows why.

IP Address — Indicates the bound IP address.

VLAN — Indicates the VLAN of the binding.

MAC Address — Displays the bound MAC address.

Type — Displays the IP address type. The possible field values are:

-Dynamic — Indicates the IP address is dynamically created.

-Static — Indicates the IP address is a static IP address.

-Learned — Indicates the IP address is dynamically defined by the DHCP server. (This field appears as a read-only field in the table.)

Reason — Displays the reason an IP source address is inactive. The possible field options are:

-No Problem — Indicates the IP address is active.


-VLAN — Indicates that DHCP Snooping is not enabled on the VLAN.

-Trusted Port — Indicates the port is a trusted port.

-Resource Problem — Indicates that the TCAM is full.

STEP 4 Define the relevant fields. Click Apply and the device is updated.
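The following is an added example, not code from the ESW 500 guide or from Cisco, that models how IP Source Guard arrives at the Status and Reason columns of the query results above (one TCAM rule per entry, DHCP Snooping required on the VLAN, trusted ports excluded) and then applies the filtering rule from the Interface Settings page: on an untrusted interface with IP Source Guard enabled, only IPv4 packets whose source address is actively bound to that interface pass, and all non-IPv4 traffic is permitted. The class and function names, the Entry representation, and the assumption that entries compete for TCAM space in the order given are illustrative and not the switch's implementation.

```python
"""Added example, not code from the ESW 500 guide or from Cisco: a model of
how IP Source Guard derives the Status and Reason columns of the Binding
Database query results (one TCAM rule per entry, DHCP Snooping required on
the VLAN, trusted ports excluded) and then filters traffic on an untrusted
interface.  Class and function names, and the order in which entries compete
for TCAM space, are illustrative assumptions."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Entry:
    interface: str
    vlan: int
    mac: str
    ip: str
    etype: str = "dynamic"   # dynamic, static or learned


@dataclass
class IpSourceGuard:
    globally_enabled: bool
    enabled_interfaces: Set[str]
    snooped_vlans: Set[int]        # VLANs with DHCP Snooping enabled
    trusted_interfaces: Set[str]   # DHCP Snooping trusted ports
    tcam_capacity: int             # TCAM rules available to IP Source Guard

    def classify(self, entries: List[Entry]) -> List[Tuple[Entry, str, str]]:
        """Return (entry, status, reason) for each binding, in the order given.
        Reasons are those shown on the page: No Problem, VLAN, Trusted Port,
        Resource Problem.  Entries that cannot be installed stay Inactive."""
        result, used = [], 0
        for e in entries:
            if e.vlan not in self.snooped_vlans:
                result.append((e, "Inactive", "VLAN"))
            elif e.interface in self.trusted_interfaces:
                result.append((e, "Inactive", "Trusted Port"))
            elif used >= self.tcam_capacity:
                result.append((e, "Inactive", "Resource Problem"))
            else:
                used += 1
                result.append((e, "Active", "No Problem"))
        return result

    def permits(self, entries: List[Entry], interface: str, vlan: int,
                is_ipv4: bool, src_ip: str) -> bool:
        """Decide whether a packet received on `interface` may be forwarded."""
        if (not self.globally_enabled or interface not in self.enabled_interfaces
                or interface in self.trusted_interfaces):
            return True                       # IP Source Guard not active here
        if not is_ipv4:
            return True                       # all non-IPv4 traffic is permitted
        active = {(e.interface, e.vlan, e.ip)
                  for e, status, _ in self.classify(entries) if status == "Active"}
        return (interface, vlan, src_ip) in active


# Constructed bindings: three clients on VLAN 10, one on a trusted uplink,
# one on a VLAN without DHCP Snooping; the TCAM holds only two entries.
SAMPLE_ENTRIES = [
    Entry("e1", 10, "00:11:22:33:44:01", "10.0.0.11"),
    Entry("e2", 10, "00:11:22:33:44:02", "10.0.0.12"),
    Entry("e3", 10, "00:11:22:33:44:03", "10.0.0.13"),
    Entry("e24", 10, "00:11:22:33:44:04", "10.0.0.14"),
    Entry("e1", 20, "00:11:22:33:44:05", "10.0.20.11", "static"),
]

if __name__ == "__main__":
    isg = IpSourceGuard(True, {"e1", "e2", "e3"}, {10}, {"e24"}, tcam_capacity=2)
    for e, status, reason in isg.classify(SAMPLE_ENTRIES):
        print(f"{e.interface:>4} vlan {e.vlan} {e.ip:<11} {status:<8} {reason}")
    # A host on e1 spoofing its neighbour's address is dropped:
    print(isg.permits(SAMPLE_ENTRIES, "e1", 10, True, "10.0.0.12"))
```

The entry for e3 is the operational caveat from the introduction to this feature: when the TCAM is full its binding stays Inactive with Reason "Resource Problem", and because IP Source Guard drops everything on an untrusted port that is not actively bound, that legitimate host loses connectivity until an entry is freed and the inactive address is retried (Retry Frequency or Retry Now), as the second half of the test shows.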

Defining Dynamic ARP Inspection

Address Resolution Protocol (ARP) is the TCP/IP protocol for translating IP addresses into MAC addresses. Classic ARP does the following:

Permits two hosts on the same network to communicate and send packets.

Permits two hosts on different networks to communicate via a gateway (each host resolves the MAC address of its gateway).

Permits routers to send packets to a different router on the same network (by resolving the next-hop router's MAC address).

Permits routers to send packets to a destination host on a directly attached network.

Because ARP carries no authentication, any host can answer for any IP address. Dynamic ARP Inspection intercepts, discards, and logs ARP packets that contain invalid IP-to-MAC address bindings. This prevents the man-in-the-middle attacks (ARP spoofing or ARP poisoning) in which forged ARP packets are injected into the subnet to redirect traffic through the attacker. Packets are classified as:

Trusted — Indicates that the packet arrived on a trusted interface, whose IP and MAC addresses are recognized and recorded in the ARP Inspection List. Trusted packets are forwarded without ARP Inspection.

Untrusted — Indicates that the packet arrived from an interface that does not have recognized IP and MAC addresses. The packet is checked for:

-Source MAC — Compares the packet’s source MAC address in the Ethernet header against the sender’s MAC address in the ARP request. This check is performed on both ARP requests and responses.

-Destination MAC — Compares the packet’s destination MAC address in the Ethernet header against the destination interface’s MAC address. This check is performed for ARP responses.

-IP Addresses — Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses.


If the packet’s IP address was not found in the ARP Inspection List, and DHCP snooping is enabled for a VLAN, a search of the DHCP Snooping Database is performed. If the IP address is found, the packet is valid and is forwarded.

NOTE ARP inspection is performed only on untrusted interfaces.
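The following is an added example, not code from the ESW 500 guide or from Cisco, that models the Dynamic ARP Inspection checks just described: trusted interfaces are not inspected; with ARP Inspection Validate enabled, the Ethernet source MAC is compared with the ARP sender MAC on requests and replies, the Ethernet destination MAC with the ARP target MAC on replies, and the ARP body is checked for 0.0.0.0, 255.255.255.255 and multicast addresses; then the sender IP-to-MAC pair is looked up in the ARP Inspection List and, when DHCP Snooping is enabled on the VLAN, in the DHCP Snooping bindings. Drops are logged no more often than the Log Buffer Interval from the Properties page. The ArpFrame representation, the choice to check the target IP only on replies, and the function names are illustrative assumptions, not the switch's implementation.

```python
"""Added example, not code from the ESW 500 guide or from Cisco: a model of
the Dynamic ARP Inspection checks the guide lists, the ARP Inspection List
and DHCP Snooping binding lookups, and the rate-limited logging of dropped
packets.  The ArpFrame representation, checking the target IP only on
replies, and the function names are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    ingress: str
    vlan: int
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    op: int             # 1 = request, 2 = reply
    sender_mac: str     # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def bogus_ip(ip: str) -> bool:
    """Addresses the page names as invalid in an ARP body."""
    a = ipaddress.ip_address(ip)
    return (a in (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))
            or a.is_multicast)


@dataclass
class ArpInspection:
    enabled: bool = True
    validate: bool = True
    trusted: Set[str] = field(default_factory=set)
    inspection_list: Set[Tuple[str, str]] = field(default_factory=set)     # static (ip, mac)
    snooped_vlans: Set[int] = field(default_factory=set)
    dhcp_bindings: Set[Tuple[int, str, str]] = field(default_factory=set)  # (vlan, ip, mac)
    log_interval: float = 5.0       # Log Buffer Interval in seconds
    log: List[str] = field(default_factory=list)
    last_log_at: float = float("-inf")

    def inspect(self, f: ArpFrame, now: float) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for an ARP frame received on f.ingress."""
        if not self.enabled or f.ingress in self.trusted:
            return "forward", "not inspected"
        reason = self.invalid_reason(f)
        if reason is None:
            return "forward", "valid binding"
        if now - self.last_log_at >= self.log_interval:   # rate-limited syslog
            self.log.append(f"{now}: DAI dropped ARP on {f.ingress} vlan {f.vlan}: "
                            f"{reason} ({f.sender_ip} is-at {f.sender_mac})")
            self.last_log_at = now
        return "drop", reason

    def invalid_reason(self, f: ArpFrame) -> Optional[str]:
        sender_mac = f.sender_mac.lower()
        if self.validate:
            if f.eth_src.lower() != sender_mac:
                return "Ethernet source MAC differs from ARP sender MAC"
            if f.op == REPLY and f.eth_dst.lower() != f.target_mac.lower():
                return "Ethernet destination MAC differs from ARP target MAC"
            if bogus_ip(f.sender_ip) or (f.op == REPLY and bogus_ip(f.target_ip)):
                return "invalid IP address in ARP body"
        if (f.sender_ip, sender_mac) in self.inspection_list:
            return None
        if f.vlan in self.snooped_vlans and (f.vlan, f.sender_ip, sender_mac) in self.dhcp_bindings:
            return None
        return "sender IP-to-MAC binding not found"


if __name__ == "__main__":
    dai = ArpInspection(trusted={"e24"},
                        inspection_list={("10.0.0.1", "00:00:5e:00:53:01")},     # gateway, static
                        snooped_vlans={10},
                        dhcp_bindings={(10, "10.0.0.50", "00:11:22:33:44:55")})  # from DHCP Snooping
    # An attacker on e2 claims to be the gateway 10.0.0.1 (ARP poisoning):
    spoof = ArpFrame("e2", 10, "de:ad:be:ef:00:01", "00:11:22:33:44:55", REPLY,
                     "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.50")
    print(dai.inspect(spoof, 0.0))
    print(dai.log)
```

Two practical points fall out of the model. The gateway is not a DHCP client, so its address never appears in the DHCP Snooping bindings; unless it sits behind a trusted port, it needs a static entry in the ARP Inspection List or its legitimate replies are dropped. And with Validate enabled, an ARP probe with sender IP 0.0.0.0 (used for duplicate-address detection) is rejected as an invalid IP, which is worth knowing when clients report address conflicts after the feature is turned on.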

The ARP Inspection section contains the following topics:

Defining ARP Inspection Properties

Defining ARP Inspection Trusted Interfaces

Defining ARP Inspection List

Assigning ARP Inspection VLAN Settings

Defining ARP Inspection Properties

The ARP Inspection Properties Page provides parameters for enabling and setting global Dynamic ARP Inspection parameters, as well as defining ARP Inspection Log parameters.

To define ARP Inspection properties:


STEP 1 Click Security > ARP Inspection > Properties. The ARP Inspection Properties Page opens:

ARP Inspection Properties Page

The ARP Inspection Properties Page contains the following fields:

Enable ARP Inspection — Enables ARP Inspection on the device. The possible field values are:

-Checked — Enables ARP Inspection on the device.

-Unchecked — Disables ARP Inspection on the device. This is the default value.

ARP Inspection Validate — Enables ARP Inspection Validation on the device. The possible field values are:

-Checked — Enables ARP Inspection Validation on the device. Source MAC, Destination MAC, and IP addresses are checked in ARP requests and responses.

-Unchecked — Disables ARP Inspection Validation on the device. This is the default value.


Log Buffer Interval — Defines the minimal interval between successive Syslog messages. The possible field values are:

-Retry Frequency — Frequency at which the log is updated. The possible range is 0-86400 seconds. 0 seconds specifies immediate transmission of Syslog messages. The default value is 5 seconds.

-Never — Log is never updated.

STEP 2 Define the fields.

STEP 3 Click Apply. The ARP Inspection settings are modified, and the device is updated.

Defining ARP Inspection Trusted Interfaces

The ARP Inspection Trusted Interfaces Page allows network managers to define trusted and untrusted interfaces. These settings are independent of the trusted interface settings defined for DHCP snooping. ARP Inspection is performed only on untrusted interfaces.

To define trusted interfaces:


STEP 1 Click Security > ARP Inspection > Trusted Interfaces. The ARP Inspection Trusted Interfaces Page opens:

ARP Inspection Trusted Interfaces Page

The ARP Inspection Trusted Interfaces Page contains the following fields:

Ports — Specifies the Port on which ARP Inspection Trust mode can be enabled.

EtherChannels — Specifies the EtherChannel for which the Trusted Interface settings are displayed.

Interface — Displays the interface on which edits can be made.

Trust — Enables or disables ARP Inspection Trust mode on the interface. The possible field values are:

-Enable — Indicates the port or EtherChannel is a trusted interface, and ARP inspection is not performed on the ARP requests/replies sent to/ from the interface.

-Disable — Indicates the port or EtherChannel is not a trusted interface, and ARP inspection is performed on the ARP requests/replies sent to/ from the interface. This is the default value.


STEP 2 Click Edit. The Edit Interface Settings Page opens:

Edit Interface Settings Page

STEP 3 Define the fields.

STEP 4 Click Apply. The Trusted Interface’s configuration is modified, and the device is updated.

Defining ARP Inspection List

The ARP Inspection List Page provides information for creating static ARP Binding Lists. ARP Binding Lists contain the List Name, IP address and MAC address which are validated against ARP requests and replies.

To add an ARP Inspection List entry:


STEP 1 Click Security > ARP Inspection > ARP Inspection List. The ARP Inspection List Page opens:

ARP Inspection List Page

The ARP Inspection List Page contains the following fields:

ARP Inspection List Name — Pull-down list of the names of the defined Inspection Lists.

Delete and Add Buttons — Delete or Add user-defined ARP Inspection Lists.

Static ARP Inspection Table

IP Address — Specifies IP address included in ARP Binding Lists which is checked against ARP requests and replies.

MAC Address — Specifies MAC address included in ARP Binding Lists which is checked against ARP requests and replies.

NOTE The Binding list cannot be added until an ARP list is added.

STEP 2 Click Add under ARP Inspection List Name. The Add ARP List Page opens:


Add ARP list Page

STEP 3 Define the fields and click Apply. The new ARP Inspection List is added and the device is updated.

Adding a Binding List entry

STEP 1 Select an ARP Inspection List Name from the drop-down list.

STEP 2 Click Add under Static ARP Table. The Add ARP Binding Page opens:

Add ARP Binding Page

STEP 3 Define the fields.

STEP 4 Click Apply. The ARP Binding entry is added, and the device is updated.


Assigning ARP Inspection VLAN Settings

The ARP Inspection VLAN Settings Page contains fields for enabling ARP Inspection on VLANs. In the Enabled VLAN table, users assign static ARP Inspection Lists to enabled VLANs. When a packet passes through an untrusted interface which is enabled for ARP Inspection, the device performs the following checks in order:

Determines if the packet’s IP address and MAC address exist in the static ARP Inspection list. If the addresses match, the packet passes through the interface.

If the device does not find a matching IP address, but DHCP Snooping is enabled on the VLAN, the device checks the DHCP Snooping database for a matching IP address-VLAN entry. If the entry exists in the DHCP Snooping database, the packet passes through the interface.

If the packet’s IP address is not listed in the ARP Inspection List or the DHCP Snooping database, the device rejects the packet.
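The checks described in this section (the Source MAC, Destination MAC and IP Addresses validation at the start of the section, then the static ARP Inspection List lookup followed by the DHCP Snooping database lookup, in the order listed above), as an added Python example. This is not part of this guide or the ESW 500 firmware: the packets, port names, VLAN and bindings are constructed, and where the guide leaves a detail open (which MAC the "destination interface's MAC" is compared to, whether the target IP is checked on requests, whether the snooping lookup also compares the bound MAC) the code states its assumption in a comment.

```python
"""DAI decision logic following this chapter's checks. Added example, not ESW 500
firmware; the packets, port names, VLAN and bindings below are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Set, Tuple

@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    opcode: int        # 1 = ARP request, 2 = ARP reply
    sender_mac: str    # ARP body: sender hardware address
    sender_ip: str     # ARP body: sender protocol address
    target_mac: str    # ARP body: target hardware address
    target_ip: str     # ARP body: target protocol address

@dataclass
class DaiConfig:
    enabled: bool = True
    validate: bool = False                          # "ARP Inspection Validate" checkbox
    trusted: Set[str] = field(default_factory=set)  # Trusted Interfaces page
    vlan_lists: Dict[int, Dict[str, str]] = field(default_factory=dict)     # VLAN -> {IP: MAC}
    dhcp_snooping_vlans: Set[int] = field(default_factory=set)
    snooping_db: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (IP, VLAN) -> MAC

def is_invalid_ip(ip: str) -> bool:
    """'IP Addresses' check: 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

def validate_addresses(pkt: ArpPacket) -> Optional[str]:
    """The optional Validate checks; returns a failure reason or None."""
    # Source MAC: Ethernet source against ARP sender MAC, on requests and replies.
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "source MAC mismatch"
    # Destination MAC, replies only. The guide says "destination interface's MAC";
    # this example reads that as the ARP target hardware address (assumption).
    if pkt.opcode == 2 and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "destination MAC mismatch"
    # Body IPs. Checking the target IP only on replies is an assumption: a request
    # legitimately carries the IP it is asking about.
    if is_invalid_ip(pkt.sender_ip) or (pkt.opcode == 2 and is_invalid_ip(pkt.target_ip)):
        return "invalid IP address in ARP body"
    return None

def lookup_binding(pkt: ArpPacket, cfg: DaiConfig) -> Optional[str]:
    """Binding checks in the guide's order: static list first, then DHCP snooping."""
    if cfg.vlan_lists[pkt.vlan].get(pkt.sender_ip, "").lower() == pkt.sender_mac.lower():
        return "static ARP Inspection List"
    if pkt.vlan in cfg.dhcp_snooping_vlans:
        # The guide phrases this as an IP address-VLAN match; comparing the MAC
        # recorded in the binding as well is this example's choice.
        bound = cfg.snooping_db.get((pkt.sender_ip, pkt.vlan), "")
        if bound.lower() == pkt.sender_mac.lower():
            return "DHCP Snooping database"
    return None

def inspect(pkt: ArpPacket, cfg: DaiConfig) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one ARP packet."""
    if not cfg.enabled or pkt.ingress_port in cfg.trusted:
        return "forward", "not inspected (disabled or trusted interface)"
    if pkt.vlan not in cfg.vlan_lists:
        return "forward", "ARP Inspection not enabled on VLAN"
    if cfg.validate:
        failure = validate_addresses(pkt)
        if failure:
            return "drop", failure
    source = lookup_binding(pkt, cfg)
    return ("forward", f"binding found in {source}") if source else ("drop", "no matching binding")

CFG = DaiConfig(validate=True, trusted={"gi1/1"},                       # gi1/1: uplink to DHCP server
                vlan_lists={10: {"192.0.2.10": "00:11:22:33:44:55"}},  # static binding on VLAN 10
                dhcp_snooping_vlans={10},
                snooping_db={("192.0.2.20", 10): "00:11:22:33:44:66"})

# Constructed traffic arriving on untrusted access port gi1/5 in VLAN 10.
GOOD_REQUEST = ArpPacket("gi1/5", 10, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", 1,
                         "00:11:22:33:44:55", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")
SNOOPED_REPLY = ArpPacket("gi1/5", 10, "00:11:22:33:44:66", "00:11:22:33:44:55", 2,
                          "00:11:22:33:44:66", "192.0.2.20", "00:11:22:33:44:55", "192.0.2.10")
UNBOUND_REPLY = ArpPacket("gi1/5", 10, "00:11:22:33:44:77", "00:11:22:33:44:55", 2,   # claims gateway IP
                          "00:11:22:33:44:77", "192.0.2.1", "00:11:22:33:44:55", "192.0.2.10")
MISMATCHED = ArpPacket("gi1/5", 10, "00:11:22:33:44:88", "ff:ff:ff:ff:ff:ff", 1,      # eth src != sender
                       "00:11:22:33:44:55", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")

if __name__ == "__main__":
    for pkt in (GOOD_REQUEST, SNOOPED_REPLY, UNBOUND_REPLY, MISMATCHED):
        print(pkt.sender_ip, pkt.sender_mac, *inspect(pkt, CFG))
```

The two dropped packets show the two different reasons a defender sees in practice: a reply that is internally consistent but has no binding for the IP it claims, and a frame whose Ethernet source and ARP sender MAC disagree, which only the optional Validate checks catch.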

NOTE To define ARP Inspection on VLANs, ARP Inspection List(s) must be defined before continuing.

In the following example, the List Name field on the Add VLAN Settings page is empty. If you added lists in the steps above, the field is populated with those entries.

To define ARP Inspection on VLANs:


STEP 1 Click Security > ARP Inspection > VLAN Settings. The ARP Inspection VLAN Settings Page opens:

ARP Inspection VLAN Settings Page

The ARP Inspection VLAN Settings Page contains the following fields:

VLAN ID — A user-defined VLAN ID to add to the Enabled VLANs list.

List Name — Contains a list of VLANs in which ARP Inspection is enabled.

Enabled VLAN Table

VLAN ID— Indicates the VLAN which is bound to the ARP Inspection List.

List Name — Displays names of static ARP Inspection Lists that were assigned to VLANs. These lists are defined in the ARP Inspection List Page.

STEP 2 Enter a VLAN ID from the VLAN ID list and click Add. This VLAN ID then appears in the list. The Add ARP VLAN Settings Page opens:


Add ARP VLAN Settings Page

The Add ARP VLAN Settings Page contains the following fields:

VLAN ID — Select the VLAN which includes the specified ARP Inspection List.

List Name — Select a static ARP Inspection List to assign to the VLAN. These lists are defined in the ARP Inspection List Page.

STEP 3 Define the fields.

STEP 4 Click Apply. The new ARP VLAN configuration is defined, and the device is updated.


Configuring Ports

Port Settings

The Port Settings Page contains fields for defining port parameters. To define port settings:

STEP 1 Click VLAN & Port Settings > Port Management > Port Settings. The Port Settings Page opens:

Port Settings Page

The Port Settings Page contains the following fields:

Copy From Entry Number — Copies the port configuration from the specified table entry.

To Entry Number(s) — Assigns the copied port configuration to the specified table entry.

Interface — Displays the port number.


Port Type — Displays the port type. The possible field values are:

-100M — Copper

-1000M — Copper (copper cable).

-1000M — ComboC (combo port with copper cable 3).

-1000M — ComboF (combo port with optic fiber cable).

-1000M FiberOptics — Indicates the port has a fiber optic port connection.

Port Status — Displays the port connection status. The possible field values are:

-Up — Port is connected.

-Down — Port is disconnected.

Port Speed — Displays the current port speed.

Duplex Mode — Displays the port duplex mode. This field is configurable only when auto negotiation is disabled, and the port speed is set to 10M or 100M. This field cannot be configured on EtherChannels. The possible field values are:

-Full — Indicates that the interface supports transmission between the device and the client in both directions simultaneously.

-Half — Indicates that the interface supports transmission between the device and the client in only one direction at a time.

PVE — Indicates that this port is protected by an uplink, so that the forwarding decisions are overwritten by those of the port that protects it.

EtherChannel — Defines if the port is part of a Link Aggregation Group (EtherChannel).

STEP 2 To copy the settings from one interface to another, enter the specific interface numbers in the Copy From Entry Number and To Entry Number(s) fields.

STEP 3 Click Apply. The Port Settings are defined, and the device is updated.


Modifying Port Settings

STEP 1 Click VLAN & Port Settings > Port Management > Port Settings. The Port Settings Page opens:

STEP 2 Click a specific entry’s Edit button. The Edit Port Page opens:

Edit Port Page

The Edit Port Page contains the following fields:

Port — Displays the port number.

Description — Use this field to optionally define a name for the port.

Port Type — Displays the port type. The possible field values are:


-100M — Copper

-1000M — Copper (copper cable).

-1000M — ComboC (combo port with copper cable 3).

-1000M — ComboF (combo port with optic fiber cable).

-1000M FiberOptics — Indicates the port has a fiber optic port connection.

Admin Status — Indicates whether the port is currently operational or nonoperational. The possible field values are:

-Up — Indicates the port is currently operating.

-Down — Indicates the port is currently not operating.

Current Port Status — Displays the port connection status.

Reactivate Suspended Port — Reactivates a port if the port has been disabled through the locked port security option or through Access Control List configurations.

Operational Status — Indicates whether the port is currently active or inactive.

Admin Speed — Displays the configured rate for the port. The port type determines what speed setting options are available. You can designate Admin Speed only when the port auto-negotiation is disabled.

Current Port Speed — Displays the current port speed.

Admin Duplex — Defines the port duplex mode. This field is configurable only when auto negotiation is disabled, and the port speed is set to 10M or 100M. This field cannot be configured on EtherChannels. The possible field values are:

-Full — Indicates that the interface supports transmission between the device and the client in both directions simultaneously.

-Half — Indicates that the interface supports transmission between the device and the client in only one direction at a time.

Current Duplex Mode — Displays the port current duplex mode.

Auto Negotiation — Enables or Disables Auto Negotiation on the port. Auto Negotiation enables a port to advertise its transmission rate, duplex mode and flow control abilities to its partner.

Current Auto Negotiation — Displays the Auto Negotiation status on the port.


Admin Advertisement — Specifies the capabilities to be advertised by the Port. The possible field values are:

-Max Capability — Indicates that all port speeds and Duplex mode settings can be accepted.

-10 Half — Indicates that the port is advertising a 10 mbps speed and half Duplex mode setting.

-10 Full — Indicates that the port is advertising a 10 mbps speed and full Duplex mode setting.

-100 Half — Indicates that the port is advertising a 100 mbps speed and half Duplex mode setting.

-100 Full — Indicates that the port is advertising a 100 mbps speed and full Duplex mode setting.

-1000 Full — Indicates that the port is advertising a 1000 mbps speed and full Duplex mode setting.

Current Advertisement — The port advertises its capabilities to its neighbor port to start the negotiation process. The possible field values are those specified in the Admin Advertisement field.

Neighbor Advertisement — Displays the capabilities that the neighbor port (the port to which the selected interface is connected) advertises to the port to start the negotiation process. The possible values are those specified in the Admin Advertisement field.

Admin Back Pressure — Enables Back Pressure mode on the port. Back Pressure mode is used with Half Duplex mode to disable ports from receiving messages. The Back Pressure mode is configured for ports currently in the Half Duplex mode.

Current Back Pressure — Displays the Back Pressure mode on the port.

Admin Flow Control — Enables or disables flow control or enables the auto negotiation of flow control on the port. Select from Enable, Disable, Auto-Negotiation.

Current Flow Control — Displays the current Flow Control setting. Select from Enable, Disable, Auto-Negotiation.

Admin MDI/MDIX — Displays the Media Dependent Interface (MDI)/Media Dependent Interface with Crossover (MDIX) status on the port. Hubs and switches are deliberately wired opposite the way end stations are wired, so that when a hub or switch is connected to an end station, a straight-through Ethernet cable can be used, and the pairs are matched up properly. When two hubs or switches are connected to each other, or two end stations are connected to each other, a crossover cable is used to ensure that the correct pairs are connected. The possible field values are:

-MDIX — Use for hubs and switches.

-Auto — Use to automatically detect the cable type.

-MDI — Use for end stations.

Current MDI/MDIX — Displays the current MDI/MDIX setting.

EtherChannel — Defines if the port is part of a Link Aggregation Group (EtherChannel).

PVE — Indicates that this port is protected by an uplink, so that the forwarding decisions are overwritten by those of the port that protects it.

STEP 3 Make the appropriate selections and click Apply. The device is updated.


Configuring VLANs

VLANs are logical subgroups within a Local Area Network (LAN) which combine user stations and network devices into a single unit, regardless of the physical LAN segment to which they are attached. VLANs allow network traffic to flow more efficiently within subgroups. VLANs use software to reduce the amount of time it takes for network changes, additions, and moves to be implemented.

VLANs have no minimum number of ports, and can be created per unit, per device, or through any other logical connection combination, since they are software-based and not defined by physical attributes.

VLANs function at Layer 2. Since VLANs isolate traffic within the VLAN, a Layer 3 router working at a protocol level is required to allow traffic flow between VLANs. Layer 3 routers identify segments and coordinate with VLANs. VLANs are Broadcast and Multicast domains. Broadcast and Multicast traffic is transmitted only in the VLAN in which the traffic is generated.

VLAN tagging provides a method of transferring VLAN information between VLAN groups. VLAN tagging attaches a 4-byte tag to packet headers. The VLAN tag indicates to which VLAN the packets belong. VLAN tags are attached to the packets by either the end station or the network device. VLAN tags also contain VLAN network priority information.

Combining VLANs and Generic Attribute Registration Protocol (GARP) allows network managers to define network nodes into Broadcast domains.

This section contains the following topics:

Defining VLAN Properties

Defining VLAN Membership

Assigning Ports to Multiple VLANs

Defining Interface Settings

Defining GVRP Settings

Defining Protocol Groups

Defining a Protocol Port


Defining VLAN Properties

The VLAN Properties Page provides information and global parameters for configuring and working with VLANs.

To define VLAN properties:

STEP 1 Click VLAN & Port Settings > VLAN Management > Properties. The VLAN Properties Page opens.

VLAN Properties Page

The VLAN Properties Page contains the following fields:

VLAN ID — Displays the VLAN ID.

VLAN Name — Displays the user-defined VLAN name.

Type — Displays the VLAN type. The possible field values are:

-Dynamic — Indicates the VLAN was dynamically created through GVRP.

-Static — Indicates the VLAN is user-defined.

-Default — Indicates the VLAN is the default VLAN.


Authentication — Indicates whether unauthorized users can access a Guest VLAN. The possible field values are:

-Enable — Enables unauthorized users to use the Guest VLAN.

-Disable — Disables unauthorized users from using the Guest VLAN.

STEP 2 Click the Add button. The Add VLAN Range Page opens:

Add VLAN Range Page

The Add VLAN Range Page allows network administrators to define and configure new VLANs, and contains the following fields:

VLAN — Specifies that a specific VLAN is to be defined. The possible field values are:

-VLAN ID — Defines the VLAN ID.

-VLAN Name — Defines a VLAN name.

Range — Specifies that a range of VLAN IDs is to be defined. The possible field values are:

-VLAN Range — Defines the lower and upper bounds of the VLAN range.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The VLAN Settings are defined, and the device is updated.


Modifying VLANs

STEP 1 Click VLAN & Port Settings > VLAN Management > Properties. The VLAN Properties Page opens.

STEP 2 Click Edit. The Edit VLAN Page opens:

Edit VLAN Page

The Edit VLAN Page contains information for enabling VLAN guest authentication, and includes the following fields:

VLAN ID — Displays the VLAN ID.

VLAN Name — Defines the VLAN name.

Disable Authentication — Indicates whether unauthorized users can access a Guest VLAN. The possible field values are:

-Checked — Enables unauthorized users to use the Guest VLAN.

-Unchecked — Disables unauthorized users from using the Guest VLAN.

Port List — Available ports on the device. Select ports from this list to include in the VLAN.

VLAN Members — Ports included in the VLAN.


STEP 3 Define the relevant fields.

STEP 4 In the Port List, select the ports to include in the VLAN and click the adjacent right arrow. The selected ports then appear in the VLAN Members list.

STEP 5 Click Apply. The VLAN Settings are defined, and the device is updated.

Defining VLAN Membership

The Port to VLAN Page contains a table that maps VLAN parameters to ports. Ports are assigned VLAN membership by toggling through the Port Control settings.

STEP 1 Click VLAN & Port Settings > VLAN Management > Port to VLAN. The Port to VLAN Page opens:

Port to VLAN Page

The Port to VLAN Page contains the following fields:

VLAN ID — Selects the VLAN ID.


VLAN Name — Displays the VLAN name.

VLAN Type — Indicates the VLAN type. The possible field values are:

-Dynamic — Indicates the VLAN was dynamically created through GVRP.

-Static — Indicates the VLAN is user-defined.

-Default — Indicates the VLAN is the default VLAN.

Ports — Indicates that ports are described in the page.

EtherChannels — Indicates that EtherChannels are described in the page.

Interface — Displays the interface configuration being displayed.

Interface Status — Indicates the interface’s membership status in the VLAN. The possible field values are:

-Untagged — Indicates the interface is an untagged VLAN member. Packets forwarded by the interface are untagged.

-Tagged — Indicates the interface is a tagged member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information.

-Exclude — Excludes the interface from the VLAN. However, the interface can be added to the VLAN through GARP.

-Forbidden — Denies the interface VLAN membership, even if GARP indicates the port is to be added.

STEP 2 Select a VLAN ID from the drop-down list and then edit the ports.

Modifying VLAN Membership

STEP 3 Click VLAN & Port Settings > VLAN Management > Port to VLAN. The Port to VLAN Page opens:

STEP 4 Click the Edit button. The Edit Interface Status Page opens:


Edit Interface Status Page

The Edit Interface Status Page contains the following fields:

VLAN ID — Displays the VLAN ID.

VLAN Name — Displays the VLAN name.

Interface — Defines the port or EtherChannel attached to the VLAN.

Interface Status — Defines the current interface’s membership status in the VLAN. The possible field values are:

-Untagged — Indicates the interface is an untagged VLAN member. Packets forwarded by the interface are untagged.

-Tagged — Indicates the interface is a tagged member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information.

-Exclude — Excludes the interface from the VLAN. However, the interface can be added to the VLAN through GARP.

-Forbidden — Denies the interface VLAN membership, even if GARP indicates the port is to be added.

Type — Indicates the VLAN type. Dynamic indicates the VLAN was dynamically created through GARP; Static indicates the VLAN is user-defined.

STEP 5 Define the relevant fields.

STEP 6 Click Apply. VLAN Membership is modified, and the device is updated.


Assigning Ports to Multiple VLANs

Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs. Then assign ports on the other VLAN-aware network devices along the path that will carry this traffic to the same VLAN(s), either manually or dynamically using GVRP. However, if you want a port on this switch to participate in one or more VLANs, but none of the intermediate network devices nor the host at the other end of the connection supports VLANs, then you should add this port to the VLAN as an untagged port.

Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging.

The VLAN To Port Page contains fields for configuring VLANs to ports. It allows the network administrator to assign a single port to multiple VLANs.

To add VLAN membership to a port:


STEP 1 Click VLAN & Port Settings > VLAN Management > VLAN to Port. The VLAN To Port Page opens:

VLAN To Port Page

The VLAN To Port Page contains the following fields:

Ports — Indicates that ports are described in the page.

EtherChannels — Indicates that EtherChannels are described in the page.

Port — Displays the port number.

Mode — Indicates the port mode. The possible values are:

-General — Indicates the port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full IEEE 802.1Q mode).

-Access — Indicates a port belongs to a single untagged VLAN.

-Trunk — Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged.

-Customer — The port belongs to a VLAN in which all ports are untagged.


Join VLAN — Defines the VLANs to which the interface is joined. Pressing the Join VLAN button displays the Join VLAN to Port Page.

Select the VLAN to which to add the port, select the VLANs to be tagged or untagged and click >>. To remove the VLAN allocation to the port, select the VLAN already assigned to the port and click <<.

VLANs — Specifies the VLAN in which the port is a member.

EtherChannel — If the port is a member of an EtherChannel, the EtherChannel number is displayed. A member of an EtherChannel cannot be configured to a VLAN, but that same EtherChannel can be configured to a VLAN.

STEP 2 In the VLAN To Port table, click Join VLAN in the relevant port entry. The Join VLAN To Port Page opens.

Join VLAN To Port Page

STEP 3 Define the selected VLAN as Tagged or Untagged.

STEP 4 From the left list, select the relevant VLAN and click >>. The selected VLAN then appears in the right list. Up to 20 VLANs at a single time may be joined to the port.

STEP 5 Click Apply. VLAN to Port setting is defined, and the device is updated.


Defining Interface Settings

The VLAN Interface Setting Page provides parameters for managing ports that are part of a VLAN. The port default VLAN ID (PVID) is configured on the VLAN Port Settings page. All untagged packets arriving at the device are tagged with the port’s PVID.

STEP 1 Click VLAN & Port Settings > VLAN Management > Interface Settings. The VLAN Interface Settings Page opens:

VLAN Interface Setting Page

The VLAN Interface Setting Page contains the following fields:

Copy From Entry Number — Copies VLAN configuration from the specified table entry.

To Entry Number(s) — Assigns the copied VLAN configuration to the specified table entry.

Ports — Indicates that ports are described in the page.

EtherChannels — Indicates that EtherChannels are described in the page.


Interface — The port number included in the VLAN.

Interface VLAN Mode — Indicates the port mode. Possible values are:

-General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).

-Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port (packet type) cannot be designated. It is also not possible to enable/ disable ingress filtering on an access port.

-Trunk — The port belongs to VLANs in which all ports are tagged (except for an optional single native VLAN).

-Customer — The port belongs to VLANs. In Customer mode, the added tag provides a VLAN ID to each customer, ensuring private and segregated network traffic.

PVID — Assigns a VLAN ID to untagged packets. The possible values are 1 to 4095. Packets classified to the Discard VLAN are dropped.

Frame Type — Packet type accepted on the port. Possible values are:

-Admit Tag Only — Indicates that only tagged packets are accepted on the port.

-Admit All — Indicates that both tagged and untagged packets are accepted on the port.

Ingress Filtering — Ingress filtering discards packets classified to a VLAN of which the ingress port is not a member. The possible values are:

-Enable — Ingress filtering is activated on the port.

-Disable — Ingress filtering is not activated on the port.
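The 4-byte VLAN tag described in the introduction to this chapter, and the ingress settings listed above (Interface VLAN Mode, PVID, Frame Type and Ingress Filtering), as an added Python example. It is not part of this guide or the ESW 500 firmware: it parses and builds 802.1Q-tagged frames, classifies an arriving frame to a VLAN or drops it, and derives egress tagging from the mode descriptions. The frames and port settings are constructed; the Discard VLAN ID of 4095 and the treatment of tagged frames on an Access port are assumptions marked in the comments.

```python
"""802.1Q tagging and the VLAN Interface Settings fields of this chapter, modelled
in Python. Added example, not ESW 500 firmware; frames and ports are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100   # EtherType announcing a 4-byte 802.1Q tag
DISCARD_VLAN = 4095   # assumption: the "Discard VLAN" named in the PVID field

@dataclass
class VlanTag:
    pcp: int   # 3-bit priority (the "VLAN network priority information")
    dei: int   # 1-bit drop-eligible indicator
    vid: int   # 12-bit VLAN ID

def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[VlanTag], int, bytes]:
    """Split an Ethernet frame into (dst, src, tag or None, EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = VlanTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    return dst, src, tag, ethertype, frame[offset:]

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tag: Optional[VlanTag] = None) -> bytes:
    """Inverse of parse_frame: the tag sits between the source MAC and the EtherType."""
    if tag is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (tag.pcp << 13) | (tag.dei << 12) | (tag.vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

@dataclass
class PortVlanSettings:
    mode: str                                   # General, Access, Trunk or Customer
    pvid: int = 1
    frame_type: str = "Admit All"               # or "Admit Tag Only"
    ingress_filtering: bool = True
    members: Set[int] = field(default_factory=lambda: {1})   # VLANs the port belongs to
    tagged: Set[int] = field(default_factory=set)            # General mode: VLANs sent tagged

def classify_ingress(frame: bytes, port: PortVlanSettings) -> Tuple[Optional[int], str]:
    """Decide which VLAN an arriving frame is classified to, or why it is dropped."""
    tag = parse_frame(frame)[2]
    # No tag, or a priority tag with VID 0, counts as untagged and takes the PVID.
    untagged = tag is None or tag.vid == 0
    if port.mode == "Access":
        # One untagged VLAN; Frame Type and Ingress Filtering are not configurable.
        # Dropping tagged frames on an Access port is this example's assumption.
        if untagged:
            return port.pvid, "untagged, classified to PVID"
        return None, "tagged frame on Access port"
    if untagged and port.frame_type == "Admit Tag Only":
        return None, "untagged frame rejected by Admit Tag Only"
    vid = port.pvid if untagged else tag.vid
    if vid == DISCARD_VLAN:
        return None, "classified to Discard VLAN"
    if port.ingress_filtering and vid not in port.members:
        return None, f"ingress filtering: port is not a member of VLAN {vid}"
    return vid, ("untagged, classified to PVID" if untagged else "tagged, classified to tag VID")

def egress_is_tagged(vid: int, port: PortVlanSettings) -> bool:
    """Whether a frame in VLAN vid leaves the port tagged, per the mode descriptions."""
    if port.mode in ("Access", "Customer"):
        return False                 # all VLANs untagged
    if port.mode == "Trunk":
        return vid != port.pvid      # everything tagged except the native VLAN
    return vid in port.tagged        # General: per-VLAN Tagged/Untagged status

# Constructed sample frames (ARP EtherType, dummy body) and port settings.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
UNTAGGED_ARP = build_frame(DST, SRC, 0x0806, b"\x00" * 28)
TAGGED_V20 = build_frame(DST, SRC, 0x0806, b"\x00" * 28, VlanTag(pcp=5, dei=0, vid=20))
TAGGED_V30 = build_frame(DST, SRC, 0x0806, b"\x00" * 28, VlanTag(pcp=0, dei=0, vid=30))
ACCESS_PORT = PortVlanSettings("Access", pvid=10, members={10})
TRUNK_PORT = PortVlanSettings("Trunk", pvid=1, members={1, 20})
GENERAL_STRICT = PortVlanSettings("General", pvid=1, frame_type="Admit Tag Only",
                                  members={20, 30}, tagged={30})

if __name__ == "__main__":
    for label, frame, port in (("untagged/access", UNTAGGED_ARP, ACCESS_PORT),
                               ("vid20/trunk", TAGGED_V20, TRUNK_PORT),
                               ("vid30/trunk", TAGGED_V30, TRUNK_PORT),
                               ("untagged/general", UNTAGGED_ARP, GENERAL_STRICT)):
        print(label, classify_ingress(frame, port))
```

The trunk example shows what Ingress Filtering buys a defender: a frame tagged for VLAN 30 arriving on a port that is only a member of VLANs 1 and 20 is dropped rather than injected into a VLAN the port was never assigned to.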

Modifying VLAN Interface Settings

STEP 2 Click VLAN & Port Settings > VLAN Management > Interface Settings. The VLAN Interface Settings Page opens:

STEP 3 Click the Edit button. The Edit VLAN Port Page opens:


Edit VLAN Port Page

The Edit VLAN Port Page contains the following fields:

Interface — The port or EtherChannel associated with this VLAN interface configuration.

VLAN Mode — Indicates the port mode. Possible values are:

-General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).

-Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port (packet type) cannot be designated. It is also not possible to enable/ disable ingress filtering on an access port.

-Trunk — The port belongs to VLANs in which all ports are tagged (except for an optional single native VLAN).

-Customer — The port belongs to VLANs. In Customer mode, the added tag provides a VLAN ID to each customer, ensuring private and segregated network traffic.

PVID — Assigns a VLAN ID to untagged packets. The possible values are 1 to 4095. Packets classified to the Discard VLAN are dropped.

Frame Type — Packet type accepted on the port. Possible values are:

-Admit Tag Only — Indicates that only tagged packets are accepted on the port.

-Admit All — Indicates that both tagged and untagged packets are accepted on the port.


Ingress Filtering — Ingress filtering discards packets classified to a VLAN of which the ingress port is not a member. The possible values are:

-Enable — Ingress filtering is activated on the port.

-Disable — Ingress filtering is not activated on the port.

STEP 4 Define the relevant fields.

STEP 5 Click Apply. The VLAN Interface settings are modified, and the device is updated.

Defining GVRP Settings

GARP VLAN Registration Protocol (GVRP) is specifically provided for automatic distribution of VLAN membership information among VLAN-aware bridges. GVRP allows VLAN-aware bridges to automatically learn the mapping of VLANs to bridge ports, without having to individually configure each bridge and register VLAN membership.

The Global System EtherChannel information displays the same field information as the ports, but represents the EtherChannel GVRP information.

To define GVRP:


STEP 1 Click VLAN & Port Settings > VLAN Management > GVRP Settings. The GVRP Settings Page opens:

GVRP Settings Page

The GVRP Settings Page contains the following fields:

GVRP Global Status — Indicates if GVRP is enabled on the device. The possible field values are:

-Enable — Enables GVRP on the device.

-Disable — Disables GVRP on the device.

Copy From Entry Number — Copies GVRP parameters from the specified table entry.

To Entry Number(s) — Assigns the copied GVRP parameters to the specified table entry.

Ports — Indicates that ports are described on the page.

EtherChannels — Indicates that EtherChannels are described on the page.

Interface — Interface described by the GVRP settings entry.


GVRP State — Indicates if GVRP is enabled on the interface. The possible field values are:

-Enabled — Enables GVRP on the selected interface.

-Disabled — Disables GVRP on the selected interface.

Dynamic VLAN Creation — Indicates if Dynamic VLAN creation is enabled on the interface. The possible field values are:

-Enabled — Enables Dynamic VLAN creation on the interface.

-Disabled — Disables Dynamic VLAN creation on the interface.

GVRP Registration — Indicates if VLAN registration through GVRP is enabled on the device. The possible field values are:

-Enabled — Enables GVRP registration on the device.

-Disabled — Disables GVRP registration on the device.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The GVRP Settings are defined, and the device is updated.

Modifying GVRP Settings

STEP 1 Click VLAN & Port Settings > VLAN Management > GVRP Settings. The GVRP Settings Page opens:

STEP 2 Click theEdit button. TheEdit GVRP Page opens:

Edit GVRP Page

The Edit GVRP Page contains the following fields:

Interface — Port or EtherChannel described by the GVRP settings entry.

GVRP State — Indicates if GVRP is enabled on the interface. The possible field values are:

-Enable — Enables GVRP on the selected interface.

-Disable — Disables GVRP on the selected interface.

Dynamic VLAN Creation — Indicates if Dynamic VLAN creation is enabled on the interface. The possible field values are:

-Enable — Enables Dynamic VLAN creation on the interface.

-Disable — Disables Dynamic VLAN creation on the interface.

GVRP Registration — Indicates if VLAN registration through GVRP is enabled on the device. The possible field values are:

-Enable — Enables GVRP registration on the device.

-Disable — Disables GVRP registration on the device.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. GVRP settings are modified, and the device is updated.

Defining Protocol Groups

The Protocol Group Page contains information describing the protocol names and the VLAN Ethernet type. Interfaces can be classified as protocol-based interfaces for a specific protocol.

STEP 1 Click VLAN & Port Settings > VLAN Management > Protocol Group. The Protocol Group Page opens:

Protocol Group Page

The Protocol Group Page contains the following fields:

Frame Type — Displays the packet type.

Protocol Value — Displays the user-defined protocol name.

Group ID (Hex) — Defines the Protocol group ID to which the interface is added. The range is 1-2147483647.

STEP 2 Click the Add Button. The Add Protocol Group Page opens:

Add Protocol Group Page

The Add Protocol Group Page provides information for configuring new VLAN protocol groups. The Add Protocol Group Page contains the following fields.

Frame Type — Displays the packet type.

Protocol Value — Defines the user-defined protocol value. The options are as follows:

-Protocol Value — The possible values are IP, IPX, or ARP.

-Ethernet-Based Protocol Value — Specify the value in hexadecimal format.

Group ID — Defines the Protocol group ID to which the interface is added. The possible value range is 1-2147483647 in hexadecimal format.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The Protocol Group is added, and the device is updated.

Modifying Protocol Groups

The Edit Protocol Group Page provides information for configuring existing VLAN protocol groups.

STEP 1 Click VLAN & Port Settings > VLAN Management > Protocol Group. The Protocol Group Page opens:

STEP 2 Click the Edit Button. The Edit Protocol Group Page opens:

Edit Protocol Group Page

The Edit Protocol Group Page contains the following fields.

Frame Type — Displays the packet type.

Protocol Value — Displays the user-defined protocol value.

Group ID (Hex) — Defines the Protocol group ID to which the interface is added. The possible value range is 1-2147483647 in hexadecimal format.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The Protocol group is modified, and the device is updated.

Defining a Protocol Port

The Protocol Port Page adds interfaces to Protocol groups.

To define the protocol port:

STEP 1 Click VLAN & Port Settings > VLAN Management > Protocol Port. The Protocol Port Page opens:

Protocol Port Page

The Protocol Port Page contains the following fields.

Interface — Port or EtherChannel number added to a protocol group.

Protocol Group ID — Protocol group ID to which the interface is added. Protocol group IDs are defined in the Protocol Group Table.

VLAN ID — Attaches the interface to a user-defined VLAN ID. Protocol ports can be attached either to a VLAN ID or to a VLAN name.

STEP 2 Click the Add Button. The Add Protocol Port to VLAN Page opens:

The Add Protocol Port to VLAN Page provides parameters for adding protocol port configurations.

Add Protocol Port to VLAN Page

The Add Protocol Port to VLAN Page contains the following fields.

Interface — Port or EtherChannel number added to a protocol group.

Group ID — Protocol group ID to which the interface is added. Protocol group IDs are defined in the Protocol Group Table.

VLAN ID — Attaches the interface to a user-defined VLAN ID.

VLAN Name — Attaches the interface to a user-defined VLAN Name.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The protocol ports are mapped to VLANs, and the device is updated.
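As an added illustration of the protocol-based VLAN classification that the Protocol Group and Protocol Port pages configure (this is example code, not the guide's or the switch firmware's), the following Python model reads a frame's EtherType, maps it to a Protocol Group ID and then, per interface, to a VLAN ID; it also distinguishes the Ethernet II and 802.3/SNAP frame types behind the Frame Type field. The group IDs, interface name "e1" and VLAN numbers are constructed sample values.

```python
import struct

# Constructed sample configuration mirroring the Protocol Group and
# Protocol Port pages. Group IDs, interface name and VLAN numbers are
# made-up values, not taken from the guide.
PROTOCOL_GROUPS = {   # protocol value (EtherType) -> Group ID
    0x0800: 0x1,      # IP
    0x0806: 0x2,      # ARP
    0x8137: 0x3,      # IPX
}
PROTOCOL_PORTS = {    # (interface, Group ID) -> VLAN ID
    ("e1", 0x1): 10,
    ("e1", 0x2): 10,
    ("e1", 0x3): 20,
}
PORT_PVID = {"e1": 1}  # fallback VLAN when no protocol group matches


def frame_protocol(frame: bytes):
    """Return (frame type, protocol value) for an untagged frame.
    Ethernet II carries the EtherType at offset 12; an IEEE 802.3 frame
    carries a length there and the EtherType, if any, sits in a SNAP
    header after the LLC bytes AA AA 03."""
    if len(frame) < 14:
        return None, None
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return "Ethernet II", type_or_len
    if len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03":
        return "SNAP", struct.unpack("!H", frame[20:22])[0]
    return "802.3 LLC", None


def classify_vlan(interface: str, frame: bytes) -> int:
    """Protocol-based VLAN assignment: EtherType -> Group ID -> VLAN ID,
    falling back to the port's default VLAN when nothing matches. The
    classification key is a field written by the sender of the frame."""
    _, proto = frame_protocol(frame)
    group = PROTOCOL_GROUPS.get(proto)
    if group is None:
        return PORT_PVID[interface]
    return PROTOCOL_PORTS.get((interface, group), PORT_PVID[interface])


def sample_frame(ethertype: int, snap: bool = False) -> bytes:
    """Constructed test frame with dummy MAC addresses."""
    macs = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if snap:
        body = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", ethertype)
        return macs + struct.pack("!H", len(body)) + body
    return macs + struct.pack("!H", ethertype) + b"\x00" * 46
```

Because the VLAN is chosen from a value the sending station controls, protocol-based membership is a convenience for segregating traffic types, not a trust boundary between VLANs.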

Configuring IP Information

The IP address and default gateway can be either dynamically or statically configured. In Layer 2, a static IP address is configured on the IPv4 Interface Page. The Management VLAN is set to VLAN 1 by default, but can be modified.

This section provides information for defining device IP addresses, and includes the following topics:

IP Addressing

Defining DHCP Relay

Defining DHCP Relay Interfaces

ARP

Domain Name System

IP Addressing

The IPv4 Interface Page contains fields for assigning IPv4 addresses. Packets destined for a remote network are forwarded to the default gateway. The configured default gateway address must belong to the same IP subnet as one of the device's IP interfaces.

STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > IPv4 Interface. The IPv4 Interface Page opens:

IPv4 Interface Page

The IPv4 Interface Page contains the following fields:

Get Dynamic IP from DHCP Server — Retrieves the IP addresses using DHCP.

Static IP Address — Permanent IP addresses are defined by the administrator. IP addresses are either configured on the Default VLAN or are user-defined.

Management VLAN — Sets the management VLAN. The switch uses this VLAN to watch for management packets from Telnet and web browser management sessions. Management VLAN is set to 1 or 100 by default.

IP Address — The currently configured IP address.

Network Mask — Displays the currently configured IP address mask.

Prefix Length — Specifies the prefix length. The range is 5-128 (64 when the EUI-64 parameter is used).

User Defined Default Gateway — Manually defined default gateway IP address.

Active Default Gateway — Active default gateway’s IP Address.

Remove User Defined — Removes the selected IP address from the interface. The possible field values are:

-Checked — Removes the IP address from the interface.

-Unchecked — Maintains the IP address assigned to the Interface.

STEP 2 Define the relevant fields.

STEP 3 Click Apply. The IP information is defined, and the device is updated.

Defining DHCP Relay

The DHCP Server Page enables users to establish a DHCP configuration with multiple DHCP servers to ensure redundancy.

The device relays DHCP requests to the configured DHCP servers when the server address parameter is not 0.0.0.0. DHCP requests are relayed only if their secs field is greater than or equal to the threshold value, which gives local DHCP servers the chance to respond first.

To define the DHCP Relay configuration:

STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > DHCP Relay > DHCP Server. The DHCP Server Page opens:

DHCP Server Page

The DHCP Server Page contains the following fields:

DHCP Relay — Enables or disables DHCP Relay on the device. The possible values are:

-Enable — Enables DHCP Relay on the device.

-Disable — Disables DHCP Relay on the device.

Option 82 — Indicates if Option 82 is enabled for DHCP. The possible values are:

-Enable — Enables Option 82 for DHCP.

-Disable — Disables Option 82 for DHCP.

DHCP Server — Displays the IP address of the DHCP server.

STEP 2 Click the Add button. The Add DHCP Server Page opens:

Add DHCP Server Page

The Add DHCP Server Page contains the following field:

DHCP Server IP Address — Defines the IP address assigned to the DHCP server.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The DHCP Server is defined, and the device is updated.
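The relay rule and the Option 82 setting described above, as an added Python model that is not part of the guide or the switch software: relay_decision() forwards a client BOOTREQUEST only when its secs field reaches the configured threshold, fills in the relay's own address as giaddr, and, when Option 82 is enabled, inserts the relay agent information option with circuit-id (sub-option 1) and remote-id (sub-option 2). The relay address, threshold, identifiers and the build_request() packet are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

BOOTREQUEST, OPT_PAD, OPT_RELAY_AGENT, OPT_END = 1, 0, 82, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 236  # fixed BOOTP header that precedes the magic cookie


def find_end(pkt: bytes) -> int:
    """Walk the DHCP options and return the index of the END option."""
    i = HDR_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return i
        i += 1 if code == OPT_PAD else 2 + pkt[i + 1]
    raise ValueError("malformed options: no END option")


def relay_decision(pkt: bytes, relay_ip: str, secs_threshold: int,
                   circuit_id: bytes, remote_id: bytes, option82: bool = True):
    """Model of the relay rule on the DHCP Server page: a client request is
    forwarded only when its secs field is >= the threshold, so a local
    server gets the chance to answer first. Returns None (not relayed) or
    the packet to forward, with giaddr set and, if enabled, Option 82
    (sub-option 1 circuit-id, sub-option 2 remote-id) inserted."""
    if len(pkt) < HDR_LEN + 4 or pkt[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        return None
    op, secs = pkt[0], struct.unpack("!H", pkt[8:10])[0]
    if op != BOOTREQUEST or secs < secs_threshold:
        return None
    out = bytearray(pkt)
    if out[24:28] == b"\x00\x00\x00\x00":      # giaddr: first relay only
        out[24:28] = IPv4Address(relay_ip).packed
    if option82:
        sub = (bytes([1, len(circuit_id)]) + circuit_id
               + bytes([2, len(remote_id)]) + remote_id)
        end = find_end(out)
        out[end:end] = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return bytes(out)


def build_request(secs: int, xid: int = 0x3903F326) -> bytes:
    """Constructed minimal DHCPDISCOVER (BOOTREQUEST) for testing."""
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, xid, secs, 0x8000)
    hdr += b"\x00" * 16                                # ciaddr..giaddr
    hdr += b"\x02\x00\x00\x00\x00\x01" + b"\x00" * 10  # chaddr (16 bytes)
    hdr += b"\x00" * 192                               # sname + file
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, OPT_END])
```

Option 82 lets the DHCP server record which relay and port a lease request arrived through, which is what makes the server's lease log useful when auditing address assignments.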

Defining DHCP Relay Interfaces

Enabling relay functionality allows multiple interfaces to be configured for a DHCP configuration with multiple DHCP servers, to ensure redundancy. IP addresses are controlled and distributed one by one to avoid storming the device.

To define the DHCP Relay configuration:

STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > DHCP Relay > DHCP Interfaces. The DHCP Interfaces Page opens:

DHCP Interfaces Page

The DHCP Interfaces Page contains the following fields:

Check Box — Removes DHCP relay from an interface. The possible field values are:

-Checked — Check this box and press Delete to remove the selected DHCP Relay interface.

-Unchecked — Maintains the selected DHCP Relay interface.

Interface — Displays the interface selected for relay functionality.

STEP 2 Click the Add button. The Add DHCP Interface Page opens:

Add DHCP Interface Page

The Add DHCP Interface Page contains the following field:

Interface — Selects the interface on which to define DHCP Relay. The possible field value is:

-VLAN — Defines the DHCP Relay on the selected VLAN.

STEP 3 Select the Interface on which to define a DHCP Relay.

STEP 4 Click Apply. A DHCP Relay Interface is defined, and the device is updated.

Managing ARP

The Address Resolution Protocol (ARP) is a TCP/IP protocol that converts IP addresses into physical addresses. The ARP table is used to maintain a correlation between each MAC address and its corresponding IP address. The ARP table can be filled in statically by the user. When a static ARP entry is defined, a permanent entry is put in the table, which the system uses to translate IP addresses to MAC addresses.

To define ARP:

STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > ARP. The ARP Page opens:

ARP Page

The ARP Page contains the following fields.

ARP Entry Age Out — Defines the amount of time (in seconds) that passes between ARP requests about an ARP table entry. After this period, the entry is deleted from the table. The range is 1-40000000, where zero indicates that entries are never cleared from the cache. The default value is 60,000 seconds.

Clear ARP Table Entries — Indicates the type of ARP entries that are cleared on all devices. The possible values are:

-None — ARP entries are not cleared.

-All — All ARP entries are cleared.

-Dynamic — Only dynamic ARP entries are cleared.

-Static — Only static ARP entries are cleared.

ARP Table

Interface — Indicates the interface for which the ARP parameters are defined.

IP Address — Indicates the station IP address, which is associated with the MAC address.

MAC Address — Indicates the station MAC address, which is associated in the ARP table with the IP address.

Status — Indicates the ARP Table entry status. Possible field values are:

-Dynamic — Indicates the ARP entry was learned dynamically.

-Static — Indicates the ARP entry is a static entry.

STEP 2 Click Add. The Add ARP Page opens:

Add ARP Page

The Add ARP Page contains the following fields:

VLAN — Indicates the ARP-enabled interface.

IP Address — Indicates the station IP address, which is associated with the MAC address filled in below.

MAC Address — Indicates the station MAC address, which is associated in the ARP table with the IP address.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The ARP Settings are defined, and the device is updated.

Modifying ARP Settings

STEP 1 Click Monitor & Device Properties > System Management > IP Addressing > ARP. The ARP Page opens:

STEP 2 Click the Edit button. The Edit ARP Page opens:

Edit ARP Page

The Edit ARP Page contains the following fields:

VLAN — Indicates the ARP-enabled interface.

IP Address — Indicates the station IP address, which is associated with the MAC address filled in below.

MAC Address — Indicates the station MAC address, which is associated in the ARP table with the IP address.

Status — Defines the ARP Table entry status. Possible field values are:

-Dynamic — Indicates the ARP entry is learned dynamically.

-Static — Indicates the ARP entry is a static entry.

STEP 3 Define the relevant fields.

STEP 4 Click Apply. The ARP Settings are modified, and the device is updated.
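An added Python model (example code, not the switch's implementation) of the ARP table behaviour this section describes: static entries are permanent and are what the device uses for translation, dynamic entries are deleted once the age-out period has passed (0 means never), and clear() implements the None/All/Dynamic/Static choices. The rule in learn() that a reply conflicting with a static entry is dropped and reported is this model's assumption about how a permanent entry wins; the interface, IP and MAC values in the test are constructed.

```python
from dataclasses import dataclass

@dataclass
class ArpEntry:
    interface: str
    ip: str
    mac: str
    static: bool
    learned_at: float  # seconds; ignored for static entries

class ArpTable:
    """Model of the ARP page: static entries are permanent, dynamic entries
    age out after `age_out` seconds, and age_out 0 means never cleared."""
    def __init__(self, age_out: int = 60000):
        self.age_out = age_out
        self.entries = {}  # (interface, ip) -> ArpEntry

    def add_static(self, interface: str, ip: str, mac: str) -> None:
        self.entries[(interface, ip)] = ArpEntry(interface, ip, mac, True, 0.0)

    def learn(self, interface: str, ip: str, mac: str, now: float) -> bool:
        """Dynamic learning from a received ARP reply. A static binding is
        never overwritten: a reply claiming a different MAC for a statically
        mapped IP is dropped and False is returned (the place to alert)."""
        cur = self.entries.get((interface, ip))
        if cur is not None and cur.static:
            return cur.mac == mac
        self.entries[(interface, ip)] = ArpEntry(interface, ip, mac, False, now)
        return True

    def expire(self, now: float) -> int:
        """Delete dynamic entries older than age_out; return how many."""
        if self.age_out == 0:
            return 0
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.learned_at >= self.age_out]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def clear(self, which: str) -> None:
        """Clear ARP Table Entries: None, All, Dynamic or Static."""
        keep = {"None": lambda e: True, "All": lambda e: False,
                "Dynamic": lambda e: e.static, "Static": lambda e: not e.static}
        self.entries = {k: e for k, e in self.entries.items() if keep[which](e)}

    def resolve(self, interface: str, ip: str):
        e = self.entries.get((interface, ip))
        return e.mac if e is not None else None
```

Pinning the default gateway and other critical hosts as static entries is the practical reason for this page: a dynamic entry can be replaced by whatever reply arrives next, a static one cannot.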
