Allnet ALL-SG8826PMX-10G operation manual

Page 1
24-Port 10/100/1000Base-T + 2-Port
10G SFP+ Full Management High
Power PoE Switch
ALL-SG8826PMX-10G
User’s Manual
Page 2
FCC Warning
This Equipment has been tested and found to comply with the limits for a Class-A digital device,
pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection
against harmful interference in a residential installation. This equipment generates, uses, and can
radiate radio frequency energy. It may cause harmful interference to radio communications if the
equipment is not installed and used in accordance with the instructions. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause
harmful interference to radio or television reception, which can be determined by turning the
equipment off and on, the user is encouraged to try to correct the interference by one or more of
the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is
connected.
- Consult the dealer or an experienced radio/TV technician for help.
CE Mark Warning
This is a Class-A product. In a domestic environment this product may cause radio interference in
which case the user may be required to take adequate measures.
Default IP: 192.168.2.1
Password: admin
Page 3
Table of Contents
1. Product Overview .............................................................................................................................. 8
1.1. Major Management Features .................................................................................................... 9
1.2. Specification ................................................................................................................................ 10
1.3. Package Contents .......................................................................................................................... 13
2. Hardware Description ..................................................................................................................... 14
3. Preparation for Management ....................................................................................................... 16
3.1. Preparation for Serial Console ................................................................................................ 17
3.2. Preparation for Web Interface ................................................................................................ 19
3.3. Preparation for Telnet/SSH Interface ..................................................................................... 21
4. Feature Configuration - Web UI ................................................................................................... 23
4.1. System Configuration ............................................................................................................... 23
4.1.1. System Information ............................................................................................................. 23
4.1.2. IP Configuration .................................................................................................................... 24
4.1.3. IPv6 Configuration ................................................................................................................ 25
4.1.4. NTP Configuration: ............................................................................................................... 26
4.1.5. System Log Configuration: ................................................................................................. 27
4.2. Power Reduction ........................................................................................................................ 28
4.2.1. EEE Configuration: ................................................................................................................ 28
4.3. Port Configuration: .................................................................................................................... 29
4.4. Security Configuration: ............................................................................................................ 31
4.4.1. Security / Switch .................................................................................................................... 31
4.4.1.1. Security / Switch / Users Configuration ...................................................................... 31
4.4.1.2. Security / Switch / Privilege Levels Configuration: .................................................. 33
4.4.1.3. Security / Switch / Auth Method .................................................................................. 34
4.4.1.4. Security /Switch / SSH Configuration .......................................................................... 35
4.4.1.5. Security / Switch / HTTPS Configuration ..................................................................... 36
4.4.1.6. Security / Switch / Access Management Configuration .......................................... 37
4.4.1.7. Security / Switch / SNMP ................................................................................................ 39
4.4.1.8. RMON Statistics Configuration .................................................................................... 49
4.4.2. Security /Network ................................................................................................................. 55
4.4.2.1. Port Security Limit Control Configuration ................................................................ 55
4.4.2.2. Security / Network / Network Access Server Configuration .................................. 59
4.4.2.3. Security / Network / Access Control List Configuration ......................................... 69
4.4.2.4. Switch / Network / DHCP Configuration ..................................................................... 87
4.4.2.5. IP Source Guard Configuration ..................................................................................... 90
4.4.2.6. ARP Inspection .................................................................................................................. 92
4.4.3. Security / AAA Authentication Server Configuration .................................................. 94
4.5. Aggregation Configuration ..................................................................................................... 97
4.5.1. Static Aggregation ............................................................................................................... 97
4.5.2. LACP - Dynamic Aggregation ............................................................................................. 99
4.6. Loop Protection ........................................................................................................................ 100
4.7. Spanning Tree ............................................................................................................................ 102
4.7.1. Spanning Tree / Bridge Setting ........................................................................................ 103
4.7.2. Spanning Tree / MSTI Mapping ........................................................................................ 105
4.7.3. Spanning Tree / MSTI Priorities ........................................................................................ 106
4.7.4. Spanning Tree / CIST Ports ................................................................................................. 107
4.7.5. Spanning Tree MSTI Ports .................................................................................................. 109
4.8. MVR (Multicast VLAN Registration) ..................................................................................... 110
4.9. IPMC (IP Multicast) ................................................................................................................... 112
4.9.1. IGMP Snooping Configuration ......................................................................................... 112
4.9.1.1. Basic Configuration ....................................................................................................... 112
4.9.1.2. IGMP Snooping VLAN Configuration ........................................................................ 114
4.9.1.3. IGMP Snooping / Port Group Filtering ...................................................................... 116
4.9.2. MLD Snooping Configuration .......................................................................................... 117
4.9.2.1. Basic Configuration ....................................................................................................... 117
4.9.2.2. MLD Snooping VLAN Configuration .......................................................................... 119
4.9.2.3. IPMC / MLD Snooping / Port Group Filtering ........................................................... 121
4.10. LLDP Parameters .................................................................................................................... 122
4.10.1. LLDP Configuration .......................................................................................................... 122
4.10.2. LLDP Media Configuration.............................................................................................. 125
4.11. sFlow Configuration .............................................................................................................. 133
4.12. MAC Address Table Configuration ..................................................................................... 135
4.13. VLAN (Virtual LAN) ................................................................................................................ 137
4.13.1. VLAN Membership Configuration ................................................................................. 137
4.13.2. VLAN Port Configuration ................................................................................................ 140
4.14. Private VLANs ......................................................................................................................... 142
4.14.1. Port Isolation Configuration .......................................................................................... 143
4.15. VCL ............................................................................................................................................. 144
4.15.1. VCL / MAC-Based VLAN Configuration ......................................................................... 144
4.15.2. VCL / Protocol-based VLAN ............................................................................................. 146
4.15.3. VCL / IP Subnet-based VLAN ........................................................................................... 150
4.16. Voice VLAN Configuration ................................................................................................... 152
4.16.1. Voice VLAN / Configuration ............................................................................................ 152
4.16.2. Voice VLAN / OUI Configuration ..................................................................................... 154
4.17. QoS ............................................................................................................................................ 155
4.17.1. QoS / Ingress Port Classification .................................................................................... 155
4.17.2. QoS / Ingress Port Policy Config .................................................................................... 156
4.17.3. QoS / Port Scheduler ......................................................................................................... 157
4.17.4. QoS / Egress Port Shapers ............................................................................................... 158
4.17.5. QoS / Port Tag Remarking ............................................................................................... 159
4.17.6. QoS / Port DSCP Configuration ...................................................................................... 160
4.17.7. QoS / DSCP based QoS Ingress Classification ............................................................. 162
4.17.8. QoS / DSCP Translation .................................................................................................... 164
4.17.9. QoS / DSCP Classification ................................................................................................ 166
4.17.10. QoS / Control List Configuration ................................................................................. 167
4.17.11. QoS / Storm Control Configuration ............................................................................ 170
4.18. Mirroring Configuration ....................................................................................................... 171
4.19. UPnP Configuration ............................................................................................................... 172
4.20. Stack Configuration .............................................................................................................. 173
5. Feature Configuration - CLI ......................................................................................................... 176
5.1. System Configuration ............................................................................................................. 177
5.2. Stack Configuration ................................................................................................................. 181
5.3. Power Reduction ...................................................................................................................... 183
5.4. Port Configuration ................................................................................................................... 184
5.5. Security Configuration ........................................................................................................... 186
5.6. Aggregation Configuration ................................................................................................... 197
5.7. Loop Protection ........................................................................................................................ 198
5.8. Spanning Tree ............................................................................................................................ 199
5.9. MVR ............................................................................................................................................. 202
5.10. IPMC .......................................................................................................................................... 203
5.11. LLDP Configuration ............................................................................................................... 205
5.12. sFlow Configuration .............................................................................................................. 206
5.13. MAC Address Table Configuration ..................................................................................... 207
5.14. VLAN Configuration .............................................................................................................. 208
5.15. Private VLAN Configuration ................................................................................................ 209
5.16. VCL Configuration ................................................................................................................. 210
5.17. Voice VLAN Configuration ................................................................................................... 211
5.18. QoS Configuration ................................................................................................................. 212
5.19. Mirroring Configuration ....................................................................................................... 215
5.20. UPnP Configuration ............................................................................................................... 216
5.21. Diagnostic Commands ........................................................................................................... 217
5.22. Maintenance Commands ...................................................................................................... 218
6. Web Configuration - Monitor, Diagnostic, Maintenance ..................................................... 220
6.1. Monitor ......................................................................................................................................... 220
6.1.1. Monitor / System ................................................................................................................. 220
6.1.1.1. Monitor / System / Information .................................................................................. 220
6.1.1.2. CPU Load .......................................................................................................................... 221
6.1.1.3. System Log Information .............................................................................................. 222
6.1.1.4. System / Detailed Log ................................................................................................... 223
6.1.2. Monitor / Port State ............................................................................................................ 224
6.1.2.1. Port State ......................................................................................................................... 224
6.1.2.2. Traffic Overview ............................................................................................................. 225
6.1.2.3. QoS Statistics .................................................................................................................. 226
6.1.2.4. QCL Status ....................................................................................................................... 227
6.1.2.5. Detailed Port Statistics ................................................................................................. 229
6.1.3. Monitor / Security ............................................................................................................... 232
6.1.3.1. Security / Access Management Statistics ................................................................. 232
6.1.3.2. Security / Network ......................................................................................................... 233
6.1.3.3. Security / AAA ................................................................................................................. 255
6.1.3.4. Switch / SNMP / RMON .................................................................................................. 263
6.1.4. LACP System Status ............................................................................................................ 269
6.1.4.1. System Status ................................................................................................................. 269
6.1.4.2. LACP Port Status ............................................................................................................ 270
6.1.4.3. LACP statistics ................................................................................................................ 271
6.1.5. Loop Protection ................................................................................................................... 272
6.1.6. STP Bridge Status ................................................................................................................ 273
6.1.6.1. Bridge Status .................................................................................................................. 273
6.1.6.2. STP Port Status ............................................................................................................... 274
6.1.6.3. STP Port Statistics .......................................................................................................... 275
6.1.7. MVR Status ........................................................................................................................... 276
6.1.7.1. Statistics .......................................................................................................................... 276
6.1.7.2. MVR Group Table ........................................................................................................... 277
6.1.8. Monitor / IPMC / IGMP Snooping ..................................................................................... 278
6.1.8.1. IGMP Snooping ............................................................................................................... 278
6.1.8.2. MLD Snooping Status ................................................................................................... 283
6.1.9. Monitor / LLDP ..................................................................................................................... 287
6.1.9.1. LLDP / Neighbor .............................................................................................................. 287
6.1.9.2. LLDP MED Neighbors .................................................................................................... 289
6.1.9.3. LLDP EEE ........................................................................................................................... 293
6.1.9.4. LLDP Statistics ................................................................................................................ 295
6.1.10. Dynamic MAC Table .......................................................................................................... 297
6.1.11. VLAN Membership Status ............................................................................................... 299
6.1.12. VCL MAC-Based VLAN Status ......................................................................................... 303
6.1.13. sFlow .................................................................................................................................... 304
6.2. Diagnostic .................................................................................................................................. 305
6.2.1. Ping ........................................................................................................................................ 305
6.2.2. Ping6 ...................................................................................................................................... 306
6.2.3. VeriPHY Cable Diagnostic .................................................................................................. 307
6.3. Maintenance .............................................................................................................................. 308
6.3.1. Restart Device ...................................................................................................................... 308
6.3.2. Factory Defaults ................................................................................................................... 308
6.3.3. Software Upload ................................................................................................................. 309
6.3.3.1. Firmware Update ........................................................................................................... 309
6.3.3.2. Image Select ..................................................................................................................... 310
6.3.4. Configuration....................................................................................................................... 311
7. Safety Warnings ............................................................................................................................. 313
8. CE ....................................................................................................................................................... 314
Page 8
1. Product Overview
Introduction
ALL-SG8826PMX-10G is a rack-mount L2+ full management network switch with 24 10/100/1000Base-T
ports, two 10G SFP+ ports for stacking and two 10G SFP+ open slots. It is designed for medium or
large network environments to strengthen the network connection. ALL-SG8826PMX-10G supports a
136G non-blocking switch fabric, so the 24 gigabit ports and 2 10G ports can transmit and receive
data traffic without any loss. The EEE feature reduces power consumption when a port is connected
but no traffic is being forwarded. The 10G uplink ports are available and important for
high-bandwidth uplink requests when cascading with another switch.
ALL-SG8826PMX-10G also supports Layer 2+ full management software features. These powerful
features provide network control, management, monitoring and security. Rack-mount brackets are
included, and the 19" size fits into your rack environment. It is a superb choice to boost your
network with better performance and efficiency.
Two 10 Gigabit SFP+ Open Slots
ALL-SG8826PMX-10G is equipped with 2 10G SFP+ open slots as uplink ports; the 10G uplink design
provides an excellent solution for expanding your network from 1G to 10G. At 10G speed, this
product provides high flexibility and high-bandwidth connectivity to another 10G switch or to
servers, workstations and other attached devices that support a 10G interface. The user can also
aggregate the 10G ports into a trunk group to enlarge the bandwidth.
Stacking Features
ALL-SG8826PMX-10G includes a stacking feature, using the 2 SFP+ stacking ports, that allows multiple
switches to operate as a single unit. A single switch in the stack manages all the units in the
stack and uses a single IP address, which allows the user to manage every port in the stack from
this one address. A stack can include up to 16 switches, for a total of 384 gigabit ports plus 32
10G ports in one logical switch.
Full Layer 2 Management Features
ALL-SG8826PMX-10G includes full Layer 2+ management features. The software set includes up to
4K 802.1Q VLANs and advanced Protocol VLAN, Private VLAN, MVR and other features. There are 8 physical
Quality of Service queues, IPv4/v6 multicast filtering, Rapid Spanning Tree Protocol to avoid
network loops, Multiple Spanning Tree Protocol to integrate VLAN and Spanning Tree, LACP, LLDP,
sFlow, port mirroring, cable diagnostics and advanced network security features. It also provides a
console CLI for out-of-band management, and SNMP and a Web GUI for in-band management.
Page 9
Advanced Security
ALL-SG8826PMX-10G supports advanced security features. For switch management there are
secured HTTPS and SSH, so the login password and configuration packets are protected. Port binding
allows a specific MAC address to be bound to a port, so that only that MAC has the privilege to
access the network. With 802.1X port-based access control, every user must be authorized before
accessing the network. AAA is short for Authentication, Authorization and Accounting, and works
with RADIUS and TACACS+ servers. The Layer 2+ Access Control List allows the user to define access
privileges based on IP, MAC, port number, etc.
1.1. Major Management Features
- 24 10/100/1000Base RJ-45 plus 4 10G Base SFP
- Up to 88Gbps switching capacity, 32K MAC Address Table
- Per-Port Power Management Feature supports Enable/Disable, Priority Setting, Overloading
Protection and Power Level settings
- IEEE 802.1D STP and IEEE 802.1w RSTP
- IEEE 802.1Q VLAN, up to 4K VLAN Groups
- Port Based VLAN, MAC Based VLAN, Protocol Based VLAN, MVRP and QinQ
- IEEE 802.3ad LACP, Static Trunk support up to 14 trunks, up to 8 ports per trunk
- IGMP Snooping V1/V2/V3 and Querier port
- Up to 10K Jumbo Frame
- Rate Control and Storm Control for Broadcast/Multicast/Unknown Unicast
- QoS supports up to 8 priority queues per port, 802.1p/IP Precedence, IP ToS, IP DSCP,
DiffServ; the queue scheduling supports WRR, Strict Priority and Hybrid
- Advanced Security supports IEEE 802.1x, RADIUS, TACACS+, IP/MAC Filter
- Support Command Line, Web Management, SNMP V1/V2c/V3, RMON; Secured
Management supports HTTPS, SSL and SSHv2
- sFlow, NTP, LLDP, Port Mirroring, Cable Diagnostic, UPnP...
- IPv6 Features
Note: Please see the most updated datasheet for the detail product specification. You can
check the web site or contact the sales of the supplier.
Page 10
1.2. Specification
Hardware Specification
Interface
Total Port: 28
10/100/1000 Mbps: 24
1G SFP/10G SFP: 2
10G SFP+ Port for Stacking: 2
Auto-negotiation and Auto-MDIX: Yes
Flow Control: Backpressure for half duplex, 802.3x for full duplex
Console (RS-232): Yes
LED
System (State / Color): Y
Port (State: Link/Act / Color): Y
System
CPU: 416MHz
Flash: 16MB
SDRAM: 128MB
Packet Buffer: 4MB
Switching Capacity: 128 Gbps non-blocking
Forwarding Architecture: Store and forward
Packet Forwarding Rate: 95.2Mpps
MAC Address Table: 32K
Jumbo Frame: 10K
Power Requirement / Consumption
AC Input: 100-240V AC, 50/60Hz
Consumption (not including PSE): 25W
Environment
Operating Temperature (Degree C): 0~40
Relative Humidity at operating: 5~90% (non-condensing)
Storage Temperature (Degree C): -20~80
Relative Humidity at storage: 5~90% (non-condensing)
Mechanical
Dimension mm (H*W*D): 44.5*310*440mm
Weight: 3.0kg
Regulatory Compliance
CE, FCC Part 15 Class A: Yes
Page 11
Software Specification
IEEE 802.3 - 10Base-T
IEEE 802.3u - 100Base-TX
IEEE 802.3ab - 1000Base-T
IEEE 802.3z - 1000Base-SX/LX
IEEE 802.3x - Flow Control
IEEE 802.1Q - VLAN
Standard
Port Configuration
VLAN
IEEE 802.1p - Class of Service
IEEE 802.1D - Spanning Tree
IEEE 802.1w - Rapid Spanning Tree
IEEE 802.1s - Multiple Spanning Tree
IEEE 802.3ad - Link Aggregation Control Protocol (LACP)
IEEE 802.1v - Protocol VLAN
IEEE 802.1AB - LLDP (Link Layer Discovery Protocol)
IEEE 802.1X - Access Control
- Link State, Speed/Duplex, Auto-Negotiation, Flow Control
- Rate Control/Limit
- Port based and 802.1Q Tag based VLAN
- Maximum 4K VLAN Groups, 4096 VLAN IDs
- QinQ
- Private VLAN
- MVR (Multicast VLAN Registration)
- MAC based VLAN
- IP Subnet-based VLAN
- IEEE 802.1v Protocol VLAN
- Voice VLAN
QoS
- 8 physical priority queues
- Scheduling: WRR, Strict, WRR+SP
- CoS: Port based, 802.1p, DSCP, TCP/UDP Port based
- Storm Control (Broadcast, Multicast, unknown Unicast)
Link Aggregation
- Up to 14 trunks / up to 8 ports per trunk
- Static and 802.3ad LACP
- Static Trunk
- Hash Algorithm Type (DA, SA, DA+SA MAC-based, SIP…)
Loop Protection
- Protects against unexpected network loops by shutting down the port
Spanning tree
- IEEE 802.1D - Legacy Spanning Tree
- IEEE 802.1w - Rapid Spanning Tree
- IEEE 802.1s - Multiple Spanning Tree
- BPDU Guard, BPDU Filtering
Multicast
- IGMP Snooping v1/v2/v3, MLD (IPv6) Snooping v1/v2
- Maximum 32K Multicast Groups
- IGMP/MLD Querier, Router Port, Proxy, Immediate Leave
Traffic Mirroring
- Port Mirror (1 to 1, 1 to N, N to 1)
- sFlow
MAC Address Table
- Dynamic MAC address management
- Static MAC address
Security
- Port Security (MAC-Port, IP-MAC-Port Binding)
- 802.1x authentication (Port based, MAC address based); User Name/Password authentication by Local/RADIUS…
- Stacking Unit: max 16
- Up to 15 User Privilege Levels
- Access Management by IP
- IP Source Guard
- RADIUS
- TACACS+
- Guest VLAN
- DoS Defense
- SSHv1/SSHv2
- SSLv2/SSLv3/TLSv1
- Access Control List (L2/L3/L4)
Management
- Web GUI Management, CLI (Console/Telnet/SSH)
- DHCP Client, Snooping, Relay/Option 82, BOOTP
- SNMP v1/v2c/v3, Trap, RMON
Maintenance
- Firmware upgrade by TFTP/HTTP
- Configuration Backup/Reload
- Link Layer Discovery Protocol (LLDP) for IPv4/v6 address types
- System Log for event, warning and information
- NTP/SNTP
- VeriPHY Diagnostic
- IPv4/v6 Ping Diagnostics
- CPU Monitor
- PD Status monitoring
Note: We reserve the right to change the detailed parameters listed in this manual without prior notice. Please always refer to the most recent datasheet for the detailed product specification. You can check the web site or contact the supplier's sales department.
1.3. Packet Contents
Before you start to install this switch, please verify that your package contains the following items:
One Network Switch
One Power Cord
One User Manual CD
One pair Rack-mount kit + 8 Screws
2. Hardware Description
This section mainly describes the hardware of ALL-SG8826PMX-10G and gives a physical and
functional overview of the switch.
Front Panel
The front panel of the L2 management switch consists of 24 10/100/1000 Base-TX RJ-45 ports, 2
gigabit uplink SFP ports, and 2 10G SFP+ stacking ports. The LED Indicators are also located on the
front panel.
LED Indicators
The LED indicators present real-time information about the system's operating status. The following
table describes each LED status and its meaning.
LED             Color / Status     Description                 No. of LEDs
Power           Amber, On          Power on
10/100/1000M    Green, On          Link Up                     24 (1~24)
                Green, Blinking    Data Activating
                Green, On          Linked to Power Device
SFP             Green, On          Link Up                     25~26
                Green, Blinking    Data Activating
Rear Panel
The 3-pronged power plug is located on the right side of the rear panel of ALL-SG8826PMX-10G, as shown below.
Hardware Installation
ALL-SG8826PMX-10G is usually mounted in a 19” rack, and the rack is usually installed in an IT room or
other secured place. ALL-SG8826PMX-10G supports AC power input and rack mounting. Make sure
all the power cables, Ethernet cables, screws and the air circulation are well prepared and installed
as described below.
AC Power Input
Connect the supplied power cord to the AC power input connector. The acceptable AC power input
range is 100-264VAC.
Ethernet Cable Requirements
The wiring cable types are as below.
10 Base-T: 2-pair UTP/STP Cat. 3, 4, 5 cable, EIA/TIA-568 100-ohm (Max. 100m)
100 Base-TX: 2-pair UTP/STP Cat. 5 cable, EIA/TIA-568 100-ohm (Max. 100m)
1000 Base-T: 4-pair UTP/STP Cat. 5 cable, EIA/TIA-568 100-ohm (Max. 100m)
SFP Installation
When installing SFP transceivers, make sure the SFP type at both ends is the same and that the
transmission distance, wavelength and fiber cable meet your requirements. It is suggested to purchase
the SFP transceiver from the ALL-SG8826PMX-10G supplier to avoid any incompatibility issue.
To connect the SFP transceiver, plug the SFP fiber transceiver in first. The SFP transceiver has
2 plugs for the fiber cable: one is TX (transmit), the other is RX (receive). Cross-connect the transmit
channel at each end to the receive channel at the opposite end.
Rackmount Installation
Attach the brackets to the device using the screws provided in the rack mount kit. Mount the
device in the 19” rack using four rack-mounting screws provided by the rack manufacturer.
3. Preparation for Management
ALL-SG8826PMX-10G provides both in-band and out-of-band configuration methods.
Out-of-band Management: You can configure ALL-SG8826PMX-10G via the RS-232 console cable if you
do not attach your admin PC to your network, or if you lose the network connection to your switch. It
is not affected by network performance. This is so-called out-of-band management.
In-band Management: You can remotely manage ALL-SG8826PMX-10G via a web browser, such
as Microsoft Internet Explorer or Mozilla Firefox, to configure and interrogate
ALL-SG8826PMX-10G from anywhere on the network.
Following topics are covered in this chapter:
3.1 Preparation for Serial Console
3.2 Preparation for Web Interface
3.1. Preparation for Serial Console
In the package there is one RS-232 console cable. Attach one end of the console cable to
your PC's COM port and the other end to the console port of the switch.
1. Go to Start -> Programs -> Accessories -> Communications -> HyperTerminal.
2. Give a name to the new console connection.
3. Choose the COM port.
4. Select the correct serial settings. The serial settings of the switch are:
Baud Rate: 115200 / Parity: None / Data Bits: 8 / Stop Bits: 1
5. After connecting, you will see the switch login prompt.
6. Log in to the switch. The default username is “admin” and the default password is “admin”.
Note: Windows 7 and later do not ship with a console terminal tool. Download HyperTerminal from the Microsoft web site or use another terminal tool, such as PuTTY, for the console connection. Searching the web for “HyperTerminal” or “PuTTY” will find a download link.
Figure 3-2 Putty Configuration
Figure 3-3 Putty Login Screen
3.2. Preparation for Web Interface
The web management page allows you to use a standard web-browser such as Microsoft Internet
Explorer, Google Chrome or Mozilla Firefox, to configure and interrogate the switch from
anywhere on the network.
Before you attempt to use the web user interface to manage switch operation, verify that your
Switch is properly installed on your network and that every PC on this network can access the
switch via the web browser.
1. Verify that your network interface card (NIC) is operational, and that your operating system
supports TCP/IP protocol.
2. Wire the switch power and connect your computer to the switch.
3. The switch default IP address is 192.168.2.1. The Switch and the connected PC should locate
within the same IP Subnet.
4. Change your computer's IP address to 192.168.2.XX or another IP address located in the
192.168.2.x subnet (for example: IP Address: 192.168.2.30; Subnet Mask: 255.255.255.0).
Launch the web browser and Login.
5. Launch the web browser (Internet Explorer or Mozilla Firefox) on the PC.
6. Type http://192.168.2.1 (or the IP address of the switch). And then press Enter.
7. The login screen will appear next.
8. Key in the password. Default user name and password are both admin.
If you cannot log in to the switch, the following steps can help you identify the problem.
1. Open a command prompt and type "ipconfig" to check the NIC's settings. Type
"ping 192.168.2.1" to verify a normal response time.
2. Check the security and firewall settings of your computer.
3. Try a different web browser, such as Mozilla Firefox.
3.3. Preparation for Telnet/SSH Interface
If your Windows OS is Windows XP, Windows 2000 or an earlier version, you can access the Telnet console with the
built-in command. If your OS is Windows 7 or later, download a terminal tool such as
HyperTerminal or PuTTY.
The switch supports both Telnet and SSH consoles. The SSH console can be treated as a secured Telnet
connection; the SSH feature must be enabled in "Security / Switch / SSH".
Traditional way to open a Telnet connection
1. Go to Start -> Run -> cmd, and then press Enter.
2. Type telnet 192.168.2.1 (or the IP address of the switch), and then press Enter.
Access Telnet or SSH with a terminal tool, PuTTY
1. Open the Telnet/SSH client, PuTTY.
In the Session configuration, choose Telnet or SSH in the Protocol field.
In the Session configuration, enter the Host Name (IP address of your switch) and Port number
(default Telnet = 23, SSH = 22).
Then click “Open” to start the session console.
2. After clicking Open, you will see the cipher information in a popup screen. Press Yes to
accept the Security Alert.
If you chose a Telnet connection, there is no such cipher information window; it goes to the next
step directly.
3. After a few seconds the Telnet/SSH connection is established. The login page of Telnet/SSH is the
same as the console, and the command line of Telnet, SSH and console is the same.
4. Feature Configuration - Web UI
The switch provides abundant software features. After logging in to the switch, you can start configuring
the settings or monitoring the status. There is a question mark at the top right of the
screen; click it to get help from the system.
The following is the Web UI configuration guide for your reference.
4.1. System Configuration
4.1.1. System Information
This page shows the system information and allows you to configure the new settings.
System Contact
The textual identification of the contact person for this managed node, together with information on how to contact this person. The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.
System Name
An administratively assigned name for this managed node. By convention, this is the node's fully-qualified domain name. A domain name is a text string drawn from the alphabet (A-Z or a-z), digits (0-9), minus sign (-). No space characters are permitted as part of a name. The first character must be an alpha character. And the first or last character must not be a minus sign. The allowed string length is 0 to 255.
System Location
The physical location of this node (e.g., telephone closet, 3rd floor). The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.
Time zone Offset
Provide the time zone offset relative to UTC/GMT. The offset is given in minutes east of GMT. The valid range is from -720 to 720 minutes.
Buttons:
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.1.2. IP Configuration
Configure the switch-managed IP information on this page.
The Configured column is used to view or change the IP configuration.
The Current column is used to show the active IP configuration.
DHCP Client
Enable the DHCP client by checking this box. If DHCP fails and the configured IP address is zero, DHCP will retry. If DHCP fails and the configured IP address is non-zero, DHCP will stop and the configured IP settings will be used. The DHCP client will announce the configured System Name as hostname to provide DNS lookup.
IP Address
Provide the IP address of this switch in dotted decimal notation.
IP Mask
Provide the IP mask of this switch in dotted decimal notation.
IP Router
Provide the IP address of the router in dotted decimal notation.
NTP:
Provide the IP address of the NTP Server in dotted decimal notation.
DNS Server
Provide the IP address of the DNS Server in dotted decimal notation.
VLAN ID
Provide the managed VLAN ID. The allowed range is 1 to 4095.
DNS Proxy
When DNS proxy is enabled, the switch will relay DNS requests to the current configured DNS server on the switch, and reply as a DNS resolver to the client device on the network.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
Renew: Click to renew DHCP. This button is only available if DHCP is enabled.
4.1.3. IPv6 Configuration
Configure the switch-managed IPv6 information on this page:
The Configured column is used to view or change the IPv6 configuration.
The Current column is used to show the active IPv6 configuration.
Auto Configuration
Enable IPv6 auto-configuration by checking this box. If auto-configuration fails, the configured IPv6 address is zero. Because the router may delay responding to a router solicitation for a few seconds, the total time needed to complete auto-configuration can be significantly longer.
Address
Provide the IPv6 address of this switch. IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can only appear once. It can also represent a legally valid IPv4 address. For example, '::192.1.2.34'.
Prefix
Provide the IPv6 Prefix of this switch. The allowed range is 1 to 128.
Router
Provide the IPv6 gateway address of this switch. IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'.
The symbol '::' is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can only appear once. It can also represent a legally valid IPv4 address. For example, '::192.1.2.34'.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
Renew: Click to renew IPv6 AUTOCONF. This button is only available if IPv6 AUTOCONF is enabled.
4.1.4. NTP Configuration:
NTP is short for Network Time Protocol. Network Time Protocol (NTP) is used to synchronize time
clocks on the Internet. You can configure the NTP servers' IP addresses here to synchronize the switch clock with
the remote time server on the network.
This page indicates the NTP mode operation:
Mode
The possible modes are:
Enabled: Enable NTP mode operation. When NTP mode operation is enabled, the agent forwards NTP
messages between the clients and the server when they are not on the same subnet domain.
Disabled: Disable NTP mode operation.
Server #
Provide the NTP IPv4 or IPv6 address of this switch. IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can only appear once. It can also represent a legally valid IPv4 address. For example, '::192.1.2.34'.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.1.5. System Log Configuration:
The system log helps the system administrator monitor the switch's event history. The switch
supports system log (syslog) server mode. The user can install a syslog server on one computer, then
configure the server address and event types in the switch's system log configuration. When
events occur, the switch sends information or warning messages to the system log (syslog)
server. Administrators can analyze the system logs recorded on the syslog server
to find out the cause of issues.
The switch Web UI allows you to enable the syslog server mode, assign the server IP address and assign the
syslog level.
Server Mode
Indicates the server mode operation. When the mode operation is enabled, syslog messages are sent to the syslog server. The syslog protocol is based on UDP and is received on UDP port 514; the syslog server does not send acknowledgments back to the sender, since UDP is a connectionless protocol that does not provide acknowledgments. Syslog packets are always sent out even if the syslog server does not exist. Possible modes are:
Enabled: Enable server mode operation.
Disabled: Disable server mode operation.
Server Address
Indicates the IPv4 host address of the syslog server. If the switch provides the DNS feature, it can also be a host name.
Syslog Level
Indicates what kind of messages are sent to the syslog server. Possible levels are:
Info: Send information, warnings and errors.
Warning: Send warnings and errors.
Error: Send errors.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.2. Power Reduction
4.2.1. EEE Configuration:
This page allows the user to inspect and configure the current EEE port settings:
EEE is a power saving option that reduces the power usage when there is very low traffic
utilization (or no traffic).
EEE works by powering down circuits when there is no traffic. When a port gets data to be
transmitted, all circuits are powered up. The time it takes to power up the circuits is named
wakeup time. The default wakeup time is 17 us for 1Gbit links and 30 us for other link speeds.
EEE devices must agree upon the value of the wakeup time in order to make sure that both the
receiving and transmitting device have all circuits powered up when traffic is transmitted. The
devices can exchange information about their wakeup time using the LLDP protocol.
To maximize the power saving, the circuit is not started as soon as transmit data are ready for a
port, but data are instead queued until 3000 bytes are ready to be transmitted. To avoid
introducing a large delay in case less than 3000 bytes are to be transmitted, data are
always transmitted after 48 us, giving a maximum latency of 48 us + the wakeup time.
If desired it is possible to minimize the latency for specific frames, by mapping the frames to a
specific queue (done with QoS), and then marking the queue as an urgent queue. When an
urgent queue gets data to be transmitted, the circuits are powered up at once and the
latency is reduced to the wakeup time.
Port
The switch port number of the logical EEE port.
EEE Enabled
Controls whether EEE is enabled for this switch port.
EEE Urgent Queues
Queues that are set will activate transmission of frames as soon as any data is available. Otherwise the queue will postpone the transmission until 3000 bytes are ready to be transmitted.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.3. Port Configuration:
This page displays current port configurations and link status. Some of the Ports' settings can also
be configured here.
Port
This is the port number for this row.
Link
The current link state is displayed graphically.
Green indicates the link is up and red that it is down.
Current Link Speed
Provides the current link speed of the port.
Ex: 1Gfdx: 1G indicates the Gigabit Speed, fdx indicates the Full Duplex Mode.
Configured Link Speed
Select any available link speed for the given switch port.
Auto Speed: selects the highest speed that is compatible with a link partner.
Disabled: disables the switch port operation.
Fiber Speed
Configure speed for fiber port.
Note: Port speed for the Copper ports will automatically be set to Auto when dual media is
selected.
Disable SFPs (Copper port only).
SFP-Auto automatically determines the speed at the SFP.
Note: There is no standardized way to do SFP auto-detect, so here it is done by reading the SFP
ROM. Because of the missing standardized way of doing SFP auto-detect, some SFPs might not be detectable.
1000-X: force SFP speed to 1000-X.
100-FX: force SFP speed to 100-FX.
Flow Control
When Auto Speed is selected on a port, this section indicates the flow control capability that is advertised to the link partner. When a fixed-speed setting is selected, that is what is used. The Current Rx column indicates whether pause frames on the port are obeyed, and the Current Tx column indicates whether pause frames on the port are transmitted. The Rx and Tx settings are determined by the result of the last Auto-Negotiation. Check the configured column to use flow control. This setting is related to the setting for Configured Link Speed.
Maximum Frame Size
Enter the maximum frame size allowed for the switch port, including FCS.
The switch supports up to 10K Jumbo Frame.
Excessive Collision Mode
Configure port transmit collision behavior.
Discard: Discard frame after 16 collisions (default).
Restart: Restart backoff algorithm after 16 collisions.
Power Control
The Usage column shows the current percentage of the power consumption per port. The Configured column allows for changing the power savings mode parameters per port.
Disabled: All power savings mechanisms disabled.
ActiPHY: Link down power savings enabled.
PerfectReach: Link up power savings enabled.
Enabled: Both link up and link down power savings enabled.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
Refresh: Click to refresh the page. Any changes made locally will be undone.
4.4. Security Configuration:
The Security Configuration feature includes 3 sub-sections: Switch, Network and AAA.
4.4.1. Security / Switch
The switch settings include User Database, Privilege Levels, Authentication Method, SSH, HTTPS,
Access Management, SNMP and RMON settings. The following are the topics and configuration guide.
4.4.1.1. Security / Switch / Users Configuration
This page provides an overview of the current users. Currently the only way to log in as another
user on the web server is to close and reopen the browser.
This page configures a user; it is also a link to Add User and Edit User.
Add New User/Edit User
Click "Add New User" and the configuration page goes to the "Add User" screen. You can see the User Setting table; follow the instructions below to fill in the table.
Click a created User Name and the page goes to the "Edit User" screen, where you can change its settings.
User Name
A string identifying the user name that this entry should belong to. The allowed string length is 1 to 32. The valid user name is a combination of letters, numbers and underscores.
Password
The password of the user. The allowed string length is 0 to 32.
Privilege Level
The privilege level of the user. The allowed range is 1 to 15.
If the privilege level value is 15, the user can access all groups, i.e. is granted full control of the device. Other values must be compared against each group's privilege level: the user's privilege must be the same as or greater than the group privilege level to have access to that group.
By default, most groups' privilege level 5 has read-only access and privilege level 10 has read-write access, and system maintenance (software upload, factory defaults, etc.) needs user privilege level 15. Generally, privilege level 15 can be used for an administrator account, privilege level 10 for a standard user account and privilege level 5 for a guest account.
Check the next chapter to see how to configure privilege level.
Buttons
Add new user: Click to add a new user.
4.4.1.2. Security / Switch / Privilege Levels Configuration:
This page provides an overview of the privilege levels.
Group Name
The name identifying the privilege group. In most cases, a privilege level group consists of a single module (e.g. LACP, RSTP or QoS), but a few of them contain more than one. The following description defines these privilege level groups in detail:
System: Contact, Name, Location, Time zone, Log.
Security: Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection and IP source guard.
IP: Everything except 'ping'.
Port: Everything except 'VeriPHY'.
Diagnostics: 'ping' and 'VeriPHY'.
Maintenance: CLI - System Reboot, System Restore Default, System Password, Configuration Save, Configuration Load and Firmware Load. Web - Users, Privilege Levels and everything in Maintenance.
Debug: Only present in CLI.
Privilege Levels
Every group has an authorization privilege level for the following sub-groups: configuration read-only, configuration/execute read-write, status/statistics read-only, and status/statistics read-write (e.g. for clearing statistics).
The user privilege must be the same as or greater than the authorization privilege level to have access to that group.
Insufficient Privilege Level: If you log in with a lower privilege level and try to access a configuration feature that requires a higher privilege level, the message "Insufficient Privilege Level" will appear. If you want to continue, make sure that you have the required privilege.
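As an added illustration (not the switch's own code), the authorization rule above expressed in Python: level 15 is granted everything, any other user level must be equal to or greater than the group's level for the requested sub-group. The group table is a constructed sample built from the manual's stated defaults (5 read-only, 10 read-write, 15 for Maintenance); real switches carry more groups.

```python
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    """The four sub-group authorization levels every privilege group carries."""
    CONFIG_RO = "configuration read-only"
    CONFIG_RW = "configuration/execute read-write"
    STATUS_RO = "status/statistics read-only"
    STATUS_RW = "status/statistics read-write"


@dataclass(frozen=True)
class GroupPrivilege:
    """Required user level for each sub-group of one privilege group."""
    config_ro: int
    config_rw: int
    status_ro: int
    status_rw: int

    def required(self, access: Access) -> int:
        return {
            Access.CONFIG_RO: self.config_ro,
            Access.CONFIG_RW: self.config_rw,
            Access.STATUS_RO: self.status_ro,
            Access.STATUS_RW: self.status_rw,
        }[access]


# Constructed sample table following the manual's defaults:
# level 5 read-only, level 10 read-write, level 15 for Maintenance.
SAMPLE_GROUPS = {
    "System": GroupPrivilege(5, 10, 5, 10),
    "Security": GroupPrivilege(5, 10, 5, 10),
    "Maintenance": GroupPrivilege(15, 15, 15, 15),
}

ADMIN_LEVEL = 15
INSUFFICIENT = "Insufficient Privilege Level"


def check_access(user_level: int, group: str, access: Access,
                 groups: dict = SAMPLE_GROUPS) -> tuple:
    """Decide whether a user may perform `access` on `group`.

    Returns (allowed, message). Level 15 gets everything; any other level
    must be equal to or greater than the group's level for that sub-group.
    """
    if not 1 <= user_level <= 15:
        raise ValueError("privilege level must be 1..15")
    if user_level == ADMIN_LEVEL:
        return True, "granted (level 15 has full control)"
    needed = groups[group].required(access)
    if user_level >= needed:
        return True, f"granted (level {user_level} >= {needed})"
    return False, f"{INSUFFICIENT}: {access.value} on {group} needs level {needed}"


def maintenance_capable(users: dict, groups: dict = SAMPLE_GROUPS) -> list:
    """Privilege review helper: which accounts can reach Maintenance
    (firmware load, factory default, system password)? Expect only admins."""
    return sorted(name for name, level in users.items()
                  if check_access(level, "Maintenance", Access.CONFIG_RW, groups)[0])
```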
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.4.1.3. Security / Switch / Auth Method
This page allows you to configure how a user is authenticated when he logs into the switch via
one of the management client interfaces.
The table has one row for each client type and a number of columns, which are:
Client
The management client for which the configuration below applies.
Authentication Method
Authentication Method can be set to one of the following values:
none: authentication is disabled and login is not possible.
local: use the local user database on the switch for authentication.
RADIUS: use a remote RADIUS server for authentication.
TACACS+: use a remote TACACS server for authentication.
Fallback
Enable fallback to local authentication by checking this box. If none of the configured authentication servers are alive, the local user database is used for authentication. This is only possible if the Authentication Method is set to a value other than 'none' or 'local'.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.4.1.4. Security /Switch / SSH Configuration
With SSH, you can remotely connect to the switch's command line interface. The SSH
connection secures all the configuration commands you send to the switch. It is also known as the
secured Telnet console.
To access the switch by SSH, install an SSH client on your computer, such as the PuTTY
console tool. On the switch side, the switch acts as the SSH server for user login, and you can enable
or disable SSH on this page.
Please check chapter 3.3, Preparation for Telnet/SSH Interface, to see how to manage the
switch through the SSH console.
Mode
Indicates the SSH mode operation. Possible modes are:
Enable: Enable SSH mode operation.
Disabled: Disable SSH mode operation.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.4.1.5. Security / Switch / HTTPS Configuration
The web management page also provides secured management via HTTPS login. All the
configuration commands are protected, making it hard for attackers to sniff the login
password and configuration commands.
This page allows you to configure HTTPS mode.
Mode
Indicates the HTTPS mode operation. Possible modes are:
Enable: Enable HTTPS mode operation.
Disabled: Disable HTTPS mode operation.
Automatic Redirect
Indicates the HTTPS redirect mode operation. Automatically redirect web browser to HTTPS
when HTTPS mode is enabled. Possible modes are:
Enable: Enable HTTPS redirect mode operation.
Disabled: Disable HTTPS redirect mode operation.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.4.1.6. Security / Switch / Access Management Configuration
The Access Management mode allows the user to limit switch access to specific ranges of IP
addresses and to disable some remote management services, such as HTTP, HTTPS, SNMP, Telnet and SSH.
This feature is important once the switch is installed on the network. After Access
Management is enabled, only the pre-configured IP address or range of IP addresses can access the switch
management interface, and only the enabled services can be accessed.
Configure the access management table on this page. The maximum number of entries is 16. If the
host's IP address and the application's type match any one of the access management entries, access to the
switch is allowed.
In the example in the figure below, only IP addresses in the range 192.168.2.101 to 192.168.2.200
can access the switch's management interface. The available services are HTTP, HTTPS, SNMP,
Telnet and SSH. If a host with IP address 192.168.2.201 tries to open the web management
interface, it is not allowed.
Mode
Indicates the access management mode operation. Possible modes are:
Enable: Enable access management mode operation.
Disabled: Disable access management mode operation.
Delete
Check to delete the entry. It will be deleted during the next save.
Start IP address
Indicates the start IP address for the access management entry.
End IP address
Indicates the end IP address for the access management entry.
With the Start and End IP address, you can assign a range of IP addresses.
HTTP/HTTPS
Indicates that the host can access the switch from HTTP/HTTPS interface if the host IP address
matches the IP address range provided in the entry.
SNMP
Indicates that the host can access the switch from SNMP interface if the host IP address matches
the IP address range provided in the entry.
TELNET / SSH
Indicates that the host can access the switch from TELNET/SSH interface if the host IP address
matches the IP address range provided in the entry.
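As an added example (not the switch's own code), the matching rule of the access management table in Python: a host is allowed only when it falls inside some entry's Start/End range and that entry has the requested service ticked. The table reproducing the manual's figure is constructed here, and `lockout_check` is an added helper for confirming that the admin workstation stays reachable before the mode is saved.

```python
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 16  # the access management table holds at most 16 entries

# Service name -> which column of an entry permits it
SERVICE_COLUMN = {
    "HTTP": "http_https", "HTTPS": "http_https",
    "SNMP": "snmp",
    "TELNET": "telnet_ssh", "SSH": "telnet_ssh",
}
ALL_SERVICES = ("HTTP", "HTTPS", "SNMP", "TELNET", "SSH")


@dataclass(frozen=True)
class AccessEntry:
    """One row of the table: an IPv4 range plus the three service check boxes."""
    start_ip: str
    end_ip: str
    http_https: bool = False
    snmp: bool = False
    telnet_ssh: bool = False

    def __post_init__(self):
        if ipaddress.IPv4Address(self.start_ip) > ipaddress.IPv4Address(self.end_ip):
            raise ValueError(f"start {self.start_ip} is after end {self.end_ip}")

    def covers(self, host: str) -> bool:
        addr = ipaddress.IPv4Address(host)
        return (ipaddress.IPv4Address(self.start_ip) <= addr
                <= ipaddress.IPv4Address(self.end_ip))

    def permits(self, service: str) -> bool:
        return getattr(self, SERVICE_COLUMN[service.upper()])


def is_access_allowed(mode_enabled: bool, entries: list,
                      host: str, service: str) -> bool:
    """Mirror the switch's decision: with the mode disabled everything is
    reachable; otherwise some entry must both cover the host and permit
    the service."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries are supported")
    if service.upper() not in SERVICE_COLUMN:
        raise ValueError(f"unknown service {service!r}")
    if not mode_enabled:
        return True
    return any(e.covers(host) and e.permits(service) for e in entries)


def lockout_check(entries: list, admin_host: str) -> list:
    """Services the admin workstation would lose once the mode is enabled.
    An empty list means it is safe to save; anything else is a lockout risk."""
    return [s for s in ALL_SERVICES
            if not is_access_allowed(True, entries, admin_host, s)]


# Constructed table matching the manual's figure: 192.168.2.101-200, all services.
MANUAL_EXAMPLE = [
    AccessEntry("192.168.2.101", "192.168.2.200",
                http_https=True, snmp=True, telnet_ssh=True),
]
```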
Buttons
Add New Entry: Click to add a new group entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
4.4.1.7. Security / Switch / SNMP
Simple Network Management Protocol (SNMP) is a protocol used for exchanging
management information between network devices. The switch supports SNMP and provides many
OIDs for remote management. Each OID is unique and corresponds to one
feature/command.
The switch supports SNMP v1, v2c and v3. The following settings show how to configure
SNMP and its related parameters.
Mode
Indicates the SNMP mode operation. Possible modes are:
Enable: Enable SNMP mode operation.
Disabled: Disable SNMP mode operation.
Version
Indicates the SNMP supported version. Possible versions are:
SNMPv1: Set SNMP supported version 1.
SNMPv2c: Set SNMP supported version 2c.
SNMPv3: Set SNMP supported version 3.
Read Community
Indicates the community read access string to permit access to SNMP agent. The allowed string
length is 0 to 255, and the allowed content is the ASCII characters from 33 to 126.
The field is applicable only when SNMP version is SNMPv1 or SNMPv2c. If SNMP version is
SNMPv3, the community string will be associated with SNMPv3 communities table. It provides
more flexibility to configure security name than a SNMPv1 or SNMPv2c community string. In
addition to community string, a particular range of source addresses can be used to restrict
source subnet.
Write Community
Indicates the community write access string to permit access to SNMP agent. The allowed string
length is 0 to 255, and the allowed content is the ASCII characters from 33 to 126.
The field is applicable only when SNMP version is SNMPv1 or SNMPv2c. If SNMP version is
SNMPv3, the community string will be associated with SNMPv3 communities table. It provides
more flexibility to configure security name than a SNMPv1 or SNMPv2c community string. In
addition to community string, a particular range of source addresses can be used to restrict
source subnet.
Engine ID
Indicates the SNMPv3 engine ID. The string must contain an even number of hexadecimal digits,
between 10 and 64 digits long, but all-zeros and all-'F's are not allowed.
Changing the Engine ID will clear all existing local users.
SNMP Trap Configuration
Configure SNMP trap on this page.
Trap Mode
Indicates the SNMP trap mode operation. Possible modes are:
Enable: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.
Trap Version
Indicates the SNMP trap supported version. Possible versions are:
SNMPv1: Set SNMP trap supported version 1.
SNMPv2c: Set SNMP trap supported version 2c.
SNMPv3: Set SNMP trap supported version 3.
Trap Community
Indicates the community access string when sending SNMP trap packet. The allowed string
length is 0 to 255, and the allowed content is ASCII characters from 33 to 126.
Trap Destination Address
Indicates the SNMP trap destination address.
Trap Destination IPv6 Address
Provide the trap destination IPv6 address of this switch. IPv6 address is in 128-bit records
represented as eight fields of up to four hexadecimal digits with a colon separating each field
(:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be used as
a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can only
appear once. It can also represent a legally valid IPv4 address. For example, '::192.1.2.34'.
Trap Authentication Failure
Indicates that the SNMP entity is permitted to generate authentication failure traps. Possible
modes are:
Enable: SNMP trap authentication failure.
Disabled: Disable SNMP trap authentication failure.
Trap Link-up and Link-down
Indicates the SNMP trap link-up and link-down mode operation. Possible modes are:
Enabled: Enable SNMP trap link-up and link-down mode operation.
Disabled: Disable SNMP trap link-up and link-down mode operation.
Trap Inform Mode
Indicates the SNMP trap inform mode operation. Possible modes are:
Enabled: Enable SNMP trap inform mode operation.
Disabled: Disable SNMP trap inform mode operation.
Trap Inform Timeout (seconds)
Indicates the SNMP trap inform timeout. The allowed range is 0 to 2147.
Trap Inform Retry Times
Indicates the SNMP trap inform retry times. The allowed range is 0 to 255.
Trap Probe Security Engine ID
Indicates the SNMP trap probe security engine ID mode of operation. Possible values are:
Enabled: Enable SNMP trap probe security engine ID mode of operation.
Disabled: Disable SNMP trap probe security engine ID mode of operation.
Trap Security Engine ID
Indicates the SNMP trap security engine ID. SNMPv3 sends traps and informs using USM for
authentication and privacy, so a unique engine ID for these traps and informs is needed. When
"Trap Probe Security Engine ID" is enabled, the ID is probed automatically. Otherwise, the ID
specified in this field is used. The string must be hexadecimal with an even number of digits,
between 10 and 64 digits long; all-zeros and all-'F's are not allowed.
Trap Security Name
Indicates the SNMP trap security name. SNMPv3 sends traps and informs using USM for
authentication and privacy, so a unique security name is needed when traps and informs are
enabled.
Buttons
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
SNMPv3 Community Configuration
SNMPv3 adds support for user names and their privileges. You can configure the SNMPv3
community table on this page:
The entry index key is Community.
Delete
Check to delete the entry. It will be deleted during the next save.
Community
Indicates the community access string that permits access to the SNMPv3 agent. The allowed string
length is 1 to 32, and the allowed content is ASCII characters from 33 to 126. The community
string is treated as the security name and maps to an SNMPv1 or SNMPv2c community string.
Source IP
Indicates the SNMP access source address. A particular range of source addresses can be used to
restrict source subnet when combined with source mask.
Source Mask
Indicates the SNMP access source address mask.
Buttons
Add new community: Click to add a new community entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
SNMPv3 User Configuration
Configure SNMPv3 user table on this page. The entry index keys are Engine ID and User
Name.
Delete
Check to delete the entry. It will be deleted during the next save.
Engine ID
An octet string identifying the engine ID that this entry should belong to. The string must be
hexadecimal with an even number of digits, between 10 and 64 digits long; all-zeros and all-'F's
are not allowed. The SNMPv3 architecture uses the User-based Security Model (USM) for message
security and the View-based Access Control Model (VACM) for access control. For a USM entry,
usmUserEngineID and usmUserName are the entry's keys. In a simple agent, usmUserEngineID is
always that agent's own snmpEngineID value. It can also take the value of the snmpEngineID of a
remote SNMP engine with which this user can communicate. In other words, if the user's engine ID
equals the system engine ID it is a local user; otherwise it is a remote user.
User Name
A string identifying the user name that this entry should belong to. The allowed string length is
1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Level
Indicates the security level that this entry should belong to. Possible security levels are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
The security level cannot be modified once the entry exists, so make sure it is set correctly when
the entry is created.
Authentication Protocol
Indicates the authentication protocol that this entry should belong to. Possible authentication
protocols are:
None: No authentication protocol.
MD5: An optional flag to indicate that this user uses MD5 authentication protocol.
SHA: An optional flag to indicate that this user uses SHA authentication protocol.
The security level cannot be modified once the entry exists, so make sure it is set correctly when
the entry is created.
Authentication Password
A string identifying the authentication password phrase. For MD5 authentication protocol, the
allowed string length is 8 to 32. For SHA authentication protocol, the allowed string length is 8
to 40. The allowed content is ASCII characters from 33 to 126.
Privacy Protocol
Indicates the privacy protocol that this entry should belong to. Possible privacy protocols are:
None: No privacy protocol.
DES: An optional flag to indicate that this user uses the DES privacy protocol.
Privacy Password
A string identifying the privacy password phrase. The allowed string length is 8 to 32, and the
allowed content is ASCII characters from 33 to 126.
Buttons
Add new user: Click to add a new user entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
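The field rules above (engine ID format, name and password lengths and content, local versus remote users) can be checked before an entry is committed. The following Python is an added example written for this manual page, not the switch's own software; the engine ID values are constructed, and the cross-check that an 'Auth' security level needs an authentication protocol and 'Auth, Priv' a privacy protocol follows USM (RFC 3414) rather than a statement on the page.

```python
"""Validation of an SNMPv3 user entry (Engine ID, user name, security level,
authentication/privacy protocols and passwords) following the field rules of the
SNMPv3 User Configuration page. Added example; not the switch's own code."""
import re

# Allowed printable ASCII range for names and passwords (codes 33..126).
_PRINTABLE = re.compile(r"^[\x21-\x7e]+$")

# Password length limits per protocol, as stated on the configuration page.
AUTH_PASSWORD_LEN = {"MD5": (8, 32), "SHA": (8, 40)}
PRIV_PASSWORD_LEN = {"DES": (8, 32)}


def validate_engine_id(engine_id: str) -> list[str]:
    """Return a list of rule violations for an SNMP engine ID (empty if valid).

    Rules: hexadecimal only, an even number of digits, 10..64 digits,
    and neither all zeros nor all 'F's.
    """
    errors = []
    if not re.fullmatch(r"[0-9A-Fa-f]+", engine_id or ""):
        errors.append("engine ID must be hexadecimal")
        return errors
    n = len(engine_id)
    if n % 2:
        errors.append("engine ID must have an even number of hex digits")
    if not 10 <= n <= 64:
        errors.append("engine ID must be 10 to 64 hex digits long")
    if set(engine_id) == {"0"}:
        errors.append("engine ID must not be all zeros")
    if set(engine_id.upper()) == {"F"}:
        errors.append("engine ID must not be all F's")
    return errors


def validate_user(entry: dict, system_engine_id: str) -> dict:
    """Validate one SNMPv3 user table entry.

    `entry` keys: engine_id, user_name, security_level ('NoAuth,NoPriv',
    'Auth,NoPriv' or 'Auth,Priv'), auth_protocol ('None', 'MD5', 'SHA'),
    auth_password, priv_protocol ('None', 'DES'), priv_password.
    Returns {'errors': [...], 'scope': 'local' | 'remote' | None}.
    """
    errors = validate_engine_id(entry.get("engine_id", ""))

    name = entry.get("user_name", "")
    if not (1 <= len(name) <= 32 and _PRINTABLE.match(name)):
        errors.append("user name must be 1..32 printable ASCII characters (33..126)")

    level = entry.get("security_level")
    auth = entry.get("auth_protocol", "None")
    priv = entry.get("priv_protocol", "None")
    if level not in ("NoAuth,NoPriv", "Auth,NoPriv", "Auth,Priv"):
        errors.append("unknown security level")
    # Assumption (USM, RFC 3414): a level that requires authentication or privacy
    # needs the matching protocol; the page itself does not spell this out.
    if level in ("Auth,NoPriv", "Auth,Priv"):
        if auth not in AUTH_PASSWORD_LEN:
            errors.append("security level requires an authentication protocol")
        else:
            lo, hi = AUTH_PASSWORD_LEN[auth]
            pw = entry.get("auth_password", "")
            if not (lo <= len(pw) <= hi and _PRINTABLE.match(pw)):
                errors.append(f"{auth} authentication password must be {lo}..{hi} printable characters")
    if level == "Auth,Priv":
        if priv not in PRIV_PASSWORD_LEN:
            errors.append("security level requires a privacy protocol")
        else:
            lo, hi = PRIV_PASSWORD_LEN[priv]
            pw = entry.get("priv_password", "")
            if not (lo <= len(pw) <= hi and _PRINTABLE.match(pw)):
                errors.append(f"{priv} privacy password must be {lo}..{hi} printable characters")

    # Local vs remote user: an engine ID equal to the agent's own engine ID makes
    # the entry a local user, any other valid engine ID a remote one.
    scope = None
    if not validate_engine_id(entry.get("engine_id", "")):
        scope = "local" if entry["engine_id"].lower() == system_engine_id.lower() else "remote"
    return {"errors": errors, "scope": scope}


if __name__ == "__main__":
    # Constructed sample values; the engine IDs do not belong to any real device.
    system_id = "800007e5017f000001"
    ok = {"engine_id": system_id, "user_name": "monitor", "security_level": "Auth,Priv",
          "auth_protocol": "SHA", "auth_password": "correct-horse-battery",
          "priv_protocol": "DES", "priv_password": "staple-0123"}
    print(validate_user(ok, system_id))
    bad = {"engine_id": "0000000000", "user_name": "", "security_level": "Auth,NoPriv",
           "auth_protocol": "None"}
    print(validate_user(bad, system_id))
```

Running the script prints an empty error list with scope 'local' for the first entry and three violations (all-zero engine ID, empty user name, missing authentication protocol) for the second.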
SNMPv3 Group Configuration
Configure SNMPv3 group table on this page:
The entry index keys are Security Model and Security Name.
Delete
Check to delete the entry. It will be deleted during the next save.
Security Model
Indicates the security model that this entry should belong to. Possible security models are:
v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).
Security Name
A string identifying the security name that this entry should belong to. The allowed string
length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Group Name
A string identifying the group name that this entry should belong to. The allowed string length
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add new group: Click to add a new group entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
SNMPv3 View Configuration
Configure SNMPv3 view table on this page.
The entry index keys are View Name and OID Sub-tree.
Delete
Check to delete the entry. It will be deleted during the next save.
View Name
A string identifying the view name that this entry should belong to. The allowed string length
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
View Type
Indicates the view type that this entry should belong to. Possible view types are:
Included: An optional flag to indicate that this view sub-tree should be included.
Excluded: An optional flag to indicate that this view sub-tree should be excluded.
In general, if a view entry's view type is 'Excluded', there should be another view entry with
view type 'Included' whose OID sub-tree covers the 'Excluded' entry's sub-tree.
OID Subtree
The OID defining the root of the sub-tree to add to the named view. The allowed OID length is
1 to 128. The allowed content is decimal digits or an asterisk (*).
Buttons
Add new view: Click to add a new view entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
SNMPv3 Access Configuration
Configure SNMPv3 access table on this page. The entry index keys are Group Name, Security
Model, and Security Level.
Delete
Check to delete the entry. It will be deleted during the next save.
Group Name
A string identifying the group name that this entry should belong to. The allowed string length
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Model
Indicates the security model that this entry should belong to. Possible security models are:
Any: Any security model is accepted (v1|v2c|usm).
V1: Reserved for SNMPv1.
V2c: Reserved for SNMPv2c.
Usm: User-based Security Model (USM).
Security Level
Indicates the security level that this entry should belong to. Possible security levels are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
Read View Name
The name of the MIB view defining the MIB objects whose current values a request matching this
entry may read. The allowed string length is 1 to 32, and the allowed content is ASCII characters
from 33 to 126.
Write View Name
The name of the MIB view defining the MIB objects whose values a request matching this entry
may set. The allowed string length is 1 to 32, and the allowed content is ASCII characters
from 33 to 126.
Buttons
Add new access: Click to add a new access entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
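The group, view and access tables above together form the switch's SNMPv3 access control: a request's security model and security name select a group, the group with the security model and level selects an access entry, and the access entry's read or write view decides whether an OID may be touched. The following Python model is an added example, not the switch's own implementation. It follows the VACM rules of RFC 3415, which go slightly beyond the page's wording: the matching view entry with the longest OID sub-tree decides membership, an access entry applies when its security model is the request's model or 'Any' and its level is not higher than the request's level, and an exact model match and then the highest such level are preferred. The table contents, names and OIDs are constructed for illustration.

```python
"""Worked model of the SNMPv3 group, view and access tables: map a request
(security model, security name, security level) to a group, then to an access
entry, then decide whether an OID may be read or written. Added example that
follows RFC 3415 (VACM); not the switch's own code."""

LEVELS = {"NoAuth,NoPriv": 0, "Auth,NoPriv": 1, "Auth,Priv": 2}


def oid_in_subtree(oid: str, subtree: str) -> bool:
    """True if `oid` lies under `subtree`. A '*' component matches any value."""
    o, s = oid.split("."), subtree.split(".")
    if len(s) > len(o):
        return False
    return all(sc == "*" or sc == oc for oc, sc in zip(o, s))


def view_includes(views: dict, view_name: str, oid: str) -> bool:
    """Decide view membership: the matching entry with the longest OID subtree
    wins; its type ('included'/'excluded') gives the answer. No match -> excluded."""
    best = None
    for subtree, vtype in views.get(view_name, []):
        if oid_in_subtree(oid, subtree):
            if best is None or subtree.count(".") > best[0].count("."):
                best = (subtree, vtype)
    return best is not None and best[1] == "included"


def find_access(groups: dict, access: dict, model: str, name: str, level: str):
    """Resolve (model, name) to a group and pick the group's access entry.
    An entry applies if its model is the request's model or 'any' and its level
    is not higher than the request's level; an exact model match is preferred,
    then the highest applicable level."""
    group = groups.get((model, name))
    if group is None:
        return None
    candidates = [
        (gm == model, LEVELS[gl], rv, wv)
        for (g, gm, gl), (rv, wv) in access.items()
        if g == group and gm in (model, "any") and LEVELS[gl] <= LEVELS[level]
    ]
    if not candidates:
        return None
    candidates.sort(reverse=True)
    _, _, read_view, write_view = candidates[0]
    return {"group": group, "read_view": read_view, "write_view": write_view}


def check_request(groups, access, views, model, name, level, oid, write=False) -> bool:
    """Return True if the request is permitted under the configured tables."""
    acc = find_access(groups, access, model, name, level)
    if acc is None:
        return False
    view = acc["write_view"] if write else acc["read_view"]
    return view_includes(views, view, oid)


# Constructed sample tables (group names, user names and OIDs are illustrative).
GROUPS = {("usm", "monitor"): "ro_group", ("usm", "netadmin"): "rw_group"}
ACCESS = {
    # (group, security model, security level): (read view, write view)
    ("ro_group", "usm", "Auth,NoPriv"): ("mib2_view", ""),
    ("rw_group", "usm", "Auth,Priv"): ("all_view", "all_view"),
    ("rw_group", "any", "NoAuth,NoPriv"): ("mib2_view", ""),
}
VIEWS = {
    "all_view": [("1", "included")],
    # MIB-2 readable, except the ip sub-tree (1.3.6.1.2.1.4), which is carved out.
    "mib2_view": [("1.3.6.1.2.1", "included"), ("1.3.6.1.2.1.4", "excluded")],
}

if __name__ == "__main__":
    print(check_request(GROUPS, ACCESS, VIEWS, "usm", "monitor", "Auth,NoPriv", "1.3.6.1.2.1.1.1.0"))
    print(check_request(GROUPS, ACCESS, VIEWS, "usm", "monitor", "NoAuth,NoPriv", "1.3.6.1.2.1.1.1.0"))
    print(check_request(GROUPS, ACCESS, VIEWS, "usm", "netadmin", "Auth,Priv", "1.3.6.1.2.1.4.1.0", write=True))
```

The 'monitor' user reading sysDescr at Auth,NoPriv is allowed, the same read without authentication is refused because no access entry at that level exists, and 'netadmin' can write into the ip sub-tree only when the request carries both authentication and privacy.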
4.4.1.8. RMON Statistics Configuration
RMON is short for Remote Monitoring On Network. An RMON implementation typically operates
in a client/server model. The monitoring device (probe) contains RMON software agents that collect
information about the system and its ports. The RMON software agent acts as the server, and the
network management system (NMS) that communicates with it acts as the client. The RMON agent of
the switch supports four groups: Statistics, History, Alarm and Event.
RMON Group / Function / Elements
Statistics
Function: Contains statistics measured by the probe for each monitored interface on this device.
Elements: Real-time LAN statistics, e.g. utilization, collisions and CRC errors: packets dropped,
packets sent, bytes sent (octets), broadcast packets, multicast packets, CRC errors, undersize
packets, oversize packets, fragments, jabbers, collisions, and counters for packets of 64 bytes and
of 65 to 127, 128 to 255, 256 to 511, 512 to 1023, and 1024 to 1518 bytes.
History
Function: Records periodic statistical samples from a network and stores them for retrieval.
Elements: History of the above Statistics.
Alarm
Function: Definitions for RMON SNMP traps to be sent when statistics exceed defined thresholds.
Elements: Interval for sampling, particular variable, sample type, value of statistics during the
last sampling period, startup alarm, rising threshold, rising index, falling threshold, falling
index.
Events
Function: Controls the generation and notification of events from this device.
Elements: Event index, log index, event log time, event description.
The NMS can retrieve the above information by polling the switch remotely. The information
collected from the switch can be analyzed and displayed as tables or graphs.
RMON Statistics Configuration
Configure RMON Statistics table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Data Source
Indicates the ID of the port to be monitored. In a stacked switch, add 1000*(switch ID-1) to the
port number; for example, port 5 on switch 3 is entered as 2005.
Buttons
Add new entry: Click to add a new statistics entry
Save: Click to save changes
Reset: Click to undo any changes made locally and revert to previously saved values
RMON History Configuration
Configure RMON History table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Data Source
Indicates the ID of the port to be monitored. In a stacked switch, add 1000*(switch ID-1) to the
port number; for example, port 5 on switch 3 is entered as 2005.
Interval
Indicates the interval in seconds for sampling the history statistics data. The range is from 1 to
3600, default value is 1800 seconds.
Buckets
Indicates the maximum number of data entries stored in RMON for this History control entry.
The range is from 1 to 3600; the default value is 50.
Buckets Granted
The number of data entries actually granted and stored in RMON for this entry.
Buttons
Add new entry: Click to add a new history entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
RMON Alarm Configuration
Configure RMON Alarm table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Interval
Indicates the interval in seconds for sampling and comparing the rising and falling threshold.
The range is from 1 to 2^31-1.
Variable
Indicates the particular variable to be sampled. The possible variables are:
InOctets: The total number of octets received on the interface, including framing characters.
InUcastPkts: The number of unicast packets delivered to a higher-layer protocol.
InNUcastPkts: The number of broadcast and multicast packets delivered to a higher-layer
protocol.
InDiscards: The number of inbound packets that were discarded even though they contained no
errors.
InErrors: The number of inbound packets that contained errors preventing them from being
deliverable to a higher-layer protocol.
InUnknownProtos: The number of inbound packets that were discarded because of an unknown or
unsupported protocol.
OutOctets: The number of octets transmitted out of the interface, including framing
characters.
OutUcastPkts: The number of unicast packets requested to be transmitted.
OutNUcastPkts: The number of broadcast and multicast packets requested to be transmitted.
OutDiscards: The number of outbound packets that were discarded even though they contained no
errors.
OutErrors: The number of outbound packets that could not be transmitted because of errors.
OutQlen: The length of the output packet queue (in packets).
Sample Type
The method of sampling the selected variable and calculating the value to be compared
against the thresholds, possible sample types are:
Absolute: Get the sample directly.
Delta: Calculate the difference between samples (default).
Value
The value of the statistic during the last sampling period.
Startup Alarm
Indicates which alarm may be generated when this entry is first activated. The possible startup
alarm types are:
Rising: Trigger an alarm when the first value is larger than the rising threshold.
Falling: Trigger an alarm when the first value is less than the falling threshold.
RisingOrFalling: Trigger an alarm when the first value is larger than the rising threshold or less
than the falling threshold (default).
Rising Threshold
Rising threshold value (-2147483648 to 2147483647).
Rising Index
Rising event index (1-65535).
Falling Threshold
Falling threshold value (-2147483648 to 2147483647).
Falling Index
Falling event index (1-65535).
Buttons
Add new entry: Click to add a new alarm entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
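The following Python model shows how the alarm fields above act together: the Sample Type turns counter readings into the value that is compared, the Startup Alarm decides what may fire on the first value, and after a rising event no further rising event fires until the value has come down to the falling threshold (and vice versa), so a single burst produces one rising event rather than one per interval. It is an added example, not the switch's own code; it follows the RMON alarm semantics of RFC 2819, comparing with >= and <= where the page says 'larger than' and 'less than', and the counter readings are constructed.

```python
"""Worked model of an RMON alarm entry: sampling (Absolute or Delta), the
startup-alarm rule and rising/falling threshold hysteresis. Added example
following RFC 2819 alarm semantics; not the switch's own code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RmonAlarm:
    variable: str                           # e.g. "InErrors" on a data source
    sample_type: str = "Delta"              # "Absolute" or "Delta"
    startup_alarm: str = "RisingOrFalling"  # "Rising", "Falling" or "RisingOrFalling"
    rising_threshold: int = 0
    falling_threshold: int = 0
    rising_index: int = 0                   # event index fired on a rising crossing
    falling_index: int = 0                  # event index fired on a falling crossing
    # internal state
    last_sample: Optional[int] = field(default=None, repr=False)
    value: Optional[int] = field(default=None, repr=False)  # value of the last sampling period
    side: Optional[str] = field(default=None, repr=False)   # "high", "low" or None (between)

    def sample(self, raw: int) -> Optional[int]:
        """Feed one raw counter reading; return the event index to fire, or None."""
        if self.sample_type == "Absolute":
            value = raw
        else:  # Delta: difference between this and the previous reading
            if self.last_sample is None:
                self.last_sample = raw
                return None                 # a delta needs two readings
            value = raw - self.last_sample
            self.last_sample = raw
        first = self.value is None
        self.value = value

        above = value >= self.rising_threshold
        below = value <= self.falling_threshold

        if first:
            # Startup alarm: the first value positions the alarm, but only the
            # configured direction(s) may actually generate an event.
            fired = None
            if above:
                self.side = "high"
                if self.startup_alarm in ("Rising", "RisingOrFalling"):
                    fired = self.rising_index
            elif below:
                self.side = "low"
                if self.startup_alarm in ("Falling", "RisingOrFalling"):
                    fired = self.falling_index
            return fired

        # Hysteresis: a rising event re-arms only after a falling crossing, and vice versa.
        if above and self.side != "high":
            self.side = "high"
            return self.rising_index
        if below and self.side != "low":
            self.side = "low"
            return self.falling_index
        return None


def run_alarm(alarm: RmonAlarm, readings: list) -> list:
    """Replay a sequence of counter readings; return the event fired per reading."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings of an InErrors counter sampled once per Interval: the
    # counter grows by 0, 120, 130, 5, 0 and 200 between successive samples.
    errors = RmonAlarm("InErrors", "Delta", "RisingOrFalling",
                       rising_threshold=100, falling_threshold=10,
                       rising_index=1, falling_index=2)
    print(run_alarm(errors, [1000, 1000, 1120, 1250, 1255, 1255, 1455]))
```

For the constructed readings the output is [None, 2, 1, None, 2, None, 1]: the first reading only primes the delta, the zero delta fires the falling event at startup, the two consecutive bursts above 100 produce a single rising event, and the next rising event is only possible after the quiet period has crossed the falling threshold.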
RMON Event Configuration
Configure RMON Event table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Desc
A description of this event. The string length is 0 to 127; the default is an empty string.
Type
Indicates how the event is notified. The possible types are:
None: No notification is generated.
Log: An entry is written to the RMON event log.
Snmptrap: An SNMP trap is sent.
Logandtrap: An entry is written to the RMON event log and an SNMP trap is sent.
Community
Specifies the community used when a trap is sent. The string length is 0 to 127; the default is
"public".
Event Last Time
Indicates the value of sysUpTime at the time this event entry last generated an event.
Buttons
Add new entry: Click to add a new event entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.4.2. Security /Network
4.4.2.1. Port Security Limit Control Configuration
This page allows you to configure the Port Security Limit Control system and port settings.
Limit Control allows for limiting the number of users on a given port. A user is identified by a
MAC address and VLAN ID. If Limit Control is enabled on a port, the limit specifies the maximum
number of users on the port. If this number is exceeded, an action is taken. The action can be
one of the four different actions as described below.
The Limit Control module utilizes a lower-layer module, Port Security module, which manages
MAC addresses learnt on the port.
The Limit Control configuration consists of two sections, a system-wide and a port-wide one.
System Configuration
Mode
Indicates if Limit Control is globally enabled or disabled on the switch. If globally disabled, other
modules may still use the underlying functionality, but limit checks and corresponding actions
are disabled.
Aging Enabled
If checked, secured MAC addresses are subject to aging as discussed under Aging Period.
Aging Period
If Aging Enabled is checked, then the aging period is controlled with this input. If other modules
are using the underlying port security for securing MAC addresses, they may have other
requirements for the aging period. The underlying port security will use the shortest aging
period requested by any of the modules that use the functionality.
The Aging Period can be set to a number between 10 and 10,000,000 seconds.
To understand why aging may be desired, consider the following scenario: Suppose an end-host
is connected to a 3rd party switch or hub, which in turn is connected to a port on this switch on
which Limit Control is enabled. The end-host will be allowed to forward if the limit is not
exceeded. Now suppose that the end-host logs off or powers down. If it wasn't for aging, the
end-host would still take up resources on this switch and will be allowed to forward. To
overcome this situation, enable aging. With aging enabled, a timer is started once the end-host
gets secured. When the timer expires, the switch starts looking for frames from the end-host,
and if such frames are not seen within the next Aging Period, the end-host is assumed to be
disconnected, and the corresponding resources are freed on the switch.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Port Configuration
The table allows you to configure the Port Configuration parameters, which are:
Port
The port number to which the configuration below applies.
Mode
Controls whether Limit Control is enabled on this port. Both this and the Global Mode must be
set to Enabled for Limit Control to be in effect. Notice that other modules may still use the
underlying port security features without enabling Limit Control on a given port.
Limit
The maximum number of MAC addresses that can be secured on this port. This number cannot
exceed 1024. If the limit is exceeded, the corresponding action is taken.
The switch is "born" with a total number of MAC addresses from which all ports draw whenever
a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same
pool, it may happen that a configured maximum cannot be granted, if the remaining ports have
already used all available MAC addresses.
Action
If Limit is reached, the switch can take one of the following actions:
None: Do not allow more than Limit MAC addresses on the port, but take no further action.
Trap: If Limit + 1 MAC addresses are seen on the port, send an SNMP trap. If Aging is disabled,
only one SNMP trap will be sent, but with Aging enabled, a new SNMP trap will be sent every time
the limit is exceeded.
Shutdown: If Limit + 1 MAC addresses are seen on the port, shut down the port. This implies that
all secured MAC addresses will be removed from the port, and no new addresses will be learned.
Even if the link is physically disconnected and reconnected on the port (by disconnecting the
cable), the port will remain shut down. There are three ways to re-open the port:
1) Boot the switch,
2) Disable and re-enable Limit Control on the port or the switch,
3) Click the Reopen button.
Trap & Shutdown: If Limit + 1 MAC addresses are seen on the port, both the "Trap" and the
"Shutdown" actions described above will be taken.
State
This column shows the current state of the port as seen from the Limit Control's point of view.
The state takes one of four values:
Disabled: Limit Control is either globally disabled or disabled on the port.
Ready: The limit is not yet reached. This can be shown for all actions.
Limit Reached: Indicates that the limit is reached on this port. This state can only be shown if
Action is set to None or Trap.
Shutdown: Indicates that the port is shut down by the Limit Control module. This state can only
be shown if Action is set to Shutdown or Trap & Shutdown.
Re-open Button
If a port is shut down by this module, you may reopen it by clicking this button, which is only
enabled in that case. For other methods, refer to Shutdown in the Action section.
Note that clicking the reopen button causes the page to be refreshed, so non-committed
changes will be lost.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
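The Limit, Action, Aging and State settings described above can be traced with the following Python simulation of one Limit Control port. It is an added example, not the switch's firmware. The timings and MAC addresses are constructed, and two details are assumptions rather than statements on the page: the aging bookkeeping frees an entry whose timer has expired if no frame from that host arrives during the following Aging Period (the scenario in the System Configuration section, expressed as a rule), and a reopened port starts a new trap episode.

```python
"""Simulation of a Port Security Limit Control port: MAC+VLAN users are secured
up to Limit, the configured Action (None, Trap, Shutdown, Trap & Shutdown) runs
when Limit + 1 users are seen, and aging frees silent hosts. Added example; not
the switch's own code, timings and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Secured:
    timer_start: float   # when the aging timer was (re)started for this user
    last_seen: float


class LimitControlPort:
    def __init__(self, limit: int, action: str = "None",
                 aging_period: Optional[float] = None, enabled: bool = True):
        assert 1 <= limit <= 1024, "Limit cannot exceed 1024"
        assert action in ("None", "Trap", "Shutdown", "Trap & Shutdown")
        self.limit, self.action, self.aging_period, self.enabled = limit, action, aging_period, enabled
        self.secured: dict[tuple[str, int], Secured] = {}   # user = (MAC, VLAN ID)
        self.shut_down = False
        self.trap_sent = False          # one trap per exceedance episode
        self.traps: list[tuple[float, tuple[str, int]]] = []  # (time, offending user)

    def frame(self, mac: str, vlan: int, now: float) -> bool:
        """Process a frame from (mac, vlan) at time `now`; True if it is forwarded."""
        key = (mac.lower(), vlan)
        if not self.enabled:
            return True                 # Limit Control off: plain switching
        if self.shut_down:
            return False
        if key in self.secured:
            self.secured[key].last_seen = now
            return True
        if len(self.secured) < self.limit:
            self.secured[key] = Secured(timer_start=now, last_seen=now)
            return True
        # Limit + 1 users seen: take the configured action; the frame is not forwarded.
        if self.action in ("Trap", "Trap & Shutdown") and not self.trap_sent:
            self.traps.append((now, key))
            self.trap_sent = True
        if self.action in ("Shutdown", "Trap & Shutdown"):
            self.shut_down = True
            self.secured.clear()        # all secured addresses are removed
        return False

    def age(self, now: float) -> list:
        """Run the aging check. Once a user's timer expires the switch watches for
        one more Aging Period; a user silent in that window is freed (assumption)."""
        freed = []
        if self.aging_period is None:
            return freed
        for key, e in list(self.secured.items()):
            watch_start = e.timer_start + self.aging_period
            if now >= watch_start + self.aging_period:
                if e.last_seen >= watch_start:
                    e.timer_start = now     # still active: restart the timer
                else:
                    del self.secured[key]
                    freed.append(key)
        if len(self.secured) < self.limit:
            self.trap_sent = False      # limit no longer exceeded: next excess traps again
        return freed

    def reopen(self) -> None:
        """The Reopen button: clears the shutdown (assumed to start a new trap episode)."""
        self.shut_down = False
        self.trap_sent = False

    def state(self) -> str:
        if not self.enabled:
            return "Disabled"
        if self.shut_down:
            return "Shutdown"
        if len(self.secured) >= self.limit and self.action in ("None", "Trap"):
            return "Limit Reached"
        return "Ready"


if __name__ == "__main__":
    p = LimitControlPort(limit=2, action="Trap", aging_period=60)
    for t, mac in [(0, "aa:00:00:00:00:01"), (0, "aa:00:00:00:00:02"), (1, "aa:00:00:00:00:03")]:
        print(t, mac, p.frame(mac, 1, t), p.state())
    print("freed:", p.age(130), p.state(), "traps:", len(p.traps))
```

With Limit 2 and Action Trap the third host is refused and one trap is sent; after the first host has been silent through its aging window it is freed, the port returns to Ready, and the next excess host triggers a fresh trap, which is the 'new traps every time the limit gets exceeded' behaviour of the Trap action with aging enabled.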
4.4.2.2. Security / Network / Network Access Server Configuration
This page allows you to configure the IEEE802.1X and MAC-based authentication system and
port settings.
The IEEE 802.1X standard defines a port-based access control procedure that prevents
unauthorized access to a network by requiring users to first submit credentials for
authentication. One or more central servers, the backend servers, determine whether the user is
allowed access to the network. These backend (RADIUS) servers are configured on the
"Configuration > Security > AAA" page. The IEEE 802.1X standard defines port-based operation,
but non-standard variants overcome its security limitations, as explored below.
MAC-based authentication allows authentication of more than one user on the same port,
and doesn't require the user to have special 802.1X supplicant software installed on their system.
The switch uses the user's MAC address to authenticate against the backend server. Intruders
can create counterfeit MAC addresses, which makes MAC-based authentication less secure than
802.1X authentication.
The NAS configuration consists of two sections, a system-wide and a port-wide one.
System Configuration
Mode
Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all ports are
allowed forwarding of frames.
Re-authentication Enabled
If checked, successfully authenticated supplicants/clients are re-authenticated after the interval
specified by the Re-authentication Period. Re-authentication for 802.1X-enabled ports can be
used to detect if a new device is plugged into a switch port or if a supplicant is no longer
attached.
For MAC-based ports, re-authentication is only useful if the RADIUS server configuration has
changed. It does not involve communication between the switch and the client, and therefore
doesn't imply that a client is still present on a port (see Aging Period below).
Re-authentication Period
Determines the period, in seconds, after which a connected client must be re-authenticated. This
is only active if the Re-authentication Enabled checkbox is checked. Valid values are in the range
1 to 3600 seconds.
EAPOL Timeout
Determines the time for retransmission of Request Identity EAPOL frames.
Valid values are in the range 1 to 65535 seconds. This has no effect for MAC-based ports.
Aging Period
This setting applies to the following modes, i.e. modes using the Port Security functionality to
secure MAC addresses:
• Single 802.1X
• Multi 802.1X
• MAC-Based Auth.
When the NAS module uses the Port Security module to secure MAC addresses, the Port Security
module needs to check for activity on the MAC address in question at regular intervals and free
resources if no activity is seen within a given period of time. This parameter controls exactly this
period and can be set to a number between 10 and 1000000 seconds.
If re-authentication is enabled and the port is in an 802.1X-based mode, this is not so critical,
since supplicants that are no longer attached to the port will get removed upon the next
re-authentication, which will fail. But if re-authentication is not enabled, the only way to free
resources is by aging the entries.
For ports in MAC-based Auth. mode, re-authentication doesn't cause direct communication
between the switch and the client, so this will not detect whether the client is still attached or
not, and the only way to free any resources is to age the entry.
Hold Time
This setting applies to the following modes, i.e. modes using the Port Security functionality to
secure MAC addresses:
• Single 802.1X
• Multi 802.1X
• MAC-Based Auth.
If a client is denied access - either because the RADIUS server denies the client access or because
the RADIUS server request times out (according to the timeout specified on the
"Configuration > Security > AAA" page) - the client is put on hold in the Unauthorized state. The
hold timer does not count during an on-going authentication.
In MAC-based Auth. mode, the switch will ignore new frames coming from the client during the
hold time.
The Hold Time can be set to a number between 10 and 1000000 seconds.
RADIUS-Assigned QoS Enabled
RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic
coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS
server must be configured to transmit special RADIUS attributes to take advantage of this
feature (see RADIUS-Assigned QoS Enabled below for a detailed description).
The "RADIUS-Assigned QoS Enabled" checkbox provides a quick way to globally enable/disable
RADIUS-server assigned QoS Class functionality. When checked, each port's own setting
determines whether RADIUS-assigned QoS Class is enabled on that port. When unchecked,
RADIUS-server assigned QoS Class is disabled on all ports.
RADIUS-Assigned VLAN Enabled
RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully
authenticated supplicant is placed on the switch. Incoming traffic will be classified to and
switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit
special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned VLAN Enabled
below for a detailed description).
The "RADIUS-Assigned VLAN Enabled" checkbox provides a quick way to globally enable/disable
RADIUS-server assigned VLAN functionality. When checked, each port's own setting
determines whether RADIUS-assigned VLAN is enabled on that port. When unchecked,
RADIUS-server assigned VLAN is disabled on all ports.
Guest VLAN Enabled
A Guest VLAN is a special VLAN - typically with limited network access - on which
802.1X-unaware clients are placed after a network administrator-defined timeout. The switch
follows a set of rules for entering and leaving the Guest VLAN as listed below.
The "Guest VLAN Enabled" checkbox provides a quick way to globally enable/disable Guest
VLAN functionality. When checked, each port's own setting determines whether the port can be
moved into the Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled on
all ports.
Guest VLAN ID
This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN. It is
only changeable if the Guest VLAN option is globally enabled.
Valid values are in the range [1; 4095].
Max. Reauth. Count
The number of times the switch transmits an EAPOL Request Identity frame without response
before considering entering the Guest VLAN is adjusted with this setting. The value can only be
changed if the Guest VLAN option is globally enabled.
Valid values are in the range [1; 255].
Allow Guest VLAN if EAPOL Seen
The switch remembers if an EAPOL frame has been received on the port for the life-time of the
port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option
is enabled or disabled. If disabled (unchecked; default), the switch will only enter the Guest
VLAN if an EAPOL frame has not been received on the port for the life-time of the port. If
enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has
been received on the port for the life-time of the port.
The value can only be changed if the Guest VLAN option is globally enabled.
Port Configuration
The table has a number of columns that allow you to configure the port mode based on the IEEE
802.1X standard. Select the port and configure the settings.
Port
The port number for which the configuration below applies.
Admin State
If NAS is globally enabled, this selection controls the port's authentication mode. The following
modes are available:
Force Authorized
In this mode, the switch will send one EAPOL Success frame when the port link comes up, and
any client on the port will be allowed network access without authentication.
Force Unauthorized
In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and
any client on the port will be disallowed network access.
Port-based 802.1X
In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and the
RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle,
forwarding requests and responses between the supplicant and the authentication server.
Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL
(EAP Over LANs) frames.
EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the
RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with
other attributes like the switch's IP address, name, and the supplicant's port number on the
switch. EAP is very flexible, in that it allows for different authentication methods, like
MD5-CHALLENGE, PEAP, and TLS. The important thing is that the authenticator (the switch)
doesn't need to know which authentication method the supplicant and the authentication
server are using, or how many information exchange frames are needed for a particular method.
The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or
RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success
or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to
open up or block traffic on the switch port connected to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is configured to X
seconds (using the AAA configuration page), and suppose that the first server in the list is
currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start
frames at a rate faster than X seconds, then it will never get authenticated, because the switch
will cancel on-going backend authentication server requests whenever it receives a new EAPOL
Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds
haven't expired), the same server will be contacted upon the next backend authentication server
request from the switch. This scenario will loop forever. Therefore, the server timeout should be
smaller than the supplicant's EAPOL Start frame retransmission rate.
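The note above can be reproduced with the following Python model, an added example that is not the switch's own state machine. It replays the two events that matter, EAPOL Start retransmissions from the supplicant and the backend server timeout on the switch, and reports whether authentication ever completes. Assumptions: network delay is zero, a server that does not answer is marked dead after a single timeout, the second server answers immediately, and server names and timings are constructed.

```python
"""Model of the EAPOL Start / server timeout interaction: an EAPOL Start cancels
the switch's outstanding backend request, so a supplicant that retransmits faster
than the server timeout never lets the switch fail over from a server that is
down but not yet dead. Added example with constructed timings; not the switch's
own code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RadiusServer:
    name: str
    answers: bool   # False models a server that is down (never replies)


def simulate_auth(server_timeout: float, eapol_start_interval: float,
                  servers=(RadiusServer("radius-1", False), RadiusServer("radius-2", True)),
                  max_time: float = 600.0) -> dict:
    """Return {'authenticated_at': time or None, 'requests': n, 'dead': [names]}.

    Events in time order: the supplicant sends EAPOL Start at 0, R, 2R, ...; each
    one cancels the on-going backend request and starts a new one towards the
    first server not considered dead. A request that gets no answer within
    `server_timeout` marks that server dead and the switch tries the next one."""
    dead: list = []
    pending: Optional[tuple] = None    # (server, started_at)
    next_start = 0.0
    requests = 0

    def first_live() -> Optional[RadiusServer]:
        return next((s for s in servers if s.name not in dead), None)

    def contact(t: float):
        """Send a backend request at time t; return a result dict if it settles."""
        nonlocal pending, requests
        srv = first_live()
        if srv is None:
            return {"authenticated_at": None, "requests": requests, "dead": dead}
        requests += 1
        if srv.answers:
            return {"authenticated_at": t, "requests": requests, "dead": dead}
        pending = (srv, t)
        return None

    while next_start <= max_time:
        timeout_at = pending[1] + server_timeout if pending else float("inf")
        if next_start <= timeout_at:
            # EAPOL Start (re)transmission wins: any on-going request is cancelled.
            t, next_start = next_start, next_start + eapol_start_interval
            pending = None
            result = contact(t)
        else:
            # Server timeout expired first: mark the server dead and fail over.
            t = timeout_at
            dead.append(pending[0].name)
            pending = None
            result = contact(t)
        if result is not None:
            return result
    return {"authenticated_at": None, "requests": requests, "dead": dead}


if __name__ == "__main__":
    # Supplicant retransmits every 10 s, server timeout 15 s: the request to
    # radius-1 is cancelled before it can time out, and this repeats forever.
    print(simulate_auth(server_timeout=15, eapol_start_interval=10))
    # Server timeout 5 s, retransmission every 10 s: radius-1 is declared dead at
    # t = 5 and radius-2 answers, so the supplicant is authenticated at t = 5.
    print(simulate_auth(server_timeout=5, eapol_start_interval=10))
```

The first call never authenticates within the simulated 600 seconds and leaves no server marked dead, which is the looping scenario the note describes; the second authenticates at t = 5 after one failover. With the two values equal the Start still arrives before the timeout fires, matching the note's requirement that the server timeout be strictly smaller than the retransmission interval.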
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port,
the whole port is opened for network traffic. This allows other clients connected to the same port
(for instance through a hub) to piggy-back on the successfully authenticated client and get network
access without being authenticated themselves. To close this hole, use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same characteristics as
does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the
port at a time. Normal EAPOL frames are used in the communication between the supplicant
and the switch. If more than one supplicant is connected to a port, the one that comes first
when the port's link comes up will be the first one considered. If that supplicant doesn't provide
valid credentials within a certain amount of time, another supplicant will get a chance. Once a
supplicant is successfully authenticated, only that supplicant will be allowed access. This is the
most secure of all the supported modes. In this mode, the Port Security module is used to secure
a supplicant's MAC address once successfully authenticated.
Multi 802.1X
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many of
the same characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the
same port at the same time. Each supplicant is authenticated individually and secured in the
MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC
address for EAPOL frames sent from the switch towards the supplicant, since that would cause
all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch
uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL
Response Identity frame sent by the supplicant. An exception to this is when no supplicants are
attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast
MAC address as destination - to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using the
Port Security Limit Control functionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a
best-practices method adopted by the industry. In MAC-based authentication, users are called
clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of
frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as
both username and password in the subsequent EAP exchange with the RADIUS server. The
6-byte MAC address is converted to a string of the form "xx-xx-xx-xx-xx-xx", that is, lower-case
hexadecimal digits separated by dashes (-). The switch only supports the MD5-Challenge
authentication method, so the RADIUS server must be configured accordingly (MD5-Challenge
requires the server to hold the MAC string as a cleartext password for that user).
When authentication is complete, the RADIUS server sends a success or failure indication, which
in turn causes the switch to open up or block traffic for that particular client, using the
Port-Security module. Only then will frames from the client be forwarded on the switch. There
are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication
has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X-based authentication is that the
clients don't need special supplicant software to authenticate. The disadvantage is that the MAC
address is the only credential, and it is visible in every frame the client sends: anyone who sets
their interface to a MAC address known to the RADIUS server is admitted as that client. Also,
only the MD5-Challenge method is supported. The maximum number of clients that can be
attached to a port can be limited using the Port Security Limit Control functionality.
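The exchange described above, worked through in code as an added example that is not the switch vendor's software: the MAC is formatted as the switch presents it, the switch answers the server's MD5-Challenge on the client's behalf, and the RADIUS side recomputes the digest and decides. The MD5-Challenge formula is the one RFC 3748 specifies; the function names, sample MAC addresses and challenge are constructed for the example.

```python
"""MAC-based authentication modelled end to end, as an added example.

Not vendor code. From the manual: the client's MAC is used as both username and
password, formatted "xx-xx-xx-xx-xx-xx" with lower-case hex digits, and only the EAP
MD5-Challenge method is used. The response computation is the one RFC 3748 section
5.4 specifies for MD5-Challenge, MD5(Identifier || password || Challenge) as in
CHAP (RFC 1994). The MAC addresses and the challenge are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple


def mac_to_radius_user(mac: bytes) -> str:
    """Format a 6-byte MAC the way the switch presents it to RADIUS."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP MD5-Challenge Response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


def switch_side(client_mac: bytes, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
    """The switch acts as supplicant for the client: it answers Request/Identity
    with the MAC string and the MD5-Challenge with a digest over that same string.
    Nothing here is a secret the client had to know."""
    user = mac_to_radius_user(client_mac)
    return user, md5_challenge_response(identifier, user, challenge)


def radius_side(allowed_macs: Set[str], user: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """The RADIUS server stores each permitted MAC string as that user's cleartext
    password (MD5-Challenge cannot work from a hashed password) and recomputes."""
    if user not in allowed_macs:
        return False                        # Access-Reject: unknown MAC
    expected = md5_challenge_response(identifier, user, challenge)
    return hmac.compare_digest(expected, response)   # Access-Accept / Access-Reject


def authenticate(allowed_macs: Set[str], client_mac: bytes,
                 challenge: Optional[bytes] = None) -> bool:
    """One complete exchange for a client whose first frame the switch snooped."""
    challenge = challenge if challenge is not None else os.urandom(16)
    identifier = 1                          # EAP Identifier chosen by the server
    user, response = switch_side(client_mac, identifier, challenge)
    return radius_side(allowed_macs, user, identifier, challenge, response)


# Constructed inventory: one printer admitted by MAC, one laptop that is not.
PRINTER_MAC = bytes.fromhex("00a0c9112233")
LAPTOP_MAC = bytes.fromhex("a4c3f0445566")
ALLOWED = {mac_to_radius_user(PRINTER_MAC)}

if __name__ == "__main__":
    print("printer:", authenticate(ALLOWED, PRINTER_MAC))   # True
    print("laptop: ", authenticate(ALLOWED, LAPTOP_MAC))    # False
    # A laptop that has cloned the printer's MAC is indistinguishable from the
    # printer: the only credential is the address every frame on the wire carries.
    print("laptop with cloned MAC:", authenticate(ALLOWED, PRINTER_MAC))  # True
```

The last call in the demo is the point of the caveat in the paragraph above: the server can only compare the MAC string, and a neighbour who reads that string off the wire and clones it is accepted exactly like the genuine device. Pair MAC-based authentication with the Port Security Limit Control the page mentions and treat MAC-authenticated ports as untrusted.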
RADIUS-Assigned QoS Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port,
the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet
transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and
valid, traffic received on the supplicant's port will be classified to the given QoS Class. If
(re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's
invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is
immediately reverted to the original QoS Class (which may be changed by the administrator in
the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS
Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it
must follow this rule:
• All 8 octets in the attribute's value must be identical and consist of ASCII characters in the
range '0' - '3', which translates into the desired QoS Class in the range [0; 3].
RADIUS-Assigned VLAN Enabled
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port,
the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet
transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and
valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a
member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned,
all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's
invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is
immediately reverted to the original VLAN ID (which may be changed by the administrator in
the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership and
VLAN Port" pages. These pages show which modules have (temporarily) overridden the current
Port VLAN configuration.
RADIUS attributes used in identifying a VLAN ID:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an
Access-Accept packet. The following criteria are used:
• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be
present at least once in the Access-Accept packet.
• The switch looks for the first set of these attributes that have the same Tag value and fulfill the
following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to
include a Tag):
- Value of Tunnel-Medium-Type must be set to "IEEE-802" (ordinal 6).
- Value of Tunnel-Type must be set to "VLAN" (ordinal 13).
- Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range '0' - '9', which is
interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded. The final
value must be in the range [1; 4095].
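The two attribute checks above (QoS Class from User-Priority-Table, VLAN ID from the Tunnel-* attributes) in code, as an added example rather than the switch's own implementation: it splits the attribute section of an Access-Accept, applies the Tag and value rules stated on this page, and returns what the switch would assign or None where it would revert to the port's own setting. The attribute numbers are those of the cited RFCs; the sample attribute sections and function names are constructed for the example.

```python
"""Check an Access-Accept for the QoS Class and VLAN ID attributes this switch acts on.

Added example, not vendor code. Attribute numbers are from the RFCs the manual
cites: Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81)
from RFC 2868 as profiled by RFC 3580, User-Priority-Table (59) from RFC 4675. The
acceptance rules are the ones stated above; the attribute sections are constructed
(no RADIUS header or authenticator, which do not affect the rules).
"""
from typing import List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
USER_PRIORITY_TABLE = 59
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6       # Tunnel-Medium-Type "IEEE-802"


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute section into (Type, Value) pairs; Length covers T+L+V."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def tagged_int(value: bytes) -> Tuple[int, int]:
    """Tag octet followed by a 3-octet integer (Tunnel-Type, Tunnel-Medium-Type)."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value: bytes) -> Tuple[int, bytes]:
    """Tunnel-Private-Group-ID: a leading octet above 0x1F is not a Tag but the first
    character of the string (RFC 2868), which is how an untagged (Tag 0) ID looks."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def radius_vlan_id(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """VLAN ID the switch would apply, or None if the packet carries no valid one."""
    types = [tagged_int(v) for t, v in attrs if t == TUNNEL_TYPE]
    media = [tagged_int(v) for t, v in attrs if t == TUNNEL_MEDIUM_TYPE]
    groups = [tagged_string(v) for t, v in attrs if t == TUNNEL_PRIVATE_GROUP_ID]
    if not (types and media and groups):
        return None                         # all three must be present at least once
    for tag, ttype in types:                # first Tag for which the whole set is valid
        if ttype != TUNNEL_TYPE_VLAN:
            continue
        if not any(mt == tag and m == TUNNEL_MEDIUM_IEEE802 for mt, m in media):
            continue
        for gt, gid in groups:
            if gt == tag and gid.isdigit():      # ASCII '0'-'9' only
                vid = int(gid)                   # leading zeros are discarded here
                if 1 <= vid <= 4095:
                    return vid
    return None


def radius_qos_class(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """QoS Class from the first User-Priority-Table, or None if absent or invalid."""
    for t, v in attrs:
        if t == USER_PRIORITY_TABLE:
            if len(v) == 8 and len(set(v)) == 1 and v[0] in b"0123":
                return v[0] - ord("0")
            return None                      # only the first occurrence counts
    return None


def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def tagged(tag: int, n: int) -> bytes:
    return bytes([tag]) + n.to_bytes(3, "big")


# Constructed attribute sections.
GOOD = (attr(TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN))
        + attr(TUNNEL_MEDIUM_TYPE, tagged(1, TUNNEL_MEDIUM_IEEE802))
        + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"0120")   # "0120" -> VLAN 120
        + attr(USER_PRIORITY_TABLE, b"22222222"))                # -> QoS Class 2
UNTAGGED = (attr(TUNNEL_TYPE, tagged(0, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged(0, TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"4094"))           # Tag 0: no tag octet
BAD = (attr(TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN))
       + attr(TUNNEL_MEDIUM_TYPE, tagged(2, TUNNEL_MEDIUM_IEEE802))  # Tag differs
       + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"Sales")        # not decimal
       + attr(USER_PRIORITY_TABLE, b"01230123"))                    # octets differ
```

Feeding the attribute bytes a RADIUS server actually emits (from its debug output or a capture) through these two functions is a quick way to find out why an assignment silently did not take: the usual causes are a named VLAN in Tunnel-Private-Group-ID where this switch wants a decimal ID, or Tag values that differ between the three attributes.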
Guest VLAN Enabled
When Guest VLAN is both globally enabled and enabled (checked) for a given port, the switch
considers moving the port into the Guest VLAN according to the rules outlined below.
This option is only available for EAPOL-based modes, i.e.:
• Port-based 802.1X
• Single 802.1X
• Multi 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership and
VLAN Port" pages. These pages show which modules have (temporarily) overridden the current
Port VLAN configuration.
Guest VLAN Operation:
When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request
Identity frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and
no EAPOL frames have been received in the meanwhile, the switch considers entering the Guest
VLAN. The interval between transmissions of EAPOL Request Identity frames is configured with
EAPOL Timeout.
If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If
disabled, the switch will first check its history to see if an EAPOL frame has previously been
received on the port (this history is cleared if the port link goes down or the port's Admin State
is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will not move to
the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by
EAPOL Timeout.
Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the
port are allowed access on this VLAN. The switch will not transmit an EAPOL Success frame when
entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame
is received, the switch immediately takes the port out of the Guest VLAN and starts
authenticating the supplicant according to the port mode. Because that EAPOL frame is now in
the port's history, the port cannot return to the Guest VLAN while "Allow Guest VLAN if EAPOL
Seen" is disabled, until the history is cleared by the link going down or the Admin State being
changed.
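The Guest VLAN rules above as an executable model, an added example and not the switch firmware: it tracks the EAPOL history, the transmit count against Max. Reauth. Count and the two conditions that decide whether the port may enter the Guest VLAN. It assumes, as marked in the code, that the port decides at the timeout following its Max. Reauth. Count-th unanswered Request Identity frame; method and state names are mine.

```python
"""Model of the Guest VLAN decision described above, as an added example.

Not vendor code: a simulation of the rules the manual states, so the effect of
"Allow Guest VLAN if EAPOL Seen" and of the EAPOL history can be traced. Timing is
event-driven: each call to eapol_timeout() stands for one expiry of EAPOL Timeout
without an EAPOL frame having arrived. One reading is assumed and marked below: the
port considers the Guest VLAN at the timeout after it has transmitted
Max. Reauth. Count Request Identity frames.
"""
from typing import List


class GuestVlanPort:
    LINK_DOWN, AUTHENTICATING, GUEST_VLAN = "Link Down", "Authenticating", "Guest VLAN"

    def __init__(self, max_reauth_count: int, allow_if_eapol_seen: bool):
        self.max_reauth_count = max_reauth_count
        self.allow_if_eapol_seen = allow_if_eapol_seen
        self.state = self.LINK_DOWN
        self.tx_count = 0            # Request Identity frames sent since the last reset
        self.eapol_seen = False      # the "history": any EAPOL frame since link up
        self.log: List[str] = []

    def _send_request_identity(self) -> None:
        self.tx_count += 1
        self.log.append("tx EAPOL Request Identity")

    def link_up(self) -> None:
        self.eapol_seen = False      # history is cleared when the link went down
        self.tx_count = 0
        self.state = self.AUTHENTICATING
        self._send_request_identity()

    def link_down(self) -> None:
        self.eapol_seen = False
        self.tx_count = 0
        self.state = self.LINK_DOWN

    def admin_state_changed(self) -> None:
        """Changing the port's Admin State also clears the history and restarts."""
        if self.state != self.LINK_DOWN:
            self.link_up()

    def eapol_timeout(self) -> None:
        """EAPOL Timeout expired with no EAPOL frame received in the meanwhile."""
        if self.state != self.AUTHENTICATING:
            return
        # Assumption: "exceeds Max. Reauth. Count" means that once that many frames
        # have gone unanswered, the Guest VLAN is considered before sending another.
        if self.tx_count >= self.max_reauth_count:
            if self.allow_if_eapol_seen or not self.eapol_seen:
                self.state = self.GUEST_VLAN
                self.log.append("enter Guest VLAN (no EAPOL Success sent)")
                return
            # history says a supplicant was here once: keep asking, never go guest
        self._send_request_identity()

    def eapol_received(self) -> None:
        """Any EAPOL frame: leave the Guest VLAN if in it, record the history and
        authenticate according to the port mode (not modelled further here)."""
        self.eapol_seen = True
        if self.state == self.GUEST_VLAN:
            self.log.append("leave Guest VLAN")
        if self.state != self.LINK_DOWN:
            self.state = self.AUTHENTICATING
            self.tx_count = 0


def run(port: GuestVlanPort, events: List[str]) -> str:
    """Drive the port with named events and return the resulting state."""
    for event in events:
        getattr(port, event)()
    return port.state
```

Driving the model with a supplicant that speaks once and then goes quiet reproduces the situation in the last paragraph: with "Allow Guest VLAN if EAPOL Seen" disabled the port keeps sending Request Identity frames indefinitely and never falls back to the Guest VLAN until a link down or Admin State change clears the history.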
Port State
The current state of the port. It can take one of the following values:
Globally Disabled: NAS is globally disabled.
Link Down: NAS is globally enabled, but there is no link on the port.
Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant is
authorized.
Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the
supplicant is not successfully authorized by the RADIUS server.
X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized
and Y are unauthorized.
Restart
Two buttons are available for each row. The buttons are only enabled when authentication is
globally enabled and the port's Admin State is in an EAPOL-based or MAC-based mode.
Clicking these buttons will not cause settings changed on the page to take effect.
Reauthenticate: Schedules a re-authentication whenever the quiet-period of the port runs
out (EAPOL-based authentication). For MAC-based authentication, re-authentication will be
attempted immediately.
The button only has effect for successfully authenticated clients on the port and will not cause
the clients to get temporarily unauthorized.
Reinitialize: Forces a re-initialization of the clients on the port and thereby a re-authentication
immediately. The clients will transfer to the unauthorized state while the re-authentication is in
progress.
Buttons
Refresh: Click to refresh the page.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.4.2.3. Security / Network / Access Control List Configuration
Configure the ACL parameters (ACE) of each switch port. These port settings act as the default
for frames received on the port; a frame that matches a specific ACE is handled by that ACE instead.
The settings relate to the currently selected stack unit, as reflected by the page header.
Port
The logical port for the settings contained in the same row.
Policy ID
Select the policy to apply to this port. The allowed values are 0 through 255. The default value is
0.
Action
Select whether forwarding is permitted ("Permit") or denied ("Deny"). The default value is
"Permit".
Rate Limiter ID
Select which rate limiter to apply on this port. The allowed values are Disabled or the values 1
through 16. The default value is "Disabled".
Port Copy
Select which port frames are copied on. The allowed values are Disabled or a specific port
number. The default value is "Disabled".
Mirror
Specify the mirror operation of this port. The allowed values are:
Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
Logging
Specify the logging operation of this port. The allowed values are:
Enabled: Frames received on the port are stored in the System Log.
Disabled: Frames received on the port are not logged.
The default value is "Disabled". Please note that the System Log memory size and logging rate is
limited.
Shutdown
Specify the port shut down operation of this port. The allowed values are:
Enabled: If a frame is received on the port, the port will be disabled.
Disabled: Port shut down is disabled.
The default value is "Disabled".
Counter
Counts the number of frames that match this ACE.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Refresh: Click to refresh the page. Any changes made locally will be undone.
Clear: Click to clear the counter.
ACL Rate Limiters Configuration
Configure the rate limiters for the ACL of the switch.
Rate Limiter ID
The rate limiter ID for the settings contained in the same row.
Rate
The allowed values are 0 to 3276700 in pps, or 0, 100, 200, 300, …, 1000000 in kbps (multiples
of 100).
Unit
Specify the rate unit. The allowed values are:
pps: packets per second.
kbps: Kbits per second.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Access Control List Configuration
This page shows the Access Control List (ACL), which is made up of the ACEs defined on this
switch. Each row describes the ACE that is defined. The maximum number of ACEs is 256 on
each switch.
Click on the lowest plus sign to add a new ACE to the list. The reserved ACEs used for internal
protocols cannot be edited or deleted, their position in the list cannot be changed, and they have
the highest priority.
Ingress Port
Indicates the ingress port of the ACE. Possible values are:
All: The ACE will match all ingress ports.
Port: The ACE will match a specific ingress port.
Policy / Bitmask
Indicates the policy number and bitmask of the ACE.
Frame Type
Indicates the frame type of the ACE. Possible values are:
Any: The ACE will match any frame type.
EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE will
not get matched by IP and ARP frames.
ARP: The ACE will match ARP/RARP frames.
IPv4: The ACE will match all IPv4 frames.
IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol.
IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP.
IPv6: The ACE will match all IPv6 standard frames.
Action
Indicates the forwarding action of the ACE.
Permit: Frames matching the ACE may be forwarded and learned.
Deny: Frames matching the ACE are dropped.
Rate Limiter
Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled is
displayed, the rate limiter operation is disabled.
Port Copy
Indicates the port copy operation of the ACE. Frames matching the ACE are copied to the port
number. The allowed values are Disabled or a specific port number. When Disabled is
displayed, the port copy operation is disabled.
Mirror
Specify the mirror operation of this port. Frames matching the ACE are mirrored to the
destination mirror port. The allowed values are:
Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
Counter
The counter indicates the number of times the ACE was hit by a frame.
Modification Buttons
You can modify each ACE (Access Control Entry) in the table using the following buttons:
Insert: Inserts a new ACE before the current row.
Edit: Edits the ACE row.
Move up: Moves the ACE up the list.
Move down: Moves the ACE down the list.
Delete: Deletes the ACE.
Add: The lowest plus sign adds a new entry at the bottom of the ACE listings.
Buttons
Auto-refresh: Check this box to refresh the page automatically. Automatic refresh occurs at
regular intervals.
Refresh: Click to refresh the page. Note that non-committed changes will be lost.
Clear: Click to clear the counter.
Remove All: Click to remove all ACEs.
ACE Configuration
Configure an ACE (Access Control Entry) on this page.
An ACE consists of several parameters. These parameters vary according to the frame type that
you select. First select the ingress port for the ACE, and then select the frame type. Different
parameter options are displayed depending on the frame type selected.
A frame that hits this ACE matches the configuration that is defined here.
Ingress Port
Select the ingress port for which this ACE applies.
All: The ACE applies to all ports.
Port n: The ACE applies to this port number, where n is the number of the switch port. You can
select one port or select multiple ports for the entry.
Policy Filter
Specify the policy number filter for this ACE. The ACE only applies to frames received on ports
whose Policy ID (set on the Access Control List Configuration page) matches the policy value
under the bitmask given here.
Any: No policy filter is specified. (Policy filter status is "don't-care".)
Specific: If you want to filter a specific policy with this ACE, choose this value. Two fields for
entering a policy value and bitmask appear.
Policy Value
When "Specific" is selected for the policy filter, you can enter a specific policy value. The
allowed range is 0 to 255.
Policy Bitmask
When "Specific" is selected for the policy filter, you can enter a specific policy bitmask. The
allowed range is 0x0 to 0xff.
Switch
Select the switch to which this ACE applies. This parameter is reserved for stacking models. If
the switch doesn't support stacking, the parameter is not displayed here.
Any: The ACE applies to any switch in the stack.
Switch n: The ACE applies to this switch number, where n is the number of the switch.
Frame Type
Select the frame type for this ACE. These frame types are mutually exclusive.
Any: Any frame can match this ACE.
Ethernet Type: Only Ethernet Type frames can match this ACE. IEEE 802.3 defines the
Length/Type field as an EtherType when its value is greater than or equal to 1536 decimal
(0x0600); smaller values are an 802.3 length and carry no EtherType.
ARP: Only ARP frames can match this ACE. Notice the ARP frames won't match the ACE with
Ethernet type.
IPv4: Only IPv4 frames can match this ACE. Notice the IPv4 frames won't match the ACE with
Ethernet type.
IPv6: Only IPv6 frames can match this ACE. Notice the IPv6 frames won't match the ACE with
Ethernet type.
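A classifier that applies the Frame Type rules listed here (and in the ACL table description above) to raw frames, as an added example and not vendor code: it reads the Length/Type field, applies the 0x0600 boundary, puts ARP/RARP, IPv4 (split by IP protocol) and IPv6 into their own buckets, and shows why an "Ethernet Type" ACE with EtherType value 0x0800 never hits IPv4 traffic. Handling of one 802.1Q tag and all sample frames are my additions.

```python
"""Sort a raw Ethernet frame into the Frame Type buckets the ACE pages use.

Added example, not vendor code. The rules come from the manual: the Length/Type
field is an EtherType only when it is >= 0x0600 (1536); ARP/RARP, IPv4 and IPv6
are separate buckets, so an "Ethernet Type" ACE never matches them; IPv4 is split
into ICMP, UDP, TCP and Other by the IP Protocol field. Treatment of a single
802.1Q tag and all sample frames are my additions.
"""
import struct
from typing import NamedTuple, Optional

ETH_P_8021Q, ETH_P_ARP, ETH_P_RARP = 0x8100, 0x0806, 0x8035
ETH_P_IPV4, ETH_P_IPV6 = 0x0800, 0x86DD
IPV4_BUCKET = {1: "IPv4/ICMP", 6: "IPv4/TCP", 17: "IPv4/UDP"}


class Classified(NamedTuple):
    frame_type: str        # bucket name as shown in the ACE table
    tagged: bool           # 802.1Q tag present (the "802.1Q Tagged" ACE parameter)
    length_type: int       # raw Length/Type value after any tag


def classify(frame: bytes) -> Classified:
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tagged = 12, False
    (length_type,) = struct.unpack_from("!H", frame, offset)
    if length_type == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tagged, offset = True, 16
        (length_type,) = struct.unpack_from("!H", frame, offset)
    payload = offset + 2
    if length_type < 0x0600:
        # 802.3 length field, LLC follows: no EtherType, so only a Frame Type "Any"
        # ACE can match it.
        return Classified("Length (802.3/LLC)", tagged, length_type)
    if length_type in (ETH_P_ARP, ETH_P_RARP):
        return Classified("ARP", tagged, length_type)
    if length_type == ETH_P_IPV6:
        return Classified("IPv6", tagged, length_type)
    if length_type == ETH_P_IPV4:
        if len(frame) < payload + 20:
            raise ValueError("truncated IPv4 header")
        return Classified(IPV4_BUCKET.get(frame[payload + 9], "IPv4/Other"), tagged, length_type)
    return Classified("EType", tagged, length_type)


def matches_etype_ace(frame: bytes, ethertype: Optional[int] = None) -> bool:
    """Frame Type "Ethernet Type" ACE with EtherType Filter Any or Specific. A value
    of 0x0800 or 0x0806 can never hit: those frames sit in the IPv4 and ARP buckets,
    which is the note on the Frame Type field above."""
    c = classify(frame)
    return c.frame_type == "EType" and (ethertype is None or c.length_type == ethertype)


def build_frame(dmac: bytes, smac: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    tag = struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dmac + smac + tag + struct.pack("!H", ethertype) + payload


def ipv4_header(protocol: int) -> bytes:
    """Minimal constructed IPv4 header (TTL 64, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, protocol, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))


# Constructed sample frames.
SRC, DST, BCAST = bytes.fromhex("0200c0a80a0a"), bytes.fromhex("0200c0a80a01"), b"\xff" * 6
SAMPLES = {
    "arp":        build_frame(BCAST, SRC, ETH_P_ARP, bytes(28)),
    "tcp_tagged": build_frame(DST, SRC, ETH_P_IPV4, ipv4_header(6) + bytes(20), vid=100),
    "icmp":       build_frame(DST, SRC, ETH_P_IPV4, ipv4_header(1) + bytes(8)),
    "gre":        build_frame(DST, SRC, ETH_P_IPV4, ipv4_header(47) + bytes(4)),
    "ipv6":       build_frame(DST, SRC, ETH_P_IPV6, bytes(40)),
    "lldp":       build_frame(bytes.fromhex("0180c200000e"), SRC, 0x88CC, bytes(4)),
    "llc":        DST + SRC + struct.pack("!H", 0x0026) + bytes(38),   # length, not type
}
```

The practical consequence for rule writing: to drop or rate-limit IP traffic you must use the IPv4 or IPv6 frame types, and to catch ARP you must use ARP; an "Ethernet Type" entry only ever sees protocols such as LLDP or vendor discovery frames that have no dedicated bucket.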
Action
Specify the action to take with a frame that hits this ACE.
Permit: The frame that hits this ACE is granted permission for the ACE operation.
Deny: The frame that hits this ACE is dropped.
Rate Limiter
Specify the rate limiter in number of base units. The allowed range is 1 to 16. Disabled
indicates that the rate limiter operation is disabled.
Port Copy
Frames that hit the ACE are copied to the port number specified here. The allowed range is the
same as the switch port number range. Disabled indicates that the port copy operation is
disabled.
Mirror
Specify the mirror operation of this port. Frames matching the ACE are mirrored to the
destination mirror port. The allowed values are:
Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
Logging
Specify the logging operation of the ACE. The allowed values are:
Enabled: Frames matching the ACE are stored in the System Log.
Disabled: Frames matching the ACE are not logged.
Please note that the System Log memory size and logging rate is limited.
Shutdown
Specify the port shut down operation of the ACE. The allowed values are:
Enabled: If a frame matches the ACE, the ingress port will be disabled.
Disabled: Port shut down is disabled for the ACE.
Counter
The counter indicates the number of times the ACE was hit by a frame.
MAC Parameters
SMAC Filter
(Only displayed when the frame type is Ethernet Type or ARP.)
Specify the source MAC filter for this ACE.
Any: No SMAC filter is specified. (SMAC filter status is "don't-care".)
Specific: If you want to filter a specific source MAC address with this ACE, choose this value. A
field for entering an SMAC value appears.
SMAC Value
When "Specific" is selected for the SMAC filter, you can enter a specific source MAC address. The
legal format is "xx-xx-xx-xx-xx-xx". A frame that hits this ACE matches this SMAC value.
DMAC Filter
Specify the destination MAC filter for this ACE.
Any: No DMAC filter is specified. (DMAC filter status is "don't-care".)
MC: Frame must be multicast.
BC: Frame must be broadcast.
UC: Frame must be unicast.
Specific: If you want to filter a specific destination MAC address with this ACE, choose this value.
A field for entering a DMAC value appears.
DMAC Value
When "Specific" is selected for the DMAC filter, you can enter a specific destination MAC
address. The legal format is "xx-xx-xx-xx-xx-xx". A frame that hits this ACE matches this DMAC
value.
VLAN Parameters
802.1Q Tagged
Specify whether frames can hit the ACE according to whether they carry an 802.1Q tag. The
allowed values are:
Any: Any value is allowed ("don't-care").
Enabled: Tagged frames only.
Disabled: Untagged frames only.
The default value is "Any".
VLAN ID Filter
Specify the VLAN ID filter for this ACE.
Any: No VLAN ID filter is specified. (VLAN ID filter status is "don't-care".)
Specific: If you want to filter a specific VLAN ID with this ACE, choose this value. A field for
entering a VLAN ID number appears.
VLAN ID
When "Specific" is selected for the VLAN ID filter, you can enter a specific VLAN ID number. The
allowed range is 1 to 4095. A frame that hits this ACE matches this VLAN ID value.
Tag Priority
Specify the tag priority for this ACE. A frame that hits this ACE matches this tag priority. The
allowed number range is 0 to 7. The value Any means that no tag priority is specified (tag
priority is "don't-care".)
ARP Parameters
The ARP parameters can be configured when Frame Type "ARP" is selected.
ARP/RARP
Specify the available ARP/RARP opcode (OP) flag for this ACE.
Any: No ARP/RARP OP flag is specified. (OP is "don't-care".)
ARP: Frame must have ARP/RARP opcode set to ARP.
RARP: Frame must have ARP/RARP opcode set to RARP.
Other: Frame has unknown ARP/RARP Opcode flag.
Request/Reply
Specify the available ARP/RARP opcode (OP) flag for this ACE.
Any: No ARP/RARP OP flag is specified. (OP is "don't-care".)
Request: Frame must have ARP Request or RARP Request OP flag set.
Reply: Frame must have ARP Reply or RARP Reply OP flag.
Sender IP Filter
Specify the sender IP filter for this ACE.
Any: No sender IP filter is specified. (Sender IP filter is "don't-care".)
Host: Sender IP filter is set to Host. Specify the sender IP address in the SIP Address field that
appears.
Network: Sender IP filter is set to Network. Specify the sender IP address and sender IP mask in
the SIP Address and SIP Mask fields that appear.
Sender IP Address
When "Host" or "Network" is selected for the sender IP filter, you can enter a specific sender IP
address in dotted decimal notation.
Sender IP Mask
When "Network" is selected for the sender IP filter, you can enter a specific sender IP mask in
dotted decimal notation.
Target IP Filter
Specify the target IP filter for this specific ACE.
Any: No target IP filter is specified. (Target IP filter is "don't-care".)
Host: Target IP filter is set to Host. Specify the target IP address in the Target IP Address field
that appears.
Network: Target IP filter is set to Network. Specify the target IP address and target IP mask in
the Target IP Address and Target IP Mask fields that appear.
Target IP Address
When "Host" or "Network" is selected for the target IP filter, you can enter a specific target IP
address in dotted decimal notation.
Target IP Mask
When "Network" is selected for the target IP filter, you can enter a specific target IP mask in
dotted decimal notation.
ARP SMAC Match
Specify whether frames can hit the action according to their sender hardware address field (SHA)
settings.
0: ARP frames where SHA is not equal to the SMAC address.
1: ARP frames where SHA is equal to the SMAC address.
Any: Any value is allowed ("don't-care").
RARP DMAC Match
Specify whether frames can hit the action according to their target hardware address field (THA)
settings.
0: RARP frames where THA is not equal to the DMAC address.
1: RARP frames where THA is equal to the DMAC address.
Any: Any value is allowed ("don't-care").
IP/Ethernet Length
Specify whether frames can hit the action according to their ARP/RARP hardware address length
(HLN) and protocol address length (PLN) settings.
0: ARP/RARP frames where the HLN is not equal to Ethernet (0x06) or the (PLN) is not equal to
IPv4 (0x04).
1: ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the (PLN) is equal to IPv4
(0x04).
Any: Any value is allowed ("don't-care").
IP
Specify whether frames can hit the action according to their ARP/RARP hardware address space
(HRD) settings.
0: ARP/RARP frames where the HRD is not equal to Ethernet (1).
1: ARP/RARP frames where the HRD is equal to Ethernet (1).
Any: Any value is allowed ("don't-care").
Ethernet
Specify whether frames can hit the action according to their ARP/RARP protocol address space
(PRO) settings.
0: ARP/RARP frames where the PRO is not equal to IP (0x800).
1: ARP/RARP frames where the PRO is equal to IP (0x800).
Any: Any value is allowed ("don't-care").
IP Parameters
The IP parameters can be configured when Frame Type "IPv4" is selected.
IP Protocol Filter
Specify the IP protocol filter for this ACE.
Any: No IP protocol filter is specified ("don't-care").
Specific: If you want to filter a specific IP protocol filter with this ACE, choose this value. A field
for entering an IP protocol filter appears.
ICMP: Select ICMP to filter IPv4 ICMP protocol frames. Extra fields for defining ICMP parameters
will appear. These fields are explained later in this help file.
UDP: Select UDP to filter IPv4 UDP protocol frames. Extra fields for defining UDP parameters will
appear. These fields are explained later in this help file.
TCP: Select TCP to filter IPv4 TCP protocol frames. Extra fields for defining TCP parameters will
appear. These fields are explained later in this help file.
IP Protocol Value
When "Specific" is selected for the IP protocol value, you can enter a specific value. The allowed
range is 0 to 255. A frame that hits this ACE matches this IP protocol value.
IP TTL
Specify the Time-to-Live settings for this ACE.
zero: IPv4 frames with a Time-to-Live field greater than zero must not be able to match this
entry.
non-zero: IPv4 frames with a Time-to-Live field greater than zero must be able to match this
entry.
Any: Any value is allowed ("don't-care").
IP Fragment
Specify the fragment offset settings for this ACE. This involves the settings for the More
Fragments (MF) bit and the Fragment Offset (FRAG OFFSET) field for an IPv4 frame.
No: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must not
be able to match this entry.
Yes: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must be
able to match this entry.
Any: Any value is allowed ("don't-care").
IP Option
Specify the options flag setting for this ACE.
No: IPv4 frames where the options flag is set must not be able to match this entry.
Yes: IPv4 frames where the options flag is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
SIP Filter
Specify the source IP filter for this ACE.
Any: No source IP filter is specified. (Source IP filter is "don't-care".)
Host: Source IP filter is set to Host. Specify the source IP address in the SIP Address field that
appears.
Network: Source IP filter is set to Network. Specify the source IP address and source IP mask in
the SIP Address and SIP Mask fields that appear.
SIP Address
When "Host" or "Network" is selected for the source IP filter, you can enter a specific SIP
address in dotted decimal notation.
SIP Mask
When "Network" is selected for the source IP filter, you can enter a specific SIP mask in dotted
decimal notation.
DIP Filter
Specify the destination IP filter for this ACE.
Any: No destination IP filter is specified. (Destination IP filter is "don't-care".)
Host: Destination IP filter is set to Host. Specify the destination IP address in the DIP Address
field that appears.
Network: Destination IP filter is set to Network. Specify the destination IP address and
destination IP mask in the DIP Address and DIP Mask fields that appear.
DIP Address
When "Host" or "Network" is selected for the destination IP filter, you can enter a specific DIP
address in dotted decimal notation.
DIP Mask
When "Network" is selected for the destination IP filter, you can enter a specific DIP mask in
dotted decimal notation.
ICMP Parameters
ICMP Type Filter
Specify the ICMP filter for this ACE.
Any: No ICMP filter is specified (ICMP filter status is "don't-care").
Specific: If you want to filter a specific ICMP filter with this ACE, you can enter a specific ICMP
value. A field for entering an ICMP value appears.
ICMP Type Value
When "Specific" is selected for the ICMP filter, you can enter a specific ICMP type value. The
allowed range is 0 to 255. A frame that hits this ACE matches this ICMP type value.
ICMP Code Filter
Specify the ICMP code filter for this ACE.
Any: No ICMP code filter is specified (ICMP code filter status is "don't-care").
Specific: If you want to filter a specific ICMP code filter with this ACE, you can enter a specific
ICMP code value. A field for entering an ICMP code value appears.
ICMP Code Value
When "Specific" is selected for the ICMP code filter, you can enter a specific ICMP code value.
The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP code value.
TCP/UDP Parameters
TCP/UDP Source Filter
Specify the TCP/UDP source filter for this ACE.
Any: No TCP/UDP source filter is specified (TCP/UDP source filter status is "don't-care").
Specific: If you want to filter a specific TCP/UDP source filter with this ACE, you can enter a
specific TCP/UDP source value. A field for entering a TCP/UDP source value appears.
Range: If you want to filter a range of TCP/UDP source ports with this ACE, choose this value.
Fields for entering the TCP/UDP source range appear.
TCP/UDP Source No.
When "Specific" is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP
source value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP
source value.
TCP/UDP Source Range
When "Range" is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source
range value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP
source value.
TCP/UDP Destination Filter
Specify the TCP/UDP destination filter for this ACE.
Any: No TCP/UDP destination filter is specified (TCP/UDP destination filter status is "don't-care").
Specific: If you want to filter a specific TCP/UDP destination filter with this ACE, you can enter a
specific TCP/UDP destination value. A field for entering a TCP/UDP destination value appears.
Range: If you want to filter a range of TCP/UDP destination ports with this ACE, choose this
value. Fields for entering the TCP/UDP destination range appear.
TCP/UDP Destination Number
When "Specific" is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP
destination value. The allowed range is 0 to 65535. A frame that hits this ACE matches this
TCP/UDP destination value.
TCP/UDP Destination Range
When "Range" is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP
destination range value. The allowed range is 0 to 65535. A frame that hits this ACE matches
this TCP/UDP destination value.
TCP FIN
Specify the TCP "No more data from sender" (FIN) value for this ACE.
0: TCP frames where the FIN field is set must not be able to match this entry.
1: TCP frames where the FIN field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP SYN
Specify the TCP "Synchronize sequence numbers" (SYN) value for this ACE.
0: TCP frames where the SYN field is set must not be able to match this entry.
1: TCP frames where the SYN field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP RST
Specify the TCP "Reset the connection" (RST) value for this ACE.
0: TCP frames where the RST field is set must not be able to match this entry.
1: TCP frames where the RST field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP PSH
Specify the TCP "Push Function" (PSH) value for this ACE.
0: TCP frames where the PSH field is set must not be able to match this entry.
1: TCP frames where the PSH field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP ACK
Specify the TCP "Acknowledgment field significant" (ACK) value for this ACE.
0: TCP frames where the ACK field is set must not be able to match this entry.
1: TCP frames where the ACK field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP URG
Specify the TCP "Urgent Pointer field significant" (URG) value for this ACE.
0: TCP frames where the URG field is set must not be able to match this entry.
1: TCP frames where the URG field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
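The following is an added example (not the switch's own code) that models how the TCP/UDP port filters (Any/Specific/Range) and the TCP flag fields (0/1/Any) described above decide whether a frame hits an ACE. The ACE and frame structures, and the sample management-port ACE, are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

# Constructed model of the ACE fields described above (added example code,
# not the switch's own implementation).
# Port filter: None = "Any", int = "Specific", (low, high) tuple = "Range".
# Flag filter: None = "Any", 1 = the flag must be set, 0 = frames with the
#              flag set must not match (the flag must be clear).
PortFilter = Union[None, int, Tuple[int, int]]
FlagFilter = Optional[int]
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

@dataclass(frozen=True)
class TcpAce:
    sport: PortFilter = None
    dport: PortFilter = None
    fin: FlagFilter = None
    syn: FlagFilter = None
    rst: FlagFilter = None
    psh: FlagFilter = None
    ack: FlagFilter = None
    urg: FlagFilter = None

@dataclass(frozen=True)
class TcpFrame:
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of TCP_FLAGS set in the header

def _checked_port(value: int) -> int:
    # The UI only accepts port values in the allowed range 0 to 65535.
    if not 0 <= value <= 65535:
        raise ValueError(f"port {value} outside allowed range 0-65535")
    return value

def port_hit(flt: PortFilter, port: int) -> bool:
    if flt is None:                      # Any: don't-care
        return True
    if isinstance(flt, tuple):           # Range: inclusive low..high
        return _checked_port(flt[0]) <= port <= _checked_port(flt[1])
    return port == _checked_port(flt)    # Specific

def flag_hit(flt: FlagFilter, is_set: bool) -> bool:
    return True if flt is None else is_set == (flt == 1)

def ace_hits(ace: TcpAce, frame: TcpFrame) -> bool:
    """A frame hits the ACE only when every configured field matches."""
    if not (port_hit(ace.sport, frame.sport) and port_hit(ace.dport, frame.dport)):
        return False
    return all(flag_hit(getattr(ace, f), f in frame.flags) for f in TCP_FLAGS)

# Constructed sample: an ACE for new connection attempts (SYN set, ACK clear) to ports 22-23.
MGMT_SYN_ACE = TcpAce(dport=(22, 23), syn=1, ack=0)
SYN_TO_SSH = TcpFrame(sport=40000, dport=22, flags=frozenset({"syn"}))
ESTABLISHED_SSH = TcpFrame(sport=40000, dport=22, flags=frozenset({"ack", "psh"}))
```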
Ethernet Type Parameters
The Ethernet Type parameters can be configured when Frame Type "Ethernet Type" is selected.
EtherType Filter
Specify the Ethernet type filter for this ACE.
Any: No EtherType filter is specified (EtherType filter status is "don't-care").
Specific: If you want this ACE to filter on a specific EtherType, select this option. A field for
entering an EtherType value appears.
Ethernet Type Value
When "Specific" is selected for the EtherType filter, you can enter a specific EtherType value.
The allowed range is 0x600 to 0xFFFF, excluding 0x800 (IPv4), 0x806 (ARP) and 0x86DD (IPv6).
A frame that hits this ACE matches this EtherType value.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Cancel: Return to the previous page.
4.4.2.4. Switch / Network / DHCP Configuration
DHCP Snooping Configuration
Configure DHCP Snooping on this page.
Snooping Mode
Indicates the DHCP snooping mode operation. Possible modes are:
Enabled: Enable DHCP snooping mode operation. When DHCP snooping is enabled, DHCP request
messages are forwarded to trusted ports, and DHCP reply packets are accepted only from trusted
ports.
Disabled: Disable DHCP snooping mode operation.
Port Mode
Indicates the DHCP snooping port mode. Possible port modes are:
Trusted: Configures the port as a trusted source of DHCP messages.
Untrusted: Configures the port as an untrusted source of DHCP messages.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
DHCP Relay Configuration
Configure DHCP Relay on this page.
Relay Mode
Indicates the DHCP relay mode operation. Possible modes are:
Enabled: Enable DHCP relay mode operation. When DHCP relay is enabled, the agent forwards and
transfers DHCP messages between the clients and the server when they are not in the same
subnet domain. For security reasons, the DHCP broadcast message is not flooded.
Disabled: Disable DHCP relay mode operation.
Relay Server
Indicates the DHCP relay server IP address. A DHCP relay agent is used to forward and to transfer
DHCP messages between the clients and the server when they are not in the same subnet
domain.
Relay Information Mode
Indicates the DHCP relay information (option 82) mode operation. The option 82 circuit ID has
the format "[vlan_id][module_id][port_no]": the first four characters represent the VLAN ID, the
fifth and sixth characters are the module ID (always 0 on a standalone device; the switch ID on a
stackable device), and the last two characters are the port number. For example, "00030108"
means the DHCP message was received from VLAN ID 3, switch ID 1, port No. 8. The option 82
remote ID value is equal to the switch MAC address.
Possible modes are:
Enabled: Enable DHCP relay information mode operation. When DHCP relay information mode
operation is enabled, the agent inserts specific information (option 82) into a DHCP message
when forwarding it to the DHCP server and removes it from a DHCP message when transferring
it to the DHCP client. It only works when DHCP relay operation mode is enabled.
Disabled: Disable DHCP relay information mode operation.
Relay Information Policy
Indicates the DHCP relay information option policy. When DHCP relay information mode
operation is enabled and the agent receives a DHCP message that already contains relay agent
information, it enforces this policy. It only works when DHCP relay information operation mode
is enabled. Possible policies are:
Replace: Replace the original relay information when a DHCP message that already contains it
is received.
Keep: Keep the original relay information when a DHCP message that already contains it is
received.
Drop: Drop the packet when a DHCP message that already contains relay information is
received.
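The following is an added example (not the switch's firmware) that builds and parses the option 82 circuit ID format given under Relay Information Mode and applies the Replace/Keep/Drop policy above to a message that already carries relay agent information. It assumes each circuit ID field is a zero-padded hexadecimal number (the manual's sample "00030108" reads the same way either way) and uses a constructed dict in place of a real DHCP message.

```python
import re
from typing import Dict, Optional

# Added example, not the switch's firmware: builds and parses the option 82
# circuit ID "[vlan_id][module_id][port_no]" (4 + 2 + 2 characters) described
# above, and applies the relay information policy to a message that already
# carries option 82. Assumption: each field is a zero-padded hexadecimal
# number, which reads the manual's sample "00030108" as VLAN 3, switch 1, port 8.
CIRCUIT_ID_RE = re.compile(r"^([0-9A-Fa-f]{4})([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})$")
POLICIES = ("replace", "keep", "drop")

def build_circuit_id(vlan_id: int, module_id: int, port_no: int) -> str:
    if not (1 <= vlan_id <= 4095 and 0 <= module_id <= 0xFF and 1 <= port_no <= 0xFF):
        raise ValueError("circuit ID field out of range")
    return f"{vlan_id:04X}{module_id:02X}{port_no:02X}"

def parse_circuit_id(circuit_id: str) -> Dict[str, int]:
    m = CIRCUIT_ID_RE.match(circuit_id)
    if m is None:
        raise ValueError(f"malformed circuit ID {circuit_id!r}")
    vlan_id, module_id, port_no = (int(g, 16) for g in m.groups())
    return {"vlan_id": vlan_id, "module_id": module_id, "port_no": port_no}

def relay_to_server(msg: dict, policy: str, switch_mac: str, vlan_id: int,
                    port_no: int, module_id: int = 0,
                    info_mode: bool = True) -> Optional[dict]:
    """Message the relay agent forwards to the server, or None when dropped.

    msg is a constructed dict standing in for a client DHCP message; an
    existing "option82" key means a downstream agent already tagged it.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    out = dict(msg)
    if not info_mode:            # relay information mode disabled: forward as-is
        return out
    own = {"circuit_id": build_circuit_id(vlan_id, module_id, port_no),
           "remote_id": switch_mac}   # remote ID = the switch MAC address
    if "option82" in msg:
        if policy == "drop":
            return None
        if policy == "keep":
            return out
    out["option82"] = own            # no option 82 yet, or policy "replace"
    return out

def relay_to_client(msg: dict) -> dict:
    """Strip option 82 before the server's reply is transferred to the client."""
    out = dict(msg)
    out.pop("option82", None)
    return out
```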
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.4.2.5. IP Source Guard Configuration
IP Source Guard Configuration
This page provides IP Source Guard related configuration.
Mode of IP Source Guard Configuration
Enable or disable the Global IP Source Guard. All configured ACEs will be lost when the mode is
enabled.
Port Mode Configuration
Specify on which ports IP Source Guard is enabled. IP Source Guard is enabled on a given port
only when both Global Mode and the Port Mode of that port are enabled.
Max Dynamic Clients
Specify the maximum number of dynamic clients that can be learned on a given port. This value
can be 0, 1, 2 or unlimited. If the port mode is enabled and the maximum number of dynamic
clients is 0, only IP packets that match static entries on that port are forwarded.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Translate dynamic to static: Click to translate all dynamic entries to static entries.
Static IP Source Guard Table
Delete
Check to delete the entry. It will be deleted during the next save.
Port
The logical port for the settings.
VLAN ID
The VLAN ID for the settings.
IP Address
Allowed Source IP address.
MAC address
Allowed Source MAC address.
Adding new entry
Click to add a new entry to the Static IP Source Guard table. Specify the Port, VLAN ID, IP
address, and IP Mask for the new entry. Click "Save".
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.4.2.6. ARP Inspection
ARP Inspection
This page provides ARP Inspection related configuration.
Mode of ARP Inspection Configuration
Enable or disable the Global ARP Inspection.
Port Mode Configuration
Specify on which ports ARP Inspection is enabled. ARP Inspection is enabled on a given port only
when both Global Mode and the Port Mode of that port are enabled.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Translate dynamic to static: Click to translate all dynamic entries to static entries.
Static ARP Inspection Table
Delete
Check to delete the entry. It will be deleted during the next save.
Port
The logical port for the settings.
VLAN ID
The VLAN ID for the settings.
MAC Address
Allowed Source MAC address in ARP request packets.
IP Address
Allowed Source IP address in ARP request packets.
Adding new entry
Click to add a new entry to the Static ARP Inspection table. Specify the Port, VLAN ID, MAC
address, and IP address for the new entry. Click "Save".
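The following is an added example (not the switch's implementation) of the per-port binding check that both IP Source Guard (4.4.2.5) and ARP Inspection (4.4.2.6) perform: on a guarded port, an IP packet's source IP/MAC, or an ARP request's sender MAC/IP, is accepted only if it matches a static entry or a dynamically learned one, with the "Max Dynamic Clients" limit and the "Translate dynamic to static" action included. The class name and all bindings are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added example (not the switch's implementation) of the per-port binding
# check that IP Source Guard (4.4.2.5) and ARP Inspection (4.4.2.6) apply:
# a frame on a guarded port is forwarded only if its (port, VLAN, IP, MAC)
# matches a static entry or a dynamically learned one. The same class is
# used for both features; "max dynamic clients" applies to IP Source Guard.
Binding = Tuple[int, int, str, str]  # (port, vlan_id, ip, mac), constructed values

@dataclass
class BindingGuard:
    global_enabled: bool = True
    port_enabled: Set[int] = field(default_factory=set)
    # per-port limit on dynamic clients: 0, 1, 2 or None for "unlimited"
    max_dynamic: Dict[int, Optional[int]] = field(default_factory=dict)
    static: Set[Binding] = field(default_factory=set)
    dynamic: Set[Binding] = field(default_factory=set)

    def guarding(self, port: int) -> bool:
        # Enforced only when both Global Mode and this port's Port Mode are on.
        return self.global_enabled and port in self.port_enabled

    def learn(self, binding: Binding) -> bool:
        """Add a dynamically learned entry; refused beyond the port's limit (default 0)."""
        port = binding[0]
        limit = self.max_dynamic.get(port, 0)
        if limit is not None and sum(1 for b in self.dynamic if b[0] == port) >= limit:
            return False
        self.dynamic.add(binding)
        return True

    def allow(self, port: int, vlan_id: int, ip: str, mac: str) -> bool:
        """IP Source Guard: source IP/MAC of an IP packet.
        ARP Inspection: sender MAC/IP of an ARP request."""
        if not self.guarding(port):
            return True
        binding = (port, vlan_id, ip, mac)
        return binding in self.static or binding in self.dynamic

    def translate_dynamic_to_static(self) -> int:
        """The "Translate dynamic to static" button: returns how many entries moved."""
        moved = len(self.dynamic)
        self.static |= self.dynamic
        self.dynamic.clear()
        return moved
```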
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.4.3. Security / AAA Authentication Server Configuration
This page allows you to configure the Authentication Servers.
Common Server Configuration
These settings are common for all of the Authentication Servers.
Timeout
The Timeout, which can be set to a number between 3 and 3600 seconds, is the maximum time to
wait for a reply from a server. If the server does not reply within this timeframe, we will consider
it to be dead and continue with the next enabled server (if any).
RADIUS servers use the UDP protocol, which is unreliable by design. In order to cope with lost
frames, the timeout interval is divided into 3 subintervals of equal length. If a reply is not
received within a subinterval, the request is transmitted again. This algorithm causes the
RADIUS server to be queried up to 3 times before it is considered to be dead.
Dead Time
The Dead Time, which can be set to a number between 0 and 3600 seconds, is the period during
which the switch will not send new requests to a server that has failed to respond to a previous
request. This will stop the switch from continually trying to contact a server that it has already
determined as dead.
Setting the Dead Time to a value greater than 0 (zero) will enable this feature, but only if more
than one server has been configured.
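The following is an added example (not the switch's code) of the Timeout and Dead Time behaviour described above: three transmissions spaced one subinterval apart, a server marked dead after staying silent for the whole Timeout, and the Dead Time applied only when more than one server is configured. The `send` hook, the server records and the timestamps are constructed stand-ins for the real UDP exchange.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example (not the switch's code) of the Timeout and Dead Time rules
# described above: the Timeout is split into three equal subintervals, the
# request is (re)transmitted at the start of each, a server silent for the
# whole Timeout is considered dead, and, when more than one server is
# configured and Dead Time > 0, it is skipped for Dead Time seconds.
TRANSMISSIONS = 3

@dataclass
class AuthServer:
    host: str
    port: int = 1812          # RADIUS authentication default; 1813 for accounting
    dead_until: float = 0.0   # absolute time until which the server is skipped

def retransmit_offsets(timeout: float) -> List[float]:
    """Seconds after the first send at which each of the 3 transmissions goes out."""
    if not 3 <= timeout <= 3600:
        raise ValueError("Timeout must be between 3 and 3600 seconds")
    return [i * timeout / TRANSMISSIONS for i in range(TRANSMISSIONS)]

# send(server, offset) stands in for one UDP request; it returns True when a
# reply arrived before the subinterval ended (constructed hook for the example).
SendFn = Callable[[AuthServer, float], bool]

def query(servers: List[AuthServer], timeout: float, dead_time: float,
          now: float, send: SendFn) -> Optional[AuthServer]:
    """Try enabled servers in order; return the one that answered, else None."""
    for server in servers:
        if server.dead_until > now:      # still inside its Dead Time: skip it
            continue
        # any() stops at the first transmission that gets a reply
        if any(send(server, offset) for offset in retransmit_offsets(timeout)):
            return server
        # Silent through all 3 subintervals: dead. Dead Time only applies when
        # it is > 0 and more than one server is configured.
        if dead_time > 0 and len(servers) > 1:
            server.dead_until = now + dead_time
    return None
```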
RADIUS Authentication Server Configuration
The table has one row for each RADIUS Authentication Server and a number of columns, which
are:
#
The RADIUS Authentication Server number for which the configuration below applies.
Enabled
Enable the RADIUS Authentication Server by checking this box.
IP Address/Hostname
The IP address or hostname of the RADIUS Authentication Server. IP address is expressed in dotted
decimal notation.
Port
The UDP port to use on the RADIUS Authentication Server. If the port is set to 0 (zero), the default
port (1812) is used on the RADIUS Authentication Server.
Secret
The secret - up to 29 characters long - shared between the RADIUS Authentication Server and the
switch.
RADIUS Accounting Server Configuration
The table has one row for each RADIUS Accounting Server and a number of columns, which are:
#
The RADIUS Accounting Server number for which the configuration below applies.
Enabled
Enable the RADIUS Accounting Server by checking this box.
IP Address/Hostname
The IP address or hostname of the RADIUS Accounting Server. IP address is expressed in dotted
decimal notation.
Port
The UDP port to use on the RADIUS Accounting Server. If the port is set to 0 (zero), the default
port (1813) is used on the RADIUS Accounting Server.
Secret
The secret - up to 29 characters long - shared between the RADIUS Accounting Server and the
switch.
TACACS+ Authentication Server Configuration
The table has one row for each TACACS+ Authentication Server and a number of columns, which
are:
#
The TACACS+ Authentication Server number for which the configuration below applies.
Enabled
Enable the TACACS+ Authentication Server by checking this box.
IP Address/Hostname
The IP address or hostname of the TACACS+ Authentication Server. IP address is expressed in
dotted decimal notation.
Port
The TCP port to use on the TACACS+ Authentication Server. If the port is set to 0 (zero), the
default port (49) is used on the TACACS+ Authentication Server.
Secret
The secret - up to 29 characters long - shared between the TACACS+ Authentication Server and
the switch.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.5. Aggregation Configuration
Link Aggregation, also known as Port Trunking, allows the user to use multiple ports in parallel to
increase the link speed beyond the limit of a single port and to increase redundancy for higher
availability. The switch supports both Static and Dynamic (LACP) link aggregation. The switch also
supports different hash mechanisms to distribute traffic according to the MAC address, IP address,
or protocol port number.
4.5.1. Static Aggregation
This page is used to configure the Aggregation hash mode and the aggregation group.
The aggregation hash mode settings are global, whereas the aggregation group relates to the
currently selected stack unit, as reflected by the page header.
Hash Code Contributors
Source MAC Address
The Source MAC address can be used to calculate the destination port for the frame. Check to
enable the use of the Source MAC address, or uncheck to disable. By default, Source MAC Address
is enabled.
Destination MAC Address
The Destination MAC Address can be used to calculate the destination port for the frame. Check
to enable the use of the Destination MAC Address, or uncheck to disable. By default, Destination
MAC Address is disabled.
IP Address
The IP address can be used to calculate the destination port for the frame. Check to enable the
use of the IP Address, or uncheck to disable. By default, IP Address is enabled.
TCP/UDP Port Number
The TCP/UDP port number can be used to calculate the destination port for the frame. Check to
enable the use of the TCP/UDP Port Number, or uncheck to disable. By default, TCP/UDP Port
Number is enabled.
Aggregation Group Configuration
Group ID
Indicates the group ID for the settings contained in the same row. Group ID "Normal" indicates
there is no aggregation. Only one group ID is valid per port.
Port Members
Each switch port is listed for each group ID. Select a radio button to include a port in an
aggregation, or clear the radio button to remove the port from the aggregation. By default, no
ports belong to any aggregation group. Only full duplex ports can join an aggregation, and all
ports in a group must have the same speed.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.5.2. LACP - Dynamic Aggregation
This page allows the user to inspect the current LACP port configurations, and possibly change
them as well.
Port
The switch port number.
LACP Enabled
Controls whether LACP is enabled on this switch port. LACP will form an aggregation when 2 or
more ports are connected to the same partner. LACP can form a maximum of 12 LLAGs per switch
and 2 GLAGs per stack.
Key
The Key value incurred by the port, range 1-65535. The Auto setting sets the key according to
the physical link speed: 10Mb = 1, 100Mb = 2, 1Gb = 3. With the Specific setting, a user-defined
value can be entered. Ports with the same Key value can participate in the same aggregation
group, while ports with different keys cannot.
Role
The Role shows the LACP activity status. An Active port transmits LACP packets each second,
while a Passive port waits for an LACP packet from a partner ("speak if spoken to").
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
4.6. Loop Protection
This page allows the user to inspect the current Loop Protection configuration, and possibly
change it as well. The loop protection feature is important for protecting against unexpected
network loops, especially when the switch is installed facing the Internet. An incorrect
installation, failing media, or an attacker may create a network loop.
With the Loop Protection feature, the switch can shut down the port or log information, per your
configuration, when it detects a network loop. After a port is shut down it may be hard to
re-enable it manually, so a shutdown timeout is provided that re-enables the port link
automatically. The Loop Protection feature helps you avoid this failure and protect your network.
General Settings
Enable Loop Protection
Controls whether loop protection is enabled (as a whole).
Transmission Time
The interval between each loop protection PDU sent on each port. Valid values are 1 to 10
seconds.
Shutdown Time
The period (in seconds) for which a port is kept disabled when a loop is detected (and the port
action shuts down the port). Valid values are 0 to 604800 seconds (7 days). A value of zero keeps
the port disabled until the next device restart.