Page 1
USER MANUAL
L G B11X X S E R I E S
GIGABIT
MANAGED
ENET SWITCH
24/7 TECHNICAL SUPPORT AT 1.877.877.2269 OR VISIT BLACKBOX.COM
Page 2
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TABLE OF CONTENTS
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
REVISION HISTORY .......................................................................................................................................................................... 7
1. INTRODUCTION ............................................................................................................................................................................ 8
1.1 Ove r vie w .................................................................................................................................................................................................... 8
1.2 Available Models ......................................................................................................................................................................................8
1.3 Features ....................................................................................................................................................................................................8
2. OPERATION OF WEB-BASED MANAGEMENT ............................................................................................................................ 9
2.1 Initial Configuration .................................................................................................................................................................................. 9
3. SYSTEM CONFIGURATION ......................................................................................................................................................... 11
3.1 System ..................................................................................................................................................................................................... 11
3.1.1 Info rmation ......................................................................................................................................................................................................... 11
3.1.2 I P ..........................................................................................................................................................................................................................12
3.1.3 N TP ......................................................................................................................................................................................................................14
3.1.4 T ime .....................................................................................................................................................................................................................16
3.1.5 Log ....................................................................................................................................................................................................................... 19
3.2 Green Ethernet ........................................................................................................................................................................................ 20
3.3 Ports Configuration ...............................................................................................................................................................................22
3.3.1 Ports ....................................................................................................................................................................................................................22
3.3.2 Ports Description .............................................................................................................................................................................................24
3.4 DHCP ....................................................................................................................................................................................................... 25
3.4.1 Server ..................................................................................................................................................................................................................25
3.4.1.1 Mode ...........................................................................................................................................................................................................25
3.4.1.2 Excluded IP ................................................................................................................................................................................................26
3.4 .1. 3 Po ol .............................................................................................................................................................................................................27
3.4.2 Snooping ............................................................................................................................................................................................................28
3.4.3 Relay ...................................................................................................................................................................................................................30
3.5 Security ...................................................................................................................................................................................................31
3.5.1 Switch .................................................................................................................................................................................................................31
3.5 .1.1 Use rs ........................................................................................................................................................................................................... 31
3.5.1.2 Privilege Level ...........................................................................................................................................................................................32
3.5.1.3 Authentication Method ...........................................................................................................................................................................33
3.5 .1.4 SSH .............................................................................................................................................................................................................34
3.5.1.5 HTTPs.........................................................................................................................................................................................................35
3.5.1.6 Access Management ..............................................................................................................................................................................36
3.5.1.7 SNMP ..........................................................................................................................................................................................................37
3.5 .1. 8 RM O N .........................................................................................................................................................................................................47
3.5.2 Network ..............................................................................................................................................................................................................51
3.5.2.1 Limit Control .............................................................................................................................................................................................51
3.5.2.2 NAS .............................................................................................................................................................................................................54
3.5.2.3 ACL .............................................................................................................................................................................................................61
3.5.2.4 IP Source Guard .......................................................................................................................................................................................67
3.5.2.5 ARP Inspection .........................................................................................................................................................................................69
2
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 3
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TABLE OF CONTENTS
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.3 AAA ........................................................................................................................................................................................................................... 74
3.5.3.1 RADIUS ......................................................................................................................................................................................................74
3.5.3.2 TACACS+ ................................................................................................................................................................................................... 76
3.6 Aggregation ............................................................................................................................................................................................77
3.6.1 Static ...................................................................................................................................................................................................................77
3.6.2 LACP ...................................................................................................................................................................................................................79
3.7 Loop Protection ......................................................................................................................................................................................80
3.8 Spanning Tree ......................................................................................................................................................................................... 82
3.8.1 Bridge Setting ....................................................................................................................................................................................................83
3.8.2 MSTI Mapping ..................................................................................................................................................................................................84
3.8.3 MSTI Priorities ..................................................................................................................................................................................................86
3.8.4 CIST Ports .........................................................................................................................................................................................................87
3.8.5 MSTI Ports ........................................................................................................................................................................................................88
3.9 IPMC Profile ............................................................................................................ ................................................................................90
3.9.1 Profile Table .......................................................................................................................................................................................................90
3.9.2 Address Entry ....................................................................................................................................................................................................92
3.10 MVR .......................................................................................................................................................................................................93
3.11 I PMC ......................................................................................................................................................................................................95
3.11.1 IG MP S nooping ...............................................................................................................................................................................................95
3.11.1.1 Bas ic C onfi gur ati on ................................................................................................................................................................................95
3.11.1. 2 VLAN Conf igu rat ion ...............................................................................................................................................................................96
3.11.1.3 Port Filtering Profile ...............................................................................................................................................................................98
3.11.2 MLD Snooping .................................................................................................................................................................................................99
3.11.2.1 Basic Configuration .............................................................................................................................................................................100
3.11.2.2 VLAN Configuration ............................................................................................................................................................................102
3.11.2.3 Port Filtering Profile .............................................................................................................................................................................103
3.12 LLDP.....................................................................................................................................................................................................105
3.12.1 LLDP Configuration ......................................................................................................................................................................................105
3.12.2 LLDP-MED Configuration ...........................................................................................................................................................................107
3.13 MAC Table ........................................................................................................................................................................................... 112
3.14 VLANs ..................................................................................................................................................................................................114
3.15 Private VLANs ..................................................................................................................................................................................... 117
3.15.1 VLAN Membership .......................................................................................................................................................................................117
3.15.2 Port Isolation .................................................................................................................................................................................................118
3.16 V CL ....................................................................................................................................................................................................... 119
3.16.1 M AC-based VL AN ........................................................................................................................................................................................ 119
3.16.2 Protocol-based VLAN ..................................................................................................................................................................................120
3.16.2.1 Protocol to Group .................................................................................................................................................................................120
3.16.2.2 Group to VLAN .....................................................................................................................................................................................122
3.16.3 IP Subnet-based VLAN ...............................................................................................................................................................................123
3.17 Voice VLAN .........................................................................................................................................................................................124
3.17.1 C onfi guration .................................................................................................................................................................................................124
3.17. 2 OUI ...................................................................................................................................................................................................................126
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
3
Page 4
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TABLE OF CONTENTS
3.18 Qo S ......................................................................................................................................................................................................127
3.18.1 Port Classification ........................................................................................................................................................................................127
3.18.2 Port Policing ..................................................................................................................................................................................................129
3.18.3 Port Schedulers ............................................................................................................................................................................................130
3.18.4 Port Shaping ..................................................................................................................................................................................................132
3.18.5 Port Tag Remarking .....................................................................................................................................................................................134
3.18.6 Port DSCP ......................................................................................................................................................................................................136
3.18.7 DSCP-Based QoS .........................................................................................................................................................................................137
3.18.8 DSCP Translation .........................................................................................................................................................................................139
3.18.9 DSCP Classification .....................................................................................................................................................................................140
3.18.10 QoS Control List Configuration................................................................................................................................................................141
3.18.11 S torm Cont rol ............................................................................................................................................................................................. 14 4
3.19 M irro r ...................................................................................................................................................................................................145
3.20 UPnP ....................................................................................................................................................................................................146
3.21 GCRP ...................................................................................................................................................................................................147
3.21.1 Global Config .................................................................................................................................................................................................147
3.21.2 Port Config ....................................................................................................................................................................................................149
3.22 sFlow ...................................................................................................................................................................................................150
3.23 Switch2go ..........................................................................................................................................................................................152
3.23.1 Switch2go Setting ........................................................................................................................................................................................152
3.23.2 User Link Management ..............................................................................................................................................................................153
3.23.3 Port Name Service ......................................................................................................................................................................................154
3.24 SMTP Configuration .......................................................................................................................................................................... 155
4. MONITOR .................................................................................................................................................................................. 156
4.1 S yste m ...................................................................................................................................................................................................156
4.1.1 Info rmation .......................................................................................................................................................................................................156
4.1.2 IP Status ...........................................................................................................................................................................................................157
4.1.3 L og .....................................................................................................................................................................................................................159
4.1.4 Detailed Log .....................................................................................................................................................................................................160
4.2 Green Ethernet ...................................................................................................................................................................................... 161
4.3 Ports ......................................................................................................................................................................................................162
4.3.1 Traffic Overview ..............................................................................................................................................................................................162
4.3.2 QoS Statistics .................................................................................................................................................................................................163
4.3.3 QCL Status ......................................................................................................................................................................................................164
4.3.4 Detailed Statistics ..........................................................................................................................................................................................165
4.3.5 SFP Information .............................................................................................................................................................................................168
4.4 DHCP ............................................................................................................ .........................................................................................169
4.4.1 Server ................................................................................................................................................................................................................169
4.4.1.1 Statistics ...................................................................................................................................................................................................169
4.4.1.2 Binding ......................................................................................................................................................................................................170
4.4.1.3 Declined IP ...............................................................................................................................................................................................171
4.4.2 Snooping Table ...............................................................................................................................................................................................171
4.4.3 Relay Statistics ...............................................................................................................................................................................................172
4.4.4 Detailed Statistics ..........................................................................................................................................................................................173
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
4
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 5
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TABLE OF CONTENTS
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
4.5 Security .................................................................................................................................................................................................174
4.5.1 Access Management Statistics ..................................................................................................................................................................174
4.5.2 Network ............................................................................................................................................................................................................175
4.5.2.1 Port Security ...........................................................................................................................................................................................175
4.5.2.2 NAS ...........................................................................................................................................................................................................178
4.5.2.3 ACL Status ..............................................................................................................................................................................................181
4.5.2.4 ARP Inspection .......................................................................................................................................................................................183
4.5.2.5 IP Source Guard .....................................................................................................................................................................................184
4.5.3 AAA ...................................................................................................................................................................................................................185
4.5.3.1 RADIUS Overview ..................................................................................................................................................................................185
4.5.3.2 RADIUS Details.......................................................................................................................................................................................186
4.5.4 Switch ..............................................................................................................................................................................................................192
4.6 LACP ...................................................................................................................................................................................................... 197
4.6.1 System Status .................................................................................................................................................................................................197
4.6.2 Port Status ......................................................................................................................................................................................................198
4.6.3 Port Statistics .................................................................................................................................................................................................199
4.7 Loop Protection ................................................................................................................................................................................... 200
4.8 Spanning Tree ...................................................................................................................................................................................... 201
4.8.1 Bridge Status .................................................................................................................................................................................................. 201
4.8.2 Port Status ..................................................................................................................................................................................................... 202
4.8.3 Port Statistics ................................................................................................................................................................................................ 203
4.9 MVR ...................................................................................................................................................................................................... 204
4.9.1 Statistics .......................................................................................................................................................................................................... 204
4.9.2 MVR Channels Groups ................................................................................................................................................................................. 205
4.9.3 MVR SFM Information ................................................................................................................................................................................. 206
4.10 IP MC ................................................................................................................................................................................................... 207
4.10.1 IGMP Snooping ............................................................................................................................................................................................ 207
4.10.1.1 Status ..................................................................................................................................................................................................... 207
4.10.1.2 G rou p In for mat ion ............................................................................................................................................................................... 209
4.10.1.3 IPv4 SFM Information .........................................................................................................................................................................210
4.10.2 MLD Snooping ..............................................................................................................................................................................................2 11
4.10.2.1 Status .....................................................................................................................................................................................................211
4.10.2.2 Group Information ...............................................................................................................................................................................212
4.10.2.3 IPv6 SFM Information .........................................................................................................................................................................213
4.11 LLDP .....................................................................................................................................................................................................214
4.11.1 Ne igh bor .........................................................................................................................................................................................................214
4.11.2 LLDP-MED Neighbor ....................................................................................................................................................................................216
4.11.3 EEE ...................................................................................................................................................................................................................219
4.11.4 Port Statistics ............................................................................................................................................................................................... 220
4.12 MAC Table .......................................................................................................................................................................................... 222
4.13 VLANs ................................................................................................................................................................................................. 223
4.13.1 VLAN Membership ...................................................................................................................................................................................... 223
4.13.2 VLAN Port ..................................................................................................................................................................................................... 225
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
5
Page 6
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TABLE OF CONTENTS
4.14 VC L ...................................................................................................................................................................................................... 226
4.14.1 MAC-based VLAN ....................................................................................................................................................................................... 226
4.14.2 Protocol-based VLAN................................................................................................................................................................................. 227
4.14.2.1 Protocol to Group ................................................................................................................................................................................ 227
4.14.2.2 Group to VLAN .................................................................................................................................................................................... 228
4.14.3 IP Subnet-based VLAN .............................................................................................................................................................................. 229
4.15 s Flow ................................................................................................................................................................................................... 231
5. DIAGNOSTICS ............................................................................................................................................................................ 233
5.1 Ping ....................................................................................................................................................................................................... 233
5.2 Ping6 .................................................................................................................................................................................................... 234
5.3 VeriPHY ................................................................................................................................................................................................ 235
5.4 Traceroute ............................................................................................................................................................................................ 236
6. MAINTENANCE ......................................................................................................................................................................... 237
6.1 Restart Device ............................................................................................................ .......................................................................... 237
6.2 Factory Defaults .................................................................................................................................................................................. 238
6.3 Firmware .............................................................................................................................................................................................. 239
6.3.1 Firmware Upgrade......................................................................................................................................................................................... 239
6.3.2 Firmware Selection ....................................................................................................................................................................................... 240
6.4 Configuration ........................................................................................................................................................................................241
6.4.1 Save startup-config .......................................................................................................................................................................................241
6.4.2 Upload ..............................................................................................................................................................................................................242
6.4.3 Download ........................................................................................................................................................................................................ 243
6.4.4 Activate ............................................................................................................................................................................................................ 244
6.4.5 Delete ............................................................................................................................................................................................................... 245
7. DMS MANAGEMENT ................................................................................................................................................................. 246
7.1 Information ........................................................................................................................................................................................... 246
7.2 Device List .............................................................................................................................................................................................247
8. DMS GRAPHIC MONITORING .................................................................................................................................................. 249
8.1 Topology View.......................................................................................................................................................................................249
8.2 Floor View .............................................................................................................................................................................................251
8.3 Map View ............................................................................................................................................................................................. 252
9. DMS MAINTENANCE.................................................................................................................................................................253
9.1 Floor Image .......................................................................................................................................................................................... 253
9.2 Troubleshooting .................................................................................................................................................................................. 254
9.3 Traffic Chart ......................................................................................................................................................................................... 255
10. COMPLIANCE .......................................................................................................................................................................... 256
10.1 FC C...................................................................................................................................................................................................... 256
10.1.1 F C C WARNI N G ........................................................................................................................................................................... 256
10.1.2 FCC CAUTION ............................................................................................................................................................................ 256
10.2 CE ........................................................................................................................................................................................................ 256
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
6
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 7
REVISION HISTORY
REVISION HISTORY
RELE ASE: V6.38
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
7
Page 8
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 1: INTRODUCTION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
1.1 O V E R V I E W
This user’s manual explains how to install and connect your network system and configure and monitor the Gigabit Managed Ethernet
Switch through the web via an RJ-45 serial interface and Ethernet ports.
The Gigabit Managed Ethernet Switch provides a reliable infrastructure for your business network. These switches deliver the intelligent
features you need to improve the availability of your critical business applications, protect your sensitive information, and optimize
your network bandwidth. The switches are ideal for entry-level networking, including small business and enterprise applications.
1.2 AVAILABLE MODELS
Three Gigabit Managed Ethernet Switch models are available:
Gigabit Managed Ethernet Switch - 10-Ports (LGB1110A)
Gigabit Managed Ethernet Switch - 26-Ports (LGB1126A-R2)
Gigabit Managed Ethernet Switch - 52-Ports (LGB1152A)
1.3 FEATURES
All Gigabit Managed Ethernet Switch provide these functions:
L2+ features provide better manageability, security, QoS, and performance.
IPv4/IPv6 dual stack management
SSH/SSL secured management
SNMP v1/v2c/v3
RMON groups 1,2,3,9
sFlow
IGMP v1/v2/v3 Snooping
MLD v1/v2 Snooping
RADIUS and TACACS+ authentication
IP Source Guard
DHCP Relay (Option 82)
DHCP Snooping
ACL and QCL for traffic filtering
802.1d (STP), 802.1w (RSTP) and 802.1s (MSTP)
LACP and static link aggregation
Q-in-Q double tag VLAN
GVRP dynamic VLAN
8
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 9
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 2: OPERATION OF WEB-BASED MANAGEMENT
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
2.1 INITIAL CONFIGURATION
This chapter instructs you how to configure and manage the Gigabit Managed Ethernet Switch through the web user interface. It
enables you to easily access and monitor, through any one port of the switch, MIBs status, each port activity, Spanning tree status, port
aggregation status, multicast traffic, VLAN and priority status, illegal access records, and so on.
THE DEFAULT VALUES OF THE GIGABIT MANAGED ETHERNET SWITCH ARE LISTED BELOW:
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.254
Username: admin
Password: blank
After the Gigabit Managed Ethernet Switch finishes configuring the IT interface, you can browse it. For instance, type http://192.168.1.1
in the address row in a browser, and it will show the following screen and ask you to input the username and password to login
and access authentication.
FIGURE 2-1. LOGIN SCREEN
The default username is “admin” and password is blank. For first-time use, enter the default username and password, and then click the
<Login> button. The login process now is completed. In this login menu, input the complete username and password respectively, the
Gigabit Managed Ethernet Switch will not give you a shortcut to username automatically. This looks inconvenient, but safer.
In the Gigabit Managed Ethernet Switch, two or more users can use the administrator’s identity to manage this switch.
NOTE: When you log in to the Switch Web/CLI, you must first type the username (admin). Password is blank, so after you type admin, just
press enter in the management page to enter the Web/CLI.
When you log in to the Gigabit Managed Ethernet Switch series switch Web UI management, you can use both ipv4 and ipv6 login.
To optimize the display, we recommend that you use Microsoft IE 6.0 or above, Netscape V7.1 or above or Firefox V1.00 above with
resolution of 1024 x 768 or above.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
9
Page 10
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 2: OPERATION OF WEB-BASED MANAGEMENT
NOTE: The Gigabit Managed Ethernet Switch enables DHCP, so If you do not have a DHCP server to provide ip addresses to the switch, use
the Switch default ip 192.168.1.1
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
10
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 11
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
This chapter describes basic configuration tasks, including the System Information and switch management (e.g. Time, Account,
IP, Syslog and NTP.)
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.1 SYS T E M
You can identify the system by configuring the contact information, name, and location of the switch.
3.1.1 INFORMATION
The switch system’s contact information is provided here.
WEB INTERFACE
To configure System Information in the web interface:
1. Click Configuration, System, and Information.
2. Type in System Contact, System Name, and System Location information in this page.
3. Click Apply.
FIGURE 3-1. SYSTEM INFORMATION SCREEN
Parameter description:
System Contact: The textual identification of the contact person for this managed node, together with information on how to
contact this person. The allowed string length is 0 to 128, and the allowed content includes ASCII characters from 32 to 126.
System name: An administratively-assigned name for this managed node. By convention, this is the node’s fully qualified domain
name. A domain name is a text string drawn from the alphabet (A-Z, a-z), digits (0-9), and minus sign (-). No space characters are
permitted as part of a name. The first character must be an alpha character. And the first or last character must not be a minus
sign. The allowed string length is 0 to 128.
System Location: The physical location of this node(e.g., telephone closet, 3rd floor). The allowed string length is 0 to 128, and the
allowed content is ASCII characters from 32 to 126.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
11
Page 12
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
3.1.2 I P
The IPv4 address for the switch can be obtained via DHCP Server for VLAN 1. To manually configure an address, you need to
change the switch’s default settings to values that are compatible with your network. You may also need to establish a default
gateway between the switch and management stations that exist on another network segment.
Configure the switch-managed IP information on this page.
Configure IP basic settings, control IP interfaces and IP routes.
The maximum number of interfaces supported is 8 and the maximum number of routes is 32.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
WEB INTERFACE
To configure an IP address in the web interface:
1. Click Configuration, System, IP.
2. Click Add Interface, then you can create new Interface on the switch.
3. Click Add Route, then you can create new Route on the switch.
4. Click Apply.
12
FIGURE 3-2. IP CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 13
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Parameter description:
IP Configuration
Mode: Configure whether the IP stack should act as a Host or a Router. In Host mode, IP traffic between interfaces will not be routed.
In Router mode, traffic is routed between all interfaces.
DNS Server: This setting controls the DNS name set for the switch. The following modes are supported:
- From any DHCP interfaces: The first DNS server offered from a DHCP lease to a DHCP-enabled interface will be used.
- No DNS server: No DNS server will be used.
- Configured: Explicitly provide the IP address of the DNS Server in dotted decimal notation.
- From this DHCP interface: Specify from which DHCP-enabled interface a provided DNS server should be preferred.
• DNS Proxy: When DNS proxy is enabled, the system will relay DNS requests to the currently configured DNS server, and reply as a DNS
resolver to the client devices on the network.
IP Interfaces
Delete: Select this option to delete an existing IP interface.
VLAN: The VLAN associated with the IP interface. Only ports in this VLAN will be able to access the IP interface. This field is only
available for input when creating an new interface.
IPv4 DHCP Enabled: Enable the DHCP client by checking this box. If this option is enabled, the system will configure the IPv4 address
and mask of the interface using the DHCP protocol. The DHCP client will announce the configured System Name as hostname to
provide DNS lookup.
IPv4 DHCP Fallback Timeout: The number of seconds the switch will try to obtain a DHCP lease. After this period expires, a configured
IPv4 address will be used as IPv4 interface address. A value of zero disables the fallback mechanism, so DHCP will keep retrying until
a valid lease is obtained. Legal values are 0 to 4294967295 seconds.
IPv4 DHCP Current Lease: For DHCP interfaces with an active lease, this column shows the current interface address, as provided by
the DHCP server.
IPv4 Address: The IPv4 address of the interface in dotted decimal notation. If DHCP is enabled, this field is not used. The field may
also be left blank if IPv4 operation on the interface is not desired.
IPv4 Mask: The IPv4 network mask, in number of bits (prefix length). Valid values are between 0 and 30 bits for a IPv4 address. If
DHCP is enabled, this field is not used. The field may also be left blank if IPv4 operation on the interface is not desired.
IPv6 Address: The IPv6 address of the interface. An IPv6 address is in 128-bit records represented as eight fields of up to four
hexadecimal digits with a colon separating each field (:). For example, fe80::215:c5ff:fe03:4dc7. The symbol :: is a special syntax that
can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once. It can also
represent a legally valid IPv4 address. For example, ::192.1.2.34.
The field may be left blank if IPv6 operation on the interface is not desired.
IPv6 Mask: The IPv6 network mask, in number of bits (prefix length). Valid values are between 1 and 128 bits for a IPv6 address. The
field may be left blank if IPv6 operation on the interface is not desired.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
13
Page 14
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
IP Routes
Delete: Select this option to delete an existing IP route.
Network: The destination IP network or host address of this route. Valid format is dotted decimal notation or a valid IPv6 notation. A
default route can use the value 0.0.0.0or IPv6 :: notation.
Mask Length: The destination IP network or host mask, in number of bits (prefix length). It defines how much of a network address
that must match, in order to qualify for this route. Valid values are between 0 and 32 bits, respectively, 128 for IPv6 routes. Only a
default route will have a mask length of 0 (as it will match anything).
Gateway: The IP address of the IP gateway. Valid format is dotted decimal notation, or a valid IPv6 notation. Gateway and Network
must be of the same type.
Next Hop VLAN (Only for IPv6): The VLAN ID (VID) of the specific IPv6 interface associated with the gateway.
The given VID ranges from 1 to 4094 and will be effective only when the corresponding IPv6 interface is valid.
If the IPv6 gateway address is link-local, it must specify the next hop VLAN for the gateway.
If the IPv6 gateway address is not link-local, the system ignores the next hop VLAN for the gateway.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Buttons
Add Interface: Click to add a new IP interface. A maximum of 8 interfaces is supported.
Add Route: Click to add a new IP route. A maximum of 32 routes is supported.
Apply: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.3 N T P
NTP is Network Time Protocol and is used to sync the network time based Greenwich Mean Time (GMT). If you use the NTP mode and
select a built-in NTP time server or manually specify an user-defined NTP server as well as Time Zone, the switch will sync the time
shortly after pressing <Apply> button. Though it synchronizes the time automatically, NTP does not update the time periodically without
user’s processing.
Time Zone is an offset time off GMT. You have to select the time zone first and then perform time sync via NTP, because the switch will
combine this time zone offset and updated NTP time to result as the local time; otherwise, you will not able to get the correct time. The
switch supports configurable time zone from –12 to +13 step 1 hour.
Default Time zone: +8 Hrs.
WEB INTERFACE
To configure NTP in the web interface:
1. Click Configuration, System, NTP.
2. Specify the Time parameter in manual parameters.
3. Click Apply.
14
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 15
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-3. NTP CONFIGURATION SCREEN
Parameter description:
Mode: Indicates the NTP mode operation. Possible modes are:
Enabled: Enable NTP client mode operation.
Disabled: Disable NTP client mode operation.
Server 1 to 5: Provide the NTP IPv4 or IPv6 address of this switch. IPv6 address is in 128-bit records represented as eight fields of
up to four hexadecimal digits with a colon separating each field (:). For example, ‘fe80::215:c5ff:fe03:4dc7’. The symbol ‘::’ is a special
syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can only appear once. It
can also represent a legally valid IPv4 address. For example, ‘::192.1.2.34’.
Buttons: These buttons are displayed on the NTP page:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
15
Page 16
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
3.1.4 TI M E
The switch provides manual and automatic ways to set the system time via NTP. Manual setting is simple—just input “Year”, “Month”,
“Day”, “Hour” and “Minute” within the valid value range indicated in each item.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
WEB INTERFACE
To configure Time in the web interface:
1. Click Configuration, System and Time.
2. Specify the Time parameter.
3. Click Apply.
FIGURE 3-4. TIME CONFIGURATION SCREEN
16
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 17
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-5. DAYLIGHT SAVINGS TIME CONFIGURATION SCREEN
Parameter description:
Time Configuration
Clock Source: There are two modes for configuring how the Clock Source from. Select “Use Local Settings” : Clock Source from Local
Time. Select “Use NTP Server” : Clock Source from NTP Server.
System Date: Show the current time of the system. The system year is a value between 2011 and 2037.
Time Zone Configuration
Time Zone: Lists various Time Zones worldwide. Select the appropriate Time Zone from the drop-down box and click Apply to set.
Acronym: The user can set the acronym of the time zone. This acronym identifies the time zone. (Range: Up to 16 characters)
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
17
Page 18
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Daylight Savings Time Configuration
Daylight Savings Time: Use this to set the clock forward or backward according to the configurations set below for a defined Daylight
Savings Time duration. Select “Disable” to disable the Daylight Savings Time configuration. Select “Recurring” and configure the
Daylight Savings Time duration to repeat the configuration every year. Select “Non-Recurring” and configure the Daylight Saving Time
duration for a single time configuration. (Default: Disabled ).
Recurring Configuration
Start time settings:
- Week - Select the starting week number.
- Day - Select the starting day.
- Month - Select the starting month.
- Hours - Select the starting hour.
- Minutes - Select the starting minute.
• End time settings:
- Week - Select the ending week number.
- Day - Select the ending day.
- Month - Select the ending month.
- Hours - Select the ending hour.
- Minutes - Select the ending minute.
Offset settings: Offset - Enter the number of minutes to add during Daylight Saving Time. (Range: 1 to 1440)
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
NOTE: “Start Time Settings” and “End Time Settings” display what you set in the “Start Time Settings” and “End Time Settings” fields.
Buttons: These buttons are displayed on the NTP page:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
18
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 19
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.1.5 LOG
The log is a standard for logging program messages . It allows separation of the software that generates messages from the system
that stores them and the software that reports and analyzes them. It can be used as well as generalized informational, analysis, and
debugging messages. It is supported by a wide variety of devices and receivers across multiple platforms.
WEB INTERFACE
To configure log configuration in the web interface:
1. Click Configuration, System and log.
2.Specify the syslog parameters, including the IP Address of the Syslog server and Port number.
3. Select the Syslog to enable it.
4. Click Apply.
FIGURE 3-6. SYSTEM LOG CONFIGURATION SCREEN
Parameter description:
Server Mode: Indicates the server mode operation. When the mode operation is enabled, the syslog message will be sent out to the
syslog server. The syslog protocol is based on UDP communication and received on UDP port 514. The syslog server will not send
acknowledgments back to the sender since UDP is a connectionless protocol and it does not provide acknowledgments. The syslog
packet will always be sent ou,t even if the syslog server does not exist. Possible modes are:
- Enabled: Enable server mode operation.
- Disabled: Disable server mode operation.
• Server Address: Indicates the IPv4 hosts address of the syslog server. If the switch provides a DNS feature, it also can be a host name.
• Syslog Level: Indicates what kind of message will be sent to a syslog server. Possible modes are:
- Info: Send information, warnings, and errors.
- Warning: Send warnings and errors.
- Error: Send errors.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
19
Page 20
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Buttons: These buttons are displayed on the NTP page:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.2 GREEN ETHERNET
EEE is a power-saving option that reduces the power usage when there is low or no traffic use.
EEE works by powering down circuits when there is no traffic. When a port gets data to be transmitted, all circuits are powered up.
The time it takes to power up the circuits is named wakeup time. The default wakeup time is 17 µs for 1-Gbit links and 30 µs for
other link speeds. EEE devices must agree upon the value of the wakeup time to make sure that both the receiving and transmitting
devices have all circuits powered up when traffic is transmitted. The devices can exchange wakeup time information using the
LLDP protocol.
EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100 Mbit full-duplex mode.
For ports that are not EEE-capable, the corresponding EEE checkboxes are grayed out; so you cannot enable EEE for these ports.
When a port is powered down to save power, outgoing traffic is stored in a buffer until the port is powered up again. Because there
is some overhead in powering the port off and on, more power can be saved if the traffic can be buffered until a large burst of
traffic can be transmitted. Buffering traffic will give some latency in the traffic.
WEB INTERFACE
To configure a Port Power Saving Configuration in the web interface:
1. Click Configuration, Green Ethernet.
2. Enable or disable the ActiPHY, PerfectReach, EEE, and EEE Urgent Queues.
3. Click Apply.
20
FIGURE 3-7. PORT POWER SAVING CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 21
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
Optimize EEE for: The switch can be set to optimize EEE for either best power saving or least traffic latency.
Port: The switch port number of the logical port.
ActiPHY: Link down power savings enabled. ActiPHY works by lowering the power for a port when there is no link. The port is
powered up for a short moment to determine if cable is inserted.
PerfectReach: Cable length power savings enabled. PerfectReach works by determining the cable length and lowering the power for
ports with short cables.
EEE: Controls whether EEE is enabled for this switch port.
To maximize power savings, the circuit isn’t started once transmit data is ready for a port, but is instead queued until a burst of data
is ready to be transmitted. This will give some traffic latency.
If desired, you can minimize the latency for specific frames by mapping the frames to a specific queue (done with QOS), and then
mark the queue as an urgent queue. When an urgent queue gets data to be transmitted, the circuits will be powered up and the
latency will be reduced to the wakeup time.
EEE Urgent Queues: Queues set will activate transmission of frames as soon as data is available. Otherwise, the queue will postpone
transmission until a burst of frames can be transmitted.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
21
Page 22
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.3 PORTS CONFIGURATION
The section describes how to configure the detailed port parameters of the switch. You can use Port configure to enable or disable
a switch port. Monitor the ports content or status in the function.
3.3.1 PORTS
This page displays current port configurations. Ports can also be configured here.
WEB INTERFACE
To configure a Current Port Configuration in the web interface:
1. Click Configuration, Ports Configuration, and Ports.
2. Specify the Speed Configured, Flow Control, Maximum Frame size, Excessive Collision mode, and Power Control.
3. Click Apply.
FIGURE 3-8. PORT CONFIGURATION SCREEN
Parameter description:
Port: This is the logical port number for this row.
Link: The current link state is displayed graphically. Green indicates the link is up and red that it is down.
Current Link Speed: Provides the current link speed of the port.
Configured Link Speed: Selects any available link speed for the given switch port. Only speeds supported by the specific port are
shown. Possible speeds are:
- Disabled - Disables the switch port operation.
- Auto - Port autonegotiates speed with the link partner and selects the highest speed that is compatible with the link partner.
22
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 23
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
- 10-Mbps HDX - Forces the copper port to 10-Mbps half- duplex mode.
- 10-Mbps FDX - Forces the copper port to 10-Mbps full-duplex mode.
- 100-Mbps HDX - Forces the copper port to 100-Mbps half-duplex mode.
- 100-Mbps FDX - Forces the copper port to 100-Mbps full-duplex mode.
- 1-Gbps FDX - Forces the port in 1-Gbps full-duplex mode.
- 2.5-Gbps FDX - Forces the port to 2.5-Gbps full-duplex mode.
- SFP_Auto_AMS - Automatically determines the speed of the SFP.
NOTE: There is no standardized way to do SFP auto detect, so here it is done by reading the SFP rom. SFP auto detect for some SFPs may
not work. The port is set in AMS mode. The copper port is set in Auto mode.
- 100-FX - The SFP port is in 100-FX speed. The copper port is disabled.
- 100-FX_AMS - Port in AMS mode. The SFP port is in 100-FX speed. The copper port is in Auto mode.
- 1000-X - The SFP port is in 1000-X speed. The copper port is disabled.
- 1000-X_AMS - Port in AMS mode. The SFP port is in 1000-X speed. The copper port is in Auto mode. Ports in AMS mode with 1000-X
speed have the copper port preferred. Ports in AMS mode with 100-FX speed have the fiber port preferred.
Flow Control: When Auto Speed is selected on a port, this section indicates the flow control capability that is advertised to the link
partner. When a fixed-speed setting is selected, that is what is used. The Current Rx column indicates whether pause frames on the
port are obeyed, and the Current Tx column indicates whether pause frames on the port are transmitted. The Rx and Tx settings are
determined by the result of the last Auto-Negotiation.
Check the configured column to use flow control. This setting is related to the setting for Configured Link Speed.
Maximum Frame Size: Enter the maximum frame size allowed for the switch port, including FCS.
Excessive Collision Mode: Configure the port transmit collision behavior.
- Discard: Discard frame after 16 collisions (default).
- Restart: Restart the backoff algorithm after 16 collisions.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
Upper right icon (Refresh): Click the icon to for refresh the Port link Status manually.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
23
Page 24
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.3.2 PORTS DESCRIPTION
The section describes how to configure the Port’s alias or any descriptions for the Port Identity. The user must provide an
alphanumeric string describing the full name and version identification for the system’s hardware type, software version, and
networking application.
WEB INTERFACE
To configure a Port Description in the web interface:
1. Click Configuration, Port, then Port Description.
2. Specify a detailed Port alias or an alphanumeric string describing the full name and version for the system’s hardware type, software
version, and networking application.
3. Click Apply.
FIGURE 3-9. PORT CONFIGURATION SCREEN
Parameter description:
Port: This is the logical port number for this row.
Description: Enter up to 47 characters for the name that identifies this port.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
24
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 25
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.4 DHCP
The section describes how to configure the switch’s DHCP Snooping parameters. The DHCP Snooping can prevent attackers from
adding their own DHCP servers to the network.
3.4.1 SERVER
3.4.1.1 MO D E
This page configures global mode and VLAN mode to enable/disable a DHCP server per system and per VLAN.
WEB INTERFACE
To configure a DHCP server mode in the web interface:
1. Click Configuration, DHCP, Server, Mode.
2. Select “Enabled” in the Global Mode of DHCP Server Mode Configuration.
3. Add a Vlan range.
4. Click Apply.
FIGURE 3-10. DHCP SERVER MODE SCREEN
Parameter description:
Mode: Configure the operation mode per system. Possible modes are:
- Enabled: Enable DHCP server per system.
- Disabled: Disable DHCP server pre system.
VLAN Range: Indicate the VLAN range in which the DHCP server is enabled or disabled. The first VLAN ID must be smaller than or
equal to the second VLAN ID. But, if the VLAN range contains only 1 VLAN ID, then you can just input it into either one of the first
and second VLAN ID fields or both.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
25
Page 26
CHAPTER 3: SYSTEM CONFIGURATION
On the other hand, if you want to disable an existing VLAN range, follow these steps:
1.Press “ADD VLAN Range” to add a new VLAN range.
2. input the VLAN range that you want to disable.
3. Choose Mode to be Disabled.
4. Press Apply to apply the change.
Then, you will see the disabled VLAN range is removed from the DHCP Server mode configuration page.
Mode: Indicates the operation mode per VLAN. Possible modes are:
- Enabled: Enable DHCP server per VLAN.
- Disabled: Disable DHCP server pre VLAN.
Buttons:
- Add VLAN Range - Click to add a new VLAN range.
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.4.1.2 EXCLUDED IP
This page configures excluded IP addresses. A DHCP server will not allocate these excluded IP addresses to a DHCP client.
WEB INTERFACE
To configure a DHCP server excluded IP in the web interface:
1. Click Configuration, DHCP, Server, Excluded IP.
2. Click Add IP Range, then you can create a new IP Range on the switch.
3. Click Apply.
26
FIGURE 3-11. DHCP SERVER EXCLUDED IP SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 27
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
IP Range: Define the IP range to be excluded IP addresses. The first excluded IP must be smaller than or equal to the second excluded
IP. But, if the IP range contains only 1 excluded IP, then you can just input it to either one of the first and second excluded IP fields or
both.
Buttons:
- Add IP Range - Click to add a new excluded IP range.
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.4.1.3 PO O L
This page manages DHCP pools. According to the DHCP pool, a DHCP server will allocate IP addresses and deliver configuration
parameters to DHCP client.
WEB INTERFACE
To configure a DHCP server pool in the web interface:
1. Click Configuration, DHCP, Server, Pool.
2. Click Add New Pool then you can create a new Pool on the switch.
3. Click Apply.
FIGURE 3-12. DHCP SERVER POOL SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
27
Page 28
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
Pool Setting: Add or delete pools. Add a pool and give a name to create a new pool with the ”default” configuration. If you want to
configure all settings including type, IP subnet mask and lease time, you can click the pool name to go into the configuration page.
Name: Configure the pool name that accepts all printable characters, except white space. If you want to configure detailed settings,
you can click the pool name to go into the configuration page.
Type: Display the type of pool.
- Network: Defines a pool of IP addresses to service more than one DHCP client.
- Host: Defines services for a specific DHCP client identified by a client identifier or hardware address. If “-” is displayed, the services are
not defined.
IP: Display the network number of the DHCP address pool. If “-” is displayed, the network number is not defined.
Subnet Mask: Displays the subnet mask of the DHCP address pool. If “-” is displayed, the subnet mask is not defined.
Lease Time: Displays the lease time of the pool.
Buttons:
- Add New Pool - Click to add a new DHCP pool.
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.4.2 SNOOPING
DHCP Snooping blocks intruders on the untrusted ports of the switch when they try to intervene by injecting a bogus DHCP reply
packet to a legitimate conversation between the DHCP client and server.
The section describes how to configure the DHCP Snooping parameters of the switch. DHCP Snooping can prevent attackers from
adding their own DHCP servers to the network.
28
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 29
CHAPTER 3: SYSTEM CONFIGURATION
WEB INTERFACE
To configure DHCP snooping in the web interface:
1. Click Configuration, DHCP, Snooping.
2. Select “Enabled” in the DHCP Snooping Configuration mode.
3. Select “Trusted” for the specific port in the Port Mode Configuration.
4. Click Apply.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-13. DHCP SNOOPING CONFIGURATION SCREEN
Parameter description:
Snooping Mode: Indicates the DHCP snooping mode operation. Possible modes are:
- Enabled: Enable DHCP snooping mode operation. When DHCP snooping mode operation is enabled, the DHCP request messages will be
forwarded to trusted ports and only allow reply packets from trusted ports.
- Disabled: Disable DHCP snooping mode operation.
Port Mode Configuration: Indicates the DHCP snooping port mode. Possible port modes are:
- Trusted: Configures the port as a trusted source of the DHCP messages.
- Untrusted: Configures the port as an untrusted source of the DHCP messages.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
29
Page 30
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.4.3 RELAY
A DHCP relay agent is used to forward and to transfer DHCP messages between the clients and the server when they are not in the
same subnet domain. It stores the incoming interface IP address in the GIADDR field of the DHCP packet. The DHCP server can use
the value of the GIADDR field to determine the assigned subnet. Be sure to configure the VLAN interface IP address and PVID (Port
VLAN ID) correctly.
WEB INTERFACE
To configure DHCP Relay in the web interface:
1. Click Configuration, DHCP, Relay.
2. Specify the Relay Mode, Relay server, Relay Information Mode, Relay Information.
3. Click Apply.
FIGURE 3-14. DHCP RELAY CONFIGURATION SCREEN
Parameter description:
Relay Mode: Indicates the DHCP relay mode operation. Possible modes are:
- Enabled: Enable DHCP relay mode operation. When DHCP relay mode operation is enabled, the agent forwards and transfers DHCP
messages between the clients and the server when they are not in the same subnet domain. And the DHCP broadcast message won’t be
flooded for security considerations.
- Disabled: Disable DHCP relay mode operation.
Relay Server: Indicates the DHCP relay server’s IP address.
Relay Information Mode: Indicates the DHCP relay information mode option operation. The option 82 circuit ID is formatted as
“[vlan_id][module_id][port_no]”. The first four characters represent the VLAN ID, the fifth and sixth characters are the module ID (in
a standalone device it always equal 0, in a stackable device it is the switch ID), and the last two characters are the port number. For
example, “00030108” means the DHCP message is received from VLAN ID 3, switch ID 1, port No 8. The Option 82 remote ID value
equals the switch MAC address. Possible modes are:
- Enabled: Enable DHCP relay information mode operation. When DHCP relay information mode operation is enabled, the agent inserts specific
information (option 82) into a DHCP message when forwarding to DHCP server and removes it from a DHCP message when transferring to
DHCP client. It only works when DHCP relay operation mode is enabled.
- Disabled: Disable DHCP relay information mode operation.
Relay Information Policy: Indicates the DHCP relay information option policy. When DHCP relay information mode operation is
enabled, if the agent receives a DHCP message that already contains relay agent information, it will enforce the policy. The ‘Replace’
policy is invalid when relay information mode is disabled. Possible policies are:
- Replace: Replace the original relay information when a DHCP message that already contains it is received.
- Keep: Keep the original relay information when a DHCP message that already contains it is received.
30
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 31
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
- Drop: Drop the package when a DHCP message that already contains relay information is received.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
3.5 SECURITY
This section shows you how to configure the Port Security settings of the Switch. You can use the Port Security feature to restrict
input to an interface by limiting and identifying MAC addresses.
3.5.1 SWITCH
3.5 .1.1 US E RS
This page provides an overview of the current users. Currently the only way to login as another user on the web server is to close
and reopen the browser.
WEB INTERFACE
To configure User in the web interface:
1. Click Configuration, Security, Switch, Users.
2. Click Add new user.
3. Specify the User Name parameter.
4. Click Apply.
FIGURE 3-15. USERS CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
31
Page 32
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
User Name: The name identifying the user. This is also a link to Add/Edit User.
Password: Type the password. The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.
Password (again): Type the password again. You must type the same password again in the field.
Privilege Level: The privilege level of the user. The allowed range is 1 to 15. If the privilege level value is 15, the user can access all
groups for full control of the device. Other values need to refer to each group privilege level. A user’s privilege level should be same
or greater than the group privilege level to have the access of that group. By default settings, most groups with privilege level 5 have
read-only access, and groups with privilege level 10 have read-write access. System maintenance users (software upload, factory
defaults and etc.) need user privilege level 15. Use privilege level 15 for an administrator account, privilege level 10 for a standard user
account, and privilege level 5 for a guest account.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
- Cancel - Click to undo any changes made locally and return to the Users.
- Delete User - Delete the current user. This button is not available for new configurations (Add new user).
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.1.2 PRIVILEGE LEVEL
This page provides an overview of the privilege levels. The switch enables the user to set Account, Aggregation, Diagnostics, EEE,
GARP, GVRP, IP, IPMC Snooping, LACP, LLDP, LLDP, MED, MAC Table, MRP, MVR, MVRP, Maintenance, Mirroring, Ports, Private
VLANs, QoS, SMTP, SNMP, Security, Spanning Tree, System Trap Event, VCL, VLANs, Voice VLAN Privilege Levels from 1 to 15 .
WEB INTERFACE
To configure Privilege Level in the web interface:
1. Click System, Account, Privilege Level.
2. Specify the Privilege parameter.
3. Click Apply.
32
FIGURE 3-16. PRIVILEGE LEVEL CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 33
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Parameter description:
Group Name: The name identifying the privilege group. In most cases, a privilege level group consists of a single module (e.g. LACP,
RSTP, or QoS), but a few of them contain more than one. The following description defines these privilege level groups in detail:
- System: Contact, Name, Location, Timezone, Daylight Saving Time, Log.
- Security: Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS,
SSH, ARP Inspection, IP source guard.
- IP: Everything except “ping.”
- Port: Everything except “VeriPHY.”
- Diagnostics: “ping” and “VeriPHY.”
- Maintenance: CLI- System Reboot, System Restore Default, System Password, Configuration Save, Configuration Load, and Firmware
Load. Web- Users, Privilege Levels, and everything in Maintenance.
- Debug: Only present in CLI.
Privilege Levels: Every group has an authorization Privilege level for the following sub groups: configuration read-only, configuration/
execute read-write, status/statistics read-only, status/statistics read-write (e.g. to clear statistics). User Privilege should be the same
or greater than the authorization Privilege level to have access to that group.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
3.5.1.3 AUTHENTICATION METHOD
This page shows how to configure a user as authenticated when he logs into the switch via one of the management client interfaces.
WEB INTERFACE
To configure an Authentication Method Configuration in the web interface:
1. Specify the Client (console, telent, ssh, web) that you want to monitor.
2. Specify the Authentication Method (none, local, radius, tacacs+)
3. Check Fallback.
4. Click Apply.
FIGURE 3-17. AUTHENTICATION METHOD CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
33
Page 34
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
Client: The management client for which the configuration below applies.
Authentication Method: Authentication Method can be set to one of the following values:
- none: authentication is disabled and login is not possible.
- local: use the local user database on the switch for authentication.
- radius: use a remote RADIUS server for authentication.
- tacacs+: use a remote TACACS+ server for authentication.
Methods that involve remote servers are timed out if the remote servers are offline. In this case, the switch tries the next method. The
switch tries each method from left to right and continues until a method either approves or rejects a user. If a remote server is used
for primary authentication, we recommend that you configure secondary authentication as ‘local’. This will enable the management
client to login via the local user database if none of the configured authentication servers are alive.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5 .1.4 SS H
This section shows you how to use SSH (Secure SHell) to securely access the Switch. SSH is a secure communication protocol
that combines authentication and data encryption to provide secure encrypted communication.
WEB INTERFACE
To configure an SSH Configuration in the web interface:
1. Select “Enabled” in the SSH Configuration Mode field.
2. Click Apply.
FIGURE 3-18. SSH CONFIGURATION SCREEN
Parameter description:
Mode: Indicates the SSH mode operation. Possible modes are:
- Enabled: Enable SSH mode operation.
- Disabled: Disable SSH mode operation.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
34
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 35
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.1.5 HTTPS
This section shows you how to use HTTPS to securely access the Switch. HTTPS is a secure communication protocol that combines
authentication and data encryption to provide secure encrypted communication via the browser.
WEB INTERFACE
To set HTTPS Configuration in the web interface:
1. Select “Enabled” in the HTTPS Configuration Mode field.
2. Select “Enabled” in the Automatic Redirect of HTTPS Configuration field.
3. Click Apply.
FIGURE 3-19. HTTPS CONFIGURATION SCREEN
Parameter description:
Mode: Indicates the HTTPS mode operation. Possible modes are:
- Enabled: Enable HTTPS mode operation.
- Disabled: Disable HTTPS mode operation.
Automatic Redirect: Indicates the HTTPS redirect mode operation. Automatically redirect web browser to HTTPS when HTTPS mode
is enabled. Possible modes are:
- Enabled: Enable HTTPS redirect mode operation.
- Disabled: Disable HTTPS redirect mode operation.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
35
Page 36
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.1.6 ACCESS MANAGEMENT
This section shows you how to configure the switch’s access management table HTTP/HTTPS, SNMP, and TELNET/SSH settings.
You can manage the Switch over an Ethernet LAN, or over the Internet.
WEB INTERFACE
To configure Access Management in the web interface:
1. Select “Enabled” in the Access Management Configuration Mode.
2. Click “Add new entry.”
3. Specify the Start IP Address, End IP Address.
4. Check the Access Managment method (HTTP/HTTPS, SNMP, and TELNET/SSH).
5. Click Apply.
FIGURE 3-20. ACCESS MANAGEMENT CONFIGURATION SCREEN
Parameter description:
Mode: Indicates the access management mode operation. Possible modes are:
- Enabled: Enable access management mode operation.
- Disabled: Disable access management mode operation.
VLAN ID: Indicates the VLAN ID for the access management entry.
Delete: Check to delete the entry. It will be deleted during the next save.
Start IP address: Indicates the start IP address for the access management entry.
End IP address: Indicates the end IP address for the access management entry.
•HTTP/HTTPS: Indicates that the host can access the switch from HTTP/HTTPS interface if the host IP address matches the IP
address range provided in the entry.
SNMP: Indicates that the host can access the switch from the SNMP interface if the host IP address matches the IP address range
provided in the entry.
TELNET/SSH: Indicates that the host can access the switch from the TELNET/SSH interface if the host IP address matches the IP
address range provided in the entry.
Buttons:
- Add New Entry – Click to add a new access management entry.
- Apply – Click to save changes.
- Reset – Click to undo any changes made locally and revert to previously saved values.
36
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 37
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5 .1.7 S NM P
Any Network Management System (NMS) running the Simple Network Management Protocol (SNMP) can manage the Managed
devices equipped with an SNMP agent, provided that the Management Information Base (MIB) is installed correctly on the managed
devices. The SNMP is a protocol that is used to govern the transfer of information between SNMP manager and agent and traverses
the Object Identity (OID) of the management Information Base (MIB), described in the form of SMI syntax. An SNMP agent is running
on the switch to respond to the request issued by the SNMP manager.
The SNMP agent is passive, except for issuing the trap information. The switch can turn on or off the SNMP agent. If you set the
field SNMP “Enable, ” the SNMP agent will start up. All supported MIB OIDs, including RMON MIB, can be accessed via the SNMP
manager. If the SNMP field is set to “Disable,” the SNMP agent will be deactivated, and the related Community Name, Trap Host IP
Address, Trap, and all MIB counters will be ignored.
SYSTEM
This section describes how to configure the SNMP System on the switch. This function is used to configure SNMP settings,
community name, trap host, and public traps, as well as SNMP throttle. An SNMP manager must pass the authentication by
identifying both community names, then it can access the MIB information of the target device. Both parties must have the same
community name. Once completing the setting, click the <Apply> button, and the setting takes effect.
WEB INTERFACE
To configure the SNMP System in the web interface:
1. Click SNMP, System.
2. Select Enable or Disable in the SNMP State field to enable or disable the SNMP function.
3. Specify the Engine ID.
4. Click Apply.
FIGURE 3-21. SNMP SYSTEM CONFIGURATION SCREEN
Parameter description:
Mode: Indicates the SNMP mode operation. Possible modes are:
- Enabled: Enable SNMP mode operation.
- Disabled: Disable SNMP mode operation.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
37
Page 38
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Version: Indicates the SNMP supported version. Possible versions are:
- SNMP v1: Set SNMP supported version 1.
- SNMP v2c: Set SNMP supported version 2c.
- SNMP v3: Set SNMP supported version 3.
Read Community: Indicates the community read access string to permit access to an SNMP agent. The allowed string length is 0 to
255, and the allowed content is the ASCII characters from 33 to 126.
The field is applicable only when the SNMP version is SNMPv1 or SNMPv2c. If the SNMP version is SNMPv3, the community string
will be associated with SNMPv3 communities table. This provides more flexibility to configure security name than an SNMPv1 or
SNMPv2c community string. In addition to community string, a particular range of source addresses can be used to restrict source
subnet.
Write Community: This indicates the community write access string to permit access to an SNMP agent. The allowed string length is
0 to 255, and the allowed content is the ASCII characters from 33 to 126.
The field applies only when SNMP version is SNMPv1 or SNMPv2c. If SNMP version is SNMPv3, the community string will be
associated with SNMPv3 communities table. This provides more flexibility to configure security name than an SNMPv1 or SNMPv2c
community string. In addition to community string, a particular range of source addresses can be used to restrict the source subnet.
• Engine ID: This indicates the SNMPv3 engine ID. The string must contain an even number (in hexadecimal format) with the number
of digits between 10 and 64, but all-zeros and all-’F’s are not allowed. Changing the Engine ID will clear all original local users.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
38
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 39
CHAPTER 3: SYSTEM CONFIGURATION
TRAP
Configure SNMP trap on this page.
Global Settings
Configure SNMP trap on this page.
WEB INTERFACE
To display the configure SNMP Trap Configuration in the web interface:
1. Click Configuration, Switch, SNMP, Trap.
2. Click Add New Entry, then you can create a new SNMP Trap on the switch.
3. Click Apply.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-22. SNMP TRAP CONFIGURATION SCREEN
Trap Mode: Indicates the trap mode operation. Possible modes are:
- Enabled: Enable SNMP trap mode operation.
- Disabled: Disable SNMP trap mode operation.
Trap Destination Configurations: Configure trap destinations on this page.
Name: Indicates the trap Configuration’s name. Indicates the trap destination’s name.
Enable: Indicates the trap destination mode operation. Possible modes are:
- Enabled: Enable SNMP trap mode operation.
- Disabled: Disable SNMP trap mode operation.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
39
Page 40
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Version: Indicates the SNMP trap supported version. Possible versions are:
SNMPv1: Set SNMP trap supported version 1.
SNMPv2c: Set SNMP trap supported version 2c.
SNMPv3: Set SNMP trap supported version 3.
Trap Community: Indicates the community access string when sending an SNMP trap packet. The allowed string length is 0 to 255,
and the allowed content is ASCII characters from 33 to 126.
• Destination Address: Indicates the SNMP trap destination address. It allows a valid IP address in dotted decimal notation (‘x.y.z.w’).
It also allows a valid hostname. A valid hostname is a string drawn from the alphabet (A-Z, a-z), digits (0-9), dot (.), dash (-). Spaces are not
allowed, the first character must be an alpha character, and the first and last characters must not be a dot or a dash.
It indicates the SNMP trap destination IPv6 address. The IPv6 address is in 128-bit records represented as eight fields of up to four
hexadecimal digits with a colon separating each field (:). For example, ‘fe80::215:c5ff:fe03:4dc7’. The symbol ‘::’ is a special syntax that can
be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once. It can also represent a
legally valid IPv4 address. For example, ‘::192.1.2.34’.
Destination port: Indicates the SNMP trap destination port. An SNMP Agent will send an SNMP message via this port; the port range
is 1–65535.
• Trap Inform Mode: Indicates the SNMP trap inform mode operation. Possible modes are:
- Enabled: Enable SNMP trap inform mode operation.
- Disabled: Disable SNMP trap inform mode operation.
• Trap Inform Timeout (seconds): Indicates the SNMP trap inform timeout. The allowed range is 0 to 2147.
• Trap Inform Retry Times: Indicates the SNMP trap inform retry times. The allowed range is 0 to 255.
• Trap Probe Security Engine ID: Indicates the SNMP trap probe security engine ID mode of operation. Possible values are:
- Enabled: Enable SNMP trap probe security engine ID mode of operation.
- Disabled: Disable SNMP trap probe security engine ID mode of operation.
Trap Security Engine ID: Indicates the SNMP trap security engine ID. SNMPv3 sends traps and informs using USM for authentication
and privacy. A unique engine ID for these traps and informs is needed. When “Trap Probe Security Engine ID” is enabled, the ID will
be probed automatically. Otherwise, the ID specified in this field is used. The string must contain an even number (in hexadecimal
format) with number of digits between 10 and 64, but all-zeros and all-’F’s are not allowed.
Trap Security Name: Indicates the SNMP trap security name. SNMPv3 traps and informs using USM for authentication and privacy. A
unique security name is needed when traps and informs are enabled.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
COMMUNITIES
The function is used to configure SNMPv3 communities. The Community and UserName is unique. To create a new community
account, check the <Add new community> button, enter the account information. then check <Save>. Max Group Number: 4.
WEB INTEFACE
To display the configure SNMP Communities in the web interface:
1. Click SNMP, Communities.
2. Click Add new community.
3. Specify the SNMP communities parameters.
4. Click Apply.
5. If you want to modify or clear the setting, then click Reset.
40
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 41
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
FIGURE 3-23. SNMPV1/V2 COMMUNITIES SECURITY CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
Community: Indicates the community access string to permit access to SNMPv3 agent. The allowed string length is 1 to 32, and the
allowed content is ASCII characters from 33 to 126. The community string will be treated as a security name and map an SNMPv1 or
SNMPv2c community string.
Source IP: Indicates the SNMP access source address. A particular range of source addresses can be used to restrict source subnet
when combined with a source mask.
Source Mask: Indicates the SNMP access source address mask
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
USERS
The function is used to configure an SNMPv3 user. The Entry index key is UserName. To create a new UserName account, check the
<Add new user> button, enter the user information, then check <Save>. Max Group Number: 10.
WEB INTERFACE
To display the configure SNMP Users in the web interface:
1. Click SNMP, Users.
2. Specify the Privilege parameter.
3. Click Apply.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
41
Page 42
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-24. SNMP USERS CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
Engine ID: An octet string identifying the engine ID that this entry should belong to. The string must contain an even number (in
hexadecimal format) with the number of digits between 10 and 64, but all-zeros and all-’F’s are not allowed. The SNMPv3 architecture
uses the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access
control. For the USM entry, the usmUserEngineID and usmUserName are the entry’s keys. In a simple agent, usmUserEngineID is
always that agent’s own snmpEngineID value. The value can also take the value of the snmpEngineID of a remote SNMP engine with
which this user can communicate. In other words, if the user engine ID equals the system engine ID, then it is a local user; otherwise
it’s a remote user.
User Name: A string identifying the user name that this entry should belong to. The allowed string length is 1 to 32, and the allowed
content is ASCII characters from 33 to 126.
Security Level: Indicates the security model that this entry should belong to. Possible security models are:
- NoAuth, NoPriv: No authentication and no privacy.
- Auth, NoPriv: Authentication and no privacy.
- Auth, Priv: Authentication and privacy.
The value of the security level cannot be modified if an entry already exists. First, make sure that the value is set correctly.
Authentication Protocol: Indicates the authentication protocol that this entry should belong to. Possible authentication protocols are:
- None: No authentication protocol.
- MD5: An optional flag to indicate that this user uses the MD5 authentication protocol.
- SHA: An optional flag to indicate that this user uses the SHA authentication protocol.
The value of the security level cannot be modified if an entry already exists. First, make sure that the value is set correctly.
Authentication Password: A string identifying the authentication password phrase. For MD5 authentication protocol, the allowed string
length is 8 to 32. For SHA authentication protocol, the allowed string length is 8 to 40. The allowed content is ASCII characters from
33 to 126.
42
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 43
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
• Privacy Protocol: Indicates the privacy protocol that this entry should belong to. Possible privacy protocols are:
- None: No privacy protocol.
- DES: An optional flag to indicate that this user uses the DES authentication protocol.
Privacy Password: A string identifying the privacy password phrase. The allowed string length is 8 to 32, and the allowed content is
ASCII characters from 33 to 126.
GROUP
The function is used to configure an SNMPv3 group. The Entry index keys are Security Model and Security Name. To create a new
group account, check the <Add new group> button, enter the group information, then check <Save>. Max Group Number: v1: 2, v2: 2,
v3:10.
WEB INTERFACE
To display the configure SNMP Groups in the web interface:
1. Click SNMP, Groups.
2. Specify the Privilege parameter.
3. Click Apply.
FIGURE 3-25. SNMP GROUPS CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
Security Model: Indicates the security model that this entry should belong to. Possible security models are:
- v1: Reserved for SNMPv1.
- v2c: Reserved for SNMPv2c.
- usm: User-based Security Model (USM).
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
43
Page 44
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Security Name: A string identifying the security name that this entry should belong to. The allowed string length is 1 to 32, and the
allowed content is ASCII characters from 33 to 126.
Group Name: A string identifying the group name that this entry should belong to. The allowed string length is 1 to 32, and the allowed
content is ASCII characters from 33 to 126.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
VIEWS
The function is used to configure the SNMPv3 view. The Entry index keys are OID Subtree and View Name. To create a new view
account, check the <Add new view> button, enter the view information, then check <Save>. Max Group Number: 28.
Configure SNMPv3 view table on this page. The entry index keys are View Name and OID Subtree.
WEB INTERFACE
To display the configure SNMP views in the web interface:
1. Click SNMP, Views.
2. Click Add new View.
3. Specify the SNMP View parameters.
4. Click Apply.
5. If you want to modify or clear the setting, then click Reset.
FIGURE 3-26. SNMP VIEWS CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
View Name: A string identifying the view name that this entry should belong to. The allowed string length is 1 to 32, and the allowed
content is ASCII characters from 33 to 126.
View Type: Indicates the view type that this entry should belong to. Possible view types are:
- included: An optional flag to indicate that this view subtree should be included.
- excluded: An optional flag to indicate that this view subtree should be excluded.
44
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 45
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
In general, if a view entry’s view type is ‘excluded’, there should be another view entry existing with view type as ‘included’ and its OID
subtree should overstep the ‘excluded’ view entry.
OID Subtree: The OID defining the root of the subtree to add to the named view. The allowed OID length is 1 to 128. The allowed string
content is digital number or asterisk(*).
ACCESS
The function is used to configure SNMPv3 accesses. The Entry index key are Group Name, Security Model and Security level. To
create a new access account, please check <Add new access> button, and enter the access information then check <Save>. Max
Group Number : 14
WEB INTERFACE
To display the configure SNMP Access in the web interface:
1. Click SNMP, Accesses.
2. Click Add new Access.
3. Specify the SNMP Access parameters.
4. Click Apply.
5. If you want to modify or clear the setting, then click Reset.
FIGURE 3-27. SNMP ACCESSES CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
Group Name: A string identifying the group name that this entry should belong to. The allowed string length is 1 to 32, and the allowed
content is ASCII characters from 33 to 126.
Security Model: Indicates the security model that this entry should belong to. Possible security models are:
- any: Any security model accepted(v1|v2c|usm).
- v1: Reserved for SNMPv1.
- v2c: Reserved for SNMPv2c.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
45
Page 46
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
- usm: User-based Security Model (USM).
Security Level: Indicates the security model that this entry should belong to. Possible security models are:
- NoAuth, NoPriv: No authentication and no privacy.
- Auth, NoPriv: Authentication and no privacy.
- Auth, Priv: Authentication and privacy.
Read View Name: The name of the MIB view defining the MIB objects for which this request may request the current values. The
allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Write View Name: The name of the MIB view defining the MIB objects for which this request may potentially set new values. The
allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
TRAP EVENT SEVERITY
This page displays current trap event severity configurations. Trap event severity can also be configured here.
WEB INTERFACE
To display the configure Trap Event Severity in the web interface:
1. Click SNMP, Trap Event Severity.
2. Scroll to select the Group name and Severity Level.
3. Click Apply to save the setting.
4. If you want to cancel the setting, then you need to click the Reset button. It will revert to previously saved values.
FIGURE 3-28. TRAP EVENT SEVERITY CONFIGURATION SCREEN
Parameter description:
Group Name: The name identifying the severity group.
Severity Level: Every group has a severity level. The following level types are supported:
<0> Information: Information messages.
<1> Warning: Warning conditions.
<2> Error: Error conditions.
46
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 47
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Syslog: Enable - Select this Group Name in Syslog.
Trap: Enable - Select this Group Name in Trap.
SMTP: Enable - Select this Group Name in SMTP.
3.5.1.8 RMON
An RMON implementation typically operates in a client/server model. Monitoring devices contain RMON software agents that collect
information and analyze packets. These probes act as servers and the Network Management applications that communicate with
them act as clients.
STATISTIC S
Configure the RMON Statistics table on this page. The entry index key is ID.
WEB INTERFACE
To display the configure RMON configuration in the web interface:
1. Click RMON, Statistics.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
FIGURE 3-29. RMON Statics Configuration screen
Parameter description:
These parameters are displayed on the RMON Statistics Configuration page:
Delete: Check to delete the entry. It will be deleted during the next save.
ID: Indicates the index of the entry. The range is from 1 to 65535.
Data Source: Indicates the port ID which wants to be monitored. If in stacking switch, the value must add 1000*(switch ID-1), for
example, if the port is switch 3 port 5, the value is 2005
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
47
Page 48
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Interval: Indicates the interval in seconds for sampling the history statistics data. The range is from 1 to 3600, default value is 1800
seconds.
Buckets: Indicates the maximum data entries associated this History control entry stored in RMON. The range is from 1 to 3600,
default value is 50.
Buckets Granted: The number of data will be saved in the RMON.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
HISTORY
Configure the RMON History table on this page. The entry index key is ID.
WEB INTERFACE
To display the configure RMON History in the web interface:
1. Click RMON, History.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
FIGURE 3-30. RMON HISTORY CONFIGURATION SCREEN
Parameter description:
These parameters are displayed on the RMON History Configuration page:
Delete: Check to delete the entry. It will be deleted during the next save.
ID: Indicates the index of the entry. The range is from 1 to 65535.
Data Source: Indicates the port ID to be monitored. If a stacking switch, the value must add 1000*(switch ID-1), for example, if the port
is switch 3 port 5, the value is 2005.
Interval: Indicates the interval in seconds for sampling the history statistics data. The range is from 1 to 3600, default value is 1800
seconds.
Buckets: Indicates the maximum data entries associated with this History control entry stored in RMON. The range is from 1 to 3600;
default value is 50.
• Buckets Granted: The number of data saved in the RMON.
48
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 49
CHAPTER 3: SYSTEM CONFIGURATION
RMON
Configure the RMON Alarm table on this page. The entry index key is ID.
WEB INTERFACE
To display the configure RMON Alarm in the web interface:
1. Click RMON, Alarm.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-31. RMON ALARM CONFIGURATION SCREEN
Parameter description:
These parameters are displayed on the RMON Alarm Configuration page:
Delete: Check to delete the entry. It will be deleted during the next save.
ID: Indicates the index of the entry. The range is from 1 to 65535.
Interval: Indicates the interval in seconds for sampling and comparing the rising and falling threshold. The range is from 1 to 2^31-1.
Variable: Indicates the particular variable to be sampled, the possible variables are:
- InOctets: The total number of octets received on the interface, including framing characters.
- InUcastPkts: The number of unicast packets delivered to a higher-layer protocol.
- InNUcastPkts: The number of broadcast and multicast packets delivered to a higher-layer protocol.
- InDiscards: The number of inbound packets that are discarded even when the packets are normal.
- InErrors: The number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol.
- InUnknownProtos: the number of the inbound packets that were discarded because of an unknown or unsupported protocol.
- OutOctets: The number of octets transmitted out of the interface , including framing characters.
- OutUcastPkts: The number of unicast packets that request to transmit.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
49
Page 50
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
- OutNUcastPkts: The number of broadcast and multicast packets that request to transmit.
- OutDiscards: The number of outbound packets that are discarded even when the packets is normal.
- OutErrors: The number of outbound packets that could not be transmitted because of errors.
- OutQLen: The length of the output packet queue (in packets).
Sample Type: The method of sampling the selected variable and calculating the value to be compared against the thresholds; possible
sample types are:
- Absolute: Get the sample directly.
- Delta: Calculate the difference between samples (default).
Value: The value of the statistic during the last sampling period.
Startup Alarm: The method of sampling the selected variable and calculating the value to be compared against the thresholds,
possible sample types are:
- RisingTrigger alarm when the first value is larger than the rising threshold.
- FallingTrigger alarm when the first value is less than the falling threshold.
- RisingOrFallingTrigger alarm when the first value is larger than the rising threshold or less than the falling threshold (default).
• Rising Threshold: Rising threshold value (-2147483648-2147483647).
• Rising Index: Rising event index (1–65535).
• Falling Threshold: Falling threshold value (-2147483648–2147483647)
• Falling Index: Falling event index (1–65535).
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
EVENT
Configure RMON Event table on this page. The entry index key is ID.
WEB INTERFACE
To display the configure RMON Event in the web interface:
1. Click RMON, Event.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
FIGURE 3-32. RMON EVENT CONFIGURATION SCREEN
50
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 51
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
These parameters are displayed on the RMON History Configuration page:
Delete: Check to delete the entry. It will be deleted during the next save.
ID: Indicates the index of the entry. The range is from 1 to 65535.
Desc: Indicates this event; the string length is from 0 to 127; default is a null string.
Type: Indicates the notification of the event; the possible types are:
- none: No SNMP log is created, no SNMP trap is sent.
- log: Create SNMP log entry when the event is triggered.
- snmptrap: Send SNMP trap when the event is triggered.
- logandtrap: Create SNMP log entry and send SNMP trap when the event is triggered.
Community: Specify the community when a trap is sent; the string length is from 0 to 127; default is “public.”
Event Last Time: Indicates the value of sysUpTime at the time this event entry last generated an event.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.2 NETWORK
3.5.2.1 LIMIT CONTROL
This section shows you to to configure the Port Security settings of the Switch. You can use the Port Security feature to restrict input
to an interface by limiting and identifying MAC addresses.
WEB INTERFACE
To configure Limit Control in the web interface:
1. Select “Enabled” in the System Configuration Mode.
2. Check Aging Enabled.
3. Set Aging Period (Default is 3600 seconds).
To configure Limit Control Port in the web interface:
1. Select “Enabled” in the Port Configuration Mode.
2. Specify the maximum number of MAC addresses in the Port Configuration Limit.
3. Set Action (Trap, Shutdown, Trap & Shutdown)
4. Click Apply.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
51
Page 52
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
52
FIGURE 3-33. PORT SECURITY LIMIT CONTROL CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 53
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Parameter description:
System Configuration
Mode: Indicates if Limit Control is globally enabled or disabled on the switch. If globally disabled, other modules may still use the
underlying functionality, but limit checks and corresponding actions are disabled.
Aging Enabled: If checked, secured MAC addresses are subject to aging as discussed under Aging Period .
Aging Period: If Aging Enabled is checked, then the aging period is controlled with this input. If other modules are using the underlying
port security for securing MAC addresses, they may have other requirements for the aging period. The underlying port security will
use the shorter requested aging period of all modules that use the functionality.
The Aging Period can be set to a number between 10 and 10,000,000 seconds.
To understand why aging may be desired, consider the following scenario: Suppose an end-host is connected to a 3rd party switch
or hub, which in turn is connected to a port on this switch on which Limit Control is enabled. The end-host will be allowed to forward
if the limit is not exceeded. Now suppose that the end-host logs off or powers down. If it wasn’t for aging, the end-host would still
take up resources on this switch and will be allowed to forward. To overcome this situation, enable aging. With aging enabled, a timer
starts once the end-host gets secured. When the timer expires, the switch starts looking for frames from the end-host, and if such
frames are not seen within the next Aging Period, the end-host is assumed to be disconnected, and the corresponding resources are
freed on the switch.
Port Configuration
The table has one row for each port on the selected switch and a number of columns, which are:
Port: The port number to which the configuration below applies.
Mode: Controls whether Limit Control is enabled on this port. Both this and the Global Mode must be set to Enabled for Limit Control
to be in effect. Other modules may still use the underlying port security features without enabling Limit Control on a given port.
Limit: The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1024. If the limit is
exceeded, the corresponding action is taken.
The switch is “born” with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port
Security-enabled port. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted, if the
remaining ports have already used all available MAC addresses.
Action: If Limit is reached, the switch can take one of the following actions:
- None: Do not allow more than Limit MAC addresses on the port, but take no further action.
- Trap: If Limit + 1 MAC addresses are seen on the port, send an SNMP trap. If Aging is disabled, only one SNMP trap will be sent; but
with Aging enabled, new SNMP traps will be sent every time the limit is exceeded.
- Shutdown: If Limit + 1 MAC addresses are seen on the port, shut down the port. This implies that all secured MAC addresses will be
removed from the port, and no new address will be learned. Even if the link is physically disconnected and reconnected on the port
(by disconnecting the cable), the port will remain shut down. There are three ways to re-open the port:
1. Boot the switch.
2. Disable and re-enable Limit Control on the port or the switch.
3. Click the Reopen button.
- Trap & Shutdown: If Limit + 1 MAC addresses are seen on the port, both the “Trap” and the “Shutdown” actions described above will
be taken.
State: This column shows the current state of the port as seen from the Limit Control’s point of view. The state takes one of four
values:
- Disabled: Limit Control is either globally disabled or disabled on the port.
- Ready: The limit is not yet reached. This can be shown for all actions.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
53
Page 54
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
- Limit Reached: Indicates that the limit is reached on this port. This state can only be shown if Action is set to None or Trap.
- Shutdown: Indicates that the port is shut down by the Limit Control module. This state can only be shown if Action is set to
Shutdown or Trap & Shutdown.
Re-open Button: If a port is shut down by this module, you may reopen it by clicking this button, which will only be enabled if this is the
case. For other methods, refer to Shutdown in the Action section.
NOTE: Clicking the reopen button causes the page to be refreshed, so non-committed changes will be lost.
Upper right icon (Refresh): You can click on this icon to refresh the Port Security information manually.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.2.2 NAS
The section describes how to configure the NAS parameters of the switch. The NAS server can be employed to connect users to a
variety of resources, including Internet access, conference calls, printing documents on shared printers, or by simply logging on to
the Internet.
WEB INTERFACE
To configure a Network Access Server in the web interface:
1. Select “Enabled” in the Network Access Server Configuration Mode.
2. Check Reauthentication Enabled.
3. Set Reauthentication Period (Default is 3600 seconds).
4. Set EAPOL Timeout (Default is 30 seconds).
5. Set Aging Period (Default is 300 seconds).
6. Set Hold Time (Default is 10 seconds).
7. Check RADIUS-Assigned QoS Enabled.
8. Check RADIUS-Assigned VLAN Enabled.
9. Check Guest VLAN Enabled.
10. Specify Guest VLAN ID.
11. Specify Max. Reauth. Count.
12. Check Allow Guest VLAN if EAPOL Seen.
13. Click Apply.
54
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 55
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-34. NETWORK ACCESS SERVER CONFIGURATION SCREEN
Parameter description:
Mode: Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames.
Reauthentication Enabled: If checked, successfully authenticated supplicants/clients are reauthenticated after the interval specified by
the Reauthentication Period. Reauthentication for 802.1X-enabled ports can be used to detect if a new device is plugged into a switch
port or if a supplicant is no longer attached.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
55
Page 56
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve
communication between the switch and the client, and therefore doesn’t imply that a client is still present on a port (see Aging Period
below).
Reauthentication Period: Determines the period, in seconds, after which a connected client must be reauthenticated. This is only
active if the Reauthentication Enabled checkbox is checked. Valid values are in the range 1 to 3600 seconds.
EAPOL Timeout: Determines the time for retransmission of Request Identity EAPOL frames. Valid values range from 1 to 255
seconds. This has no effect for MAC-based ports.
Aging Period: This setting applies to the following modes, i.e. modes using the Port Security function to secure MAC addresses:
- Single 802.1X
- Multi 802.1X
- MAC-Based Auth.
When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity
on the MAC address in question at regular intervals and free resources if no activity is seen within a given period of time. This
parameter controls exactly this period and can be set to a number between 10 and 1000000 seconds.
If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that are no longer
attached to the port will get removed upon the next reauthentication, which will fail. But if reauthentication is not enabled, the only
way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication doesn’t cause direct communication between the switch and the client, so this
will not detect whether the client is still attached or not, and the only way to free any resources is to age the entry.
Hold Time: This setting applies to the following modes, i.e. modes using the Port Security functionality to secure MAC addresses:
- Single 802.1X
- Multi 802.1X
- MAC-Based Auth.
If a client is denied access—either because the RADIUS server denies the client access or because the RADIUS server request times
out (according to the timeout specified on the “Configuration→Security→AAA” page)—the client is put on hold in the Unauthorized
state. The hold timer does not count during an ongoing authentication.
In MAC-based Auth. mode, the switch will ignore new frames coming from the client during the hold time.
The Hold Time can be set to a number between 10 and 1000000 seconds.
RADIUS-Assigned QoS Enabled: RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming
from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special
RADIUS attributes to take advantage of this feature (see RADIUS-Assigned QoS Enabled below for a detailed description)
The “RADIUS-Assigned QoS Enabled” checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class
functionality. When checked, the individual port‘s ditto setting determines whether RADIUS-assigned QoS Class is enabled on that
port. When unchecked, RADIUS-server assigned QoS Class is disabled on all ports.
RADIUS-Assigned VLAN Enabled: RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully
authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN.
The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned
VLAN Enabled below for a detailed description).
The “RADIUS-Assigned VLAN Enabled” checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN
functionality. When checked, the individual port‘s ditto setting determines whether RADIUS-assigned VLAN is enabled on that port.
When unchecked, RADIUS-server assigned VLAN is disabled on all ports.
Guest VLAN Enabled: A Guest VLAN is a special VLAN —typically with limited network access—on which 802.1X-unaware clients are
placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as
listed below.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
56
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 57
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
The “Guest VLAN Enabled” checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the
individual port‘s ditto setting determines whether the port can be moved into a Guest VLAN. When unchecked, the ability to move to
the Guest VLAN is disabled on all ports.
Guest VLAN ID: This is the value that a port’s Port VLAN ID is set to if a port is moved into the Guest VLAN. It is only changeable if the
Guest VLAN option is globally enabled. Valid values are in the range [1; 4095].
Max. Reauth. Count: The number of times the switch transmits an EAPOL Request Identity frame without response before considering
entering the Guest VLAN is adjusted with this setting. The value can only be changed if the Guest VLAN option is globally enabled.
Valid values are in the range [1; 255].
Allow Guest VLAN if EAPOL Seen: The switch remembers if an EAPOL frame has been received on the port for the lifetime of the
port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled
(unchecked, default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of
the port. If enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port
for the lifetime of the port. The value can only be changed if the Guest VLAN option is globally enabled.
Port Configuration: The table has one row for each port on the selected switch and a number of columns.
Port: The port number for which the configuration below applies.
Admin State: If NAS is globally enabled, this selection controls the port’s authentication mode. Several modes are available.
Force Authorized: In this mode, the switch will send one EAPOL Success frame when the port link comes up, and any client on the port
will be allowed network access without authentication.
Force Unauthorized: In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the
port will be disallowed network access.
Port-based 802.1X: In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the
authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant
and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP
Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS server
are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch’s IP address, name,
and the supplicant’s port number on the switch. EAP is very flexible, in that it allows for different authentication methods, like MD5Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn’t need to know which authentication
method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular
method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides
forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the
supplicant.
NOTE: Suppose two back-end servers are enabled and that the server timeout is configured to X seconds (using the AAA
configuration page), and suppose that the first server in the list is currently down (but not considered dead).
If the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because
the switch will cancel ongoing back-end authentication server requests whenever it receives a new EAPOL Start frame from the
supplicant.
And since the server hasn’t yet failed (because the X seconds haven’t expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will loop forever. So, the server timeout should be smaller than the
supplicant‘s EAPOL Start frame retransmission rate.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
57
Page 58
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened
for network traffic. This allows other clients connected to the port (for instance through a hub) to piggyback on the successfully
authenticated client and get network access even though they really aren’t authenticated. To overcome this security breach, use the
Single 802.1X variant. Single 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based
802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the
communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first
when the port’s link comes up will be the first one considered. If that supplicant doesn’t provide valid credentials within a certain
amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be
allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a
supplicant’s MAC address once successfully authenticated.
Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened
for network traffic. This allows other clients connected to the port (for instance through a hub) to piggyback on the successfully
authenticated client and get network access even though they really aren’t authenticated. To overcome this security breach, use the
Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X. Multi 802.1X
is—like Single 802.1X— not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X, one or
more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured
in the MAC table using the Port Security module.
In Multi 802.1X, it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from
the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the
switch. Instead, the switch uses the supplicant‘s MAC address, which is obtained from the first EAPOL Start or EAPOL Response
Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL
Request Identity frames using the BPDU multicast MAC address as destination—to wake up any supplicants that might be on the
port.
The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.
MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method
adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of
clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client’s MAC address as
both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a
string on the following form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits.
The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open
up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the
switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g.
through a 3rd party switch or a hub) and still require individual authentication, and that the clients don’t need special supplicant
software to authenticate. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don’t
need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users—
equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported.
The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS Enabled: When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the
switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a
supplicant is successfully authenticated. If present and valid, traffic received on the supplicant’s port will be classified to the given
QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it‘s invalid, or the
supplicant is otherwise no longer present on the port, the port‘s QoS Class is immediately reverted to the original QoS Class (which
may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
58
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 59
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
This option is only available for single-client modes, i.e.
- Port-based 802.1X
- Single 802.1X
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes needed in order to successfully identify a QoS Class.
The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow this rule:
All 8 octets in the attribute’s value must be identical and consist of ASCII characters in the range 0 - 3, which translates into the desired
QoS Class in the range [0; 3].
RADIUS-Assigned VLAN Enabled: When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port,
the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a
supplicant is successfully authenticated. If present and valid, the port‘s Port VLAN ID will be changed to this VLAN ID, the port will be
set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the
port will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it‘s invalid, or the supplicant is
otherwise no longer present on the port, the port‘s VLAN ID immediately reverts to the original VLAN ID (which may be changed by
the administrator in the meantime without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
Port-based 802.1X
Single 802.1X
For troubleshooting VLAN assignments, use the “Monitor→VLANs→VLAN Membership and VLAN Port” pages. These pages show
which modules have (temporarily) overridden the current Port VLAN configuration.
RADIUS attributes used in identifying a VLAN ID:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following
criteria are used:
The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept
packet.
The switch looks for the first set of these attributes that have the same Tag value and fulfill the following requirements (if Tag == 0 is
used, the Tunnel-Private-Group-ID does not need to include a Tag):
- Value of Tunnel-Medium-Type must be set to “IEEE-802” (ordinal 6).
- Value of Tunnel-Type must be set to “VLAN” (ordinal 13).
- Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range 0 – 9, which is interpreted as a decimal string
representing the VLAN ID. Leading “0“s are discarded. The final value must be in the range [1; 4095].
Guest VLAN Enabled: When Guest VLAN is both globally enabled and enabled (checked) for a given port, the switch considers moving
the port into the Guest VLAN according to the rules outlined below.
This option is only available for EAPOL-based modes, i.e.:
Port-based 802.1X
Single 802.1X
Multi 802.1X
For troubleshooting VLAN assignments, use the “Monitor—>VLAN—>VLAN Membership and VLAN Port” pages. These pages show
which modules have (temporarily) overridden the current Port VLAN configuration.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
59
Page 60
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Guest VLAN Operation: When a Guest VLAN enabled port‘s link comes up, the switch starts transmitting EAPOL Request Identity
frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in
the meantime, the switch considers entering the Guest VLAN. The interval between transmission of EAPOL Request Identity frames
is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN.
If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history
is cleared if the port link goes down or the port’s Admin State is changed), and if not, the port will be placed in the Guest VLAN.
Otherwise, it will not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL
Timeout.
Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN.
The switch will not transmit an EAPOL Success frame when entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately
takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. If an EAPOL frame is
received, the port will never be able to go back into the Guest VLAN if “Allow Guest VLAN if EAPOL Seen” is disabled.
Port State: The current state of the port. It can be one of the following values:
- Globally Disabled: NAS is globally disabled.
- Link Down: NAS is globally enabled, but there is no link on the port.
- Authorized: The port is in Force Authorized or a in single-supplicant mode and the supplicant is authorized.
- Unauthorized: The port is in Force Unauthorized or a in single-supplicant mode and the supplicant is not successfully authorized by
the RADIUS server.
- X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized and Y are unauthorized.
Restart: Two buttons are available for each row. The buttons are only enabled when authentication is globally enabled and the port’s
Admin State is in an EAPOL-based or MAC-based mode.
Clicking these buttons will not cause settings changed on the page to take effect.
Reauthenticate: Schedules a reauthentication whenever the quiet-period of the port runs out (EAPOL-based authentication). For MACbased authentication, reauthentication will be attempted immediately.
The button only affects successfully authenticated clients on the port and will not cause the clients to be temporarily unauthorized.
Reinitialize: Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The clients will transfer to
the unauthorized state while the reauthentication is in progress.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
• Upper right icon (Refresh): Click this icon to refresh the NAS Configuration manually.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
60
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 61
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.2.3 ACL
The L2+ Managed switch access control list (ACL) is probably the most commonly used object in the IOS. It is used for packet
filtering but also for selecting types of traffic to be analyzed, forwarded, or influenced in some way. The ACLs are divided into Ether
Types. IPv4, ARP protocol, MAC and VLAN parameters etc. Here we will just go over the standard and extended access lists for TCP/
IP. As you create ACEs for ingress classification, you can assign a policy for each port; the policy number is 1-8, however, each policy
can be applied to any port. This makes it very easy to determine what type of ACL policy you will be working with.
Ports
The section describes how to configure the ACL parameters (ACE) for each switch port. These parameters will affect frames
received on a port unless the frame matches a specific ACE
Web Interface
To configure the ACL Ports Configuration in the web interface:
1. Click Configuration, ACL, then Ports.
2. Scroll to the specific parameter value to select the correct value for port ACL setting.
3. Click save to save the setting.
4. If you want to cancel the setting, click the reset button. It will revert to previously saved values.
5. After you finish the configuration, then you can see the port Counter. Click refresh to update the counter or click Clear to clear the
information.
FIGURE 3-35. ACL PORTS CONFIGURATION SCREEN
Parameter description:
Port: The logical port for the settings contained in the same row.
Policy ID: Select the policy to apply to this port. The allowed values are 1 through 8. The default value is 1.
Action: Select whether forwarding is permitted (“Permit”) or denied (“Deny”). The default value is “Permit.”
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
61
Page 62
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Rate Limiter ID: Select which rate limiter to apply on this port. The allowed values are Disabled or the values 1 through 16. The default
value is “Disabled.”
Port Redirect: Select which port frames are redirected on. The allowed values are Disabled or a specific port number and it can’t be
set when action is permitted. The default value is “Disabled.”
Mirror: Specify the mirror operation of this port. The allowed values are:
- Enabled: Frames received on the port are mirrored.
- Disabled: Frames received on the port are not mirrored.
The default value is “Disabled.”
Logging: Specify the logging operation of this port. The allowed values are:
- Enabled: Frames received on the port are stored in the System Log.
- Disabled: Frames received on the port are not logged.
The default value is “Disabled.”
NOTE: The System Log memory size and logging rate is limited.
Shutdown: Specify the port shutdown operation. The allowed values are:
- Enabled: If a frame is received on the port, the port will be disabled.
- Disabled: Port shutdown is disabled.
The default value is “Disabled.”
State: Specify the state of this port. The allowed values are:
- Enabled: Reopen ports by changing the volatile port configuration of the ACL user module.
- Disabled: Close ports by changing the volatile port configuration of the ACL user module.
The default value is “Enabled.”
Counter: Counts the number of frames that match this ACE.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
Upper right icon (Refresh, clear): Click on these icons to refresh the ACL Port Configuration or clear it manually.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
RATE LIMITERS
This section describes how to configure the switch’s ACL Rate Limiter parameters. The Rate Limiter Level ranges from 1 to 16 pps or
kbps.
WEB INTERFACE
To configure ACL Rate Limiter in the web interface:
1. Click Configuration, ACL, then Rate Limiter.
2. Specify the Rate field and the range from 0 to 3276700.
3. Scroll the Unit with pps or kbps.
4. Click Apply to save the setting.
5. To cancel the setting, click the reset button. It will revert to previously saved values.
62
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 63
CHAPTER 3: SYSTEM CONFIGURATION
FIGURE 3-36. ACL RATE LIMITER CONFIGUR ATION SCREEN
Parameter description:
Rate Limiter ID: The rate limiter ID for the settings contained in the same row.
Rate: The allowed values are: 0–3276700 in pps or 0, 100, 200, 300, ..., 1000000 in kbps.
Unit: Specify the rate unit. The allowed values are:
- pps: packets per second.
- kbps: Kbits per second.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
ACCESS CONTROL LIST
The section describes how to configure Access Control List rule. An Access Control List (ACL) is a sequential list of permit or deny
conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the
conditions in an ACL one-by-one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a
deny rule. If no rules match, the frame is accepted. Other actions can also be invoked when a matching packet is found, including rate
limiting, copying matching packets to another port or to the system log, or shutting down a port.
This page shows the Access Control List (ACL), which is made up of the ACEs defined on this switch. Each row describes the ACE
that is defined. The maximum number of ACEs is 256 on each switch. Click on the lowest plus sign to add a new ACE to the list. The
reserved ACEs used for internal protocol cannot be edited or deleted, and the order sequence cannot be changed when the priority is
highest.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
63
Page 64
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
WEB INTERFACE
To configure Access Control List in the web interface:
1. Click Configuration, ACL, then Configuration.
2. Click the “+” button to add a new ACL, or use the other ACL modification buttons to specify the editing action (i.e., edit, delete, or
moving the relative position of entry in the list).
3. Specify the ACE parameter.
4. Click save to save the setting.
5. To cancel the setting, click the reset button. It will revert to previously saved values.
6. When editing an entry on the ACE Configuration page, note that the Items displayed depend on various selections, such as Frame
Type and IP Protocol Type. Specify the relevant criteria to be matched for this rule, and set the actions to take when a rule is matched
(such as Rate Limiter, Port Copy, Logging, and Shutdown).
64
FIGURE 3-37. ACCESS CONTROL LIST CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 65
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Parameter description:
Ingress Port: Indicates the ingress port of the ACE. Possible values are:
- Any: The ACE will match any ingress port.
- Policy: The ACE will match ingress ports with a specific policy.
- Port: The ACE will match a specific ingress port.
• Policy/Bitmask: Indicates the policy number and bitmask of the ACE.
• Frame Type: Indicates the frame type of the ACE. Possible values are:
- Any: The ACE will match any frame type.
- EType: The ACE will match Ethernet Type frames.
NOTE: An Ethernet Type based ACE will not get matched by IP and ARP frames.
- ARP: The ACE will match ARP/RARP frames.
- IPv4: The ACE will match all IPv4 frames.
- IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol.
- IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
- IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
- IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP.
- IPv6: The ACE will match all IPv6 standard frames.
Action: Indicates the forwarding action of the ACE.
- Permit: Frames matching the ACE may be forwarded and learned.
- Deny: Frames matching the ACE are dropped.
- Filter: Frames matching the ACE are filtered.
Rate Limiter: Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled is displayed, the rate limiter
operation is disabled.
Port Copy: Indicates the port copy operation of the ACE. Frames matching the ACE are copied to the port number. The allowed values
are Disabled or a specific port number. When Disabled is displayed, the port copy operation is disabled.
Mirror: Specify the mirror operation of this port. The allowed values are:
- Enabled: Frames received on the port are mirrored.
- Disabled: Frames received on the port are not mirrored. The default value is “Disabled”.
Logging: Indicates the logging operation of the ACE. Possible values are:
- Enabled: Frames matching the ACE are stored in the System Log.
- Disabled: Frames matching the ACE are not logged.
NOTE: The System Log memory size and logging rate is limited.
Shutdown: Indicates the port shutdown operation of the ACE. Possible values are:
- Enabled: If a frame matches the ACE, the ingress port will be disabled.
- Disabled: Port shutdown is disabled for the ACE.
• Counter: The counter indicates the number of times the ACE was hit by a frame.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
65
Page 66
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Modification Buttons
You can modify each ACE (Access Control Entry) in the table using the following buttons:
+ Inserts a new ACE before the current row.
o Edits the ACE row.
up-arrow Moves the ACE up the list.
down-arrow Moves the ACE down the list.
x Deletes the ACE.
+ The lowest plus sign adds a new entry at the bottom of the + ACE listings.
MAC Parameter:
SMAC Filter: (Only displayed when the frame type is Ethernet Type or ARP.) Specify the source MAC filter for this ACE.
- Any: No SMAC filter is specified. (SMAC filter status is “don’t-care”.)
- Specific: If you want to filter a specific source MAC address with this ACE, choose this value. A field for entering an SMAC value appears.
SMAC Value: When “Specific” is selected for the SMAC filter, you can enter a specific source MAC address. The legal format is “xx-xx-
xx-xx-xx-xx” or “xx.xx.xx.xx.xx.xx” or “xxxxxxxxxxxx” (x is a hexadecimal digit). A frame that hits this ACE matches this SMAC value.
DMAC Filter: Specify the destination MAC filter for this ACE.
- Any: No DMAC filter is specified. (DMAC filter status is “don’t-care.”)
- MC: Frame must be multicast.
- BC: Frame must be broadcast.
- UC: Frame must be unicast.
- Specific: If you want to filter a specific destination MAC address with this ACE, choose this value. A field for entering a DMAC value
appears.
DMAC Value: When “Specific” is selected for the DMAC filter, you can enter a specific destination MAC address. The legal format is
“xx-xx-xx-xx-xx-xx” or “xx.xx.xx.xx.xx.xx” or “xxxxxxxxxxxx” (x is a hexadecimal digit). A frame that hits this ACE matches this DMAC
value.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
Auto-refresh: Select auto-refresh to refresh the information automatically.
Upper right icon (Refresh, clear, Remove All): Click to refresh the ACL configuration or clear manually. Click remove all to clean up all
ACL configurations on the table.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
66
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 67
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.2.4 IP SOURCE GUARD
The section describes how to configure the IP Source Guard detail parameters of the switch. You could use the IP Source Guard
configure to enable or disable a switch port.
Configuration
This section describes how to configure IP Source Guard settings including:
Mode (Enabled and Disabled)
Maximum Dynamic Clients (0, 1, 2, Unlimited)
WEB INTERFACE
To configure an IP Source Guard Configuration in the web interface:
1. Select “Enabled” in the IP Source Guard Configuration Mode.
2. Select “Enabled” for the specific port in the Port Mode Configuration.
3. Select Maximum Dynamic Clients (0, 1, 2, Unlimited) for the specific port in the Port Mode Configuration.
4. Click Apply.
FIGURE 3-38. IP SOURCE GUARD CONFIGURATION SCREEN
Parameter description:
IP Source Guard Configuration Mode: Enable the Global IP Source Guard or disable the Global IP Source Guard. All configured ACEs
will be lost when the mode is enabled.
Port Mode Configuration: Specify IP Source Guard as enabled on which ports. Only when both Global Mode and Port Mode on a given
port are enabled will IP Source Guard be enabled on this given port.
Max Dynamic Clients: Specify the maximum number of dynamic clients that can be learned on a given port. This value can be 0, 1, 2,
or unlimited. If the port mode is enabled and the value of max dynamic client is equal to 0, only IP packets that match static entries on
the specific port are forwarded.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
67
Page 68
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
STATIC TABLE
The section describes how to configure the Static IP Source Guard Table switch parameters. Use the Static IP Source Guard Table to
manage the entries.
WEB INTERFACE
To configure a Static IP Source Guard Table Configuration in the web interface:
1. Click “Add new entry.”
2. Specify the Port, VLAN ID, IP Address, and MAC address in the entry.
3. Click Apply.
FIGURE 3-39. STATIC IP SOURCE GUARD TABLE SCREEN
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
Port: The logical port for the settings.
VLAN ID: The vlan id for the settings.
IP Address: Allowed Source IP address.
MAC address: Allowed Source MAC address.
Adding new entry: Click to add a new entry to the Static IP Source Guard table. Specify the Port, VLAN ID, IP address, and IP Mask for
the new entry. Click “Save.”
68
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 69
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.2.5 ARP INSPECTION
The section describes how to configure the ARP Inspection parameters of the switch. You can use the ARP Inspection configure to manage
the ARP table.
CONFIGURATION
This section describes how to configure ARP Inspection settings.
Mode (Enabled and Disabled)
Port (Enabled and Disabled)
WEB INTERFACE
To configure an ARP Inspection Configuration in the web interface:
1. Select “Enabled” in the ARP Inspection Configuration Mode.
2. Select “Enabled” for the specific port in the Port Mode Configuration.
3. Click Apply.
FIGURE 3-40. ARP INSPECTION CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
69
Page 70
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
ARP Inspection Configuration Mode: Enable the Global ARP Inspection or disable the Global ARP Inspection.
Port Mode Configuration: Specify ARP Inspection as enabled on which ports. Only when both Global Mode and Port Mode on a given
port are enabled, will ARP Inspection be enabled on this given port. Possible modes are:
- Enabled: Enable ARP Inspection operation.
- Disabled: Disable ARP Inspection operation.
If you want to inspect the VLAN configuration, you have to enable the “Check VLAN” setting. The default setting of “Check VLAN” is
disabled. When the setting of “Check VLAN” is disabled, the log type of ARP Inspection will refer to the port setting. When the setting
of “Check VLAN” is enabled, the log type of ARP Inspection will refer to the VLAN setting. Possible settings of “Check VLAN” are:
- Enabled: Enable check VLAN operation.
- Disabled: Disable check VLAN operation.
Only when the Global Mode and Port Mode on a given port are enabled and the setting of “Check VLAN” is disabled, will the log type
of ARP Inspection refer to the port setting. There are four log types:
- None: Log nothing.
- Deny: Log denied entries.
- Permit: Log permitted entries.
- ALL: Log all entries.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
VLAN MODE CONFIGURATION
Each page shows up to 9999 entries (the default is 20) from the VLAN table selected through the “entries per page” input field. When
first visited, the web page will show the first 20 entries from the beginning of the VLAN Table. The first displayed will be the one with
the lowest VLAN ID found in the VLAN Table.
The “VLAN” input fields allow the user to select the starting point in the VLAN Table. Clicking the button will update the displayed
table starting from that or the closest next VLAN Table match. The switch will use the next entry of the currently displayed VLAN
entry as a basis for the next lookup. When the end is reached, the warning message is shown in the displayed table. Use the button to
start over.
WEB INTERFACE
To configure a VLAN Mode Configuration in the web interface:
1. Click “Add new entry.”
2. Specify the VLAN ID, Log Type.
3. Click Apply.
70
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 71
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-41. VLAN MODE CONFIGURATION SCREEN
Parameter description:
VLAN Mode Configuration: Specify ARP Inspection as enabled on which VLANs. First, you have to enable the port setting on Port
mode configuration web page. Only when both Global Mode and Port Mode on a given port are enabled, will ARP Inspection be
enabled on this given port. Second, you can specify which VLAN will be inspected on VLAN mode configuration web page. The log
type also can be configured on a per VLAN setting. Possible types are:
- None: Log nothing.
- Deny: Log denied entries.
- Permit: Log permitted entries.
- ALL: Log all entries.
Buttons:
- Add New Entry: Click to add a new VLAN to the ARP Inspection VLAN table.
- Apply: Click to save changes.
- Reset: Click to undo any changes made locally and revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
71
Page 72
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
STATIC TABLE
The section describes how to configure the Static ARP Inspection Table parameters of the switch. You can use the Static ARP
Inspection Table configure to manage the ARP entries.
WEB INTERFACE
To configure a Static ARP Inspection Table Configuration in the web interface:
1. Click “Add new entry.”
2. Specify the Port, VLAN ID, IP Address, and MAC address in the entry.
3. Click Apply.
FIGURE 3-42. STATIC ARP INSPECTION TABLE
Parameter description:
Delete: Check to delete the entry. It will be deleted during the next save.
Port: The logical port for the settings.
VLAN ID: The vlan id for the settings.
MAC Address: The allowed Source MAC address in ARP request packets.
IP Address: The allowed Source IP address in ARP request packets.
Adding new entry: Click to add a new entry to the Static ARP Inspection table. Specify the Port, VLAN ID, MAC address, and IP address
for the new entry. Click “Save.”
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
72
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 73
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
DYNAMIC TABLE
Entries in the Dynamic ARP Inspection Table are shown on this page. The Dynamic ARP Inspection Table contains up to 1024 entries,
and is sorted first by port, then by VLAN ID, then by MAC address, and then by IP address.
Navigating the ARP Inspection Table
Each page shows up to 99 entries (the default is 20) from the Dynamic ARP Inspection table selected through the “entries per page”
input field. When first visited, the web page will show the first 20 entries from the beginning of the Dynamic ARP Inspection Table.
The “Start from port address,” “VLAN,” “MAC address” and “IP address” input fields allow the user to select the starting point in the
Dynamic ARP Inspection Table. Clicking the button will update the displayed table starting from that or the closest next Dynamic
ARP Inspection Table match. In addition, the two input fields will—upon a button click—assume the value of the first displayed entry,
allowing for continuous refresh with the same start address.
The switch will use the last entry of the currently displayed table as a basis for the next lookup. When the end is reached the text “No
more entries” is shown in the displayed table. Use the button to start over.
WEB INTERFACE
You can configure a Dynamic ARP Inspection Table Configuration in the web interface.
FIGURE 3-43. DYNAMIC ARP INSPECTION TABLE
Parameter description:
ARP Inspection Table Columns
Port: Switch Port Number for which the entries are displayed.
VLAN ID: VLAN-ID in which the ARP traffic is permitted.
MAC Address: User MAC address of the entry.
IP Address: User IP address of the entry.
Translate to static: Select the checkbox to translate the entry to static entry.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
73
Page 74
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
- Auto-refresh: Check this box to refresh the page automatically. Automatic refresh occurs every 3 seconds.
- Refresh: Refreshes the displayed table starting from the input fields.
- Save: Click to save changes.
- Reset: Click to undo any changes made locally and revert to previously saved values.
<<: Updates the table starting from the first entry in the Dynamic ARP Inspection Table.
>>: Updates the table, starting with the entry after the last entry currently displayed
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.5.3 AAA
This section shows you to use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
The AAA server can be a TACACS+ or RADIUS server to create and manage objects that contain settings for using AAA servers.
3.5.3.1 RADIUS
Web Interface
You can configure a Common Configuration of AAA, RADIUS in the web interface.
74
FIGURE 3-44. RADIUS AUTHENTICATION SERVER CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 75
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
Global Configuration
These settings are common for all of the RADIUS servers.
Timeout: Timeout is the number of seconds, in the range 1 to 1000, to wait for a reply from a RADIUS server before retransmitting the
request.
Retransmit: Retransmit is the number of times, in the range 1 to 1000, a RADIUS request is retransmitted to a server that is not
responding. If the server has not responded after the last retransmit it is considered to be dead.
Deadtime: Deadtime, which can be set to a number between 0 to 1440 minutes, is the period during which the switch will not send
new requests to a server that has failed to respond to a previous request. This will stop the switch from continually trying to contact a
server that it has already determined as dead.
Setting the Deadtime to a value greater than 0 (zero) will enable this feature, but only if more than one server has been configured.
Key: The secret key—up to 63 characters long—shared between the RADIUS server and the switch.
NAS-IP-Address (Attribute 4): The IPv4 address to be used as attribute 4 in RADIUS Access-Request packets. If this field is left blank,
the IP address of the outgoing interface is used.
NAS-IPv6-Address (Attribute 95): The IPv6 address to be used as attribute 95 in RADIUS Access-Request packets. If this field is left
blank, the IP address of the outgoing interface is used.
NAS-Identifier (Attribute 32): The identifier—up to 255 characters long—to be used as attribute 32 in RADIUS Access-Request packets.
If this field is left blank, the NAS-Identifier is not included in the packet.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Server Configuration
The table has one row for each RADIUS server and a number of columns.
Delete: To delete a RADIUS server entry, check this box. The entry will be deleted during the next Save.
Hostname: The IP address or hostname of the RADIUS server.
Auth Port: The UDP port to use on the RADIUS server for authentication.
Acct Port: The UDP port to use on the RADIUS server for accounting.
Timeout: This optional setting overrides the global timeout value. Leaving it blank will use the global timeout value.
Retransmit: This optional setting overrides the global retransmit value. Leaving it blank will use the global retransmit value.
Key: This optional setting overrides the global key. Leaving it blank will use the global key.
Adding a New Server: Click to add a new RADIUS server. An empty row is added to the table, and the RADIUS server can be
configured as needed. Up to 5 servers are supported. The button can be used to undo the addition of the new server.
Buttons
- Apply: Click to save changes.
- Reset: Click to undo any changes made locally and revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
75
Page 76
CHAPTER 3: SYSTEM CONFIGURATION
3.5.3.2 TACACS+
WEB INTERFACE
You can configure a Common Configuration of AAA, TACACS+ in the web interface.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-45. TACACS+ AUTHENTICATION SERVER CONFIGURATION SCREEN
Parameter description:
Global Configuration
These settings are common for all of the TACACS+ servers.
Timeout: Timeout is the number of seconds, in the range 1 to 1000, to wait for a reply from a TACACS+ server before it is considered
to be dead.
Deadtime: Deadtime, which can be set to a number between 0 to 1440 minutes, is the period during which the switch will not send
new requests to a server that has failed to respond to a previous request. This will stop the switch from continually trying to contact a
server that it has already determined as dead.
Setting the Deadtime to a value greater than 0 (zero) will enable this feature, but only if more than one server has been configured.
Key: The secret key—up to 63 characters long—shared between the TACACS+ server and the switch.
Server Configuration
The table has one row for each TACACS+ server and a number of columns, which are:
Delete: To delete a TACACS+ server entry, check this box. The entry will be deleted during the next Save.
Hostname: The IP address or hostname of the TACACS+ server.
Port: The TCP port to use on the TACACS+ server for authentication.
76
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 77
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Timeout: This optional setting overrides the global timeout value. Leaving it blank will use the global timeout value.
Key: This optional setting overrides the global key. Leaving it blank will use the global key.
Adding a New Server
Click to add a new TACACS+ server. An empty row is added to the table, and the TACACS+ server can be configured as needed. Up
to 5 servers are supported.
The button can be used to undo the addition of the new server.
Buttons
- Apply: Click to save changes.
- Reset: Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.6 AG GREG ATION
Aggregation is used to configure the settings of Link Aggregation. You can bundle more than one port with the same speed, full
duplex and the same MAC to be a single logical port, thus the logical port aggregates the bandwidth of these ports. This means you
can apply your current Ethernet equipment’s to build the bandwidth aggregation. For example, if there are three Fast Ethernet ports
aggregated in a logical port, then this logical port has bandwidth three times as high as a single Fast Ethernet port has.
3.6.1 STATIC
Ports using Static Trunk as their trunk method can choose their unique Static GroupID to form a logical “trunked port.” The benefit
of using Static Trunk method is that a port can immediately become a member of a trunk group without any handshaking with
its peer port. This is also a disadvantage because the peer ports of your static trunk group may not know that they should be
aggregated together to form a “logical trunked port.” Using Static Trunk on both ends of a link is strongly recommended.
NOTE: Low-speed links will stay in a “not ready” state when using static trunk to aggregate with high speed links.
WEB INTERFACE
To configure the Trunk Aggregation Hash mode and Aggregation Group in the web interface:
1. Click Configuration, Aggregation, Static and then Aggregation Mode Configuration.
2. Enable or disable the aggregation mode function.
Evoke Aggregation Group ID and Port members.
3. Click save to save the setting.
4. To cancel the setting, click the reset button. It will revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
77
Page 78
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-46. AGGREGATION MODE CONFIGURATION SCREEN
Parameter description:
Hash Code Contributors
Source MAC Address: The Source MAC address can be used to calculate the destination port for the frame. Check to enable the use
of the Source MAC address, or uncheck to disable. By default, Source MAC Address is enabled.
Destination MAC Address: The Destination MAC Address can be used to calculate the destination port for the frame. Check to enable
the use of the Destination MAC Address, or uncheck to disable. By default, the Destination MAC Address is disabled.
IP Address: The IP address can be used to calculate the destination port for the frame. Check to enable the use of the IP Address, or
uncheck to disable. By default, IP Address is enabled.
TCP/UDP Port Number: The TCP/UDP port number can be used to calculate the destination port for the frame. Check to enable the
use of the TCP/UDP Port Number, or uncheck to disable. By default, TCP/UDP Port Number is enabled.
78
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 79
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Aggregation Group Configuration
Group ID: Indicates the group ID for the settings contained in the same row. Group ID “Normal” indicates there is no aggregation. Only
one group ID is valid per port.
Port Members: Each switch port is listed for each group ID. Select a radio button to include a port in an aggregation, or clear the radio
button to remove the port from the aggregation. By default, no ports belong to any aggregation group. Only full duplex ports can join
an aggregation and ports must be in the same speed in each group.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.6.2 LACP
This page allows the user to inspect the current LACP port configurations, and possibly change them as well. An LACP trunk group
with more than one ready member-ports is a “real trunked” group. An LACP trunk group with only one or less than one ready memberports is not a “real trunked” group.
WEB INTERFACE
To configure the Trunk Aggregation LACP parameters in the web interface:
1. Click Configuration, LACP, Configuration.
2. Enable or disable the LACP on the port of the switch.
3. Scroll the Key parameter with Auto or Specific. Default is Auto.
4. Scroll the Role with Active or Passive. Default is Active.
5. Click save to save the setting.
6. To cancel the setting, click the reset button. It will revert to previously saved values.
FIGURE 3-47. LACP PORT CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
79
Page 80
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
Port: The switch port number.
LACP Enabled: Controls whether LACP is enabled on this switch port. LACP will form an aggregation when 2 or more ports are
connected to the same partner.
Key: The Key value incurred by the port; range 1–65535 . The Auto setting will set the key as appropriate by the physical link speed,
10Mb = 1, 100Mb = 2, 1Gb = 3. Using the Specific setting, you can enter a user-defined value. Ports with the same Key value can
participate in the same aggregation group, while ports with different keys cannot.
Role: The Role shows the LACP activity status. Active will transmit LACP packets each second, while Passive will wait for a LACP
packet from a partner (speak if spoken to).
Timeout: Timeout controls the period between BPDU transmissions. Fast will transmit LACP packets each second, while Slow will
wait for 30 seconds before sending an LACP packet.
Prio: Prio controls the priority of the port. If the LACP partner wants to form a larger group than is supported by this device, then this
parameter will control which ports will be active and which ports will be in a backup role. A lower number means greater priority.
Buttons:
- Apply – Click to save changes.
- Reset – Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.7 LOOP PROTECTION
Loop Protection is used to detect the presence of traffic. When a switch receives a packet‘s (looping detection frame) MAC
address the same as itself from a port, show Loop Protection happens. The port will be locked when it receives looping Protection
frames. If you want to unlock the port, find out the looping path and remove the looping path, then select the locked port and click
on “Resume” to turn on the locked port.
WEB INTERFACE
To configure the Loop Protection parameters in the web interface:
1. Click Configuration, Loop Protection.
2. Enable or disable the port loop Protection.
3. Click save to save the setting.
4. To cancel the setting, click the Reset button. It will revert to previously saved values.
80
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 81
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-48. LOOP PROTECTION CONFIGURATION SCREEN
Parameter description:
Enable Loop Protection: Controls whether loop protection is enabled (as a whole).
Transmission Time: The interval between each loop protection PDU sent on each port. Valid values are 1 to 10 seconds.
Shutdown Time: The period (in seconds) for which a port will be kept disabled if a loop is detected (and the port action shuts down the
port). Valid values are 0 to 604800 seconds (7 days). A value of zero will keep a port disabled (until next device restart).
Port No: The switch port number.
Enable: Controls whether loop protection is enabled on this switch port.
Action: Configures the action performed when a loop is detected on a port. Valid values are Shutdown Port, Shutdown Port and Log, or
Log Only.
Tx Mode: Controls whether the port is actively generating loop protection PDUs, or whether it is just passively looking for looped PDUs.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
81
Page 82
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.8 SPANNING TREE
The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between switches,
bridges, or routers. This allows the switch to interact with other bridging devices (that is, an STP-compliant switch, bridge, or
router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links that
automatically take over when a primary link goes down.
STP—STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge, or router) that serves as the root
of the spanning tree network. It selects a root port on each bridging device (except for the root device) that incurs the lowest path
cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN that
incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging
devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated
ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports,
eliminating any possible network loops.
FIGURE 3-49. STP CONFIGURATION
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted
from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that
the link to the Root Bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to
reestablish a valid network topology.
82
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 83
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.8.1 BRIDGE SETTING
The section describes how to configure the Spanning Tree Bridge and STP System settings. It allows you to configure STP System
settings used by all STP Bridge instance in the switch.
WEB INTERFACE
To configure the Spanning Tree Bridge Settings parameters in the web interface:
1. Click Configuration, Spanning Tree, Bridge Settings.
2. Scroll to select the parameters and write down available value of parameters in blank field in Basic Settings.
3. Enable or disable the parameters and write down the available value of parameters in the blank field in Advanced settings.
4. Click apply to save the setting.
5. To cancel the setting, click the Reset button. It will revert to previously saved values.
FIGURE 3-50. STP BRIDGE CONFIGURATION SCREEN
Parameter description:
Basic Settings
Protocol Version: The STP protocol version setting. Valid values are STP, RSTP, and MSTP.
Bridge Priority: Controls the bridge priority. Lower numeric values have better priority. The bridge priority plus the MSTI instance
number, concatenated with the 6-byte MAC address of the switch forms a Bridge Identifier. For MSTP operation, this is the priority of
the CIST. Otherwise, this is the priority of the STP/RSTP bridge.
Forward Delay: The delay used by STP Bridges to transit Root and Designated Ports to Forwarding (used in STP compatible mode).
Valid values are in the range 4 to 30 seconds.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
83
Page 84
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Max Age: The maximum age of the information transmitted by the Bridge when it is the Root Bridge. Valid values are in the range 6 to
40 seconds, and MaxAge must be <= (FwdDelay-1)*2.
Maximum Hop Count: This defines the initial value of remaining Hops for MSTI information generated at the boundary of an MSTI
region. It defines how many bridges a root bridge can distribute its BPDU information to. Valid values are in the range 6 to 40 hops.
Transmit Hold Count: The number of BPDU’s a bridge port can send per second. When exceeded, transmission of the next BPDU will
be delayed. Valid values are in the range 1 to 10 BPDUs per second.
Advanced Settings
Edge Port BPDU Filtering: Control whether a port explicitly configured as Edge will transmit and receive BPDUs.
Edge Port BPDU Guard: Control whether a port explicitly configured as Edge will disable itself when it receives a BPDU. The port will
enter the error-disabled state, and will be removed from the active topology.
Port Error Recovery: Control whether a port in the error-disabled state automatically will be enabled after a certain time. If recovery is
not enabled, ports have to be disabled and re-enabled for normal STP operation. The condition is also cleared by a system reboot.
Port Error Recovery Timeout: The time to pass before a port in the error-disabled state can be enabled. Valid values are between 30
and 86400 seconds (24 hours).
Buttons:
- Apply – Click to save changes.
- Reset – Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.8.2 MSTI MAPPING
When you implement a Spanning Tree protocol on the switch as the bridge instance, the CIST is not available for explicit mapping,
as it will receive the VLANs not explicitly mapped. Due to the reason that you need to set the list of VLANs mapped to the MSTI. The
VLANs must be separated with comma and/or space. A VLAN can only be mapped to one MSTI. An unused MSTI should just be left
empty. (I.e. not having any VLANs mapped to it.)
This section describes it allows the user to inspect the current STP MSTI bridge instance priority configurations, and possibly change
them as well.
WEB INTERFACE
To configure the Spanning Tree MSTI Mapping parameters in the web interface:
1. Click Configuration, Spanning Tree, MSTI Mapping.
2. Specify the configuration identification parameters in the field. Specify the VLANs Mapped blank field.
3. Click save to save the setting.
4. To cancel the setting, click the Reset button. It will revert to previously saved values.
84
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 85
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-51. MSTI CONFIGURATION SCREEN
Parameter description:
Configuration Identification
Configuration Name: The name identifying the VLAN to MSTI mapping. Bridges must share the name and revision, as well as the
VLAN-to-MSTI mapping configuration in order to share spanning trees for MSTIs (Intra-region). The name is at most 32 characters.
Configuration Revision: The revision of the MSTI configuration named above. This must be an integer between 0 and 65535.
MSTI: The bridge instance. The CIST is not available for explicit mapping, because it will receive the VLANs not explicitly mapped.
VLANs Mapped: The list of VLANs mapped to the MSTI. The VLANs can be given as a single (xx, xx is between 1 and 4094) VLAN, or
a range (xx-yy), each of which must be separated with comma and/or space. A VLAN can only be mapped to one MSTI. An unused
MSTI should just be left empty. (I.e. not having any VLANs mapped to it.) Example: 2,5,20-40.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
85
Page 86
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.8.3 MSTI PRIORITIES
When you implement a Spanning Tree protocol on the switch as a bridge instance, the CIST is the default instance which is always
active. It controls the bridge priority. Lower numeric values have better priority. The bridge priority plus the MSTI instance number,
concatenated with the 6-byte MAC address of the switch forms a Bridge Identifier.
The section describes how to inspect the current STP MSTI bridge instance priority configurations, and possibly change them as
well.
WEB INTERFACE
To configure the Spanning Tree MSTI Priorities parameters in the web interface:
1. Click Configuration, Spanning Tree, MSTI Priorities.
2. Scroll to the Priority; the maximum is 240. The default is 128.
3. Click save to save the setting.
4. To cancel the setting, click the Reset button. It will revert to previously saved values.
FIGURE 3-52. MSTI CONFIGURATION SCREEN
Parameter description:
MSTI: The bridge instance. The CIST is the default instance, which is always active.
Priority: Controls the bridge priority. Lower numeric values have better priority. The bridge priority plus the MSTI instance number,
concatenated with the 6-byte MAC address of the switch forms a Bridge Identifier.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
86
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 87
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.8.4 CIST PORTS
When you implement a Spanning Tree protocol on the switch that is the bridge instance, you need to configure the CIST Ports. The
section describes how to inspect the to inspect the current STP CIST port configurations, and possibly change them as well.
WEB INTERFACE
To configure the Spanning Tree CIST Ports parameters in the web interface:
1. Click Configuration, Spanning Tree, CIST Ports.
2. Scroll and set all parameters of CIST Aggregated Port Configuration.
3. Enable or disable the STP, then scroll to set all parameters of the CIST normal Port configuration.
4. Click apply to save the setting.
5. To cancel the setting, click the Reset button. It will revert to previously saved values.
FIGURE 3-53. STP CIST PORT CONFIGURATION SCREEN
Parameter description:
Port: The switch port number of the logical STP port.
STP Enabled: Controls whether STP is enabled on this switch port.
Path Cost: Controls the path cost incurred by the port. The Auto setting will set the path cost as appropriate by the physical link speed,
using the 802.1D recommended values. Using the Specific setting, a user-defined value can be entered. The path cost is used when
establishing the active topology of the network. Lower path cost ports are chosen as forwarding ports in favor of higher path cost
ports. Valid values are in the range 1 to 200000000.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
87
Page 88
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Priority: Controls the port priority. This can be used to control priority of ports that have identical port cost.
operEdge (state flag): Operational flag describing whether the port is connecting directly to edge devices. (No Bridges attached).
Transition to the forwarding state is faster for edge ports (when operEdge is true) than for other ports.The value of this flag is based
on AdminEdge and AutoEdge fields. This flag is displayed as Edge in Monitor->Spanning Tree -> STP Detailed Bridge Status.
AdminEdge: Controls whether the operEdge flag should start as set or cleared. (This is the initial operEdge state when a port is
initialized).
AutoEdge: Controls whether the bridge should enable automatic edge detection on the bridge port. This allows operEdge to be derived
from whether BPDUs are received on the port or not.
Restricted Role: If enabled, this causes the port not to be selected as the Root Port for the CIST or any MSTI, even if it has the best
spanning tree priority vector. Such a port will be selected as an Alternate Port after the Root Port has been selected. If set, it can cause
lack of spanning tree connectivity. It can be set by a network administrator to prevent bridges external to a core region of the network
influencing the spanning tree active topology, possibly because those bridges are not under the full control of the administrator. This
feature is also known as Root Guard.
Restricted TCN: If enabled, causes the port not to propagate received topology change notifications and topology changes to other
ports. If set it can cause temporary loss of connectivity after changes in a spanning tree’s active topology as a result of persistently
incorrect learned station location information. It is set by a network administrator to prevent bridges external to a core region of the
network, causing address flushing in that region, possibly because those bridges are not under the full control of the administrator or
the physical link state of the attached LANs transits frequently.
BPDU Guard: If enabled, this causes the port to disable itself when it receives valid BPDUs. Contrary to the similar bridge setting, the
port Edge status does not affect this setting. A port entering error-disabled state caused by this setting is subject to the bridge Port
Error Recovery setting as well.
Point to Point: Controls whether the port connects to a point-to-point LAN rather than to a shared medium. This can be automatically
determined, or forced either true or false. Transition to the forwarding state is faster for point-to-point LANs than for shared media.
Buttons:
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.8.5 MSTI PORTS
The section describes how to inspect the current STP MSTI port configurations, and possibly change them as well.
An MSTI port is a virtual port, which is instantiated separately for each active CIST (physical) port for each MSTI instance configured
on and applicable to the port. The MSTI instance must be selected before displaying actual MSTI port configuration options. It
contains MSTI port settings for physical and aggregated ports.
WEB INTERFACE
To configure the Spanning Tree MSTI Port Configuration parameters in the web interface:
1. Click Configuration, Spanning Tree, MSTI Ports.
2. Scroll to select the MST1 or other MSTI Port.
3. Click Get to set detailed parameters of the MSTI Ports.
4. Scroll to set all parameters of the MSTI Port configuration.
5. Click save to save the setting.
6. To cancel the setting, click the Reset button. It will revert to previously saved values.
88
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 89
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-54. MSTI PORT CONFIGURATION SCREEN
Parameter description:
Port: The switch port number of the corresponding STP CIST (and MSTI) port.
Path Cost: Controls the path cost incurred by the port. The Auto setting will set the path cost as appropriate by the physical link speed,
using the 802.1D recommended values. Using the Specific setting, a user-defined value can be entered. The path cost is used when
establishing the active topology of the network. Lower path cost ports are chosen as forwarding ports in favor of higher path cost
ports. Valid values range from 1 to 200000000.
Priority: Controls the port priority. This can be used to control priority of ports having identical port cost. (See above).
Buttons
- Apply – Click to save changes.
- Reset- Click to undo any changes made locally and revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
89
Page 90
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.9 IPMC PROFILE
This page provides IPMC Profile related configurations.
3.9.1 PROFILE TABLE
The IPMC profile is used to deploy the access control on IP multicast streams. It is allowed to create at maximum 64 profiles with
at maximum of 128 corresponding rules for each.
WEB INTERFACE
To configure the IPMC Profile Configuration in the web interface, refer to the next figure.
90
FIGURE 3-55. IPMC PROFILE CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 91
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
Port: The switch port number of the corresponding STP CIST (and MSTI) port.
Global Profile Mode: Enable/Disable the Global IPMC Profile. The system starts to do filtering based on profile settings only when the
global profile mode is enabled.
Delete: Check to delete the entry. The designated entry will be deleted during the next save.
Profile Name: The name used for indexing the profile table. Each entry has the unique name composed of at maximum 16 alphabetic
and numeric characters. At least one alphabetic character must be present.
Profile Description: Additional description about the profile, which is composed of at maximum 64 alphabetic and numeric characters.
No blank or space characters are permitted as part of the description. Use “_” or “-” to separate the description sentence.
Rule: When you create the profile, click the edit button to enter the rule setting page for the designated profile. Click the View button to
show a summary about the designated profile. You can manage or inspect the rules of the designated profile by using the following
buttons:
- eye button: List the rules associated with the designated profile.
- circle e button: Adjust the rules associated with the designated profile.
Buttons
- Add New IPMC Profile – Click to add new IPMC profile. Specify the name and configure the new entry. Click “Save”.
- Apply – Click to save changes.
- Reset – Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.9.1.1 IPMC PROFILE RULE SETTINGS TABLE
This page provides the filtering rule settings for a specific IPMC profile. It displays the configured rule entries in precedence order.
First rule entry has highest priority in lookup, while the last rule entry has lowest priority in lookup.
Profile Name: The name of the designated profile to be associated. This field is not editable.
Entry Name: The name used to specify the address range used for this rule. Only the existing profile address entries will be chosen in
the selected box. This field is not allowed to be selected as none (“-”) while the Rule Settings Table is committed.
Address Range: The corresponding address range of the selected profile entry. This field is not editable and will be adjusted
automatically according to the selected profile entry.
Action: Indicates the learning action upon receiving the Join/Report frame that has the group address matches the address range of
the rule.
- Permit: Group address that matches the range specified in the rule will be learned.
- Deny: Group address that matches the range specified in the rule will be dropped.
Log: Indicates the logging preference upon receiving the Join/Report frame that has the group address matches the address range of
the rule.
- Enable: Corresponding information of the group address that matches the range specified in the rule will be logged.
- Disable: Corresponding information of the group address that matches the range specified in the rule will not be logged.
Rule Management Buttons: You can manage rules and the corresponding precedence order by using the following buttons:
+: Insert a new rule before the current entry of rule.
x: Delete the current entry of rule.
up-arrow: Moves the current entry of rule up in the list.
down-arrow: Moves the current entry of rule down in the list.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
91
Page 92
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
• Buttons:
- Add Last Rule – Click to add a new rule in the end of the specific profile’s rule list. Specify the address entry and configure the new
entry. Click “Commit.”
- Commit – Click to commit rule changes for the designated profile.
- Reset – Click to undo any changes made locally and revert to previously saved values.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.9.2 ADDRESS ENTRY
This page provides address range settings used in the IPMC profile.
The address entry is used to specify the address range that will be associated with the IPMC Profile. You can create at maximum 128
address entries in the system.
WEB INTERFACE
You can configure the IPMC Profile Address Configuration in the web interface.
FIGURE 3-56. IPMC PROFILE ADDRESS CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. The designated entry will be deleted during the next save.
Entry Name: The name used for indexing the address entry table. Each entry has a unique name composed of at maximum 16
alphabetic and numeric characters. At least one alphabetic character must be present.
Start Address: The starting IPv4/IPv6 Multicast Group Address that will be used as an address range.
End Address: The ending IPv4/IPv6 Multicast Group Address that will be used as an address range.
Buttons:
- Add New Address (Range) Entry – Click to add a new address range. Specify the name and configure the addresses. Click “Save.”
- Apply – Click to save changes.
92
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 93
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Reset – Click to undo any changes made locally and revert to previously saved values.
- Refresh – Refreshes the displayed table starting from the input fields.
<< – Updates the table starting from the first entry in the IPMC Profile Address Configuration.
>> – Updates the table, starting with the entry after the last entry currently displayed.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.10 M V R
The MVR feature enables multicast traffic forwarding on the Multicast VLAN. In a multicast television application, a PC or a
television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber
port, which is a switch port configured as an MVR receiver port. When a subscriber selects a channel, the set-top box or PC sends
an IGMP join message to Switch A to join the appropriate multicast. Uplink ports that send and receive multicast data to and from
the multicast VLAN are called MVR source ports.
WEB INTERFACE
To configure the MVR Configuration in the web interface:
1. Click Configuration, MVR, Configuration.
2. Scroll the MVR mode to enable or disable and Scroll to set all parameters.
3. Click save to save the setting.
4. To cancel the setting, click the Reset button. It will revert to previously saved values.
FIGURE 3-57. MVR CONFIGURATION SCREEN
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
93
Page 94
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
Parameter description:
MVR Mode Enable/Disable the Global MVR. Unregistered Flooding control depends on the current configuration in IGMP/MLD
Snooping. We suggest enabling Unregistered Flooding control when the MVR group table is full.
Delete: Check to delete the entry. The designated entry will be deleted during the next save.
MVR VID: Specify the Multicast VLAN ID.
CAUTION: MVR source ports are not recommended to be overlapped with management VLAN ports.
MVR Name: MVR Name is an optional attribute to indicate the name of the specific MVR VLAN. Maximum length of the MVR VLAN
Name string is 32. MVR VLAN Name can only contain alphabets or numbers. When the optional MVR VLAN name is given, it should
contain at least one alphabetic character. MVR VLAN name can be edited for the existing MVR VLAN entries or it can be added to the
new entries.
IGMP Address: Define the IPv4 address as a source address used in IP header for IGMP control frames.
The default IGMP address is not set (0.0.0.0).
When the IGMP address is not set, the system uses the IPv4 management address of the IP interface associated with this VLAN.
When the IPv4 management address is not set, the system uses the first available IPv4 management address.
Otherwise, the system uses a predefined value. By default, this value will be 192.0.2.1.
Mode: Specify the MVR mode of operation. In Dynamic mode, MVR allows dynamic MVR membership reports on source ports. In
Compatible mode, MVR membership reports are forbidden on source ports. The default is Dynamic mode.
Tagging: Specify whether the traversed IGMP/MLD control frames will be sent as Untagged or Tagged with MVR VID. The default is
Tagged.
Priority: Specify how the traversed IGMP/MLD control frames will be sent in a prioritized manner. The default Priority is 0.
LLQI: Define the maximum time to wait for IGMP/MLD report memberships on a receiver port before removing the port from multicast
group membership. The value is in units of tenths of a seconds. The range is from 0 to 31744. The default LLQI is 5 tenths or one-half
second.
Interface Channel Setting: When the MVR VLAN is created, click the Edit symbol to expand the corresponding multicast channel
settings for the specific MVR VLAN. Summary about the Interface Channel Setting (of the MVR VLAN) will be shown beside the Edit
symbol.
Port: The logical port for the settings.
Port Role: Configure an MVR port of the designated MVR VLAN as one of the following roles.
- Inactive: The designated port does not participate in MVR operations.
- Source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to
source ports.
- Receiver: Configure a port as a receiver port if it is a subscriber port and should only receive multicast data. It does not receive data
unless it becomes a member of the multicast group by issuing IGMP/MLD messages.
CAUTION: MVR source ports are not recommended to be overlapped with management VLAN ports. Select the port role by clicking
the Role symbol to switch the setting. I indicates Inactive; S indicates Source; R indicates Receiver. The default Role is Inactive.
Immediate Leave: Enable the fast leave on the port.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
94
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 95
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.11 IPMC
ICMP is an acronym for Internet Control Message Protocol. It is a protocol that generates the error response for diagnostic or
routing purposes. ICMP messages generally contain information about routing difficulties or simple exchanges such as time-stamp
or echo transactions.
3.11.1 IGMP SNOOPING
The function is used to establish multicast groups to forward multicast packets to the member ports. It prevents wasting
bandwidth when IP multicast packets are running over the network. This is because a switch that does not support IGMP or IGMP
Snooping cannot tell a multicast packet from a broadcast packet, so it can only treat them all as the broadcast packets. Without
IGMP Snooping, a multicast packet is forwarded in the same way as a broadcast packet.
The switch supports IGMP Snooping with query, report and leave functions. This enables a type of packet exchanged between an
IP Multicast Router/Switch and an IP Multicast Host to be updated in the Multicast table information when a member (port) joins
or leaves an IP Multicast Destination Address. With this function, once a switch receives an IP multicast packet, it will forward the
packet to the members who joined in a specified IP multicast group before.
The packets will be discarded by IGMP Snooping if the user transmits multicast packets to the multicast group that was not built
up in advance. IGMP mode enables the switch to issue an IGMP function to enable IGMP proxy or snooping on the switch, which
connects to a router closer to the root of the tree. This interface is the upstream interface. The router on the upstream interface
should be running IGMP.
3.11.1.1 BASIC CONFIGURATION
The section describes how to set basic IGMP snooping on the switch, which connects to a router closer to the root of the tree. This
interface is the upstream interface. The router on the upstream interface should be running IGMP.
WEB INTERFACE
To configure the IGMP Snooping parameters in the web interface:
1. Click Configuration, IPMC, IGMP Snooping, Basic Configuration.
2. Select enable or disable Global configuration.
3. Select a port to become a Router Port or enable/ disable the Fast Leave function.
4. Scroll to set the Throttling parameter.
5. Click apply to save the setting.
6. To cancel the setting, click the Reset button. It will revert to previously saved values.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
95
Page 96
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
FIGURE 3-58. IGMP SNOOPING CONFIGURATION SCREEN
Parameter description:
Snooping Enabled: Enable the Global IGMP Snooping.
Unregistered IPMCv4 Flooding enabled: Enable unregistered IPMCv4 traffic flooding.
IGMP SSM Range: SSM (Source-Specific Multicast) Range allows the SSM-aware hosts and routers to run the SSM service model for
the groups in the address range. Format: (IP address/ sub mask)
Leave Proxy Enable: Enable IGMP Leave Proxy. This feature can be used to avoid forwarding unnecessary leave messages to the
router side.
Proxy Enabled: Enable IGMP Proxy. This feature can be used to avoid forwarding unnecessary join and leave messages to the router
side.
Port: This shows the physical Port index of the switch.
Router Port: Specify which ports act as router ports. A router port is a port on the Ethernet switch that leads towards the Layer 3
multicast device or IGMP querier.
If an aggregation member port is selected as a router port, the whole aggregation will act as a router port.
Fast Leave: Enable fast leave on the port.
Throttling: Enable to limit the number of multicast groups to which a switch port can belong.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.11.1.2 VLAN CONFIGURATION
This section describes the VLAN configuration setting process integrated with the IGMP Snooping function. Each setting page
shows up to 99 entries from the VLAN table, default is 20, selected through the “entries per page” input field. When first visited, the
web page will show the first 20 entries from the beginning of the VLAN Table. The first displayed entry will be the one with the lowest
VLAN ID found in the VLAN Table. The “VLAN” input fields allow the user to select the starting point in the VLAN Table. Clicking the
button will update the displayed table starting from that or the next closest VLAN Table match.
WEB INTERFACE
To configure the IGMP Snooping VLAN Configuration in the web interface:
1. Click Configuration, IPMC, IGMP Snooping, VLAN Configuration.
2. Enable or disable Snooping , IGMP Querier. Specify the parameters in the blank field.
3. Click refresh to update the data or click << or >> to display the previous entry or next entry.
96
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 97
CHAPTER 3: SYSTEM CONFIGURATION
4. Click save to save the setting.
5. To cancel the setting, click the Reset button. It will revert to previously saved values.
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-59. IGMP SNOOPING VLAN CONFIGURATION SCREEN
Parameter description:
Delete: Check to delete the entry. The designated entry will be deleted during the next save.
VLAN ID: Displays the VLAN ID of the entry.
IGMP Snooping Enabled: Enable the per-VLAN IGMP Snooping. Only up to 32 VLANs can be selected.
Querier Election: Enable to join the IGMP Querier election in the VLAN. Disable to act as an IGMP Non-Querier.
Querier Address: Define the IPv4 address as the source address used in the IP header for IGMP Querier election.
When the Querier address is not set, the system uses the IPv4 management address of the IP interface associated with this VLAN.
When the IPv4 management address is not set, the system uses the first available IPv4 management address.
Otherwise, the system uses a pre-defined value. By default, this value will be 192.0.2.1.
Compatibility: Compatibility is maintained by hosts and routers taking appropriate actions depending on the versions of IGMP
operating on hosts and routers within a network. The allowed selection is IGMP-Auto, Forced IGMPv1, Forced IGMPv2, Forced
IGMPv3, and the default compatibility value is IGMP-Auto.
PRI: Priority of Interface. This indicates the IGMP control frame priority level generated by the system. These values can be used to
prioritize different classes of traffic. The allowed range is 0 (best effort) to 7 (highest); default interface priority value is 0.
Rv: Robustness Variable. The Robustness Variable allows tuning for the expected packet loss on a network. The allowed range is 1 to
255; default robustness variable value is 2.
QI: Query Interval. The Query Interval is the interval between General Queries sent by the Querier. The allowed range is 1 to 31744
seconds; default query interval is 125 seconds.
QRI: Query Response Interval. The Max Response Time used to calculate the Max Resp Code inserted into the periodic General
Queries. The allowed range is 0 to 31744 in tenths of seconds; default query response interval is 100 in tenths of seconds (10
seconds).
LLQI (LMQI for IGMP): Last Member Query Interval. The Last Member Query Time is the time value represented by the Last Member
Query Interval, multiplied by the Last Member Query Count. The allowed range is 0 to 31744 in tenths of seconds; default last member
query interval is 10 in tenths of seconds (1 second).
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
97
Page 98
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
CHAPTER 3: SYSTEM CONFIGURATION
URI: Unsolicited Report Interval. The Unsolicited Report Interval is the time between repetitions of a host‘s initial report of membership
in a group. The allowed range is 0 to 31744 seconds; default unsolicited report interval is 1 second.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
• Upper right icon (Refresh, |<<, >>): Click to refresh the displayed table starting from the “VLAN” input fields. Or click “|<<” to update
the table starting from the first entry in the VLAN table, i.e. the entry with the lowest VLAN ID. Click “>> “ to update the table, starting
with the entry after the last entry currently displayed.
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
3.11.1.3 PORT FILTERING PROFILE
The section describes how to set the IGMP Port Group Filtering. With the IGMP filtering feature, an user can exert this type of control.
In some network Application environments, such as metropolitan or multiple-dwelling unit (MDU) installations, a user might want to
control the multicast groups to which a user on a switch port can belong. This allows the user to control the distribution of multicast
services, such as IP/TV, based on some type of subscription or service plan.
With this feature, you can filter multicast joins on a per-port basis by configuring IP multicast profiles and associating them with
individual switch ports. An IGMP profile can contain one or more multicast groups and specifies whether access to the group
is permitted or denied. If an IGMP profile denying access to a multicast group is applied to a switch port, the IGMP join report
requesting the stream of IP multicast traffic is dropped, and the port is not allowed to receive IP multicast traffic from that group. If
the filtering action permits access to the multicast group, the IGMP report from the port is forwarded for normal processing.
IGMP filtering controls only IGMP membership join reports and has no relationship to the function that directs the forwarding of IP
multicast traffic.
WEB INTERFACE
To configure the IGMP Snooping Port Group Configuration in the web interface:
1. Click Configuration, IPMC, IGMP Snooping, Port Group Filtering.
2. Click Add new Filtering Group.
3. Scroll to the Port to enable the Port Group Filtering. Specify the Filtering Groups in the blank field.
4. Click save to save the setting.
5. To cancel the setting, click the Reset button. It will revert to previously saved values.
98
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Page 99
CHAPTER 3: SYSTEM CONFIGURATION
FIGURE 3-60. IGMP SNOOPING PORT GROUP FILTERING PROFILE SCREEN
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
Parameter description:
Port: The logical port for the settings.
Filtering Profile: Select the IPMC Profile as the filtering condition for the specific port. Summary about the designated profile will be
shown by clicking the view button.
Profile Management Button: You can inspect the rules of the designated profile by using the eye button. It lists the rules associated
with the designated profile.
Buttons:
- Apply – Click to save changes.
- Reset - Click to undo any changes made locally and revert to previously saved values.
3.11.2 MLD SNOOPING
A network node that acts as a source of IPv6 multicast traffic is only an indirect participant in MLD snooping—it just provides
multicast traffic, and MLD doesn’t interact with it.
NOTE: In an application such as desktop conferencing, a network node may act as both a source and an MLD host; but MLD interacts
with that node only in its role as an MLD host.
A source node creates multicast traffic by sending packets to a multicast address. In IPv6, addresses with the first eight bits set (that
is, “FF” as the first two characters of the address) are multicast addresses, and any node that listens to such an address will receive
the traffic sent to that address. Application software running on the source and destination systems cooperates to determine what
multicast address to use.
NOTE: This is a function of the application software, not of MLD.
When MLD snooping is enabled on a VLAN, the switch acts to minimize unnecessary multicast traffic. If the switch receives
multicast traffic destined for a given multicast address, it forwards that traffic only to ports on the VLAN that have MLD hosts for that
address. It drops that traffic for ports on the VLAN that have no MLD hosts.
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
99
Page 100
CHAPTER 3: SYSTEM CONFIGURATION
NEED HELP?
LEAV E THE TE CH TO US
LIVE 24/7
TECHNICAL
SUPPORT
1. 877. 87 7.2 26 9
FIGURE 3-61. MLD SNOOPING ENABLED
3.11.2.1 BASIC CONFIGURATION
The section explains how to configure the MLD Snooping basic configuration and the parameters.
WEB INTERFACE
To configure the MLD Snooping Configuration in the web interface:
1. Click Configuration, MLD Snooping, Basic Configuration.
2. Enable or disable the Global configuration parameters. Select the port to join Router port and Fast Leave.
3. Scroll to select the Throttling mode as unlimited or 1 to 10.
4. Click save to save the setting.
5. To cancel the setting, click the Reset button. It will revert to previously saved values.
100
1. 8 7 7. 8 7 7. 2 2 6 9 BLACKB OX.COM
Loading...