Digisol DG-FS4526 Management Manual

As our product undergoes continuous development the specifications are subject to change without prior notice

DG-FS4526

MUSTANG 4000 SWITCH SERIES

=MANAGEMENT GUIDE

V1.1

2010-09-28

COPYRIGHT

Copyright © 2010 by SNSL. All rights reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language or computer language, in any form or by any means, electronic,
mechanical, magnetic, optical, chemical, manual or otherwise, without the prior
written permission of SNSL.

SNSL makes no representations or warranties, either expressed or implied, with
respect to the contents hereof and specifically disclaims any warranties, mer­chantability or fitness for any particular purpose. Any software described in this
manual is sold or licensed “as is”. Should the programs prove defective following
their purchase, the buyer (and not SNSL, its distributor, or its dealer) assumes the
entire cost of all necessary servicing, repair, and any incidental or consequential
damages resulting from any defect in the software. Further, SNSL reserves the
right to revise this publication and to make changes from time to time in the con­tents thereof without obligation to notify any person of such revision or changes.

SNSL an abbreviation of Smartlink Network Systems Ltd.

DG-FS4526 User Manual

User Manual

DG-FS4526 L2 Fast Ethernet Switch

Layer 2 Standalone Switch
with 24 10/100BASE-TX (RJ-45) Ports,
and 2 Combination Gigabit (RJ-45/SFP) Ports

DG-FS4526
E092010-CS-R01
F1.1.0.5
149xxxxxxxxxx

i

www.digisol.com

Contents

Chapter 1: Introduction 1-1

Key Features 1-1
Description of Software Features 1-2
System Defaults 1-6

Chapter 2: Initial Configuration 2-1

Connecting to the Switch 2-1

Configuration Options 2-1
Required Connections 2-2
Remote Connections 2-3

Basic Configuration 2-3

Console Connection 2-3
Setting Passwords 2-4
Setting an IP Address 2-4

Manual Configuration 2-4
Dynamic Configuration 2-5

Enabling SNMP Management Access 2-6

Community Strings (for SNMP version 1 and 2c clients) 2-6
Trap Receivers 2-7
Configuring Access for SNMP Version 3 Clients 2-8

Saving Configuration Settings 2-8

Managing System Files 2-9

Chapter 3: Configuring the Switch 3-1

Using the Web Interface 3-1
Navigating the Web Browser Interface 3-2

Home Page 3-2

Configuration Options 3-3
Panel Display 3-3
Main Menu 3-4
Basic Configuration 3-11

Displaying System Information 3-11

Displaying Switch Hardware/Software Versions 3-12

Displaying Bridge Extension Capabilities 3-14

Setting the Switch’s IP Address 3-15

Manual Configuration 3-16

Using DHCP/BOOTP 3-17
Enabling Jumbo Frames 3-18
Managing Firmware 3-18

Downloading System Software from a Server 3-19

Contents

ii

www.digisol.com

Saving or Restoring Configuration Settings 3-20

Downloading Configuration Settings from a Server 3-21
Console Port Settings 3-22
Telnet Settings 3-25
Configuring Event Logging 3-27

Displaying Log Messages 3-27

System Log Configuration 3-27

Remote Log Configuration 3-29

Simple Mail Transfer Protocol 3-30
Resetting the System 3-32
Setting the System Clock 3-33

Configuring SNTP 3-33

Setting the Time Zone 3-34

Setting the Time Manually 3-34

Simple Network Management Protocol 3-35

Setting Community Access Strings 3-36
Specifying Trap Managers and Trap Types 3-37
Enabling SNMP Agent Status 3-38
Configuring SNMPv3 Management Access 3-39

Setting the Local Engine ID 3-39

Specifying a Remote Engine ID 3-41
Configuring SNMPv3 Users 3-41
Configuring Remote SNMPv3 Users 3-43
Configuring SNMPv3 Groups 3-44
Setting SNMPv3 Views 3-46

User Authentication 3-48

Configuring User Accounts 3-48
Configuring Local/Remote Logon Authentication 3-50
AAA Authorization and Accounting 3-54

Configuring AAA RADIUS Group Settings 3-55

Configuring AAA TACACS+ Group Settings 3-55

Configuring AAA Accounting 3-56

AAA Accounting Update 3-58

AAA Accounting 802.1X Port Settings 3-58

AAA Accounting Exec Command Privileges 3-59

AAA Accounting Exec Settings 3-61

AAA Accounting Summary 3-61

Authorization Settings 3-63

Authorization EXEC Settings 3-64

Authorization Summary 3-64
Configuring HTTPS 3-65

Replacing the Default Secure-site Certificate 3-66
Configuring the Secure Shell 3-67

Configuring the SSH Server 3-69

Generating the Host Key Pair 3-70

DG-FS4526 User Manual

iii

www.digisol.com

Configuring Port Security 3-72
Configuring 802.1X Port Authentication 3-73

Displaying 802.1X Global Settings 3-75
Configuring 802.1X Global Settings 3-75
Configuring Port Settings for 802.1X 3-76
Displaying 802.1X Statistics 3-79

Web Authentication 3-80

Configuring Web Authentication 3-81
Configuring Web Authentication for Ports 3-82
Displaying Web Authentication Port Information 3-83
Re-authenticating Web Authenticated Ports 3-84

Network Access – MAC Address Authentication 3-84

Configuring the MAC Authentication Reauthentication Time 3-85
Configuring MAC Authentication for Ports 3-86
Displaying Secure MAC Address Information 3-88

Access Control Lists 3-89

Configuring Access Control Lists 3-89

Setting the ACL Name and Type 3-90
Configuring a Standard IP ACL 3-90
Configuring an Extended IP ACL 3-91

Configuring a MAC ACL 3-94
Binding a Port to an Access Control List 3-95
Filtering IP Addresses for Management Access 3-96

Port Configuration 3-98

Displaying Connection Status 3-98
Configuring Interface Connections 3-100
Creating Trunk Groups 3-103

Statically Configuring a Trunk 3-104

Enabling LACP on Selected Ports 3-105

Configuring LACP Parameters 3-107

Displaying LACP Port Counters 3-109

Displaying LACP Settings and Status for the Local Side 3-110

Displaying LACP Settings and Status for the Remote Side 3-112
Setting Broadcast Storm Thresholds 3-113
Configuring Port Mirroring 3-115
Configuring Rate Limits 3-116

Rate Limit Configuration 3-116
Showing Port Statistics 3-117

Address Table Settings 3-122

Setting Static Addresses 3-122
Displaying the Address Table 3-123
Changing the Aging Time 3-125

Spanning Tree Algorithm Configuration 3-125

Displaying Global Settings 3-126
Configuring Global Settings 3-129

Contents

iv

www.digisol.com

Displaying Interface Settings 3-132
Configuring Interface Settings 3-135
Configuring Multiple Spanning Trees 3-137
Displaying Interface Settings for MSTP 3-139
Configuring Interface Settings for MSTP 3-141

VLAN Configuration 3-143

IEEE 802.1Q VLANs 3-143

Enabling or Disabling GVRP (Global Setting) 3-146
Displaying Basic VLAN Information 3-147
Displaying Current VLANs 3-147
Creating VLANs 3-149
Adding Static Members to VLANs (VLAN Index) 3-150
Adding Static Members to VLANs (Port Index) 3-152
Configuring VLAN Behavior for Interfaces 3-153

Configuring IEEE 802.1Q Tunneling 3-155

Enabling QinQ Tunneling on the Switch 3-158
Adding an Interface to a QinQ Tunnel 3-160

Private VLANs 3-162

Displaying Current Private VLANs 3-162
Configuring Private VLANs 3-163
Associating VLANs 3-164
Displaying Private VLAN Interface Information 3-165
Configuring Private VLAN Interfaces 3-166

Protocol VLANs 3-168

Protocol VLAN Group Configuration 3-168
Configuring Protocol VLAN Interfaces 3-169

Link Layer Discovery Protocol 3-170

Setting LLDP Timing Attributes 3-170
Configuring LLDP Interface Attributes 3-172
Displaying LLDP Local Device Information 3-175
Displaying LLDP Remote Port Information 3-176
Displaying LLDP Remote Information Details 3-177
Displaying Device Statistics 3-178
Displaying Detailed Device Statistics 3-180

Class of Service Configuration 3-180

Layer 2 Queue Settings 3-181

Setting the Default Priority for Interfaces 3-181
Mapping CoS Values to Egress Queues 3-182
Selecting the Queue Mode 3-184
Setting the Service Weight for Traffic Classes 3-184

Layer 3/4 Priority Settings 3-186

Mapping Layer 3/4 Priorities to CoS Values 3-186
Enabling IP DSCP Priority 3-186
Mapping DSCP Priority 3-187
Mapping IP Port Priority 3-188

DG-FS4526 User Manual

v

www.digisol.com

Mapping IP Precedence Priority 3-190

Mapping IP TOS Priority 3-192

Mapping CoS Values to ACLs 3-194

Quality of Service 3-195

Configuring Quality of Service Parameters 3-195

Configuring a Class Map 3-196

Creating QoS Policies 3-198

Attaching a Policy Map to Ingress Queues 3-201

VoIP Traffic Configuration 3-202

Configuring VoIP Traffic 3-202
Configuring VoIP Traffic Port 3-203
Configuring Telephony OUI 3-205

Multicast Filtering 3-207

Layer 2 IGMP (Snooping and Query) 3-207

Configuring IGMP Snooping and Query Parameters 3-208

Enabling IGMP Immediate Leave 3-210

Displaying Interfaces Attached to a Multicast Router 3-211

Specifying Static Interfaces for a Multicast Router 3-212

Displaying Port Members of Multicast Services 3-213

Assigning Ports to Multicast Services 3-214
IGMP Filtering and Throttling 3-215

Enabling IGMP Filtering and Throttling 3-216

Configuring IGMP Filter Profiles 3-216

Configuring IGMP Filtering and Throttling for Interfaces 3-218

Multicast VLAN Registration 3-220

Configuring Global MVR Settings 3-221
Displaying MVR Interface Status 3-222
Displaying Port Members of Multicast Groups 3-223
Configuring MVR Interface Status 3-224
Assigning Static Multicast Groups to Interfaces 3-226

DHCP Snooping 3-227

DHCP Snooping Configuration 3-228
DHCP Snooping VLAN Configuration 3-228
DHCP Snooping Information Option Configuration 3-229
DHCP Snooping Port Configuration 3-230

IP Source Guard 3-231

IP Source Guard Port Configuration 3-231
Static IP Source Guard Binding Configuration 3-232
Dynamic IP Source Guard Binding Information 3-233

Switch Clustering 3-234

Cluster Configuration 3-235
Cluster Member Configuration 3-236
Cluster Member Information 3-237
Cluster Candidate Information 3-238

UPnP 3-239

Contents

vi

www.digisol.com

UPnP Configuration 3-239

Chapter 4: Command Line Interface 4-1

Using the Command Line Interface 4-1

Accessing the CLI 4-1
Console Connection 4-1
Telnet Connection 4-2

Entering Commands 4-3

Keywords and Arguments 4-3
Minimum Abbreviation 4-3
Command Completion 4-3
Getting Help on Commands 4-3
Showing Commands 4-4
Partial Keyword Lookup 4-5
Negating the Effect of Commands 4-5
Using Command History 4-5
Understanding Command Modes 4-5
Exec Commands 4-6
Configuration Commands 4-7

Command Line Processing 4-8
Command Groups 4-9
Line Commands 4-10

line 4-11

login 4-11

password 4-12

timeout login response 4-13

exec-timeout 4-13

password-thresh 4-14

silent-time 4-15

databits 4-15

parity 4-16

speed 4-17

stopbits 4-17

disconnect 4-18

show line 4-18
General Commands 4-19

enable 4-19

disable 4-20

configure 4-21

show history 4-21

reload 4-22

end 4-22

exit 4-23

quit 4-23

DG-FS4526 User Manual

vii

www.digisol.com

System Management Commands 4-24

Device Designation Commands 4-24

prompt 4-24
hostname 4-25

Banner 4-25

banner configure 4-26
banner configure company 4-27
banner configure dc-power-info 4-28
banner configure department 4-28
banner configure equipment-info 4-29
banner configure equipment-location 4-30
banner configure ip-lan 4-30
banner configure lp-number 4-31
banner configure manager-info 4-32
banner configure mux 4-32
banner configure note 4-33
show banner 4-34

User Access Commands 4-35

username 4-35
enable password 4-36

IP Filter Commands 4-37

management 4-37
show management 4-38

Web Server Commands 4-39

ip http port 4-39
ip http server 4-39
ip http secure-server 4-40
ip http secure-port 4-41

Telnet Server Commands 4-42

ip telnet port 4-42
ip telnet server 4-42

Secure Shell Commands 4-43

ip ssh server 4-45
ip ssh timeout 4-46
ip ssh authentication-retries 4-46
ip ssh server-key size 4-47
delete public-key 4-47
ip ssh crypto host-key generate 4-48
ip ssh crypto zeroize 4-48
ip ssh save host-key 4-49
show ip ssh 4-49
show ssh 4-50
show public-key 4-51

Event Logging Commands 4-52

logging on 4-52

Contents

viii

www.digisol.com

logging history 4-53
logging host 4-54
logging facility 4-54
logging trap 4-55
clear logging 4-55
show logging 4-56
show log 4-57

SMTP Alert Commands 4-58

logging sendmail host 4-58
logging sendmail level 4-59
logging sendmail source-email 4-60
logging sendmail destination-email 4-60
logging sendmail 4-61
show logging sendmail 4-61

Time Commands 4-62

sntp client 4-62
sntp server 4-63
sntp poll 4-64
show sntp 4-64
clock timezone 4-65
calendar set 4-65
show calendar 4-66

System Status Commands 4-66

show startup-config 4-66
show running-config 4-68
show system 4-70
show users 4-70
show version 4-71

Frame Size Commands 4-72

jumbo frame 4-72

Flash/File Commands 4-73

copy 4-73

delete 4-75

dir 4-76

whichboot 4-77

boot system 4-77
Authentication Commands 4-78

Authentication Sequence 4-79

authentication login 4-79
authentication enable 4-80

RADIUS Client 4-81

radius-server host 4-81
radius-server auth-port 4-82
radius-server acct-port 4-82
radius-server key 4-83

DG-FS4526 User Manual

ix

www.digisol.com

radius-server retransmit 4-83
radius-server timeout 4-84
show radius-server 4-84

TACACS+ Client 4-85

tacacs-server host 4-85
tacacs-server port 4-86
tacacs-server key 4-86
tacacs-server retransmit 4-87
tacacs-server timeout 4-87

show tacacs-server 4-87
AAA Commands 4-88
aaa group server 4-89
server 4-89
aaa accounting dot1x 4-90
aaa accounting exec 4-91
aaa accounting commands 4-92
aaa accounting update 4-93
accounting dot1x 4-93
accounting exec 4-94
accounting commands 4-94
aaa authorization exec 4-95
authorization exec 4-96
show accounting 4-96
Port Security Commands 4-97

port security 4-98

802.1X Port Authentication 4-99

dot1x system-auth-control 4-99

dot1x default 4-100

dot1x max-req 4-100

dot1x port-control 4-101

dot1x operation-mode 4-101

dot1x re-authenticate 4-102

dot1x re-authentication 4-102

dot1x timeout quiet-period 4-103

dot1x timeout re-authperiod 4-104

dot1x timeout tx-period 4-104

dot1x intrusion-action 4-105

show dot1x 4-105
Network Access – MAC Address Authentication 4-108

network-access mode 4-108

network-access max-mac-count 4-109

mac-authentication intrusion-action 4-110

mac-authentication max-mac-count 4-110

network-access dynamic-vlan 4-111

network-access guest-vlan 4-111

Contents

x

www.digisol.com

mac-authentication reauth-time 4-112
clear network-access 4-113
show network-access 4-113
show network-access mac-address-table 4-114

Web Authentication 4-115

web-auth login-attempts 4-116
web-auth quiet-period 4-116
web-auth session-timeout 4-117
web-auth system-auth-control 4-117
web-auth 4-118
show web-auth 4-118
show web-auth interface 4-119
web-auth re-authenticate (Port) 4-119
web-auth re-authenticate (IP) 4-120
show web-auth summary 4-120

Access Control List Commands 4-122

IP ACLs 4-123

access-list ip 4-123
permit, deny (Standard ACL) 4-124
permit, deny (Extended ACL) 4-125
show ip access-list 4-126
ip access-group 4-127
show ip access-group 4-127

MAC ACLs 4-128

access-list mac 4-128
permit, deny (MAC ACL) 4-129
show mac access-list 4-130
mac access-group 4-131
show mac access-group 4-131

ACL Information 4-132

show access-list 4-132
show access-group 4-132

SNMP Commands 4-133

snmp-server 4-134
show snmp 4-134
snmp-server community 4-135
snmp-server contact 4-136
snmp-server location 4-136
snmp-server host 4-137
snmp-server enable traps 4-139
snmp-server engine-id 4-140
show snmp engine-id 4-141
snmp-server view 4-142
show snmp view 4-143
snmp-server group 4-144

DG-FS4526 User Manual

xi

www.digisol.com

show snmp group 4-145
snmp-server user 4-146
show snmp user 4-148

Interface Commands 4-150

interface 4-150
description 4-151
speed-duplex 4-151
negotiation 4-152
capabilities 4-153
flowcontrol 4-154
shutdown 4-155
broadcast byte-rate 4-156
switchport broadcast 4-156
clear counters 4-157
show interfaces status 4-157
show interfaces counters 4-158
show interfaces switchport 4-159

Mirror Port Commands 4-162

port monitor 4-162
show port monitor 4-163

Rate Limit Commands 4-164

rate-limit 4-164

Link Aggregation Commands 4-165

channel-group 4-166
lacp 4-167
lacp system-priority 4-168
lacp admin-key (Ethernet Interface) 4-169
lacp admin-key (Port Channel) 4-170
lacp port-priority 4-171
show lacp 4-171

Address Table Commands 4-175

mac-address-table static 4-175
clear mac-address-table dynamic 4-176
show mac-address-table 4-176
mac-address-table aging-time 4-177
show mac-address-table aging-time 4-178

LLDP Commands 4-178

lldp 4-180
lldp holdtime-multiplier 4-180
lldp medFastStartCount 4-181
lldp notification-interval 4-181
lldp refresh-interval 4-182
lldp reinit-delay 4-183
lldp tx-delay 4-183
lldp admin-status 4-184

Contents

xii

www.digisol.com

lldp notification 4-184
lldp mednotification 4-185
lldp basic-tlv management-ip-address 4-186
lldp basic-tlv port-description 4-186
lldp basic-tlv system-capabilities 4-187
lldp basic-tlv system-description 4-187
lldp basic-tlv system-name 4-188
lldp dot1-tlv proto-ident 4-188
lldp dot1-tlv proto-vid 4-189
lldp dot1-tlv pvid 4-189
lldp dot1-tlv vlan-name 4-190
lldp dot3-tlv link-agg 4-190
lldp dot3-tlv mac-phy 4-191
lldp dot3-tlv max-frame 4-191
lldp dot3-tlv poe 4-192
lldp medtlv extpoe 4-192
lldp medtlv inventory 4-193
lldp medtlv location 4-193
lldp medtlv med-cap 4-194
lldp medtlv network-policy 4-194
show lldp config 4-195
show lldp info local-device 4-197
show lldp info remote-device 4-198
show lldp info statistics 4-199

Spanning Tree Commands 4-201

spanning-tree 4-202
spanning-tree mode 4-202
spanning-tree forward-time 4-203
spanning-tree hello-time 4-204
spanning-tree max-age 4-205
spanning-tree priority 4-205
spanning-tree pathcost method 4-206
spanning-tree transmission-limit 4-207
spanning-tree mst-configuration 4-207
mst vlan 4-208
mst priority 4-208
name 4-209
revision 4-210
max-hops 4-210
spanning-tree spanning-disabled 4-211
spanning-tree cost 4-211
spanning-tree port-priority 4-212
spanning-tree edge-port 4-213
spanning-tree portfast 4-213
spanning-tree link-type 4-214

DG-FS4526 User Manual

xiii

www.digisol.com

spanning-tree mst cost 4-215
spanning-tree mst port-priority 4-216
spanning-tree protocol-migration 4-217
show spanning-tree 4-217
show spanning-tree mst configuration 4-219

VLAN Commands 4-220

GVRP and Bridge Extension Commands 4-220

bridge-ext gvrp 4-221

show bridge-ext 4-221

switchport gvrp 4-222

show gvrp configuration 4-222

garp timer 4-223

show garp timer 4-224
Editing VLAN Groups 4-224

vlan database 4-224

vlan 4-225
Configuring VLAN Interfaces 4-226

interface vlan 4-226

switchport mode 4-227

switchport acceptable-frame-types 4-228

switchport ingress-filtering 4-228

switchport native vlan 4-229

switchport allowed vlan 4-230

switchport forbidden vlan 4-231
Displaying VLAN Information 4-232

show vlan 4-232
Configuring IEEE 802.1Q Tunneling 4-233

dot1q-tunnel system-tunnel-control 4-233

switchport dot1q-tunnel mode 4-234

switchport dot1q-tunnel tpid 4-235

show dot1q-tunnel 4-235
Configuring Private VLANs 4-236

private-vlan 4-238

private vlan association 4-238

switchport mode private-vlan 4-239

switchport private-vlan host-association 4-240

switchport private-vlan isolated 4-240

switchport private-vlan mapping 4-241

show vlan private-vlan 4-242
Configuring Protocol-based VLANs 4-243

protocol-vlan protocol-group (Configuring Groups) 4-243

protocol-vlan protocol-group (Configuring Interfaces) 4-244

show protocol-vlan protocol-group 4-245

show interfaces protocol-vlan protocol-group 4-246

Priority Commands 4-247

Contents

xiv

www.digisol.com

Priority Commands (Layer 2) 4-247

queue mode 4-247
switchport priority default 4-248
queue bandwidth 4-249
queue cos-map 4-250
show queue mode 4-251
show queue bandwidth 4-251
show queue cos-map 4-252

Priority Commands (Layer 3 and 4) 4-253

map ip dscp 4-253
map ip port 4-254
map ip precedence 4-255
map ip tos 4-256
map access-list ip 4-257
map access-list mac 4-257
show map ip dscp 4-258
show map ip port 4-258
show map ip precedence 4-259
show map ip tos 4-259
show map access-list 4-260

Quality of Service Commands 4-261

class-map 4-262
match 4-263
policy-map 4-264
class 4-264
set 4-265
police 4-266
service-policy 4-267
show class-map 4-268
show policy-map 4-268
show policy-map interface 4-269

Voice VLAN Commands 4-269

voice vlan 4-270
voice vlan aging 4-271
voice vlan mac-address 4-271
switchport voice vlan 4-272
switchport voice vlan rule 4-273
switchport voice vlan security 4-273
switchport voice vlan priority 4-274
show voice vlan 4-275

Multicast Filtering Commands 4-276

IGMP Snooping Commands 4-276

ip igmp snooping 4-276
ip igmp snooping vlan static 4-277
ip igmp snooping version 4-277

DG-FS4526 User Manual

xv

www.digisol.com

ip igmp snooping leave-proxy 4-278

ip igmp snooping immediate-leave 4-279

show ip igmp snooping 4-279

show mac-address-table multicast 4-280
IGMP Query Commands (Layer 2) 4-281

ip igmp snooping querier 4-281

ip igmp snooping query-count 4-282

ip igmp snooping query-interval 4-282

ip igmp snooping query-max-response-time 4-283

ip igmp snooping router-port-expire-time 4-284
Static Multicast Routing Commands 4-284

ip igmp snooping vlan mrouter 4-285

show ip igmp snooping mrouter 4-285
IGMP Filtering and Throttling Commands 4-286

ip igmp filter (Global Configuration) 4-286

ip igmp profile 4-287

permit, deny 4-288

range 4-288

ip igmp filter (Interface Configuration) 4-289

ip igmp max-groups 4-289

ip igmp max-groups action 4-290

show ip igmp filter 4-291

show ip igmp profile 4-291

show ip igmp throttle interface 4-292

Multicast VLAN Registration Commands 4-292

mvr (Global Configuration) 4-293
mvr (Interface Configuration) 4-294
show mvr 4-296

IP Interface Commands 4-298

ip address 4-298
ip default-gateway 4-299
ip dhcp restart 4-300
show ip interface 4-300
show ip redirects 4-301
ping 4-301

DHCP Snooping Commands 4-303

ip dhcp snooping 4-303
ip dhcp snooping vlan 4-305
ip dhcp snooping trust 4-306
ip dhcp snooping verify mac-address 4-307
ip dhcp snooping information option 4-307
ip dhcp snooping information policy 4-308
ip dhcp snooping database flash 4-309
show ip dhcp snooping 4-309
show ip dhcp snooping binding 4-310

Contents

xvi

www.digisol.com

IP Source Guard Commands 4-310

ip source-guard 4-310
ip source-guard binding 4-312
show ip source-guard 4-313
show ip source-guard binding 4-313

Switch Cluster Commands 4-314

cluster 4-314
cluster commander 4-315
cluster ip-pool 4-315
cluster member 4-316
rcommand 4-317
show cluster 4-317
show cluster members 4-318
show cluster candidates 4-318

UPnP Commands 4-318

upnp device 4-319
upnp device ttl 4-319
upnp device advertise duration 4-320
show upnp 4-320

Appendix A: Software Specifications A-1

Software Features A-1
Management Features A-2
Standards A-2
Management Information Bases A-3

Appendix B: Troubleshooting B-1

Problems Accessing the Management Interface B-1
Using System Logs B-2

Glossary

Index

xvii

www.digisol.com

Tables

Table 1-1 Key Features 1-1
Table 1-2 System Defaults 1-6
Table 3-1 Configuration Options 3-3
Table 3-2 Main Menu 3-4
Table 3-3 Logging Levels 3-28
Table 3-5 Supported Notification Messages 3-44
Table 3-6 HTTPS System Support 3-65
Table 3-7 802.1X Statistics 3-79
Table 3-8 LACP Port Counters 3-109
Table 3-9 LACP Internal Configuration Information 3-110
Table 3-10 LACP Neighbor Configuration Information 3-112
Table 3-11 Port Statistics 3-117
Table 3-12 Mapping CoS Values to Egress Queues 3-182
Table 3-13 CoS Priority Levels 3-182
Table 3-14 IP DSCP to CoS Queue Mapping 3-187
Table 3-15 Mapping IP Precedence Values to CoS Priority Queues 3-190
Table 3-16 Mapping IP TOS Values to CoS Priority Queues 3-192
Table 4-1 Command Modes 4-6
Table 4-2 Configuration Modes 4-7
Table 4-3 Command Line Processing 4-8
Table 4-4 Command Groups 4-9
Table 4-5 Line Commands 4-10
Table 4-6 General Commands 4-19
Table 4-7 System Management Commands 4-24
Table 4-8 Device Designation Commands 4-24
Table 4-9 Banner Commands 4-25
Table 4-10 User Access Commands 4-35
Table 4-11 Default Login Settings 4-35
Table 4-12 IP Filter Commands 4-37
Table 4-13 Web Server Commands 4-39
Table 4-14 HTTPS System Support 4-40
Table 4-15 Telnet Server Commands 4-42
Table 4-16 SSH Commands 4-43
Table 4-17 show ssh - display description 4-50
Table 4-18 Event Logging Commands 4-52
Table 4-19 Logging Levels 4-53
Table 4-20 show logging flash/ram - display description 4-56
Table 4-21 show logging trap - display description 4-57
Table 4-22 SMTP Alert Commands 4-58
Table 4-23 Time Commands 4-62
Table 4-24 System Status Commands 4-66
Table 4-25 Frame Size Commands 4-72

Tables

xviii

www.digisol.com

Table 4-26 Flash/File Commands 4-73
Table 4-27 File Directory Information 4-77
Table 4-28 Authentication Commands 4-78
Table 4-29 Authentication Sequence 4-79
Table 4-30 RADIUS Client Commands 4-81
Table 4-31 TACACS+ Commands 4-85
Table 4-33 Port Security Commands 4-97
Table 4-34 802.1X Port Authentication 4-99
Table 4-35 Network Access 4-108
Table 4-36 Web Authentication 4-115
Table 4-37 Access Control Lists 4-122
Table 4-38 IP ACLs 4-123
Table 4-39 MAC ACL Commands 4-128
Table 4-40 ACL Information 4-132
Table 4-41 SNMP Commands 4-133
Table 4-42 show snmp engine-id - display description 4-141
Table 4-43 show snmp view - display description 4-143
Table 4-44 show snmp group - display description 4-146
Table 4-45 show snmp user - display description 4-148
Table 4-46 Interface Commands 4-150
Table 4-47 Interfaces Switchport Statistics 4-160
Table 4-48 Mirror Port Commands 4-162
Table 4-49 Rate Limit Commands 4-164
Table 4-50 Link Aggregation Commands 4-165
Table 4-51 show lacp counters - display description 4-172
Table 4-52 show lacp internal - display description 4-173
Table 4-53 show lacp neighbors - display description 4-174
Table 4-54 show lacp sysid - display description 4-174
Table 4-55 Address Table Commands 4-175
Table 4-56 LLDP Commands 4-178
Table 4-57 Spanning Tree Commands 4-201
Table 4-58 VLANs 4-220
Table 4-59 GVRP and Bridge Extension Commands 4-220
Table 4-60 Editing VLAN Groups 4-224
Table 4-61 Configuring VLAN Interfaces 4-226
Table 4-62 Show VLAN Commands 4-232
Table 4-63 IEEE 802.1Q Tunneling Commands 4-233
Table 4-64 Private VLAN Commands 4-236
Table 4-65 Protocol-based VLAN Commands 4-243
Table 4-66 Priority Commands 4-247
Table 4-67 Priority Commands (Layer 2) 4-247
Table 4-68 Default CoS Values to Egress Queues 4-250
Table 4-69 Priority Commands (Layer 3 and 4) 4-253
Table 4-70 IP DSCP to CoS Queue 4-253
Table 4-71 Mapping IP Precedence to CoS Queues 4-255

DG-FS4526 User Manual

xix

www.digisol.com

Table 4-72 IP TOS to CoS Queue 4-256
Table 4-73 Quality of Service Commands 4-261
Table 4-74 Voice VLAN Commands 4-269
Table 4-75 Multicast Filtering Commands 4-276
Table 4-76 IGMP Snooping Commands 4-276
Table 4-77 IGMP Query Commands (Layer 2) 4-281
Table 4-78 Static Multicast Routing Commands 4-284
Table 4-79 IGMP Filtering and Throttling Commands 4-286
Table 4-80 Multicast VLAN Registration Commands 4-293
Table 4-81 show mvr - display description 4-296
Table 4-82 show mvr interface - display description 4-297
Table 4-83 show mvr members - display description 4-297
Table 4-84 IP Interface Commands 4-298
Table 4-85 DHCP Snooping Commands 4-303
Table 4-86 IP Source Guard Commands 4-310
Table 4-87 Switch Cluster Commands 4-314
Table B-1 Troubleshooting Chart B-1

Tables

xx

www.digisol.com

xxi

www.digisol.com

Figures

Figure 3-1 Home Page 3-2
Figure 3-2 Panel Display 3-3
Figure 3-3 System Information 3-11
Figure 3-4 Switch Information 3-13
Figure 3-5 Bridge Extension Configuration 3-14
Figure 3-6 Manual IP Configuration 3-16
Figure 3-7 DHCP IP Configuration 3-17
Figure 3-8 Jumbo Frames Configuration 3-18
Figure 3-9 Copy Firmware 3-19
Figure 3-10 Setting the Startup Code 3-19
Figure 3-11 Deleting Files 3-20
Figure 3-12 Downloading Configuration Settings for Startup 3-21
Figure 3-13 Setting the Startup Configuration Settings 3-22
Figure 3-14 Console Port Settings 3-24
Figure 3-15 Enabling Telnet 3-26
Figure 3-16 Displaying Logs 3-27
Figure 3-17 System Logs 3-28
Figure 3-18 Remote Logs 3-30
Figure 3-19 Enabling and Configuring SMTP 3-31
Figure 3-20 Resetting the System 3-32
Figure 3-21 SNTP Configuration 3-33
Figure 3-22 Setting the System Clock 3-34
Figure 3-23 Setting the Current Date and Time 3-35
Figure 3-24 Configuring SNMP Community Strings 3-37
Figure 3-25 Configuring IP Trap Managers 3-38
Figure 3-26 Enabling SNMP Agent Status 3-39
Figure 3-27 Setting an Engine ID 3-40
Figure 3-28 Setting a Remote Engine ID 3-41
Figure 3-29 Configuring SNMPv3 Users 3-42
Figure 3-30 Configuring Remote SNMPv3 Users 3-43
Figure 3-31 Configuring SNMPv3 Groups 3-46
Figure 3-32 Configuring SNMPv3 Views 3-47
Figure 3-33 Access Levels 3-49
Figure 3-34 Authentication Settings 3-52
Figure 3-35 AAA Radius Group Settings 3-55
Figure 3-36 AAA TACACS+ Group Settings 3-56
Figure 3-37 AAA Accounting Settings 3-57
Figure 3-38 AAA Accounting Update 3-58
Figure 3-39 AAA Accounting 802.1X Port Settings 3-59
Figure 3-40 AAA Accounting Exec Command Privileges 3-60
Figure 3-41 AAA Accounting Exec Settings 3-61
Figure 3-42 AAA Accounting Summary 3-62

Figures

xxii

www.digisol.com

Figure 3-43 AAA Authorization Settings 3-63
Figure 3-44 AAA Authorization Exec Settings 3-64
Figure 3-45 AAA Authorization Summary 3-65
Figure 3-46 HTTPS Settings 3-66
Figure 3-47 SSH Server Settings 3-69
Figure 3-48 SSH Host-Key Settings 3-71
Figure 3-49 Configuring Port Security 3-73
Figure 3-50 802.1X Global Information 3-75
Figure 3-51 802.1X Global Configuration 3-76
Figure 3-52 802.1X Port Configuration 3-77
Figure 3-53 Displaying 802.1X Port Statistics 3-80
Figure 3-54 Web Authentication Configuration 3-81
Figure 3-55 Web Authentication Port Configuration 3-82
Figure 3-56 Web Authentication Port Information 3-83
Figure 3-57 Web Authentication Port Re-authentication 3-84
Figure 3-58 Network Access Configuration 3-86
Figure 3-59 Network Access Port Configuration 3-87
Figure 3-60 Network Access MAC Address Information 3-88
Figure 3-61 Selecting ACL Type 3-90
Figure 3-62 Configuring Standard IP ACLs 3-91
Figure 3-63 Configuring Extended IP ACLs 3-93
Figure 3-64 Configuring MAC ACLs 3-95
Figure 3-65 Configuring ACL Port Binding 3-96
Figure 3-66 Creating an IP Filter List 3-97
Figure 3-67 Displaying Port/Trunk Information 3-99
Figure 3-68 Port/Trunk Configuration 3-101
Figure 3-69 Configuring Static Trunks 3-104
Figure 3-70 LACP Trunk Configuration 3-106
Figure 3-71 LACP Port Configuration 3-108
Figure 3-72 LACP - Port Counters Information 3-110
Figure 3-73 LACP - Port Internal Information 3-111
Figure 3-74 LACP - Port Neighbors Information 3-113
Figure 3-75 Port Broadcast Control 3-114
Figure 3-76 Mirror Port Configuration 3-116
Figure 3-77 Input Rate Limit Port Configuration 3-117
Figure 3-78 Port Statistics 3-121
Figure 3-79 Configuring a Static Address Table 3-123
Figure 3-80 Configuring a Dynamic Address Table 3-124
Figure 3-81 Setting the Address Aging Time 3-125
Figure 3-82 Displaying Spanning Tree Information 3-128
Figure 3-83 Configuring Spanning Tree 3-131
Figure 3-84 Displaying Spanning Tree Port Information 3-134
Figure 3-85 Configuring Spanning Tree per Port 3-137
Figure 3-86 Configuring Multiple Spanning Trees 3-138
Figure 3-87 Displaying MSTP Interface Settings 3-140

DG-FS4526 User Manual

xxiii

www.digisol.com

Figure 3-88 Displaying MSTP Interface Settings 3-143
Figure 3-89 Globally Enabling GVRP 3-146
Figure 3-90 Displaying Basic VLAN Information 3-147
Figure 3-91 Displaying Current VLANs 3-148
Figure 3-92 Configuring a VLAN Static List 3-150
Figure 3-93 Configuring a VLAN Static Table 3-151
Figure 3-94 VLAN Static Membership by Port 3-152
Figure 3-95 Configuring VLANs per Port 3-154
Figure 3-96 802.1Q Tunnel Status and Ethernet Type 3-159
Figure 3-97 Tunnel Port Configuration 3-161
Figure 3-98 Private VLAN Information 3-163
Figure 3-99 Private VLAN Configuration 3-164
Figure 3-100 Private VLAN Association 3-165
Figure 3-101 Private VLAN Port Information 3-166
Figure 3-102 Private VLAN Port Configuration 3-167
Figure 3-103 Protocol VLAN Configuration 3-169
Figure 3-104 Protocol VLAN Port Configuration 3-170
Figure 3-105 LLDP Configuration 3-172
Figure 3-106 LLDP Port Configuration 3-174
Figure 3-107 LLDP Local Device Information 3-175
Figure 3-108 LLDP Remote Port Information 3-176
Figure 3-109 LLDP Remote Information Details 3-177
Figure 3-110 LLDP Device Statistics 3-179
Figure 3-111 LLDP Device Statistics Details 3-180
Figure 3-112 Port Priority Configuration 3-181
Figure 3-113 Traffic Classes 3-183
Figure 3-114 Queue Mode 3-184
Figure 3-115 Configuring Queue Scheduling 3-185
Figure 3-116 IP DSCP Priority Status 3-186
Figure 3-117 Mapping IP DSCP Priority Values 3-187
Figure 3-118 Globally Enabling the IP Port Priority Status 3-188
Figure 3-119 IP Port Priority 3-189
Figure 3-120 Globally Enabling the IP Precedence Priority Status 3-190
Figure 3-121 Mapping IP Precedence to Class of Service Queues 3-191
Figure 3-122 Globally Enabling the IP TOS Priority Status 3-192
Figure 3-123 Mapping IP TOS to Class of Service Queues 3-193
Figure 3-124 Mapping CoS Values to ACLs 3-194
Figure 3-125 Configuring Class Maps 3-197
Figure 3-126 Configuring Policy Maps 3-200
Figure 3-127 Service Policy Settings 3-201
Figure 3-128 Configuring VoIP Traffic 3-203
Figure 3-129 VoIP Traffic Port Configuration 3-204
Figure 3-130 Telephony OUI List 3-206
Figure 3-131 IGMP Configuration 3-210
Figure 3-132 IGMP Immediate Leave 3-211

Figures

xxiv

www.digisol.com

Figure 3-133 Displaying Multicast Router Port Information 3-212
Figure 3-134 Static Multicast Router Port Configuration 3-213
Figure 3-135 IP Multicast Registration Table 3-214
Figure 3-136 IGMP Member Port Table 3-215
Figure 3-137 Enabling IGMP Filtering and Throttling 3-216
Figure 3-138 IGMP Profile Configuration 3-218
Figure 3-139 IGMP Filter and Throttling Port Configuration 3-219
Figure 3-140 MVR Global Configuration 3-222
Figure 3-141 MVR Port Information 3-223
Figure 3-142 MVR Group IP Information 3-224
Figure 3-143 MVR Port Configuration 3-225
Figure 3-144 MVR Group Member Configuration 3-226
Figure 3-145 DHCP Snooping Configuration 3-228
Figure 3-146 DHCP Snooping VLAN Configuration 3-229
Figure 3-147 DHCP Snooping Information Option Configuration 3-230
Figure 3-148 DHCP Snooping Port Configuration 3-230
Figure 3-149 IP Source Guard Port Configuration 3-232
Figure 3-150 Static IP Source Guard Binding Configuration 3-233
Figure 3-151 Dynamic IP Source Guard Binding Information 3-234
Figure 3-152 Cluster Member Choice 3-235
Figure 3-153 Cluster Configuration 3-236
Figure 3-154 Cluster Member Configuration 3-237
Figure 3-155 Cluster Member Information 3-237
Figure 3-156 Cluster Candidate Information 3-238
Figure 3-157. UPnP Configuration 3-239

1-1

www.digisol.com

Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a
management agent that allows you to configure the features listed in this manual.
The default configuration can be used for most of the features provided by this
switch. However, there are many options that you should configure to maximize the
switch’s performance for your particular network environment.

Key Features

Table 1-1 Key Features

Feature Description

Configuration Backup and
Restore

Backup to TFTP server

Authentication AAA – Authentication, Authorization, and Accounting

Console, Telnet, web – User name / password, RADIUS, TACACS+
Web – HTTPS
Teln et – SS H
SNMP v1/2c - Community strings
SNMP version 3 – MD5 or SHA password
Port – IEEE 802.1X, MAC address filtering

Access Control Lists Supports IP and MAC ACLs, 100 rules per system

DHCP Client Supported

DHCP Snooping Supported with Option 82 relay information

Port Configuration Speed, duplex mode and flow control

Rate Limiting Input rate limiting per port

Port Mirroring One port mirrored to a single analysis port

Port Trunking Supports up to 12 trunks using either static or dynamic trunking (LACP)

Broadcast Storm Control Supported

Static Address Up to 8K MAC addresses in the forwarding table

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames

Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple

Spanning Trees (MSTP)

Virtual LANs Up to 255 using IEEE 802.1Q, port-based, private VLANs, protocol VLANs,

QinQ tunneling, Voice VLAN

Traffic Prioritization Default port priority, traffic class map, queue scheduling, or Differentiated

Services Code Point (DSCP), IP Precedence, IP TOS, and TCP/UDP Port

Quality of Service Supports Differentiated Services (DiffServ)

Introduction

1-2

1

www.digisol.com

Description of Software Features

The switch provides a wide range of advanced performance enhancing features.
Flow control eliminates the loss of packets due to bottlenecks caused by port
saturation. Broadcast storm suppression prevents broadcast traffic storms from
engulfing the network. Port-based and private VLANs, plus support for automatic
GVRP VLAN registration provide traffic security and efficient use of network
bandwidth. CoS priority queueing ensures the minimum delay for moving real-time
multimedia data across the network. While multicast filtering provides support for
real-time network applications. Some of the management features are briefly
described below.

Configuration Backup and Restore – You can save the current configuration
settings to a file on a TFTP server, and later download this file to restore the switch
configuration settings.

Authentication – The switch supports Authentication, authorization, and accounting
(AAA) as the main framework for configuring access control on the switch. AAA
provides accounting and billing for IEEE 802.1X authenticated users that access the
network, and for users that access management interfaces through the console and
Telnet. Authorization is provided for users that access management interfaces on
the switch through the console and Telnet. The AAA features use RADIUS or
TACACS+ server groups for centralized and robust administration control.

Other authentication options include HTTPS for secure management access via the
web, SSH for secure management access over a Telnet-equivalent connection, IP
address filtering for SNMP/web/Telnet management access, and MAC address
filtering for port access.

Access Control Lists – ACLs provide packet filtering for IP frames (based on
address, protocol, or TCP/UDP port number) or any frames (based on MAC address
or Ethernet type). ACLs can be used to improve performance by blocking
unnecessary network traffic or to implement security controls by restricting access to
specific network resources or protocols.

Port Configuration – You can manually configure the speed, duplex mode, and
flow control used on specific ports, or use auto-negotiation to detect the connection
settings used by the attached device. Use the full-duplex mode on ports whenever
possible to double the throughput of switch connections. Flow control should also be
enabled to control network traffic during periods of congestion and prevent the loss
of packets when port buffer thresholds are exceeded. The switch supports flow
control based on the IEEE 802.3x standard.

Multicast Filtering Supports IGMP snooping and query, as well as Multicast VLAN Registration

Switch Clustering Supports up to 36 Member switches in a cluster

Table 1-1 Key Features

Feature Description

DG-FS4526 User Manual

1-3

1

www.digisol.com

Rate Limiting – This feature controls the maximum rate for traffic received on an
interface. Rate limiting is configured on interfaces at the edge of a network to limit
traffic into the network. Packets that exceed the acceptable amount of traffic are
dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a
monitor port. You can then attach a protocol analyzer or RMON probe to this port to
perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can
be manually set up or dynamically configured using IEEE 802.3ad Link Aggregation
Control Protocol (LACP). The additional ports dramatically increase the throughput
across any connection, and provide redundancy by taking over the load if a port in
the trunk should fail. The switch supports up to 12 trunks.

Broadcast Storm Control – Broadcast suppression prevents broadcast traffic from
overwhelming the network. When enabled on a port, the level of broadcast traffic
passing through the port is restricted. If broadcast traffic rises above a pre-defined
threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A static address can be assigned to a specific interface on this
switch. Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and
will not be written to the address table. Static addresses can be used to provide
network security by restricting access for a known host to a specific port.

IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The
address table facilitates data switching by learning addresses, and then filtering or
forwarding traffic based on this information. The address table supports up to 8K
addresses.

Store-and-Forward Switching – The switch copies each frame into its memory
before forwarding them to another port. This ensures that all frames are a standard
Ethernet size and have been verified for accuracy with the cyclic redundancy check
(CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 2 Mbits for frame
buffering. This buffer can queue packets awaiting transmission on congested
networks.

Spanning Tree Algorithm – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection
and recovery by allowing two or more redundant connections to be created between
a pair of LAN segments. When there are multiple physical paths between segments,
this protocol will choose a single path and disable all others to ensure that only one
route exists between any two stations on the network. This prevents the creation of
network loops. However, if the chosen path should fail for any reason, an alternate
path will be activated to maintain the connection.

Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the
convergence time for network topology changes to 3 to 5 seconds, compared to 30

Introduction

1-4

1

www.digisol.com

seconds or more for the older IEEE 802.1D STP standard. It is intended as a
complete replacement for STP, but can still interoperate with switches running the
older standard by automatically reconfiguring ports to STP-compliant mode if they
detect STP protocol messages from attached devices.

Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct
extension of RSTP. It can provide an independent spanning tree for different VLANs.
It simplifies network management, provides for even faster convergence than RSTP
by limiting the size of each region, and prevents VLAN members from being
segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection
of network nodes that share the same collision domain regardless of their physical
location or connection point in the network. The switch supports tagged VLANs
based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically
learned via GVRP, or ports can be manually assigned to a specific set of VLANs.
This allows the switch to restrict traffic to the VLAN groups to which a user has been
assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a flat network.

• Simplify network management for node changes/moves by remotely configuring
VLAN membership for any port, rather than having to manually change the network
connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports and the uplink
ports, thereby isolating adjacent ports within the same VLAN, and allowing you to
limit the total number of VLANs that need to be configured.

• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

Note: The switch allows 255 user-manageable VLANs. One other VLAN (VLAN ID 4093)

is reserved for switch clustering.

Traffic Prioritization – This switch prioritizes each packet based on the required
level of service, using four priority queues with strict, Weighted Round Robin, or
hybrid queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic
based on input from the end-station application. These functions can

be used to

provide independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to
meet application requirements. Traffic can be prioritized based on the IPv4 header
Type-of-Service field using DSCP, IP Precedence, IP TOS values, or TCP/UDP port
numbers. When these services are enabled, the priorities are mapped to a Class of
Service output queue.

Quality of Service – Differentiated Services (DiffServ) provides policy-based
management mechanisms used for prioritizing network resources to meet the
requirements of specific traffic types on a per-hop basis. Each packet is classified
upon entry into the network based on access lists, IP Precedence or DSCP values,
or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3,

DG-FS4526 User Manual

1-5

1

www.digisol.com

or Layer 4 information contained in each packet. Based on network policies, different
kinds of traffic can be marked for different kinds of forwarding.

Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to
ensure that it does not interfere with normal network traffic and to guarantee
real-time delivery by setting the required priority level for the designated VLAN. The
switch uses IGMP Snooping and Query to manage multicast group registration. It
also supports Multicast VLAN Registration (MVR) which allows common multicast
traffic, such as television channels, to be transmitted across a single network-wide
multicast VLAN shared by hosts residing in other standard or private VLAN groups,
while preserving security and data isolation for normal traffic.

Switch Clustering – Clustering allows up to 36 switches to be grouped together for
centralized management through a single unit. Switches can be included in a cluster
regardless of physical location or switch type, as long as they support clustering and
are connected to the same local network.

Link Layer Discovery Protocol (LLDP) – LLDP is used to discover basic
information about neighboring devices within the local broadcast domain. LLDP is a
Layer 2 protocol that advertises information about the sending device and collects
information gathered from neighboring network nodes it discovers.

Advertised information is represented in Type Length Value (TLV) format according
to the IEEE 802.1ab standard, and can include details such as device identification,
capabilities and configuration settings. Media Endpoint Discovery (LLDP-MED) is an
extension of LLDP intended for managing endpoint devices such as Voice over IP
phones and network switches. The LLDP-MED TLVs advertise information such as
network policy, power, inventory, and device location details. The LLDP and
LLDP-MED information can be used by SNMP applications to simplify
troubleshooting, enhance network management, and maintain an accurate network
topology.

Introduction

1-6

1

www.digisol.com

System Defaults

The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as
the startup configuration file (page 3-20).

The following table lists some of the basic system defaults.

Table 1-2 System Defaults

Function Parameter Default

Console Port
Connection

Baud Rate 9600

Data bits 8

Stop bits 1

Parity none

Local Console Timeout 0 (disabled)

Authentication Privileged Exec Level Username “admin”

Password “admin”

Normal Exec Level Username “guest”

Password “guest”

Enable Privileged Exec from Normal
Exec Level

Password “super”

RADIUS Authentication Disabled

TACACS Authentication Disabled

802.1X Port Authentication Disabled

HTTPS Enabled

SSH Disabled

Port Security Disabled

IP Filtering Disabled

Web Management HTTP Server Enabled

HTTP Port Number 80

HTTP Secure Server Enabled

HTTP Secure Port Number 443

SNMP Community Strings “public” (read only)

“private” (read/write)

Traps Authentication traps: enabled

Link-up-down events: enabled

DG-FS4526 User Manual

1-7

1

www.digisol.com

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Rate Limiting Input limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Broadcast Storm
Protection

Status Enabled (all ports)

Broadcast Limit Rate 5k octets per second

Spanning Tree
Algorithm

Status Enabled, RSTP

(Defaults: All values based on IEEE 802.1w)

Fast Forwarding (Edge Port) Disabled

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

PVID 1

Acceptable Frame Type All

Ingress Filtering Enabled

Switchport Mode (Egress Mode) Hybrid: tagged/untagged frames

GVRP (global) Disabled

GVRP (port interface) Disabled

Traffic Prioritization Ingress Port Priority 0

Weighted Round Robin Queue: 0 1 2 3

Weight: 1 2 4 8

IP DSCP Priority Disabled

IP Precedence Priority Disabled

IP TOS Priority Disabled

IP Port Priority Disabled

IP Settings IP Address DHCP assigned, otherwise 192.168.1.1

Subnet Mask 255.255.255.0

Default Gateway 0.0.0.0

DHCP Client: Enabled

BOOTP Disabled

Table 1-2 System Defaults (Continued)

Function Parameter Default

Introduction

1-8

1

www.digisol.com

Multicast Filtering IGMP Snooping Snooping: Enabled

Querier: Enabled

Multicast VLAN Registration Disabled

System Log Status Enabled

Messages Logged Levels 0-6 (all)

Messages Logged to Flash Levels 0-3

SMTP Email Alerts Event Handler Enabled (but no server defined)

SNTP Clock Synchronization Disabled

DHCP Snooping Status Disabled

IP Source Guard Status Disabled (all ports)

Switch Clustering Status Enabled

Commander Disabled

Table 1-2 System Defaults (Continued)

Function Parameter Default

2-1

www.digisol.com

Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The switch includes a built-in network management agent. The agent offers a variety
of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a
web-based interface. A PC may also be connected directly to the switch for
configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this

address, see “Setting an IP Address” on page 2-4.

The switch’s HTTP web agent allows you to configure switch parameters, monitor
port connections, and display statistics using a standard web browser such as
Netscape version 6.2 and higher or Microsoft IE version 5.0 and higher. The switch’s
web management interface can be accessed from any computer attached to the
network.

The CLI program can be accessed by a direct connection to the RS-232 serial
console port on the switch, or remotely by a Telnet connection over the network.

The switch’s management agent also supports SNMP (Simple Network
Management Protocol). This SNMP agent permits the switch to be managed from
any system in the network using network management software.

The switch’s web interface, CLI configuration program, and SNMP agent allow you
to perform the following management functions:

• Set user names and passwords

• Set an IP interface for a management VLAN

• Configure SNMP parameters

• Enable/disable any port

• Set the speed/duplex mode for any port

• Configure the bandwidth of any port by limiting input rates

• Control port access through IEEE 802.1X security or static address filtering

• Filter packets using Access Control Lists (ACLs)

• Configure up to 255 IEEE 802.1Q VLANs

• Enable GVRP automatic VLAN registration

• Configure IGMP multicast filtering

• Upload and download system firmware via TFTP

• Upload and download switch configuration files via TFTP

• Configure Spanning Tree parameters

• Configure Class of Service (CoS) priority queuing

• Configure up to 12 static or LACP trunks

Initial Configuration

2-2

2

www.digisol.com

• Enable port mirroring

• Set broadcast storm control on any port

• Display system information and statistics

Required Connections

The switch provides an RS-232 serial port that enables a connection to a PC or
terminal for monitoring and configuring the switch. A null-modem console cable is
provided with the switch.

Attach a VT100-compatible terminal, or a PC running a terminal emulation program
to the switch. You can use the console cable provided with this package, or use a
null-modem cable that complies with the wiring assignments shown in the
Installation Guide.

To connect a terminal to the console port, complete the following steps:

1. Connect the console cable to the serial port on a terminal, or a PC running

terminal emulation software, and tighten the captive retaining screws on the
DB-9 connector.

2. Connect the other end of the cable to the RS-232 serial port on the switch.

3. Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or COM port 2).

• Set the baud rate to 9600 bps.

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

Notes: 1. Refer to “Line Commands” on page 4-10 for a complete description of

console configuration options.

2. Once you have set up the terminal correctly, the console login screen will be
displayed.

For a description of how to use the CLI, see “Using the Command Line Interface” on
page 4-1. For a list of all the CLI commands and detailed information on using the
CLI, refer to “Command Groups” on page 4-9.

DG-FS4526 User Manual

2-3

2

www.digisol.com

Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must
first configure it with a valid IP address, subnet mask, and default gateway using a
console connection, DHCP or BOOTP protocol.

The IP address for this switch is obtained via DHCP by default. To manually
configure this address or enable dynamic address assignment via DHCP or BOOTP,
see “Setting an IP Address” on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.

After configuring the switch’s IP parameters, you can access the onboard
configuration program from anywhere within the attached network. The onboard
configuration program can be accessed using Telnet from any computer attached to
the network. The switch can also be managed by any computer using a web
browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above), or from a
network computer using SNMP network management software.

Note: The onboard program only provides access to basic configuration functions. To

access the full range of SNMP management functions, you must use
SNMP-based network management software.

Basic Configuration

Console Connection

The CLI program provides two different command levels — normal access level
(Normal Exec) and privileged access level (Privileged Exec). The commands
available at the Normal Exec level are a limited subset of those available at the
Privileged Exec level and allow you to only display information and use basic
utilities. To fully configure the switch parameters, you must access the CLI at the
Privileged Exec level.

Access to both CLI levels are controlled by user names and passwords. The switch
has a default user name and password for each level. To log into the CLI at ]the
Privileged Exec level using the default user name and password, perform these
steps:

1. To initiate your console connection, press <Enter>. The “User Access
Verification” procedure starts.

2. At the Username prompt, enter “admin.”

3. At the Password prompt, also enter “admin.” (The password characters are not
displayed on the console screen.)

4. The session is opened and the CLI displays the “Console#” prompt indicating
you have access at the Privileged Exec level.

Initial Configuration

2-4

2

www.digisol.com

Setting Passwords

Note: If this is your first time to log into the CLI program, you should define new

passwords for both default user names using the “username” command, record
them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to
access the Privileged Exec level.

2. Type “configure” and press <Enter>.

3. Type “username guest password 0 password,” for the Normal Exec level, where
password is your new password. Press <Enter>.

4. Type “username admin password 0 password,” for the Privileged Exec level,
where password is your new password. Press <Enter>.

Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted

form.

Setting an IP Address

You must establish IP address information for the stack to obtain management
access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask.
If your management station is not in the same IP subnet as the stack’s master unit,
you will also need to specify the default gateway router.

Dynamic — The switch sends IP configuration requests to BOOTP or DHCP
address allocation servers on the network.

Manual Configuration

You can manually assign an IP address to the switch. You may also need to specify
a default gateway that resides between this device and management stations that
exist on another network segment. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Note: The IP address for this switch is obtained via DHCP by default.

Username: admin
Password:

CLI session with the DG-FS4526 is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

DG-FS4526 User Manual

2-5

2

www.digisol.com

Before you can assign an IP address to the switch, you must obtain the following
information from your network administrator:

• IP address for the switch

• Default gateway for the network

• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type
“interface vlan 1” to access the interface-configuration mode. Press <Enter>.

2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP
address and “netmask” is the network mask for the network. Press <Enter>.

3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.

4. To set the IP address of the default gateway for the network to which the switch
belongs, type “ip default-gateway gateway,” where “gateway” is the IP address
of the default gateway. Press <Enter>.

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until
a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp
restart” command to start broadcasting service requests. Requests will be sent
periodically in an effort to obtain IP configuration information. (BOOTP and DHCP
values can include the IP address, subnet mask, and default gateway.)

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the
switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP
address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access
the interface-configuration mode. Press <Enter>.

2. At the interface-configuration mode prompt, use one of the following commands:

• To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.

• To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.

3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Type “ip dhcp restart” to begin broadcasting service requests. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Initial Configuration

2-6

2

www.digisol.com

5. Wait a few minutes, and then check the IP configuration settings by typing the
“show ip interface” command. Press <Enter>.

6. Then save your configuration changes by typing “copy running-config
startup-config.” Enter the startup file name and press <Enter>.

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications. You can configure the switch
to (1) respond to SNMP requests or (2) generate SNMP traps.

When SNMP management stations send requests to the switch (either to return
information or to set a parameter), the switch provides the requested data or sets the
specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap
messages, which inform the manager that certain events have occurred.

The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3
clients. To provide management access for version 1 or 2c clients, you must specify
a community string. The switch provides a default MIB View (i.e., an SNMPv3
construct) for the default “public” community string that provides read access to the
entire MIB tree, and a default view for the “private” community string that provides
read/write access to the entire MIB tree. However, you may assign new views to
version 1 or 2c community strings that suit your specific security requirements (see
page 3-46).

Community Strings (for SNMP version 1 and 2c clients)

Community strings are used to control management access to SNMP version 1 and
2c stations, as well as to authorize SNMP stations to receive trap messages from
the switch. You therefore need to assign community strings to specified users, and
set the access level.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

DG-FS4526 User Manual

2-7

2

www.digisol.com

The default strings are:

• public - with read-only access. Authorized management stations are only able to
retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both
retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is
recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type

“snmp-server community string mode,” where “string” is the community access
string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that
the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,”

where “string” is the community access string to remove. Press <Enter>.

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we

recommend that you delete both of the default community strings. If there are no
community strings, then SNMP management access from SNMP v1 and v2c
clients is disabled.

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To
configure a trap receiver, use the “snmp-server host” command. From the Privileged
Exec level global configuration mode prompt, type:

“snmp-server host host-address community-string

[version {1 | 2c | 3 {auth | noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string”
specifies access rights for a version 1/2c host, or is the user name of a version 3
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means
that authentication, no authentication, or authentication and privacy is used for v3
clients. Then press <Enter>. For a more detailed description of these parameters,
see “snmp-server host” on page 4-137. The following example creates a trap host
for each type of SNMP client.

Console(config)#snmp-server community admin rw 4-135
Console(config)#snmp-server community private
Console(config)#

Console(config)#snmp-server host 10.1.19.23 batman 4-137
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#

Initial Configuration

2-8

2

www.digisol.com

Configuring Access for SNMP Version 3 Clients

To configure management access for SNMPv3 clients, you need to first create a
view that defines the portions of MIB that the client can read or write, assign the view
to a group, and then assign the user to a group. The following example creates one
view called “mib-2” that includes the entire MIB-2 tree branch, and then another view
that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/
write views to a group call “r&d” and specifies group authentication via MD5 or SHA.
In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for
authentication, provides the password “greenpeace” for authentication, and the
password “einstien” for encryption.

For a more detailed explanation on how to configure the switch for access from
SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-35, or
refer to the specific CLI commands for SNMP starting on page 4-133.

Saving Configuration Settings

Configuration commands only modify the running configuration file and are not
saved when the switch is rebooted. To save all your configuration changes in
nonvolatile storage, you must copy the running configuration file to the start-up
configuration file using the “copy” command.

To save the current configuration settings, enter the following command:

1. From the Privileged Exec mode prompt, type “copy running-config
startup-config” and press <Enter>.

2. Enter the name of the start-up file. Press <Enter>.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included 4-142
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d 4-144
Console(config)#snmp-server user steve group r&d v3 auth md5

greenpeace priv des56 einstien 4-146

Console(config)#

Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.

\Write to FLASH finish.
Success.

Console#

DG-FS4526 User Manual

2-9

2

www.digisol.com

Managing System Files

The switch’s flash memory supports three types of system files that can be managed
by the CLI program, web interface, or SNMP. The switch’s file system allows files to
be uploaded and downloaded, copied, deleted, and set as a start-up file.

The three types of files are:

• Configuration — This file stores system configuration information and is created
when configuration settings are saved. Saved configuration files can be selected
as a system start-up file or can be uploaded via TFTP to a server for backup. A file
named “Factory_Default_Config.cfg” contains all the system default settings and
cannot be deleted from the system. See “Saving or Restoring Configuration
Settings” on page 3-20 for more information.

• Operation Code — System software that is executed after boot-up, also known as
run-time code. This code runs the switch operations and provides the CLI and web
management interfaces. See “Managing Firmware” on page 3-18 for more
information.

• Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).

Due to the size limit of the flash memory, the switch supports only two operation
code files. However, you can have as many diagnostic code files and configuration
files as available flash memory space allows.

In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file
are run, and then the start-up configuration file is loaded.

Note that configuration files should be downloaded using a file name that reflects the
contents or usage of the file settings. If you download directly to the running-config,
the system will reboot, and the settings will have to be copied from the
running-config to a permanent file.

Initial Configuration

2-10

2

www.digisol.com

3-1

www.digisol.com

Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP web agent. Using a web browser you can
configure the switch and view statistics to monitor network activity. The web agent
can be accessed by any computer on the network using a standard web browser
(Internet Explorer 5.0 or above, or Netscape 6.2 or above).

Note:

You can also use the Command Line Interface (CLI) to manage the switch over a
serial connection to the console port or via Telnet. For more information on using
the CLI, refer to Chapter 4: “Command Line Interface.”

Prior to accessing the switch from a web browser, be sure you have first performed
the following tasks:

1. Configure the switch with a valid IP address, subnet mask, and default gateway

using an out-of-band serial connection, BOOTP or DHCP protocol. (See
“Setting an IP Address” on page 2-4.)

2. Set user names and passwords using an out-of-band serial connection. Access

to the web agent is controlled by the same user names and passwords as the
onboard configuration program. (See “Setting Passwords” on page 2-4.)

3. After you enter a user name and password, you will have access to the system

configuration program.

Notes: 1.

You are allowed three attempts to enter the correct password; on the third
failed attempt the current connection is terminated.

2.

If you log into the web interface as guest (Normal Exec level), you can view
the configuration settings or change the guest password. If you log in as
“admin” (Privileged Exec level), you can change the settings on any page.

3.

If the path between your management station and this switch does not pass
through any device that uses the Spanning Tree Algorithm, then you can set
the switch port attached to your management station to fast forwarding (i.e.,
enable Admin Edge Port) to improve the switch’s response time to
management commands issued through the web interface. See “Configuring
Interface Settings” on page 3-135.

Configuring the Switch

3-2

3

www.digisol.com

Navigating the Web Browser Interface

To access the web-browser interface you must first enter a user name and
password. The administrator has Read/Write access to all configuration parameters
and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your web browser connects with the switch’s web agent, the home page is
displayed as shown below. The home page displays the Main Menu on the left side
of the screen and System Information on the right side. The Main Menu links are
used to navigate to other menus, and display configuration parameters and
statistics.

Figure 3-1 Home Page

DG-FS4526 User Manual

3-3

3

www.digisol.com

Configuration Options

Configurable parameters have a dialog box or a drop-down list. Once a configuration
change has been made on a page, be sure to click on the Apply button to confirm
the new setting. The following table summarizes the web page configuration
buttons.

Notes: 1.

To ensure proper screen refresh, be sure that Internet Explorer is configured
so that the setting “Check for newer versions of stored pages” reads “Every
visit to the page”.
Internet Explorer 6.x and earlier: This option is available under the menu
“Tools / Internet Options / General / Temporary Internet Files / Settings”.
Internet Explorer 7.x: This option is available under “Tools / Internet Options
/ General / Browsing History / Settings / Temporary Internet Files”.

2.

You may have to manually refresh the screen after making configuration
changes by pressing the browser’s refresh button.

Panel Display

The web agent displays an image of the switch’s ports. The Mode can be set to
display different information for the ports, including Active (i.e., up or down), Duplex
(i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on
the image of a port opens the Port Configuration page as described on page 3-100.

Figure 3-2 Panel Display

Table 3-1 Configuration Options

Button Action

Revert Cancels specified values and restores current values prior to pressing Apply.

Apply Sets specified values to the system.

Help Links directly to webhelp.

Configuring the Switch

3-4

3

www.digisol.com

Main Menu

Using the onboard web agent, you can define system parameters, manage and
control the switch, and all its ports, or monitor network conditions. The following
table briefly describes the selections available from this program.

Table 3-2 Main Menu

Menu Description Page

System 3-11

System Information Provides basic system description, including contact information 3-11

Switch Information Shows the number of ports, hardware/firmware version

numbers, and power status

3-12

Bridge Extension
Configuration

Shows the bridge extension parameters 3-14

IP Configuration Sets the IP address for management access 3-15

Jumbo Frames Enables jumbo frame packets. 3-18

File Management 3-18

Copy Operation Allows the transfer and copying files 3-18

Delete Allows deletion of files from the flash memory 3-19

Set Start-Up Sets the startup file 3-19

Line 3-22

Console Sets console port connection parameters 3-22

Telnet Sets Telnet connection parameters 3-25

Log 3-27

Logs Stores and displays error messages 3-27

System Logs Sends error messages to a logging process 3-27

Remote Logs Configures the logging of messages to a remote logging process 3-29

SMTP Sends an SMTP client message to a participating server. 3-30

Reset Restarts the switch 3-32

Calendar Manually sets the system clock date and time 3-34

SNTP 3-33

Configuration Configures SNTP client settings, including broadcast mode or a

specified list of servers

3-33

Clock Time Zone Sets the local time zone for the system clock 3-34

SNMP 3-35

Configuration Configures community strings and related trap functions 3-36

Agent Status Enables or disables SNMP Agent Status 3-38

DG-FS4526 User Manual

3-5

3

www.digisol.com

SNMPv3 3-39

Engine ID Sets the SNMP v3 engine ID on this switch 3-39

Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-41

Users Configures SNMP v3 users on this switch 3-41

Remote Users Configures SNMP v3 users from a remote device 3-43

Groups Configures SNMP v3 groups 3-44

Views Configures SNMP v3 views 3-46

Security 3-48

User Accounts Assigns a new password for the current user 3-48

Authentication Settings Configures authentication sequence, RADIUS and TACACS 3-50

AAA 3-54

RADIUS Group Settings Defines the configured RADIUS servers to use for accounting 3-55

TACACS+ Group Settings Defines the configured TACACS+ servers to use for accounting 3-55

Accounting

Settings Configures accounting of requested services for billing or

security purposes

3-58

Periodic Update Sets the interval at which accounting updates are sent to

RADIUS AAA servers

3-55

802.1X Port Settings Applies the specified accounting method to an interface 3-58

Exec Settings Specifies console or Telnet authentication method 3-61

Summary Displays accounting information and statistics 3-61

Authorization 3-63

Settings Configures authorization of requested services 3-63

EXEC Settings Specifies console or Telnet authorization method 3-64

Summary Displays authorization information 3-64

HTTPS Settings Configures secure HTTP settings 3-65

SSH 3-67

Settings Configures Secure Shell server settings 3-72

Host-Key Settings Generates the host key pair (public and private) 3-70

Port Security Configures per port security, including status, response for

security breach, and maximum allowed MAC addresses

3-72

802.1X 3-73

Information Displays global configuration settings for 802.1X Port

authentication

3-75

Table 3-2 Main Menu (Continued)

Menu Description Page

Configuring the Switch

3-6

3

www.digisol.com

Configuration Configures the global configuration settings 3-75

Port Configuration Sets parameters for individual ports 3-76

Statistics Displays protocol statistics for the selected port 3-79

Web Authentication 3-80

Configuration Configures Web Authentication settings 3-81

Port Configuration Enables Web Authentication for individual ports 3-82

Port Information Displays status information for individual ports 3-83

Re-authentication Forces a host to re-authenticate itself immediately 3-84

Network Access 3-84

Configuration Configures global Network Access parameters 3-85

Port Configuration Configures Network Access parameters for individual ports 3-86

MAC Address Information Displays Network Access statistics sorted by various attributes 3-88

ACL 3-89

Configuration Configures packet filtering based on IP or MAC addresses 3-89

Port Binding Binds a port to the specified ACL 3-95

IP Filter Sets IP addresses of clients allowed management access via

the web, SNMP, and Telnet

3-96

Port 3-98

Port Information Displays port connection status 3-98

Trunk Information Displays trunk connection status 3-98

Port Configuration Configures port connection settings 3-100

Trunk Configuration Configures trunk connection settings 3-100

Trunk Membership Specifies ports to group into static trunks 3-104

LACP 3-105

Configuration Allows ports to dynamically join trunks 3-105

Aggregation Port Configures parameters for link aggregation group members 3-107

Port Counters Information Displays statistics for LACP protocol messages 3-109

Port Internal Information Displays settings and operational state for the local side 3-110

Port Neighbors Information Displays settings and operational state for the remote side 3-112

Port Broadcast Control Sets the broadcast storm threshold for each port 3-113

Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 3-113

Mirror Port Configuration Sets the source and target ports for mirroring 3-115

Table 3-2 Main Menu (Continued)

Menu Description Page

DG-FS4526 User Manual

3-7

3

www.digisol.com

Rate Limit 3-116

Input Port Configuration Sets the input rate limit for each port 3-116

Output Port Configuration Sets the output rate limit for ports 3-116

Port Statistics Lists Ethernet and RMON port statistics 3-117

Address Table 3-122

Static Addresses Displays entries for interface, address or VLAN 3-122

Dynamic Addresses Displays or edits static entries in the Address Table 3-123

Address Aging Sets timeout for dynamically learned entries 3-125

Spanning Tree 3-125

STA 3-125

Information Displays STA values used for the bridge 3-126

Configuration Configures global bridge settings for STA and RSTP 3-129

Port Information Displays individual port settings for STA 3-132

Trunk Information Displays individual trunk settings for STA 3-132

Port Configuration Configures individual port settings for STA 3-135

Trunk Configuration Configures individual trunk settings for STA 3-135

MSTP 3-137

VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-137

Port Information Displays port settings for a specified MST instance 3-139

Trunk Information Displays trunk settings for a specified MST instance 3-139

Port Configuration Configures port settings for a specified MST instance 3-141

Trunk Configuration Configures trunk settings for a specified MST instance 3-141

VLAN 3-143

802.1Q VLAN 3-143

GVRP Status Enables GVRP on the switch 3-146

802.1Q Tunnel
Configuration

Enables 802.1Q (QinQ) Tunneling 3-158

Basic Information Displays information on the VLAN type supported by this switch 3-147

Current Table Shows the current port members of each VLAN and whether or

not the port is tagged or untagged

3-147

Static List Used to create or remove VLAN groups 3-149

Static Table Modifies the settings for an existing VLAN 3-150

Static Membership by Port Configures membership type for interfaces, including tagged,

untagged or forbidden

3-152

Table 3-2 Main Menu (Continued)

Menu Description Page

Configuring the Switch

3-8

3

www.digisol.com

Port Configuration Specifies default PVID and VLAN attributes 3-153

Trunk Configuration Specifies default trunk VID and VLAN attributes 3-153

Tunnel Port Configuration Adds an interface to a QinQ Tunnel 3-160

Tunnel Trunk Configuration Adds an interface to a QinQ Tunnel 3-160

Private VLAN 3-162

Information Displays Private VLAN feature information 3-162

Configuration This page is used to create/remove primary or community

VLANs

3-163

Association Each community VLAN must be associated with a primary VLAN 3-164

Port Information Shows VLAN port type, and associated primary or secondary

VLANs

3-165

Port Configuration Sets the private VLAN interface type, and associates the

interfaces with a private VLAN

3-166

Protocol VLAN 3-168

Configuration Configures protocol VLANs 3-168

System Configuration Configures protocol VLAN groups and associated protocol

VLANs

3-169

LLDP 3-170

Configuration Configures global LLDP timing parameters 3-170

Port Configuration Configures parameters for individual ports 3-172

Trunk Configuration Configures parameters for trunks 3-172

Local Information Displays LLDP information about the local device 3-175

Remote Port Information Displays LLDP information about a remote device connected to

a port on this switch

3-176

Remote Trunk Information Displays LLDP information about a remote device connected to

a trunk on this switch

3-176

Remote Information Details Displays detailed LLDP information about a remote device

connected to this switch

3-177

Device Statistics Displays LLDP statistics for all connected remote devices 3-178

Device Statistics Details Displays LLDP statistics for remote devices on a selected port or

trunk

3-180

Priority 3-180

Default Port Priority Sets the default priority for each port 3-181

Default Trunk Priority Sets the default priority for each trunk 3-181

Traffic Classes Maps IEEE 802.1p priority tags to output queues 3-182

Queue Mode Sets queue mode to strict, Weighted Round-Robin, or hybrid 3-184

Table 3-2 Main Menu (Continued)

Menu Description Page

DG-FS4526 User Manual

3-9

3

www.digisol.com

Queue Scheduling Configures Weighted Round Robin queueing 3-184

IP DSCP Priority Status Globally enables DSCP priority 3-186

IP DSCP Priority Sets IP Differentiated Services Code Point priority, mapping a

DSCP tag to a class-of-service queue

3-187

IP Port Priority Status Globally enables IP port priority 3-188

IP Port Priority Sets IP port priority, mapping TCP/UDP ports to class-of-service

queues

3-188

IP Precedence Priority Status Globally enables IP precedence priority 3-190

IP Precedence Priority Sets IP precedence priority, mapping IP precedence values to

class-of-service queues

3-190

IP TOS Priority Status Globally enables IP ToS priority 3-192

IP TOS Priority Sets IP ToS priority, mapping IP ToS values to class-of-service

queues

3-192

ACL CoS Priority Sets ACL priority, mapping IP and MAC ACLs to class-of-service

queues

3-194

QoS 3-195

DiffServ 3-195

Class Map Sets Class Maps 3-196

Policy Map Sets Policy Maps 3-198

Service Policy Defines service policy settings for ports 3-201

VoIP 3-202

Configuration Sets a Voice VLAN ID and enables VoIP traffic detection 3-202

Port Configuration Configures port VoIP traffic mode, security, and priority 3-203

OUI Configuration Configures VoIP device OUI identification 3-205

IGMP Snooping 3-207

IGMP Configuration Enables multicast filtering; configures parameters for multicast

query

3-208

IGMP Filter Configuration Configures IGMP filtering 3-216

IGMP Immediate Leave Enables the immediate leave function 3-210

Multicast Router
Port Information

Displays the ports that are attached to a neighboring multicast
router for each VLAN ID

3-211

Static Multicast Router Port
Configuration

Assigns ports that are attached to a neighboring multicast router 3-212

IP Multicast Registration
Table

Displays all multicast groups active on this switch, including
multicast IP addresses and VLAN ID

3-213

IGMP Member Port Table Indicates multicast addresses associated with the selected

VLAN

3-214

Table 3-2 Main Menu (Continued)

Menu Description Page

Configuring the Switch

3-10

3

www.digisol.com

IGMP Filter Profile
Configuration

Configures IGMP Filter Profiles 3-216

IGMP Filter/Throttling Port
Configuration

Configures IGMP Filtering and Throttling for ports 3-218

IGMP Filter/Throttling Trunk
Configuration

Configures IGMP Filtering and Throttling for trunks 3-218

MVR 3-220

Configuration Globally enables MVR, sets the MVR VLAN, adds multicast

stream addresses

3-221

Port Information Displays MVR interface type, MVR operational and activity

status, and immediate leave status

3-222

Trunk Information Displays MVR interface type, MVR operational and activity

status, and immediate leave status

3-222

Group IP Information Displays the ports attached to an MVR multicast stream 3-223

Port Configuration Configures MVR interface type and immediate leave status 3-224

Trunk Configuration Configures MVR interface type and immediate leave status 3-224

Group Member Configuration Statically assigns MVR multicast streams to an interface 3-226

DHCP Snooping 3-227

Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address

Verification

3-228

VLAN Configuration Enables DHCP Snooping for a VLAN 3-228

Information Option
Configuration

Enables DHCP Snooping Information Option 3-229

Port Configuration Selects the DHCP Snooping Information Option policy 3-230

Binding Information Displays the DHCP Snooping binding information 3-231

IP Source Guard 3-231

Port Configuration Enables IP source guard and selects filter type per port 3-231

Static Configuration Adds a static addresses to the source-guard binding table 3-232

Dynamic Information Displays the source-guard binding table for a selected interface 3-233

Cluster 3-234

Configuration Globally enables clustering for the switch 3-235

Member Configuration Adds switch Members to the cluster 3-236

Member Information Displays cluster Member switch information 3-237

Candidate Information Displays network Candidate switch information 3-238

UPNP 3-239

Configuration Enables UPNP and defines timeout values 3-239

Table 3-2 Main Menu (Continued)

Menu Description Page

DG-FS4526 User Manual

3-11

3

www.digisol.com

Basic Configuration

Displaying System Information

You can easily identify the system by displaying the device name, location and
contact information.

Field Attributes

• System Name – Name assigned to the switch system.

• Object ID – MIB II object ID for switch’s network management subsystem.

• Location – Specifies the system location.

• Contact – Administrator responsible for the system.

• System Up Time – Length of time the management agent has been up.

These additional parameters are displayed for the CLI.

• MAC Address – The physical layer address for this switch.

• Web server – Shows if management access via HTTP is enabled.

• Web server port – Shows the TCP port number used by the web interface.

• Web secure server – Shows if management access via HTTPS is enabled.

• Web secure server port – Shows the TCP port used by the HTTPS interface.

• Telnet server – Shows if management access via Telnet is enabled.

• Telnet port – Shows the TCP port used by the Telnet interface.

• Jumbo Frame – Shows if jumbo frames are enabled.

• POST result – Shows results of the power-on self-test.

Web – Click System, System Information. Specify the system name, location, and
contact information for the system administrator, then click Apply. (This page also
includes a Telnet button that allows access to the Command Line Interface via Telnet.)

Figure 3-3 System Information

Configuring the Switch

3-12

3

www.digisol.com

CLI – Specify the hostname, location and contact information.

Displaying Switch Hardware/Software Versions

Use the Switch Information page to display hardware/firmware version numbers for
the main board and management software, as well as the power status of the system.

Field Attributes

Main Board

• Serial Number – The serial number of the switch.

• Number of Ports – Number of built-in RJ-45 ports.

• Hardware Version – Hardware version of the main board.

• Internal Power Status – Displays the status of the internal power supply.

Management Software

• EPLD Version – Version number of the Electronically Programmable Logic Device
code.

• Loader Version – Version number of loader code.

• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.

• Operation Code Version – Version number of runtime code.

• Role – Shows that this switch is operating as Master or Slave.

Console(config)#hostname R&D 5 4-25
Console(config)#snmp-server location WC 9 4-136
Console(config)#snmp-server contact Ted 4-136
Console(config)#exit
Console#show system 4-70
System Description: 24 Port 10/100Mbps Layer 2 Switch with 2 Gigabit
Combo Ports
System OID String: 1.3.6.1.4.1.36293.1.1.1.3
System Information
System Up Time: 0 days, 0 hours, 57 minutes, and 56.69 seconds
System Name: R&D 5
System Location: WC 9
System Contact: Ted
MAC Address (Unit1): 00-17-7C-0A-C9-F1
Web Server: Enabled
Web Server Port: 80
Web Secure Server: Enabled
Web Secure Server Port: 443
Telnet Server: Enable
Telnet Server Port: 23
Jumbo Frame: Disabled

POST Result:

9yMMY Test 1 ................. PASS

UART Loopback Test ........... PASS

DRAM Test .................... PASS

Switch Int Loopback Test ..... PASS

Done All Pass.
Console#

DG-FS4526 User Manual

3-13

3

www.digisol.com

Web – Click System, Switch Information.

Figure 3-4 Switch Information

CLI – Use the following command to display version information.

Console#show version 4-71
Serial Number: A830023620
Service Tag:
Hardware Version: R01
EPLD Version: 0.00
Number of Ports: 26
Main Power Status: Up
Loader Version: 1.0.0.2
Boot ROM Version: 1.0.0.5
Operation Code Version: 1.1.0.5

Console#

Configuring the Switch

3-14

3

www.digisol.com

Displaying Bridge Extension Capabilities

The Bridge MIB includes extensions for managed devices that support Multicast
Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to
display default settings for the key variables.

Field Attributes

• Extended Multicast Filtering Services – This switch does not support the filtering
of individual multicast addresses based on GMRP (GARP Multicast Registration
Protocol).

• Traffic Classes – This switch provides mapping of user priorities to multiple traffic
classes. (Refer to “Class of Service Configuration” on page 3-180.)

• Static Entry Individual Port – This switch allows static filtering for unicast and
multicast addresses. (Refer to “Setting Static Addresses” on page 3-122.)

• VLAN Learning – This switch uses Shared VLAN Learning (SVL), where all
VLANs share the same address table.

• Configurable PVID Tagging – This switch allows you to override the default Port
VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or
Untagged) on each port. (Refer to “VLAN Configuration” on page 3-143.)

• Local VLAN Capable – This switch does not support multiple local bridges outside
of the scope of 802.1Q defined VLANs.

• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to
register endstations with multicast groups. This switch does not support GMRP; it
uses the Internet Group Management Protocol (IGMP) to provide automatic
multicast filtering.

Web – Click System, Bridge Extension Configuration.

Figure 3-5 Bridge Extension Configuration

DG-FS4526 User Manual

3-15

3

www.digisol.com

CLI – Enter the following command.

Setting the Switch’s IP Address

This section describes how to configure an IP interface for management access
over the network. The IP address for the stack is obtained via DHCP by default. To
manually configure an address, you need to change the switch’s default settings
(IP address 192.168.1.1 and netmask 255.255.255.0) to values that are compatible
with your network. You may also need to a establish a default gateway between the
stack and management stations that exist on another network segment.

You can manually configure a specific IP address, or direct the device to obtain an
address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal
numbers, 0 to 255, separated by periods. Anything outside this format will not be
accepted by the CLI program.

Command Attributes

• Management VLAN – ID of the configured VLAN (1-4094, no leading zeroes). By

default, all ports on the switch are members of VLAN 1. However, the management
station can be attached to a port belonging to any VLAN, as long as that VLAN has
been assigned an IP address.

• IP Address Mode – Specifies whether IP functionality is enabled via manual

configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot
Protocol (BOOTP). If DHCP/BOOTP is enabled, IP will not function until a reply has
been received from the server. Requests will be broadcast periodically by the
switch for an IP address. (DHCP/BOOTP values can include the IP address,
subnet mask, and default gateway.)

• IP Address – Address of the VLAN interface that is allowed management access.

Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
(Default: 0.0.0.0)

• Subnet Mask – This mask identifies the host address bits used for routing to

specific subnets. (Default: 255.0.0.0)

• Gateway IP address – IP address of the gateway router between this device and

management stations that exist on other network segments. (Default: 0.0.0.0)

• MAC Address – The physical layer address for this switch.

• Restart DHCP – Requests a new IP address from the DHCP server.

Console#show bridge-ext 4-221
Max Support VLAN Numbers: 256
Max Support VLAN ID: 4094
Extended Multicast Filtering Services: No
Static Entry Individual Port: Yes
VLAN Learning: IVL
Configurable PVID Tagging: Yes
Local VLAN Capable: No
Traffic Classes: Enabled
Global GVRP Status: Disabled
GMRP: Disabled
Console#

Configuring the Switch

3-16

3

www.digisol.com

Manual Configuration

Web – Click System, IP Configuration. Select the VLAN through which the
management station is attached, set the IP Address Mode to “Static,” enter the IP
address, subnet mask and gateway, then click Apply.

Figure 3-6 Manual IP Configuration

CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1 4-150
Console(config-if)#ip address 192.168.1.1 255.255.255.0 4-298
Console(config-if)#exit
Console(config)#ip default-gateway 0.0.0.0 4-299
Console(config)#

DG-FS4526 User Manual

3-17

3

www.digisol.com

Using DHCP/BOOTP

If your network provides DHCP/BOOTP services, you can configure the switch to be
dynamically configured by these services.

Web – Click System, IP Configuration. Specify the VLAN to which the management
station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to
save your changes. Then click Restart DHCP to immediately request a new
address. Note that the switch will also broadcast a request for IP configuration
settings on each power reset.

Figure 3-7 DHCP IP Configuration

Note:

If you lose your management connection, use a console connection and enter
“show ip interface” to determine the new switch address.

CLI – Specify the management interface, and set the IP address mode to DHCP or
BOOTP, and then enter the “ip dhcp restart” command.

Renewing DCHP – DHCP may lease addresses to clients indefinitely or for a
specific period of time. If the address expires or the switch is moved to another
network segment, you will lose management access to the switch. In this case, you
can reboot the switch or submit a client request to restart DHCP service via the CLI.

Web – If the address assigned by DHCP is no longer functioning, you will not be
able to renew the IP settings via the web interface. You can only restart DHCP
service via the web interface if the current address is still available.

Console#config
Console(config)#interface vlan 1 4-150
Console(config-if)#ip address dhcp 4-298
Console(config-if)#end
Console#ip dhcp restart 4-300
Console#show ip interface 4-300
IP address and netmask: 192.168.1.1 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#

Configuring the Switch

3-18

3

www.digisol.com

CLI – Enter the following command to restart DHCP service.

Enabling Jumbo Frames

You can enable jumbo frames to support data packets up to 9000 bytes in size.

Command Attributes

• Jumbo Packet Status – Check the box to enable jumbo frames.

Web – Click System, Jumbo Frames.

Figure 3-8 Jumbo Frames Configuration

CLI – Enter the following command.

Managing Firmware

You can upload/download firmware to or from a TFTP server, or copy files to and
from switch units in a stack. By saving runtime code to a file on a TFTP server, that
file can later be downloaded to the switch to restore operation. You can also set the
switch to use new firmware without overwriting the previous version. You must
specify the method of file transfer, along with the file type and file names as required.

Command Attributes

• File Transfer Method – The firmware copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to tftp – Copies a file from the switch to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify opcode (operational code) to copy firmware.

• File Name –

The file name should not contain slashes (\ or /),

the leading letter of
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 characters or 31 characters for files on the switch.
(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Console#ip dhcp restart 4-300
Console#

Console#config
Console(config)#jumbo frame
Console(config)#

DG-FS4526 User Manual

3-19

3

www.digisol.com

Note:

Up to two copies of the system software (i.e., the runtime firmware) can be stored
in the file directory on the switch. The currently designated startup version of this
file cannot be deleted.

Downloading System Software from a Server

When downloading runtime code, you can specify the destination file name to
replace the current image, or first download the file using a different name from the
current runtime code file, and then set the new file as the startup file.

Web –Click System, File Management, Copy Operation. Select “tftp to file” as the file
transfer method, enter the IP address of the TFTP server, set the file type to
“opcode,” enter the file name of the software to download, select a file on the switch
to overwrite or specify a new file name, then click Apply. If you replaced the current
firmware used for startup and want to start using the new operation code, reboot the
system via the System/Reset menu.

Figure 3-9 Copy Firmware

If you download to a new destination file, go to the System/File/Set Start-Up menu,
mark the operation code file used at startup, and click Apply. To start the new
firmware, reboot the system via the System/Reset menu.

Figure 3-10 Setting the Startup Code

Configuring the Switch

3-20

3

www.digisol.com

To delete a file select System, File, Delete. Select the file name from the given list by
checking the tick box and click Apply. Note that t

he file currently designated as the

startup code cannot be deleted.

Figure 3-11 Deleting Files

CLI – To download new firmware form a TFTP server, enter the IP address of the
TFTP server, select “opcode” as the file type, then enter the source and destination
file names. When the file has finished downloading, set the new file to start up the
system, and then restart the switch.

To start the new firmware, enter the “reload” command or reboot the system.

Saving or Restoring Configuration Settings

You can upload/download configuration settings to/from a TFTP server. The
configuration files can be later downloaded to restore the switch’s settings.

Command Attributes

• File Transfer Method – The configuration copy operation includes these options:

- file to file – Copies a file within the switch directory, assigning it a new name.

- file to running-config – Copies a file in the switch to the running configuration.

- file to startup-config – Copies a file in the switch to the startup configuration.

- file to tftp – Copies a file from the switch to a TFTP server.

- running-config to file – Copies the running configuration to a file.

- running-config to startup-config – Copies the running config to the startup config.

- running-config to tftp – Copies the running configuration to a TFTP server.

- startup-config to file – Copies the startup configuration to a file on the switch.

Console#copy tftp file 4-73
TFTP server ip address: 192.168.1.23
Choose file type:

1. config: 2. opcode: <1-2>: 2
Source file name: V1.0.1.4.bix
Destination file name: V1014.F
\Write to FLASH Programming.

-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode:V1014.F 4-77
Console(config)#exit
Console#reload 4-22

DG-FS4526 User Manual

3-21

3

www.digisol.com

- startup-config to running-config – Copies the startup config to the running config.

- startup-config to tftp – Copies the startup configuration to a TFTP server.

- tftp to file – Copies a file from a TFTP server to the switch.

- tftp to running-config – Copies a file from a TFTP server to the running config.

- tftp to startup-config – Copies a file from a TFTP server to the startup config.

• TFTP Server IP Address – The IP address of a TFTP server.

• File Type – Specify config (configuration) to copy configuration settings.

•

File Name

— The file name should not contain slashes (\ or /),

the leading letter of
the file name should not be a period (.), and the maximum length for file names on
the TFTP server is 127 characters or 31 characters for files on the switch. (Valid
characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Note:

The maximum number of user-defined configuration files is limited only by
available flash memory space.

Downloading Configuration Settings from a Server

You can download the configuration file under a new file name and then set it as the
startup file, or you can specify the current startup configuration file as the destination
file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be
copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File, Copy Operation. Select “tftp to startup-config” or “tftp to
file” and enter the IP address of the TFTP server. Specify the name of the file to
download and select a file on the switch to overwrite or specify a new file name, then
click Apply.

Figure 3-12 Downloading Configuration Settings for Startup

If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file
is automatically set as the start-up configuration file. To use the new settings, reboot
the system via the System/Reset menu.

Configuring the Switch

3-22

3

www.digisol.com

Note:

You can also select any configuration file as the start-up configuration by using the
System/File/Set Start-Up page.

Figure 3-13 Setting the Startup Configuration Settings

CLI – Enter the IP address of the TFTP server, specify the source file on the server,
set the startup file name on the switch, and then restart the switch.

To select another configuration file as the start-up configuration, use the boot
system command and then restart the switch.

Console Port Settings

You can access the onboard configuration program by attaching a VT100
compatible device to the switch’s serial console port. Management access through
the console port is controlled by various parameters, including a password, timeouts,
and basic communication settings. These parameters can be configured via the web
or CLI interface.

Command Attributes

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 0 seconds)

Console#copy tftp startup-config 4-73
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.

-Write to FLASH finish.
Success.

Console#reload

Console#config
Console(config)#boot system config: startup-new 4-77
Console(config)#exit
Console#reload 4-22

DG-FS4526 User Manual

3-23

3

www.digisol.com

• Exec Timeout – Sets the interval that the system waits until user input is detected.

If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the

number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Silent Time – Sets the amount of time the management console is inaccessible

after the number of unsuccessful logon attempts has been exceeded.
(Range: 0-65535; Default: 0)

• Data Bits – Sets the number of data bits per character that are interpreted and

generated by the console port. If parity is being generated, specify 7 data bits per
character. If no parity is required, specify 8 data bits per character. (Default: 8 bits)

• Parity – Defines the generation of a parity bit. Communication protocols provided

by some terminals can require a specific parity bit setting. Specify Even, Odd, or
None. (Default: None)

• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive

(from terminal). Set the speed to match the baud rate of the device connected to
the serial port. (Range: 9600, 19200, 38400 baud, or Auto; Default: Auto)

• Stop Bits – Sets the number of the stop bits transmitted per byte.

(Range: 1-2; Default: 1 stop bit)

• Password

1

– Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt.
(Default: No password)

• Login1 – Enables password checking at login. You can select authentication by a
single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Console. Specify the console port connection parameters
as required, then click Apply.

1. CLI only.

Configuring the Switch

3-24

3

www.digisol.com

Figure 3-14 Console Port Settings

CLI – Enter Line Configuration mode for the console, then specify the connection
parameters as required. To display the current console port settings, use the show
line command from the Normal Exec level.

Console(config)#line console 4-11
Console(config-line)#login local 4-11
Console(config-line)#password 0 secret 4-12
Console(config-line)#timeout login response 0 4-13
Console(config-line)#exec-timeout 0 4-13
Console(config-line)#password-thresh 3 4-14
Console(config-line)#silent-time 60 4-15
Console(config-line)#databits 8 4-15
Console(config-line)#parity none 4-16
Console(config-line)#speed 19200 4-17
Console(config-line)#stopbits 1 4-17
Console(config-line)#end
Console#show line 4-18
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: 60
Baudrate: 19200
Databits: 8
Parity: none
Stopbits: 1

VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

DG-FS4526 User Manual

3-25

3

www.digisol.com

Telnet Settings

You can access the onboard configuration program over the network using Telnet
(i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and
other various parameters set, including the TCP port number, timeouts, and a
password. These parameters can be configured via the web or CLI interface.

Command Attributes

• Telnet Status – Enables or disables Telnet access to the switch.

(Default: Enabled)

• Telnet Port Number – Sets the TCP port number for Telnet on the switch.
(Default: 23)

• Login Timeout – Sets the interval that the system waits for a user to log into the
CLI. If a login attempt is not detected within the timeout interval, the connection is
terminated for the session. (Range: 0-300 seconds; Default: 300 seconds)

• Exec Timeout – Sets the interval that the system waits until user input is detected.
If user input is not detected within the timeout interval, the current session is
terminated. (Range: 0-65535 seconds; Default: 600 seconds)

• Password Threshold – Sets the password intrusion threshold, which limits the
number of failed logon attempts. When the logon attempt threshold is reached, the
system interface becomes silent for a specified amount of time (set by the Silent
Time parameter) before allowing the next logon attempt.
(Range: 0-120; Default: 3 attempts)

• Password

2

– Specifies a password for the line connection. When a connection is
started on a line with password protection, the system prompts for the password.
If you enter the correct password, the system shows a prompt. (Default: No
password)

• Login

2

– Enables password checking at login. You can select authentication by a

single global password as configured for the Password parameter, or by
passwords set up for specific user-name accounts. (Default: Local)

2. CLI only.

Configuring the Switch

3-26

3

www.digisol.com

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet
access, then click Apply.

Figure 3-15 Enabling Telnet

CLI – Enter Line Configuration mode for a virtual terminal, then specify the
connection parameters as required. To display the current virtual terminal settings,
use the show line command from the Normal Exec level.

Console(config)#line vty 4-11
Console(config-line)#login local 4-11
Console(config-line)#password 0 secret 4-12
Console(config-line)#timeout login response 300 4-13
Console(config-line)#exec-timeout 600 4-13
Console(config-line)#password-thresh 3 4-14
Console(config-line)#end
Console#show line 4-18
Console configuration:
Password threshold: 3 times
Interactive timeout: Disabled
Login timeout: Disabled
Silent time: Disabled
Baudrate: 9600
Databits: 8
Parity: none
Stopbits: 1

VTY configuration:
Password threshold: 3 times
Interactive timeout: 600 sec
Login timeout: 300 sec
Console#

DG-FS4526 User Manual

3-27

3

www.digisol.com

Configuring Event Logging

The switch allows you to control the logging of error messages, including the type of
events that are recorded in switch memory, logging to a remote System Log (syslog)
server, and displays a list of recent event messages.

Displaying Log Messages

The Logs page allows you to scroll through the logged system and event messages.
The switch can store up to 2048 log entries in temporary random access memory
(RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent
flash memory.

Web – Click System, Log, Logs.

Figure 3-16 Displaying Logs

CLI – This example shows the event message stored in RAM.

System Log Configuration

The system allows you to enable or disable event logging, and specify which levels
are logged to RAM or flash memory.

Severe error messages that are logged to flash memory are permanently stored in
the switch to assist in troubleshooting network problems. Up to 4096 log entries can
be stored in the flash memory, with the oldest entries being overwritten first when the
available log memory (256 kilobytes) has been exceeded.

The System Logs page allows you to configure and limit system messages that are
logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to
flash and levels 0 to 6 to be logged to RAM.

Console#show log ram 4-56
[1] 00:00:27 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:00:25 2001-01-01
"System coldStart notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#

Configuring the Switch

3-28

3

www.digisol.com

Command Attributes

• System Log Status – Enables/disables the logging of debug or error messages to
the logging process. (Default: Enabled)

• Flash Level – Limits log messages saved to the switch’s permanent flash memory
for all levels up to the specified level. For example, if level 3 is specified, all
messages from level 0 to level 3 will be logged to flash. (Range: 0-7, Default: 3)

• RAM Level – Limits log messages saved to the switch’s temporary RAM memory
for all levels up to the specified level. For example, if level 7 is specified, all
messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 6)

Note:

The Flash Level must be equal to or less than the RAM Level.

Web – Click System, Log, System Logs. Specify System Log Status,

set the level of

event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-17 System Logs

Table 3-3 Logging Levels

Level Severity Name Description

7 Debug Debugging messages

6 Informational Informational messages only

5 Notice Normal but significant condition, such as cold start

4 Warning Warning conditions (e.g., return false, unexpected return)

3 Error Error conditions (e.g., invalid input, default used)

2 Critical Critical conditions (e.g., memory allocation, or free memory

error - resource exhausted)

1 Alert Immediate action needed

0 Emergency System unusable

* There are only Level 2, 5 and 6 error messages for the current firmware release.

DG-FS4526 User Manual

3-29

3

www.digisol.com

CLI – Enable system logging and then specify the level of messages to be logged to
RAM and flash memory. Use the show logging command to display the current
settings.

Remote Log Configuration

The Remote Logs page allows you to configure the logging of messages that are
sent to syslog servers or other management stations. You can also limit the error
messages sent to only those messages below a specified level.

Command Attributes

• Remote Log Status – Enables/disables the logging of debug or error messages

to the remote logging process. (Default: Enabled)

• Logging Facility – Sets the facility type for remote logging of syslog messages.

There are eight facility types specified by values of 16 to 23. The facility type is
used by the syslog server to dispatch log messages to an appropriate service.

The attribute specifies the facility type tag sent in syslog messages. (See RFC

3164.) This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to process messages, such as
sorting or storing messages in the corresponding database. (Range: 16-23,
Default: 23)

• Logging Trap – Limits log messages that are sent to the remote syslog server for

all levels up to the specified level. For example, if level 3 is specified, all messages
from level 0 to level 3 will be sent to the remote server. (Range: 0-7, Default: 6)

• Host IP List – Displays the list of remote server IP addresses that receive the

syslog messages. The maximum number of host IP addresses allowed is five.

• Host IP Address – Specifies a new server IP address to add to the Host IP List.

Console(config)#logging on 4-52
Console(config)#logging history ram 0 4-53
Console(config)#end
Console#show logging flash 4-56
Syslog logging: Enabled
History logging in FLASH: level emergencies
Console#

Configuring the Switch

3-30

3

www.digisol.com

Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List,
type the new IP address in the Host IP Address box, and then click Add. To delete
an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-18 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the
logging trap.

Simple Mail Transfer Protocol

SMTP (Simple Mail Transfer Protocol) is used to send email messages between
servers. The messages can be retrieved using POP or IMAP clients.

Command Attributes

• Admin Status – Enables/disables the SMTP function. (Default: Enabled)

• Email Source Address – This command specifies SMTP servers email addresses
that can send alert messages.

Console(config)#logging host 192.168.1.15 4-54
Console(config)#logging facility 23 4-54
Console(config)#logging trap 4 4-55
Console(config)#end
Console#show logging trap 4-55
Syslog logging: Enabled
REMOTELOG status: Enabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 192.168.1.15
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
REMOTELOG server ip address: 0.0.0.0
Console#

DG-FS4526 User Manual

3-31

3

www.digisol.com

• Severity – Specifies the degree of urgency that the message carries.

• Debugging – Sends a debugging notification. (Level 7)

• Information – Sends informatative notification only. (Level 6)

• Notice – Sends notification of a normal but significant condition, such as a cold
start. (Level 5)

• Warning – Sends notification of a warning condition such as return false, or
unexpected return. (Level 4)

• Error – Sends notification that an error conditions has occurred, such as invalid
input, or default used. (Level 3)

• Critical – Sends notification that a critical condition has occurred, such as
memory allocation, or free memory error - resource exhausted. (Level 2)

• Alert – Sends urgent notification that immediate action must be taken. (Level 1)

• Emergency – Sends an emergency notification that the system is now unusable.
(Level 0)

• SMTP Server List – Specifies a list of recipient SMTP servers.

• SMTP Server – Specifies a new SMTP server address to add to the SMTP Server
List.

• Email Destination Address List – Specifies a list of recipient Email Destination
Address.

• Email Destination Address – This command specifies SMTP servers that may
receive alert messages.

Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type
the new IP address in the Server IP Address box, and then click Add. To delete an IP
address, click the entry in the Server IP List, and then click Remove.

Figure 3-19 Enabling and Configuring SMTP

Configuring the Switch

3-32

3

www.digisol.com

CLI – Enter the host ip address, followed by the mail severity level, source and
destination email addresses and enter the sendmail command to complete the
action. Use the show logging command to display SMTP information.

Resetting the System

Web – Click System, Reset. Click the Reset button to reboot the switch. When
prompted, confirm that you want reset the switch.

Figure 3-20 Resetting the System

CLI – Use the reload command to restart the switch. When prompted, confirm that
you want to reset the switch.

Note:

When restarting the system, it will always run the Power-On Self-Test.

Console(config)#logging sendmail host 192.168.1.19
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email
bill@this-company.com
Console(config)#logging sendmail destination-email
ted@this-company.com
Console(config)#logging sendmail
Console#

Console#reload 4-22
System will be restarted, continue <y/n>? y

DG-FS4526 User Manual

3-33

3

www.digisol.com

Setting the System Clock

Simple Network Time Protocol (SNTP) allows the switch to set its internal clock
based on periodic updates from a time server (SNTP or NTP). Maintaining an
accurate time on the switch enables the system log to record meaningful dates and
times for event entries. You can also set the clock manually (see “Setting the Time
Manually” on page 3-34). If the clock is not set, the switch will only record the time
from the factory default set at the last bootup.

When the SNTP client is enabled, the switch periodically sends a request for a time
update to a configured time server. You can configure up to three time server IP
addresses. The switch will attempt to poll each server in the configured sequence.

Configuring SNTP

You can configure the switch to send time synchronization requests to time servers.

Command Attributes

• SNTP Client – Configures the switch to operate as an SNTP client. This requires
at least one time server to be specified in the SNTP Server field. (Default: Disabled)

• SNTP Poll Interval – Sets the interval between sending requests for a time update
from a time server. (Range: 16-16384 seconds; Default: 16 seconds)

• SNTP Server – Sets the IP address for up to three time servers. The switch
attempts to update the time from the first server, if this fails it attempts an update
from the next server in the sequence.

Web – Select SNTP, Configuration. Modify any of the required parameters, and click
Apply.

Figure 3-21 SNTP Configuration

CLI – This example configures the switch to operate as an SNTP unicast client and
then displays the current time and settings.

Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-63
Console(config)#sntp poll 60 4-64
Console(config)#sntp client 4-62
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.2
Console#

Configuring the Switch

3-34

3

www.digisol.com

Setting the Time Zone

SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time,
or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To
display a time corresponding to your local time, you must indicate the number of
hours and minutes your time zone is east (before) or west (after) of UTC.

Command Attributes

• Current Time – Displays the current time.

• Name – Assigns a name to the time zone. (Range: 1-29 characters)

• Hours (0-12) – The number of hours before/after UTC.

• Minutes (0-59) – The number of minutes before/after UTC.

• Direction – Configures the time zone to be before (east) or after (west) UTC.

Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to
the UTC, and click Apply.

Figure 3-22 Setting the System Clock

CLI - This example shows how to set the time zone for the system clock.

Setting the Time Manually

You can set the system time on the switch manually without using SNTP.

Web – Select System, Calendar. Set the current date and time using the fields
provided. Click the Apply to start using the configured time.

Console(config)#clock timezone Atlantic hours 4 minute 0

before-UTC 4-65

Console(config)#

DG-FS4526 User Manual

3-35

3

www.digisol.com

Figure 3-23 Setting the Current Date and Time

CLI – This example sets the system clock time and then displays the current time
and date.

Simple Network Management Protocol

SNMP is a communication protocol designed specifically for managing devices on a
network. Equipment commonly managed with SNMP includes switches, routers and
host computers. SNMP is typically used to configure these devices for proper
operation in a network environment, as well as to monitor them to evaluate
performance or detect potential problems.

Managed devices supporting SNMP contain software, which runs locally on the
device and is referred to as an agent. A defined set of variables, known as managed
objects, is maintained by the SNMP agent and used to manage the device. These
objects are defined in a Management Information Base (MIB) that provides a
standard presentation of the information controlled by the agent. SNMP defines both
the format of the MIB specifications and the protocol used to access this information
over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
This agent continuously monitors the status of the switch hardware, as well as the
traffic passing through its ports. A network management station can access this
information using software such as HP OpenView. Access to the onboard agent
from clients using SNMP v1 and v2c is controlled by community strings. To
communicate with the switch, the management station must first submit a valid
community string for authentication.

Console#calendar set 17 46 00 october 18 2007 4-65
Console#show calendar 4-66
17:46:11 October 18 2007
Console#

Configuring the Switch

3-36

3

www.digisol.com

Access to the switch using from clients using SNMPv3 provides additional security
features that cover message integrity, authentication, and encryption; as well as
controlling user access to specific areas of the MIB tree.

The SNMPv3 security structure consists of security models, with each model having
it’s own security levels. There are three security models defined, SNMPv1,
SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a
security model and specified security levels. Each group also has a defined security
access to set of MIB objects for reading and writing, which are known as “views.”
The switch has a default view (all MIB objects) and default groups defined for
security models v1 and v2c. The following table shows the security models and
levels available and the system default settings.

Note:

The predefined default groups and view can be deleted from the system. You can
then define customized groups and views for the SNMP clients that require access.

Setting Community Access Strings

You may configure up to five community strings authorized for management access.
All community strings used for IP Trap Managers should be listed in this table. For
security reasons, you should consider removing the default strings.

Command Attributes

• SNMP Community Capability – Indicates that the switch supports up to five
community strings.

Table 3-4 SNMPv3 Security Models and Levels

Model Level Group Read View Write View Notify View Security

v1 noAuthNoPriv public

(read only)

defaultview none none Community string only

v1 noAuthNoPriv private

(read/write)

defaultview defaultview none Community string only

v1 noAuthNoPriv user defined user defined user defined user defined Community string only

v2c noAuthNoPriv public

(read only)

defaultview none none Community string only

v2c noAuthNoPriv private

(read/write)

defaultview defaultview none Community string only

v2c noAuthNoPriv user defined user defined user defined user defined Community string only

v3 noAuthNoPriv user defined user defined user defined user defined A user name match only

v3 AuthNoPriv user defined user defined user defined user defined Provides user

authentication via MD5 or
SHA algorithms

v3 AuthPriv user defined user defined user defined user defined Provides user

authentication via MD5 or
SHA algorithms and data
privacy using DES 56-bit
encryption

DG-FS4526 User Manual

3-37

3

www.digisol.com

• Community String – A community string that acts like a password and permits

access to the SNMP protocol.
Default strings: “public” (read-only), “private” (read/write)
Range: 1-32 characters, case sensitive

• Access Mode

- Read-Only – Specifies read-only access. Authorized management stations are
only able to retrieve MIB objects.

- Read/Write – Specifies read-write access. Authorized management stations are
able to both retrieve and modify MIB objects.

Web – Click SNMP, Configuration. Add new community strings as required, select
the access rights from the Access Mode drop-down list, then click Add.

Figure 3-24 Configuring SNMP Community Strings

CLI – The following example adds the string “spiderman” with read/write access.

Specifying Trap Managers and Trap Types

Traps indicating status changes are issued by the switch to specified trap managers.
You must specify trap managers so that key events are reported by this switch to
your management station (using network management platforms such as HP
OpenView). You can specify up to five management stations that will receive
authentication failure messages and other trap messages from the switch.

Command Attributes

• Trap Manager Capability – This switch supports up to five trap managers.

• Current – Displays a list of the trap managers currently configured.

• Trap Manager IP Address – IP address of the host (the targeted recipient).

• Trap Manager Community String – Community string sent with the notification
operation. (Range: 1-32 characters, case sensitive)

• Trap UDP Port – Sets the UDP port number. (Default: 162)

Console(config)#snmp-server community spiderman rw 4-135
Console(config)#

Configuring the Switch

3-38

3

www.digisol.com

• Trap Version – Specifies whether to send notifications as SNMP v1, v2c, or v3
traps. (The default is version 1.)

• Trap Security Level – Specifies the security level.

• Enable Authentication Traps – Issues a trap message whenever an invalid
community string is submitted during the SNMP access authentication process.
(Default: Enabled)

• Enable Link-up and Link-down Traps – Issues a trap message whenever a port
link is established or broken. (Default: Enabled)

Web – Click SNMP, Configuration. Fill in the IP address and community string for
each trap manager that will receive trap messages, and then click Add. Select the
trap types required using the check boxes for Authentication and Link-up/down
traps, and then click Apply.

Figure 3-25 Configuring IP Trap Managers

CLI – This example adds a trap manager and enables both authentication and
link-up, link-down traps.

Enabling SNMP Agent Status

Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).

Command Attributes

• SNMP Agent Status – Check the box to enable or disable the SNMP Agent.

Console(config)#snmp-server host 192.168.1.19 private version 2c 4-137
Console(config)#snmp-server enable traps 4-139

DG-FS4526 User Manual

3-39

3

www.digisol.com

Web – Click SNMP, Agent Status.

Figure 3-26 Enabling SNMP Agent Status

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. If you want to change the default engine ID, it must be changed first before

configuring other parameters.

2. Specify read and write access views for the switch MIB tree.

3. Configure SNMP user groups with the required security model (i.e., SNMP v1,

v2c or v3) and security level (i.e., authentication and privacy).

4. Assign SNMP users to groups, along with their specific authentication and

privacy passwords.

Setting the Local Engine ID

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This
engine protects against message replay, delay, and redirection. The engine ID is
also used in combination with user passwords to generate the security keys for
authenticating and encrypting SNMPv3 packets.

A local engine ID is automatically generated that is unique to the switch. This is
referred to as the default engine ID. If the local engine ID is deleted or changed, all
SNMP users will be cleared. You will need to reconfigure all existing users.

A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to
32 octets in hexadecimal format). If an odd number of characters are specified, a
trailing zero is added to the value to fill in the last octet. For example, entering the
value “123456789” sets the engine ID as “1234567890”.

Configuring the Switch

3-40

3

www.digisol.com

Web – Click SNMP, SNMPv3, Engine ID.

Figure 3-27 Setting an Engine ID

DG-FS4526 User Manual

3-41

3

www.digisol.com

Specifying a Remote Engine ID

To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host.

SNMP passwords are localized using the engine ID of the authoritative agent. For
informs, the authoritative SNMP agent is the remote agent. You therefore need to
configure the remote agent’s SNMP engine ID before you can send proxy requests
or informs to it.

The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32
octets in hexadecimal format). If an odd number of characters are specified, a
trailing zero is added to the value to fill in the last octet. For example, entering the
value “123456789” sets the engine ID as “1234567890”.

Web – Click SNMP, SNMPv3, Remote Engine ID.

Figure 3-28 Setting a Remote Engine ID

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and notify view.

Command Attributes

• User Name – The name of user connecting to the SNMP agent.

(Range: 1-32 characters)

• Group Name – The name of the SNMP group to which the user is assigned.

(Range: 1-32 characters)

• Model – The user security model; SNMP v1, v2c or v3.

• Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Authentication – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)

Configuring the Switch

3-42

3

www.digisol.com

• Authentication Password – A minimum of eight plain text characters is required.

• Privacy – The encryption algorithm use for data privacy; only 56-bit DES is
currently available.

• Actions – Enables the user to be assigned to another SNMPv3 group.

Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the
New User page, define a name and assign it to a group, then click Add to save the
configuration and return to the User Name list. To delete a user, check the box next
to the user name, then click Delete. To change the assigned group of a user, click
Change Group in the Actions column of the users table and select the new group.

Figure 3-29 Configuring SNMPv3 Users

DG-FS4526 User Manual

3-43

3

www.digisol.com

Configuring Remote SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a
specific security level and assigned to a group. The SNMPv3 group restricts users to
a specific read, write, and notify view.

To send inform messages to an SNMPv3 user on a remote device, you must first
specify the engine identifier for the SNMP agent on the remote device where the
user resides. The remote engine ID is used to compute the security digest for
authenticating and encrypting packets sent to a user on the remote host.

Command Attributes

• User Name – The name of user connecting to the SNMP agent.

(Range: 1-32 characters)

• Group Name – The name of the SNMP group to which the user is assigned.

(Range: 1-32 characters)

• Engine ID – The engine identifier for the SNMP agent on the remote device where

the remote user resides. Note that the remote engine identifier must be specified
before you configure a remote user. (See “Specifying a Remote Engine ID” on
page 44.)

• Model – The user security model; SNMP v1, v2c or v3.

• Level – The security level used for the user:

- noAuthNoPriv – There is no authentication or encryption used in SNMP
communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not
encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only
available for the SNMPv3 security model).

• Authentication – The method used for user authentication.
(Options: MD5, SHA; Default: MD5)

• Privacy – The encryption algorithm use for data privacy; only 56-bit DES is
currently available.

Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name.
In the New User page, define a name and assign it to a group, then click Add to save
the configuration and return to the User Name list. To delete a user, check the box
next to the user name, then click Delete.

Figure 3-30 Configuring Remote SNMPv3 Users

Configuring the Switch

3-44

3

www.digisol.com

Configuring SNMPv3 Groups

An SNMPv3 group sets the access policy for its assigned users, restricting them to
specific read, write, and notify views. You can use the pre-defined default groups or
create new groups to map a set of SNMP users to SNMP views.

Command Attributes

• Group Name – The name of the SNMP group to which the user is assigned.
(Range: 1-32 characters)

• Model – The user security model; SNMP v1, v2c or v3.

• Level – The security level used for the group:

- noAuthNoPriv – There is no authentication or encryption used in SNMP

communications. (This is the default for SNMPv3.)

- AuthNoPriv – SNMP communications use authentication, but the data is not

encrypted (only available for the SNMPv3 security model).

- AuthPriv – SNMP communications use both authentication and encryption (only

available for the SNMPv3 security model).

• Read View – The configured view for read access. (Range: 1-64 characters)

• Write View – The configured view for write access. (Range: 1-64 characters)

• Notify View – The configured view for notifications. (Range: 1-64 characters)

Table 3-5 Supported Notification Messages

Object Label Object ID Description

RFC 1493 Traps

newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending

agent has become the new root of the Spanning
Tree; the trap is sent by a bridge soon after its
election as the new root, e.g., upon expiration of
the Topology Change Timer immediately
subsequent to its election.

topologyChange 1.3.6.1.2.1.17.0.2 A topologyChange trap is sent by a bridge when

any of its configured ports transitions from the
Learning state to the Forwarding state, or from
the Forwarding state to the Discarding state.
The trap is not sent if a newRoot trap is sent for
the same transition.

SNMPv2 Traps

coldStart 1.3.6.1.6.3.1.1.5.1 A coldStart trap signifies that the SNMPv2

entity, acting in an agent role, is reinitializing
itself and that its configuration may have been
altered.

warmStart 1.3.6.1.6.3.1.1.5.2 A warmStart trap signifies that the SNMPv2

entity, acting in an agent role, is reinitializing
itself such that its configuration is unaltered.

DG-FS4526 User Manual

3-45

3

www.digisol.com

linkDown

a

1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity,
acting in an agent role, has detected that the
ifOperStatus object for one of its
communication links is about to enter the down
state from some other state (but not from the
notPresent state). This other state is indicated
by the included value of ifOperStatus.

linkUp 1.3.6.1.6.3.1.1.5.4 A linkUp trap signifies that the SNMP entity,

acting in an agent role, has detected that the
ifOperStatus object for one of its
communication links left the down state and
transitioned into some other state (but not into
the notPresent state). This other state is
indicated by the included value of ifOperStatus.

authenticationFailure 1.3.6.1.6.3.1.1.5.5 An authenticationFailure trap signifies that the

SNMPv2 entity, acting in an agent role, has
received a protocol message that is not
properly authenticated. While all
implementations of the SNMPv2 must be
capable of generating this trap, the
snmpEnableAuthenTraps object indicates
whether this trap will be generated.

RMON Events (V2)

risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an

alarm entry crosses its rising threshold and
generates an event that is configured for
sending SNMP traps.

fallingAlarm 1.3.6.1.2.1.16.0.2 The SNMP trap that is generated when an

alarm entry crosses its falling threshold and
generates an event that is configured for
sending SNMP traps.

Private Traps

swPowerStatus
ChangeTrap

1.3.6.1.4.1.36293.1.1.1.3.2.1.0.1 This trap is sent when the power state changes.

swIpFilterRejectTrap 1.3.6.1.4.1.36293.1.1.1.3.2.1.0.40This trap is sent when an incorrect IP address is

rejected by the IP Filter.

a. These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps
on the SNMP Configuration menu.

Table 3-5 Supported Notification Messages (Continued)

Object Label Object ID Description

Configuring the Switch

3-46

3

www.digisol.com

Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the
New Group page, define a name, assign a security model and level, and then select
read and write views. Click Add to save the new group and return to the Groups list.
To delete a group, check the box next to the group name, then click Delete.

Figure 3-31 Configuring SNMPv3 Groups

Setting SNMPv3 Views

SNMPv3 views are used to restrict user access to specified portions of the MIB tree.
The predefined view “defaultview” includes access to the entire MIB tree.

Command Attributes

• View Name – The name of the SNMP view. (Range: 1-64 characters)

• View OID Subtrees – Shows the currently configured object identifiers of branches
within the MIB tree that define the SNMP view.

• Edit OID Subtrees – Allows you to configure the object identifiers of branches
within the MIB tree. Wild cards can be used to mask a specific portion of the OID
string.

DG-FS4526 User Manual

3-47

3

www.digisol.com

• Type – Indicates if the object identifier of a branch within the MIB tree is included

or excluded from the SNMP view.

Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New
View page, define a name and specify OID subtrees in the switch MIB to be included
or excluded in the view. Click Back to save the new view and return to the SNMPv3
Views list. For a specific view, click on View OID Subtrees to display the current
configuration, or click on Edit OID Subtrees to make changes to the view settings. To
delete a view, check the box next to the view name, then click Delete.

Figure 3-32 Configuring SNMPv3 Views

Configuring the Switch

3-48

3

www.digisol.com

User Authentication

You can restrict management access to this switch using the following options:

• User Accounts – Manually configure access rights on the switch for specified users.

• Authentication Settings – Use remote authentication to configure access rights.

• HTTPS Settings – Provide a secure web connection.

• SSH Settings – Provide a secure shell (for secure Telnet access).

• Port Security – Configure secure addresses for individual ports.

• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.

• IP Filter – Filters management access to the web, SNMP or Telnet interface.

Configuring User Accounts

The guest only has read access for most configuration parameters. However, the
administrator has write access for all parameters governing the onboard agent. You
should therefore assign a new administrator password as soon as possible, and
store it in a safe place.

The default guest name is “guest” with the password “guest.” The default
administrator name is “admin” with the password “admin.”

Command Attributes

• Account List – Displays the current list of user accounts and associated access
levels. (Defaults: admin, and guest)

• New Account – Displays configuration settings for a new account.

- User Name – The name of the user.

(Maximum length: 8 characters; maximum number of users: 16)

- Access Level – Specifies the user level.

(Options: Normal and Privileged)

- Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

• Change Password – Sets a new password for the specified user name.

• Add/Remove – Adds or removes an account from the list.

DG-FS4526 User Manual

3-49

3

www.digisol.com

Web – Click Security, User Accounts. To configure a new user account, specify a
user name, select the user’s access level, then enter a password and confirm it.
Click Add to save the new user account and add it to the Account List. To change the
password for a specific user, enter the user name and new password, confirm the
password by entering it again, then click Apply.

Figure 3-33 Access Levels

CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the
password.

Console(config)#username bob access-level 15 4-35
Console(config)#username bob password 0 smith
Console(config)#

Configuring the Switch

3-50

3

www.digisol.com

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict management access based on
specified user names and passwords. You can manually configure access rights on
the switch, or you can use a remote access authentication server based on RADIUS
or TACACS+ protocols.

Remote Authentication Dial-in
User Service (RADIUS) and
Terminal Access Controller
Access Control System Plus
(TACACS+) are logon
authentication protocols that
use software running on a
central server to control
access to RADIUS-aware or
TACACS-aware devices on the
network. An authentication
server contains a database of
multiple user name/password pairs with associated privilege levels for each user
that requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts
only the password in the access-request packet from the client to the server, while
TACACS+ encrypts the entire body of the packet.

Command Usage

• By default, management access is always checked against the authentication
database stored on the local switch. If a remote authentication server is used, you
must specify the authentication sequence and the corresponding parameters for
the remote authentication protocol. Local and remote logon authentication control
management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for
each user name/password pair. The user name, password, and privilege level
must be configured on the authentication server.

• You can specify up to three authentication methods for any user to indicate the
authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and
(3) Local, the user name and password on the RADIUS server is verified first. If the
RADIUS server is not available, then authentication is attempted using the
TACACS+ server, and finally the local user name and password is checked.

Web
Telnet

RADIUS/
TACACS+
server

console

1. Client attempts management access.

2. Switch contacts authentication server.

3. Authentication server challenges client.

4. Client responds with proper password or key.

5. Authentication server approves access.

6. Switch grants management access.

DG-FS4526 User Manual

3-51

3

www.digisol.com

Command Attributes

• Authentication – Select the authentication, or authentication sequence required:

- Local – User authentication is performed only locally by the switch.

- Radius – User authentication is performed using a RADIUS server only.

- TACACS – User authentication is performed using a TACACS+ server only.

- [authentication sequence] – User authentication is performed by up to three
authentication methods in the indicated sequence.

• RADIUS Settings

- Global – Provides globally applicable RADIUS settings.

- ServerIndex – Specifies one of five RADIUS servers that may be configured.
The switch attempts authentication using the listed sequence of servers. The
process ends when a server either approves or denies access to a user.

- Server IP Address – Address of the RADIUS server.

- Server Port Number – Network (UDP) port of authentication server used for
authentication messages. (Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 48 characters)

- Number of Server Transmits – Number of times the switch tries to authenticate
logon access via the authentication server. (Range: 1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for a reply from
the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)

• TACACS Settings

- Global – Provides globally applicable TACACS+ settings.

- ServerIndex – Specifies the index number of the server to be configured. The
switch currently supports only one TACACS+ server.

- Server IP Address – Address of the TACACS+ server.

- Server Port Number – Network (TCP) port of TACACS+ server used for
authentication messages. (Range: 1-65535; Default: 49)

- Number of Server Transmits – Number of times the switch attempts to send
an authentication request to the server. (Range: 1-30; Default: 2)

- Timeout for a reply – The number of seconds the switch waits for a reply from
the server before it resends the request. (Range: 1-540 seconds; Default: 5)

- Secret Text String – Encryption key used to authenticate logon access for
client. Do not use blank spaces in the string. (Maximum length: 48 characters)

Note:

The local switch user database has to be set up by manually entering user names
and passwords using the CLI. (See “username” on page 4-35)

Configuring the Switch

3-52

3

www.digisol.com

Web – Click Security, Authentication Settings. To configure local or remote
authentication preferences, specify the authentication sequence (i.e., one to three
methods), fill in the parameters for RADIUS or TACACS+ authentication if selected,
and click Apply.

Figure 3-34 Authentication Settings

DG-FS4526 User Manual

3-53

3

www.digisol.com

CLI – Specify all the required parameters to enable logon authentication.

Console(config)#authentication login radius 4-79
Console(config)#radius-server auth-port 181 4-82
Console(config)#radius-server key green 4-83
Console(config)#radius-server retransmit 5 4-83
Console(config)#radius-server timeout 10 4-84
Console(config)#radius-server 1 host 192.168.1.25 4-81
Console(config)#end
Console#show radius-server 4-84

Global Settings:
Communication Key with RADIUS Server:
Auth-Port: 181
Acct-port: 1813
Retransmit Times: 5
Request Timeout: 10

Server 1:
Server IP Address: 192.168.1.25
Communication Key with RADIUS Server: *****
Auth-Port: 181
Acct-port: 1813
Retransmit Times: 5
Request Timeout: 10

Radius server group:
Group Name Member Index

--------------------- ------------­radius 1
Console#

Console#configure
Console(config)#authentication login tacacs 4-79
Console(config)#tacacs-server 1 host 10.20.30.40 4-85
Console(config)#tacacs-server port 200 4-86
Console(config)#tacacs-server retransmit 5 4-87
Console(config)#tacacs-server timeout 10 4-87
Console(config)#tacacs-server key blue 4-86
Console#show tacacs-server 4-87

Remote TACACS+ server configuration:

Global Settings:
Communication Key with TACACS+ Server:
Server Port Number: 200
Retransmit Times : 5
Request Times : 10

Server 1:
Server IP address: 10.20.30.40
Communication key with TACACS+ server: ****
Server port number: 200
Retransmit Times : 5
Request Times : 10

Tacacs server group:
Group Name Member Index

--------------------- ------------­tacacs+ 1
Console(config)#

Configuring the Switch

3-54

3

www.digisol.com

AAA Authorization and Accounting

The Authentication, authorization, and accounting (AAA) feature provides the main
framework for configuring access control on the switch. The three security functions
can be summarized as follows:

• Authentication — Identifies users that request access to the network.

• Authorization — Determines if users can access specific services.

• Accounting — Provides reports, auditing, and billing for services that users have
accessed on the network.

The AAA functions require the use of configured RADIUS or TACACS+ servers in
the network. The security servers can be defined as sequential groups that are then
applied as a method for controlling user access to specified services. For example,
when the switch attempts to authenticate a user, a request is sent to the first server
in the defined group, if there is no response the second server will be tried, and so
on. If at any point a pass or fail is returned, the process stops.

The switch suports the following AAA features:

• Accounting for IEEE 802.1X authenticated users that access the network through
the switch.

• Accounting for users that access management interfaces on the switch through the
console and Telnet.

• Accounting for commands that users enter at specific CLI privilege levels.

• Authorization of users that access management interfaces on the switch through
the console and Telnet.

To configure AAA on the switch, you need to follow this general process:

1. Configure RADIUS and TACACS+ server access parameters. See “Configuring

Local/Remote Logon Authentication” on page 3-50.

2. Define RADIUS and TACACS+ server groups to support the accounting and

authorization of services.

3. Define a method name for each service to which you want to apply accounting

or authorization and specify the RADIUS or TACACS+ server groups to use.

4. Apply the method names to port or line interfaces.

Note:

This guide assumes that RADIUS and TACACS+ servers have already been
configured to support AAA. The configuration of RADIUS and TACACS+ server
software is beyond the scope of this guide, refer to the documentation provided
with the RADIUS or TACACS+ server software.