Digisol DG-GS1500E series Management Manual

Download

Page 1

AZTECA 1000 Web Managed Switch Series

DG-GS1500E Series

Gigabit Ethernet Web Managed Switch

Management Guide

V1.0

2014-03-05

As our products undergo continuous development the specifications are subject to change without prior notice

Page 2

ANAGEMENT

UIDE

DG-GS1510HPE GIGABIT ETHERNET SWITCH

Layer 2 Gigabit Ethernet PoE Switch with 8 10/100/1000BASE-T Ports (RJ-45) and 2 Gigabit SFP Ports

DG-GS1526HPE GIGABIT ETHERNET SWITCH

Layer 2 Gigabit Ethernet PoE Switch with 24 10/100/1000BASE-T Ports (RJ-45) and 2 Gigabit SFP Ports

DG-GS1526E GIGABIT ETHERNET SWITCH

Layer 2 Gigabit Ethernet Switch with 24 10/100/1000BASE-T Ports (RJ-45) and 2 Gigabit SFP Ports

Page 3

ABOUT THIS GUIDE

PURPOSE This guide gives specific information on how to operate and use the

management functions of the switch.

AUDIENCE The guide is intended for use by network administrators who are

responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).

CONVENTIONS The following conventions are used throughout this guide to show

information:

OTE

Emphasizes important information or calls your attention to related

features or instructions.

AUTION

damage the system or equipment.

ARNING

Alerts you to a potential hazard that could cause loss of data, or

Alerts you to a potential hazard that could cause personal injury.

RELATED PUBLICATIONS The following publication details the hardware features of the switch,

including the physical and performance-related characteristics, and how to install the switch:

The Installation Guide

Also, as part of the switch’s software, there is an online web-based help that describes all management related features.

– 3 –

Page 4

ABOUT THIS GUIDE 3

ONTENTS 4

IGURES 10

ABLES 15

SECTION I GETTING STARTED 16

1INTRODUCTION 17

Key Features 17

Description of Software Features 18

System Defaults 22

2INITIAL SWITCH CONFIGURATION 25

SECTION II WEB CONFIGURATION 27

3USING THE WEB INTERFACE 28

Navigating the Web Browser Interface 28

Home Page 28

Configuration Options 29

Panel Display 29

Main Menu 29

4CONFIGURING THE SWITCH 39

Configuring System Information 39

Setting an IP Address 40

Setting an IPv4 Address 40

Setting an IPv6 Address 41

Configuring NTP Service 44

Configuring the Time Zone and Daylight Savings Time 45

Configuring Remote Log Messages 47

Configuring Power Reduction 48

– 4 –

Page 5

ONTENTS

Reducing Power to Idle Queue Circuits 48

Configuring Port Connections 49

Configuring Security 52

Configuring User Accounts 52

Configuring User Privilege Levels 54

Configuring The Authentication Method For Management Access 56

Configuring SSH 59

Configuring HTTPS 60

Filtering IP Addresses for Management Access 61

Using Simple Network Management Protocol 62

Remote Monitoring 73

Configuring Port Limit Controls 78

Configuring Authentication Through Network Access Servers 81

Filtering Traffic with Access Control Lists 93

Configuring DHCP Snooping 103

Configuring DHCP Relay and Option 82 Information 106

Configuring IP Source Guard 107

Configuring ARP Inspection 111

Specifying Authentication Servers 114

Creating Trunk Groups 116

Configuring Static Trunks 116

Configuring LACP 119

Configuring Loop Protection 121

Configuring the Spanning Tree Algorithm 123

Configuring Global Settings for STA 125

Configuring Multiple Spanning Trees 129

Configuring Spanning Tree Bridge Priorities 131

Configuring STP/RSTP/CIST Interfaces 132

Configuring MIST Interfaces 136

Multicast VLAN Registration 137

Configuring General MVR Settings 138

Configuring MVR Channel Settings 140

IGMP Snooping 142

Configuring Global and Port-Related Settings for IGMP Snooping 142

Configuring VLAN Settings for IGMP Snooping and Query 146

Configuring IGMP Filtering 148

– 5 –

Page 6

ONTENTS

MLD Snooping 149

Configuring Global and Port-Related Settings for MLD Snooping 149

Configuring VLAN Settings for MLD Snooping and Query 152

Configuring MLD Filtering 154

Link Layer Discovery Protocol 155

Configuring LLDP Timing and TLVs 155

Configuring LLDP-MED TLVs 158

Power over Ethernet 164

Configuring the MAC Address Table 167

IEEE 802.1Q VLANs 169

Assigning Ports to VLANs 170

Configuring VLAN Attributes for Port Members 171

Configuring Private VLANs 174

Using Port Isolation 175

Configuring MAC-based VLANs 176

Protocol VLANs 177

Configuring Protocol VLAN Groups 178

Mapping Protocol Groups to Ports 179

Configuring IP Subnet-based VLANs 180

Managing VoIP Traffic 182

Configuring VoIP Traffic 182

Configuring Telephony OUI 184

Quality of Service 185

Configuring Port Classification 186

Configuring Port Policiers 188

Configuring Egress Port Scheduler 189

Configuring Egress Port Shaper 192

Configuring Port Remarking Mode 193

Configuring Port DSCP Translation and Rewriting 196

Configuring DSCP-based QoS Ingress Classification 197

Configuring DSCP Translation 198

Configuring DSCP Classification 199

Configuring QoS Control Lists 200

Configuring Storm Control 204

Configuring Local Port Mirroring 205

Configuring Remote Port Mirroring 207

– 6 –

Page 7

ONTENTS

Configuring UPnP 211

Configuring sFlow 213

5MONITORING THE SWITCH 216

Displaying Basic Information About the System 216

Displaying System Information 216

Displaying CPU Utilization 217

Displaying Log Messages 218

Displaying Log Details 220

Displaying Information About Ports 220

Displaying Port Status On the Front Panel 220

Displaying an Overview of Port Statistics 221

Displaying QoS Statistics 221

Displaying QCL Status 222

Displaying Detailed Port Statistics 223

Displaying Information About Security Settings 226

Displaying Access Management Statistics 226

Displaying Information About Switch Settings for Port Security 227

Displaying Information About Learned MAC Addresses 228

Displaying Port Status for Authentication Services 229

Displaying Port Statistics for 802.1X or Remote Authentication Service 230

Displaying ACL Status 234

Displaying Statistics for DHCP Snooping 236

Displaying DHCP Relay Statistics 237

Displaying MAC Address Bindings for ARP Packets 238

Displaying Entries in the IP Source Guard Table 239

Displaying Information on Authentication Servers 240

Displaying a List of Authentication Servers 240

Displaying Statistics for Configured Authentication Servers 241

Displaying Information on RMON 245

Displaying RMON Statistics 245

Displaying RMON Historical Samples 246

Displaying RMON Alarm Settings 247

Displaying RMON Event Settings 248

Displaying Information on LACP 249

Displaying an Overview of LACP Groups 249

Displaying LACP Port Status 249

– 7 –

Page 8

ONTENTS

Displaying LACP Port Statistics 250

Displaying Information on Loop Protection 251

Displaying Information on the Spanning Tree 252

Displaying Bridge Status for STA 252

Displaying Port Status for STA 255

Displaying Port Statistics for STA 255

Displaying MVR Information 256

Displaying MVR Statistics 256

Displaying MVR Group Information 257

Displaying MVR SFM Information 258

Showing IGMP Snooping Information 259

Showing IGMP Snooping Status 259

Showing IGMP Snooping Group Information 260

Showing IPv4 SFM Information 261

Showing MLD Snooping Information 262

Showing MLD Snooping Status 262

Showing MLD Snooping Group Information 263

Showing IPv6 SFM Information 264

Displaying LLDP Information 265

Displaying LLDP Neighbor Information 265

Displaying LLDP-MED Neighbor Information 266

Displaying LLDP Neighbor PoE Information 268

Displaying LLDP Neighbor EEE Information 269

Displaying LLDP Port Statistics 271

Displaying PoE Status 272

Displaying the MAC Address Table 273

Displaying Information About VLANs 274

VLAN Membership 274

VLAN Port Status 275

Displaying Information About MAC-based VLANs 276

Displaying Information About Flow Sampling 277

6PERFORMING BASIC DIAGNOSTICS 279

Pinging an IPv4 or IPv6 Address 279

Running Cable Diagnostics 281

7PERFORMING SYSTEM MAINTENANCE 282

Restarting the Switch 282

– 8 –

Page 9

ONTENTS

Restoring Factory Defaults 283

Upgrading Firmware 283

Activating the Alternate Image 284

Managing Configuration Files 285

Saving Configuration Settings 285

Restoring Configuration Settings 285

SECTION III APPENDICES 287

ASOFTWARE SPECIFICATIONS 288

Software Features 288

Management Features 289

Standards 290

Management Information Bases 290

BTROUBLESHOOTING 292

Problems Accessing the Management Interface 292

Using System Logs 293

GLOSSARY 294

NDEX 301

– 9 –

Page 10

FIGURES

Figure 1: Home Page 28

Figure 2: Front Panel Indicators 29

Figure 3: System Information Configuration 39

Figure 4: IP Configuration 41

Figure 5: IPv6 Configuration 43

Figure 6: NTP Configuration 44

Figure 7: Time Zone and Daylight Savings Time Configuration 46

Figure 8: Configuring Settings for Remote Logging of Error Messages 48

Figure 9: Configuring EEE Power Reduction 49

Figure 10: Port Configuration 51

Figure 11: Showing User Accounts 53

Figure 12: Configuring User Accounts 54

Figure 13: Configuring Privilege Levels 56

Figure 14: Authentication Server Operation 57

Figure 15: Authentication Method for Management Access 58

Figure 16: SSH Configuration 59

Figure 17: HTTPS Configuration 61

Figure 18: Access Management Configuration 62

Figure 19: SNMP System Configuration 67

Figure 20: SNMPv3 Community Configuration 68

Figure 21: SNMPv3 User Configuration 70

Figure 22: SNMPv3 Group Configuration 71

Figure 23: SNMPv3 View Configuration 72

Figure 24: SNMPv3 Access Configuration 73

Figure 25: RMON Statistics Configuration 74

Figure 26: RMON History Configuration 75

Figure 27: RMON Alarm Configuration 77

Figure 28: RMON Event Configuration 78

Figure 29: Port Limit Control Configuration 81

Figure 30: Using Port Security 82

Figure 31: Network Access Server Configuration 92

– 10 –

Page 11

IGURES

Figure 32: ACL Port Configuration 94

Figure 33: ACL Rate Limiter Configuration 95

Figure 34: Access Control List Configuration 103

Figure 35: DHCP Snooping Configuration 105

Figure 36: DHCP Relay Configuration 107

Figure 37: Configuring Global and Port-based Settings for IP Source Guard 109

Figure 38: Configuring Static Bindings for IP Source Guard 110

Figure 39: Configuring Global and Port Settings for ARP Inspection 112

Figure 40: Configuring Static Bindings for ARP Inspection 113

Figure 41: Authentication Configuration 115

Figure 42: Static Trunk Configuration 119

Figure 43: LACP Port Configuration 121

Figure 44: Loop Protection Configuration 123

Figure 45: STP Root Ports and Designated Ports 124

Figure 46: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree 124

Figure 47: Common Internal Spanning Tree, Common Spanning Tree, Internal

Spanning Tree125

Figure 48: STA Bridge Configuration 129

Figure 49: Adding a VLAN to an MST Instance 131

Figure 50: Configuring STA Bridge Priorities 132

Figure 51: STP/RSTP/CIST Port Configuration 135

Figure 52: MSTI Port Configuration 137

Figure 53: MVR Concept 137

Figure 54: Configuring General MVR Settings 140

Figure 55: Configuring MVR Channel Settings 141

Figure 56: Configuring Global and Port-related Settings for IGMP Snooping 145

Figure 57: Configuring VLAN Settings for IGMP Snooping and Query 148

Figure 58: IGMP Snooping Port Group Filtering Configuration 148

Figure 59: Configuring Global and Port-related Settings for MLD Snooping 152

Figure 60: Configuring VLAN Settings for MLD Snooping and Query 154

Figure 61: MLD Snooping Port Group Filtering Configuration 155

Figure 62: LLDP Configuration 158

Figure 63: LLDP-MED Configuration 164

Figure 64: Configuring PoE Settings 167

Figure 65: MAC Address Table Configuration 169

Figure 66: VLAN Membership Configuration 171

Figure 67: VLAN Port Configuration 174

– 11 –

Page 12

IGURES

Figure 68: Private VLAN Membership Configuration 175

Figure 69: Port Isolation Configuration 176

Figure 70: Configuring MAC-Based VLANs 177

Figure 71: Configuring Protocol VLANs 179

Figure 72: Assigning Ports to Protocol VLANs 180

Figure 73: Assigning Ports to an IP Subnet-based VLAN 181

Figure 74: Configuring Global and Port Settings for a Voice VLAN 184

Figure 75: Configuring an OUI Telephony List 185

Figure 76: Configuring Ingress Port QoS Classification 187

Figure 77: Configuring Ingress Port Tag Classification 188

Figure 78: Configuring Ingress Port Policing 189

Figure 79: Displaying Egress Port Schedulers 191

Figure 80: Configuring Egress Port Schedulers and Shapers 192

Figure 81: Displaying Egress Port Shapers 193

Figure 82: Displaying Port Tag Remarking Mode 194

Figure 83: Configuring Port Tag Remarking Mode 195

Figure 84: Configuring Port DSCP Translation and Rewriting 197

Figure 85: Configuring DSCP-based QoS Ingress Classification 198

Figure 86: Configuring DSCP Translation and Re-mapping 199

Figure 87: Mapping DSCP to CoS/DPL Values 200

Figure 88: QoS Control List Configuration 204

Figure 89: Storm Control Configuration 205

Figure 90: Mirror Configuration 207

Figure 91: Configuring Remote Port Mirroring 207

Figure 92: Mirror Configuration (Source) 210

Figure 93: Mirror Configuration (Intermediate) 210

Figure 94: Mirror Configuration (Destination) 211

Figure 95: UPnP Configuration 212

Figure 96: sFlow Configuration 215

Figure 97: System Information 217

Figure 98: CPU Load 218

Figure 99: System Log Information 219

Figure 100: Detailed System Log Information 220

Figure 101: Port State Overview 220

Figure 102: Port Statistics Overview 221

Figure 103: Queueing Counters 222

– 12 –

Page 13

IGURES

Figure 104: QoS Control List Status 223

Figure 105: Detailed Port Statistics 225

Figure 106: Access Management Statistics 226

Figure 107: Port Security Switch Status 228

Figure 108: Port Security Port Status 229

Figure 109: Network Access Server Switch Status 230

Figure 110: NAS Statistics for Specified Port 234

Figure 111: ACL Status 235

Figure 112: DHCP Snooping Statistics 237

Figure 113: DHCP Relay Statistics 238

Figure 114: Dynamic ARP Inspection Table 239

Figure 115: Dynamic IP Source Guard Table 239

Figure 116: RADIUS Overview 240

Figure 117: RADIUS Details 244

Figure 118: RMON Statistics 246

Figure 119: RMON History Overview 247

Figure 120: RMON Alarm Overview 248

Figure 121: RMON Event Overview 248

Figure 122: LACP System Status 249

Figure 123: LACP Port Status 250

Figure 124: LACP Port Statistics 251

Figure 125: Loop Protection Status 252

Figure 126: Spanning Tree Bridge Status 254

Figure 127: Spanning Tree Detailed Bridge Status 254

Figure 128: Spanning Tree Port Status 255

Figure 129: Spanning Tree Port Statistics 256

Figure 130: MVR Statistics 257

Figure 131: MVR Group Information 258

Figure 132: MVR SFM Information 259

Figure 133: IGMP Snooping Status 260

Figure 134: IGMP Snooping Group Information 261

Figure 135: IPv4 SFM Information 262

Figure 136: MLD Snooping Status 263

Figure 137: MLD Snooping Group Information 264

Figure 138: IPv6 SFM Information 265

Figure 139: LLDP Neighbor Information 266

– 13 –

Page 14

IGURES

Figure 140: LLDP-MED Neighbor Information 268

Figure 141: LLDP Neighbor PoE Information 269

Figure 142: LLDP Neighbor EEE Information 270

Figure 143: LLDP Port Statistics 272

Figure 144: Power over Ethernet Status 273

Figure 145: MAC Address Table 274

Figure 146: Showing VLAN Members 275

Figure 147: Showing VLAN Port Status 276

Figure 148: Showing MAC-based VLAN Membership Status 277

Figure 149: Showing sFlow Statistics 278

Figure 150: ICMP Ping 280

Figure 151: VeriPHY Cable Diagnostics 281

Figure 152: Restart Device 282

Figure 153: Factory Defaults 283

Figure 154: Software Upload 284

Figure 155: Software Image Selection 284

Figure 156: Configuration Save 285

Figure 157: Configuration Upload 286

– 14 –

Page 15

TABLES

Table 1: Key Features 17

Table 2: System Defaults 22

Table 3: Web Page Configuration Buttons 29

Table 4: Main Menu 29

Table 5: HTTPS System Support 60

Table 6: SNMP Security Models and Levels 63

Table 7: Dynamic QoS Profiles 85

Table 8: QCE Modification Buttons 97

Table 9: Recommended STA Path Cost Range 133

Table 10: Recommended STA Path Costs 133

Table 11: Default STA Path Costs 133

Table 12: QCE Modification Buttons 201

Table 13: System Capabilities 265

Table 14: Troubleshooting Chart 292

– 15 –

Page 16

ECTION

GETTING STARTED

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.

This section includes these chapters:

• "Introduction" on page 17

• "Initial Switch Configuration" on page 25

– 16 –

Page 17

1 INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

KEY FEATURES

Table 1: Key Features

Feature Description

Configuration Backup and Restore

Backup to management station using Web

Authentication Telnet, Web – user name/password, RADIUS, TACACS+

Web – HTTP S Teln e t – S S H SNMP v1/2c - Community strings SNMP version 3 – MD5 or SHA password Port – IEEE 802.1X, MAC address filtering

General Security Measures

Access Control Lists Supports up to 256 rules

DHCP Client

DNS Client and Proxy service

Port Configuration Speed, duplex mode, flow control, MTU, response to excessive

Rate Limiting Input rate limiting per port (manual setting or ACL)

Port Mirroring 1 sessions, up to 10 source port to one analysis port per session

Port Trunking Supports up to 5 trunks – static or dynamic trunking (LACP)

Congestion Control Throttling for broadcast, multicast, unknown unicast storms

Address Table 8K MAC addresses in the forwarding table, 1000 static MAC

IP Version 4 and 6 Supports IPv4 and IPv6 addressing, management, and QoS

Private VLANs Port Authentication Port Security DHCP Snooping (with Option 82 relay information) IP Source Guard

collisions, power saving mode

addresses, 1K L2 IGMP multicast groups and 128 MVR groups

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching

Supported to ensure wire-speed switching while eliminating bad frames

– 17 –

Page 18

HAPTER

Description of Software Features

| Introduction

Table 1: Key Features (Continued)

Feature Description

Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and

Virtual LANs Up to 4K using IEEE 802.1Q, port-based, protocol-based, private

Multiple Spanning Trees (MSTP)

VLANs, and voice VLANs, and QinQ tunnel

Traffic Prioritization Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/

Quality of Service Supports Differentiated Services (DiffServ), and DSCP remarking

Link Layer Discovery Protocol

Multicast Filtering Supports IGMP snooping and query, MLD snooping, and Multicast

DESCRIPTION OF SOFTWARE FEATURES

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications.

Some of the management features are briefly described below.

UDP port, DSCP, ToS bit, VLAN tag priority, or port

Used to discover basic information about neighboring devices

VLAN Registration

CONFIGURATION

BACKUP AND RESTORE

You can save the current configuration settings to a file on the management station (using the web interface) or a TFTP server (using the console interface through Telnet), and later download this file to restore the switch configuration settings.

AUTHENTICATION This switch authenticates management access via a web browser. User

names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).

Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/Telnet/web management access, and MAC address filtering for port access.

– 18 –

Page 19

HAPTER

Description of Software Features

| Introduction

ACCESS CONTROL

LISTS

ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can by used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP on specific port.

PORT CONFIGURATION You can manually configure the speed and duplex mode, and flow control

used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).

RATE LIMITING This feature controls the maximum rate for traffic transmitted or received

on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

PORT MIRRORING The switch can unobtrusively mirror traffic from any port to a monitor port.

You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.

PORT TRUNKING Ports can be combined into an aggregate connection. Trunks can be

manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 5 trunks.

STORM CONTROL Broadcast, multicast and unknown unicast storm suppression prevents

traffic from overwhelming the network.When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

STATIC ADDRESSES A static address can be assigned to a specific interface on this switch.

Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will

– 19 –

Page 20

HAPTER

Description of Software Features

| Introduction

be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D BRIDGE The switch supports IEEE 802.1D transparent bridging. The address table

facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.

STORE-AND-FORWARD

SWITCHING

SPANNING TREE

ALGORITHM

The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 8 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

The switch supports these spanning tree protocols:

• Spanning Tree Protocol (STP, IEEE 802.1D) – Supported by using the

STP backward compatible mode provided by RSTP. STP provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.

• Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol

reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE

802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

• Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is

a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

– 20 –

Page 21

HAPTER

Description of Software Features

| Introduction

VIRTUAL LANS The switch supports up to 4096 VLANs. A Virtual LAN is a collection of

network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

• Eliminate broadcast storms which severely degrade performance in a

flat network.

• Simplify network management for node changes/moves by remotely

configuring VLAN membership for any port, rather than having to manually change the network connection.

• Provide data security by restricting all traffic to the originating VLAN.

• Use private VLANs to restrict traffic to pass only between data ports

and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.

IEEE 802.1Q

TUNNELING (QINQ)

TRAFFIC

PRIORITIZATION

• Use protocol VLANs to restrict traffic to specified interfaces based on

protocol type.

This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network.

This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can provide independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

be used to

– 21 –

Page 22

HAPTER

System Defaults

| Introduction

QUALITY OF SERVICE Differentiated Services (DiffServ) provides policy-based management

mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.

MULTICAST

FILTERING

SYSTEM DEFAULTS

Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration for IPv4 traffic, and MLD Snooping for IPv6 traffic. It also supports Multicast VLAN Registration (MVR) which allows common multicast traffic, such as television channels, to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file.

The following table lists some of the basic system defaults.

Table 2: System Defaults

Function Parameter Default

Authentication User Name “admin”

Password “admin”

RADIUS Authentication Disabled

TACACS+ Authentication Disabled

802.1X Port Authentication Disabled

HTTPS Enabled

SSH Enabled

Port Security Disabled

IP Filtering Disabled

Web Management HTTP Server Enabled

HTTP Port Number 80

HTTP Secure Server Disabled

HTTP Secure Server Redirect Disabled

– 22 –

Page 23

HAPTER

Table 2: System Defaults (Continued)

Function Parameter Default

SNMP SNMP Agent Disabled

| Introduction

System Defaults

Community Strings “public” (read only)

Traps Global: disabled

SNMP V3 View: default_view

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Rate Limiting Input and output limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Storm Protection Status Broadcast: Enabled (1 kpps)

Spanning Tree Algorithm Status Enabled, RSTP

Edge Ports Enabled

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

PVID 1

Acceptable Frame Type All

“private” (read/write)

Authentication traps: enabled Link-up-down events: enabled

Group: default_rw_group

Multicast: disabled Unknown unicast: disabled

(Defaults: RSTP standard)

Ingress Filtering Disabled

Switchport Mode (Egress Mode) Access

Traffic Prioritization Ingress Port Priority 0

Queue Mode Strict

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

Weight: Disabled in strict mode

Ethernet Type Disabled

VLAN ID Disabled

VLAN Priority Tag Disabled

ToS P r i o r i t y D i sab l e d

IP DSCP Priority Disabled

TCP/UDP Port Priority Disabled

LLDP Status Enabled

– 23 –

Page 24

HAPTER

| Introduction

System Defaults

Table 2: System Defaults (Continued)

Function Parameter Default

IP Settings Management. VLAN VLAN 1

IP Address 192.168.1.10

Subnet Mask 255.255.255.0

Default Gateway 0.0.0.0

DHCP Client: Disabled

DNS Proxy service: Disabled

Multicast Filtering IGMP Snooping Snooping: Disabled

MLD Snooping Disabled

Multicast VLAN Registration Disabled

System Log (console only)

NTP Clock Synchronization Disabled

Status Disabled

Messages Logged to Flash All levels

Snooping: Disabled

Querier: Disabled

– 24 –

Page 25

2 INITIAL SWITCH CONFIGURATION

This chapter includes information on connecting to the switch and basic configuration procedures.

To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed. This should be done before you permanently install the switch in the network.

Follow this procedure:

1. Place the switch close to the PC that you intend to use for configuration.

It helps if you can see the front panel of the switch while working on your PC.

2. Connect the Ethernet port of your PC to any port on the front panel of

the switch. Connect power to the switch and verify that you have a link by checking the front-panel LEDs.

3. Check that your PC has an IP address on the same subnet as the

switch. The default IP address of the switch is 192.168.1.10 and the subnet mask is 255.255.255.0, so the PC and switch are on the same subnet if they both have addresses that start 192.168.1.x. If the PC and switch are not on the same subnet, you must manually set the PC’s IP address to 192.168.1.x (where “x” is any number from 1 to 254, except 10).

4. Open your web browser and enter the address http://192.168.1.10. If

your PC is properly configured, you will see the login page of the switch. If you do not see the login page, repeat step 3.

5. Enter “admin” for the user name and password, and then click on the

6. From the menu, click System, and then IP. To request an address from

a local DHCP Server, mark the DHCP Client check box. To configure a static address, enter the new IP Address, IP Mask, and other optional parameters for the switch, and then click on the Save button.

If you need to configure an IPv6 address, select IPv6 from the System menu, and either submit a request for an address from a local DHCPv6 server by marking the Auto Configuration check box, or configure a static address by filling in the parameters for an address, network prefix length, and gateway router.

No other configuration changes are required at this stage, but it is recommended that you change the administrator’s password before

– 25 –

Page 26

HAPTER

| Initial Switch Configuration

logging out. To change the password, click Security and then Users. Select “admin” from the User Configuration list, fill in the Password fields, and then click Save.

– 26 –

Page 27

ECTION

WEB CONFIGURATION

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.

This section includes these chapters:

• "Using the Web Interface" on page 28

• "Configuring the Switch" on page 39

• "Monitoring the Switch" on page 216

• "Performing Basic Diagnostics" on page 279

• "Performing System Maintenance" on page 282

– 27 –

Page 28

3 USING THE WEB INTERFACE

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Mozilla Firefox

2.0.0.0, or more recent versions).

NAVIGATING THE WEB BROWSER INTERFACE

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

HOME PAGE When your web browser connects with the switch’s web agent, the home

page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and an image of the front panel on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

Figure 1: Home Page

– 28 –

Page 29

DG-GS1510HPE/DG-GS1526E/DG-GS1526HPE

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

CONFIGURATION

OPTIONS

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3: Web Page Configuration Buttons

Button Action

Save Sets specified values to the system.

Reset Cancels specified values and restores current values prior to pressing

“Save.”

Logs out of the management interface.

Displays help for the selected page.

PANEL DISPLAY The web agent displays an image of the switch’s ports. The refresh mode is

disabled by default. Click Auto-refresh to refresh the data displayed on the screen approximately once every 5 seconds, or click Refresh to refresh the screen right now. Clicking on the image of a port opens the Detailed Statistics page as described on page 223.

Figure 2: Front Panel Indicators

MAIN MENU Using the onboard web agent, you can define system parameters, manage

and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 4: Main Menu

Menu Description Page

Basic Configuration

System 39

Information Configures system contact, name and location 39

IP Configures IPv4 and SNTP settings 40

IPv6 Configures IPv6 and SNTP settings 41

NTP Enables NTP, and configures a list of NTP servers 44

Time Configures the time zone and daylight savings time 45

– 29 –

Page 30

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Log Configures the logging of messages to a remote logging

Ports Configures port connection settings 49

Aggregation 116

Static Specifies ports to group into static trunks 116

LACP Allows ports to dynamically join trunks 119

Spanning Tree 123

Bridge Settings Configures global bridge settings for STP, RSTP and MSTP;

MSTI Mapping Maps VLANs to a specific MSTP instance 129

MSTI Priorities Configures the priority for the CIST and each MISTI 131

CIST Ports Configures interface settings for STA 132

MSTI Ports Configures interface settings for an MST instance 136

process, specifies the remote log server, and limits the type of system log messages sent

also configures edge port settings for BPDU filtering, BPDU guard, and port error recovery

125

MAC Table Configures address aging, dynamic learning, and static

VLANs Virtual LANs 169

VLAN Membership Configures VLAN groups 170

Ports Specifies default PVID and VLAN attributes 171

Mirroring & RSPAN Sets source and target ports for local or remote mirroring 205

Advanced Configuration

System

Power Reduction 48

Ports

Security 52

Information Configures system contact, name and location 39

IP Configures IPv4 and SNTP settings 40

IPv6 Configures IPv6 and SNTP settings 41

NTP Enables NTP, and configures a list of NTP servers 44

Time Configures the time zone and daylight savings time 45

Log Configures the logging of messages to a remote logging

EEE Configures Energy Efficient Ethernet for specified queues,

Switch 52

addresses

process, specifies the remote log server, and limits the type of system log messages sent

and specifies urgent queues which are to transmit data after maximum latency expires regardless queue length

Configures port connection settings 49

167

Users Configures user names, passwords, and access levels 52

Privilege Levels Configures privilege level for specific functions 54

Auth Method Configures authentication method for management access

via local database, RADIUS or TACACS+

– 30 –

Page 31

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

SSH Configures the Secure Shell server 59

HTTPS Configures secure HTTP settings 60

Access Management

SNMP Simple Network Management Protocol 62

System Configures read-only and read/write community strings for

Communities Configures community strings 67

Users Configures SNMP v3 users on this switch 68

Groups Configures SNMP v3 groups 70

Views Configures SNMP v3 views 71

Access Assigns security model, security level, and read/write views

RMON Remote Monitoring 73

Statistics Enables collection of statistics on a physical interface 73

Sets IP addresses of clients allowed management access via HTTP/HTTPS, and SNMP, and Telnet/SSH

SNMP v1/v2c, engine ID for SNMP v3, and trap parameters

to SNMP groups

History Periodically samples statistics on a physical interface 74

Alarm Sets threshold bounds for a monitored variable 75

Event Creates a response for an alarm 77

Network

Limit Control Configures port security limit controls, including secure

NAS Configures global and port settings for IEEE 802.1X 81

ACL Access Control Lists 93

Ports Assigns ACL, rate limiter, and other parameters to ports 93

Rate Limiters Configures rate limit policies 94

Access Control List

DHCP Dynamic Host Configuration Protocol

Snooping Enables DHCP snooping globally; and sets the trust mode for

Relay Configures DHCP relay information status and policy 106

IP Source Guard Filters IP traffic based on static entries in the IP Source

Configuration Enables IP source guard and sets the maximum number of

Static Table Adds a static addresses to the source-guard binding table 109

ARP Inspection Address Resolution Protocol Inspection 111

address aging; and per port security, including maximum allowed MAC addresses, and response for security breach

Configures ACLs based on frame type, destination MAC type, VLAN ID, VLAN priority tag; and the action to take for matching packets

each port

Guard table, or dynamic entries in the DHCP Snooping table

clients that can learned dynamically

103

107

Configuration Enables inspection globally, and per port 112

Static Table Adds static entries based on port, VLAN ID, and source MAC

address and IP address in ARP request packets

– 31 –

113

Page 32

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

AAA Configures RADIUS authentication server, RADIUS

Aggregation

Static Specifies ports to group into static trunks 116

LACP Allows ports to dynamically join trunks 119

Loop Protection Detects general loopback conditions caused by hardware

Spanning Tree

Bridge Settings Configures global bridge settings for STP, RSTP and MSTP;

MSTI Mapping Maps VLANs to a specific MSTP instance 129

MSTI Priorities Configures the priority for the CIST and each MISTI 131

CIST Ports Configures interface settings for STA 132

MSTI Ports Configures interface settings for an MST instance 136

accounting server, and TACACS+ authentication server settings

116

121

problems or faulty protocol settings

114

also configures edge port settings for BPDU filtering, BPDU

123

125

guard, and port error recovery

MVR Configures Multicast VLAN Registration, including global

status, MVR VLAN, port mode, and immediate leave

137

IPMC IP Multicast

IGMP Snooping Internet Group Management Protocol Snooping 142

Basic Configuration

VLAN Configuration

Port Group

Configures global and port settings for multicast filtering 142

Configures IGMP snooping per VLAN interface 146

Configures multicast groups to be filtered on specified port 148

Filtering

MLD Snooping Multicast Listener Discovery Snooping 149

Basic

Configures global and port settings for multicast filtering 149

Configuration

VLAN Configuration

Port Group Filtering

Configures MLD snooping per VLAN interface 152

Configures multicast groups to be filtered on specified port 154

LLDP Link Layer Discovery Protocol 155

LLDP Configures global LLDP timing parameters, and port-specific

TLV attributes

LLDP-MED Configures LLDP-MED attributes, including device location,

155

158

emergency call server, and network policy discovery

MAC Table

VLANs

Configures address aging, dynamic learning, and static addresses

167

Virtual LANs 169

VLAN Membership Configures VLAN groups 170

Ports Specifies default PVID and VLAN attributes 171

Private VLANs

– 32 –

Page 33

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

PVLAN Membership

Port Isolation Prevents communications between designated ports within

PoE

VCL VLAN Control List

MAC-based VLAN Maps traffic with specified source MAC address to a VLAN 176

Protocol-based VLAN

Protocol to Group

Group to VLAN Maps a protocol group to a VLAN for specified ports 179

IP Subnet-based VLAN

Voice VLAN 182

Configuration Configures global settings, including status, voice VLAN ID,

Configures PVLAN groups 174

the same private VLAN

Configures Power-over-Ethernet settings for each port 164

Creates a protocol group, specifying supported protocols 178

Maps traffic for a specified IP subnet to a VLAN 180

VLAN aging time, and traffic priority; also configures port settings, including the way in which a port is added to the Voice VLAN, and blocking non-VoIP addresses

175

177

182

OUI Maps the OUI in the source MAC address of ingress packets

QoS 185

Port Classification Configures default traffic class, drop priority, user priority,

Port Policing Controls the bandwidth provided for frames entering the

Port Scheduler Provides overview of QoS Egress Port Schedulers, including

Port Shaping Provides overview of QoS Egress Port Shapers, including the

Port Tag Remarking

Port DSCP Configures ingress translation and classification settings and

DSCP-Based QoS Configures DSCP-based QoS ingress classification settings 197

DSCP Translation Configures DSCP translation for ingress traffic or DSCP re-

to the VoIP device manufacturer

drop eligible indicator, classification mode for tagged frames, and DSCP-based QoS classification

ingress queue of specified ports.

the queue mode and weight; also configures egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper

rate for each queue and port; also configures egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper

Provides overview of QoS Egress Port Tag Remarking; also sets the remarking mode (classified PCP/DEI values, default PCP/DEI values, or mapped versions of QoS class and drop priority)

egress re-writing of DSCP values

mapping for egress traffic

184

186

188

189

192

193

196

198

DSCP Classification

QoS Control List Configures QoS policies for handling ingress packets based

Maps DSCP values to a QoS class and drop precedence level 199

on Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS, or VLAN priority tag

– 33 –

200

Page 34

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Storm Control Sets limits for broadcast, multicast, and unknown unicast

Mirroring & RSPAN

UPnP Enables UPNP and defines timeout values 211

sFlow Samples traffic flows, and forwards data to designated

Monitor 216

System 216

traffic

Sets source and target ports for local or remote mirroring 205

collector

204

213

Information Displays basic system description, switch’s MAC address,

CPU Load Displays graphic scale of CPU utilization 217

Log Displays logged messages based on severity 218

Detailed Log Displays detailed information on each logged message 220

Ports 220

State Displays a graphic image of the front panel indicating active

Traffic Overview Shows basic Ethernet port statistics 221

QoS Statistics Shows the number of packets entering and leaving the

QCL Status Shows the status of QoS Control List entries 222

Detailed Statistics Shows detailed Ethernet port statistics 223

Security 226

Access Management Statistics

Network

Port Security

Switch Shows information about MAC address learning for each

Port Shows the entries authorized by port security services,

NAS Shows global and port settings for IEEE 802.1X

Switch Shows port status for authentication services, including

Port Displays authentication statistics for the selected port –

ACL Status Shows the status for different security modules which use

DHCP Dynamic Host Configuration Protocol

system time, and software version

port connections

egress queues

Displays the number of packets used to manage the switch via HTTP, HTTPS, and SNMP, Telnet, and SSH

port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed

including MAC address, VLAN ID, the service state, time added to table, age, and hold state

802.1X security state, last source address used for authentication, and last ID

either for 802.1X protocol or for the remote authentication server depending on the authentication method

ACL filtering, including ingress port, frame type, and forwarding action

216

220

221

226

227

228

229

230

234

– 34 –

Page 35

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Snooping Statistics

Relay Statistics

Shows statistics for various types of DHCP protocol packets 236

Displays server and client statistics for packets affected by the relay information policy

237

ARP Inspection Displays entries in the ARP inspection table, sorted first by

IP Source Guard Displays entries in the IP Source Guard table, sorted first by

AAA Authentication, Authorization and Accounting 240

RADIUS Overview

RADIUS Details Displays the traffic and status associated with each

Switch

RMON Remote Monitoring 245

Statistics Shows sampled data for each entry in the statistics group 245

History Shows sampled data for each entry in the history group 246

Alarm Shows all configured alarms 247

Event Shows all logged events 248

LACP Link Aggregation Control Protocol 249

System Status Displays administration key and associated local ports for

Port Status Displays administration key, LAG ID, partner ID, and partner

Port Statistics Displays statistics for LACP protocol messages 250

Loop Protection Displays settings, current status, and time of last detected

port, then VLAN ID, MAC address, and finally IP address

Displays status of configured RADIUS authentication and accounting servers

configured RADIUS server

each partner

ports for each local port

loop

238

239

240

241

249

251

Spanning Tree 252

Bridge Status Displays global bridge and port settings for STA 252

Port Status Displays STA role, state, and uptime for each port 255

Port Statistics Displays statistics for RSTP, STP and TCN protocol packets 255

MVR Multicast VLAN Registration 256

Statistics Shows statistics for IGMP protocol messages used by MVR 256

MVR Channel Groups

MVR SFM Information

IPMC IP Multicast

IGMP Snooping 259

Status Displays statistics related to IGMP packets passed upstream

Group Information

Shows information about the interfaces associated with multicast groups assigned to the MVR VLAN

Displays MVR Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)

to the IGMP Querier or downstream to multicast clients

Displays active IGMP groups 260

– 35 –

257

258

259

Page 36

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

IPv4 SFM Information

MLD Snooping Multicast Listener Discovery Snooping 262

Status Displays MLD querier status and protocol statistics 262

Group Information

Displays IGMP Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)

261

Displays active MLD groups 263

IPv6 SFM Information

Displays MLD Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)

264

LLDP Link Layer Discovery Protocol 265

Neighbors Displays LLDP information about a remote device connected

LLDP-MED Neighbors

to a port on this switch

Displays information about a remote device connected to a port on this switch which is advertising LLDP-MED TLVs, including network connectivity device, endpoint device,

265

266

capabilities, application type, and policy

PoE

EEE Displays Energy Efficient Ethernet information advertised

Displays status of all LLDP PoE neighbors, including power device type (PSE or PD), source of power, power priority, and maximum required power

268

269

through LLDP messages

Port Statistics Displays statistics for all connected remote devices, and

PoE

MAC Table Displays dynamic and static address entries associated with

statistics for LLDP protocol packets crossing each port

Displays the status for all PoE ports, including the PD class, requested power, allocated power, power and current used, and PoE priority

the CPU and each port

271

272

273

VLANs Virtual LANs 274

VLAN Membership Shows the current port members for all VLANs configured by

a selected software module

VLAN Port Shows the VLAN attributes of port members for all VLANs

configured by a selected software module which uses VLAN management, including PVID, VLAN aware, ingress filtering, frame type, egress filtering, and PVID

274

275

VCL VLAN Control List

MAC-based VLAN Displays MAC address to VLAN map entries 276

sFlow Displays information on sampled traffic, including the owner,

receiver address, remaining sampling time, and statistics for UDP control packets and sampled traffic

277

Diagnostics 279

Ping Tests specified path using IPv4 ping 279

Ping6 Tests specified path using IPv6 ping 279

VeriPHY Performs cable diagnostics for all ports or selected port to

diagnose any cable faults (short, open etc.) and report the cable length

281

Maintenance 282

Restart Device Restarts the switch 282

– 36 –

Page 37

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Factory Defaults Restores factory default settings 283

Software

Upload Updates software on the switch with a file specified on the

management station

283

Image Select Displays information about the active and alternate (backup)

firmware images in the switch, and allows you to revert to the alternate image

284

– 37 –

Page 38

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Configuration 285

Save Saves configuration settings to a file on the management

Upload Restores configuration settings from a file on the

1. The Basic Configuration menu is a subset of Advanced Configuration. The following configuration chapter is therefore structured on the Advanced Configuration menu.

2. These menus are repeated from the Basic Configuration folder.

3. These menus are only provided for PoE switches.

station

management station

285

– 38 –

Page 39

4 CONFIGURING THE SWITCH

This chapter describes all of the basic configuration tasks.

CONFIGURING SYSTEM INFORMATION

Use the System Information Configuration page to identify the system by configuring contact information, system name, and the location of the switch.

PATH

Basic/Advanced Configuration, System, Information

PARAMETERS

These parameters are displayed:

• System Contact – Administrator responsible for the system.

(Maximum length: 255 characters)

• System Name – Name assigned to the switch system.

(Maximum length: 255 characters)

• System Location – Specifies the system location.

(Maximum length: 255 characters)

WEB INTERFACE

To configure System Information:

1. Click Configuration, System, Information.

2. Specify the contact information for the system administrator, as well as

the name and location of the switch.Click Save.

Figure 3: System Information Configuration

– 39 –

Page 40

HAPTER

Setting an IP Address

| Configuring the Switch

SETTING AN IP ADDRESS

This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.

SETTING AN IPV4

DDRESS

Use the IP Configuration page to configure an IPv4 address for the switch. The IP address for the switch is obtained via DHCP by default for VLAN 1. To manually configure an address, you need to change the switch's default settings to values that are compatible with your network. You may also need to a establish a default gateway between the switch and management stations that exist on another network segment.

OTE

An IPv4 address for this switch is obtained via DHCP by default. If the switch does not receive a response from a DHCP server, it will default to the IP address 192.168.1.10 and subnet mask 255.255.255.0.

You can manually configure a specific IP address, or direct the device to obtain an address from a DHCP server. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the CLI program.

PATH

Basic/Advanced Configuration, System, IP

PARAMETERS

These parameters are displayed:

IP Configuration

• DHCP Client – Specifies whether IP functionality is enabled via

Dynamic Host Configuration Protocol (DHCP). If DHCP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP values can include the IP address, subnet mask, and default gateway. (Default: Enabled)

• IP Address – Address of the VLAN specified in the VLAN ID field. This

should be the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 192.168.1.10)

• IP Mask – This mask identifies the host address bits used for routing

to specific subnets. (Default: 255.255.255.0)

– 40 –

Page 41

HAPTER

• IP Router – IP address of the gateway router between the switch and

management stations that exist on other network segments.

• VLAN ID – ID of the configured VLAN. By default, all ports on the

switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4095; Default: 1)

• DNS Server – A Domain Name Server to which client requests for

mapping host names to IP addresses are forwarded.

IP DNS Proxy Configuration

• DNS Proxy – If enabled, the switch maintains a local database based

on previous responses to DNS queries forwarded on behalf of attached clients. If the required information is not in the local database, the switch forwards the DNS query to a DNS server, stores the response in its local cache for future reference, and passes the response back to the client.

| Configuring the Switch

Setting an IP Address

WEB INTERFACE

To configure an IP address:

1. Click Configuration, System, IP.

2. Specify the IPv4 settings, and enable DNS proxy service if required.

3. Click Save.

Figure 4: IP Configuration

SETTING AN IPV6

DDRESS

Use the IPv6 Configuration page to configure an IPv6 address for management access to the switch.

IPv6 includes two distinct address types - link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet. Management traffic using this

– 41 –

Page 42

HAPTER

Setting an IP Address

| Configuring the Switch

kind of address cannot be passed by any router outside of the subnet. A link-local address is easy to set up, and may be useful for simple networks or basic troubleshooting tasks. However, to connect to a larger network with multiple segments, the switch must be configured with a global unicast address. A link-local address must be manually configured, but a global unicast address can either be manually configured or dynamically assigned.

PATH

Basic/Advanced Configuration, System, IPv6

USAGE GUIDELINES

• All IPv6 addresses must be formatted according to RFC 2373 “IPv6

Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

• When configuring a link-local address, note that the prefix length is

fixed at 64 bits, and the host portion of the default address is based on the modified EUI-64 (Extended Universal Identifier) form of the interface identifier (i.e., the physical MAC address). You can manually configure a link-local address by entering the full address with the network prefix FE80.

• To connect to a larger network with multiple subnets, you must

configure a global unicast address. There are several alternatives to configuring this address type:

•

The global unicast address can be automatically configured by taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the address. This option can be selected by enabling the Auto Configuration option.

•

You can also manually configure the global unicast address by entering the full address and prefix length.

• The management VLAN to which the IPv6 address is assigned must be

specified on the IP Configuration page. See "Setting an IPv4 Address"

on page 40.

PARAMETERS

These parameters are displayed:

• Auto Configuration – Enables stateless autoconfiguration of IPv6

addresses on an interface and enables IPv6 functionality on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the interface identifier; i.e., the switch's MAC address. (Default: Disabled)

– 42 –

Page 43

HAPTER

| Configuring the Switch

Setting an IP Address

• Address – Manually configures a global unicast address by specifying

the full address and network prefix length (in the Prefix field). (Default: ::192.168.1.10)

• Prefix – Defines the prefix length as a decimal value indicating how

many contiguous bits (starting at the left) of the address comprise the prefix; i.e., the network portion of the address. (Default: 96 bits)

Note that the default prefix length of 96 bits specifies that the first six colon-separated values comprise the network portion of the address.

• Router – Sets the IPv6 address of the default next hop router.

An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment.

An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.

WEB INTERFACE

To configure an IPv6 address:

1. Click Configuration, System, IPv6.

2. Specify the IPv6 settings. The information shown below provides a

example of how to manually configure an IPv6 address.

3. Click Save.

Figure 5: IPv6 Configuration

– 43 –

Page 44

HAPTER

Configuring NTP Service

| Configuring the Switch

CONFIGURING NTP SERVICE

Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

When the NTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to five time server IP addresses. The switch will attempt to poll each server in the configured sequence.

PATH

Basic/Advanced Configuration, System, NTP

PARAMETERS

These parameters are displayed:

• Mode – Enables or disables NTP client requests.

• Server – Sets the IPv4 or IPv6 address for up to five time servers. The

switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence. The polling interval is fixed at 15 minutes.

WEB INTERFACE

To configure the NTP servers:

1. Click Configuration, System, NTP.

2. Enter the IP address of up to five time servers.

3. Click Save.

Figure 6: NTP Configuration

– 44 –

Page 45

HAPTER

Configuring the Time Zone and Daylight Savings Time

CONFIGURING THE TIME ZONE AND DAYLIGHT SAVINGS TIME

Use the Time Zone and Daylight Savings Time page to set the time zone and Daylight Savings Time.

Time Zone – NTP/SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC. You can choose one of the 80 predefined time zone definitions, or your can manually configure the parameters for your local time zone.

Daylight Savings Time – In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Daylight Savings Time or Summer Time. Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.

| Configuring the Switch

PATH

Basic/Advanced Configuration, System, Time

PARAMETERS

These parameters are displayed:

Time Zone Configuration

• Time Zone – A drop-down box provides access to the 80 predefined

time zone configurations. Each choice indicates it’s offset from UTC and lists at least one major city or location covered by the time zone.

• Acronym – Sets the acronym of the time zone. (Range: Up to 16

alphanumeric characters, as well as the symbols ‘-’, ‘_’ or ‘.’)

Daylight Saving Time Configuration

• Mode – Selects one of the following configuration modes.

•

Disabled – Daylight Savings Time is not used.

•

Recurring – Sets the start, end, and offset times of summer time for the switch on a recurring basis. This mode sets the summertime zone relative to the currently configured time zone.

•

From – Start time for summer-time.

•

To – End time for summer-time.

•

Offset – The number of minutes to add during Daylight Saving Time. (Range: 1-1440)

•

Non-Recurring – Sets the start, end, and offset times of summer time for the switch on a one-time basis.

– 45 –

Page 46

HAPTER

Configuring the Time Zone and Daylight Savings Time

| Configuring the Switch

•

From – Start time for summer-time.

•

To – End time for summer-time.

•

Offset – The number of minutes to add during Daylight Saving Time. (Range: 1-1440)

WEB INTERFACE

To set the time zone or Daylight Savings Time:

1. Click Configuration, System, Time.

2. Select one of the predefined time zones.

3. Select the Daylight Savings Time mode, and then set the start, end and

offset times.

4. Click Save.

Figure 7: Time Zone and Daylight Savings Time Configuration

– 46 –

Page 47

CONFIGURING REMOTE LOG MESSAGES

Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types.

PATH

Basic/Advanced Configuration, System, Log

COMMAND USAGE

When remote logging is enabled, system log messages are sent to the designated server. The syslog protocol is based on UDP and received on UDP port 514. UDP is a connectionless protocol and does not provide acknowledgments. The syslog packet will always be sent out even if the syslog server does not exist.

PARAMETERS

These parameters are displayed:

HAPTER

| Configuring the Switch

Configuring Remote Log Messages

• Server Mode – Enables/disables the logging of debug or error

messages to the remote logging process. (Default: Disabled)

• Server Address – Specifies the IPv4 address or alias of a remote

server which will be sent syslog messages.

• Syslog Level – Limits log messages that are sent to the remote syslog

server for the specified types. Messages options include the following:

•

Info – Send informations, warnings and errors. (Default setting)

•

Warning – Send warnings and errors.

•

Error – Send errors.

WEB INTERFACE

To configure the logging of error messages to remote servers:

1. Click Configuration, System, Log.

2. Enable remote logging, enter the IP address of the remote server, and

specify the type of syslog messages to send.

3. Click Apply.

– 47 –

Page 48

HAPTER

Configuring Power Reduction

| Configuring the Switch

Figure 8: Configuring Settings for Remote Logging of Error Messages

CONFIGURING POWER REDUCTION

The switch provides power saving methods including powering down the circuitry for port queues when not in use.

REDUCING POWER TO IDLE QUEUE CIRCUITS

Use the EEE Configuration page to configure Energy Efficient Ethernet (EEE) for specified queues, and to specify urgent queues which are to transmit data after maximum latency expires regardless of queue length.

PATH

Advanced Configuration, Power Reduction, EEE

COMMAND USAGE

• EEE works by powering down circuits when there is no traffic. When a

port gets data to be transmitted all relevant circuits are powered up. The time it takes to power up the circuits is call the wakeup time. The default wakeup time is 17 µs for 1 Gbps links and 30 µs for other link speeds. EEE devices must agree upon the value of the wakeup time in order to make sure that both the receiving and transmitting devices have all circuits powered up when traffic is transmitted. The devices can exchange information about the device wakeup time using LLDP protocol.

To maximize power savings, the circuit is not started as soon as data is ready to be transmitted from a port, but instead waits until 3000 bytes of data is queued at the port. To avoid introducing a large delay when the queued data is less then 3000 bytes, data is always transmitted after 48 µs, giving a maximum latency of 48 µs plus the wakeup time.

• If required, it is possible to minimize the latency for specific frames by

mapping the frames to a specific queue (EEE Urgent Queues). When an urgent queue gets data to be transmitted, the circuits will be powered up at once and the latency will be reduced to the wakeup time.

PARAMETERS

These parameters are displayed:

• Port – Port identifier.

• Enabled – Enables or disables EEE for the specified port.

– 48 –

Page 49

HAPTER

| Configuring the Switch

Configuring Port Connections

• EEE Urgent Queues – Specifies which are to transmit data after the

maximum latency expires regardless queue length.

WEB INTERFACE

To configure the power reduction for idle queue circuits:

1. Click Configuration, Power Reduction, EEE.

2. Select the circuits which will use EEE.

3. If required, also specify urgent queues which will be powered up once

data is queued and the default wakeup time has passed.

4. Click Save.

Figure 9: Configuring EEE Power Reduction

CONFIGURING PORT CONNECTIONS

Use the Port Configuration page to configure the connection parameters for each port. This page includes options for enabling auto-negotiation or manually setting the speed and duplex mode, enabling flow control, setting the maximum frame size, specifying the response to excessive collisions, or enabling power saving mode.

PATH

Basic/Advanced Configuration, Ports

PARAMETERS

These parameters are displayed:

• Link – Indicates if the link is up or down.

• Speed – Sets the port speed and duplex mode using auto-negotiation

or manual selection. The following options are supported:

•

Disabled - Disables the interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also disable an interface for security reasons.

– 49 –

Page 50

HAPTER

Configuring Port Connections

| Configuring the Switch

•

Auto - Enables auto-negotiation. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities.

•

1Gbps FDX - Supports 1 Gbps full-duplex operation

•

100Mbps FDX - Supports 100 Mbps full-duplex operation

•

100Mbps HDX - Supports 100 Mbps half-duplex operation

•

10Mbps FDX - Supports 10 Mbps full-duplex operation

•

10Mbps HDX - Supports 10 Mbps half-duplex operation

(Default: Autonegotiation enabled; Advertised capabilities for RJ-45: 1000BASE-T - 10half, 10full, 100half, 100full, 1000full; SFP: 1000BASE-SX/LX/LH - 1000full)

OTE

The 1000BASE-T standard does not support forced mode. Autonegotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.

• Flow Control – Flow control can eliminate frame loss by “blocking”

traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for halfduplex operation and IEEE 802.3-2005 (formally IEEE 802.3x) for fullduplex operation. (Default: Disabled)

When auto-negotiation is used, this parameter indicates the flow control capability advertised to the link partner. When the speed and duplex mode are manually set, the Current Rx field indicates whether pause frames are obeyed by this port, and the Current Tx field indicates if pause frames are transmitted from this port.

Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.

• Maximum Frame Size – Sets the maximum transfer unit for traffic

crossing the switch. Packets exceeding the maximum frame size are dropped. (Range: 9600-1518 bytes; Default: 9600 bytes)

• Excessive Collision Mode – Sets the response to take when excessive

transmit collisions are detected on a port.

•

Discard - Discards a frame after 16 collisions (default).

•

Restart - Restarts the backoff algorithm after 16 collisions.

– 50 –

Page 51

HAPTER

| Configuring the Switch

Configuring Port Connections

• Power Control – Adjusts the power provided to ports based on the

length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements.

IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can significantly reduce power used for cable lengths of 20 meters or less, and continue to ensure signal integrity.

The following options are supported:

•

Disabled – All power savings mechanisms disabled (default).

•

Enabled – Both link up and link down power savings enabled.

•

ActiPHY – Link down power savings enabled.

•

PerfectReach – Link up power savings enabled.

WEB INTERFACE

To configure port connection settings:

1. Click Configuration, Ports.

2. Make any required changes to the connection settings.

3. Click Save.

Figure 10: Port Configuration

– 51 –

Page 52

HAPTER

Configuring Security

| Configuring the Switch

CONFIGURING SECURITY

You can configure this switch to authenticate users logging into the system for management access or to control client access to the data ports.

Management Access Security (Switch menu) – Management access to the switch can be controlled through local authentication of user names and passwords stored on the switch, or remote authentication of users via a RADIUS or TACACS+ server. Additional authentication methods includes Secure Shell (SSH), Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), static configuration of client addresses, and SNMP.

General Security Measures (Network menu) – This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch. These include limiting the number of users accessing a port. The addresses assigned to DHCP clients can also be carefully controlled using static or dynamic bindings with DHCP Snooping and IP Source Guard commands. ARP Inspection can also be used to validate the MAC address bindings for ARP packets, providing protection against ARP traffic with invalid MAC to IP address bindings, which forms the basis for “man-in-themiddle” attacks.

CONFIGURING USER ACCOUNTS

Use the User Configuration page to control management access to the switch based on manually configured user names and passwords.

PATH

Advanced Configuration, Security, Switch, Users

COMMAND USAGE

• The default guest name is “guest” with the password “guest.” The

default administrator name is “admin” with the password “admin.”

• The guest only has read access for most configuration parameters.

However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.

• The administrator has a privilege level of 15, with access to all process

groups and full control over the device. If the privilege level is set to any other value, the system will refer to each group privilege level. The user's privilege should be same or greater than the group privilege level to have the access of a group. By default, most of the group privilege levels are set to 5 which provides read-only access and privilege level 10 which also provides read/write access. To perform system maintenance (software upload, factory defaults, etc.) the user’s privilege level should be set to 15. Generally, the privilege level 15 can

– 52 –

Page 53

HAPTER

| Configuring the Switch

Configuring Security

be used for an administrator account, privilege level 10 for a standard user account, and privilege level 5 for a guest account.

PARAMETERS

These parameters are displayed:

• User Name – The name of the user.

(Maximum length: 8 characters; maximum number of users: 16)

• Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

• Password (again) – Re-type the string entered in the previous field to

ensure no errors were made. The switch will not change the password if these two fields do not match.

• Privilege Level – Specifies the user level. (Options: 1 - 15)

Access to specific functions are controlled through the Privilege Levels configuration page (see page 54). The default settings provide four access levels:

•

1 – Read access of port status and statistics.

•

5 – Read access of all system functions except for maintenance and debugging

•

10 – read and write access of all system functions except for maintenance and debugging

•

15 – read and write access of all system functions including maintenance and debugging.

WEB INTERFACE

To show user accounts:

1. Click Advanced Configuration, Security, Switch, Users.

Figure 11: Showing User Accounts

To configure a user account:

1. Click Advanced Configuration, Security, Switch, Users.

2. Click “Add new user.”

3. Enter the user name, password, and privilege level.

– 53 –

Page 54

HAPTER

Configuring Security

| Configuring the Switch

4. Click Save.

Figure 12: Configuring User Accounts

CONFIGURING USER PRIVILEGE LEVELS

Use the Privilege Levels page to set the privilege level required to read or configure specific software modules or system settings.

PATH

Advanced Configuration, Security, Switch, Privilege Levels

PARAMETERS

These parameters are displayed:

• Group Name – The name identifying a privilege group. In most cases,

a privilege group consists of a single module (e.g., LACP, RSTP or QoS), but a few groups contains more than one module. The following describes the groups which contain multiple modules or access to various system settings:

•

System: Contact, Name, Location, Timezone, Log.

•

Security: Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, and IP source guard.

•

IP: Everything except for ping.

•

Port: Everything except for VeriPHY.

•

Diagnostics: ping and VeriPHY.

•

Maintenance: CLI - System Reboot, System Restore Default, System Password, Configuration Save, Configuration Load and Firmware Load. Web - Users, Privilege Levels and everything in Maintenance.

•

Debug: Only present in CLI.

• Privilege levels – Every privilege level group can be configured to

access the following modules or system settings: Configuration Readonly, Configuration/Execute Read-write, Status/Statistics Read-only, and Status/Statistics Read-write (e.g., clearing statistics).

– 54 –

Page 55

HAPTER

| Configuring the Switch

Configuring Security

The default settings provide four access levels:

•

1 – Read access of port status and statistics.

•

5 – Read access of all system functions except for maintenance and debugging

•

10 – read and write access of all system functions except for maintenance and debugging

•

15 – read and write access of all system functions including maintenance and debugging.

WEB INTERFACE

To configure privilege levels:

1. Click Advanced Configuration, Security, Switch, Privilege Levels.

2. Set the required privilege level for any software module or functional

group.

3. Click Save.

– 55 –

Page 56

HAPTER

Configuring Security

| Configuring the Switch

Figure 13: Configuring Privilege Levels

CONFIGURING THE AUTHENTICATION METHOD FOR MANAGEMENT ACCESS

Use the Authentication Method Configuration page to specify the authentication method for controlling management access through the console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled with a RADIUS or TACACS+ remote access authentication server. Note that the RADIUS servers used to authenticate client access for IEEE 802.1X port authentication are also configured on this page (see page 81).

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password

– 56 –

Page 57

Web

RADIUS/ TACACS+ server

1. Client attempts management access.

2. Switch contacts authentication server.

3.Authentication server challenges client.

4. Client responds with proper password or key.

5.Authentication server approves access.

6. Switch grants management access.

HAPTER

| Configuring the Switch

Configuring Security

pairs with associated privilege levels for each user that requires management access to the switch.

Figure 14: Authentication Server Operation

PATH

Advanced Configuration, Security, Switch, Auth Method

USAGE GUIDELINES

• The switch supports the following authentication services:

•

Authorization of users that access the Telnet, SSH, the web, or console management interfaces on the switch.

•

Accounting for users that access the Telnet, SSH, the web, or console management interfaces on the switch.

•

Accounting for IEEE 802.1X authenticated users that access the network through the switch. This accounting can be used to provide reports, auditing, and billing for services that users have accessed.

• By default, management access is always checked against the

authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication method and the corresponding parameters for the remote authentication protocol on the Network Access Server Configuration page. Local and remote logon authentication can be used to control management access via Telnet, SSH, a web browser, or the console interface.

• When using RADIUS or TACACS+ logon authentication, the user name

and password must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest

5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).

– 57 –

Page 58

HAPTER

Configuring Security

| Configuring the Switch

OTE

This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS and TACACS+ server software.

PARAMETERS

These parameters are displayed:

• Client – Specifies how the administrator is authenticated when logging

into the switch via Telnet, SSH, or a web browser.

• Authentication Method – Selects the authentication method.

(Options: None, Local, RADIUS, TACACS+; Default: Local)

Selecting the option “None” disables access through the specified management interface.

• Fallback – Uses the local user database for authentication if none of

the configured authentication servers are alive. This is only possible if the Authentication Method is set to something else than “none” or “local.”

WEB INTERFACE

To configure authentication for management access:

1. Click Advanced Configuration, Security, Switch, Auth Method.

2. Configure the authentication method for management client types, and

specify whether or not to fallback to local authentication if no remote authentication server is available.

3. Click Save.

Figure 15: Authentication Method for Management Access

– 58 –

Page 59

HAPTER

| Configuring the Switch

Configuring Security

CONFIGURING SSH Use the SSH Configuration page to configure access to the Secure Shell

(SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

PATH

Advanced Configuration, Security, Switch, SSH

USAGE GUIDELINES

• You need to install an SSH client on the management station to access

the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients.

• SSH service on this switch only supports password authentication. The

password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Auth Method menu (page 56).

To use SSH with password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.

• The SSH service on the switch supports up to four client sessions. The

maximum number of client sessions includes both current Telnet sessions and SSH sessions.

PARAMETERS

These parameters are displayed:

• Mode - Allows you to enable/disable SSH service on the switch.

(Default: Enabled)

WEB INTERFACE

To c o n f ig ur e SS H :

1. Click Advanced Configuration, Security, Switch, SSH.

2. Enable SSH if required.

3. Click Save.

Figure 16: SSH Configuration

– 59 –

Page 60

HAPTER

Configuring Security

| Configuring the Switch

CONFIGURING HTTPS Use the HTTPS Configuration page to enable the Secure Hypertext Transfer

Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.

PATH

Advanced Configuration, Security, Switch, HTTPS

USAGE GUIDELINES

• If you enable HTTPS, you must indicate this in the URL that you specify

in your browser: https://device[:port-number]

• When you start HTTPS, the connection is established in this way:

•

The client authenticates the server using the server's digital certificate.

•

The client and server negotiate a set of security protocols to use for the connection.

•

The client and server generate session keys for encrypting and decrypting data.

•

The client and server establish a secure encrypted connection.

A padlock icon should appear in the status bar for Internet Explorer

5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above.

• The following web browsers and operating systems currently support

HTTPS:

Table 5: HTTPS System Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape 6.2 or later Windows 98,Windows NT (with service pack 6a),

Mozilla Firefox 2.0.0.0 or later Windows 2000, Windows XP, Windows Vista, Linux

Windows 2000, Windows XP, Windows Vista, Windows 7

Windows 2000, Windows XP, Windows Vista, Solaris 2.6

PARAMETERS

These parameters are displayed:

• Mode - Enables HTTPS service on the switch. (Default: Enabled)

• Automatic Redirect - Sets the HTTPS redirect mode operation. When

enabled, management access to the HTTP web interface for the switch are automatically redirected to HTTPS. (Default: Disabled)

– 60 –

Page 61

HAPTER

| Configuring the Switch

Configuring Security

WEB INTERFACE

To c o n f ig ur e H TT PS :

1. Click Advanced Configuration, HTTPS.

2. Enable HTTPS if required and set the Automatic Redirect mode.

3. Click Save.

Figure 17: HTTPS Configuration

FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS

Use the Access Management Configuration page to create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, or SNMP, or Telnet.

The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection.

PATH

Advanced Configuration, Security, Switch, Access Management

PARAMETERS

These parameters are displayed:

• Mode – Enables or disables filtering of management access based on

configured IP addresses. (Default: Disabled)

• Start IP Address – The starting address of a range.

• End IP Address – The ending address of a range.

• HTTP/HTTPS – Filters IP addresses for access to the web interface

over standard HTTP, or over HTTPS which uses the Secure Socket Layer (SSL) protocol to provide an encrypted connection.

• SNMP – Filters IP addresses for access through SNMP.

• TELNET/SSH – Filters IP addresses for access through Telnet, or

through Secure Shell which provides authentication and encryption.

WEB INTERFACE

To configure addresses allowed access to management interfaces on the switch:

– 61 –

Page 62

HAPTER

Configuring Security

| Configuring the Switch

1. Click Advanced Configuration, Security, Switch, Access Management.

2. Set the Mode to Enabled.

3. Click “Add new entry.”

4. Enter the start and end of an address range.

5. Mark the protocols to restrict based on the specified address range. The

following example shows how to restrict management access for all protocols to a specific address range.

6. Click Save.

Figure 18: Access Management Configuration

USING SIMPLE NETWORK MANAGEMENT

PROTOCOL

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.

– 62 –

Page 63

HAPTER

| Configuring the Switch

Access to the switch using from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.

The SNMPv3 security structure consists of security models, with each model having it's own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.

Table 6: SNMP Security Models and Levels

Model Level Community String Group Read View Write View Security

v1 noAuth

NoPriv

public default_ro_group default_view none Community string only

private default_rw_group default_view default_view Community string only

user defined user defined user defined user defined Community string only

Configuring Security

v2c noAuth

v3 noAuth

v3 Auth

v3 Auth Priv user defined user defined user defined user defined Provides user authentication

NoPriv

public default_ro_group default_view none Community string only

private default_rw_group default_view default_view Community string only

user defined user defined user defined user defined Community string only

user defined default_rw_group default_view default_view A user name match only

user defined user defined user defined user defined Provides user authentication

OTE

The predefined default groups and view can be deleted from the

via MD5 or SHA algorithms

via MD5 or SHA algorithms and data privacy using DES 56-bit encryption

system. You can then define customized groups and views for the SNMP clients that require access.

CONFIGURING SNMP SYSTEM AND TRAP SETTINGS

Use the SNMP System Configuration page to configure basic settings and traps for SNMP. To manage the switch through SNMP, you must first enable the protocol and configure the basic access parameters. To issue trap messages, the trap function must also be enabled and the destination host specified.

– 63 –

Page 64

HAPTER

Configuring Security

| Configuring the Switch

PATH

Advanced Configuration, Security, Switch, SNMP, System

PARAMETERS

These parameters are displayed:

SNMP System Configuration

• Mode - Enables or disables SNMP service. (Default: Disabled)

• Version - Specifies the SNMP version to use. (Options: SNMP v1,

SNMP v2c, SNMP v3; Default: SNMP v2c)

• Read Community - The community used for read-only access to the

SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public)

This parameter only applies to SNMPv1 and SNMPv2c. SNMPv3 uses the User-based Security Model (USM) for authentication and privacy. This community string is associated with SNMPv1 or SNMPv2 clients in the SNMPv3 Communities table (page 67).

• Write Community - The community used for read/write access to the

SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: private)

• Engine ID - The SNMPv3 engine ID. (Range: 10-64 hex digits,

excluding a string of all 0’s or all F’s; Default: 800007e5017f000001)

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.

A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all local SNMP users will be cleared. You will need to reconfigure all existing users.

SNMP Trap Configuration

• Trap Mode - Enables or disables SNMP traps. (Default: Disabled)

You should enable SNMP traps so that key events are reported by this switch to your management station. Traps indicating status changes can be issued by the switch to the specified trap manager by sending authentication failure messages and other trap messages.

– 64 –

Page 65

HAPTER

| Configuring the Switch

Configuring Security

• Trap Version - Indicates if the target user is running SNMP v1, v2c, or

v3. (Default: SNMP v1)

• Trap Community - Specifies the community access string to use when

sending SNMP trap packets. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public)

• Trap Destination Address - IPv4 address of the management station

to receive notification messages.

• Trap Destination IPv6 Address - IPv6 address of the management

station to receive notification messages. An IPv6 address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.

• Trap Authentication Failure - Issues a notification message to

specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)

• Trap Link-up and Link-down - Issues a notification message

whenever a port link is established or broken. (Default: Enabled)

• Trap Inform Mode - Enables or disables sending notifications as

inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)

The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgment of receipt. Informs can be used to ensure that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.

• Trap Inform Timeout - The number of seconds to wait for an

acknowledgment before resending an inform message. (Range: 0-2147 seconds; Default: 1 second)

• Trap Inform Retry Times - The maximum number of times to resend

an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 5)

• Trap Probe Security Engine ID (SNMPv3) - Specifies whether or not

to use the engine ID of the SNMP trap probe in trap and inform messages. (Default: Enabled)

• Trap Security Engine ID (SNMPv3) - Indicates the SNMP trap security

engine ID. SNMPv3 sends traps and informs using USM for authentication and privacy. A unique engine ID for these traps and informs is needed. When “Trap Probe Security Engine ID” is enabled, the ID will be probed automatically. Otherwise, the ID specified in this

– 65 –

Page 66

HAPTER

Configuring Security

| Configuring the Switch

field is used. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s)

OTE

The Trap Probe Security Engine ID must be disabled before an engine ID can be manually entered in this field.

• Trap Security Name (SNMPv3) - Indicates the SNMP trap security

name. SNMPv3 traps and informs use USM for authentication and privacy. A unique security name is needed when SNMPv3 traps or informs are enabled.

OTE

To select a name from this field, first enter an SNMPv3 user with the same Trap Security Engine ID in the SNMPv3 Users Configuration menu (see "Configuring SNMPv3 Users" on page 68).

WEB INTERFACE

To configure SNMP system and trap settings:

1. Click Advanced Configuration, Security, Switch, SNMP, System.

2. In the SNMP System Configuration table, set the Mode to Enabled to

enable SNMP service on the switch, specify the SNMP version to use, change the community access strings if required, and set the engine ID if SNMP version 3 is used.

3. In the SNMP Trap Configuration table, enable the Trap Mode to allow

the switch to send SNMP traps. Specify the trap version, trap community, and IP address of the management station that will receive trap messages either as an IPv4 or IPv6 address. Select the trap types to issue, and set the trap inform settings for SNMP v2c or v3 clients. For SNMP v3 clients, configure the security engine ID and security name used in v3 trap and inform messages.

4. Click Save.

– 66 –

Page 67

Figure 19: SNMP System Configuration

HAPTER

| Configuring the Switch

Configuring Security

SETTING SNMPV3 COMMUNITY ACCESS STRINGS

Use the SNMPv3 Community Configuration page to set community access strings. All community strings used to authorize access by SNMP v1 and v2c clients should be listed in the SNMPv3 Communities Configuration table. For security reasons, you should consider removing the default strings.

PATH

Advanced Configuration, Security, Switch, SNMP, Communities

PARAMETERS

These parameters are displayed:

• Community - Specifies the community strings which allow access to

the SNMP agent. (Range: 1-32 characters, ASCII characters 33-126 only; Default: public, private)

– 67 –

Page 68

HAPTER

Configuring Security

| Configuring the Switch

For SNMPv3, these strings are treated as a Security Name, and are mapped as an SNMPv1 or SNMPv2 community string in the SNMPv3 Groups Configuration table (see "Configuring SNMPv3 Groups" on

page 70).

• Source IP - Specifies the source address of an SNMP client.

• Source Mask - Specifies the address mask for the SNMP client.

WEB INTERFACE

To configure SNMP community access strings:

1. Click Advanced Configuration, Security, Switch, SNMP, Communities.

2. Set the IP address and mask for the default community strings.

Otherwise, you should consider deleting these strings for security reasons.

3. Add any new community strings required for SNMPv1 or v2 clients that

need to access the switch, along with the source address and address mask for each client.

4. Click Save.

Figure 20: SNMPv3 Community Configuration

CONFIGURING SNMPV3 USERS

Use the SNMPv3 User Configuration page to define a unique name and remote engine ID for each SNMPv3 user. Users must be configured with a specific security level, and the types of authentication and privacy protocols to use.

OTE

Any user assigned through this page is associated with the group assigned to the USM Security Model on the SNMPv3 Groups Configuration page (page 70), and the views assigned to that group in the SNMPv3 Access Configuration page (page 72).

PATH

Advanced Configuration, Security, Switch, SNMP, Users

– 68 –

Page 69

HAPTER

| Configuring the Switch

Configuring Security

PARAMETERS

These parameters are displayed:

• Engine ID - The engine identifier for the SNMP agent on the remote

device where the user resides. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s)

To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.

SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it. (See "Configuring

SNMP System and Trap Settings" on page 63.)

• User Name - The name of user connecting to the SNMP agent.

(Range: 1-32 characters, ASCII characters 33-126 only)

• Security Level - The security level assigned to the user:

•

NoAuth, NoPriv - There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)

•

Auth, NoPriv - SNMP communications use authentication, but the data is not encrypted.

•

Auth, Priv - SNMP communications use both authentication and encryption.

• Authentication Protocol - The method used for user authentication.

(Options: None, MD5, SHA; Default: MD5)

• Authentication Password - A plain text string identifying the

authentication pass phrase. (Range: 1-32 characters for MD5, 8-40 characters for SHA)

• Privacy Protocol - The encryption algorithm use for data privacy; only

56-bit DES is currently available. (Options: None, DES; Default: DES)

• Privacy Password - A string identifying the privacy pass phrase.

(Range: 8-40 characters, ASCII characters 33-126 only)

WEB INTERFACE

To configure SNMPv3 users:

1. Click Advanced Configuration, Security, Switch, SNMP, Users.

2. Click “Add new user” to configure a user name.

3. Enter a remote Engine ID of up to 64 hexadecimal characters

– 69 –

Page 70

HAPTER

Configuring Security

| Configuring the Switch

4. Define the user name, security level, authentication and privacy

settings.

5. Click Save.

Figure 21: SNMPv3 User Configuration

CONFIGURING SNMPV3 GROUPS

Use the SNMPv3 Group Configuration page to configure SNMPv3 groups. An SNMPv3 group defines the access policy for assigned users, restricting them to specific read and write views as defined on the SNMPv3 Access Configuration page (page 72). You can use the pre-defined default groups, or create a new group and the views authorized for that group.

PATH

Advanced Configuration, Security, Switch, SNMP, Groups

PARAMETERS

These parameters are displayed:

• Security Model - The user security model. (Options: SNMP v1, v2c, or

the User-based Security Model – usm).

• Security Name - The name of a user connecting to the SNMP agent.

(Range: 1-32 characters, ASCII characters 33-126 only)

The options displayed for this parameter depend on the selected Security Model. For SNMP v1 and v2c, the switch displays the names configured on the SNMPv3 Communities Configuration menu (see

page 67). For USM (or SNMPv3), the switch displays the names

configured with the local engine ID in the SNMPv3 Users Configuration menu (see page 68). To modify an entry for USM, the current entry must first be deleted.

• Group Name - The name of the SNMP group. (Range: 1-32 characters,

ASCII characters 33-126 only)

WEB INTERFACE

To configure SNMPv3 groups:

1. Click Advanced Configuration, Security, Switch, SNMP, Groups.

2. Click “Add new group” to set up a new group.

3. Select a security model.

– 70 –

Page 71

HAPTER

| Configuring the Switch

Configuring Security

4. Select the security name. For SNMP v1 and v2c, the security names

displayed are based on the those configured in the SNMPv3 Communities menu. For USM, the security names displayed are based on the those configured in the SNMPv3 Users Configuration menu.

5. Enter a group name. Note that the views assigned to a group must be

specified on the SNMP Accesses Configuration menu (see page 72).

6. Click Save.

Figure 22: SNMPv3 Group Configuration

CONFIGURING SNMPV3 VIEWS

Use the SNMPv3 View Configuration page to define views which restrict user access to specified portions of the MIB tree. The predefined view “default_view” includes access to the entire MIB tree.

PARAMETERS

These parameters are displayed:

• View Name - The name of the SNMP view. (Range: 1-32 characters,

ASCII characters 33-126 only)

• View Type - Indicates if the object identifier of a branch within the MIB

tree is included or excluded from the SNMP view. Generally, if the view type of an entry is “excluded,” another entry of view type “included” should exist and its OID subtree should overlap the “excluded” view entry.

• OID Subtree - Object identifiers of branches within the MIB tree. Note

that the first character must be a period (.). Wild cards can be used to mask a specific portion of the OID string using an asterisk. (Length: 1-128)

WEB INTERFACE

To configure SNMPv3 views:

1. Click Advanced Configuration, Security, Switch, SNMP, Views.

2. Click “Add new view” to set up a new view.

– 71 –

Page 72

HAPTER

Configuring Security

| Configuring the Switch

3. Enter the view name, view type, and OID subtree.

4. Click Save.

Figure 23: SNMPv3 View Configuration

CONFIGURING SNMPV3 GROUP ACCESS RIGHTS

Use the SNMPv3 Access Configuration page to assign portions of the MIB tree to which each SNMPv3 group is granted access. You can assign more than one view to a group to specify access to different portions of the MIB tree.

PATH

Advanced Configuration, Security, Switch, SNMP, Access

PARAMETERS

These parameters are displayed:

• Group Name - The name of the SNMP group. (Range: 1-32 characters,

ASCII characters 33-126 only)

• Security Model - The user security model. (Options: any, v1, v2c, or

the User-based Security Model – usm; Default: any)

• Security Level - The security level assigned to the group:

•

NoAuth, NoPriv - There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)

•

Auth, NoPriv - SNMP communications use authentication, but the data is not encrypted.

•

Auth, Priv - SNMP communications use both authentication and encryption.

• Read View Name - The configured view for read access. (Range: 1-32

characters, ASCII characters 33-126 only)

• Write View Name - The configured view for write access.

(Range: 1-32 characters, ASCII characters 33-126 only)

WEB INTERFACE

To configure SNMPv3 group access rights:

1. Click Advanced Configuration, Security, Switch, SNMP, Access.

– 72 –

Page 73

HAPTER

| Configuring the Switch

Configuring Security

2. Click Add New Access to create a new entry.

3. Specify the group name, security settings, read view, and write view.

4. Click Save.

Figure 24: SNMPv3 Access Configuration

REMOTE MONITORING Remote Monitoring allows a remote device to collect information or

respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance. If an event is triggered, it can automatically notify the network administrator of a failure and provide historical information about the event. If it cannot connect to the management agent, it will continue to perform any specified tasks and pass data back to the management station the next time it is contacted.

The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol. However, if the switch encounters a critical event, it can automatically send a trap message to the management agent which can then respond to the event if so configured.

CONFIGURING RMON STATISTICAL SAMPLES

Use the RMON Statistics Configuration page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

PATH

Advanced Configuration, Security, RMON, Statistics

COMMAND USAGE

• If statistics collection is already enabled on an interface, the entry must

be deleted before any changes can be made.

• The information collected for each entry includes: drop events, input

octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and frames of various sizes.

– 73 –

Page 74

HAPTER

Configuring Security

| Configuring the Switch

PARAMETERS

The following parameters are displayed:

• ID - Index to this entry. (Range: 1-65535)

• Data Source – Port identifier.

WEB INTERFACE

To enable regular sampling of statistics on a port:

1. Click Advanced Configuration, Security, Switch, RMON, Statistics.

2. Click Add New Entry.

3. Enter the index identifier and port number.

4. Click Save.

Figure 25: RMON Statistics Configuration

CONFIGURING RMON HISTORY SAMPLES

Use the RMON History Configuration page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems. The record can be used to establish normal baseline activity, which may reveal problems associated with high traffic levels, broadcast storms, or other unusual events. It can also be used to predict network growth and plan for expansion before your network becomes too overloaded.

PATH

Advanced Configuration, Security, RMON, History

COMMAND USAGE

The information collected for each sample includes: drop events, input octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and network utilization.

PARAMETERS

The following parameters are displayed:

• ID - Index to this entry. (Range: 1-65535)

– 74 –

Page 75

HAPTER

• Data Source – Port identifier.

• Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800

seconds)

• Buckets - The number of buckets requested for this entry.

(Range: 1-3600; Default: 50)

• Buckets Granted - The number of buckets granted.

| Configuring the Switch

Configuring Security

WEB INTERFACE

To periodically sample statistics on a port:

1. Click Advanced Configuration, Security, Switch, RMON, History.

2. Click Add New Entry.

3. Enter the index identifier, port number, sampling interval, and

maximum number of buckets requested.

4. Click Save.

Figure 26: RMON History Configuration

CONFIGURING RMON ALARMS

Use the RMON Alarm Configuration page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval). Alarms can be set to respond to rising or falling thresholds. However, note that after an alarm is triggered it will not be triggered again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold.

PATH

Advanced Configuration, Security, RMON, Alarm

PARAMETERS

The following parameters are displayed:

• ID – Index to this entry. (Range: 1-65535)

• Interval – The polling interval. (Range: 1-2^31 seconds)

– 75 –

Page 76

HAPTER

Configuring Security

| Configuring the Switch

• Variable – The object identifier of the MIB variable to be sampled.

Only variables of the type ifEntry.n.n may be sampled.

Note that ifEntry.n uniquely defines the MIB variable, and ifEntry.n.n defines the MIB variable, plus the ifIndex. For example,

1.3.6.1.2.1.2.2.1.1.10.1 denotes ifInOctets, plus the ifIndex of 1.

Possible variables (ifEntry.n, where n = 10-21) include: InOctets, InUcastPkts, InNUcastPkts, InDiscards, InErrors, InUnknownProtos, OutOctets, OutUcastPkts, OutNUcastPkts, OutDiscards, OutErrors, and OutQLen.

• Sample Type – Tests for absolute or relative changes in the specified

variable.

•

Absolute – The variable is compared directly to the thresholds at the end of the sampling period.

•

Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.

• Value – The value of the statistic during the last sampling period.

• Startup Alarm – The method of sampling the selected variable and

calculating the value to be compared against the thresholds. Possible sample types include:

•

Rising – Trigger alarm when the first value is larger than the rising threshold.

•

Falling – Trigger alarm when the first value is less than the falling threshold.

•

Rising or Falling – Trigger alarm when the first value is larger than the rising threshold or less than the falling threshold (default).

• Rising Threshold – If the current value is greater than the rising

threshold, and the last sample value was less than this threshold, then an alarm will be generated. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. (Range: -2147483647 to

2147483647)

• Rising Index – The index of the event to use if an alarm is triggered

by monitored variables crossing above the rising threshold. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 1-65535)

• Falling Threshold – If the current value is less than the falling

threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising

– 76 –

Page 77

HAPTER

| Configuring the Switch

Configuring Security

threshold, and again moves back down to the failing threshold. (Range: -2147483647 to 2147483647)

• Falling Index – The index of the event to use if an alarm is triggered

by monitored variables crossing below the falling threshold. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 1-65535)

WEB INTERFACE

To configure an RMON alarm:

1. Click Advanced Configuration, Security, Switch, RMON, Alarm.

2. Click Add New Entry.

3. Enter an index number, the polling interval, the MIB object to be polled

(etherStatsEntry.n.n), the sample type, the alarm startup type, the thresholds, and the event to trigger.

4. Click Save.

Figure 27: RMON Alarm Configuration

CONFIGURING RMON EVENTS

Use the RMON Event Configuration page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.

PATH

Advanced Configuration, Security, RMON, Event

PARAMETERS

The following parameters are displayed:

• ID – Index to this entry. (Range: 1-65535)

• Desc – A comment that describes this event. (Range: 0-127

characters)

• Type – Specifies the type of event to initiate:

•

none – No event is generated.

•

log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration

– 77 –

Page 78

HAPTER

Configuring Security

| Configuring the Switch

settings for event logging (see "Configuring Remote Log Messages"

on page 47).

•

snmptrap – Sends a trap message to all configured trap managers (see "Configuring SNMP System and Trap Settings" on page 63).

•

logandtrap – Logs the event and sends a trap message.

• Community – A password-like community string sent with the trap

operation to SNMP v1 and v2c hosts.

Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see "Setting SNMPv3 Community Access Strings" on page 67) prior to configuring it here. (Range: 0-127 characters)

• Last Event Time – The value of sysUpTime when an event was last

generated for this entry.

WEB INTERFACE

To configure an RMON event:

CONFIGURING PORT LIMIT CONTROLS

1. Click Advanced Configuration, Security, Switch, RMON, Event.

2. Click Add New Entry.

3. Enter an index number, a brief description of the event, the type of

event to initiate, and the community string to send with trap messages.

4. Click Save.

Figure 28: RMON Event Configuration

Use the Port Security Limit Control Configuration page to limit the number of users accessing a given port. A user is identified by a MAC address and VLAN ID. If Limit Control is enabled on a port, the maximum number of users on the port is restricted to the specified limit. If this number is exceeded, the switch makes the specified response.

PATH

Advanced Configuration, Security, Network, Limit Control

PARAMETERS

The following parameters are displayed:

– 78 –

Page 79

HAPTER

| Configuring the Switch

Configuring Security

System Configuration

• Mode – Enables or disables Limit Control is globally on the switch. If

globally disabled, other modules may still use the underlying functionality, but limit checks and corresponding actions are disabled.

• Aging Enabled – If enabled, secured MAC addresses are subject to

aging as discussed under Aging Period.

With aging enabled, a timer is started once the end-host gets secured. When the timer expires, the switch starts looking for frames from the end-host, and if such frames are not seen within the next Aging Period, the end-host is assumed to be disconnected, and the corresponding resources are freed on the switch.

• Aging Period – If Aging Enabled is checked, then the aging period is

controlled with this parameter. If other modules are using the underlying port security for securing MAC addresses, they may have other requirements for the aging period. The underlying port security will use the shortest requested aging period of all modules that use this functionality. (Range: 10-10,000,000 seconds; Default: 3600 seconds)

Port Configuration

• Port – Port identifier.

• Mode – Controls whether Limit Control is enabled on this port. Both

this and the global Mode must be set to Enabled for Limit Control to be in effect. Notice that other modules may still use the underlying port security features without enabling Limit Control on a given port.

• Limit – The maximum number of MAC addresses that can be secured

on this port. This number cannot exceed 1024. If the limit is exceeded, the corresponding action is taken.

The switch is “initialized” with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted if the remaining ports have already used all available MAC addresses.

• Action – If Limit is reached, the switch can take one of the following

actions:

•

None: Do not allow more than the specified Limit of MAC addresses on the port, but take no further action.

•

Trap: If Limit + 1 MAC addresses is seen on the port, send an SNMP trap. If Aging is disabled, only one SNMP trap will be sent, but with Aging enabled, new SNMP traps will be sent every time the limit is exceeded.

•

Shutdown: If Limit + 1 MAC addresses is seen on the port, shut down the port. This implies that all secured MAC addresses will be

– 79 –

Page 80

HAPTER

Configuring Security

| Configuring the Switch

removed from the port, and no new addresses will be learned. Even if the link is physically disconnected and reconnected on the port (by disconnecting the cable), the port will remain shut down. There are three ways to re-open the port:

•

Boot the switch,

•

Disable and re-enable Limit Control on the port or the switch,

•

Click the Reopen button.

•

Trap & Shutdown: If Limit + 1 MAC addresses is seen on the port, both the “Trap” and the “Shutdown” actions described above will be taken.

• State – This column shows the current state of the port as seen from

the Limit Control's point of view. The state takes one of four values:

•

Disabled: Limit Control is either globally disabled or disabled on the port.

•

Ready: The limit is not yet reached. This can be shown for all Actions.

•

Limit Reached: Indicates that the limit is reached on this port. This state can only be shown if Action is set to None or Trap.

•

Shutdown: Indicates that the port is shut down by the Limit Control module. This state can only be shown if Action is set to Shutdown or Trap & Shutdown.

• Re-open – If a port is shut down by this module, you may reopen it by

clicking this button, which will only be enabled if this is the case. For other methods, refer to Shutdown in the Action section.

Note, that clicking the Reopen button causes the page to be refreshed, so non-committed changes will be lost.

WEB INTERFACE

To configure port limit controls:

1. Click Advanced Configuration, Security, Network, Limit Control.

2. Set the system configuration parameters to globally enable or disable

limit controls, and configure address aging as required.

3. Set limit controls for any port, including status, maximum number of

addresses allowed, and the response to a violation.

4. Click Save.

– 80 –

Page 81

802.1x client

RADIUS server

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

HAPTER

Figure 29: Port Limit Control Configuration

| Configuring the Switch

Configuring Security

CONFIGURING AUTHENTICATION THROUGH NETWORK ACCESS SERVERS

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.

Use the Network Access Server Configuration page to configure IEEE

802.1X port-based and MAC-based authentication settings. The 802.1X standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.

Figure 30: Using Port Security

– 81 –

Page 82

HAPTER

Configuring Security

| Configuring the Switch

This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. These backend servers are configured on the AAA menu (see

page 114).

When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The encryption method used by IEEE 802.1X to pass authentication messages can be MD5 (Message-Digest 5), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). However, note that the only encryption method supported by MAC-Based authentication is MD5. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

The operation of 802.1X on the switch requires the following:

• The switch must have an IP address assigned (see page 40).

• RADIUS authentication must be enabled on the switch and the IP

address of the RADIUS server specified. Backend RADIUS servers are configured on the Authentication Configuration page (see page 114).

• 802.1X / MAC-based authentication must be enabled globally for the

switch.

• The Admin State for each switch port that requires client authentication

must be set to 802.1X or MAC-based.

• When using 802.1X authentication:

•

Each client that needs to be authenticated must have dot1x client software installed and properly configured.

•

When using 802.1X authentication, the RADIUS server and 802.1X client must support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)

•

The RADIUS server and client also have to support the same EAP authentication type - MD5, PEAP, TLS, or TTLS. (Native support for these encryption methods is provided in Windows 7, Windows Vista, Windows XP, and in Windows 2000 with Service Pack 4. To support

– 82 –

Page 83

HAPTER

| Configuring the Switch

Configuring Security

these encryption methods in Windows 95 and 98, you can use the AEGIS dot1x client or other comparable client software.)

MAC-based authentication allows for authentication of more than one user on the same port, and does not require the user to have special 802.1X software installed on his system. The switch uses the client's MAC address to authenticate against the backend server. However, note that intruders can create counterfeit MAC addresses, which makes MAC-based authentication less secure than 802.1X authentication.

PATH

Advanced Configuration, Security, Network, NAS

USAGE GUIDELINES

When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.

PARAMETERS

These parameters are displayed:

System Configuration

• Mode - Indicates if 802.1X and MAC-based authentication are globally

enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames.

• Reauthentication Enabled - Sets clients to be re-authenticated after

an interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)

For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore does not imply that a client is still present on a port (see Age Period below).

• Reauthentication Period - Sets the time period after which a

connected client must be re-authenticated. (Range: 1-3600 seconds; Default: 3600 seconds)

• EAPOL Timeout - Sets the time the switch waits for a supplicant

response during an authentication session before retransmitting a Request Identify EAPOL packet. (Range: 1-255 seconds; Default: 30 seconds)

• Aging Period - The period used to calculate when to age out a client

allowed access to the switch through Single 802.1X, Multi 802.1X, and MAC-based authentication as described below. (Range: 10-1000000 seconds; Default: 300 seconds)

– 83 –

Page 84

HAPTER

Configuring Security

| Configuring the Switch

When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within the given age period.

If reauthentication is enabled and the port is in a 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will get removed upon the next reauthentication, which will fail. But if reauthentication is not enabled, the only way to free resources is by aging the entries.

For ports in MAC-based Auth. mode, reauthentication does not cause direct communication between the switch and the client, so this will not detect whether the client is still attached or not, and the only way to free any resources is to age the entry.

• Hold Time - The time after an EAP Failure indication or RADIUS

timeout that a client is not allowed access. This setting applies to ports running Single 802.1X, Multi 802.1X, or MAC-based authentication. (Range: 10-1000000 seconds; Default: 10 seconds)

If the RADIUS server denies a client access, or a RADIUS server request times out (according to the timeout specified on the AAA menu on page 114), the client is put on hold in the Unauthorized state. In this state, the hold timer does not count down during an on-going authentication.

In MAC-based Authentication mode, the switch will ignore new frames coming from the client during the hold time.

• RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a

means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.

The RADIUS-Assigned QoS Enabled checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, the individual port settings determine whether RADIUS-assigned QoS Class is enabled for that port. When unchecked, RADIUS-server assigned QoS Class is disabled for all ports.

When RADIUS-Assigned QoS is both globally enabled and enabled for a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant’s port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUSassigned setting).

This option is only available for single-client modes, i.e. port-based

802.1X and Single 802.1X.

– 84 –

Page 85

HAPTER

| Configuring the Switch

Configuring Security

RADIUS Attributes Used in Identifying a QoS Class

The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.

Only the first occurrence of the attribute in the packet will be considered. To be valid, all 8 octets in the attribute's value must be identical and consist of ASCII characters in the range '0' - '3', which translates into the desired QoS Class in the range 0-3.

QoS assignments to be applied to a switch port for an authenticated user may be configured on the RADIUS server as described below:

•

The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:

Table 7: Dynamic QoS Profiles

Profile Attribute Syntax Example

DiffServ service-policy-in=policy-map-name service-policy-in=p1

Rate Limit rate-limit-input=rate rate-limit-input=100

802.1p switchport-priority-default=value switchport-priority-default=2

•

Multiple profiles can be specified in the Filter-ID attribute by using a

(in units of Kbps)

semicolon to separate each profile.

For example, the attribute “service-policy-in=pp1;rate-limitinput=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps.

•

If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used.

For example, if the attribute is “service-policy-in=p1;service-policyin=p2”, then the switch applies only the DiffServ profile “p1.”

•

Any unsupported profiles in the Filter-ID attribute are ignored.

For example, if the attribute is “map-ip-dscp=2:3;service-policyin=p1,” then the switch ignores the “map-ip-dscp” profile.

•

When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged):

•

The Filter-ID attribute cannot be found to carry the user profile.

•

The Filter-ID attribute is empty.

•

The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (can not recognize the whole Filter-ID attribute).

•

Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur:

– 85 –

Page 86

HAPTER

Configuring Security

| Configuring the Switch

•

Illegal characters found in a profile value (for example, a nondigital character in an 802.1p profile value).

•

Failure to configure the received profiles on the authenticated port.

•

When the last user logs off on a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.

•

When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.

•

While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off the port.

• RADIUS-Assigned VLAN Enabled - RADIUS-assigned VLAN provides

a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.

The “RADIUS-Assigned VLAN Enabled” checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, the individual port settings determine whether RADIUSassigned VLAN is enabled for that port. When unchecked, RADIUSserver assigned VLAN is disabled for all ports.

When RADIUS-Assigned VLAN is both globally enabled and enabled for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLANunaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.

If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned setting).

This option is only available for single-client modes, i.e. port-based

802.1X and Single 802.1X.

OTE

For trouble-shooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.

– 86 –

Page 87

HAPTER

| Configuring the Switch

Configuring Security

RADIUS Attributes Used in Identifying a VLAN ID

RFC 2868 and RFC 3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:

•

Th e Tun n el- Med ium -Ty p e, Tu nn e l-Type, and Tunnel-Private-GroupID attributes must all be present at least once in the Access-Accept packet.

•

The switch looks for the first set of these attributes that have the same Tag value and fulfil the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):

•

Value of Tunnel-Medium-Type must be set to “IEEE-802” (ordinal

6).

•

Value of Tunnel-Type must be set to “VLAN” (ordinal 13).

•

Value of Tunnel-Private-Group-ID must be a string of ASCII characters in the range 0-9, which is interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded. The final value must be in the range 1-4095.

The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a tagged VLAN.

• Guest VLAN Enabled - A Guest VLAN is a special VLAN - typically with

limited network access - on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below.

The “Guest VLAN Enabled” checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the individual port settings determine whether the port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled for all ports.

When Guest VLAN is both globally enabled and enabled for a given port, the switch considers moving the port into the Guest VLAN according to the rules outlined below. This option is only available for EAPOL-based modes, i.e. Port-based 802.1X, Single 802.1X, and Multi

802.1X

OTE

For trouble-shooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.

Guest VLAN Operation

When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in the meanwhile, the switch considers entering the Guest VLAN. The interval between transmission

– 87 –

Page 88

HAPTER

Configuring Security

| Configuring the Switch

of EAPOL Request Identity frames is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the port link goes down or the port's Admin State is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout.

Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN. The switch will not transmit an EAPOL Success frame after entering the Guest VLAN.

While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. If an EAPOL frame is received, the port will never be able to go back into the Guest VLAN if the “Allow Guest VLAN if EAPOL Seen” is disabled.

• Guest VLAN ID - This is the value that a port's Port VLAN ID is set to if

a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled. (Range: 1-4095)

• Max. Reauth. Count - The number of times that the switch transmits

an EAPOL Request Identity frame without receiving a response before adding a port to the Guest VLAN. The value can only be changed if the Guest VLAN option is globally enabled. (Range: 1-255)

• Allow Guest VLAN if EAPOL Seen - The switch remembers if an

EAPOL frame has been received on the port for the lifetime of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (the default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of the port. If enabled, the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. The value can only be changed if the Guest VLAN option is globally enabled.

Port Configuration

• Port – Port identifier.

• Admin State - If NAS is globally enabled, this selection controls the

port's authentication mode. The following modes are available:

•

Force Authorized - The switch sends one EAPOL Success frame when the port link comes up. This forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.)

•

Force Unauthorized - The switch will send one EAPOL Failure frame when the port link comes up. This forces the port to deny access to all clients, either dot1x-aware or otherwise.

– 88 –

Page 89

HAPTER

•

Port-based 802.1X - Requires a dot1x-aware client to be

| Configuring the Switch

Configuring Security

authorized by the authentication server. Clients that are not dot1xaware will be denied access.

•

Single 802.1X - At most one supplicant can get authenticated on the port at a time. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated.

•

Multi 802.1X - One or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as the destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as the destination - to wake up any supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

•

MAC-based Auth. - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port, whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be dropped. Clients that are not (or not yet) successfully authenticated will not be allowed to transmit frames of any kind.

The switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both user name and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string on the following form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open

– 89 –

Page 90

HAPTER

Configuring Security

| Configuring the Switch

up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the

802.1X standard.

The advantage of MAC-based authentication over port-based

802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.

Further Guidelines for Port Admin State

•

Port Admin state can only be set to Force-Authorized for ports participating in the Spanning Tree algorithm (see page 132).

•

When 802.1X authentication is enabled on a port, the MAC address learning function for this interface is disabled, and the addresses dynamically learned on this port are removed from the common address table.

•

Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table. Configured static MAC addresses are added to the secure address table when seen on a switch port (see page 167). Static addresses are treated as authenticated without sending a request to a RADIUS server.

•

When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.

• RADIUS-Assigned QoS Enabled - Enables or disables this feature for

a given port. Refer to the description of this feature under the System Configuration section.

• RADIUS-Assigned VLAN Enabled - Enables or disables this feature

for a given port. Refer to the description of this feature under the System Configuration section.

• Guest VLAN Enabled - Enables or disables this feature for a given

port. Refer to the description of this feature under the System Configure section.

• Port State - The current state of the port:

– 90 –

Page 91

HAPTER

•

Globally Disabled - 802.1X and MAC-based authentication are

| Configuring the Switch

Configuring Security

globally disabled. (This is the default state.)

•

Link Down - 802.1X or MAC-based authentication is enabled, but there is no link on the port.

•

Authorized - The port is in Force Authorized mode, or a singlesupplicant mode and the supplicant is authorized.

•

Unauthorized - The port is in Force Unauthorized mode, or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server.

•

X Auth/Y Unauth - The port is in a multi-supplicant mode. X clients are currently authorized and Y are unauthorized.

• Restart - Restarts client authentication using one of the methods

described below. Note that the restart buttons are only enabled when the switch’s authentication mode is globally enabled (under System Configuration) and the port's Admin State is an EAPOL-based or MACBased mode. Clicking these buttons will not cause settings changed on the page to take effect.

•

Reauthenticate - Schedules reauthentication to whenever the quiet-period of the port runs out (EAPOL-based authentication). For MAC-based authentication, reauthentication will be attempted immediately. The button only has effect for successfully authenticated clients on the port and will not cause the clients to get temporarily unauthorized.

•

Reinitialize - Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The clients will transfer to the unauthorized state while the reauthentication is in progress.

WEB INTERFACE

To configure 802.1X Port Security:

1. Click Advanced Configuration, Security, Network, NAS.

2. Modify the required attributes.

3. Click Save.

– 91 –

Page 92

HAPTER

Configuring Security

| Configuring the Switch

Figure 31: Network Access Server Configuration

FILTERING TRAFFIC

WITH ACCESS

CONTROL LISTS

An Access Control List (ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match, the frame is accepted. Other actions can also be invoked when a matching packet is found, including rate limiting, copying matching packets to another port or to the system log, or shutting down a port.

ASSIGNING ACL POLICIES AND RESPONSES

Use the ACL Port Configuration page to define a port to which matching frames are copied, enable logging, or shut down a port when a matching frame is seen. Note that rate limiting (configured with the Rate Limiter menu, page 94) is implemented regardless of whether or not a matching packet is seen.

– 92 –

Page 93

HAPTER

| Configuring the Switch

Configuring Security

PATH

Advanced Configuration, Security, Network, ACL, Ports

PARAMETERS

These parameters are displayed:

• Port - Port Identifier.

• Policy ID - An ACL policy configured on the ACE Configuration page

(page 97). (Range: 1-8; Default: 1, which is undefined)

• Action - Permits or denies a frame based on whether it matches a rule

defined in the assigned policy. (Default: Permit)

• Rate Limiter ID - Specifies a rate limiter (page 94) to apply to the

port. (Range: 1-15; Default: Disabled)

• Port Redirect - Defines a port to which matching frames are re-

directed. (Range: 1-28; Default: Disabled)

To use this function, Action must be set to Deny for the local port.

• Mirror - Mirrors matching frames from this port. (Default: Disabled)

To use this function, the destination port to which traffic is mirrored must be configured on the Mirror Configuration page (see "Configuring

Local Port Mirroring" on page 205).

ACL-based port mirroring set by this parameter and port mirroring set on the general Mirror Configuration page are implemented independently. To use ACL-based mirroring, enable the Mirror parameter on the ACL Ports Configuration page. Then open the Mirror Configuration page, set the “Port to mirror on” field to the required destination port, and leave the “Mode” field Disabled.

• Logging - Enables logging of matching frames to the system log.

(Default: Disabled)

Open the System Log Information menu (page 218) to view any entries stored in the system log for this entry. Related entries will be displayed under the “Info” or “All” logging levels.

• Shutdown - Shuts down a port when a macthing frame is seen.

(Default: Disabled)

• State - Specify the port state:

•

Enabled - To reopen ports by changing the port configuration in the ACL configuration pages. (This is the default.)

•

Disabled - To close ports by changing the volatile port configuration of the ACL user module.

• Counter - The number of frames which have matched any of the rules

defined in the selected policy.

– 93 –

Page 94

HAPTER

Configuring Security

| Configuring the Switch

WEB INTERFACE

To configure ACL policies and responses for a port:

1. Click Advanced Configuration, Security, Network, ACL, Ports.

2. Assign an ACL policy configured on the ACE Configuration page, specify

the responses to invoke when a matching frame is seen, including the filter mode, copying matching frames to another port, logging matching frames, or shutting down the port. Note that the setting for rate limiting is implemented regardless of whether or not a matching packet is seen.

3. Repeat the preceding step for each port to which an ACL will be applied.

4. Click Save.

Figure 32: ACL Port Configuration

CONFIGURING RATE LIMITERS

Use the ACL Rate Limiter Configuration page to define the rate limits applied to a port (as configured either through the ACL Ports Configuration menu (page 93) or the Access Control List Configuration menu (page 95).

PATH

Advanced Configuration, Security, Network, ACL, Rate Limiters

PARAMETERS

These parameters are displayed:

• Rate Limiter ID - Rate limiter identifier. (Range: 0-14; Default: 1)

• Rate - The threshold above which packets are dropped.

(Options: 0-100 pps, or 0, 100, 2*100, 3*100,.. 1000000 kbps)

Due to an ASIC limitation, the enforced rate limits are slightly less than the listed options. For example: 1 Kpps translates into an enforced threshold of 1002.1 pps.

• Unit - Unit of measure. (Options: pps or kbps; Default: pps)

– 94 –

Page 95

HAPTER

| Configuring the Switch

Configuring Security

WEB INTERFACE

To configure rate limits which can be applied to a port:

1. Click Advanced Configuration, Security, Network, ACL, Rate Limiters.

2. For any of the rate limiters, select the maximum ingress rate that will

be supported on a port once a match has been found in an assigned ACL.

3. Click Save.

Figure 33: ACL Rate Limiter Configuration

CONFIGURING ACCESS CONTROL LISTS

Use the Access Control List Configuration page to define filtering rules for an ACL policy, for a specific port, or for all ports. Rules applied to a port take effect immediately, while those defined for a policy must be mapped to one or more ports using the ACL Ports Configuration menu (page 93).

PATH

Advanced Configuration, Security, Network, ACL, Access Control List

USAGE GUIDELINES

• Rules within an ACL are checked in the configured order, from top to

bottom. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match, the frame is accepted.

• The maximum number of ACL rules that can be configured on the

switch is 128.

• The maximum number of ACL rules that can be bound to a port is 10.

• ACLs provide frame filtering based on any of the following criteria:

– 95 –

Page 96

HAPTER

Configuring Security

| Configuring the Switch

•

Any frame type (based on MAC address, VLAN ID, VLAN priority)

•

Ethernet type (based on Ethernet type value, MAC address, VLAN ID, VLAN priority)

•

ARP (based on ARP/RARP type, request/reply, sender/target IP, hardware address matches ARP/RARP MAC address, ARP/RARP hardware address length matches protocol address length, matches this entry when ARP/RARP hardware address is equal to Ethernet, matches this entry when ARP/RARP protocol address space setting is equal to IP (0x800)

•

IPv4 frames (based on destination MAC address, protocol type, TTL, IP fragment, IP option flag, source/destination IP, VLAN ID, VLAN priority)

PARAMETERS

These parameters are displayed:

ACCESS CONTROL LIST CONFIGURATION

• Ingress Port - The ingress port of the ACE:

•

All - The ACE will match all ingress ports.

•

Port - The ACE will match a specific ingress port.

• Policy / Bitmask - The policy number and bitmask of the ACE.

• Frame Type - The type of frame to match.

• Action - Shows whether a frame is permitted or denied when it

matches an ACL rule.

• Rate Limiter - Shows if rate limiting will be enabled or disabled when

matching frames are found.

• Port Redirect - Port to which frames matching the ACE are redirected.

• Mirror - Mirrors matching frames from this port. (Default: Disabled)

See "Configuring Local Port Mirroring" on page 205.

• Counter - Shows he number of frames which have matched any of the

rules defined for this ACL.

– 96 –

Page 97

HAPTER

| Configuring the Switch

Configuring Security

The following buttons are used to edit or move the ACL entry (ACE):

Table 8: QCE Modification Buttons

Button Description

Inserts a new ACE before the current row.

Edits the ACE.

Moves the ACE up the list.

Moves the ACE down the list.

Deletes the ACE.

The lowest plus sign adds a new entry at the bottom of the list.

ACE CONFIGURATION

Ingress Port and Frame Type

• Ingress Port - Any port, port identifier, or policy. (Options: Any port,

Port 1-10, Policy 1-8; Default: Any)

• Policy Filter - The policy number filter for this ACE:

•

Any - No policy filter is specified (i.e., don’t care).

•

Specific - If you want to filter a specific policy with this ACE, choose this value. Two fields for entering an policy value and bitmask appears.

• Frame Type - The type of frame to match. (Options: Any, Ethernet,

ARP, IPv4; Default: Any)

Filter Criteria Based on Selected Frame Type

• Ethernet:

• MAC Parameters

•

SMAC Filter - The type of source MAC address. (Options: Any, Specific - user defined; Default: Any)

•

DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast, Specific - user defined; Default: Any)

• Ethernet Type Parameters

•

EtherType Filter - This option can only be used to filter Ethernet II formatted packets. (Options: Any, Specific (600-ffff hex); Default: Any)

– 97 –

Page 98

HAPTER

Configuring Security

| Configuring the Switch

•

A detailed listing of Ethernet protocol types can be found in RFC

1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).

• ARP:

• MAC Parameters

•

SMAC Filter - The type of source MAC address. (Options: Any, Specific - user defined; Default: Any)

•

DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast; Default: Any)

• ARP Parameters

•

ARP/RARP - Specifies the type of ARP packet. (Options: Any - no ARP/RARP opcode flag is specified, ARP - frame must have ARP/ RARP opcode set to ARP, RARP - frame must have ARP/RARP opcode set to RARP, Other - frame has unknown ARP/RARP opcode flag; Default: Any)

•

Request/Reply - Specifies whether the packet is an ARP request, reply, or either type. (Options: Any - no ARP/RARP opcode flag is specified, Request - frame must have ARP Request or RARP Request opcode flag set, Reply - frame must have ARP Reply or RARP Reply opcode flag; Default: Any)

•

Sender IP Filter - Specifies the sender’s IP address. (Options: Any - no sender IP filter is specified, Host - specifies the sender IP address in the SIP Address field, Network - specifies the sender IP address and sender IP mask in the SIP Address and SIP Mask fields; Default: Any)

•

Target IP Filter - Specifies the destination IP address. (Options: Any - no target IP filter is specified, Host - specifies the target IP address in the Target IP Address field, Network - specifies the target IP address and target IP mask in the Target IP Address and Target IP Mask fields; Default: Any)

•

ARP Sender MAC Match - Specifies whether frames can be matched according to their sender hardware address (SHA) field settings. (0ptions: Any - any value is allowed, 0 - ARP frames where SHA is not equal to the SMAC address, 1 - ARP frames where SHA is equal to the SMAC address; Default: Any)

•

RARP Target MAC Match - Specifies whether frames can be matched according to their target hardware address (THA) field settings. (Options: Any - any value is allowed, 0 - RARP frames where THA is not equal to the DMAC address, 1 - RARP frames where THA is equal to the DMAC address; Default: Any)

•

IP/Ethernet Length - Specifies whether frames can be matched according to their ARP/RARP hardware address length (HLN) and

– 98 –

Page 99

HAPTER

| Configuring the Switch

Configuring Security

protocol address length (PLN) settings. (Options: Any - any value is allowed, 0 - ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the (PLN) is equal to IPv4 (0x04) must not match this entry, 1 - ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the (PLN) is equal to IPv4 (0x04) must match this entry; Default: Any)

•

IP - Specifies whether frames can be matched according to their ARP/RARP hardware address space (HRD) settings. (Options: Any any value is allowed, 0 - ARP/RARP frames where the HRD is equal to Ethernet (1) must not match this entry, 1 - ARP/RARP frames where the HRD is equal to Ethernet (1) must match this entry; Default: Any)

•

Ethernet - Specifies whether frames can be matched according to their ARP/RARP protocol address space (PRO) settings. (Options: Any - any value is allowed, 0 - ARP/RARP frames where the PRO is equal to IP (0x800) must not match this entry, 1 - ARP/ RARP frames where the PRO is equal to IP (0x800) must match this entry; Default: Any)

• IPv4:

• MAC Parameters

•

DMAC Filter - The type of destination MAC address. (Options: Any, MC - multicast, BC - broadcast, UC - unicast; Default: Any)

• IP Parameters

•

IP Protocol Filter - Specifies the IP protocol to filter for this rule. (Options: Any, ICMP, UDP, TCP, Other; Default: Any)

The following additional fields are displayed when these protocol filters are selected.

ICMP Parameters

•

ICMP Type Filter - Specifies the type of ICMP packet to filter for this rule. (Options: Any, Specific: 0-255; Default: Any)

•

ICMP Code Filter - Specifies the ICMP code of an ICMP packet to filter for this rule. (Options: Any, Specific (0-255); Default: Any)

UDP Parameters

•

Source Port Filter - Specifies the UDP source filter for this rule. (Options: Any, Specific (0-65535), Range (0-65535); Default: Any)

•

Dest. Port Filter - Specifies the UDP destination filter for this rule. (Options: Any, Specific (0-65535), Range (0-65535); Default: Any)

– 99 –

Page 100

HAPTER

Configuring Security

| Configuring the Switch

TCP Parameters

•

Source Port Filter - Specifies the TCP source filter for this rule. (Options: Any, Specific (0-65535), Range (0-65535); Default: Any)

•

Dest. Port Filter - Specifies the TCP destination filter for this rule. (Options: Any, Specific (0-65535), Range (0-65535); Default: Any)

•

TCP FIN - Specifies the TCP “No more data from sender” (FIN) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the FIN field is set must not match this entry, 1 - TCP frames where the FIN field is set must match this entry; Default: Any)

•

TCP SYN - Specifies the TCP “Synchronize sequence numbers” (SYN) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the SYN field is set must not match this entry, 1 - TCP frames where the SYN field is set must match this entry; Default: Any)

•

TCP RST - Specifies the TCP “Reset the connection” (RST) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the RST field is set must not match this entry, 1 TCP frames where the RST field is set must match this entry; Default: Any)

•

TCP PSH - Specifies the TCP “Push Function” (PSH) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the PSH field is set must not match this entry, 1 - TCP frames where the PSH field is set must match this entry; Default: Any)

•

TCP ACK - Specifies the TCP “Acknowledgment field significant” (ACK) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the ACK field is set must not match this entry, 1 - TCP frames where the ACK field is set must match this entry; Default: Any)

•

TCP URG - Specifies the TCP “Urgent Pointer field significant” (URG) value for this rule. (Options: Any - any value is allowed, 0 - TCP frames where the URG field is set must not match this entry, 1 - TCP frames where the URG field is set must match this entry; Default: Any)

•

IP TTL - Specifies the time-to-Live settings for this rule. (Options: Any - any value is allowed, Non-zero - IPv4 frames with a TTL field greater than zero must match this entry, Zero - IPv4 frames with a TTL field greater than zero must not match this entry; Default: Any)

•

IP Fragment - Specifies the fragment offset settings for this rule. This involves the settings for the More Fragments (MF) bit and the Fragment Offset (FRAG OFFSET) field for an IPv4 frame. (Options:

– 100 –

Digisol DG-GS1500E series Management Manual

DG-GS1500E Series

Gigabit Ethernet Web Managed Switch

Management Guide

As our products undergo continuous development the specifications are subject to change without prior notice

ABOUT THIS GUIDE

CONTENTS

FIGURES

TABLES

GETTING STARTED

KEY FEATURES

Description of Software Features

System Defaults

WEB CONFIGURATION

NAVIGATING THE WEB BROWSER INTERFACE

CONFIGURING SYSTEM INFORMATION

Setting an IP Address

Configuring NTP Service

Configuring the Time Zone and Daylight Savings Time

Configuring Remote Log Messages

Configuring Power Reduction

REDUCING POWER TO IDLE QUEUE CIRCUITS

Configuring Port Connections

Configuring Security

CONFIGURING USER ACCOUNTS

CONFIGURING USER PRIVILEGE LEVELS

CONFIGURING THE AUTHENTICATION METHOD FOR MANAGEMENT ACCESS

FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS

CONFIGURING SNMP SYSTEM AND TRAP SETTINGS

SETTING SNMPV3 COMMUNITY ACCESS STRINGS

CONFIGURING SNMPV3 USERS

CONFIGURING SNMPV3 GROUPS

CONFIGURING SNMPV3 VIEWS

CONFIGURING SNMPV3 GROUP ACCESS RIGHTS

CONFIGURING RMON STATISTICAL SAMPLES

CONFIGURING RMON HISTORY SAMPLES

CONFIGURING RMON ALARMS

CONFIGURING RMON EVENTS

CONFIGURING PORT LIMIT CONTROLS

CONFIGURING AUTHENTICATION THROUGH NETWORK ACCESS SERVERS

ASSIGNING ACL POLICIES AND RESPONSES

CONFIGURING RATE LIMITERS

CONFIGURING ACCESS CONTROL LISTS