Edge-Core ES4528V-38 Management Manual

28-Port Gigabit Ethernet Switch
Management Guide
www.edge-core.com

ES4528V GIGABIT ETHERNET SWITCH
Layer 2 Switch with 24 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit Combination Ports (RJ-45/SFP)
E072009/ST-R01
ES4528V
149100000014A
ABOUT THIS GUIDE
PURPOSE
This guide gives specific information on how to operate and use the management functions of the switch.
AUDIENCE
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONVENTIONS
The following conventions are used throughout this guide to show information:
NOTE: Emphasizes important information or calls your attention to related features or instructions.
CAUTION: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
WARNING: Alerts you to a potential hazard that could cause personal injury.
RELATED PUBLICATIONS
The following publication details the hardware features of the switch, including the physical and performance-related characteristics, and how to install the switch:
The Installation Guide
Also, as part of the switch’s software, there is an online web-based help that describes all management related features.
REVISION HISTORY
This section summarizes the changes in each revision of this guide.
JULY 2009 REVISION
This is the first version of this guide. This guide is valid for software release v1.12.
CONTENTS
ABOUT THIS GUIDE 5
CONTENTS 7
FIGURES 19
TABLES 23
SECTION I GETTING STARTED 25
1 INTRODUCTION 27
Key Features 27
Description of Software Features 28
Configuration Backup and Restore 28
Authentication 28
Access Control Lists 29
Port Configuration 29
Rate Limiting 29
Port Mirroring 29
Port Trunking 29
Storm Control 29
Static Addresses 29
IEEE 802.1D Bridge 30
Store-and-Forward Switching 30
Spanning Tree Algorithm 30
Virtual LANs 31
Traffic Prioritization 31
Quality of Service 32
Multicast Filtering 32
System Defaults 33
2 INITIAL SWITCH CONFIGURATION 35
Connecting to the Switch 35
Configuration Options 35
Required Connections 36
Remote Connections 37
Basic Configuration 38
Setting Passwords 38
Setting an IP Address 38
Enabling SNMP Management Access 41
Managing System Files 45
Saving or Restoring Configuration Settings 45
SECTION II WEB CONFIGURATION 47
3 USING THE WEB INTERFACE 49
Connecting to the Web Interface 49
Navigating the Web Browser Interface 50
Home Page 50
Configuration Options 50
Panel Display 51
Main Menu 51
4 CONFIGURING THE SWITCH 55
Configuring System Information 55
Setting an IP Address 56
Setting an IPv4 Address 56
Setting an IPv6 Address 58
Setting the System Password 61
Filtering IP Addresses for Management Access 61
Configuring Port Connections 63
Configuring Authentication for Management Access and 802.1X 65
Creating Trunk Groups 69
Configuring Static Trunks 70
Configuring LACP 73
Configuring the Spanning Tree Algorithm 76
Configuring Global Settings for STA 77
Configuring Interface Settings for STA 78
Configuring 802.1X Port Authentication 82
Configuring HTTPS 88
Configuring SSH 89
IGMP Snooping 90
Configuring IGMP Snooping and Query 91
Configuring IGMP Filtering 95
Configuring Link Layer Discovery Protocol 96
Configuring the MAC Address Table 99
IEEE 802.1Q VLANs 101
Assigning Ports to VLANs 102
Configuring VLAN Attributes for Port Members 103
Configuring Private VLANs 105
Using Port Isolation 106
Quality of Service 107
Configuring Port-Level Queue Settings 108
Configuring DSCP Remarking 109
Configuring QoS Control Lists 111
Configuring Rate Limiting 114
Configuring Storm Control 116
Access Control Lists 118
Assigning ACL Policies and Responses 118
Configuring Rate Limiters 119
Configuring Access Control Lists 120
Configuring Port Mirroring 128
Simple Network Management Protocol 130
Configuring SNMP System and Trap Settings 131
Setting SNMPv3 Community Access Strings 136
Configuring SNMPv3 Users 137
Configuring SNMPv3 Groups 138
Configuring SNMPv3 Views 140
Configuring SNMPv3 Group Access Rights 141
Configuring UPnP 142
Configuring DHCP Relay and Option 82 Information 144
5 MONITORING THE SWITCH 147
Displaying Basic Information About the System 147
Displaying System Information 147
Displaying Log Messages 148
Displaying Log Details 150
Displaying Access Management Statistics 150
Displaying Information About Ports 151
Displaying Port Status On the Front Panel 151
Displaying an Overview of Port Statistics 152
Displaying QoS Statistics 153
Displaying Detailed Port Statistics 154
Displaying Information on Authentication Servers 157
Displaying a List of Authentication Servers 157
Displaying Statistics for Configured Authentication Servers 158
Displaying Information on LACP 163
Displaying an Overview of LACP Groups 163
Displaying LACP Port Status 163
Displaying LACP Port Statistics 165
Displaying Information on the Spanning Tree 166
Displaying Bridge Status for STA 166
Displaying Port Status for STA 168
Displaying Port Statistics for STA 169
Displaying Port Security Information 170
Displaying Port Security Status 170
Displaying Port Security Statistics 171
Showing IGMP Snooping Information 175
Displaying LLDP Information 176
Displaying LLDP Neighbor Information 176
Displaying LLDP Port Statistics 178
Displaying DHCP Relay Statistics 179
Displaying the MAC Address Table 181
6 PERFORMING BASIC DIAGNOSTICS 183
Pinging an IPv4 or IPv6 Address 183
Running Cable Diagnostics 184
7 PERFORMING SYSTEM MAINTENANCE 187
Resetting the Switch 187
Restoring Factory Defaults 188
Upgrading Firmware 188
Registering the Product 189
Managing Configuration Files 190
Saving Configuration Settings 190
Restoring Configuration Settings 190
SECTION III COMMAND LINE INTERFACE 193
8 USING THE COMMAND LINE INTERFACE 195
Accessing the CLI 195
Console Connection 195
Telnet Connection 196
Entering Commands 197
Keywords and Arguments 197
Minimum Abbreviation 198
Getting Help on Commands 198
Partial Keyword Lookup 199
Using Command History 200
Command Line Processing 200
CLI Command Groups 201
9SYSTEM COMMANDS 203
system configuration 204
system reboot 204
system restore default 205
system contact 205
system name 205
system location 206
system password 206
system timezone 207
system log 207
system access configuration 208
system access mode 208
system access add 209
system access ipv6 add 210
system access delete 211
system access lookup 211
system access clear 211
system access statistics 211
10 IP COMMANDS 213
ip configuration 213
ip dhcp 214
ip setup 215
ip ping 216
ip dns 217
ip dns_proxy 217
ip sntp 218
ip ipv6 autoconfig 218
ip ipv6 setup 219
ip ipv6 ping6 220
ip ipv6 sntp 221
11 AUTHENTICATION COMMANDS 223
auth configuration 223
auth timeout 224
auth deadtime 225
auth radius 225
auth acct_radius 226
auth tacacs+ 228
auth client 229
auth statistics 230
12 PORT COMMANDS 233
port configuration 233
port state 235
port mode 235
port flow control 236
port maxframe 237
port power 237
port excessive 238
port statistics 239
port veriphy 240
port numbers 241
13 LINK AGGREGATION COMMANDS 243
aggr configuration 244
aggr add 245
aggr delete 245
aggr lookup 246
aggr mode 246
14 LACP COMMANDS 249
lacp configuration 251
lacp mode 251
lacp key 252
lacp role 252
lacp status 253
lacp statistics 253
15 RSTP COMMANDS 255
rstp configuration 256
rstp sysprio 256
rstp age 257
rstp delay 257
rstp txhold 258
rstp version 258
rstp mode 259
rstp cost 259
rstp priority 261
rstp edge 261
rstp autoedge 262
rstp p2p 263
rstp status 263
rstp statistics 264
rstp mcheck 264
16 IEEE 802.1X COMMANDS 267
dot1x configuration 267
dot1x mode 269
dot1x state 269
dot1x authenticate 270
dot1x reauthentication 271
dot1x period 272
dot1x timeout 272
dot1x clients 272
dot1x agetime 273
dot1x holdtime 274
dot1x statistics 274
17 IGMP COMMANDS 277
igmp configuration 277
igmp mode 279
igmp state 279
igmp querier 280
igmp fastleave 281
igmp leave proxy 282
igmp throttling 282
igmp filtering 283
igmp router 284
igmp flooding 284
igmp groups 285
igmp status 285
18 LLDP COMMANDS 287
lldp configuration 287
lldp mode 288
lldp optional_tlv 288
lldp interval 289
lldp hold 290
lldp delay 290
lldp reinit 291
lldp info 291
lldp statistics 292
lldp cdp_aware 293
19 MAC COMMANDS 295
mac configuration 295
mac add 296
mac delete 296
mac lookup 297
mac agetime 297
mac learning 297
mac dump 298
mac statistics 299
mac flush 299
20 VLAN COMMANDS 301
vlan configuration 301
vlan aware 302
vlan pvid 303
vlan frametype 303
vlan ingressfilter 304
vlan qinq 304
vlan add 305
vlan delete 305
vlan lookup 306
21 PVLAN COMMANDS 307
pvlan configuration 307
pvlan add 308
pvlan delete 308
pvlan lookup 309
pvlan isolate 309
22 QOS COMMANDS 311
qos configuration 312
qos default 312
qos tagprio 313
qos qcl port 313
qos qcl add 314
qos qcl delete 315
qos qcl lookup 316
qos mode 316
qos weight 317
qos rate limiter 317
qos shaper 318
qos storm unicast 319
qos storm multicast 319
qos storm broadcast 320
qos dscp remarking 320
qos dscp queue mapping 321
23 ACL COMMANDS 323
acl configuration 323
acl action 324
acl policy 325
acl rate 325
acl add 326
acl delete 329
acl lookup 329
acl clear 330
24 MIRROR COMMANDS 331
mirror configuration 331
mirror port 331
mirror mode 332
25 CONFIG COMMANDS 333
config save 333
config load 334
26 SNMP COMMANDS 335
snmp configuration 336
snmp mode 337
snmp version 338
snmp read community 338
snmp write community 339
snmp trap mode 339
snmp trap version 340
snmp trap community 340
snmp trap destination 341
snmp trap ipv6 destination 341
snmp trap authentication failure 341
snmp trap link-up 342
snmp trap inform mode 342
snmp trap inform timeout 343
snmp trap inform retry times 343
snmp trap probe security engine id 344
snmp trap security engine id 344
snmp trap security name 345
snmp engine id 345
snmp community add 346
snmp community delete 346
snmp community lookup 347
snmp user add 347
snmp user delete 348
snmp user changekey 349
snmp user lookup 349
snmp group add 350
snmp group delete 351
snmp group lookup 351
snmp view add 352
snmp view delete 352
snmp view lookup 353
snmp access add 353
snmp access delete 354
snmp access lookup 354
27 HTTPS COMMANDS 357
https configuration 357
https mode 357
https redirect 358
28 SSH COMMANDS 361
ssh configuration 361
ssh mode 361
29 UPNP COMMANDS 363
upnp configuration 363
upnp mode 363
upnp ttl 364
upnp advertising duration 365
30 DHCP COMMANDS 367
dhcp relay configuration 367
dhcp relay mode 367
dhcp relay server 368
dhcp relay information mode 368
dhcp relay information policy 369
dhcp relay statistics 369
31 FIRMWARE COMMANDS 371
firmware load 371
firmware ipv6 load 373
SECTION IV APPENDICES 375
A SOFTWARE SPECIFICATIONS 377
Software Features 377
Management Features 378
Standards 379
Management Information Bases 379
B TROUBLESHOOTING 381
Problems Accessing the Management Interface 381
Using System Logs 382
GLOSSARY 383
INDEX 391
FIGURES
Figure 1: Home Page 50
Figure 2: Front Panel Indicators 51
Figure 3: System Information Configuration 56
Figure 4: IP & Time Configuration 58
Figure 5: IPv6 & Time Configuration 60
Figure 6: System Password 61
Figure 7: Access Management Configuration 62
Figure 8: Port Configuration 64
Figure 9: Authentication Configuration 68
Figure 10: Static Trunk Configuration 72
Figure 11: LACP Port Configuration 75
Figure 12: RSTP System Configuration 78
Figure 13: RSTP Port Configuration 81
Figure 14: Port Security Configuration 87
Figure 15: HTTPS Configuration 89
Figure 16: SSH Configuration 90
Figure 17: IGMP Snooping Configuration 94
Figure 18: IGMP Snooping Port Group Filtering Configuration 95
Figure 19: LLDP Configuration 99
Figure 20: MAC Address Table Configuration 101
Figure 21: VLAN Membership Configuration 103
Figure 22: VLAN Port Configuration 105
Figure 23: Private VLAN Membership Configuration 106
Figure 24: Port Isolation Configuration 107
Figure 25: Port QoS Configuration 109
Figure 26: DSCP Remarking Configuration 111
Figure 27: QoS Control List Configuration 114
Figure 28: Rate Limit Configuration 115
Figure 29: Storm Control Configuration 117
Figure 30: ACL Port Configuration 119
Figure 31: ACL Rate Limiter Configuration 120
Figure 32: Access Control List Configuration 127
Figure 33: Mirror Configuration 129
Figure 34: SNMP System Configuration 135
Figure 35: SNMPv3 Communities Configuration 136
Figure 36: SNMPv3 Users Configuration 138
Figure 37: SNMPv3 Group Configuration 139
Figure 38: SNMPv3 View Configuration 140
Figure 39: SNMPv3 Access Configuration 142
Figure 40: UPnP Configuration 144
Figure 41: DHCP Relay Configuration 146
Figure 42: System Information 148
Figure 43: System Log Information 149
Figure 44: Detailed System Log Information 150
Figure 45: Access Management Statistics 151
Figure 46: Port State Overview 151
Figure 47: Port Statistics Overview 152
Figure 48: Queuing Counters 153
Figure 49: Detailed Port Statistics 156
Figure 50: RADIUS Overview 158
Figure 51: RADIUS Details 162
Figure 52: LACP System Status 163
Figure 53: LACP Port Status 164
Figure 54: LACP Port Statistics 165
Figure 55: Spanning Tree Bridge Status 168
Figure 56: Spanning Tree Port Status 169
Figure 57: Spanning Tree Port Statistics 170
Figure 58: Port Security Status 171
Figure 59: Port Security Statistics 174
Figure 60: IGMP Snooping Status 176
Figure 61: LLDP Neighbor Information 177
Figure 62: LLDP Port Statistics 179
Figure 63: DHCP Relay Statistics 181
Figure 64: MAC Address Table 182
Figure 65: ICMP Ping 184
Figure 66: VeriPHY Cable Diagnostics 185
Figure 67: Reset Device 187
Figure 68: Factory Defaults 188
Figure 69: Software Upload 189
Figure 70: Register Product 189
Figure 71: Configuration Save 190
Figure 72: Configuration Upload 191
TABLES
Table 1: Key Features 27
Table 2: System Defaults 33
Table 3: Web Page Configuration Buttons 50
Table 4: Main Menu 51
Table 5: Recommended STA Path Cost Range 79
Table 6: Recommended STA Path Costs 79
Table 7: Default STA Path Costs 79
Table 8: HTTPS System Support 88
Table 9: QCE Modification Buttons 112
Table 10: Mapping CoS Values to Egress Queues 113
Table 11: QCE Modification Buttons 122
Table 12: SNMP Security Models and Levels 131
Table 13: System Capabilities 177
Table 14: Keystroke Commands 200
Table 15: Command Group Index 201
Table 16: System Commands 203
Table 17: IP Commands 213
Table 18: Authentication Commands 223
Table 19: Port Commands 233
Table 20: Port Configuration 233
Table 21: Link Aggregation Commands 243
Table 22: LACP Commands 249
Table 23: RSTP Commands 255
Table 24: Recommended STA Path Cost Range 260
Table 25: Recommended STA Path Costs 260
Table 26: Default STA Path Costs 260
Table 27: IEEE 802.1X Commands 267
Table 28: 802.1X Configuration 268
Table 29: IGMP Commands 277
Table 30: IGMP Configuration 278
Table 31: LLDP Commands 287
Table 32: MAC Commands 295
Table 33: VLAN Commands 301
Table 34: PVLAN Commands 307
Table 35: QoS Commands 311
Table 36: Mapping CoS Values to Egress Queues 314
Table 37: ACL Commands 323
Table 38: Mirror Commands 331
Table 39: Configuration Commands 333
Table 40: SNMP Commands 335
Table 41: HTTPS Commands 357
Table 42: HTTPS System Support 358
Table 43: SSH Commands 361
Table 44: UPnP Commands 363
Table 45: DHCP Commands 367
Table 46: Firmware Commands 371
Table 47: Troubleshooting Chart 381
SECTION I GETTING STARTED
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
This section includes these chapters:
- “Introduction” on page 27
- “Initial Switch Configuration” on page 35
1 INTRODUCTION
This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
KEY FEATURES
Table 1: Key Features
Feature | Description
Configuration Backup and Restore | Backup to management station or TFTP server
Authentication | Console, Telnet, web – user name/password, RADIUS, TACACS+; Web – HTTPS; Telnet – SSH; SNMP v1/2c – Community strings; SNMP version 3 – MD5 or SHA password; Port – IEEE 802.1X, MAC address filtering; DHCP Snooping (with Option 82 relay information); IP Source Guard
Access Control Lists | Supports up to 128 rules
DHCP Client | Supported
DNS | Proxy service
Port Configuration | Speed, duplex mode, flow control, MTU, response to excessive collisions, power saving mode
Rate Limiting | Input rate limiting per port (using ACL)
Port Mirroring | One or more ports mirrored to single analysis port
Port Trunking | Supports up to 14 trunks using either static or dynamic trunking (LACP)
Storm Control | Throttling for broadcast, multicast, and unknown unicast storms
Address Table | Up to 8K MAC addresses in the forwarding table, 1024 static MAC addresses
IP Version 4 and 6 | Supports IPv4 and IPv6 addressing, management, and QoS
IEEE 802.1D Bridge | Supports dynamic data switching and address learning
Store-and-Forward Switching | Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm | Supports Rapid Spanning Tree Protocol (RSTP), which includes STP backward compatible mode
Virtual LANs | Up to 256 using IEEE 802.1Q, port-based, and private VLANs
Traffic Prioritization | Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS bit, VLAN tag priority, or port
Quality of Service | Supports Differentiated Services (DiffServ), and DSCP remarking
Multicast Filtering | Supports IGMP snooping and query
DESCRIPTION OF SOFTWARE FEATURES
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network. Untagged (port-based) and tagged VLANs, plus support for automatic GVRP VLAN registration, provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network, while multicast filtering provides support for real-time network applications.
Some of the management features are briefly described below.
CONFIGURATION BACKUP AND RESTORE
You can save the current configuration settings to a file on the management station (using the web interface) or a TFTP server (using the console interface), and later download this file to restore the switch configuration settings.
AUTHENTICATION
This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses EAP between the switch and the authentication server (i.e., a RADIUS server) to verify the client’s right to access the network.
Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for web/SNMP/Telnet/SSH management access, and MAC address filtering for port access.
ACCESS CONTROL LISTS
ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP on a specific port.
PORT CONFIGURATION
You can manually configure the speed and duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).
RATE LIMITING
This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
PORT MIRRORING
The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
PORT TRUNKING
Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 14 trunks.
STORM CONTROL
Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
STATIC ADDRESSES
A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
IEEE 802.1D BRIDGE
The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.
STORE-AND-FORWARD SWITCHING
The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.
To avoid dropping frames on congested ports, the switch provides 0.75 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
SPANNING TREE ALGORITHM
The switch supports these spanning tree protocols:
- Spanning Tree Protocol (STP, IEEE 802.1D) – Supported by using the STP backward compatible mode provided by RSTP. STP provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
- Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
VIRTUAL LANS
The switch supports up to 256 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be dynamically learned via GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:
- Eliminate broadcast storms which severely degrade performance in a flat network.
- Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
- Provide data security by restricting all traffic to the originating VLAN.
- Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
- Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
TRAFFIC PRIORITIZATION
This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin Queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic is then sent to the corresponding output queue.
QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
MULTICAST FILTERING
Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration.
SYSTEM DEFAULTS
The following table lists some of the basic system defaults.
Table 2: System Defaults
Function | Parameter | Default
Console Port Connection | Baud Rate | 115200 bps
 | Data bits | 8
 | Stop bits | 1
 | Parity | none
 | Local Console Timeout | 0 (disabled)
Authentication | User Name | “admin”
 | Password | none
 | RADIUS Authentication | Disabled
 | TACACS Authentication | Disabled
 | 802.1X Port Authentication | Disabled
 | HTTPS | Disabled
 | SSH | Disabled
 | Port Security | Disabled
 | IP Filtering | Disabled
Web Management | HTTP Server | Enabled
 | HTTP Port Number | 80
 | HTTP Secure Server | Disabled
 | HTTP Secure Server Redirect | Disabled
SNMP | SNMP Agent | Disabled
 | Community Strings | “public” (read only), “private” (read/write)
 | Traps | Global: disabled; Authentication traps: enabled; Link-up-down events: enabled
 | SNMP V3 | View: default_view; Group: default_rw_group
Port Configuration | Admin Status | Enabled
 | Auto-negotiation | Enabled
 | Flow Control | Disabled
Rate Limiting | Input and output limits | Disabled
Port Trunking | Static Trunks | None
 | LACP (all ports) | Disabled
Storm Protection | Status | Broadcast: disabled; Multicast: disabled; Unknown unicast: disabled
Spanning Tree Algorithm | Status | Enabled, RSTP (Defaults: RSTP standard)
 | Edge Port | Enabled
Address Table | Aging Time | 300 seconds
Virtual LANs | Default VLAN | 1
 | PVID | 1
 | Acceptable Frame Type | All
 | Ingress Filtering | Disabled
 | Switchport Mode (Egress Mode) | Tagged frames
Traffic Prioritization | Ingress Port Priority | 0
 | Queue Mode | Strict
 | Weighted Round Robin | Queue: 0 1 2 3; Weight: 1 2 4 8
 | Ethernet Type | Disabled
 | VLAN ID | Disabled
 | VLAN Priority Tag | Disabled
 | ToS Priority | Disabled
 | IP DSCP Priority | Disabled
 | TCP/UDP Port Priority | Disabled
IP Settings | Management VLAN | Any VLAN configured with an IP address
 | IP Address | DHCP assigned, fallback is 192.168.2.10
 | Subnet Mask | 255.255.255.0
 | Default Gateway | 0.0.0.0
 | DHCP | Client: Enabled
 | DNS | Disabled
Multicast Filtering | IGMP Snooping | Snooping: Enabled; Querier: Disabled
System Log (console only) | Status | Disabled
 | Messages Logged to Flash | All levels
SNTP | Clock Synchronization | Disabled
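Read as a hardening checklist, the defaults above leave the "admin" password empty, the SNMP community strings at the well-known "public"/"private", HTTPS, SSH and IP filtering disabled, and management reachable over plaintext HTTP and Telnet from any address. The console session below is an added example, not taken from this guide: it uses only the CLI command names listed in the contents (system password, snmp read/write community, https mode, https redirect, ssh mode, system access add/mode, config save), but the argument forms and service keywords are assumed for this CLI family, and every address, string and file name is a placeholder to be checked against each command's reference page before use.

```text
# Added example (not from the guide): closing the weak defaults in Table 2.
# Argument forms are assumed for this CLI family; replace every <...>.
# Lines starting with # are annotations, not switch commands.

# Default: user "admin", password none.
system password <new-admin-password>

# Default: communities "public" (read only) / "private" (read/write).
# Change both even while the SNMP agent stays disabled, so that enabling
# it later does not expose the well-known strings.
snmp read community <read-only-string>
snmp write community <read-write-string>

# Default: HTTP server enabled on port 80, HTTPS disabled, SSH disabled.
# Enable the encrypted channels and redirect plaintext web sessions.
https mode enable
https redirect enable
ssh mode enable

# Default: IP Filtering disabled (management reachable from any address).
# Access ID 1 allows only the management station range 192.0.2.10-20
# (placeholder addresses) for the listed services (keywords assumed).
# Enable filtering last, after the entry exists, so the session in use
# is not locked out.
system access add 1 192.0.2.10 192.0.2.20 web snmp telnet
system access mode enable

# Persist the running configuration to a TFTP server (placeholder values).
config save <tftp-server-ip> <config-file-name>
```

Verify each setting afterwards with the matching lookup or configuration command (for example system access lookup, snmp configuration, https configuration), and keep the serial console available as the recovery path if a filter entry turns out to be wrong.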
2 INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures.
CONNECTING TO THE SWITCH
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
NOTE: An IPv4 address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 38. If the switch does not receive a response from a DHCP server, it will default to the IP address 192.168.2.10 and subnet mask 255.255.255.0.
CONFIGURATION OPTIONS
The switch’s HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. The switch’s web management interface can be accessed from any computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.
The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView.
The switch’s web interface, console interface, and SNMP agent allow you to perform the following management functions:
Set the administrator password
Set an IP interface for a management VLAN
Configure SNMP parameters
Enable/disable any port
Set the speed/duplex mode for any port
Configure the bandwidth of any port by limiting input or output rates
Control port access through IEEE 802.1X security or static address filtering
Filter packets using Access Control Lists (ACLs)
Configure up to 256 IEEE 802.1Q VLANs
Configure IGMP multicast filtering
Upload and download system firmware or configuration files via HTTP (using the web interface) or TFTP (using the command line interface)
Configure Spanning Tree parameters
Configure Class of Service (CoS) priority queuing
Configure up to 14 static or LACP trunks
Enable port mirroring
Set storm control on any port for excessive broadcast, multicast, or unknown unicast traffic
Display system information and statistics
REQUIRED CONNECTIONS
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC
running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
2. Connect the other end of the cable to the RS-232 serial port on the
switch.
3. Make sure the terminal emulation software is set as follows:
Select the appropriate serial port (COM port 1 or COM port 2).
Set the baud rates to 115200 bps.
Set the data format to 8 data bits, 1 stop bit, and no parity.
Set flow control to none.
Set the emulation mode to VT100.
When using HyperTerminal, select Terminal keys, not Windows keys.
NOTE: Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 195. For a list of all the CLI commands and detailed information on using the CLI, refer to “CLI Command Groups” on page 201.
REMOTE CONNECTIONS
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, or DHCP protocol.
An IPv4 address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see “Setting an IP Address” on page 38.
If the switch does not receive a response from a DHCP server, it will default to the IP address 192.168.2.10 and subnet mask 255.255.255.0.
NOTE: This switch supports four Telnet sessions or four SSH sessions. Telnet and SSH cannot be used concurrently.
After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet or SSH from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above), or from a network computer using SNMP network management software. Telnet and plain HTTP carry the password in cleartext, so enable SSH and HTTPS (see pages 89 and 88) before the management interface is reachable from a shared network.
The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.
BASIC CONFIGURATION
SETTING PASSWORDS
If this is your first time to log into the console interface, you should define a new password for access to the web interface, record it, and put it in a safe place. The password can consist of up to 8 alphanumeric characters and is case sensitive. To prevent unauthorized access to the switch, set the password as follows:
Type “system password password,” where password is your new password.
>system password ?
Description:
------------
Set or show the system password.
Syntax:
-------
System Password [<password>]
Parameters:
-----------
<password>: System password or 'clear' to clear
>system password admin
>
The value “admin” in this example is only a placeholder; choose a value that is neither the user name nor a factory default. Because the password is limited to 8 alphanumeric characters, also restrict which stations may reach the management interfaces (see “Access Management” on page 61) rather than relying on the password alone.
SETTING AN IP ADDRESS
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
Dynamic — The switch can send an IPv4 configuration request to DHCP address allocation servers on the network, or can automatically generate a unique IPv6 host address based on the local subnet address prefix received in router advertisement messages.
MANUAL CONFIGURATION
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
NOTE: An IPv4 address for this switch is obtained via DHCP by default.
ASSIGNING AN IPV4 ADDRESS
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
IP address for the switch
Network mask for this network
Default gateway for the network
To assign an IPv4 address to the switch, type
“ip setup ip-address ip-mask ip-router vid”
where “ip-address” is the switch’s IP address, “ip-mask” is the mask for the network portion of the address, “ip-router” is the IP address of the default gateway, and “vid” is the VLAN identifier for the interface to which this address will be assigned. Press <Enter>.
>ip setup ?
Description:
------------
Set or show the IP setup.
Syntax:
-------
IP Setup [<ip_addr>] [<ip_mask>] [<ip_router>] [<vid>]
Parameters:
-----------
<ip_addr>  : IP address (a.b.c.d), default: Show IP address
<ip_mask>  : IP subnet mask (a.b.c.d), default: Show IP mask
<ip_router>: IP router (a.b.c.d), default: Show IP router
<vid>      : VLAN ID (1-4095), default: Show VLAN ID
>ip setup 192.168.0.10 255.255.255.0 192.168.0.1 1
>
ASSIGNING AN IPV6 ADDRESS
This section describes how to configure a “global unicast” address by specifying the full IPv6 address (including network and host portions) and the length of the network prefix.
An IPv6 address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.
Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator:
IP address for the switch
Length of the network prefix
Default gateway for the network
When configuring the IPv6 address and gateway, one double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields. To generate an IPv6 global unicast address for the switch, type the following command, and press <Enter>.
“ip ipv6 setup ipv6-address ipv6-prefix ipv6-router vid”
where “ipv6-address” is the full IPv6 address of the switch including the network prefix and host address bits. “ipv6-prefix” indicates the length of the network prefix, “ipv6-router” is the IPv6 address of the default next hop router to use when the management station is located on a different network segment, and “vid” is the VLAN identifier for the interface to which this address will be assigned.
>ip ipv6 setup ?
Description:
------------
Set or show the IPv6 setup.
Syntax:
-------
IP IPv6 Setup [<ipv6_addr>] [<ipv6_prefix>] [<ipv6_router>] [<vid>]
>ip ipv6 setup 2001:DB8:2222:7272::72 64 2001:DB8:2222:7272::254 1
>ip ipv6 setup
IPv6 AUTOCONFIG mode : Disabled
IPv6 Address         : 2001:db8:2222:7272::72
IPv6 Prefix          : 64
IPv6 Router          : 2001:db8:2222:7272::254
IPv6 VLAN ID         : 1
>
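The script below is an added example and not part of the switch software or this manual. It validates the arguments of “ip setup” and “ip ipv6 setup” before they are typed, applying the format rules stated above (dotted-decimal IPv4, colon-separated IPv6 per RFC 2373, VLAN ID 1-4095) together with the consistency checks the CLI does not make for you, such as a default gateway that is not on the management subnet or a switch address that is the subnet's broadcast address. The sample addresses are the manual's own; the function names are the example's.

```python
"""Pre-flight checks for the arguments of "ip setup" and "ip ipv6 setup".

Added example, not part of the switch software: it applies the format rules the
manual states (dotted-decimal IPv4, colon-separated IPv6, VLAN ID 1-4095) plus
the consistency checks the CLI does not make, such as a default gateway that is
not on the management subnet. Function names are the example's own.
"""
import ipaddress

VID_MIN, VID_MAX = 1, 4095  # VLAN ID range accepted by the "ip setup" commands


def _vid_problems(vid):
    if not isinstance(vid, int) or not VID_MIN <= vid <= VID_MAX:
        return [f"VLAN ID {vid!r} is outside {VID_MIN}-{VID_MAX}"]
    return []


def validate_ipv4_setup(ip_addr, ip_mask, ip_router, vid):
    """Return a list of problems; an empty list means the arguments are usable."""
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip_addr)
    except ValueError:
        return [f"{ip_addr!r} is not a dotted-decimal IPv4 address (a.b.c.d)"]
    try:
        # strict=False derives the subnet from a host address plus its mask;
        # a non-contiguous mask such as 255.255.0.255 raises ValueError here.
        net = ipaddress.IPv4Network((ip_addr, ip_mask), strict=False)
    except ValueError:
        return [f"{ip_mask!r} is not a valid contiguous subnet mask"]
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    try:
        router = ipaddress.IPv4Address(ip_router)
    except ValueError:
        problems.append(f"{ip_router!r} is not a dotted-decimal IPv4 address (a.b.c.d)")
    else:
        # 0.0.0.0 is the switch's "no default gateway" value (see the defaults table).
        if router.is_unspecified:
            pass
        elif router not in net:
            problems.append(f"router {router} is not inside {net}, so the switch could not reach it")
        elif router == addr:
            problems.append("router address equals the switch's own address")
    problems.extend(_vid_problems(vid))
    return problems


def validate_ipv6_setup(ipv6_addr, ipv6_prefix, ipv6_router, vid):
    """Same checks for "ip ipv6 setup": address, prefix length, next-hop router, VLAN ID."""
    problems = []
    try:
        addr = ipaddress.IPv6Address(ipv6_addr)
    except ValueError:
        return [f"{ipv6_addr!r} is not a valid colon-separated IPv6 address"]
    if not isinstance(ipv6_prefix, int) or not 1 <= ipv6_prefix <= 128:
        return [f"prefix length {ipv6_prefix!r} is outside 1-128"]
    net = ipaddress.IPv6Network((ipv6_addr, ipv6_prefix), strict=False)
    if addr.is_multicast or addr.is_link_local or addr.is_loopback or addr.is_unspecified:
        problems.append(f"{addr} cannot serve as the switch's global unicast management address")
    try:
        router = ipaddress.IPv6Address(ipv6_router)
    except ValueError:
        problems.append(f"{ipv6_router!r} is not a valid IPv6 address")
    else:
        # :: means "no router"; a link-local next hop (fe80::/10) is legitimate
        # even though it does not fall inside the configured prefix.
        if not (router.is_unspecified or router.is_link_local) and router not in net:
            problems.append(f"router {router} is not on-link in {net}")
        elif router == addr:
            problems.append("router address equals the switch's own address")
    problems.extend(_vid_problems(vid))
    return problems


def ipv4_setup_command(ip_addr, ip_mask, ip_router, vid):
    """Build the exact CLI line, or raise ValueError listing what is wrong."""
    problems = validate_ipv4_setup(ip_addr, ip_mask, ip_router, vid)
    if problems:
        raise ValueError("; ".join(problems))
    return f"ip setup {ip_addr} {ip_mask} {ip_router} {vid}"


def ipv6_setup_command(ipv6_addr, ipv6_prefix, ipv6_router, vid):
    problems = validate_ipv6_setup(ipv6_addr, ipv6_prefix, ipv6_router, vid)
    if problems:
        raise ValueError("; ".join(problems))
    return f"ip ipv6 setup {ipv6_addr} {ipv6_prefix} {ipv6_router} {vid}"


if __name__ == "__main__":
    # The manual's own examples pass; a gateway on another subnet is caught.
    print(ipv4_setup_command("192.168.0.10", "255.255.255.0", "192.168.0.1", 1))
    print(ipv6_setup_command("2001:DB8:2222:7272::72", 64, "2001:DB8:2222:7272::254", 1))
    print(validate_ipv4_setup("192.168.0.10", "255.255.255.0", "10.0.0.1", 1))
```

Run it before a console session to catch the usual mistakes (a transposed mask octet, a gateway copied from a different VLAN) while you can still see the error, rather than after the switch has become unreachable over the network.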
DYNAMIC CONFIGURATION
OBTAINING AN IPV4 ADDRESS
If you enable the “IP DHCP” option, IP will be enabled but will not function until a DHCP reply has been received. Requests will be sent periodically in an effort to obtain IP configuration information. DHCP values can include the IP address, subnet mask, and default gateway.
If the IP DHCP option is enabled, the switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with DHCP address allocation servers on the network, type the following command, and press <Enter>. Wait a few minutes, and then check the IP configuration settings using the “ip dhcp” command.
“ip dhcp enable”
>ip dhcp enable
>ip dhcp
DHCP Client : Enabled
Active Configuration:
IP Address  : 192.168.0.3
IP Mask     : 255.255.255.0
IP Router   : 0.0.0.0
DNS Server  : 0.0.0.0
SNTP Server :
>
NOTE: Response time from DHCP servers varies considerably for different network environments. If you do not get a response in a reasonable amount of time, try entering the “ip dhcp disable” command followed by the “ip dhcp enable” command. Otherwise, set the static IP address to a null address (see page 38), and then enter the “ip dhcp enable” command or reboot the switch.
OBTAINING AN IPV6 ADDRESS
To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages. Because autoconfiguration trusts any router advertisement seen on the management VLAN, use it only where that VLAN is limited to trusted devices; otherwise assign the address manually as described above.
To dynamically generate an IPv6 host address for the switch, type the following command, and press <Enter>.
“ip ipv6 autoconfig enable”
>ip ipv6 autoconfig enable
>ip ipv6 autoconfig
IPv6 AUTOCONFIG mode : Enabled
IPv6 Address         : 2001:db8:2222:7272::72
IPv6 Prefix          : 64
IPv6 Router          : 2001:db8:2222:7272::254
IPv6 VLAN ID         : 1
>
ENABLING SNMP MANAGEMENT ACCESS
The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps.
When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e., an SNMPv3 construct) for the default “public” community string that provides read access to the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see “Configuring SNMPv3 Views” on page 140).
COMMUNITY STRINGS (FOR SNMP VERSION 1 AND 2C CLIENTS)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
The default strings are:
public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
To change the read-only or read/write community string, type either of the following commands, and press <Enter>.
“snmp read community string”
“snmp write community string”
where “string” is the community access string.
>snmp read community rd
>snmp read community
Read Community : rd
>
NOTE: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
TRAP RECEIVERS
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, enter the “snmp trap” commands shown below, and press <Enter>.
“snmp trap version version”
“snmp trap community community-string”
“snmp trap destination host-address”
“snmp trap mode enable”
“snmp mode enable”
where “version” indicates the SNMP client version (1, 2c, 3), “community-string” specifies access rights for a version 1/2c host, and “host-address” is the IP address for the trap receiver. For a more detailed description of these parameters and other SNMP commands, see “SNMP Commands” on page 335. The following example creates a trap host for a version 1 SNMP client.
>snmp trap version 1
>snmp trap community remote_user
>snmp trap destination 192.168.2.19
>snmp trap mode enable
>snmp mode enable
>snmp configuration
SNMP Mode                     : Enabled
SNMP Version                  : 1
Read Community                : rd
Write Community               : private
Trap Mode                     : Enabled
Trap Version                  : 1
Trap Community                : remote_user
Trap Destination              : 192.168.2.19
Trap IPv6 Destination         : ::
Trap Authentication Failure   : Enabled
Trap Link-up and Link-down    : Enabled
Trap Inform Mode              : Disabled
Trap Inform Timeout (seconds) : 1
Trap Inform Retry Times       : 5
Trap Probe Security Engine ID : Enabled
Trap Security Engine ID       :
Trap Security Name            : None
. . .
CONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS
To configure management access for SNMPv3 clients, you need to first create a user, assign the user to a group, create a view that defines the portions of the MIB that the client can read or write, and then create an access entry with the group and view. The following example creates a user called Steve, indicating that MD5 will be used for authentication, and provides the passwords for both authentication and encryption. It assigns this user to a group called “r&d.” It then creates one view called “mib-2” that includes the entire MIB-2 tree branch, and another view that includes the IEEE 802.1d bridge MIB. In the last step, it assigns these respective read and read/write views to the group called “r&d.” Note that the access entry in this example is created at the noauthnopriv security level, so members of the group can reach those views without the authentication and encryption configured for the user; for production use, create the access entry at a level that requires both authentication and privacy. Also review the default_user entry shown in the tables below, which has neither authentication nor privacy and is mapped to default_rw_group.
>snmp user add 800007e5017f000001 steve md5 greenearth des blueseas
>snmp group add usm steve r&d
>snmp view add mib-2 included .1.3.6.1.2.1
>snmp view add 802.1d included .1.3.6.1.2.1.17
>snmp access add r&d usm noauthnopriv mib-2 802.1d
>snmp configuration
. . .
SNMPv3 Users Table:
Idx  Engine ID  User Name     Level           Auth  Priv
---  ---------  ------------  --------------  ----  ----
1    Local      default_user  NoAuth, NoPriv  None  None
2    Local      steve         Auth, Priv      MD5   DES
. . .
SNMPv3 Groups Table:
Idx  Model  Security Name  Group Name
---  -----  -------------  ----------------
1    v1     public         default_ro_group
2    v1     private        default_rw_group
3    v2c    public         default_ro_group
4    v2c    private        default_rw_group
5    usm    default_user   default_rw_group
6    usm    steve          r&d
. . .
SNMPv3 Views Table:
Idx  View Name     View Type  OID Subtree
---  ------------  ---------  ---------------
1    default_view  included   .1
2    mib-2         included   .1.3.6.1.2.1
3    802.1d        included   .1.3.6.1.2.1.17
. . .
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 130, or refer to the specific CLI commands for SNMP starting on page 335.
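The following audit script is an added example, not part of the switch software or this manual. It parses the output of the “snmp configuration” command in the layout shown in the two sections above (the key/value block and the SNMPv3 Users Table) and reports the weaknesses a reviewer looks for first: SNMPv1/v2c left enabled, factory community strings, a trap community sent in cleartext, and SNMPv3 users at the NoAuth, NoPriv level. Both embedded outputs are constructed from the manual's examples (the second represents a switch with the v1/v2c communities deleted), and the function names are the example's own.

```python
"""Audit "snmp configuration" output for weak settings.

Added example, not part of the switch software. Parses the key/value block and
the SNMPv3 Users Table as the manual shows them and flags SNMPv1/v2c, factory
community strings, cleartext trap communities and NoAuth/NoPriv v3 users.
Both samples are constructed from the manual's examples.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
KV_RE = re.compile(r"^([A-Za-z0-9 ()\-]+?)\s*:\s*(.*)$")

# Constructed from the manual's "snmp configuration" example (v1, trap host, user steve).
MANUAL_SAMPLE = """\
SNMP Mode                    : Enabled
SNMP Version                 : 1
Read Community               : rd
Write Community              : private
Trap Mode                    : Enabled
Trap Version                 : 1
Trap Community               : remote_user
Trap Destination             : 192.168.2.19
Trap Authentication Failure  : Enabled

SNMPv3 Users Table:
Idx  Engine ID  User Name     Level           Auth  Priv
---  ---------  ------------  --------------  ----  ----
1    Local      default_user  NoAuth, NoPriv  None  None
2    Local      steve         Auth, Priv      MD5   DES
"""

# Constructed sample of a hardened switch: v1/v2c communities deleted, v3 only.
HARDENED_SAMPLE = """\
SNMP Mode                    : Enabled
SNMP Version                 : 3
Read Community               :
Write Community              :
Trap Mode                    : Enabled
Trap Version                 : 3
Trap Authentication Failure  : Enabled

SNMPv3 Users Table:
Idx  Engine ID  User Name     Level           Auth  Priv
---  ---------  ------------  --------------  ----  ----
1    Local      netmon        Auth, Priv      SHA   DES
"""


def parse_snmp_configuration(text):
    """Return (settings dict, list of v3 user dicts) from the CLI output."""
    settings, users = {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith("SNMPv3 Users Table"):
            i += 3  # skip the title, the column header and the dashed rule
            while i < len(lines) and lines[i].strip():
                cols = re.split(r"\s{2,}", lines[i].strip())  # columns are 2+ spaces apart
                if len(cols) >= 6:
                    users.append({"engine": cols[1], "name": cols[2],
                                  "level": cols[3], "auth": cols[4], "priv": cols[5]})
                i += 1
            continue
        m = KV_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
        i += 1
    return settings, users


def audit_snmp(settings, users):
    """Return a list of (severity, message); an empty list means nothing flagged."""
    findings = []
    if settings.get("SNMP Mode") != "Enabled":
        return findings  # agent disabled: nothing is exposed
    version = settings.get("SNMP Version", "")
    if version in ("1", "2c"):
        findings.append(("high", f"SNMPv{version} enabled: community strings cross the network in cleartext"))
    for key in ("Read Community", "Write Community"):
        value = settings.get(key, "")
        if value.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"{key} is still the factory default {value!r}"))
    if settings.get("Trap Mode") == "Enabled" and settings.get("Trap Version") in ("1", "2c"):
        findings.append(("medium", f"traps use SNMPv{settings['Trap Version']}; trap community "
                                   f"{settings.get('Trap Community', '')!r} is sent in cleartext"))
    if settings.get("Trap Authentication Failure") != "Enabled":
        findings.append(("low", "authentication-failure traps are disabled; community guessing goes unnoticed"))
    for u in users:
        if u["level"].replace(" ", "").lower() == "noauth,nopriv":
            findings.append(("high", f"SNMPv3 user {u['name']!r} needs neither authentication nor privacy"))
        elif u["auth"].upper() == "MD5" or u["priv"].upper() == "DES":
            findings.append(("low", f"SNMPv3 user {u['name']!r} relies on legacy algorithms ({u['auth']}/{u['priv']})"))
    return findings


def audit_text(text):
    return audit_snmp(*parse_snmp_configuration(text))


if __name__ == "__main__":
    for label, sample in (("manual example", MANUAL_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"== {label}")
        for severity, message in audit_text(sample):
            print(f"[{severity}] {message}")
```

Paste the captured output of “snmp configuration” into audit_text() after every change to the SNMP settings; the manual's own example still produces three high findings (SNMPv1 in use, the factory “private” write community, and default_user with no authentication), which is exactly the state the note above tells you to leave behind.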
MANAGING SYSTEM FILES
The switch’s flash memory supports two types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded or downloaded.
The types of files are:
Configuration — This file type stores system configuration information. Configuration files can be saved to a TFTP server for backup, or uploaded from a TFTP server to restore previous settings using the CLI. Configuration files can also be saved to or restored from a management station using the web interface. See “Managing Configuration Files” on page 190 for more information.
Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and web management interfaces. It can be uploaded from a TFTP server using the CLI or from a management station using the web interface. See “Upgrading Firmware” on page 188 for more information.
TFTP provides neither authentication nor encryption, and the configuration file carries the SNMP community strings and other management settings, so perform these transfers only across a management network restricted to trusted stations.
SAVING OR RESTORING CONFIGURATION SETTINGS
Configuration commands modify the running configuration, and are saved in nonvolatile storage. To save the current configuration settings to a backup server, enter the following command, and press <Enter>.
“config save tftp-server file-name”
where “tftp-server” is the IP address of the backup server, and “file-name” is the name under which the configuration settings are saved.
>config save 192.168.2.19 4528v.cfg
>
To restore configuration settings from a backup server, enter the following command, and press <Enter>.
“config load tftp-server file-name”
>config load 192.168.2.19 4528v.cfg
>
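The TFTP server that receives the backup is where the access control has to live, since the protocol itself has none. The receiver below is an added example, not the switch's software or a product recommended by this manual: it accepts a write request (what “config save” sends) only from the switch's management address, rejects any filename that is not a bare name inside the backup directory, never answers read requests, and stores the file when the short final data block arrives. The backup directory /srv/tftp, the switch address 192.168.2.10 and the function names are assumptions of the example; the switch's address in your network is whatever “ip setup” or DHCP gave it.

```python
"""Receive-only TFTP endpoint for the switch's "config save" backups.

Added example, not part of the switch software. TFTP (RFC 1350) authenticates
nothing, so the server supplies the controls: accept write requests only from
the switch's address, refuse any filename that is not a bare name inside the
backup directory, and never serve reads. Directory and addresses are assumptions.
"""
import os
import socket
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERR_ACCESS, ERR_ILLEGAL = 2, 4
BLOCK_SIZE = 512  # a DATA payload shorter than this ends the transfer

def parse_request(packet):
    """Decode RRQ/WRQ: opcode(2) | filename | NUL | mode | NUL. Raises ValueError."""
    if len(packet) < 4:
        raise ValueError("request too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"opcode {opcode} is not a request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the remainder after the final NUL
        raise ValueError("request is missing a NUL terminator")
    filename, mode = fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    if mode not in ("octet", "netascii"):
        raise ValueError(f"unsupported mode {mode!r}")
    return opcode, filename, mode

def safe_target(root, filename):
    """Map the requested name into root; None for anything carrying a path component."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name != filename:
        return None
    return os.path.join(root, name)

def ack_packet(block):
    return struct.pack("!HH", OP_ACK, block)

def error_packet(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"

class WriteSession:
    """One WRQ transfer; handle(client_ip, packet) returns the reply packet."""

    def __init__(self, root, allowed_client, store):
        self.root, self.allowed_client, self.store = root, allowed_client, store
        self.target, self.expected_block, self.buf, self.done = None, None, bytearray(), False

    def handle(self, client_ip, packet):
        if client_ip != self.allowed_client:
            return error_packet(ERR_ACCESS, "client not allowed")
        if self.expected_block is None:  # still waiting for the WRQ
            try:
                opcode, filename, _mode = parse_request(packet)
            except ValueError as exc:
                return error_packet(ERR_ILLEGAL, str(exc))
            if opcode != OP_WRQ:
                return error_packet(ERR_ACCESS, "read requests are not served")
            self.target = safe_target(self.root, filename)
            if self.target is None:
                return error_packet(ERR_ACCESS, "bad filename")
            self.expected_block = 1
            return ack_packet(0)
        if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_DATA:
            return error_packet(ERR_ILLEGAL, "expected DATA")
        block = struct.unpack("!H", packet[2:4])[0]
        if block != self.expected_block:  # duplicate or out of order: re-ack the last good block
            return ack_packet(self.expected_block - 1)
        payload = packet[4:]
        self.buf += payload
        self.expected_block += 1
        if len(payload) < BLOCK_SIZE:
            self.store(self.target, bytes(self.buf))
            self.done = True
        return ack_packet(block)

def write_file(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def serve(root, allowed_client, port=69):
    """One transfer at a time, replying from the listening port (no separate TID)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))  # port 69 needs root or CAP_NET_BIND_SERVICE
    while True:
        session, peer = WriteSession(root, allowed_client, write_file), None
        while not session.done:
            packet, addr = sock.recvfrom(4 + BLOCK_SIZE)
            if peer is not None and addr != peer:
                sock.sendto(error_packet(ERR_ACCESS, "busy"), addr)
                continue
            reply = session.handle(addr[0], packet)
            sock.sendto(reply, addr)
            if reply[:2] == struct.pack("!H", OP_ERROR):
                break
            peer = addr

if __name__ == "__main__":
    serve("/srv/tftp", "192.168.2.10")  # assumed backup directory and switch address
```

The session logic is kept separate from the socket loop so it can be exercised with hand-built packets; a source-address check is the strongest control TFTP allows, and it is only meaningful when the backup server sits on the same restricted management network as the switch.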
SECTION II WEB CONFIGURATION
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
This section includes these chapters:
“Using the Web Interface” on page 49
“Configuring the Switch” on page 55
“Monitoring the Switch” on page 147
“Performing Basic Diagnostics” on page 183
“Performing System Maintenance” on page 187
3 USING THE WEB INTERFACE
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Netscape 6.2, Mozilla Firefox 2.0.0.0, or more recent versions).
NOTE: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet or SSH. For more information on using the CLI, refer to “Using the Command Line Interface” on page 195.
CONNECTING TO THE WEB INTERFACE
Prior to accessing the switch from a web browser, be sure you have first performed the following tasks:
1. Configured the switch with a valid IP address, subnet mask, and default gateway using an out-of-band serial connection, or DHCP protocol. (See “Setting an IP Address” on page 38.)
2. Set the system password using an out-of-band serial connection. (See “Setting Passwords” on page 38.)
3. After you enter a user name and password, you will have access to the system configuration program.
NOTE: You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.
NOTE: If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable AdminEdge) to improve the switch’s response time to management commands issued through the web interface. See “Configuring Interface Settings for STA” on page 78.
NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password. By default, the user name is “admin” and there is no password, so set a password (see “Setting Passwords” on page 38) before the switch is reachable from the network.
HOME PAGE
When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and an image of the front panel on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.
Figure 1: Home Page
CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3: Web Page Configuration Buttons
Button | Action
Save | Sets specified values to the system.
Reset | Cancels specified values and restores current values prior to pressing “Save.”
Help (icon) | Links directly to web help.
NOTE: To ensure proper screen refresh, be sure that Internet Explorer is configured so that the setting “Check for newer versions of stored pages” reads “Every visit to the page.”
Internet Explorer 6.x and earlier: This option is available under the menu “Tools / Internet Options / General / Temporary Internet Files / Settings.”
Internet Explorer 7.x: This option is available under “Tools / Internet Options / General / Browsing History / Settings / Temporary Internet Files.”
PANEL DISPLAY
The web agent displays an image of the switch’s ports. The refresh mode is disabled by default. Click Auto-refresh to refresh the data displayed on the screen approximately once every 5 seconds, or click Refresh to refresh the screen right now. Clicking on the image of a port opens the Detailed Statistics page as described on page 154.
Figure 2: Front Panel Indicators
MAIN MENU
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 4: Main Menu
Menu | Description | Page
Configuration | | 55
  System | |
    Information | Configures system contact, name and location | 55
    IP & Time | Configures IPv4 and SNTP settings | 56
    IPv6 & Time | Configures IPv6 and SNTP settings | 58
    Password | Configures system password | 61
    Access Management | Sets IP addresses of clients allowed management access via HTTP/HTTPS, SNMP, and Telnet/SSH | 61
  Ports | Configures port connection settings | 63
  Authentication | Configures authentication method for management access via local database, RADIUS or TACACS+ | 65
  Aggregation | | 69
    Static | Specifies ports to group into static trunks | 70
    LACP | Allows ports to dynamically join trunks | 73
  Spanning Tree | | 76
    System | Configures global bridge settings for RSTP | 77
    Ports | Configures individual port settings for RSTP | 78
  Port Security | Configures global and port settings for IEEE 802.1X | 82
  HTTPS | Configures secure HTTP settings | 88
  SSH | Configures Secure Shell server | 89
  IGMP Snooping | | 90
    Basic Configuration | Configures global and port settings for multicast filtering | 91
    Port Group Filtering | Configures multicast groups to be filtered on specified port | 95
  LLDP | Configures global LLDP timing parameters, and port-specific TLV attributes | 96
  MAC Address Table | Configures address aging, dynamic learning, and static addresses | 99
  VLANs | | 101
    VLAN Membership | Configures VLAN groups | 102
    Ports | Specifies default PVID and VLAN attributes | 103
  Private VLANs | |
    PVLAN Membership | Configures PVLAN groups | 105
    Port Isolation | Prevents communications between designated ports within the same private VLAN | 106
  QoS | | 107
    Ports | Configures default traffic class, user priority, queue mode, and queue weights | 108
    DSCP Remarking | Remarks DSCP values to standard CoS classes, best effort, or expedited forwarding | 109
    QoS Control List | Configures QoS policies for handling ingress packets based on Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS, or VLAN priority tag | 111
    Rate Limiters | Configures ingress and egress rate limits | 114
    Storm Control | Sets limits for broadcast, multicast, and unknown unicast traffic | 116
  ACL | | 118
    Ports | Assigns ACL, rate limiter, and other parameters to ports | 118
    Rate Limiters | Configures rate limit policies | 119
    Access Control List | Configures ACLs based on frame type, destination MAC type, VLAN ID, VLAN priority tag; and the action to take for matching packets | 120
  Mirroring | Sets source and target ports for mirroring | 128
  SNMP | | 130
    System | Configures read-only and read/write community strings for SNMP v1/v2c, engine ID for SNMP v3, and trap parameters | 131
    Communities | Configures community strings | 136
    Users | Configures SNMP v3 users on this switch | 137
    Groups | Configures SNMP v3 groups | 138
    Views | Configures SNMP v3 views | 140
    Access | Assigns security model, security level, and read/write views to SNMP groups | 141
  UPnP | Enables UPnP and defines timeout values | 142
  DHCP | |
    Relay | Configures DHCP relay information status and policy | 144
Monitor | | 147
  System | | 147
    Information | Displays basic system description, switch’s MAC address, system time, and software version | 147
    Log | Limits the system messages logged based on severity; displays logged messages | 148
    Detailed Log | Displays detailed information on each logged message | 150
  Access Management Statistics | Displays the number of packets used to manage the switch via HTTP, HTTPS, SNMP, Telnet, and SSH | 150
  Ports | | 151
    State | Displays a graphic image of the front panel indicating active port connections | 151
    Traffic Overview | Shows basic Ethernet port statistics | 152
    QoS Statistics | Shows the number of packets entering and leaving the egress queues | 153
    Detailed Statistics | Shows detailed Ethernet port statistics | 154
  Authentication | | 157
    RADIUS Overview | Displays status of configured RADIUS authentication and accounting servers | 157
    RADIUS Details | Displays the traffic and status associated with each configured RADIUS server | 158
  LACP | | 163
    System Status | Displays administration key and associated local ports for each partner | 163
    Port Status | Displays administration key, LAG ID, partner ID, and partner ports for each local port | 163
    Port Statistics | Displays statistics for LACP protocol messages | 165
  Spanning Tree | | 166
    Bridge Status | Displays global bridge and port settings for STA | 166
    Port Status | Displays STA role, state, and uptime for each port | 168
    Port Statistics | Displays statistics for RSTP, STP and TCN protocol packets | 169
  Port Security | | 170
    Status | Displays 802.1X security state of each port, last source address used for authentication, and last ID | 170
    Statistics | Displays 802.1X protocol statistics for the selected port | 171
  IGMP Snooping | Displays statistics related to IGMP packets passed upstream to the IGMP Querier or downstream to multicast clients | 175
  LLDP | | 176
    Neighbors | Displays LLDP information about a remote device connected to a port on this switch | 176
    Port Statistics | Displays statistics for all connected remote devices, and statistics for LLDP protocol packets crossing each port | 178
  DHCP | |
    Relay Statistics | Displays server and client statistics for packets affected by the relay information policy | 179
  MAC Address Table | Displays dynamic and static address entries associated with the CPU and each port | 181
Diagnostics | | 183
  Ping | Tests specified path using IPv4 ping | 183
  Ping6 | Tests specified path using IPv6 ping | 183
  VeriPHY | Performs cable diagnostics for all ports or selected port to diagnose any cable faults (short, open etc.) and report the cable length | 184
Maintenance | | 187
  Reset Device | Restarts the switch | 187
  Factory Defaults | Restores factory default settings | 188
  Software Upload | Updates software on the switch with a file specified on the management station | 188
  Register Product | Opens product registration page | 189
  Configuration | | 190
    Save | Saves configuration settings to a file on the management station | 190
    Upload | Restores configuration settings from a file on the management station | 190
4 CONFIGURING THE SWITCH
This chapter describes all of the basic configuration tasks.
CONFIGURING SYSTEM INFORMATION
You can identify the system by configuring the contact information, name, and location of the switch.
PARAMETERS
These parameters are displayed on the System Information page:
System Contact – Administrator responsible for the system. (Maximum length: 255 characters)
System Name – Name assigned to the switch system. (Maximum length: 255 characters)
System Location – Specifies the system location. (Maximum length: 255 characters)
System Timezone Offset (minutes) – Sets the time zone as an offset from Greenwich Mean Time (GMT). Negative values indicate a zone before (east of) GMT, and positive values indicate a zone after (west of) GMT.
WEB INTERFACE
To configure System Information in the web interface:
1. Click Configuration, System, Information.
2. Specify the contact information for the system administrator, as well as
the name and location of the switch. Also indicate the local time zone by configuring the appropriate offset.
3. Click Save.
Figure 3: System Information Configuration
SETTING AN IP ADDRESS
This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
SETTING AN IPV4 ADDRESS
The IPv4 address for the switch is obtained via DHCP by default for VLAN 1. To manually configure an address, you need to change the switch's default settings to values that are compatible with your network. You may also need to establish a default gateway between the switch and management stations that exist on another network segment.
NOTE: An IPv4 address for this switch is obtained via DHCP by default. If the switch does not receive a response from a DHCP server, it will default to the IP address 192.168.2.10 and subnet mask 255.255.255.0.
You can manually configure a specific IP address, or direct the device to obtain an address from a DHCP server. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the CLI program.
PARAMETERS
The following parameters are displayed on the IP & Time page:
IP Configuration
DHCP Client – Specifies whether IP functionality is enabled via Dynamic Host Configuration Protocol (DHCP). If DHCP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP values can include the IP address, subnet mask, and default gateway. (Default: Enabled)
IP Address – Address of the VLAN specified in the VLAN ID field. This should be the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 192.168.2.10)
IP Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: 255.255.255.0)
IP Router – IP address of the gateway router between the switch and management stations that exist on other network segments.
VLAN ID – ID of the configured VLAN. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4095; Default: 1)
SNTP Server – Sets the IPv4 address for a time server (NTP or SNTP). The switch attempts to periodically update the time from the specified server. The polling interval is fixed at 15 minutes.
DNS Server – A Domain Name Server to which client requests for mapping host names to IP addresses are forwarded.
IP DNS Proxy Configuration
IP DNS Proxy – If enabled, the switch maintains a local database based on previous responses to DNS queries forwarded on behalf of attached clients. If the required information is not in the local database, the switch forwards the DNS query to a DNS server, stores the response in its local cache for future reference, and passes the response back to the client.
WEB INTERFACE
To configure an IP address and SNTP in the web interface:
1. Click Configuration, System, IP & Time.
2. Specify the IPv4 settings, and enable DNS proxy service if required.
3. Click Save.
Figure 4: IP & Time Configuration
SETTING AN IPV6 ADDRESS
This section describes how to configure an IPv6 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types. For information on configuring the switch with an IPv4 address, see “Setting an IP Address” on page 56.
IPv6 includes two distinct address types - link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet. Management traffic using this kind of address cannot be passed by any router outside of the subnet. A link-local address is easy to set up, and may be useful for simple networks or basic troubleshooting tasks. However, to connect to a larger network with multiple segments, the switch must be configured with a global unicast address. A link-local address must be manually configured, but a global unicast address can either be manually configured or dynamically assigned.
USAGE GUIDELINES
All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
When configuring a link-local address, note that the prefix length is fixed at 64 bits, and the host portion of the default address is based on the modified EUI-64 (Extended Unique Identifier) form of the interface identifier (i.e., the physical MAC address). You can manually configure a link-local address by entering the full address with the network prefix FE80.
To connect to a larger network with multiple subnets, you must configure a global unicast address. There are several alternatives to configuring this address type:
The global unicast address can be automatically configured by taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the address. This option can be selected by enabling the Auto Configuration option.
You can also manually configure the global unicast address by entering the full address and prefix length.
PARAMETERS
The following parameters are displayed on the IPv6 & Time page:
IPv6 Configuration
Auto Configuration – Enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 functionality on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the interface identifier; i.e., the switch's MAC address. (Default: Disabled)
Address – Manually configures a global unicast address by specifying the full address and network prefix length (in the Prefix field). (Default: ::192.168.2.10)
Prefix – Defines the prefix length as a decimal value indicating how many contiguous bits (starting at the left) of the address comprise the prefix; i.e., the network portion of the address. (Default: 96 bits)
Note that the default prefix length of 96 bits specifies that the first six colon-separated values comprise the network portion of the address.
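The addressing rules above (RFC 2373 formatting with a single "::", the modified EUI-64 link-local identifier, and the 96-bit default prefix) worked through in Python, as an added example that is not part of the Edge-Core guide; the MAC address used in the comments is a constructed value.

```python
import ipaddress
import re


def expand_ipv6(text: str) -> str:
    """Expand an RFC 2373 textual address into 8 colon-separated 16-bit hex
    groups. Only one '::' may appear; anything else is rejected."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed in an IPv6 address")
    return ipaddress.IPv6Address(text).exploded


def link_local_from_mac(mac: str) -> str:
    """Derive the FE80::/64 link-local address the guide describes: the host
    portion is the modified EUI-64 interface identifier, i.e. the 48-bit MAC
    with FF:FE inserted after the third octet and the universal/local bit
    (bit 1 of the first octet) inverted.
    Constructed input 00:11:22:33:44:55 yields fe80::211:22ff:fe33:4455."""
    octets = [int(part, 16) for part in re.split(r"[:-]", mac)]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    octets[0] ^= 0x02                                  # invert the U/L bit
    eui64 = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    iid = int.from_bytes(eui64, "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def network_groups(address: str, prefix_len: int) -> list:
    """Return the colon-separated groups that lie entirely inside the network
    portion of address/prefix_len. With the page's default prefix of 96 bits
    that is the first six groups."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0-128")
    return expand_ipv6(address).split(":")[: prefix_len // 16]


def is_link_local(address: str) -> bool:
    """True for addresses inside FE80::/64 (the prefix is fixed at 64 bits)."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network("fe80::/64")
```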
Router – Sets the IPv6 address of the default next hop router.
An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment.
An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
VLAN ID – ID of the configured VLAN. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4095; Default: 1)
SNTP Server – Sets the IPv6 address for a time server (NTP or SNTP). The switch attempts to periodically update the time from the specified server. The polling interval is fixed at 15 minutes.
WEB INTERFACE
To configure an IPv6 address and SNTP in the web interface:
1. Click Configuration, System, IPv6 & Time.
2. Specify the IPv6 settings. The information shown below provides an example of how to manually configure an IPv6 address.
3. Click Save.
Figure 5: IPv6 & Time Configuration
SETTING THE SYSTEM PASSWORD
The administrator has read/write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.
The administrator name “admin” is fixed, but there is no password by default. The input range for the password is 0-8 plain text characters, and is case sensitive.
WEB INTERFACE
To configure the System Password in the web interface:
1. Click Configuration, System, Password.
2. Enter the old password.
3. Enter the new password.
4. Enter the new password again to confirm your input.
5. Click Save.
Figure 6: System Password
FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS
You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection.
PARAMETERS
The following parameters are displayed on the Access Management page:
Mode – Enables or disables filtering of management access based on configured IP addresses. (Default: Disabled)
Start IP Address – The starting address of a range.
End IP Address – The ending address of a range.
HTTP/HTTPS – Filters IP addresses for access to the web interface over standard HTTP, or over HTTPS which uses the Secure Sockets Layer (SSL) protocol to provide an encrypted connection.
SNMP – Filters IP addresses for access through SNMP.
TELNET/SSH – Filters IP addresses for access through Telnet, or through Secure Shell which provides authentication and encryption.
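An added model (not the switch's own firmware) of the Access Management semantics above, useful for confirming that the management station falls inside a range before Mode is enabled and the administrator is locked out; it assumes that an interface with no entry stays open, as the text describes, and the address ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

PROTOCOLS = ("HTTP/HTTPS", "SNMP", "TELNET/SSH")   # the three filter columns
MAX_ENTRIES = 16                                   # limit stated in the guide


@dataclass(frozen=True)
class FilterEntry:
    start: str                    # Start IP Address
    end: str                      # End IP Address
    protocols: FrozenSet[str]     # the interfaces this entry restricts

    def covers(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return ipaddress.IPv4Address(self.start) <= addr <= ipaddress.IPv4Address(self.end)


def is_permitted(mode_enabled: bool, entries: List[FilterEntry],
                 client_ip: str, protocol: str) -> bool:
    """Return True if client_ip may reach the given management interface."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    if len(entries) > MAX_ENTRIES:
        raise ValueError("the switch accepts at most 16 filter entries")
    if not mode_enabled:
        return True               # Mode disabled: open to all addresses
    relevant = [e for e in entries if protocol in e.protocols]
    if not relevant:
        return True               # assumption: no entry for this interface = open
    return any(e.covers(client_ip) for e in relevant)


def lockout_check(entries: List[FilterEntry], admin_ip: str) -> List[str]:
    """Interfaces the administrator at admin_ip would lose once Mode is enabled."""
    return [p for p in PROTOCOLS if not is_permitted(True, entries, admin_ip, p)]
```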
WEB INTERFACE
To configure Access Management controls in the web interface:
1. Click Configuration, System, Access Management.
2. Set the Mode to Enabled.
3. Enter the start and end of an address range.
4. Mark the protocols to restrict based on the specified address range. The information shown below provides an example of how to restrict management access for all protocols to a specific address range.
5. Click Save.
Figure 7: Access Management Configuration
CONFIGURING PORT CONNECTIONS
The Port Configuration page includes configuration options for enabling auto-negotiation or manually setting the speed and duplex mode, enabling flow control, setting the maximum frame size, specifying the response to excessive collisions, or enabling power saving mode.
PARAMETERS
The following parameters are displayed on the Port Configuration page:
Link – Indicates if the link is up or down.
Speed – Sets the port speed and duplex mode using auto-negotiation or manual selection. The following options are supported:
Disable - Disables the interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also disable an interface for security reasons.
Auto - Enables auto-negotiation. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities.
1G FDX - Supports 1 Gbps full-duplex operation
100Mbps FDX - Supports 100 Mbps full-duplex operation
100Mbps HDX - Supports 100 Mbps half-duplex operation
10Mbps FDX - Supports 10 Mbps full-duplex operation
10Mbps HDX - Supports 10 Mbps half-duplex operation
(Default: Autonegotiation enabled; Advertised capabilities for RJ-45: 1000BASE-T - 10half, 10full, 100half, 100full, 1000full; SFP: 1000BASE-SX/LX/LH - 1000full)
NOTE: The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
Flow Control – Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation. (Default: Disabled)
When auto-negotiation is used, this parameter indicates the flow control capability advertised to the link partner. When the speed and duplex mode are manually set, the Current Rx field indicates whether pause frames are obeyed by this port, and the Current Tx field indicates if pause frames are transmitted from this port.
Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.
Maximum Frame – Sets the maximum transfer unit for traffic crossing the switch. Packets exceeding the maximum frame size are dropped. (Range: 1518-9600 bytes; Default: 9600 bytes)
Excessive Collision Mode – Sets the response to take when excessive transmit collisions are detected on a port.
Discard - Discards a frame after 16 collisions (default).
Restart - Restarts the backoff algorithm after 16 collisions.
Power Control – Adjusts the power provided to ports based on the length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements.
IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can significantly reduce power used for cable lengths of 20 meters or less, and continue to ensure signal integrity.
The following options are supported:
Disabled – All power savings mechanisms disabled (default).
Enabled – Both link up and link down power savings enabled.
ActiPHY – Link down power savings enabled.
PerfectReach – Link up power savings enabled.
WEB INTERFACE
To configure port connection settings in the web interface:
1. Click Configuration, Ports.
2. Make any required changes to the connection settings.
3. Click Save.
Figure 8: Port Configuration
CONFIGURING AUTHENTICATION FOR MANAGEMENT ACCESS AND 802.1X
Use the Authentication Configuration page to specify the authentication method for controlling management access through Telnet, SSH or HTTP/ HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled with a RADIUS or TACACS+ remote access authentication server. Note that the RADIUS servers used to authenticate client access for IEEE 802.1X port authentication are also configured on this page (see page 82).
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.
Figure: Authentication sequence between a management client (web, console or Telnet), the switch, and a RADIUS/TACACS+ server
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
USAGE GUIDELINES
The switch supports the following authentication services:
Authorization of users that access the Telnet, SSH, the web, or console management interfaces on the switch.
Accounting for users that access the Telnet, SSH, the web, or console management interfaces on the switch.
Accounting for IEEE 802.1X authenticated users that access the network through the switch. This accounting can be used to provide reports, auditing, and billing for services that users have accessed.
By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication method and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via Telnet, SSH, a web browser, or the console interface.
When using RADIUS or TACACS+ logon authentication, the user name and password must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).
NOTE: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS and TACACS+ server software.
PARAMETERS
The following parameters are displayed on the Authentication Configuration page:
Client Configuration
Client – Specifies how the administrator is authenticated when logging into the switch via Telnet, SSH, a web browser, or the console interface.
Authentication Method – Selects the authentication method. (Options: None, Local, RADIUS, TACACS+; Default: Local)
Selecting the option “None” disables access through the specified management interface.
Fallback – Uses the local user database for authentication if none of the configured authentication servers are alive. This is only possible if the Authentication Method is set to something other than “None” or “Local.”
Common Server Configuration
Timeout – The time the switch waits for a reply from an authentication server before it resends the request. (Range: 3-3600 seconds; Default: 15 seconds)
Dead Time – The time after which the switch considers an authentication server to be dead if it does not reply. (Range: 0-3600 seconds; Default: 300 seconds)
Setting the Dead Time to a value greater than 0 (zero) will cause a non-responding authentication server to be ignored until the Dead Time has expired. However, if only one server is enabled, it will never be considered dead.
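An added example, not from the guide or the switch firmware, that models the Timeout, Dead Time and Fallback behaviour above so the effect of a silent server on management logins can be reasoned about; the reply_from set stands in for the network, and one attempt per alive server is assumed because the guide does not state a resend count.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AuthServer:
    name: str
    enabled: bool = True
    dead_until: float = 0.0      # time until which the switch ignores this server


@dataclass
class AuthConfig:
    method: str                  # "none", "local", "radius" or "tacacs+"
    fallback: bool = False       # use the local database if no server is alive
    timeout: int = 15            # seconds to wait for a reply (3-3600)
    dead_time: int = 300         # seconds a silent server is skipped (0-3600)
    servers: List[AuthServer] = field(default_factory=list)


def alive_servers(cfg: AuthConfig, now: float) -> List[AuthServer]:
    """Enabled servers whose Dead Time (if any) has expired."""
    return [s for s in cfg.servers if s.enabled and s.dead_until <= now]


def authenticate(cfg: AuthConfig, now: float,
                 reply_from: Set[str]) -> Tuple[str, Optional[str]]:
    """Decide which database answers a login at time `now`.

    reply_from: constructed stand-in for the network, the names of the servers
    that answer within cfg.timeout. Returns ("server", name), ("local", None)
    or ("denied", None)."""
    if cfg.method == "none":
        return ("denied", None)           # "None" disables the interface
    if cfg.method == "local":
        return ("local", None)
    enabled = [s for s in cfg.servers if s.enabled]
    for server in alive_servers(cfg, now):
        if server.name in reply_from:
            return ("server", server.name)
        # No reply within Timeout: skip this server for Dead Time seconds,
        # unless it is the only enabled server (then it is never marked dead).
        if cfg.dead_time > 0 and len(enabled) > 1:
            server.dead_until = now + cfg.dead_time
    if cfg.fallback:
        return ("local", None)            # no server alive: Fallback applies
    return ("denied", None)
```

Note that with the default Dead Time of 300 seconds, a server that recovers is still skipped for up to five minutes after its last missed reply.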
RADIUS/TACACS+ Server Configuration
Enabled – Enables the server specified in this entry.
IP Address – IP address or IP alias of authentication server.
Port – Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 0)
If the UDP port is set to 0 (zero), the switch will use 1812 for RADIUS authentication servers, 1813 for RADIUS accounting servers, or 49 for TACACS+ authentication servers.
Secret – Encryption key used to authenticate logon access for the client. (Maximum length: 29 characters)
To set an empty secret, use two quotes (“”). To use spaces in the secret, enclose the secret in quotes. Quotes within the secret are not allowed.
WEB INTERFACE
To configure authentication for management access in the web interface:
1. Click Configuration, Authentication.
2. Configure the authentication method for management client types, the common server timing parameters, and address, UDP port, and secret key for each required RADIUS or TACACS+ server.
3. Click Save.
Figure 9: Authentication Configuration
CREATING TRUNK GROUPS
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two switches.
The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP). Static trunks have to be manually configured at both ends of the link, and the switches must comply with the Cisco EtherChannel standard. On the other hand, LACP configured ports can automatically negotiate a trunked link with LACP-configured ports on another device. You can configure any number of ports on the switch to use LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured to use LACP, the switch and the other device will negotiate a trunk between them. If an LACP trunk consists of more than eight ports, all other ports will be placed in standby mode. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it.
USAGE GUIDELINES
Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, configure the trunk on the devices at both ends. When using a port trunk, take note of the following points:
Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
You can create up to 14 trunks on a switch, with up to 16 ports per trunk.
The ports at both ends of a connection must be configured as trunk ports.
When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard.
The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
STP, VLAN, and IGMP settings can only be made for the entire trunk.
CONFIGURING STATIC TRUNKS
Use the Static Aggregation page to configure the aggregation mode and members of each static trunk group.
USAGE GUIDELINES
When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer's implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface.
When incoming data frames are forwarded through the switch to a trunk, the switch must determine to which port link in the trunk an outgoing frame should be sent. To maintain the frame sequence of various traffic flows between devices in the network, the switch also needs to ensure that frames in each “conversation” are mapped to the same trunk link. To achieve this requirement and to distribute a balanced load across all links in a trunk, the switch uses a hash algorithm to calculate an output link number in the trunk. However, depending on the device to which a trunk is connected and the traffic flows in the network, this load-balance algorithm may result in traffic being distributed mostly on one port in a trunk. To ensure that the switch traffic load is distributed evenly across all links in a trunk, the hash method used in the load-balance calculation can be selected to provide the best result for trunk connections. The switch provides four load-balancing modes as described in the following section.
Aggregation Mode Configuration also applies to LACP (see “Configuring LACP” on page 73).
PARAMETERS
The following parameters are displayed on the configuration page for static trunks:
Aggregation Mode Configuration
Hash Code Contributors – Selects the load-balance method to apply to all trunks on the switch. If more than one option is selected, each factor is used in the hash algorithm to determine the port member within the trunk to which a frame will be assigned. The following options are supported:
Source MAC Address – All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts. (One of the defaults.)
Destination MAC Address – All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-router trunk links where the destination MAC address is the same for all traffic.
IP Address – All traffic with the same source and destination IP address is output on the same link in a trunk. This mode works best for switch-to-router trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-server trunk links where the destination IP address is the same for all traffic. (One of the defaults.)
TCP/UDP Port Number – All traffic with the same source and destination TCP/UDP port number is output on the same link in a trunk. Avoid using this mode as a lone option. It may overload a single port member of the trunk for application traffic of a specific type, such as web browsing. However, it can be used effectively in combination with the IP Address option. (One of the defaults.)
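An added example (not Edge-Core's algorithm) showing how the choice of Hash Code Contributors decides link selection and why destination-MAC hashing collapses onto one link for router-bound traffic; CRC-32 stands in for the switch's undocumented hash, and the traffic sample is constructed.

```python
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# The four Hash Code Contributors from the page, each reduced to the field(s)
# it feeds into the hash. "ip" and "l4_port" use source AND destination
# values, as the guide states.
CONTRIBUTORS = {
    "src_mac": lambda f: f.src_mac,
    "dst_mac": lambda f: f.dst_mac,
    "ip": lambda f: f"{f.src_ip}>{f.dst_ip}",
    "l4_port": lambda f: f"{f.src_port}>{f.dst_port}",
}


def select_link(frame: Frame, contributors: Set[str], links: int) -> int:
    """Map a frame to a trunk member 0..links-1. Frames whose selected fields
    are identical always land on the same link, which keeps each conversation
    in order. CRC-32 is a stand-in for the switch's real hash."""
    if not contributors:
        raise ValueError("at least one hash code contributor must be selected")
    unknown = set(contributors) - set(CONTRIBUTORS)
    if unknown:
        raise ValueError(f"unknown contributor(s): {sorted(unknown)}")
    key = "|".join(CONTRIBUTORS[c](frame) for c in sorted(contributors))
    return zlib.crc32(key.encode()) % links


def distribution(frames: Iterable[Frame], contributors: Set[str], links: int) -> Counter:
    """How many frames each trunk member would carry."""
    return Counter(select_link(f, contributors, links) for f in frames)


def links_used_per_mode(frames: Iterable[Frame], links: int) -> Dict[str, int]:
    """Distinct trunk members used under each single-contributor mode, which
    makes the guide's switch-to-router warning visible."""
    frames = list(frames)
    return {mode: len(distribution(frames, {mode}, links)) for mode in CONTRIBUTORS}


def router_bound_sample(hosts: int = 8) -> List[Frame]:
    """Constructed traffic: `hosts` LAN hosts all sending through one router
    (same destination MAC) towards different remote addresses."""
    return [
        Frame(src_mac=f"00:11:22:33:44:{i:02x}", dst_mac="00:aa:bb:cc:dd:ee",
              src_ip=f"192.168.2.{10 + i}", dst_ip=f"198.51.100.{i}",
              src_port=40000 + i, dst_port=443)
        for i in range(hosts)
    ]
```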
Aggregation Group Configuration
Group ID – Trunk identifier. (Range: 1-14)
Port Members – Port identifier. (Range: 1-28)
WEB INTERFACE
To configure a static trunk:
1. Click Configuration, Aggregation, Static.
2. Select one or more load-balancing methods to apply to the configured trunks.
3. Assign port members to each trunk that will be used.
4. Click Save.
Figure 10: Static Trunk Configuration
CONFIGURING LACP
Use the LACP Port Configuration page to enable LACP on selected ports, configure the administrative key, and the protocol initiation mode.
USAGE GUIDELINES
To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
All ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
Trunks dynamically established through LACP will be shown on the LACP System Status page (page 163) and LACP Port Status (page 163) pages under the Monitor menu.
Ports assigned to a common link aggregation group (LAG) must meet the following criteria:
Ports must have the same LACP Admin Key. Using auto-configuration of the Admin Key will avoid this problem.
One of the ports at either the near end or far end must be set to active initiation mode.
Aggregation Mode Configuration located under the Static Aggregation menu (see “Configuring Static Trunks” on page 70) also applies to LACP.
PARAMETERS
The following parameters are displayed on the configuration page for dynamic trunks:
Port – Port identifier. (Range: 1-28)
LACP Enabled – Controls whether LACP is enabled on this switch port. LACP will form an aggregation when two or more ports are connected to the same partner. LACP can form up to 12 LAGs per switch.
Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default: Auto)
Select the Specific option to manually configure a key. Use the Auto selection to automatically set the key based on the actual link speed, where 10Mb = 1, 100Mb = 2, and 1Gb = 3.
Role – Configures active or passive LACP initiation mode. Use Active initiation of LACP negotiation on a port to automatically send LACP negotiation packets (once each second). Use Passive initiation mode on a port to make it wait until it receives an LACP protocol packet from a partner before starting negotiations.
WEB INTERFACE
To configure a dynamic trunk:
1. Click Configuration, Aggregation, LACP.
2. Enable LACP on all of the ports to be used in an LAG.
3. Specify the LACP Admin Key to restrict a port to a specific LAG.
4. Set at least one of the ports in each LAG to Active initiation mode, either at the near end or far end of the trunk.
5. Click Save.
Figure 11: LACP Port Configuration
CONFIGURING THE SPANNING TREE ALGORITHM
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
This switch supports Rapid Spanning Tree Protocol (RSTP), but is backward compatible with Spanning Tree Protocol (STP).
STP - STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Figure: Spanning tree roles (Designated Root, Designated Bridge, Designated Port, Root Port)
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.
RSTP - RSTP is designed as a general replacement for the slower, legacy STP. RSTP is also incorporated into MSTP (Multiple Spanning Tree Protocol). RSTP achieves much faster reconfiguration (i.e., around 1 to 3 seconds, compared to 30 seconds or more for STP) by reducing the number of state changes before active ports start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs.
CONFIGURING GLOBAL SETTINGS FOR STA
Use the RSTP System Configuration page to configure settings for STA which apply globally to the switch.
PARAMETERS
The following parameters are displayed on the RSTP System Configuration page:
System Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. Note that lower numeric values indicate higher priority. (Options: 0-61440, in steps of 4096; Default: 32768)
Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Note that references to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
Minimum: The higher of 6 or [2 x (Hello Time + 1)]
Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
Default: 20
Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
Maximum: 30
Default: 15
Transmit Hold Count – The number of BPDUs a bridge port can send per second. When exceeded, transmission of the next BPDU will be delayed. (Range: 1-10; Default: 6)
Protocol Version – Specifies the type of spanning tree used on this switch. (Options: Normal – RSTP, or Compatible – STP; Default: Normal)
RSTP supports connections to either RSTP or STP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
RSTP Mode - If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
STP Compatible Mode - If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port's migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
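The two global rules above that are easy to get wrong are the timer interdependencies (Max Age is bounded by both Hello Time and Forward Delay) and the root election order (priority first, MAC address second). The following Python is an added worked example, not code from the manual or the switch firmware: it checks a proposed Max Age / Forward Delay pair against the bounds printed on the RSTP System Configuration page, and elects the root from a list of bridges by building the 802.1D bridge identifier. The bridge names, priorities and MAC addresses are constructed sample data, and the RSTP hello time of 2 seconds is assumed.

```python
"""Added worked example (not from the Edge-Core manual): checks the Max Age /
Forward Delay / Hello Time interdependencies quoted on the RSTP System
Configuration page and elects the STA root bridge from a list of bridges."""
import math
from dataclasses import dataclass

PRIORITY_STEP = 4096      # System Priority is set in steps of 4096
PRIORITY_MAX = 61440      # 15 * 4096
HELLO_TIME = 2            # RSTP hello time assumed for the Max Age lower bound


def validate_sta_timers(max_age, forward_delay, hello_time=HELLO_TIME):
    """Return a list of violated constraints (empty list means the timers are
    consistent).  The bounds are the ones printed on the configuration page:
      Max Age:        max(6, 2*(Hello+1))  <= Max Age       <= min(40, 2*(FwdDelay-1))
      Forward Delay:  max(4, MaxAge/2 + 1) <= Forward Delay <= 30
    """
    problems = []
    age_lo = max(6, 2 * (hello_time + 1))
    age_hi = min(40, 2 * (forward_delay - 1))
    if not age_lo <= max_age <= age_hi:
        problems.append(f"Max Age {max_age}s outside [{age_lo}, {age_hi}]")
    fwd_lo = max(4, math.ceil(max_age / 2) + 1)
    if not fwd_lo <= forward_delay <= 30:
        problems.append(f"Forward Delay {forward_delay}s outside [{fwd_lo}, 30]")
    return problems


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0-61440 in steps of 4096; lower value = higher priority
    mac: str        # bridge MAC address, e.g. "00:12:cf:00:00:01"

    def bridge_id(self):
        """802.1D bridge identifier: 16-bit priority followed by the 48-bit MAC.
        Comparing the integer compares priority first and MAC second, which is
        exactly the root-election rule the manual describes."""
        if not 0 <= self.priority <= PRIORITY_MAX or self.priority % PRIORITY_STEP:
            raise ValueError(f"{self.name}: priority must be 0-{PRIORITY_MAX} in steps of {PRIORITY_STEP}")
        mac = int(self.mac.replace(":", "").replace("-", ""), 16)
        if mac >> 48:
            raise ValueError(f"{self.name}: MAC must be 48 bits")
        return (self.priority << 48) | mac


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID becomes the root."""
    return min(bridges, key=Bridge.bridge_id)


if __name__ == "__main__":
    # Constructed sample: a core switch deliberately given priority 4096 and
    # two access switches left at the default 32768.
    core = Bridge("core", 4096, "00:12:cf:ff:ff:ff")
    acc1 = Bridge("access-1", 32768, "00:12:cf:00:00:10")
    acc2 = Bridge("access-2", 32768, "00:12:cf:00:00:01")
    print("root:", elect_root([core, acc1, acc2]).name)           # core
    print("root without core:", elect_root([acc1, acc2]).name)   # access-2 (lower MAC)
    print("default timers:", validate_sta_timers(20, 15) or "ok")
    print("bad timers:", validate_sta_timers(20, 10))
```

The second election shows why the priority should be set deliberately: with every bridge at the default, the switch with the lowest MAC address (often the newest or cheapest device on the segment) becomes root.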
WEB INTERFACE
To configure global settings for RSTP:
1. Click Configuration, Spanning Tree, System.
2. Modify the required attributes.
3. Click Save.
Figure 12: RSTP System Configuration
CONFIGURING INTERFACE SETTINGS FOR STA
Use the RSTP Port Configuration page to configure RSTP attributes for specific interfaces, including path cost, port priority, edge port (for fast forwarding), automatic detection of an edge port, and point-to-point link type.
PARAMETERS
The following parameters are displayed on the RSTP Port Configuration page:
Port – Port identifier. (Range: 1-28)
This field is not applicable to static trunks or dynamic trunks created through LACP. Also, note that only one set of interface configuration settings can be applied to all trunks.
RSTP Enabled – Enables RSTP on this interface. (Default: Enabled)
Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
Table 5: Recommended STA Path Cost Range

Port Type        | IEEE 802.1D-1998 | IEEE 802.1w-2001
Ethernet         | 50-600           | 200,000-20,000,000
Fast Ethernet    | 10-60            | 20,000-2,000,000
Gigabit Ethernet | 3-10             | 2,000-200,000

Table 6: Recommended STA Path Costs

Port Type        | Link Type   | IEEE 802.1D-1998 | IEEE 802.1w-2001
Ethernet         | Half Duplex | 100              | 2,000,000
Ethernet         | Full Duplex | 95               | 1,999,999
Ethernet         | Trunk       | 90               | 1,000,000
Fast Ethernet    | Half Duplex | 19               | 200,000
Fast Ethernet    | Full Duplex | 18               | 100,000
Fast Ethernet    | Trunk       | 15               | 50,000
Gigabit Ethernet | Full Duplex | 4                | 10,000
Gigabit Ethernet | Trunk       | 3                | 5,000

Table 7: Default STA Path Costs

Port Type        | Link Type   | IEEE 802.1w-2001
Ethernet         | Half Duplex | 2,000,000
Ethernet         | Full Duplex | 1,000,000
Ethernet         | Trunk       | 500,000
Fast Ethernet    | Half Duplex | 200,000
Fast Ethernet    | Full Duplex | 100,000
Fast Ethernet    | Trunk       | 50,000
Gigabit Ethernet | Full Duplex | 10,000
Gigabit Ethernet | Trunk       | 5,000
Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. (Range: 0-240, in steps of 16; Default: 128)
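The path cost and priority rules just described, as an added worked example that is not code from the manual or the switch: it looks up the IEEE 802.1w default path cost the switch would assign from Table 7, then ranks candidate uplinks the way the text says STA does, with path cost taking precedence over port priority and the lowest port number breaking a full tie. It assumes all candidates lead to the same upstream bridge (parallel uplinks), which is the situation in which the port priority actually decides; the port numbers and link speeds are constructed sample data.

```python
"""Added worked example (not from the Edge-Core manual): the IEEE 802.1w default
path costs from Table 7 and the order in which STA ranks a bridge's candidate
root ports: path cost first, then port priority, then the lowest port number."""
from dataclasses import dataclass

# Table 7 (Default STA Path Costs, IEEE 802.1w-2001), keyed by
# (speed in Mbit/s, full duplex?, trunk?).  Half-duplex Gigabit is not listed.
DEFAULT_PATH_COST = {
    (10, False, False): 2_000_000,    # Ethernet, half duplex
    (10, True, False): 1_000_000,     # Ethernet, full duplex
    (10, True, True): 500_000,        # Ethernet, trunk
    (100, False, False): 200_000,     # Fast Ethernet, half duplex
    (100, True, False): 100_000,      # Fast Ethernet, full duplex
    (100, True, True): 50_000,        # Fast Ethernet, trunk
    (1000, True, False): 10_000,      # Gigabit Ethernet, full duplex
    (1000, True, True): 5_000,        # Gigabit Ethernet, trunk
}


def default_path_cost(speed_mbps, full_duplex=True, trunk=False):
    """Cost the switch assigns when it auto-detects speed and duplex."""
    try:
        return DEFAULT_PATH_COST[(speed_mbps, full_duplex, trunk)]
    except KeyError:
        raise ValueError(f"no default cost for {speed_mbps} Mbit/s, "
                         f"full_duplex={full_duplex}, trunk={trunk}") from None


@dataclass(frozen=True)
class CandidatePort:
    port: int                     # port number 1-28
    path_cost: int                # cost of the link on this port
    priority: int = 128           # 0-240 in steps of 16; lower wins
    upstream_root_cost: int = 0   # root path cost advertised in the BPDU received

    def root_path_cost(self):
        return self.upstream_root_cost + self.path_cost


def select_root_port(candidates):
    """Pick the root port among ports that receive BPDUs from the same upstream
    bridge (e.g. parallel uplinks).  Ranking follows the manual: lowest root
    path cost wins; among equal costs the lowest priority value wins; among
    equal priorities the lowest port number wins.  (The full 802.1w comparison
    also looks at the sender's bridge ID and port ID between the cost and the
    local priority; with a single upstream bridge those are equal anyway.)"""
    for c in candidates:
        if not 0 <= c.priority <= 240 or c.priority % 16:
            raise ValueError(f"port {c.port}: priority must be 0-240 in steps of 16")
    return min(candidates, key=lambda c: (c.root_path_cost(), c.priority, c.port))


if __name__ == "__main__":
    # Constructed sample: two Gigabit uplinks and one Gigabit trunk to the same core switch.
    uplinks = [
        CandidatePort(1, default_path_cost(1000)),                               # 10,000, priority 128
        CandidatePort(2, default_path_cost(1000), priority=64),                  # 10,000, preferred by priority
        CandidatePort(3, default_path_cost(1000, trunk=True), priority=240),     # 5,000, worst priority
    ]
    print("root port:", select_root_port(uplinks).port)               # 3: path cost beats priority
    print("without the trunk:", select_root_port(uplinks[:2]).port)   # 2: priority decides
```

Port 3 wins despite carrying the worst possible priority, which is the "path cost takes precedence over port priority" rule in action; priority only matters once costs tie.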
Admin Edge (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying edge ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that this feature should only be enabled for ports connected to an end-node device; an edge port that is later cabled to another bridge goes to forwarding immediately and can form a temporary loop until the first BPDU arrives. (Default: Edge)
Auto Edge – Controls whether automatic edge detection is enabled on a bridge port. When enabled, the bridge can determine that a port is at the edge of the network if no BPDUs are received on the port. (Default: Enabled)
Point2Point – The link type attached to an interface can be set to automatically detect the link type, or manually configured as point-to-point or shared medium. Transition to the forwarding state is faster for point-to-point links than for shared media. These options are described below:
Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared medium. (This is the default setting.)
Forced True – A point-to-point connection to exactly one other bridge.
Forced False – A shared connection to two or more bridges.
WEB INTERFACE
To configure interface settings for RSTP:
1. Click Configuration, Spanning Tree, Ports.
2. Modify the required attributes.
3. Click Save.
Figure 13: RSTP Port Configuration
CONFIGURING 802.1X PORT AUTHENTICATION
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
The IEEE 802.1X (dot1x) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which forwards it to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but also the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The EAP method used by IEEE 802.1X to carry the authentication exchange can be MD5 (EAP-MD5 challenge), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). Note that the only method supported by MAC-based authentication is MD5; EAP-MD5 is a plain challenge/response with no mutual authentication and no key derivation, so it is the weakest of the four. The client responds to the chosen method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

Figure: 802.1X authentication exchange between the 802.1x client, the switch and the RADIUS server
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.
The operation of 802.1X on the switch requires the following:
The switch must have an IP address assigned (see page 56).
RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. Backend RADIUS servers are configured on the Authentication configuration page (see page 65).
802.1X / MAC-based authentication must be enabled globally for the switch.
The Admin State for each switch port that requires client authentication must be set to 802.1X or MAC-based.
When using 802.1X authentication:
Each client that needs to be authenticated must have dot1x client software installed and properly configured.
The RADIUS server and 802.1X client must support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
The RADIUS server and client also have to support the same EAP authentication type - MD5, PEAP, TLS, or TTLS. (Native support for these EAP methods is provided in Windows XP, and in Windows 2000 with Service Pack 4. To support them in Windows 95 and 98, you can use the AEGIS dot1x client or other comparable client software.)
MAC-based authentication allows for authentication of more than one user on the same port, and does not require the user to have special 802.1X software installed on his system. The switch uses the client's MAC address to authenticate against the backend server. However, note that intruders can create counterfeit MAC addresses, which makes MAC-based authentication less secure than 802.1X authentication.
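The EAP-MD5 exchange that the RADIUS server runs for a MAC-based client, as an added worked example rather than anything from the manual or the switch firmware. It follows RFC 3748 section 5.4 for the packet layout and the digest, verifies a response the way a RADIUS server does, and then shows what the warning about counterfeit MAC addresses means in practice: because the MAC address is both the identity and the secret, anyone who observes one challenge/response pair can recover it offline, and anyone who knows it can present it. The User-Name and secret format the switch sends for a MAC address is not stated in the manual; colon-separated lowercase hex, the 00:12:cf prefix and the EAP Identifier 0x2a are assumptions of this example, and the challenge bytes are constructed rather than random.

```python
"""Added worked example (not from the Edge-Core manual): the EAP-MD5 challenge /
response exchange of RFC 3748 section 5.4 that the switch relays for MAC-based
authentication, verified the way a RADIUS server does, followed by the passive
offline attack that makes EAP-MD5 with a MAC address as the secret weak."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_packet(code, identifier, eap_type, type_data):
    """EAP header (Code, Identifier, Length) followed by Type and Type-Data."""
    length = 5 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def md5_challenge_request(identifier, challenge, name=b""):
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(challenge)]) + challenge + name)


def md5_response_value(identifier, secret, challenge):
    """RFC 3748 / RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def md5_challenge_response(identifier, secret, challenge, name=b""):
    value = md5_response_value(identifier, secret, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(value)]) + value + name)


def parse_md5_challenge(packet):
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return {"code": code, "id": identifier, "value": value, "name": packet[6 + value_size:]}


def radius_verify(request, response, secrets):
    """What the RADIUS server checks: same Identifier, known user, matching digest."""
    req, resp = parse_md5_challenge(request), parse_md5_challenge(response)
    if req["code"] != EAP_REQUEST or resp["code"] != EAP_RESPONSE or req["id"] != resp["id"]:
        return False
    secret = secrets.get(resp["name"].decode(errors="replace"))
    if secret is None:
        return False
    expected = md5_response_value(resp["id"], secret, req["value"])
    return hmac.compare_digest(expected, resp["value"])


def recover_mac_offline(request, response, known_prefix):
    """A passive observer of one request/response pair can test candidate
    secrets offline.  With MAC-based authentication the secret is a MAC
    address; here the first four octets are assumed known (e.g. from other
    frames of the same host), leaving 65536 candidates to hash."""
    req, resp = parse_md5_challenge(request), parse_md5_challenge(response)
    for n in range(1 << 16):
        candidate = f"{known_prefix}:{n >> 8:02x}:{n & 0xff:02x}"
        if md5_response_value(resp["id"], candidate.encode(), req["value"]) == resp["value"]:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample exchange; a real server uses random challenge bytes.
    mac = "00:12:cf:01:02:03"
    challenge = bytes(range(16))
    request = md5_challenge_request(0x2a, challenge)
    response = md5_challenge_response(0x2a, mac.encode(), challenge, name=mac.encode())
    print("accepted:", radius_verify(request, response, {mac: mac.encode()}))
    print("recovered:", recover_mac_offline(request, response, "00:12:cf:01"))
```

The recovery step is the concrete reason MAC-based authentication is described as less secure: the "credential" is visible in every frame the host sends, and even where the exchange alone is observed, the digest can be brute-forced over a tiny keyspace. Use MAC-based ports only for devices that cannot run a supplicant, and keep them in a VLAN sized for that trust level.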
USAGE GUIDELINES
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.
PARAMETERS
The following parameters are displayed on the Port Security Configuration page:
System Configuration
Mode - Indicates if 802.1X and MAC-based authentication are globally enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames.
Reauthentication Enabled - Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore does not imply that a client is still present on a port (see Age Period below).
Reauthentication Period - Sets the time period after which a connected client must be re-authenticated. (Range: 1-3600 seconds; Default: 3600 seconds)
EAP Timeout - Sets the time the switch waits for a supplicant response during an authentication session before retransmitting an EAP packet. (Range: 1-255 seconds; Default: 30 seconds)
Age Period - The period used to calculate when to age out a client allowed access to the switch through MAC-based authentication as described below. (Range: 10-1000000 seconds; Default: 300 seconds)
Suppose a client is connected to a 3rd party switch or hub, which in turn is connected to a port on this switch that is running MAC-based authentication, and suppose the client gets successfully authenticated. Now assume that the client powers down the PC. What should make the switch forget about the authenticated client? Reauthentication will not solve this problem, since it does not require the client to be present, as discussed under Reauthentication Enabled above. The solution is aging out authenticated clients.
A timer is started when the client gets authenticated. After half the age period, the switch starts looking for frames sent by the client. If another half age period elapses and no frames are seen, the client is considered removed from the system, and it will have to authenticate again the next time a frame is seen from it. If, on the other hand, the client transmits a frame before the second half of the age period expires, the switch will consider the client alive, and leave it authenticated. Therefore, an age period of T will require the client to send frames more frequently than every T/2 seconds to stay authenticated.
Hold Time - The time after an EAP Failure indication or RADIUS timeout that a client is not allowed access. This setting applies to ports running MAC-based authentication only. (Range: 10-1000000 seconds; Default: 10 seconds)
If the RADIUS server denies a client access, or a RADIUS server request times out (according to the timeout specified on the Authentication menu, page 65), the client is put on hold in the Unauthorized state. In this state, frames from the client will not cause the switch to attempt to reauthenticate the client.
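The Age Period and Hold Time rules above as a small state model, added here as a worked example; it is not the switch's implementation. It reproduces the behaviour the text describes: the switch only counts frames seen in the second half of each age period, a client silent through a whole second half is forgotten, and a client that was rejected or timed out is ignored, without a new RADIUS request, until the hold expires. Times are plain seconds and the MAC addresses are constructed sample values.

```python
"""Added worked example (not from the Edge-Core manual): the client lifetime
rules for MAC-based authentication on the Port Security page, i.e. the Age
Period (frames must be seen in the second half of each period) and the Hold
Time applied after a RADIUS reject or timeout."""


class MacAuthPort:
    """Authenticated-client bookkeeping for one MAC-based port."""

    def __init__(self, age_period=300, hold_time=10):
        for name, value in (("Age Period", age_period), ("Hold Time", hold_time)):
            if not 10 <= value <= 1_000_000:
                raise ValueError(f"{name} must be 10-1000000 seconds")
        self.age_period = age_period
        self.hold_time = hold_time
        self._clients = {}   # mac -> {"start": period start, "seen": frame seen in 2nd half}
        self._hold = {}      # mac -> time at which the hold expires

    def radius_result(self, mac, now, accepted):
        """Outcome of the RADIUS request the switch made on behalf of `mac`."""
        if accepted:
            self._clients[mac] = {"start": now, "seen": False}
            self._hold.pop(mac, None)
        else:
            self._clients.pop(mac, None)
            self._hold[mac] = now + self.hold_time

    def _age(self, mac, now):
        """Roll the age timer forward to `now`; return False if the client aged out."""
        state = self._clients[mac]
        while now >= state["start"] + self.age_period:
            if not state["seen"]:
                del self._clients[mac]          # silent for a whole second half: gone
                return False
            state["start"] += self.age_period   # alive: start the next period
            state["seen"] = False
        return True

    def is_authenticated(self, mac, now):
        return mac in self._clients and self._age(mac, now)

    def frame_from(self, mac, now):
        """Decide what happens to a frame from `mac` arriving at time `now`."""
        if mac in self._hold:
            if now < self._hold[mac]:
                return "dropped: client on hold"      # no new RADIUS request is made
            del self._hold[mac]
        if self.is_authenticated(mac, now):
            if now >= self._clients[mac]["start"] + self.age_period / 2:
                self._clients[mac]["seen"] = True    # the switch only looks in the 2nd half
            return "forwarded"
        return "dropped: authentication required"   # triggers a new RADIUS request


if __name__ == "__main__":
    port = MacAuthPort(age_period=300, hold_time=10)
    port.radius_result("00:12:cf:00:00:01", 0, accepted=True)
    for t in (100, 200, 450, 1000):
        print(t, port.frame_from("00:12:cf:00:00:01", t))
    # 100 forwarded, 200 forwarded (seen), 450 forwarded (seen), 1000 dropped (aged out)
    port.radius_result("00:12:cf:00:00:02", 0, accepted=False)
    print(5, port.frame_from("00:12:cf:00:00:02", 5))     # dropped: client on hold
    print(12, port.frame_from("00:12:cf:00:00:02", 12))   # dropped: authentication required
```

Note the edge case the second client in the test exercises: a host that transmits only during the first half of the period (for example a chatty burst right after authentication, then silence) is aged out at T even though it was never idle for T.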
Port Configuration
Port – Port identifier. (Range: 1-28)
Admin State - Sets the authentication mode to one of the following options:
Authorized - Forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.)
Unauthorized - Forces the port to deny access to all clients, either dot1x-aware or otherwise.
802.1X - Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
MAC-Based - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port, whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be dropped. Clients that are not (or not yet) successfully authenticated will not be allowed to transmit frames of any kind.
Port Admin state can only be set to Authorized for ports participating in the Spanning Tree algorithm (see page 78).
When 802.1X authentication is enabled on a port, the MAC address learning function for this interface is disabled, and the addresses dynamically learned on this port are removed from the common address table.
Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table. Configured static MAC addresses are added to the secure address table when seen on a switch port (see page 99). Static addresses are treated as authenticated without sending a request to a RADIUS server.
When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
Port State - The current state of the port:
Disabled - 802.1X and MAC-based authentication are globally disabled. (This is the default state.)
Link Down - 802.1X or MAC-based authentication is enabled, but there is no link on the port.
Authorized - The port is authorized. This state exists when 802.1X authentication is enabled, the port has a link, the Admin State is “802.1X,” and the supplicant is authenticated, or when the Admin State is “Authorized.”
Unauthorized - The port is unauthorized. This state exists when 802.1X authentication is enabled, the port has link, and the Admin State is “802.1X,” but the supplicant is not (or not yet) authenticated, or when the Admin State is “Unauthorized”.
X Auth/Y Unauth - X clients are currently authorized and Y are unauthorized. This state is shown when 802.1X and MAC-based authentication is globally enabled and the Admin State is set to “MAC-Based.”
Max Clients - The maximum number of hosts that can connect to a port when the Admin State is set to “MAC-Based.” (Range: 1-112; Default: 112)
The switch has a fixed pool of state-machines, from which all ports draw whenever a new client is seen on the port. When a given port's maximum is reached (counting both authorized and unauthorized clients), further new clients are disallowed access. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted, if the remaining ports have already used all available state-machines. Because unauthorized clients also consume state-machines, a host sending frames with many forged source addresses on one MAC-based port can exhaust the shared pool for the whole switch; set Max Clients on each port no higher than the number of hosts actually expected there.
Restart - Restarts client authentication using one of the methods described below. Note that the restart buttons are only enabled when the switch’s authentication mode is globally enabled (under System Configuration) and the port's Admin State is “802.1X” or “MAC-Based.”
Reauthenticate - Schedules reauthentication to whenever the quiet-period of the port runs out (port-based authentication). For MAC-based authentication, reauthentication will be attempted immediately. The button only affects successfully authenticated ports/clients and will not cause the port/client to be temporarily unauthorized.
Reinitialize - Forces reinitialization of the port/clients, and therefore immediately starts reauthentication. The port/clients are set to the unauthorized state while reauthentication is ongoing.
WEB INTERFACE
To configure 802.1X Port Security:
1. Click Configuration, Port Security.
2. Modify the required attributes.
3. Click Save.
Figure 14: Port Security Configuration
CONFIGURING HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Sockets Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface.
USAGE GUIDELINES
If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port-number]
When you start HTTPS, the connection is established in this way:
The client authenticates the server using the server's digital certificate.
The client and server negotiate a set of security protocols to use for the connection.
The client and server generate session keys for encrypting and decrypting data.
The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above.
The following web browsers and operating systems currently support HTTPS:
Table 8: HTTPS System Support

Web Browser                      | Operating System
Internet Explorer 5.0 or later   | Windows 98, Windows NT (with Service Pack 6a), Windows 2000, Windows XP, Windows Vista
Netscape 6.2 or later            | Windows 98, Windows NT (with Service Pack 6a), Windows 2000, Windows XP, Windows Vista, Solaris 2.6
Mozilla Firefox 2.0.0.0 or later | Windows 2000, Windows XP, Windows Vista, Linux
PARAMETERS
The following parameters are displayed on the HTTPS Configuration page:
Mode - Enables HTTPS service on the switch. (Default: Disabled)
Automatic Redirect - Sets the HTTPS redirect mode operation. When enabled, management access to the HTTP web interface for the switch is automatically redirected to HTTPS. (Default: Disabled) With redirect disabled, the plain HTTP interface remains reachable alongside HTTPS, and a login made over it sends the management credentials across the network unencrypted.
Configuring SSH
WEB INTERFACE
To configure HTTPS:
1. Click Configuration, HTTPS.
2. Enable HTTPS if required and set the Automatic Redirect mode.
3. Click Save.
Figure 15: HTTPS Configuration
CONFIGURING SSH
Secure Shell (SSH) provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch presents its host public key; the client uses it to authenticate the switch and to set up the encrypted session, and the user then logs in with a local user name and password. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.
USAGE GUIDELINES
You need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients. Use a Version 2.0 client wherever possible; the SSH-1 protocol has known cryptographic weaknesses and is no longer considered secure.
SSH service on this switch only supports password authentication. The password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication menu (page 65).
To use SSH with password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known hosts file. However, you do not need to configure the client's keys.
The SSH service on the switch supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
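What "give the host public key to the client" involves in practice, as an added example that is not from the manual or the switch: encode an SSH public key in the RFC 4253 wire format, compute the fingerprints an OpenSSH client displays on first connection (SHA256, and the legacy colon-separated MD5 form older clients print) so they can be compared with the key on the switch, and check a known_hosts entry the way the client does on later connections. The RSA exponent and modulus are constructed stand-ins for a real host key, the address 192.0.2.10 is from the documentation range, and the simplified known_hosts matcher handles only plain host names (not hashed or comma-separated entries).

```python
"""Added worked example (not from the Edge-Core manual): SSH host key encoding,
fingerprints as shown by OpenSSH, and the known_hosts check a client performs
so that a changed host key is noticed instead of silently accepted."""
import base64
import hashlib
import struct


def ssh_string(data):
    return struct.pack("!I", len(data)) + data


def ssh_mpint(n):
    """RFC 4251 mpint: big-endian, with a leading zero byte if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_host_key_blob(e, n):
    """RFC 4253 ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def public_key_line(keytype, blob):
    """'keytype base64' as printed by ssh-keyscan or shown in a client prompt."""
    return f"{keytype} {base64.b64encode(blob).decode()}"


def parse_public_key(line):
    """Parse 'keytype base64blob [comment]' and check the type inside the blob."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type outside the blob does not match the encoded type")
    return keytype, blob


def fingerprint_sha256(blob):
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_entry(host, keytype, blob, port=22):
    hostspec = host if port == 22 else f"[{host}]:{port}"
    return f"{hostspec} {public_key_line(keytype, blob)}"


def check_known_host(known_hosts, host, offered_line, port=22):
    """Return 'ok', 'unknown' (first connection: verify the fingerprint out of
    band) or 'MISMATCH' (the key changed: possible interception, do not log in)."""
    hostspec = host if port == 22 else f"[{host}]:{port}"
    offered_type, offered_blob = parse_public_key(offered_line)
    for entry in known_hosts.splitlines():
        fields = entry.split()
        if len(fields) < 3 or fields[0] != hostspec or fields[1] != offered_type:
            continue
        return "ok" if base64.b64decode(fields[2]) == offered_blob else "MISMATCH"
    return "unknown"


if __name__ == "__main__":
    # Constructed key: e=65537 and a made-up 1024-bit modulus stand in for the
    # switch's real host key; only the encoding and fingerprint math matter here.
    fake_modulus = int.from_bytes(hashlib.sha512(b"es4528v demo").digest() * 2, "big") | (1 << 1023)
    blob = rsa_host_key_blob(65537, fake_modulus)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    hosts = known_hosts_entry("192.0.2.10", "ssh-rsa", blob)
    offered = public_key_line("ssh-rsa", blob)
    print(check_known_host(hosts, "192.0.2.10", offered))   # ok
    print(check_known_host(hosts, "192.0.2.11", offered))   # unknown
    changed = public_key_line("ssh-rsa", rsa_host_key_blob(65537, fake_modulus ^ 0xff))
    print(check_known_host(hosts, "192.0.2.10", changed))   # MISMATCH
```

Because the switch authenticates users by password only, the host key check is the one thing standing between the administrator and a man-in-the-middle that relays the password; record the fingerprint when the switch is first commissioned and distribute the known_hosts entry rather than accepting whatever key is offered on the day.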
PARAMETERS
The following parameters are displayed on the SSH Configuration page:
Mode - Allows you to enable/disable SSH service on the switch. (Default: Disabled)
WEB INTERFACE
To configure SSH:
1. Click Configuration, SSH.
2. Enable SSH if required.
3. Click Save.
Figure 16: SSH Configuration
IGMP SNOOPING
Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router. Although this approach reduces the network overhead required by a multicast server, the broadcast traffic must be carefully pruned at every multicast switch/router it passes through to ensure that traffic is only passed on to the hosts which subscribed to this service.
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch. In this case (Layer 2) IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service. IGMP Query thereby identifies the ports containing hosts requesting to join the service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
The purpose of IP multicast filtering is to optimize a switched network's performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).
CONFIGURING IGMP
SNOOPING AND QUERY
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and IGMP Query to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
Multicast routers use information from IGMP snooping and query reports, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
PARAMETERS
The following parameters are displayed on the IGMP Snooping Configuration page:
Global Configuration
Snooping Enabled - When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. (Default: Enabled)
This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers/switches and IP multicast host groups to identify the IP multicast group members. It simply monitors the IGMP packets passing through it, picks out the group registration information, and configures the multicast filters accordingly.
Unregistered IPMC Flooding Enabled - Floods unregistered multicast traffic into the attached VLAN. (Default: Disabled)
Once the table used to store multicast entries for IGMP snooping is filled, no new entries are learned. If no router port is configured in the attached VLAN, and Unregistered IPMC Flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
Leave Proxy Enabled - Suppresses leave messages unless received from the last member port in the group. (Default: Disabled)
IGMP leave proxy suppresses all unnecessary IGMP leave messages so that a non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
The leave-proxy feature does not function when a switch is set as the querier. When the switch is a non-querier, the receiving port is not the last dynamic member port in the group, the receiving port is not a router port, and no IGMPv1 member port exists in the group, the switch will generate and send a group-specific (GS) query to the member port which received the leave message, and then start the last member query timer for that port.
When the conditions in the preceding item all apply, except that the receiving port is a router port, then the switch will not send a GS-query, but will immediately start the last member query timer for that port.
VLAN Related Configuration
VLAN ID - VLAN Identifier.
Snooping Enabled - When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. (Default: Enabled)
When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence. When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
IGMP Querier - When enabled, the switch can serve as the Querier (on the selected interface), which is responsible for asking hosts if they want to receive multicast traffic. (Default: Disabled)
A router, or multicast-enabled switch, can periodically ask its hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier” and assumes the role of querying the LAN for group members. It then propagates the service requests on to any upstream multicast switch/router to ensure that it will continue to receive the multicast service. This feature is not supported for IGMPv3 snooping.
Port Related Configuration
Port – Port identifier. (Range: 1-28)
Router Port - Sets a port to function as a router port, which leads towards a Layer 3 multicast device or IGMP querier. (Default: Disabled)
If IGMP snooping cannot locate the IGMP querier, you can manually designate a port which is connected to a known IGMP querier (i.e., a multicast router/switch). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch.
Fast Leave - Immediately deletes a member port of a multicast service if a leave packet is received at that port. (Default: Disabled)
The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the Fast Leave function is enabled. This allows the switch to remove a port from the multicast forwarding table without first having to send an IGMP group-specific (GS) query to that interface.
If Fast Leave is not used, a multicast router (or querier) will send a GS-query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
If Fast Leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, Fast Leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
Fast Leave is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used.
Fast Leave does not apply to a port if the switch has learned that a multicast router is attached to it.
Fast Leave can improve bandwidth usage for a network which frequently experiences many IGMP host add and leave requests.
Throttling - Limits the number of multicast groups to which a port can belong. (Range: 1-10; Default: unlimited)
IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, any new IGMP join reports will be dropped.
WEB INTERFACE
To configure IGMP Snooping:
1. Click Configuration, IGMP Snooping, Basic Configuration.
2. Adjust the IGMP settings as required.
3. Click Save.
Figure 17: IGMP Snooping Configuration
CONFIGURING IGMP FILTERING
In certain switch applications, the administrator may want to control the multicast services that are available to end users; for example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by denying access to specified multicast services on a switch port.
PARAMETERS
The following parameters are displayed on the IGMP Snooping Port Group Filtering Configuration page:
Port – Port identifier. (Range: 1-28)
Filtering Groups – Multicast groups that are denied on a port. When filter groups are defined, IGMP join reports received on a port are checked against these groups. If a requested multicast group is denied, the IGMP join report is dropped.
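The snooping options from the IGMP Snooping Configuration page (Router Port, Fast Leave, Throttling, Unregistered IPMC Flooding) together with the Port Group Filtering rule above, as one added worked example; this is a model written for this page, not the switch's forwarding code. It keeps a per-VLAN membership table, applies the filter and throttling checks to incoming join reports, handles a leave according to the Fast Leave and router-port rules, and computes the egress port set for a group, including the manual's rule for unregistered traffic. VLAN, port and group numbers are constructed sample values.

```python
"""Added worked example (not from the Edge-Core manual): a model of the IGMP
snooping forwarding table with the per-port options described on the IGMP
Snooping pages (Router Port, Fast Leave, Throttling, Port Group Filtering) and
the unregistered-traffic rule of Unregistered IPMC Flooding."""
import ipaddress


class IgmpSnoopingVlan:
    def __init__(self, vlan_id, unregistered_flooding=False):
        self.vlan_id = vlan_id
        self.unregistered_flooding = unregistered_flooding
        self.ports = set()
        self.router_ports = set()
        self.fast_leave = set()
        self.throttle = {}     # port -> maximum groups (1-10)
        self.filters = {}      # port -> set of denied group addresses
        self.members = {}      # group -> set of member ports

    def add_port(self, port, router=False, fast_leave=False, throttle=None, deny=()):
        if not 1 <= port <= 28:
            raise ValueError("port must be 1-28")
        if throttle is not None and not 1 <= throttle <= 10:
            raise ValueError("throttling limit must be 1-10")
        self.ports.add(port)
        if router:
            self.router_ports.add(port)
        if fast_leave:
            self.fast_leave.add(port)
        if throttle is not None:
            self.throttle[port] = throttle
        self.filters[port] = {self._group(g) for g in deny}

    @staticmethod
    def _group(address):
        group = ipaddress.IPv4Address(address)
        if not group.is_multicast:
            raise ValueError(f"{address} is not an IPv4 multicast group")
        return group

    def membership_report(self, port, address):
        """IGMP join report received on `port`."""
        if port not in self.ports:
            raise ValueError(f"port {port} is not in VLAN {self.vlan_id}")
        group = self._group(address)
        if group in self.filters[port]:
            return "dropped: group filtered on port"
        joined = {g for g, ports in self.members.items() if port in ports}
        limit = self.throttle.get(port)
        if limit is not None and group not in joined and len(joined) >= limit:
            return "dropped: port at throttling limit"
        self.members.setdefault(group, set()).add(port)
        return "joined"

    def leave(self, port, address):
        """IGMPv2/v3 leave received on `port`."""
        group = self._group(address)
        if port not in self.members.get(group, ()):
            return "ignored: not a member"
        if port in self.router_ports:
            return "kept: fast leave does not apply to router ports"
        if port in self.fast_leave:
            self.members[group].discard(port)
            if not self.members[group]:
                del self.members[group]
            return "removed immediately"
        return "kept: group-specific query sent, waiting for last member timer"

    def egress_ports(self, address):
        """Ports that receive traffic for `address` (router ports always do)."""
        group = self._group(address)
        members = self.members.get(group)
        if members:
            return members | self.router_ports
        # Manual: unregistered traffic is dropped only when the VLAN has no
        # router port and Unregistered IPMC Flooding is disabled.
        if self.unregistered_flooding or self.router_ports:
            return set(self.ports)
        return set()


if __name__ == "__main__":
    vlan = IgmpSnoopingVlan(10)
    vlan.add_port(1, fast_leave=True)
    vlan.add_port(2)
    vlan.add_port(3, deny=["239.9.9.9"])
    vlan.add_port(4, throttle=1)
    vlan.add_port(5, router=True)
    for port, group in ((1, "239.1.1.1"), (2, "239.1.1.1"), (3, "239.9.9.9"),
                        (4, "239.1.1.1"), (4, "239.1.1.2")):
        print(port, group, vlan.membership_report(port, group))
    print("egress 239.1.1.1:", sorted(vlan.egress_ports("239.1.1.1")))   # [1, 2, 4, 5]
    print("leave on 1:", vlan.leave(1, "239.1.1.1"))                      # removed immediately
    print("leave on 2:", vlan.leave(2, "239.1.1.1"))                      # kept ...
    print("unregistered:", sorted(vlan.egress_ports("239.7.7.7")))       # flooded: router port present
```

The throttling and filtering checks run before a group is learned, which is the behaviour the two pages describe (the join report itself is dropped); a filtered host therefore never appears in the table and cannot pull the stream through another port by leaving and rejoining.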
WEB INTERFACE
To configure IGMP Snooping Port Group Filtering:
1. Click Configuration, IGMP Snooping, Port Group Filtering.
2. Click Add New Filtering Group to display a new entry in the table.
3. Select the port to which the filter will be applied.
4. Enter the IP address of the multicast service to be filtered.
5. Click Save.
Figure 18: IGMP Snooping Port Group Filtering Configuration
CONFIGURING LINK LAYER DISCOVERY PROTOCOL
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers.
PARAMETERS
The following parameters are displayed on the LLDP Configuration page:
LLDP Timing Attributes
Tx Interval – Configures the periodic transmit interval for LLDP
advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
This attribute must comply with the following rules:
(Transmission Interval * Transmission Hold Time) ≤ 65536, and Transmission Interval ≥ (4 * Transmission Delay)
Tx Hold – Configures the time-to-live (TTL) value sent in LLDP
advertisements as shown in the formula below. (Range: 2-10; Default: 3)
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
TTL in seconds is based on the following rule:
TTL = (Transmission Interval * Transmission Hold Time) ≤ 65536. Therefore, the default TTL is 30*3 = 90 seconds.
Tx Delay – Configures a delay between the successive transmission of
advertisements initiated by a change in local LLDP MIB variables. (Range: 1-8192 seconds; Default: 2 seconds)
The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
This attribute must comply with the rule: (4 * Transmission Delay) ≤ Transmission Interval
Tx Reinit – Configures the delay before attempting to re-initialize after
LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds)
When LLDP is re-initialized on a port, all information in the remote system’s LLDP MIB associated with this port is deleted.
LLDP Interface Attributes
Port – Port identifier. (Range: 1-28)
Mode – Enables LLDP message transmit and receive modes for LLDP
Protocol Data Units. (Options: Disabled, Enabled - TxRx, Rx only, Tx only; Default: Disabled)
CDP Aware – Enables decoding of Cisco Discovery Protocol frames.
(Default: Disabled)
If enabled, CDP TLVs that can be mapped into a corresponding field in the LLDP neighbors table are decoded; all others are discarded. CDP TLVs are mapped into the LLDP neighbors table as shown below:
CDP TLV “Device ID” is mapped into the LLDP “Chassis ID” field.
CDP TLV “Address” is mapped into the LLDP “Management Address” field. The CDP address TLV can contain multiple addresses, but only the first address is shown in the LLDP neighbors table.
CDP TLV “Port ID” is mapped into the LLDP “Port ID” field.
CDP TLV “Version and Platform” is mapped into the LLDP “System Description” field.
Both CDP and LLDP support "system capabilities," but the CDP capabilities include capabilities that are not part of LLDP. These capabilities are shown as "others" in the LLDP neighbors table.
If all ports have CDP awareness disabled, the switch forwards CDP frames received from neighbor devices. If at least one port has CDP awareness enabled, all CDP frames are terminated by the switch.
When CDP awareness for a port is disabled, the CDP information is not removed immediately, but will be removed when the hold time is exceeded.
Optional TLVs - Configures the information included in the TLV field of advertised messages.
Port Descr – The port description is taken from the ifDescr object in
RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
Sys Name – The system name is taken from the sysName object in
RFC 3418, which contains the system's administratively assigned name. To configure the system name, see page 55.
Sys Descr – The system description is taken from the sysDescr object
in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
Sys Capa – The system capabilities identifies the primary function(s)
of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Mgmt Addr – The management address protocol packet includes the
IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address. The interface number and OID are included to assist SNMP applications in the performance of network discovery by indicating enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
WEB INTERFACE
To configure LLDP:
1. Click Configuration, LLDP.
2. Modify any of the timing parameters as required.
3. Set the required mode for transmitting or receiving LLDP messages.
4. Enable or disable decoding CDP frames.
5. Specify the information to include in the TLV field of advertised
messages.
6. Click Save.
Figure 19: LLDP Configuration
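The timing rules and the TLV format described above, worked through as an added example (not the switch's own implementation): `validate_timers` applies the three rules from the LLDP Timing Attributes, and the remaining functions encode a minimal IEEE 802.1AB LLDPDU (mandatory Chassis ID, Port ID and TTL TLVs plus the optional System Name and System Description TLVs) and parse it back into the fields the LLDP neighbors table shows. The MAC address, port name and system name used are constructed; the TLV type and subtype codes are the ones assigned by 802.1AB.

```python
"""Encode and decode a minimal IEEE 802.1AB LLDPDU and validate the switch's
LLDP timers. Added example; not the switch's own implementation."""
import struct

# TLV type codes defined by IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCR, TLV_SYS_NAME, TLV_SYS_DESCR, TLV_SYS_CAP, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
CHASSIS_SUBTYPE_MAC = 4      # chassis ID subtype 4 = MAC address
PORT_SUBTYPE_IFNAME = 5      # port ID subtype 5 = interface name
MAX_TLV_LEN = 511            # the length field is 9 bits


def validate_timers(tx_interval, tx_hold, tx_delay):
    """Return the list of rule violations for the three timing attributes
    (empty list = acceptable). Ranges and rules are those on the LLDP
    Configuration page."""
    problems = []
    if not 5 <= tx_interval <= 32768:
        problems.append("Tx Interval must be 5-32768 s")
    if not 2 <= tx_hold <= 10:
        problems.append("Tx Hold must be 2-10")
    if not 1 <= tx_delay <= 8192:
        problems.append("Tx Delay must be 1-8192 s")
    if tx_interval * tx_hold > 65536:
        problems.append("Tx Interval * Tx Hold exceeds 65536 (TTL is a 16-bit field)")
    if 4 * tx_delay > tx_interval:
        problems.append("Tx Interval must be >= 4 * Tx Delay")
    return problems


def tlv(tlv_type, value):
    """One TLV: 16-bit header = 7-bit type | 9-bit length, followed by the value."""
    if len(value) > MAX_TLV_LEN:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, sys_name=None, sys_descr=None):
    """Mandatory Chassis ID, Port ID and TTL TLVs, optional System Name /
    System Description, then the End of LLDPDU TLV. ttl = Tx Interval * Tx Hold."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    if sys_name is not None:
        pdu += tlv(TLV_SYS_NAME, sys_name.encode())
    if sys_descr is not None:
        pdu += tlv(TLV_SYS_DESCR, sys_descr.encode())
    return pdu + tlv(TLV_END, b"")


def parse_lldpdu(data):
    """Walk the TLVs; reject a value that runs past the PDU, mandatory TLVs
    missing or out of order, or a missing End TLV. Returns (type, value) pairs."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length runs past end of PDU")
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
        if tlv_type == TLV_END:
            break
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    if len(tlvs[2][1]) != 2:
        raise ValueError("TTL TLV must be 2 bytes")
    if tlvs[-1][0] != TLV_END:
        raise ValueError("End of LLDPDU TLV missing")
    return tlvs


def is_well_formed(data):
    """True if parse_lldpdu accepts the PDU."""
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


def neighbor_entry(tlvs):
    """Project parsed TLVs onto the fields the LLDP neighbors table displays."""
    entry = {}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID and value and value[0] == CHASSIS_SUBTYPE_MAC:
            entry["chassis_id"] = ":".join("%02x" % b for b in value[1:])
        elif tlv_type == TLV_PORT_ID:
            entry["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_TTL:
            entry["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYS_NAME:
            entry["sys_name"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYS_DESCR:
            entry["sys_descr"] = value.decode(errors="replace")
    return entry
```

Two practical points follow from the code. The TTL TLV is a 16-bit field, which is why Tx Interval * Tx Hold is capped at 65536; and everything placed in the System Name and System Description TLVs is broadcast in clear text to every LLDP-capable neighbor on the link, so enabling those optional TLVs on user-facing ports discloses the software version to anyone plugged in.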
CONFIGURING THE MAC ADDRESS TABLE
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
PARAMETERS
The following parameters are displayed on the MAC Address Table Configuration page:
Aging Configuration
Disable Automatic Aging - Disables the automatic aging of dynamic
entries. (Address aging is enabled by default.)
Age Time - The time after which a learned entry is discarded.
(Range: 10-1000000 seconds; Default: 300 seconds)
MAC Table Learning
Auto - Learning is done automatically as soon as a frame with an
unknown source MAC address is received. (This is the default.)
Disable - No addresses are learned and stored in the MAC address
table.
Secure - Only static MAC address entries are used, all other frames are
dropped.
Make sure that the link used for managing the switch is added to the Static MAC Table before changing to secure learning mode. Otherwise the management link will be lost, and can only be restored by using another non-secure port or by connecting to the switch via the serial interface.
NOTE: If the learning mode for a given port in the MAC Learning Table is grayed out, another software module is in control of the mode, so that it cannot be changed by the user. An example of such a module is the MAC-Based Authentication under 802.1X.
Static MAC Table Configuration
VLAN ID - VLAN Identifier. (Range: 1-4095)
MAC Address - Physical address of a device mapped to a port.
A static address can be assigned to a specific port on this switch. Static addresses are bound to the assigned port and will not be moved. When a static address is seen on another port, the address will be ignored and will not be written to the address table.
Port Members - Port identifier.
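The learning modes, aging and static-binding rules on this page, modelled as an added example (not the switch's code): `MacTable` keeps static and dynamic entries per VLAN and applies the Auto, Disable and Secure modes to each frame's source address. `safe_to_secure` implements the caveat above, refusing to treat a port as ready for secure mode until a static entry is bound to it. Port numbers and MAC addresses in the test are constructed. One assumption is marked in the code: the manual says a static address seen on another port is ignored and not rewritten, but does not say whether that frame is forwarded, so the model forwards it.

```python
"""Simulate the MAC address table's learning modes and aging as described on
the MAC Address Table Configuration page. Added example; not the switch's code."""

AUTO, DISABLE, SECURE = "auto", "disable", "secure"


class MacTable:
    def __init__(self, age_time=300, aging=True):
        self.age_time = age_time   # seconds (page: 10-1000000, default 300)
        self.aging = aging         # False = "Disable Automatic Aging"
        self.static = {}           # (vlan, mac) -> port; never aged, never moved
        self.dynamic = {}          # (vlan, mac) -> [port, last_seen]
        self.mode = {}             # port -> learning mode (default AUTO)

    def set_mode(self, port, mode):
        if mode not in (AUTO, DISABLE, SECURE):
            raise ValueError(mode)
        self.mode[port] = mode

    def add_static(self, vlan, mac, port):
        self.static[(vlan, mac)] = port
        self.dynamic.pop((vlan, mac), None)

    def safe_to_secure(self, port):
        """The page's caveat: switch a port to secure learning only when at
        least one static entry (e.g. the management host) is bound to it."""
        return any(p == port for p in self.static.values())

    def ingress(self, vlan, src_mac, port, now):
        """Apply the port's learning mode to a frame's source address.
        Returns (action, learned) with action 'forward' or 'drop'."""
        key = (vlan, src_mac)
        mode = self.mode.get(port, AUTO)
        if key in self.static:
            # Static binding wins: seen on another port it is ignored, not moved.
            # ASSUMPTION: the frame itself is still forwarded; the manual only
            # states that the address is not written to the table.
            return ("forward", False)
        if mode == SECURE:
            return ("drop", False)          # only static entries are used
        if mode == DISABLE:
            return ("forward", False)       # forwarded but never learned
        if key in self.dynamic:
            self.dynamic[key] = [port, now]  # refresh, following a moved address
            return ("forward", False)
        self.dynamic[key] = [port, now]
        return ("forward", True)

    def expire(self, now):
        """Discard dynamic entries idle longer than age_time; returns how many."""
        if not self.aging:
            return 0
        stale = [k for k, (_, seen) in self.dynamic.items() if now - seen > self.age_time]
        for k in stale:
            del self.dynamic[k]
        return len(stale)

    def lookup(self, vlan, mac):
        key = (vlan, mac)
        if key in self.static:
            return self.static[key]
        if key in self.dynamic:
            return self.dynamic[key][0]
        return None
```

Run the secure-mode part of the test in your head before changing a real port: with no static entry on port 24 the management host's frames are dropped the moment the mode flips, which is the lockout the caveat warns about, and the only way back is another non-secure port or the console.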